by Kapua Iao
California’s breach notification rules: explained & clarified


California updated its breach notification rules in July 2021 to better explain what state healthcare providers must do after a data breach. HIPAA and state regulations on patient privacy and protection require covered entities and business associates to demonstrate due diligence when it comes to safeguarding protected health information (PHI).

Such laws emphasize the importance of protecting personally identifiable information (PII) and PHI for solid patient care.

SEE ALSO: HIPAA compliant email

And this includes reporting all data breaches to officials and affected individuals.

Noncompliant healthcare organizations could face investigations, fines, and other serious repercussions (e.g., a HIPAA violation finding). This is likely why California clarified its breach notification rules.

HIPAA Breach Notification Rule

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation that protects the rights and privacy of patients.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) regulates and enforces the act, which consists of five sections (or titles). Title II is the most frequently referenced, as it sets the policies and procedures for safeguarding PHI, whether in paper or electronic (ePHI) form.

Understanding and implementing these guidelines is fundamental to avoiding data breaches and HIPAA violations and to properly reporting problems.

RELATED: What to do after you violate HIPAA

The HIPAA Breach Notification Rule (2009) makes it mandatory for healthcare providers to report all PHI breaches.

Breaches affecting more than 500 individuals require notification within 60 days of discovery (or directly after an investigation). Breaches affecting fewer than 500 individuals must be logged and reported to OCR within 60 days of the end of the calendar year.

California breach notification

At the same time, every state has its own laws regarding unsecured data breaches and what must be reported and how. California’s laws outline who has access to a patient’s PHI and what can be disclosed.

California Health and Safety Code section 1280.15 states that healthcare providers must notify the department (the California Department of Public Health) and affected individuals no later than 15 days after “unlawful or unauthorized access.” Only law enforcement may request a delay.

SEE ALSO: California breach notification laws sections 1798.29 and 1798.82

However, the original law lacked details, which is why the state recently provided clarification regarding:

  • The form and content of notifications, which must include PII involved, individuals affected, and the type/description of the breach.
  • The exception (inadvertent, misdirected PHI within the same facility or healthcare system), expanded to carve out various types of access, use, and disclosure.
  • The base penalty ($15,000; the maximum is $250,000), which is subject to adjustments based on compliance history, actions after the breach, and the size and/or capabilities of an organization.

Moreover, the modifications further align California law with HIPAA in form and content while still highlighting different deadlines and needs.

So why is it important to report data breaches?

The healthcare industry continues to be one of the most heavily targeted by cyberattackers.

RELATED: Why is healthcare a juicy target for cybercrime?

This is why privacy laws and reporting regulations exist. Essentially, there are three main reasons why timely reporting is necessary. First, complying with breach notification laws gives affected individuals adequate warning so they can take protective steps, such as monitoring their credit.

Second, reporting breaches supports agencies and IT specialists who collect information about threat actors and cyberattacks to stop future breaches.

RELATED: U.S. launches one-stop ransomware resource

Finally, compliance helps healthcare organizations avoid federal or state privacy violations that could include hefty fines as well as possible shutdowns.

Stop breaches before they even occur

Following the regulation updates, California Attorney General Bonta released a bulletin reminding healthcare organizations to comply with breach reporting laws. The bulletin also pointed out the benefit of preventing breaches, highlighting five methods.

But most important of all, healthcare providers must use strong email security (i.e., HIPAA compliant email).

Our patented, HITRUST CSF-certified solution, Paubox Email Suite, encrypts all outgoing emails. These messages can be sent from your existing email platform (e.g., Microsoft 365 or Google Workspace), requiring no change in email behavior.

Moreover, our patent-pending Zero Trust Email feature for Plus and Premium customers adds an AI-powered proof of legitimacy to all inbound emails before they are delivered.

U.S. healthcare organizations must properly report breaches not only to protect patients but also to ensure compliance with federal and state laws. At the same time, proactive organizations mitigate risks, violations, fines, and the need to report in the first place.

No matter what, understanding the guidelines and running a solid cybersecurity program are the only way to effectively block cyberattacks.

Try Paubox Email Suite Plus for FREE today.