On July 1, 2021, the California Department of Public Health (“CDPH”) issued new regulations[1] (the “Regulations”) effective immediately that more narrowly limit the circumstances under which instances of unauthorized access to medical information have to be reported to CDPH.  The new regulations also give CDPH more discretion to adjust penalties for violations.  The Regulations complement Section 1280.15 of the Health and Safety Code (“Section 1280.15”) requiring state-licensed clinics, health facilities, home health agencies, and hospices to prevent any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information, and to report any unauthorized access, use or disclosure to the Department no later than fifteen (15) business days after the breach was detected.

In large part, the Regulations synchronize state requirements with those provided by the Health Insurance Portability and Accountability Act of 1996 and its related regulations[2] (collectively, “HIPAA”).  However, the Regulations transcend HIPAA requirements in several ways, most notably by granting CDPH significant access to organizational records, documentation, and internal assessments in the event of a breach.

The Regulations Include Long-Anticipated Exceptions to Notice Requirements. 

Prior to the Regulations, facilities were required to report to CDPH any time a fax was misdirected to a different physician’s office or a patient received the wrong set of discharge instructions.  This resulted in a large volume of reports being made.  Under the Regulations, internal paper records, electronic mail, or faxes inadvertently misdirected within the same facility or health care system within the course of coordinating care or delivering services does not constitute unauthorized access to, or use or disclosure of, a patient’s medical information.  The Regulations adopt additional exceptions to reporting that largely mirror those provided by HIPAA[3] including:

1. inadvertently misdirected communications sent to a HIPAA-covered entity within the course of coordinating care or delivering services;
2. disclosures of medical information in which a health care facility or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain the medical information;
3. any access to, use, or disclosure of medical information permitted or required by state or federal law;
4. encrypted electronic data containing a patient’s medical information, provided that the encrypted data has not been unlawfully accessed, used or disclosed; and
5. disclosures for which a health care facility or business associate determines that (a) there is a low risk of harm, considering the nature and extent of the medical information involved; (b) there is a low risk in light of the unauthorized person to whom the disclosure was made; (c) there is a low probability that medical information was actually acquired or viewed; and (d) the risk of access to the medical information has been mitigated.

Governmental Reporting Requirements are More Burdensome than Under HIPAA. 

Patient Notification.  Initially, Section 1280.15 did not specify the content of patient notifications in the event of a breach and only specified that such notice must be provided to affected patients within fifteen (15) days of detection of a breach.  The Regulations now provide precise criteria which were largely modeled after HIPAA[4], and must include a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm,  a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable). [5]

Department Notification.  As with the patient notifications, Section 1280.15 did not specify what information needed to be conveyed to CDPH in the event of a breach and only specified that such notice must be provided to CDPH within fifteen (15) days of detection of a breach.  HIPAA requires notification to the Department of Health and Human Services with only the information contained in the patient notices within at least sixty (60) calendar days of discovery of the breach and not until the end of the calendar year in breaches involving less than five hundred (500) individuals.[6]  Going above and beyond HIPAA requirements, the Regulations now require organizations to report not only all information contained in the patient notices to CDPH but also:

1. the names of all affected patients;
2. the names and contact information of the individuals who performed the breach, any witnesses to the breach and any unauthorized persons who used the medical information or to whom it was disclosed;
3. the dates of patient notice;
4. the contact information of a health care facility representative who the Department can contact for additional information;
5. any other instances of a reported event that includes a breach of the same patients’ medical information by the facility within the last six years; and
6. any audit reports, written statements, or other documents that the health care facility relied upon in determining that a breach occurred. [7]

Although HIPAA requires maintenance of audit logs and breach reports, providing the information sought in item (5) above is particularly burdensome because it assumes the facility maintains records that would allow it to identify all patients whose medical information was compromised during the prior six years.  In addition, under the Regulations, the facility or business associate must provide to CDPH internal records it generated in its investigation of the breach.  Therefore, if legal counsel is consulted regarding a breach, consider maintaining separate documentation reflecting legal advice so that no waiver of the attorney-client privilege occurs from the production of internal reports regarding the breach.  The facility or business associate should consult with counsel regarding the necessary steps to preserve the protections of the attorney-client privilege[8] and attorney work product privilege[9] during the course of a breach investigation and in relation to any possible litigation.

The Regulations Provide a Framework for Administrative Penalties. 

To some extent, Section 1280.15 includes significant legislative guidance on penalties for violations.  The statute allows for penalties up to $25,000 per patient whose medical information was unlawfully accessed, used, or disclosed, as well as up to $17,500 per subsequent occurrence.  Further, CDPH may assess a penalty of $100 for each day that the facility fails to report the breach to either CDPH or a patient.  However, the statute provides some guardrails, capping penalties at $250,000.

The Regulations prescribe a more precise formula for calculating administrative penalties.  The Regulations establish a base penalty amount at $15,000 for any initial violation, and permit CDPH to require “an amount equal to 70% of the initial violation amount” for any subsequent occurrence.

Section 1280.15 allows CDPH to consider the organization’s history of compliance with and other related state and federal statutes and regulations (e.g., HIPAA), the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring, and factors outside its control that restricted the facility’s ability to comply with this section.  The Regulations refine CDPH’s level of discretion by (i) limiting discretionary adjustments to up to $10,000, (ii) narrowing the compliance look-back period to the past three years, (iii) defining “factors outside the control of the health care facility,”[10] and (iv) expressly allowing the consideration of any other factors applicable to the specific circumstances surrounding the breach, as identified by CDPH.[11]  Further, Regulations specify that penalties will not be imposed if the health care facility maintained and appropriately implemented disaster and emergency policies and procedures, if factors outside the control of the health facility were the sole cause of a breach.[12]

Penalty assessments provided by Section 1280.15 and the Regulations are summarized in the following table.

Base Penalty	Maximum Obligation Per Patient	Failure to Timely Report	Discretionary Adjustments	Maximum Penalty	Subsequent Occurrences
$15,000	Up to $25,000	$100 per day	Up to $10,000	$250,000	70% of the initial assessed penalty, but only up to $17,500

Also, as described initially in the statute, the Regulations permit CDPH to use payment plans or penalty reductions for small and rural hospitals with financial hardship and adjust penalties for primary care clinics in the interest of protecting access to care.[13]  Further, CDPH reserves the discretion to reduce penalty amounts if it determines that “the administrative penalty is unduly burdensome or excessive.”[14]

Moving Forward

Given that the Regulations provide several new exceptions to Section 1280.15’s breach reporting requirements, the number of reports to CDPH will certainly decrease.  It follows that CDPH will likely capitalize on the reduction in reports and the broader production of documents to investigate organizations more thoroughly after a reported breach.  Accordingly, in light of the new regulatory framework, health organizations would be well-advised to reassess their compliance policies and procedures to strengthen protection of patient information and minimize regulatory scrutiny in the event of a breach.

FOOTNOTES

[1] 22 CCR §§ 79900-79905  Available at:

https://www.cdph.ca.gov/Programs/OLS/CDPH%20Document%20Library/DPH-11-009-Final-Reg-Text-ADA.pdf

[2] 45 CFR Part 160 and Part 164

[3] 45 CFR § 164.402.

[4] 45 CFR § 164.404.

[5] 22 CCR § 79902(b).

[6] 45 CFR § 164.408.

[7] 22 CCR § 79902(a).

[8] Evid. Code § 954.

[9] Civ. Proc. Code § 2018.030.

[10] “Factors outside the control of the health care facility” means any circumstance not within the reasonable control of the health care facility, including, but not limited to, fires, explosions, natural disasters, severe weather events, war, invasion, civil unrest, acts or threats of terrorism, and utility or infrastructure failure; this does not include the acts of the health care facility, business associate, or their respective workforce members.  22 CCR § 79901(i).

[11] 22 CCR § 79904(a).

[12] 22 CCR § 79904(a)(3).

[13] 22 CCR § 79905(a-b).

[14] 22 CCR § 79904(b).