Extended Data Breach Notification Deadline for California Healthcare Providers
A recent change to California law extends the time limit for issuing medical data breach notifications. Under Assembly Bill 1755 (AB 1755), which took effect on January 1, 2015, certain healthcare providers are allowed up to 15 business days to notify affected persons and the state; the previous deadline was 5 business days.
Under AB 1755, healthcare providers covered by California Health and Safety Code Section 1280.15 must report a breach of medical information both to the California Department of Public Health and to every affected patient (or the patient's representative). The section applies to licensed clinics, health facilities, home health agencies and hospices.
In addition to the 10-day extension of the notification deadline, AB 1755 introduces some flexibility in how affected patients may be contacted. The law previously required that the patient (or his or her representative) be notified by mail at the last known address.
The change aligns the statute with the HIPAA confidential communications rule (45 CFR 164.522(b)), under which a covered healthcare provider must accommodate reasonable requests by individuals to receive communications of protected health information by alternative means or at alternative locations. Notification by e-mail is permitted only if the patient has previously agreed to it in writing.
The amended statute also makes provision for law enforcement delays: where a law enforcement agency has asked that notification be held back, the notifications must be made within 15 business days of the end of that delay, instead of the previous 5 business days.
However, complications may arise where HIPAA also applies. The HIPAA Breach Notification Rule requires that individuals be notified "without unreasonable delay and in no case later than 60 calendar days" after discovery of a breach. The 60-day figure is an outer limit, not a safe harbor, so a provider that routinely takes the full 15 business days allowed by California law, without a justification for the delay, may still be found to have delayed unreasonably under HIPAA.
Healthcare providers should therefore be ready to act quickly after a data security incident. An incident response plan should be in place and revised regularly to keep pace with changes in legislation. Because HIPAA may apply in addition to state law, the Section 1280.15 time limit should not be used as the sole guide to when a notification must be issued; the notification clock for each applicable law should be tracked from the moment the breach is discovered, and the earliest deadline should govern.