California breach disclosure law covers medical records
AB 1298, which took effect Tuesday, adds unencrypted medical histories and information on mental or physical conditions or diagnoses to the types of records covered by the
A data loss incident must include a
Sponsored by California Assemblyman Dave Jones, D-Sacramento, AB 1298 was inspired by a recommendation in a 2006 report on medical identity theft by the World Privacy Forum, a California-based public interest research group, according to Pam Dixon, the organization's executive director.
"Medical identity theft operates differently than financial ID theft. Any piece of medical information -- in some cases, even just a name -- can be used to commit a crime, and an insurance card number is pure gold for medical ID theft," she said. "Social Security numbers sell for a couple of dollars on the black market, but medical records files command a very high price -- they can sell for $50 on the black market."
She recalled the case of one woman whose stolen, and altered, medical records indicated she asked for prescription pain killers at a hospital emergency room, when, in fact, she didn't. "Her files now reflect that behavior, even though she had nothing to do with it," said
William Miaoulis, manager of consulting services at Phoenix Health Systems, a health care consulting firm, told SCMagazineUS.com today that the law will "absolutely" add to the cost of managing medical records because firms will be forced to implement improved control of mobile media.
"I think we'll see increased use of encryption on mobile devices, such as PDAs, thumb drives and laptops. We'll see increased effort to know what medical information is where," he said. "It sounds simple, knowing where your information is. But what's occurred is that information has become much more fluid, and is easily transferable, only a few clicks and information can go from computer to computer, and knowing where you sent that information can be very important."
