Cal. Code Regs. tit. 22 § 79901

Current through Register 2024 Notice Reg. No. 49, December 6, 2024
Section 79901 - Definitions
(a) "Access" means the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.
(b) "Breach" means each individual instance of unlawful or unauthorized access to, use, or disclosure of a specific patient's medical information.
(1) Breach excludes:
(A) Any paper record, electronic mail, or facsimile transmission inadvertently accessed, used, or disclosed within the same health care facility or health care system where the information is not further accessed, used, or disclosed unless permitted or required by law.
(B) Any internal paper record, electronic mail or facsimile transmission outside the same health care facility or health care system sent to a covered entity (as defined under Part 160.103 of Title 45 of the Code of Federal Regulations, as of June 27, 2014) that has been inadvertently misdirected within the course of coordinating care or delivering services.
(C) A disclosure of medical information in which a health care facility or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such medical information.
(D) Any access to, use, or disclosure of medical information permitted or required by state or federal law.
(E) Any lost or stolen encrypted electronic data containing a patient's medical information that is in any way created, kept, or maintained by a health care facility where the encrypted electronic data has not been accessed, used, or disclosed in an unlawful or unauthorized manner. Any lost or stolen electronic data containing a patient's medical information that is in any way created, kept, or maintained by a health care facility that is not encrypted shall be presumed a breach unless it is excluded by section 79901(b)(1)(F).
(F) A disclosure for which a health care facility or business associate, as applicable, determines that there is a low probability that medical information has been compromised based on a risk assessment of at least the following factors:
(i) The nature and extent of the medical information involved, including the types of identifiers and the likelihood of re-identification;
(ii) The unauthorized person who used the medical information or to whom the disclosure was made;
(iii) Whether the medical information was actually acquired or viewed; and
(iv) The extent to which the risk of access to the medical information has been mitigated.
(c) "Business associate" means a person or entity that, in the course of a contractual agreement with a health care facility or health care system:
(1) Creates, receives, maintains, or transmits medical information on behalf of the health care facility or health care system for a function or activity regulated by Subchapter C of Subtitle A of Title 45 of the Code of Federal Regulations as of January 25, 2013.
(2) Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services for which the provision of the services involves the disclosure of medical information to the person or entity.
(3) "Business associate" includes a subcontractor or agent that creates, receives, maintains, or transmits medical information in the course of a contractual agreement with a business associate of a health care facility or health care system.
(4) "Business associate" excludes a workforce member of the health care facility, health care systems affiliated with the health care facility, and providers of health care, as defined under Civil Code section 56.05.
(d) "Business day" means any calendar day except Saturday and Sunday, or the following business holidays: New Year's Day, Martin Luther King Jr. Day, Presidents' Day, Memorial Day, Independence Day, Labor Day, Veterans' Day, Thanksgiving Day, and Christmas Day.
(e) "Department" means the California Department of Public Health.
(f) "Detect" means the discovery of a breach, or the reasonable belief that a breach occurred by a health care facility or business associate. A breach shall be treated as detected as of the first business day on which such breach is known to the health care facility or business associate, or by exercising reasonable diligence would have been known to the health care facility or business associate. A health care facility or business associate shall be deemed to have knowledge of a breach if such a breach is known, or by exercising reasonable diligence would have been known, to any person other than the person committing the breach, who is a workforce member or agent of the health care facility or a business associate.
(g) "Disclosure" means the release, transfer, provision of access to, or divulging in any manner of information from the entity or individual holding the information.
(h) "Encrypted" means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key and such confidential process or key that might enable decryption has not been breached.
(i) "Factors outside the control of the health care facility" means any circumstance not within the reasonable control of the health care facility, including, but not limited to, fires, explosions, natural disasters, severe weather events, war, invasion, civil unrest, acts or threats of terrorism, and utility or infrastructure failure. "Factors outside the control of the health care facility" does not include the acts of the health care facility, business associate, or their respective workforce members.
(j) "Health care facility" means a clinic, health facility, home health agency or hospice licensed pursuant to section 1204, 1250, 1725, or 1745 of the Health and Safety Code. For purposes of this chapter, a "health care facility" as it relates to a breach of a patient's medical information shall include workforce members, medical staff, and business associates at the time of the breach and the detection of the breach.
(k) "Health care system" means:
(1) Health care facilities, along with members of their medical staff and entities under common ownership or control;
(2) Entities participating in an "organized health care arrangement," as defined under Part 160.103 of Title 45 of the Code of Federal Regulations, as of June 27, 2014;
(3) Entities designated as "affiliated covered entities," pursuant to Part 164.105(b) of Title 45 of the Code of Federal Regulations, as of March 26, 2013; and
(4) Entities participating in a health care provider network or health plan network, including but not limited to accountable care organizations as defined under Part 425.20 of Title 42 of the Code of Federal Regulations, as of August 9, 2016.
(l) "Medical Information" means, as provided for under Civil Code section 56.05, any individually identifiable information in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor, as defined in Civil Code section 56.05(d), regarding a patient's medical history, mental or physical condition, or treatment. The term "individually identifiable" means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity.
(m) "Medical staff" shall have the same meaning as provided in section 70703(a)(1).
(n) "Patient representative" shall have the same meaning as provided in Health and Safety Code section 123105(e).
(o) "Reported event" means all breaches included in any single report that is made pursuant to Health and Safety Code section 1280.15(b), regardless of the number of breach events contained in the report.
(p) "Subsequent occurrence" means any additional breach of a patient's medical information subsequent to a reported event that is substantially related to the initial reported event.
(q) "Unauthorized" shall have the same meaning as provided in Health and Safety Code section 1280.15.
(r) "Workforce" means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a health care facility or business associate, is under the direct control of such health care facility or business associate, whether or not they are paid by the health care facility or business associate.

1. New section filed 6-28-2021; operative 7-1-2021 pursuant to Government Code section 11343.4(b)(3) (Register 2021, No. 27). Filing deadline specified in Government Code section 11349.3(a) extended 60 calendar days pursuant to Executive Order N-40-20 and an additional 60 calendar days pursuant to Executive Order N-71-20.

Note: Authority cited: Sections 131000, 131050, 131051, 131052 and 131200, Health and Safety Code. Reference: Section 1280.15, Health and Safety Code.