Maintaining the confidential nature of patient records is integral to patient care and the practice of health information management. In addition to the federal Health Insurance Portability and Accountability Act (HIPAA), which includes privacy regulations, California has several state laws governing health information privacy, such as the Confidentiality of Medical Information Act, California Patient Access to Health Records Act and the Lanterman-Petris-Short Act.
To help providers comply with the myriad of regulations, CHA offers the California Health Information Privacy Manual, a California-specific resource that compares privacy requirements under HIPAA to state laws. Information pertaining to privacy laws is also contained in CHA’s Consent Manual and CHA’s Record and Data Retention Schedule. Educational opportunities are available periodically for specific privacy-related topics. CHA also advocates on behalf of member hospitals in the Legislature and regulatory arenas regarding health information privacy laws.
Federal law requires hospitals and other HIPAA-covered entities to report all 2013 privacy breaches affecting fewer than 500 patients to the Office for Civil Rights of the U.S. Department of Health and Human Services by March 1. Breaches affecting 500 or more patients should have been reported at the time of the incident. Information on how to report breaches may be found at www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule.
CHA’s California Health Information Privacy Manual contains a complete discussion of state and federal health information privacy laws, including breach notification rules. For more information, or to order the manual, visit www.calhospital.org/publications.
On Feb. 6, the U.S. Department of Health and Human Services published a final rule that gives patients the right to obtain their lab test results directly from any lab subject to the Health Insurance Portability and Accountability Act of 1996 Privacy Rule (HIPAA), and to require the labs to send their test results to any designated person or organization. The rule, attached, also amends the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to permit (but not require) CLIA-certified labs that are not subject to HIPAA to provide test results directly to patients. While patients can continue to get their lab test reports from their doctors, these changes give patients a new option to obtain their test reports directly from the lab. The rule is intended to provide patients greater access to their health information, empowering them to take a more active role in managing their health and health care. The final rule is effective April 7, but HIPAA covered entities must comply with the applicable requirements by Oct. 6.
The Court of Appeal, Second Appellate District, ruled today that a cause of action for statutory damages based on negligent storage or maintenance of confidential medical information requires pleading and proof that an unauthorized individual actually viewed the confidential information. The decision is good news for hospitals and other health care providers who are victims of theft or hacking of medical information where the plaintiff cannot prove that the thief or hacker actually viewed the medical information.
In this class action lawsuit brought against The Regents of the University of California, the plaintiffs sought $16 million following the theft of a laptop in a home invasion robbery of a UCLA physician. The laptop contained encrypted medical information of 16,000 patients; unfortunately, the encryption key was also stolen. There was no evidence that any third party actually accessed or viewed the medical information. The court held that The Regents is not liable to pay damages to the plaintiffs.
Hospitals must update their Notice of Privacy Practices by Monday, Sept. 23, according to regulations issued by the U.S. Department of Health and Human Services (HHS) on Jan. 25. The updated notice must be posted on the hospital’s website and in the facility, provided to new patients and made available to returning patients upon request. CHA has updated its model notices to comply with the rule; the CHA models are available at www.calhospital.org/cha-developed-privacy-tools.
In addition, HHS has developed model notices that hospitals may use as a guide in developing their own. However, the HHS model notices are not California-specific — some of the provisions conflict with stricter California law, particularly for patients being treated under the Lanterman-Petris-Short Act. The HHS model notices may be found at www.hhs.gov/ocr/privacy/hipaa/modelnotices.html.
There’s a lot of buzz around the new HIPAA/HITECH final rule, and hospitals are moving quickly to review and understand the new federal regulations. But California has its own set of laws to consider that are sometimes more stringent. So, which laws do you need to follow?
You’ve just been served. The subpoena “looks” okay, and seems “official,” but you’re wary — and you should be. The stakes are often high if you get this wrong. This webinar thoroughly explains the nuances of civil and criminal subpoenas. Participants will learn how to review what they receive and respond with confidence.
Learn about the fundamentals of health information privacy to make decisions with confidence. Expert faculty explain the many laws governing patient privacy and how they apply to the most common situations. Case scenarios are used to challenge participant knowledge and critical thinking skills.
Significant requirements have been imposed on hospitals and other health facilities with the passage of federal and state laws regulating the privacy, security, use and disclosure of health information. The California Health Information Privacy Manual was written to help hospitals understand and comply with these increasingly complex laws.
The Office for Civil Rights within the U.S. Department of Health and Human Services has released its first report to Congress on breaches of unsecured protected health information that occurred between September 23, 2009 (the date the breach notification requirements became effective) and December 31, 2010. The report is required by the Health Information Technology for Economic and Clinical Health (HITECH) Act.