With the proliferation of healthcare information outsourcing, regional health information organizations (RHIOs) and personal health record companies, an increasing volume of medical information is maintained by organizations that are not directly subject to state medical privacy laws and HIPAA. On January 1, 2008, that will begin to change with the effective date of Californa's A.B. 1298 (discussed above).
A.B. 1298 expands the scope of the Confidentialty of Medical Information Act (CMIA), California's medical privacy law, to a wide range of previously unregulated entities, including many health care technology companies. A.B. 1298. A.B. 1298 amends Section 56.06 of the California Civil Code to provide: "Any business organized for the purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis or treatment of the individual, shall be deemed to be a provider of health care subject to the requirements of [the CMIA]." What does this mean? Among other things, it means that when an application service provider, billing company or personal health records company engages in an unauthorized disclosure of medical information of California patients, it will no longer just be violating the terms of its agreement with a hospital or other health care provider ... it will be violating California medical privacy law.