California Updates Health Facility Data Breach Requirements 

July 15, 2021 - California is tightening up its health facility data breach regulations and recently issued an update to its administrative penalties and reporting requirements. 

The newly updated health facility data breach regulations went into effect on July 1, according to the California Department of Public Health.  

“The regulations implement California's Health and Safety Code Section 1280.15, which requires a clinic, health facility, home health agency, or hospice licensed by the Department [of Health] to prevent any unlawful or unauthorized access to, or use, or disclosure of, a patient's medical information,” according to a report by the law firm Baker Donelson. 

In an All Facilities Letter published by the California Department of Public Health, Acting Deputy Director Cassie Dunham stated that the updated “regulations require healthcare facilities to report a medical information breach to CDPH no later than 15 days after the breach has been detected. The regulations describe the information the health care facility must provide to CDPH. Delays in reporting may result in additional administrative penalties.” 

“CDPH may impose an administrative penalty on a health care facility if it determines that the facility has committed a breach of a patient’s health information,” the deputy director’s letter states.  

“The base penalty amount is $15,000 and the penalty must not exceed the maximum penalty amount specified in HSC section 1280.15,” Dunham noted. “The penalty may be adjusted based on the penalty adjustment factors described in the adopted regulations. In addition, CDPH may modify the penalty for small and rural hospitals if they submit a request to CDPH. CDPH may also adjust the penalties for primary care clinics and skilled nursing facilities under specified conditions.” 

Dunham stated that health facilities must also notify all patients whose information was breached.  

“CDPH may assess additional penalties to health care facilities that do not report a breach of a patient’s medical information to the patient or their representative,” she stated.  

“Facilities are responsible for following all applicable laws,” Dunham wrote in her letter. “CDPH’s failure to expressly notify facilities of statutory or regulatory requirements does not relieve facilities of their responsibility to follow all laws and regulations. Facilities should refer to the full text of all applicable sections of the HSC and Title 22 CCR.” 

The proceedings to update the California Health and Safety Code began in October of 2018 and were filed with the Secretary of State on June 29, 2021. The regulations went into effect on July 1, 2021.