§ 79902. Breach Reporting Requirements.
22 CA ADC § 79902
Barclays Official California Code of Regulations
22 CCR § 79902
(a) A health care facility, excluding a business associate, shall report to the Department a breach of a patient's medical information, or a breach reasonably believed to have occurred, no later than 15 business days after the breach has been detected. Such breaches shall be reported to the Department by the health care facility by electronic mail, telephone, facsimile transmission, first-class mail, or through an internet website maintained by the Department.
(3) If a health care facility fails to report a breach of a patient's medical information to the Department, the Department may assess a penalty in the amount of $100 for each day that the breach is not reported to the Department, not to exceed the limits set forth in Health and Safety Code section 1280.15.
(4) A breach shall not be deemed reported to the Department unless the health care facility has provided, or made a good faith effort to provide, to the Department the items required in section 79902(a)(1). Any items required for reporting under section 79902(a)(1) not available to the health care facility at the time of the reporting shall be provided to the Department as they are available to the health care facility. Any unreasonable delays in reporting by the health care facility pursuant to this subdivision are subject to an administrative penalty assessed pursuant to section 79902(a)(3). In assessing whether delay is unreasonable, the Department will consider, among other factors, the size of the affected population, lack of sufficient information in the reporting of an incident to make a determination of compliance, time passed between the time of an incident and its discovery, whether the cause of an incident was a business associate or workforce member, and availability of staff to respond to an incident.
(5) In the event a health care facility has performed, pursuant to section 79901(b)(1)(F), a risk assessment and has determined that an incident does not constitute a breach of a patient's medical information, the health care facility shall maintain a centralized record of each non-breach incident, along with all materials the health care facility relied upon in performing the risk assessment. All such centralized records shall be maintained by the health care facility and available for inspection by the Department at all times. A health care facility shall retain records relating to such a risk assessment for a period of at least six years from the time of the incident.
(b) Except as provided in Health and Safety Code section 1280.15(c), a health care facility shall report a breach of a patient's medical information in writing by first-class mail to the patient or the patient's representative at the last known address, or by electronic mail, if the individual agrees and such agreement has not been withdrawn, pursuant to Part 164.404(d) of Title 45 of the Code of Federal Regulations, no later than 15 business days after the breach has been detected by the health care facility. The notification may be provided in one or more mailings as information is available.
(3) If a health care facility does not report a breach of a patient's medical information to a patient or the patient's representative, the Department may assess a penalty in the amount of $100 for each day that the breach is not reported to the patient or the patient's representative, not to exceed the limits set forth in Health and Safety Code section 1280.15.
Credits
Note: Authority cited: Sections 131000, 131050, 131051, 131052 and 131200, Health and Safety Code. Reference: Section 1280.15, Health and Safety Code.
History
1. New section filed 6-28-2021; operative 7-1-2021 pursuant to Government Code section 11343.4(b)(3) (Register 2021, No. 27). Filing deadline specified in Government Code section 11349.3(a) extended 60 calendar days pursuant to Executive Order N-40-20 and an additional 60 calendar days pursuant to Executive Order N-71-20.
This database is current through 5/10/24 Register 2024, No. 19.
Cal. Admin. Code tit. 22, § 79902, 22 CA ADC § 79902