states have adopted legislation to require consumer and
law enforcement notification when a security breach
occurs that compromises personal information. These
regulations will apply to medical and health insurance
information if that information has been breached and if
it contains information that is typical of an identity
theft such as social security numbers.
However, most of the core medical information or health
insurance information maintained by health care
providers, health insurers or their contractors will
have data elements that are not considered in these
existing regulations as personal information.
response to this, California recently enacted an
Assembly bill that expands the scope of existing
confidentiality and privacy regulations and identity
theft laws. A copy of that legislation is
key distinction is an expansion of the definition of
personal information. Current regulations require
notification upon any breach of non encrypted
computerized personal information; the regulations
define personal information to include the individualís
name or first initial and last name and data elements
such as financial data, social security numbers, credit
card information and so forth.
new California legislation expands the definition by
applying its principles to medical information. This is
clearly in recognition of the potential for harm by
medical identity theft as well as damage by unauthorized
access to computerized medical information. The
proliferation of health information technology,
specifically electronic medical records, personal health
records and related, and the increased access created by
remote devices, the Internet etc all have contributed to
the need to expand current law.
Thus this regulation
adds medical information or health insurance information
to the data elements, that when combined with the
individualís name or first initial and last name
constitute personal data (which is subject to the
provisions of the new regulation).
Submitted By: David
Ginsberg - PrivaPlan Associates, Inc.