Cal. Code Regs. tit. 22 § 79902

Current through Register 2024 Notice Reg. No. 49, December 6, 2024
Section 79902 - Breach Reporting Requirements
(a) A health care facility, excluding a business associate, shall report to the Department a breach of a patient's medical information, or a breach reasonably believed to have occurred, no later than 15 business days after the breach has been detected. Such breaches shall be reported to the Department by the health care facility by electronic mail, telephone, facsimile transmission, first-class mail, or through an internet website maintained by the Department.
(1) In its reporting of a breach, the health care facility shall provide the Department, in writing and signed by a representative of the health care facility, the following:
(A) Name and address of the health care facility where the breach occurred;
(B) Date and time that each breach occurred;
(C) Date and time that each breach was detected;
(D) Name of patient(s) affected;
(E) Description of the medical information that was breached, including the nature and extent of the medical information involved, including the types of individually identifiable information (as defined in Civil Code section 56.05), and the likelihood of re-identification;
(F) Description of the events surrounding the breach;
(G) Name(s) and contact information of the individual(s) who performed the breach, any witness(es) to the breach, and any unauthorized person(s) who used the medical information or to whom the disclosure was made, to the extent known;
(H) Date that patient or patient's representative was notified, was attempted to be notified, or will be notified of breach;
(I) The contact information of a health care facility representative whom the Department may contact for additional information;
(J) Description of any corrective or mitigating action taken by the health care facility;
(K) Any other instances of a reported event that includes a breach of that patient's medical information by the health care facility in the previous six years.
(L) A copy of the notification sent to the patient or patient's representative, pursuant to section 79902(b), and any additional information provided to the patient or patient's representative relating to the breach; and
(M) Any audit reports, witness statements, or other documents that the health care facility relied upon in determining that a breach occurred.
(2) A health care facility shall report any additional information relevant to the breach, as it becomes available to the health care facility, beyond the 15 business days.
(3) If a health care facility fails to report a breach of a patient's medical information to the Department, the Department may assess a penalty in the amount of $100 for each day that the breach is not reported to the Department, not to exceed the limits set forth in Health and Safety Code section 1280.15.
(4) A breach shall not be deemed reported to the Department unless the health care facility has provided, or made a good faith effort to provide, to the Department the items required in section 79902(a)(1). Any items required for reporting under section 79902(a)(1) not available to the health care facility at the time of the reporting shall be provided to the Department as they are available to the health care facility. Any unreasonable delays in reporting by the health care facility pursuant to this subdivision are subject to an administrative penalty assessed pursuant to section 79902(a)(3). In assessing whether delay is unreasonable, the Department will consider, among other factors, the size of the affected population, lack of sufficient information in the reporting of an incident to make a determination of compliance, time passed between the time of an incident and its discovery, whether the cause of an incident was a business associate or workforce member, and availability of staff to respond to an incident.
(5) In the event a health care facility has performed, pursuant to section 79901(b)(1)(F), a risk assessment and has determined that an incident does not constitute a breach of a patient's medical information, the health care facility shall maintain a centralized record of each non-breach incident, along with all materials the health care facility relied upon in performing the risk assessment. All such centralized records shall be maintained by the health care facility and available for inspection by the Department at all times. A health care facility shall retain records relating to such a risk assessment for a period of at least six years from the time of the incident.
(b) Except as provided in Health and Safety Code section 1280.15(c), a health care facility shall report a breach of a patient's medical information in writing by first-class mail to the patient or the patient's representative at the last known address, or by electronic mail, if the individual agrees and such agreement has not been withdrawn, pursuant to Part 164.404(d) of Title 45 of the Code of Federal Regulations, no later than 15 business days after the breach has been detected by the health care facility. The notification may be provided in one or more mailings as information is available.
(1) In its reporting of the breach, the health care facility shall provide the patient or the patient's representative:
(A) A brief description of what happened, including the health care facility name and address, the date of the breach and the date of the discovery of the breach, if known;
(B) A description of the types of medical information that were involved in the breach (e.g., full name, Social Security number, date of birth, home address, account number, diagnosis, or other types of information);
(C) Any steps the patient should take to protect himself or herself from potential harm resulting from the breach;
(D) A brief description of what the health care facility involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
(E) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, internet website address, or postal address.
(2) The reporting required in subsection (b)(1) shall be written in plain language.
(3) If a health care facility does not report a breach of a patient's medical information to a patient or the patient's representative, the Department may assess a penalty in the amount of $100 for each day that the breach is not reported to the patient or the patient's representative, not to exceed the limits set forth in Health and Safety Code section 1280.15.

1. New section filed 6-28-2021; operative 7-1-2021 pursuant to Government Code section 11343.4(b)(3) (Register 2021, No. 27). Filing deadline specified in Government Code section 11349.3(a) extended 60 calendar days pursuant to Executive Order N-40-20 and an additional 60 calendar days pursuant to Executive Order N-71-20.

Note: Authority cited: Sections 131000, 131050, 131051, 131052 and 131200, Health and Safety Code. Reference: Section 1280.15, Health and Safety Code.