CSO Disclosure Series | What California's New Medical Disclosure Law Means for the Rest of Us

New state law AB 1298, aimed at reducing instances of medical identity theft, could prompt similar legislation elsewhere, but experts are still unsure whether out-of-state companies with information about Californians must comply

By Katherine Walsh

[The Dos and Don’ts of Disclosure Letters (http://www2.csoonline.com/exclusives/column.html?CID=33523) from the December issue of CSO Magazine.]

That confusion is one reason why Booz and Borten both say a federal disclosure law is necessary. “There are many privacy laws and regulations, some dealing with disclosure, but they tend to be very niche, like the protection of genetic information, for example,” says Borten, noting that the patchwork quilt of regulations will increasingly become a problem as interstate healthcare commerce grows and medical records become increasingly managed across state boundaries. In her opinion, “breach notification should be treated the same way across the country,” she says.

Until that happens, Booz says the California law is a good thing that will spread soon enough. “States other than California can certainly act without legislation as a best practice,” he says. “Those that get in front of the issue will have a better ability to create consumer confidence.”

The law aims to help foster consumer confidence and help curb a growing problem: medical identity theft. A 2006 report from the California-based World Privacy Forum, which helped drive the California legislation, found that a quarter of a million people become victims of medical identity theft each year. Gartner’s projections for this year are even higher. The consultancy estimates that there will be more than 1 million cases of medical identity theft in 2008.

Booz says the exposure of medical information is just as detrimental as, if not more so than, that of financial information. Not only can it create problems with out-of-pocket expenses and insurance bills, he says, “identity theft can lead to serious medical consequences for the actual owner of the information.” Because an individual fraudulently using a medical identity to receive services could theoretically change portions of a legitimate medical record, the care of the actual patient could be compromised if the real patient receives medical care based on false information.
