Friday, January 04, 2008

CALIFORNIA NEW DATA BREACH LAW COVERS MEDICAL INFORMATION

California data-breach law now covers medical information

California residents must now be notified when their electronic medical information or health insurance information has been exposed.

AB 1298, which took effect Tuesday (Jan. 1), expands California's data-breach notification law to cover unencrypted medical histories, information on mental or physical conditions, and medical treatments and diagnoses.

Also covered under the law are unencrypted insurance policy or subscriber numbers, any applications for insurance, claims histories and appeals.

To trigger notification, the exposed information must include a California resident's name, but it does not need to include a Social Security number. The law applies to state agencies and to any company that does business with Californians, even if it is headquartered outside the state.

California's data-breach law - the first in the nation - previously covered only financial information. It took effect on July 1, 2003, and inspired similar laws in more than 40 states. Most of those laws don't cover medical information, however; Delaware and Arkansas are among the few that do.

In July 2006, Republican Gov. Arnold Schwarzenegger issued an executive order to move medical records to electronic storage, which probably will result in more data breaches, said Robert Herrell, a legislative assistant to Assemblyman Dave Jones, D-Sacramento, who wrote the bill.

In December, Sutter Lakeside Hospital in Lakeport (Lake County) notified 45,000 patients, doctors and employees after a contractor downloaded their records onto a hospital laptop, took it home, and the laptop was stolen.

"When those breaches happen, consumers ought to know," Herrell said.

Federal privacy and security regulations have not been enough to protect patients as medical information moves onto computers. A survey in 2006 by Phoenix Health Systems showed that 39 percent of health care providers and 33 percent of insurers reported security incidents in the previous six months. Only 56 percent of providers had implemented federal security standards and 78 percent complied with federal privacy standards. Thirteen percent of insurers were out of compliance with federal privacy standards.

"We may be as unpleasantly surprised with this becoming law as (with) the data-breach notification law in 2003," Herrell said. California's original data-breach law led to thousands of letters telling people their financial data had been exposed.

California's law was also prompted by a 2006 report on medical identity theft issued by the World Privacy Forum, a nonprofit group in San Diego. About a quarter of a million people per year are victims of this crime, according to Pam Dixon, the report's author.

"I think a lot of organizations will end up being surprised by this law," Dixon said.

The law also prohibits any company that holds electronic personal health records from disclosing that information without consent.
