Network World
California privacy laws heighten need for HIPAA compliance

By Jaikumar Vijayan , Computerworld , 10/07/2008
Healthcare organizations that operate in California have two more good reasons to be sure that they comply with the data security and privacy requirements of the federal HIPAA law.

Last week, California Gov. Arnold Schwarzenegger signed into law two pieces of legislation that significantly increase state fines for security and privacy violations involving patient health information. The bills -- known as Senate Bill 541 and Assembly Bill 211 -- also set new breach-disclosure standards and mandate security controls for preventing unauthorized access to patient data.

In addition, AB 211 establishes a new state Office of Health Information Integrity that will be responsible for enforcing statutes governing the confidentiality of healthcare data and imposing administrative fines on entities that fail to comply with the rules. Both laws were signed by Schwarzenegger last Tuesday -- the same day that he vetoed a data breach bill aimed at retailers -- and are scheduled to take effect on Jan. 1.

The bills significantly raise the bar on security and privacy controls for healthcare businesses in California, warned Peter MacKoul, president of HIPAA Solutions LC, a consulting firm in Sugar Land, Texas. "The laws change the level of scrutiny, they increase penalties and fines by enormous amounts, they have mandatory reporting requirements and they allow individuals to sue," MacKoul said.

And, he noted, the statutes are likely to put more pressure on companies in California to comply with the Health Insurance Portability and Accountability Act (HIPAA), whose privacy and security provisions took effect in 2003 and 2005, respectively. HIPAA mandates many of the same controls on data as the new California laws do, but it has yet to be broadly enforced by the federal government.

"The state is using HIPAA as the floor, saying it's been so many years since HIPAA went into effect that you needed to have complied with it a long time ago," MacKoul said. As state statutes, SB 541 and AB 211 don't directly require healthcare organizations to comply with the HIPAA regulations -- but in effect, that is what they will end up doing, he added.

The new California laws also come at a time when more attention is finally being paid to HIPAA enforcement at the federal level. Earlier this year, for instance, the U.S. Department of Health and Human Services imposed a $100,000 settlement on Seattle-based Providence Health & Services and forced the healthcare provider to adopt a stringent "corrective action plan" in response to what HHS described as potential HIPAA violations.

The so-called resolution agreement -- the first of its kind to be signed under HIPAA -- stemmed from the loss or theft of laptops, optical discs and backup tapes containing the unencrypted medical records of more than 386,000 Providence patients during 2005 and 2006. The settlement stemmed from only the second known HIPAA audit conducted by the HHS, following one last year at Piedmont Hospital in Atlanta. But the deal with Providence was widely seen in the healthcare industry as a sign that HHS would step up its enforcement actions going forward.
