HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

New California Health Data Privacy Law Plugs Holes in HIPAA

The Confidential Health Information Act came into force in California on January 1st, 2015 and provides greater privacy protection for individuals who are covered by a health plan but are not the actual policy holder.

Many individuals are covered by health insurance on a policy belonging to a parent or spouse; however when communications are sent out by the health plan operator, correspondence is usually addressed to the policy holder rather than the individual concerned. This could potentially result in the disclosure of Protected Health Information to the holder of the health plan policy.

The new legislation amends the State’s Confidentiality of Medical Information Act and has been introduced to give individuals the right to determine to whom information is disclosed and to ensure that even non policy holders are given the right to keep their medical information private.

The Health Insurance Portability and Accountability Act does cover these individuals and allows them to make a confidential information request to the provider of their health plan, although insurance companies are not bound to abide by the requests unless they clearly state that exposure of the information would “endanger the individual”.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

However HIPAA does not provide a definition of “endanger” and this has been addressed by the amendment to the California Confidentiality of Medical Information Act, which now defines endanger as “fears that disclosure of his or her medical information could subject the individual to harassment or abuse.”

The amendments made by the new law mean an individual will no longer be required to show or explain why they believe sensitive information will result in endangerment in order for confidential communication requests to be honored.

Under the Affordable Care Act, individuals under the age of 26 can be included and given dependent coverage on their parent’s health plan if they are living at home. It was believed that federal legislation could result in some individuals failing to take advantage of some Affordable Care Act benefits due to the lack of confidentiality under certain circumstances and the holes in HIPPA have now been plugged.

Specifically, the new legislation requires the provider of health plans to:

  • Honor confidential communications requests for communications relating to sensitive services, including STD tests, birth control or mental health care or for any disclosures that could endanger the covered individual; provided the covered individual is not the policy holder and makes the request in writing
  • Accommodate requests for confidential communications in the form and format requested by the covered individual, to the extent that it is feasible
  • Maintain a record of a confidential communication request until the covered individual submits a new confidential communication request or revokes the original request in writing.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.