Are your privacy and security practices HIPAA compliant?

Even if HIPAA doesn’t technically apply to your wearable tech venture, mobile medical app, or telemedicine project, state laws have mirror privacy and security provisions with which your company must comply. To comply with state law privacy and security requirements, you’ll need mirror HIPAA policies, procedures, and forms.

These may not necessarily match all of HIPAA’s technical requirements, but they should be designed to provide privacy and security protection sufficient to comply with state law.

You’ll also want HIPAA online training for all your staff. HIPAA training is essential as a risk mitigation procedure.

While every state has its own laws, California’s are extensive.

California recently changed its medical data breach notification requirement through Assembly Bill 1755. The breach notification requirement is now 15 days for clinics, health facilities, home health agencies, and hospices (effective 1/1/15), changing California Health and Safety Code Section 1280.15.

The new law also expands the privacy protections to any business that maintains personal information about a California resident; previously, only those who “own or license” personal information were covered.

California law also requires the breaching entity to “offer to provide appropriate identity theft prevention and mitigation services … at no cost to the affected person for not less than 12 months.”

California has several important statutory provisions for privacy and security of personal information.

Among these, Civil Code Section 56-65.37 (the Confidentiality of Medical Information Act (CMIA)) applies to a “provider of healthcare,” such as a health care licensee (acupuncturists, chiropractors, dentists, EMTs and paramedics, nurses, occupational therapists, opticians and optometrists, osteopaths, pharmacists, physicians and surgeons, physician assistants, physical therapists, psychiatric technicians, psychologists, social workers, therapists, and vocational nurses), a health care facility (such as primary care clinics (community clinics and free clinics), specialty clinics (surgical clinics, chronic dialysis clinics, rehabilitation clinics, alternative birth centers), general acute hospitals (emergency centers), acute psychiatric facilities, skilled nursing facilities, intermediate care facilities, special hospitals, congregate living health facilities, correctional treatment centers, home health agencies, hospices, and mobile health units)), or a business that maintains medical information.

The CMIA applies to “medical information.”

“Medical information” means: “any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity” (section 56.05(g)).

Critically, Section 56.101(a) of CMIA provides: “Every provider of health care, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical information shall do so in a manner that preserves the confidentiality of the information contained therein.”

But what does it mean to preserve the confidentiality of medical information?

HIPAA compliance is a gold standard, but remember that HIPAA itself is scalable, with respect to standards that are addressable rather than required. California explains privacy and security obligations on some government websites, but enforcement authorities may default to HIPAA, especially after the fact if a breach has occurred.

And data breaches may be inevitable even with the best privacy and security protection.

(The CMIA has other provisions regarding medical authorizations.)

The next important statutory provision is California Civil Code Sections 1798.80-1798.84. This is important because it requires safeguarding of personal information, which is broader than medical information.

Section 1798.80 defines “personal information” as: “any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. ‘Personal information’ does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.”

The statute goes on to define disposal of records and security practices, and to provide breach notification rules. This statute should be reviewed and consulted in addition to the CMIA.

In general, because compliance is so tricky, HIPAA training is a necessary step – and one that can be used defensively in arguing that your company has done its best to achieve HIPAA compliance.

However, additional privacy and security compliance is necessary. Mirror HIPAA provisions exist in various states in different levels of detail. We can draft appropriate policies, procedures and forms, and advise on implementation, working hand in hand with your Privacy Official (if you’ve appointed one) and your Security Official or healthcare IT specialist.

Michael H Cohen Healthcare & FDA Lawyers
