By Jamie Jung
Nadya Suleman. Farrah Fawcett. Britney Spears. Michael Jackson. These individuals are among a bevy of celebrities who have recently been subjected to intense media scrutiny as a result of some medical issue they were experiencing. The nation has gone crazy for celebrity gossip and has been unwilling to make room for privacy of any kind. Media outlets are willing to pay top dollar for inside information, including privileged medical information relating to these celebrities. This wave of leaked medical information has led to serious changes in the privacy laws regulating the use of such information.
At the end of September 2008, Gov. Arnold Schwarzenegger signed Senate Bill 541, which was codified as California Health & Safety Code Sections 1280.1, 1280.15 and 1280.3. These new regulations took effect on January 1, 2009. The regulations, among other things, imposed new reporting requirements on covered entities for breaches of patient information privacy and dramatically increased the penalties for such violations.
Highlighting both the need for these regulations and the seriousness with which the California Department of Public Health treats these violations, we need look no further than the infamous Octomom, Nadya Suleman. Just months after the regulations went into effect, the Department fined Kaiser Permanente’s Bellflower facility $250,000 for unlawfully releasing Suleman’s medical records.
Following closely behind the California law changes, Congress passed the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”) as part of the American Recovery and Reinvestment Act of 2009 (“ARRA”). The HITECH Act became effective September 24, 2009 and full compliance was required by February 22, 2010.
The HITECH Act made dramatic and important additions to the existing regulations found in the Health Insurance Portability and Accountability Act (“HIPAA”). HIPAA is the federal regulation which, in part, protects health information through its Privacy Rule and Security Rule. Among the changes that HITECH brings are:
- Changes in business associates’ duties and rights with regard to information provided to them by covered entities
- A new prohibition on snooping
- An extension of the “Minimum Necessary” Rule
- New breach notification requirements
- Authority of state attorneys general to bring civil actions on behalf of state residents they believe to have been adversely affected by a violation of HIPAA or HITECH
The underlying purpose of the heightened standards and overall changes is to protect patients and their health information. HITECH is the legislature’s recognition that more than just covered entities were handling private patient health information and that the existing regulations were not enough. These new regulations impose the responsibilities of HIPAA upon entities that do not traditionally fit the definition of a “covered entity.” Further, all entities with access to personal health information will be responsible for taking action in the event of a breach in the security of that information. There is also a new prohibition against unauthorized viewing of personal health information, even where no disclosure takes place.
Not much enforcement has taken place thus far, although full enforcement is not far off. The US Department of Health and Human Services’ Office of Civil Rights recently sent its proposed regulations amending the HIPAA Privacy Rule to conform with HITECH’s requirements to the Office of Information and Regulatory Affairs for review. Although no one can predict how long it will take for these guidelines to become public, once they are, it is anticipated that they will provide further guidance on how to comply with all the new requirements set forth by HITECH. It will be interesting to see what happens once these guidelines go public and all these new regulations begin to make more sense.
Gov. Schwarzenegger was no doubt influenced by California First Lady, Maria Shriver, whose medical records had been improperly viewed by employees at a UCLA medical facility in 2008.
Under HIPAA, a covered entity is defined as health insurers and/or plans, clearinghouses and health care providers who engage in certain types of electronic transactions. See http://www.cms.hhs.gov/HIPAAGenInfo/06_AreYouaCoveredEntity.asp