While recent legislation has tended to tighten data breach notification requirements (e.g., Florida and California), Assembly Bill 1755 extended the breach notification deadline from five to 15 days for certain healthcare providers. More specifically, according to AB1755 which becomes effective January 1, 2015, the deadline to provide notification of a breach of medical information for healthcare providers covered by California Health and Safety Code Section 1280.15 (clinics, health facilities, home health agencies, and hospices) will be 15 days. As under the existing rule, notification must be provided within that time frame to affected patients (or their representatives) and the California Department of Public Health.
Under current law, notice to the affected patient or his or her representative must be made to the patient’s or representative’s last known address. AB1755 adds some flexibility by incorporating HIPAA’s provisions for providing confidential communications under 45 CFR 164.522(b). Under that section of HIPAA, a covered healthcare provider generally is required to “accommodate reasonable requests by individuals to receive communications of protected health information…by alternative means or at alternative locations.” In that case, under AB1755, healthcare providers may send the notification using the alternative means or to the alternative location. In addition, notice can be provided by email only if the patient has previously agreed in writing to electronic notice by email.
Another change made by AB1755 is to apply the extended notification deadline in the case of a law enforcement delay. In other words, in the event notification is delayed due to law enforcement, notification must be made no later than 15 days following the conclusion of the law enforcement delay, not five days.
It is important to note that the HIPAA standards for breach notification also may apply. Under the HIPAA breach notification rule, notice will be considered timely if it is provided “without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.” In that case, depending on the circumstances, notification beyond 5 or 10 days may be considered unreasonable under HIPAA. Accordingly, healthcare providers subject to both HIPAA and California Health and Safety Code Section 1280.15, as amended, should be careful not to rely solely on the 15-day period under AB1755 as the deadline for providing notification.
It is important for healthcare providers and all entities that handle personal information to continually review their incident response plans and adapt them to changes in their business and changes in the law.