On Sept. 27, Gov. Newsom signed Executive Order N-16-21 , which extends protections for health care providers that experience a privacy breach during the good faith provision of telehealth services. These protections were originally instituted in Executive Order N-43-20, which was set to expire on Sept. 30, but will now remain in place for the duration of the state of emergency related to the COVID-19 pandemic. The Sept. 27 order does the following:
- Waives penalties and rights to sue under the California Confidentiality of Medical Information Act for breaches related to telehealth
- Waives penalties and rights to sue under the Civil Code related to timely patient breach notification
- Extends the deadline — from 15 to 60 days — for health care facilities, clinics, home health agencies, and hospices to notify patients and CDPH of breaches
- Waives penalties and rights to sue for breaches that occur as a result of using technology that does not fully comply with federal or state law
To reiterate, these protections apply only to privacy breaches related to the good faith provision of telehealth services and not to other types of privacy breaches. Importantly, the Sept. 27 executive order does not extend the waiver of the requirement for a health care provider to obtain verbal or written consent before the use of telehealth services and to document that consent. Health care providers will need to obtain and document consent starting Oct. 1.