
Reporting of Unlawful or Unauthorized Access or Disclosure of Patient Medical Information – Cal. Health & Safety Code § 1280.15

A licensed hospital, community health clinic, nursing facility, or other health facility must prevent unlawful or unauthorized access or disclosure of patient medical information. Internal mail, fax, or other means of transmission that is accidentally misdirected does not qualify as unlawful or unauthorized access or disclosure of medical information. If the Department of Health Services finds that there was unlawful or unauthorized access or disclosure of patient medical information, it may impose a fine of up to $25,000 per patient for the violation, and up to $17,500 for each violation thereafter. In investigating the violation, the Department must look at the health facility’s history of compliance, preventative action that was taken, and any other relevant factors.

A licensed hospital, community health clinic, nursing facility, or other health facility must report any instances of unlawful or unauthorized disclosure or access of patient information to the Department within five (5) days. The health facility must also notify the patient or the patient’s representative of the incident within five (5) days at the last known address. The health facility can delay the reporting requirement if law enforcement gives written or oral notice that reporting the event would impede an ongoing investigation. If a health facility does not report such events in a timely manner, the Department can fine the facility $100 per day the report is late, up to a maximum fine of $250,000.

Related Laws: Health & Safety Code § 130203


Current as of June 2015