Privacy Breach Raises Jurisdictional Questions
Privacy advocates are questioning whether state and federal laws are strong enough after UCLA Medical Center this week disclosed that more than 50 patients' health records had been improperly accessed -- 33 of them by a now-former employee who explained the situation as "just me being nosy" about high-profile patients, according to published reports.
In addition to state charges, she could face criminal charges for violating the federal Health Insurance Portability and Accountability Act.
But that is a gray area in the law.
A recent legal opinion by the Justice Department concluded that HIPAA rules apply primarily to organizations -- hospitals, health plans and physician offices -- and only secondarily to individuals.
California's medical privacy laws leave jurisdiction to the courts, rather than to state health officials. But the question remains -- which court?
"My understanding is that we could refer the case to the attorney general to enforce the [state Confidentiality of Medical Information Act], or to the local district attorney or the city attorney," said Kim Belshé, secretary of the Health and Human Services Agency.
"We're looking at all three," Belshé said.
An expansion of California's medical privacy law took effect Jan. 1, but it remains to be seen whether advocates and lawmakers will take events at UCLA as their cue to push for still more laws on the issue.
In the meantime, here's a look at how some other bills are faring in the California Legislature.