New State Medical Privacy Laws Incurring Personal Liability Now Effective

In response to recent privacy violations in California involving medical records, Governor Arnold Schwarzenegger recently signed two new laws to protect patient privacy, AB 211 and SB 541. Both are effective this year. These two laws work together to make health care providers — hospitals and individual health care professionals, as well as University employees — accountable for maintaining the confidentiality of patient medical information. Importantly, individuals now face fines and penalties, for which they will be personally responsible, of up to $250,000. In addition, individuals also face criminal sanctions, as well as disciplinary action by licensing boards, for unauthorized access to or disclosure of medical information. Furthermore, hospitals incur fines for failure to prevent or report unauthorized access to or disclosure of medical information. The new laws define unauthorized access as “the inappropriate review or viewing of patient medical information without a direct need for diagnosis, treatment, or other lawful use as permitted by the California Medical Information Act.” Both the University of California and UCSF have existing privacy policies that are consistent with these new laws. Current privacy policies provide that unauthorized access, use, disclosure and viewing of medical information are unlawful and subject to sanctions and disciplinary actions up to and including termination of employment. UCSF has posted policies, guidelines and standards to assist individuals in protecting electronic information on the Enterprise Information Security website. UCSF leadership is committed to ensuring the security of protected health information (PHI) and other sensitive data. UCSF will continue to communicate news and information about computer and data security to raise awareness and reinforce best practices. It is important to note that all those who access protected health information or personally identifiable information (PII) are personally responsible for ensuring the confidentiality, privacy and security of the data entrusted to them. Every person who accesses this information could be personally subject to statutory fines and penalties for failure to comply. Responsibilities Defined Under the new laws, those who access or use PHI or PII are expected to: • Access, use and disclose only the minimum necessary amount of information • Use safeguards, including encryption software, to protect oral, written and electronic health information • Use the “Secure” email system if PHI is in an email message • Dispose of health information appropriately • De-identify information whenever possible • Protect their password(s), not share passwords, log off promptly and use computing device security Report Incidents Immediately In addition, it is critical that UCSF employees report incidents immediately, due to the new five-day reporting requirement. Report suspected privacy violations to the UCSF Privacy Office. Report lost or stolen computers promptly to the UCSF Police (415/476-1414), and if PHI is involved, call the UCSF Privacy Office (415/353-2750), as well. Going forward, UCSF will enhance encryption activities on campus, enhance controls on clinical systems, and implement more robust monitoring and surveillance of electronic records to detect unauthorized access. If you have questions concerning privacy or data security, call any of the following: • UCSF Chief Privacy Officer: 415/353-2750 • UCSF Medical Center Information Security Officer: 415/353-3539 • UCSF Information Security Officer: 415/502-1593 For more detailed information on security practices for faculty, staff, students, trainees and guests, please visit the Office of Academic and Administrative Information Systems website. Related Links: California Office of Health Information Integrity Privacy Office California Department of Public Health UCSF Privacy and Confidentiality Computer Security: A Call to Action for Every One of Us UCSF Today, June 9, 2008