California joins 4 states revamping their healthcare data breach reporting requirements
Becker's Health IT
Five states are increasing data breach protections for residents. From new reporting deadlines to protecting businesses from lawsuits brought by breached individuals, here's what cybersecurity leaders need to know:
California issued new regulations July 1, effective immediately, that limit the circumstances when unauthorized access to medical information has to be reported to the California health department, JD Supra reported. If a fax was misdirected to a different physician's office or if a patient received the wrong discharge instructions, hospitals no longer need to report it. However, if a data breach at a healthcare organization does occur, the organization has 15 days after the breach was detected to report it to the health department.
The new rule will also grant the California health department access to an organization's records, internal assessments and documents if there is a breach. A hospital can be fined up to $25,000 for each patient whose medical information was unlawfully accessed, used or disclosed. It can be fined up to $17,500 per subsequent occurrence. The health department can also penalize a hospital $100 per day if it fails to report the breach to the health department or the patients affected. Hospitals can be fined up to $250,000.
Texas' new law requires the attorney general's office to post data breach notices to a public website within 30 days of receiving notice of the breach. Companies are required to provide the office a notification within 60 days of discovering the breach if 250 or more Texans are involved, The National Law Review reported.
Reporting companies need to tell the...