Two laws that impose new reporting obligations and significant penalties for unauthorized access to patient medical data recently went into effect in California. The laws were spurred by recent breaches of patients’ medical records by employees at other hospitals.

SB 541 and AB 211 require facilities to report unauthorized access both to the state and to the individual affected. They also mandate security controls for preventing unauthorized access to patient data. AB 211 establishes a new state Office of Health Information Integrity, which enforces statutes governing the confidentiality of health-care data and imposes administrative fines.

Under the new laws, the state may impose fines ranging from $2,500 to $250,000 against health-care organizations and individuals for unauthorized access, use or disclosure of patient medical information. The new laws define “unauthorized” as the inappropriate review or viewing of patient medical information without a direct need for diagnosis, treatment or other lawful use.

“These new laws put real teeth into the enforcement of existing privacy laws by mandating reporting to the state and patients and imposing personal liability on individuals’ violations,” said Debra Fields, privacy officer at City of Hope. “It is essential that all employees of health-care institutions have a solid understanding of the implications of the new laws and follow institutional policy and procedure to safeguard the integrity of patient data.”

City of Hope has existing privacy policies that are consistent with the new privacy laws.

As part of its commitment to maintaining patient confidentiality, City of Hope continues to enhance encryption activities and internal controls. City of Hope also will take advantage of the new Clinical Information System’s capabilities to monitor records to detect unauthorized access and use of patient medical information.

Employees with questions about City of Hope’s patient privacy policies are encouraged to contact the compliance office at ext. 64025.