CSO Disclosure Series | What California's New Medical Disclosure Law Means for the Rest of Us

New state law AB 1298, aimed at reducing instances of medical identity theft, could prompt similar legislation elsewhere, but experts are still unsure whether out-of-state companies with information about Californians must comply

A new California law requiring that customers be notified of a breach involving their medical information is likely to influence legislation in other states, according to two analysts who follow the health-care industry. However, legal experts remain divided on whether the law applies to out-of-state organizations who hold information about Californians.

AB 1298 is an extension of the financial data breach notification law SB 1386, which has been partially responsible for influencing nearly 40 other states to adopt similar legislation over the past five years, and which is widely interpreted as applying to non-California entities that hold customer records about California residents. The new law requires all state agencies and companies that conduct business in California to notify residents when a breach of their medical information occurs. In order to warrant notification, a name must be associated with the data, but Social Security numbers do not have to be present. The new law also restricts organizations from disclosing personal health information without patient consent.

Robert Booz, a vice president of research at Gartner, anticipates that this law will expand the healthcare industry’s concern for privacy and security, as well as influence other states to adopt legislation--if for no other reason than to demonstrate good public policy.

Consumer confidence is central to the idea of electronic patient health records, Booz says, citing a November 2007 Wall Street Journal/Harris Interactive poll in which 40 percent of respondents said that the privacy risks associated with electronic health records do not outweigh the medical benefits. If use of these records is to proceed, “consumers must be confident their information will not be compromised,” he says.

In the short term, California-based health insurers and others who hold medical records must revisit their privacy and security standards. “They need to implement proper security measures, like encryption,” Booz says. In addition, the law will require a new level of investment in training for customer service, sales and other externally facing operations.

Still unclear is the law’s impact on hospitals and insurers in states other than California that are holding patient information about a California resident. Kate Borten, founder and president of The Marblehead Group, a health information security consultancy, has heard mixed opinions involving the jurisdiction of the disclosure laws either for financial information or medical information.

“I’ve heard lawyers say that a company in a state without the law is not subject to the breach notification requirement in another state because each state is a sovereign entity,” Borten says. “I don’t know that there is any case law yet that has cleared that up.” [Editor’s note: Companies facing the unpleasant task of writing a disclosure letter should read Scott Berinato’s The Dos and Don’ts of Disclosure Letters from the December issue of CSO Magazine.]That confusion is one reason why Booz and Borten both say a federal disclosure law is necessary. “There are many privacy laws and regulations, some dealing with disclosure, but they tend to be very niche, like the protection of genetic information, for example,” says Borten, noting that the patchwork quilt of regulations will increasingly become a problem as interstate healthcare commerce grows and medical records become increasingly managed across state boundaries. In her opinion, “breach notification should be treated the same way across the country,” she says.Until that happens, Booz says the California law is a good thing that will spread soon enough. “States other than California can certainly act without legislation as a best practice,” he says. “Those that get in front of the issue will have a better ability to create consumer confidence.”The law aims to help foster consumer confidence and help curb a growing problem: medical identity theft. A 2006 report from the California-based World Privacy Forum, which helped drive the California legislation, found that a quarter of a million people become victims of medical identity theft each year. Gartner’s projections for this year are even higher. The consultancy estimates that there will be more than 1 million cases of medical identity theft in 2008.Booz says the exposure of medical information is just as detrimental if not more so than that of financial information. Not only can it create problems with out-of-pocket expenses and insurance bills, he says, “identity theft can lead to serious medical consequences for the actual owner of the information.” Because an individual fraudulently using a medical identity to receive services could theoretically change portions of a legitimate medical record, the care of the actual patient could be compromised, if the real patient receives medical care based on false information.

Copyright © 2008 IDG Communications, Inc.

The 10 most powerful cybersecurity companies