The California Department of Public Health (CDPH) informed CHA on June 28 that the Office of Administrative Law (OAL) approved CDPH’s medical breach regulations. They will take effect July 1.
Ordinarily these regulations would have become effective on Oct. 1, but CDPH requested an earlier effective date, not realizing that OAL would take so long to approve the regulation package. CDPH plans to notify health facilities, clinics, home health agencies, and hospices soon by way of an All Facilities Letter.
Given the extremely short notice period, CHA has requested that CDPH exercise enforcement discretion on the portions of the regulations that require hospitals to take various affirmative steps — for example, to put systems in place to keep track of every patient whose information has been breached.
The regulations do the following:
- Allow hospitals to conduct a HIPAA-like risk assessment and report only those breaches determined to pose a high probability that medical information has been compromised. This will reduce the number of incidents that hospitals will be required to report to CDPH.
- Specify the information that must be included when a hospital reports a breach to CDPH and to the patient
- Require extensive recordkeeping
- Set forth an administrative penalty structure, including base penalties and adjustment factors
The regulations mandate that records about breaches must be retained for six years. CHA has asked CDPH if this means that hospitals can now destroy older records. CDPH said that it has not yet investigated/resolved all breach reports, some of which are more than six years old, and wants hospitals to retain some older records. However, CDPH also realizes that hospitals do not know which older breaches CDPH might want to investigate, and so wouldn’t know which records they should keep for more than six years (contrary to the regulation). CDPH will get back to CHA on this issue.
CHA is planning a webinar to explain the new regulations. Details will be forthcoming.