Skip to: Content | Footer | Accessibility
 Search
Wednesday, May 16, 2012
     

Providers of Health Care Requirements

REQUIREMENTS TO COMPLY WITH AB 211 AND THE CMIA

  1. AB 211 Compliance Requirements for Providers of Health Care

    Every provider of health care as defined in Civil Code sections 56.05(j) shall establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient’s medical information.

    Every provider of health care as defined in Civil Code sections 56.05(j) shall reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use or disclosure.

    Health & Safety Code Division 109, section 130203(a)

  2. Determining Compliance

    In determining if a violation has occurred, CalOHii will consider the provider’s:

    • Complexity
    • Size
    • History of compliance
    • Steps taken to correct and prevent detected violations from reoccurring, and
    • Any factors beyond the provider’s control that restricted the facility’s ability to comply.
    • Implementing regulations will be promulgated by CalOHII in the future.
    Health & Safety Code Division 109, section 130203(b)

     

  3. Unauthorized Access Defined

    Unauthorized access is the inappropriate viewing of patient medical information without direct need for diagnosis, treatment, or other unlawful use not permitted by either the Confidentiality of Medical information Act (CMIA) or any other laws governing the use or disclosure of medical information.

    Health & Safety Code Division 109, section 130201(e)

    Civil Code Division 1, Part 2.6, Ch.1, sections 56 et seq. (see especially section 56.10)

    For details on who must comply and penalties for violations, information is available on the following pages:

    • Providers of Health Care Who Must Comply
    • Penalties

HEALTH CARE PROVIDERS WHO MUST COMPLY

A provider of health care as defined in Civil Code sections 56.05(j) and 56.06 must comply. Generally, sections 56.05(j) and 56.06 encompass three types of providers of health care: health care facilities, health care professionals, and businesses who maintain medical information. The following lists are the providers of health care who must comply referenced in Civil Code sections 56.05(j) and 56.06.

Civil Code Division 1, Part 2.6, Ch.1, sections 56.05(j) & 56.06

Civil Code section 56.05(j) refers to facilities licensed pursuant to Sections 1204, 1250, 1725, or 1745 of the Health and Safety Code:

  • Primary care clinics
    • Community clinics
    • Free clinics
  • Specialty clinics
    • Surgical clinics
    • Chronic Dialysis clinics
    • Rehabilitation clinics
    • Alternative Birth centers
  • General acute care hospitals
    • Emergency centers
  • Acute psychiatric hospitals
  • Skilled nursing facilities
  • Intermediate care facilities
  • Special hospitals
  • Congregate living health facilities
  • Correctional treatment centers
  • Home health agencies
  • Hospices
  • Mobile health care units

Health & Safety Code Division 2, sections 1200 et seq.

Civil Code section 56.05(j) also refers to health care professionals licensed under: Division 2 of the Business and Professions Code, Osteopathic Initiative Act, the Chiropractive Initiative Act, or any person certified pursuant to Division 2.5 of the Health and Safety Code:

  • Acupuncturists
  • Chiropractors
  • Dentists
  • EMT I, EMT II, and Paramedics
  • Nurses
  • Occupational therapists
  • Opticians
  • Optometrists
  • Osteopaths
  • Pharmacists
  • Physician and surgeons
  • Physician assistants
  • Physical therapists
  • Psychiatric technicians
  • Psychologists
  • Social workers
  • Therapists
  • Vocational nurses

Licensed professionals: Business & Professions Code Division 2, sections 500 et seq.

Osteopaths: Business & Professions Code Division 2, Ch.5, art.4, sections 2080-2099

Chiropractors: Business & Professions Code Division 2, Ch.2, art.1, sections 1000-1005

Emergency Medical Services: Health & Safety Code Division 2.5, sections 1797 et seq.

 

PENALTIES AND REFERRALS

  1. Penalties

    CalOHII may assess a penalty on providers of health care as defined in 56.05 (j) other than licensed facilities. Any administrative fine assessment by CalOHII for an unauthorized use, disclosure or access of individually identifying information will be in an amount as provided in Civil Code section 56.36. An administrative fine or civil penalty for any violation by a health care facility will be assessed by the California Department of Public Health.

    CalOHII’s authority: Civil Code Division 1, Part 2.6, Ch.1, sections 56.36(d) & (e)

    And: Health & Safety Code Division 109, sections 130202(a)(1) & (2)

    Penalties: Civil Code Division 1, Part 2.6, Ch.1, section 56.36(c)

    1. CalOHII may assess penalties against health care professionals licensed under Division 2 of the Business and Professions Code, Osteopathic Initiative Act, the Chiropractive Initiative Act, or any person certified pursuant to Division 2.5 of the Health and Safety Code:
    2. CalOHII may assess the following penalties: Providers of health care as defined, that knowingly and willfully violate a patient’s medical information privacy are subject to penalties of up to:
      • $2,500 for the first offense,
      • $10,000 for the second offense,
      • $25,000 for each subsequent offense.

      Providers of health care as defined, that violate a patient’s medical information for financial gain are subject to penalties of up to:

      • $5,000 for the first offense,
      • $25,000 for the second offense,
      • $250,000 for each subsequent offense, and
      • Disgorgement of any proceeds.

      Any person or entity, but not entities that are licensed facilities subject to California Department of Public Health oversight or Civil Code section 56.06 entities that negligently discloses medical information in violation of the CMIA, irrespective of damage, may be subject to an administrative fine of up to $2,500 per violation.

      Civil Code Division 1, Part 2.6, Ch.1, section 56.36(c)

      Health & Safety Code Division 109, section 130202(a)(1)

    3. When assessing a penalty, CalOHII shall consider any relevant circumstances including but not limited to the following:
      • Good faith attempts to comply,
      • Nature of the misconduct,
      • Any harm done,
      • Number of violations,
      • Persistence of misconduct,
      • Length of time over which the misconduct occurred,
      • Willfulness of the misconduct, and
      • Defendant’s assets, liabilities, and net worth.

      Civil Code Division 1, Part 2.6, Ch.1, section 56.36(d)

  2. Referrals

    The director of CalOHII may recommend to the Attorney General, district attorney, county counsel, city attorney, or city prosecutor that a civil action be brought under Civil Code section 56.36. In addition, the director of CalOHII may refer evidence of potential violations for discipline or further investigation to the relevant licensing authority who shall review all evidence submitted.

    Health & Safety Code Division 109, section 130205

    Civil Code Division 1, Part 2.6, Ch.1, section 56.36(e) 

  3. Relief Available to the Individual 

    In addition to any administrative fines, an individual whose medical information privacy was violated has a private cause of action. An individual whose medical information has been used in violation of the CMIA and who has sustained economic loss or personal injury may recover:
    • Compensatory damages,
    • Punitive damages of up to $3000,
    • Attorney’s fees of up to $1000, and
    • Cost of litigation.
    • Any person or entity that negligently discloses medical information in violation of the CMIA may be subject to:
      • Nominal damages of $1000, and
      • Actual damages.

    Civil Code Division 1, Part 2.6, Ch.1, sections 56.35 & 56.36(b)