Risk
10/18/2008
02:32 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

New Calif. State Legislation Threatens Stiff Medical Privacy Penalties

Two new state medical privacy laws, AB211 and SB541, make it possible for institutions and individuals to be fined up to $250,000 for being lax when it comes to the medical privacy of California residents. It's about time.

Two new state medical privacy laws, AB211 and SB541, make it possible for institutions and individuals to be fined up to $250,000 for being lax when it comes to the medical privacy of California residents. It's about time.The fines can't roll enough as far as I'm concerned.

From this story, which originally appeared in the AIS's Health Business Daily:

Hospitals and other covered entities in California may have to beef up their privacy and security compliance programs in light of recently enacted state legislation that slaps stiffer penalties on entities and employees who violate patient privacy. The legislation, approved in mid-September and signed by Gov. Arnold Schwarzenegger (R) on Sept. 29, follows privacy breaches of several high-profile celebrities, including singer Britney Spears and California First Lady Maria Shriver.

We covered the Britney Spears UCLA fiasco when that story broke, and I delivered an overview of these two new California laws on my other blog at TransformationEnablers.com.

In a nutshell, AB211 requires health care providers to take appropriate safeguards to protect patient medical information, while SB541 sees that those in violation could be penalized $100 a day, up to $250,000.

Some say that these security requirements aren't necessary, because we already have HIPAA. This quote is from the same story as above:

"There is an argument to be made that a law like this isn't absolutely necessary, because certainly HIPAA required reasonable safeguards of patient information or protected health information," says Reece Hirsch, a partner in Sonnenschein Nath & Rosenthal's San Francisco office.

Still, the California legislation is significant in some respects, he tells RPP. It takes data-security concepts found in federal law and applies them at the state-law level, he says.

"Perhaps most significantly, it also attaches a whole new regime of fines and penalties related to violations of those standards," Hirsch adds. "Some people might say the HIPAA privacy and security rule has not been very vigorously enforced thus far by HHS. This sort of provides a basis for state authorities to impose some fairly significant penalties when there is a perceived privacy or security breach."

I say the stronger argument is that HIPAA has not been vigorously enforced, and it's about time a state has stood up to do so.

California set the precedent with SB 1386, and the state is about to do it again.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4793
Published: 2014-12-27
The update function in umbraco.webservices/templates/templateService.cs in the TemplateService component in Umbraco CMS before 6.0.4 does not require authentication, which allows remote attackers to execute arbitrary ASP.NET code via a crafted SOAP request.

CVE-2013-5958
Published: 2014-12-27
The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a si...

CVE-2013-6041
Published: 2014-12-27
index.php in Softaculous Webuzo before 2.1.4 allows remote attackers to execute arbitrary commands via shell metacharacters in a SOFTCookies sid cookie within a login action.

CVE-2013-6043
Published: 2014-12-27
The login function in Softaculous Webuzo before 2.1.4 provides different error messages for invalid authentication attempts depending on whether the user account exists, which allows remote attackers to enumerate usernames via a series of requests.

CVE-2013-6227
Published: 2014-12-27
Unrestricted file upload vulnerability in plugins/editor.zoho/agent/save_zoho.php in the Zoho plugin in Pydio (formerly AjaXplorer) before 5.0.4 allows remote attackers to execute arbitrary code by uploading an executable file, and then accessing this file at a location specified by the format param...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.