California’s breach notification rules: explained & clarified
by Kapua Iao
California updated its breach notification rules in July 2021 to better explain what state healthcare providers must do after a data breach. HIPAA and state regulations on patient privacy and protection require covered entities and business associates to demonstrate due diligence when it comes to safeguarding protected health information (PHI).
Such laws emphasize the importance of protecting personally identifiable information (PII) and PHI for solid patient care.
This includes reporting all data breaches to officials and affected individuals.
Noncompliant healthcare organizations could face investigations, fines, and serious repercussions (e.g., a HIPAA violation). That is likely why California clarified its breach notification rules.
HIPAA Breach Notification Rule
HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation that protects the rights and privacy of patients.
The U.S. Health and Human Services Office for Civil Rights (OCR) regulates and enforces the act, which consists of five sections (or titles). Most referenced is Title II as it sets the policies and procedures for safeguarding PHI, whether in paper or electronic (ePHI) form.
Understanding and implementing these guidelines is fundamental to avoiding data breaches and HIPAA violations and to properly reporting problems.
The HIPAA Breach Notification Rule (2009) makes it mandatory for healthcare providers to report all PHI breaches.
Breaches affecting more than 500 individuals require notification within 60 days of discovery (or directly after an investigation). Breaches affecting fewer than 500 individuals must be logged with OCR within 60 days of the end of the calendar year.
California breach notification
At the same time, every state has its own laws regarding unsecured data breaches, what must be reported, and how. The laws within California outline who has access to a patient’s PHI and what can be disclosed.
California Health and Safety Code section 1280.15 states that healthcare providers must notify the department and affected individuals no later than 15 days after “unlawful or unauthorized access.” Only law enforcement may request a delay.
However, the original law lacked details, which is why the state provided recent clarification regarding:
- The form and content of notifications, which must include PII involved, individuals affected, and the type/description of the breach.
- The exception (inadvertent, misdirected PHI within the same facility or healthcare system), expanded to carve out various types of access, use, and disclosure.
- The base penalty ($15,000; the maximum is $250,000), which is subject to adjustments based on compliance history, actions after the breach, and the size and/or capabilities of an organization.
Moreover, the modifications further align California law with HIPAA in form and content while still highlighting different deadlines and needs.
So why is it important to report data breaches?
The healthcare industry continues to be one of the most heavily targeted by cyberattackers.
This is why privacy laws and reporting regulations exist. Essentially, there are three main reasons why timely reporting is necessary. First, complying with breach notification laws provides an adequate warning to affected individuals in case they need to monitor their credit.
Second, reporting breaches supports agencies and IT specialists who collect information about threat actors and cyberattacks to stop future breaches.
Finally, compliance helps healthcare organizations avoid federal or state privacy violations that could include hefty fines as well as possible shutdowns.
Stop breaches before they even occur
Following the regulation updates, California Attorney General Bonta released a bulletin reminding healthcare organizations to comply with breach reporting laws. The bulletin also pointed out the benefit of preventing breaches, highlighting five methods:
- Using up-to-date hardware and software
- Employing strong antivirus software
- Conducting regular employee training
- Maintaining strict access controls
- Generating frequent backups along with an up-to-date business continuity plan
But most important of all, healthcare providers must use strong email security (i.e., HIPAA compliant email).
Our patented, HITRUST CSF-certified solution, Paubox Email Suite, encrypts all outgoing emails. These messages can be sent from your existing email platform (e.g., Microsoft 365 or Google Workspace), requiring no change in email behavior.
Moreover, our patent-pending Zero Trust Email feature for Plus and Premium customers adds an AI-powered proof of legitimacy to all inbound emails before they are delivered.
U.S. healthcare organizations must properly report breaches not only to protect patients but to also ensure compliance with federal and state laws. At the same time, proactive organizations mitigate risks, violations, fines, and the need to report.
No matter what, understanding the guidelines and utilizing solid cybersecurity programs are the only way to effectively block cyberattacks.