Regulatory Update for Medical Information Breach Administrative Penalties and Reporting Requirements

AFL 21-21 From the California Department of Public Health

July 2, 2021

TO: All Facilities
SUBJECT: Regulatory Update for Medical Information Breach Administrative Penalties and Reporting Requirements

AUTHORITY: California Health and Safety Code (HSC) section 1280.15

All Facilities Letter (AFL) Summary

This AFL informs health care facilities of adopted regulations, effective July 1, 2021.

  • The regulations are available at the Office of Regulations website.
  • The regulations clarify how administrative penalties for violations of medical information breach will be assessed.
  • The regulations also specify reporting requirements and procedures that health care facilities must follow for medical information breaches.

This AFL notifies health care facilities that the California Department of Public Health (CDPH) has adopted new Title 22 California Code of Regulations (CCR) sections 79900 – 79905. These regulations are effective July 1, 2021. Health care facilities should update any facility/entity policies and procedures as appropriate.

Administrative Penalties

CDPH may impose an administrative penalty on a health care facility if it determines that the facility has committed a breach of a patient’s health information. The base penalty amount is $15,000 and the penalty must not exceed the maximum penalty amount specified in HSC section 1280.15. The penalty may be adjusted based on the penalty adjustment factors described in the adopted regulations. In addition, CDPH may modify the penalty for small and rural hospitals if they submit a request to CDPH. CDPH may also adjust the penalties for primary care clinics and skilled nursing facilities under specified conditions.

Medical Information Breach – Reporting Requirements

The regulations require health care facilities to report a medical information breach to CDPH no later than 15 days after the breach has been detected. The regulations describe the information the health care facility must provide to CDPH. Delays in reporting may result in additional administrative penalties.

Medical Information Breach – Patient Notification Requirements

Additionally, the regulations specify information that facilities must provide to each patient whose information was breached. CDPH may assess additional penalties to health care facilities that do not report a breach of a patient’s medical information to the patient or their representative.

Facilities are responsible for following all applicable laws. CDPH’s failure to expressly notify facilities of statutory or regulatory requirements does not relieve facilities of their responsibility to follow all laws and regulations. Facilities should refer to the full text of all applicable sections of the HSC and Title 22 CCR.

If you have questions about the content of this AFL, please contact the CHCQ Regulations Unit at
Original signed by Cassie Dunham

Cassie Dunham

Acting Deputy Director