January 7, 2008 - California was the first state to require that state residents be notified when their personal information was leaked, lost or stolen. The state's data breach notification law set the standard for many subsequent laws written in other states. Now California is expanding its definition of a "data breach" to also include breaches of electronic medical records.
The expanded definition of what constitutes a data breach went into effect on January 1. The medical records now covered by the law include unencrypted medical histories, information on diagnosis and treatment, and information on mental or physical conditions. Insurance applications, policy numbers, claims histories and appeals are also covered.
The notification requirement is triggered by the release of a California resident's name along with one other piece of personally identifiable information. For instance, the release of a person's name along with their SSN or insurance policy number would be enough to trigger it.
Until January 1, the law only covered data breaches involving financial information. With medical identity theft rates continuing to rise, it is hoped that the expanded law will help to prevent new medical identity theft cases. There were approximately 250,000 such cases reported last year.
The law covers both state government agencies and companies doing business with California state residents, even if the companies don't have offices located in the state. It also prevents any company from releasing electronic medical records to anyone without the patient's permission.
by Jim Malmberg