
CSO Disclosure Series | What California's New Medical Disclosure Law Means for the Rest of Us

New state law AB 1298, aimed at reducing instances of medical identity theft, could prompt similar legislation elsewhere, but experts are still unsure whether out-of-state companies with information about Californians must comply

By Katherine Walsh

February 04, 2008

CSO — A new California law requiring that customers be notified of a breach involving their medical information is likely to influence legislation in other states, according to two analysts who follow the health-care industry. However, legal experts remain divided on whether the law applies to out-of-state organizations that hold information about Californians.

AB 1298 is an extension of the financial data breach notification law SB 1386, which has been partially responsible for influencing nearly 40 other states to adopt similar legislation over the past five years, and which is widely interpreted as applying to non-California entities that hold customer records about California residents. The new law requires all state agencies and companies that conduct business in California to notify residents when a breach of their medical information occurs. In order to warrant notification, a name must be associated with the data, but Social Security numbers do not have to be present. The new law also restricts organizations from disclosing personal health information without patient consent.

Robert Booz, a vice president of research at Gartner, anticipates that this law will expand the health-care industry’s concern for privacy and security, as well as influence other states to adopt legislation, if for no other reason than to demonstrate good public policy.

Consumer confidence is central to the idea of electronic patient health records, Booz says, citing a November 2007 Wall Street Journal/Harris Interactive poll in which 40 percent of respondents said that the privacy risks associated with electronic health records do not outweigh the medical benefits. If use of these records is to proceed, “consumers must be confident their information will not be compromised,” he says.

In the short term, California-based health insurers and others who hold medical records must revisit their privacy and security standards. “They need to implement proper security measures, like encryption,” Booz says. In addition, the law will require a new level of investment in training for customer service, sales and other externally facing operations.

Still unclear is the law’s impact on hospitals and insurers in states other than California that hold patient information about a California resident. Kate Borten, founder and president of The Marblehead Group, a health information security consultancy, has heard mixed opinions on the jurisdiction of the disclosure laws, whether for financial or medical information.

“I’ve heard lawyers say that a company in a state without the law is not subject to the breach notification requirement in another state because each state is a sovereign entity,” Borten says. “I don’t know that there is any case law yet that has cleared that up.”

[Editor’s note: Companies facing the unpleasant task of writing a disclosure letter should read Scott Berinato’s
