Posted by: Arian Eigen Heald
Compliance, HIPAA, Identity theft, Security
Can you tell I got behind on my hardcopy reading? I just caught Rebecca Herold’s fine article in the Computer Security Alert of 2/2008 (a CSI monthly newsletter well worth getting, by the by, for the quality of the articles) concerning one of the aspects of medical identity theft: breach notification.
California is the first state in the nation to include “medical information” AND “health insurance information” in their updated state law on privacy breach notification. Since California was also the first state to implement a privacy breach requirement in state law, we can hope that other states will follow suit in this as well. The updated law, S.B. 1298, came into effect in January 2008. Here’s the relevant section:
(e) For purposes of this section, “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(1) Social security number.
(2) Driver’s license number or California Identification Card number.
(3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(4) Medical information.
(5) Health insurance information.
(f) (1) For purposes of this section, “personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
(2) For purposes of this section, “medical information” means any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.
(3) For purposes of this section, “health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.
This law will have an impact on any entity doing business in the state of California, and addresses the fact that HIPAA regulations contain no requirement for breach notification. “Ooops, we lost your medical information, but whew, we don’t have to tell you!”
These regulations also affect health care technology companies, including companies like Google or Microsoft (think HealthVault) that want to hold your information for you:
This bill would apply the prohibitions of the Confidentiality of Medical Information Act to any business organized for the purpose of maintaining medical information to allow an individual to manage his or her information, or for the treatment or diagnosis of the individual.
You can read the full legislative act here.
The bill does exempt organizations that encrypt their Personally Identifiable Information. And I suspect this bill will have a bigger impact on health care in terms of compliance.