California Sets 30-Day Breach Reporting Deadline

Individuals and businesses that do business in the state of California will soon be required to notify individuals affected by a data breach within 30 days of the discovery of the breach, and the state attorney general must be notified within 15 calendar days. State Governor Gavin Newsom added his signature to SB 446 earlier this month, with the new data breach reporting requirements taking effect on January 1, 2026.

Previously, data breach notification law in California required notifications to be issued without unreasonable delay, with no maximum timeframe stipulated for when the notifications should be issued. The new law will ensure that individuals affected by a data breach will receive prompt notification, allowing them to take timely action to protect themselves against identity theft and fraud.

There is, however, some flexibility in the new law. Data breach notifications must be issued in the most expedient time possible and without unreasonable delay, and while a 30-day limit is stipulated, the new law does allow for delays to notifications at the request of law enforcement and also to allow for any measures to be taken to determine the scope of the breach and restore the reasonable integrity of the data system.

The new law requires data breach notices to be written in plain language and titled “Notice of Data Breach,” and to follow a standard format, with the information presented under the following headings:

  • What Happened?
  • What Information Was Involved?
  • What We Are Doing
  • What You Can Do
  • For More Information

There are also minimum content requirements. Data breach notices must include contact information for the individual or entity reporting the breach, the types of information reasonably believed to have been compromised, and contact information for the major credit reporting agencies if the breach involved Social Security numbers, driver’s license numbers, or California identification card numbers. If known at the time of issuing the notifications, notices should state the date of the breach, the estimated date of the breach, or the date range in which the breach occurred. Notices should also include a general description of the breach incident.

If the individual or business reporting the breach was the source of the breach, and the breach involved certain sensitive types of data, then complimentary identity theft prevention and mitigation services should be offered for a minimum of 12 months. Data types requiring those services to be offered are: Social Security number, driver’s license number, California identification card number, tax identification number, passport number, military identification number, or any other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

Entities that fully comply with the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule will be deemed to be compliant with the breach notice requirements of SB 446; however, HIPAA-regulated entities are not exempted from other requirements of SB 446. HIPAA-regulated entities should therefore ensure that they thoroughly check those requirements and update their policies and procedures ahead of the compliance deadline.

The post California Sets 30-Day Breach Reporting Deadline appeared first on The HIPAA Journal.

HHS-OIG Announces 10-Year Exclusions for Companies and Individuals

The Department of Health and Human Services Office of Inspector General (HHS-OIG) maintains an exclusion list of companies and individuals who are not permitted to participate in federal healthcare programs, including indirectly participating by providing goods or services to entities that are billed to federal healthcare programs.

Exclusion is the most severe civil sanction that can be imposed by HHS-OIG and is most commonly due to conviction of a felony or misdemeanor related to a federally funded healthcare program, although individuals and entities can be added to the exclusion list for a variety of reasons. The duration of the exclusion depends on several factors and can range from months to permanent exclusion.

For permissive exclusions, HHS-OIG has discretion over how long the exclusion period lasts. That could be until an individual who has defaulted on a repayment addresses the default, although most permissive exclusions fall in the range of 1 to 3 years. Mandatory exclusions, such as those for misdemeanor and felony convictions, have minimum exclusion periods of 5 or 10 years, although three convictions will result in permanent exclusion.

If an individual is excluded, they are not permitted to work within the healthcare industry for any company that accepts federal funds, which can severely limit work opportunities. Since excluded individuals may still seek employment in the healthcare field, it is vital for employers to regularly check the exclusion list to ensure that new hires can be employed, and also to conduct regular checks of all employed individuals to ensure they can continue to be employed. Employing or continuing to employ an excluded individual risks civil monetary penalties.

HHS-OIG has recently announced new additions to its exclusion list, all of which see the individuals and entities excluded from federally funded healthcare programs for 10 years. In August, HHS-OIG entered into a settlement agreement with Ideal Health Diagnostics, Inc. (Ideal Health) and Svetlana Dizik (Dizik), of Glenview, Illinois, that requires a payment of $227,193.28 in addition to the 10-year exclusion. HHS-OIG alleged that Ideal Health and Dizik solicited and received improper remuneration from Perry Rudich, MD, in exchange for referrals for radiological interpretative services. Ideal Health and Dizik also caused claims to be submitted to Medicare that falsely identified Dr. Rudich as the rendering provider of items and services that he did not perform. Ideal Health and Dizik were not enrolled in Medicare, so they could not bill Medicare for those services themselves or receive payment for those services from Medicare.

In September, HHS-OIG announced 10-year exclusions for Optimum Faith Lab Corp. and its owner, Opal Mullings. Opal Mullings and Optimum had submitted claims for mileage under HCPCS Code P9603 that were improperly inflated, in excess of the actual mileage driven by phlebotomists, not properly prorated, or both. Further, claims were submitted for travel allowance when only a fingerstick blood draw was performed, for which Medicare rules do not permit a travel allowance to be claimed, and travel allowance was also claimed for laboratory services that were never rendered.

The post HHS-OIG Announces 10-Year Exclusions for Companies and Individuals appeared first on The HIPAA Journal.

Skagit Regional Health Settles Meta Pixel Class Action Litigation

Skagit County Public Hospital District No. 1, doing business as Skagit Regional Health, the operator of Skagit Regional Hospital in Mount Vernon, Washington, has agreed to settle class action litigation stemming from its use of Meta Pixel and other tracking tools on its website, which may have disclosed patient information to third parties.

Like many hospital operators, Skagit Regional Health added tracking technologies such as Meta Pixel to its website. These tools track user activity on websites, such as the pages visited and time spent on each page; however, they can collect a range of information that can be tied to individuals via various identifiers, including IP addresses. The data collected by these tools is typically transmitted to the providers of these tools, and in the case of Meta Pixel, the data can be used to serve targeted advertisements.
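The first step in getting ahead of this kind of exposure is knowing which third-party hosts a page actually loads resources from. The following is an added example, not code from the article or from Skagit Regional Health: it parses a constructed sample of a patient-portal page that embeds the Meta Pixel, inventories every script, image and iframe source plus any URL built inside inline scripts, and flags those that point outside the organization's own domain. The `example-hospital.org` host and the page markup are made up for the example; the `connect.facebook.net` and `www.facebook.com/tr` endpoints are the ones the Meta Pixel is publicly documented to use.

```python
"""Inventory third-party trackers embedded in an HTML page.

Added example: given a page's HTML and the organization's own domain,
list every external resource the page loads and flag the ones served
from a third-party host. This is the inventory a hospital web team
needs before deciding what to remove or consent-gate.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (hypothetical hospital domain). The pixel
# loader body is shortened; the hostnames match the real Meta Pixel.
SAMPLE_HTML = """
<html><head>
<script src="/static/portal.js"></script>
<script>
// Meta Pixel snippet, loader body shortened for the sample
var s=document.createElement('script');
s.src='https://connect.facebook.net/en_US/fbevents.js';
fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
</head><body>
<img height="1" width="1" style="display:none"
 src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/>
<img src="https://portal.example-hospital.org/logo.png"/>
<a href="https://portal.example-hospital.org/login">Patient portal</a>
</body></html>
"""

# Inline-script markers that identify the Meta Pixel even when the
# loader URL is assembled dynamically.
INLINE_SIGNATURES = ("fbq(", "fbevents.js")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


class ResourceCollector(HTMLParser):
    """Collect src URLs of scripts/images/iframes and inline script text."""

    def __init__(self):
        super().__init__()
        self.resources = []       # (tag, url)
        self.inline_scripts = []  # bodies of <script> without src
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self.resources.append((tag, attrs["src"]))
        if tag == "script" and not attrs.get("src"):
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_scripts.append(data)


def _is_third_party(url, first_party_host):
    host = urlparse(url).hostname
    # Relative URLs have no host and are first-party by definition.
    if host is None:
        return False
    return not (host == first_party_host or host.endswith("." + first_party_host))


def audit_page(html, first_party_host):
    """Return findings as dicts: kind, detail, third_party."""
    parser = ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, url in parser.resources:
        findings.append({"kind": tag, "detail": url,
                         "third_party": _is_third_party(url, first_party_host)})
    inline = "\n".join(parser.inline_scripts)
    # URLs built inside inline scripts (e.g. the pixel loader) count too.
    for url in URL_RE.findall(inline):
        findings.append({"kind": "inline-script-url", "detail": url,
                         "third_party": _is_third_party(url, first_party_host)})
    if any(sig in inline for sig in INLINE_SIGNATURES):
        findings.append({"kind": "inline-script", "detail": "Meta Pixel signature",
                         "third_party": True})
    return findings


def third_party_hosts(html, first_party_host):
    """Distinct third-party hosts the page contacts, sorted."""
    hosts = set()
    for f in audit_page(html, first_party_host):
        if f["third_party"] and f["kind"] != "inline-script":
            hosts.add(urlparse(f["detail"]).hostname)
    return sorted(hosts)


if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML, "example-hospital.org"):
        flag = "THIRD-PARTY" if f["third_party"] else "first-party"
        print(f"{flag:12} {f['kind']:18} {f['detail']}")
    print("Hosts contacted:", third_party_hosts(SAMPLE_HTML, "example-hospital.org"))
```

Run against the sample, the audit reports two first-party resources and three third-party findings (the `www.facebook.com/tr` beacon image, the `connect.facebook.net` loader URL inside the inline script, and the `fbq(` signature). On a real site the same inventory should be repeated for every page that a logged-in patient can reach, since the lawsuit described here turned on the patient-portal pages rather than the public home page.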

On November 8, 2024, a lawsuit was filed in Skagit County Superior Court in Washington by Dave Suther – Dave Suther v. Skagit County Public Hospital District No. 1, d/b/a Skagit Regional Hospital – alleging the defendant had used tracking tools on the hospital website which collected and transmitted protected health information to Meta and other third parties without the knowledge or consent of website users. The lawsuit asserted claims of negligence, negligence per se, invasion of privacy-intrusion upon seclusion, invasion of privacy-disclosure of private facts, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violations of both the Washington Consumer Protection Act and the Washington Privacy Act.

The defendant denies any wrongdoing or liability and believes it would prevail at summary judgment; however, after taking into account the costs, time, and distraction of continuing with the litigation and the uncertainty and risks associated with any litigation, it agreed to engage in settlement discussions. A settlement has now been agreed that is acceptable to all parties, and the settlement has received preliminary approval from the court. Under the terms of the settlement, Skagit Regional Health has agreed to cover the cost of attorneys’ fees and expenses, settlement administration costs, class representative awards, and a cash payment of $20 for all class members.

The class consists of individuals who were patients of Skagit Regional Hospital who navigated to, signed up for, logged in, or used its patient portal between May 1, 2021, and September 5, 2025. Individuals wishing to object to the settlement or exclude themselves must do so by November 3, 2025. Claims for cash payments must be submitted by November 3, 2025, and the final fairness hearing has been scheduled for November 21, 2025. Further information can be found on the settlement website: https://www.sutherpixelsettlement.com/

The post Skagit Regional Health Settles Meta Pixel Class Action Litigation appeared first on The HIPAA Journal.