Health Care Information Gets Wider Protection Under California Law
A law that expands California's landmark data-breach notification statute to include electronic medical data and health insurance information took effect on Tuesday, the San Francisco Chronicle reports.
The law forces any company doing business in the state to notify California residents if privacy breaches occur involving their:
- Unencrypted medical histories;
- Information on mental or physical conditions;
- Medical treatments and diagnoses;
- Unencrypted insurance policy or subscriber numbers; and
- Applications for insurance, claims histories and appeals.
The law also prevents any company from disclosing patients' electronic health records without their consent.
The medical data breach law was inspired in part by a 2006 World Privacy Forum report on medical identity theft.
Pam Dixon, the report's author, said about 250,000 people annually are the victims of medical identity theft.
California's initial data-breach law, which took effect in 2003, was the first in the nation and inspired similar laws in 40 states. Delaware and Arkansas are among the few states with data-breach laws that cover medical data.
In July 2006, California Gov. Arnold Schwarzenegger (R) issued an executive order to store all medical records on computers, a move that probably will result in more data breaches, according to Robert Herrell, a legislative assistant for state Assembly member Dave Jones (D), author of the bill (Gage, San Francisco Chronicle, 1/4).