California Attorney General Issues Guidance on Health Data Privacy Issues
Tuesday, October 19, 2021
Health Data Privacy Issue Guidance California Attorney General
Print Mail Download i

Citing “multiple unreported ramsomware attacks” targeting the healthcare sector, last month the California Attorney General (CA AG) issued guidance reminding healthcare entities of their requirements under state and federal health data privacy laws to implement adequate security measures and comply with breach notification requirements. Although the document does not provide any “new” guidance, it signals that the California AG is prioritizing breaches in the health care sector and serves as a reminder that entities subject to HIPAA are not exempt from California’s more stringent breach notification requirements.

In particular, the AG’s bulletin reminds Covered Entities under HIPAA that California state law imposes additional requirements, such as notice to the Attorney General when a breach impacts more than 500 people.  Although the generally applicable California data breach law exempts entities subject to HIPAA from California’s requirements regarding the content of breach notification letters, that law does not exempt Covered Entities or Business Associates from the AG notice provisions.  California also has other breach reporting requirements that are stricter than HIPAA, such as the California Department of Public Health’s 15-day deadline for “healthcare facilities” to report “medical information breaches” experienced by the facility or its business associates.

The AG’s bulletin recommends entities implement the following minimum preventive measures:

  • Keep all operating systems and software housing health data current with the latest security patches;

  • Install and maintain virus protection software;

  • Provide regular data security training for staff members that includes education on not clicking on suspicious web links and guarding against phishing emails;

  • Restrict users from downloading, installing, and running unapproved software; and

  • Maintain and regularly test a data backup and recovery plan for all critical information to limit the impact of data or system loss in the event of a data security incident.

  • Other security safeguards required under other laws (such as HIPAA) and recommended in government publications (such as data security best practices available in the CISA Cyber Resource Hub).

© Copyright 2024 Squire Patton Boggs (US) LLP

Current Legal Analysis

More from Squire Patton Boggs (US) LLP

Singapore Progresses Towards Amended Cybersecurity Law
by: Charmian Aw
UK Litigation Funding Post PACCAR – Tying up Loose Ends
by: Helena Clarke , Rachael Markham
New York’s Renewed Efforts to Pass Sovereign Debt Legislation (US)
by: Jeffrey N. Rothleder , Tara Peramatukorn
I Won’t Take This Sitting Down – How To Escape Liability for Kind Thoughts in The Workplace (UK)
by: David Whincup
Heavyweight Fight, Did the US or EU KO the AI Treaty?
by: Andrea Otaola , Claire Murphy
Are you Ready for Washington and Nevada’s Consumer Health Data Laws?
by: Alan L. Friel , Kyle R. Fath
Navigating AI Risks: A Guide to Enhancing Corporate Compliance Programs
by: Colin R. Jennings , Ayako Russell
EEOC Releases Final Rule Implementing Pregnant Workers Fairness Act (US)
by: Laura Lawless
Top Tips for Identifying and Addressing Poor Service in Pensions
by: Victoria Leigh
New CFIUS Rules to Enhance Enforcement and Investigation Activities
by: Ben Squires

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins