BILL NUMBER: SB 456 CHAPTERED
BILL TEXT
CHAPTER 635
FILED WITH SECRETARY OF STATE OCTOBER 9, 2001
APPROVED BY GOVERNOR OCTOBER 8, 2001
PASSED THE SENATE SEPTEMBER 14, 2001
PASSED THE ASSEMBLY SEPTEMBER 10, 2001
AMENDED IN ASSEMBLY SEPTEMBER 5, 2001
AMENDED IN ASSEMBLY AUGUST 20, 2001
AMENDED IN ASSEMBLY JULY 17, 2001
AMENDED IN ASSEMBLY JUNE 28, 2001
AMENDED IN SENATE JUNE 4, 2001
AMENDED IN SENATE MAY 14, 2001
AMENDED IN SENATE APRIL 5, 2001
INTRODUCED BY Senator Speier
(Coauthor: Assembly Member Alquist)
FEBRUARY 22, 2001
An act to add and repeal Division 110 (commencing with Section
130300) of, and to repeal Section 128812 of, the Health and Safety
Code, and to add Item 9909-001-0988 to Section 2.00 of the Budget Act
of 2001 (Chapter 106 of the Statutes of 2001), relating to the
Health Insurance Portability and Accountability Act, making an
appropriation therefor, and declaring the urgency thereof, to take
effect immediately.
LEGISLATIVE COUNSEL'S DIGEST
SB 456, Speier. Health Insurance Portability and Accountability
Act of 2001: compliance activities.
(1) Existing federal law, the Health Insurance Portability and
Accountability Act of 1996 (HIPAA), establishes certain requirements
relating to the provision of health insurance.
This bill would enact the Health Insurance Portability and
Accountability Implementation Act of 2001. The bill would require
the Office of HIPAA Implementation, established by the Governor's
office within the California Health and Human Services Agency, to
perform specified activities required for compliance with this
federal act. The bill would require state entities subject to HIPAA
to complete an assessment prior to January 1, 2002, to determine its
impact on their operations and would require state entities to
cooperate with the office in achieving compliance with HIPAA. The
bill would require the Department of Finance to develop guidelines
relating to obtaining HIPAA funding and to report to the Legislature
regarding expenditures related to HIPAA implementation activities.
The bill would provide that its provisions remain in effect only
until January 1, 2008, and would be repealed on that date.
(2) Existing law requires the Office of Statewide Health Planning
and Development to develop a plan, to prepare a progress report, and
to contract for consulting services leading to recommendations
related to a health data interchange between and among health
facilities, health care service plans, insurers, providers, emergency
medical services providers, local emergency medical services
agencies, and relevant state agencies.
This bill would delete these provisions.
(3) The Budget Act of 2001 makes various appropriations for the
support of state government for the 2001-02 fiscal year.
This bill would make appropriations in augmentation of that act to
support the state's implementation of HIPAA.
(4) The bill would declare that it is to take effect immediately
as an urgency statute.
Appropriation: yes.
THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:
SECTION 1. Division 110 (commencing with Section 130300) is added
to the Health and Safety Code, to read:
DIVISION 110. THE HEALTH INSURANCE PORTABILITY AND
ACCOUNTABILITY IMPLEMENTATION ACT OF 2001
130300. This division shall be known and may be cited as the
Health Insurance Portability and Accountability Implementation Act of
2001.
130301. The Legislature finds and declares the following:
(a) The federal Health Insurance Portability and Accountability
Act (42 U.S.C. Sec. 300gg), known as HIPAA, was enacted on August 21,
1996.
(b) HIPAA extends health coverage benefits to workers after they
terminate or change employment by allowing the worker to participate
in existing group coverage plans, thereby avoiding the additional
expense associated with obtaining individual coverage as well as the
potential loss of coverage because of a preexisting health condition.
(c) Administrative simplification is a key feature of HIPAA,
requiring standard national identifiers for providers, employers, and
health plans and the development of uniform standards for the coding
and transmission of claims and health care information.
Administration simplification is intended to promote the use of
information technology, thereby reducing costs and increasing
efficiency in the health care industry.
(d) HIPAA also contains new standards for safeguarding the privacy
and security of health information. Therefore, the development of
policies for safeguarding the privacy and security of health records
is a fundamental and indispensable part of HIPAA implementation that
must accompany or precede the expansion or standardization of
technology for recording or transmitting health information.
(e) The federal Health and Human Services Agency has published,
and continues to publish, rules pertaining to the implementation of
HIPAA. Following a 60-day congressional concurrence period, health
providers and insurers have 24 months in which to implement these
rules.
(f) These federal rules directly apply to state and county
departments that provide health coverage, health care, mental health
services, and alcohol and drug treatment programs. Other state and
county departments are subject to these rules to the extent they use
or exchange information with the departments to which the federal
rules directly apply.
(g) In view of the substantial changes that HIPAA will require in
the practices of both private and public health entities and their
business associates, the ability of California government to continue
the delivery of vital health services will depend upon the
implementation of HIPAA in a manner that is coordinated among state
departments as well as our partners in county government and the
private health sector.
(h) The implementation of HIPAA shall be accomplished as required
by federal law and regulations and shall be a priority for state
departments.
130302. For the purposes of this division, the following
definitions apply:
(a) "Director" means the Director of the Office of HIPAA
Implementation.
(b) "HIPAA" means the federal Health Insurance Portability and
Accountability Act.
(c) "Office" means the Office of HIPAA Implementation established
by the office of the Governor in the Health and Human Services
Agency.
(d) "State entities" means all state departments, boards,
commissions, programs, and other organizational units of the
executive branch of state government.
130303. The office shall assume statewide leadership,
coordination, policy formulation, direction, and oversight
responsibilities for HIPAA implementation. The office shall exercise
full authority relative to state entities to establish policy,
provide direction to state entities, monitor progress, and report on
implementation efforts.
130304. The office shall be under the supervision and control of
a director, known as the Director of the Office of HIPAA
Implementation, who shall be appointed by, and serve at the pleasure
of, the Secretary of the Health and Human Services Agency.
130305. The office shall be staffed, at a minimum, with the
following personnel:
(a) Legal counsel to perform activities that may include, but are
not limited to, determining the application of federal law pertaining
to HIPAA.
(b) Staff with expertise in the rules promulgated by HIPAA.
(c) Staff to oversee the development of training curricula and
tools and to modify the curricula and tools as required by the state'
s ongoing HIPAA compliance effort.
(d) Information technology staff.
(e) Staff, as necessary, to coordinate and monitor the progress
made by all state entities in HIPAA implementation.
(f) Administrative staff, as necessary.
130306. (a) The office shall perform the following functions:
(1) Standardizing the HIPAA implementation process used in all
state entities, which includes the following:
(A) Developing a master plan and overall state strategy for HIPAA
implementation that includes timeframes within which specified
activities will be completed.
(B) Specifying tools, such as protocols for assessment and
reporting, and any other tools as determined by the director for
HIPAA implementation.
(C) Developing uniform policies on privacy, security, and other
matters related to HIPAA that shall be adopted and implemented by all
state entities. In developing these policies, the office shall
consult with representatives from the private sector, state
government, and other public entities affected by HIPAA.
(D) Providing an ongoing evaluation of HIPAA implementation in
California and refining the plans, tools, and policies as required to
effect implementation.
(E) Developing standards for the office to use in determining the
extent of HIPAA compliance.
(2) Representing the State of California in HIPAA discussions with
the federal Department of Health and Human Services and at the
Workgroup for Electronic Data Interchange and other national and
regional groups developing standards for HIPAA implementation,
including those authorized by the federal Department of Health and
Human Services to receive comments related to HIPAA. In preparing
comments for submission to these entities, the office shall work in
coordination with private and public entities to which the comments
relate. The office may review and approve all comments related to
HIPAA that state entities or representatives from the University of
California, to the extent authorized by its Regents, propose for
submission to the federal Department of Health and Human Services or
any other body or organization.
(3) Monitoring the HIPAA implementation activities of state
entities and requiring these entities to report on their
implementation activities at times specified by the director using a
format prescribed by the director. The office shall seek the
cooperation of counties in monitoring HIPAA implementation in
programs that are administered by county government.
(4) Providing state entities with technical assistance as the
director deems necessary and appropriate to advance the state's
implementation of HIPAA as required by the schedule adopted by the
federal Department of Health and Human Services. This assistance
shall also include sharing information obtained by the office
relating to HIPAA.
(5) Providing the Department of Finance with recommendations on
HIPAA implementation expenditures, including proposals submitted by
state entities and a recommendation on the amount to be appropriated
for allocation by the Department of Finance to entities implementing
HIPAA.
(6) Conducting a periodic assessment at least once every three
years to determine whether staff positions established in the office
and in other state entities to perform HIPAA compliance activities
continue to be necessary or whether additional staff positions are
required to complete these activities.
(7) Reviewing and approving contracts relating to HIPAA to which a
state entity is a party prior to the contract's effective date.
(8) Reviewing and approving all HIPAA legislation proposed by
state entities, other than state control agencies, prior to the
proposal's review by any other entity and reviewing all analyses and
positions, other than those prepared by state control agencies, on
HIPAA related legislation being considered by either Congress or the
Legislature.
(9) Ensuring state departments claim federal funding for those
activities that qualify under federal funding criteria.
(10) Establishing a Web site that is accessible to the public to
provide information in a consistent and accessible format concerning
state HIPAA implementation activities, timeframes for completing
those activities, HIPAA implementation requirements that have been
met, and the promulgation of federal regulations pertaining to HIPAA
implementation. The office shall update this Web site quarterly.
(b) In performing these functions, the office shall coordinate its
activities with the State Office of Privacy Protection.
130307. The director shall establish an advisory committee to
obtain information on statewide HIPAA implementation activities,
which shall meet at a minimum of two times per year. It is the
intent of the Legislature that the committee's membership include
representatives from county government, from consumers, and from a
broad range of provider groups, such as physicians and surgeons,
clinics, hospitals, pharmaceutical companies, health care service
plans, disability insurers, long-term care facilities, facilities for
the developmentally disabled, and mental health providers. The
director shall invite key stakeholders from the federal government,
the Judicial Council, health care advocates, nonprofit health care
organizations, public health systems, and the private sector to
provide information to the committee.
130308. The office may contract for the provision of services
required to implement this division. The Legislature finds that
these contracts are for a new state function and authorizes the
performance of this work by independent contractors, pursuant to
paragraph (2) of subdivision (b) of Section 19130 of the Government
Code.
130309. (a) All state entities subject to HIPAA shall complete an
assessment, in a form specified by the office, prior to January 1,
2002, to determine the impact of HIPAA on their operations. The
office shall report the statewide results of the assessment to the
appropriate policy and fiscal committees of the Legislature on or
before May 15, 2002.
(b) Other state entities shall cooperate with the office to
determine whether they are subject to HIPAA, including, but not
limited to, providing a completed assessment as prescribed by the
office.
130310. All state entities shall cooperate with the efforts of
the office to monitor HIPAA implementation activities and to obtain
information on those activities.
130311. All state entities affected by HIPAA shall comply with
the decisions of the director in achieving compliance with HIPAA.
130312. (a) The Department of Finance shall provide a complete
accounting of HIPAA expenditures made by all state entities.
(b) The Department of Finance, in consultation with the office,
shall develop and annually publish prior to August 1, guidelines for
state entities to obtain additional HIPAA funding. All funding
requests from state entities for HIPAA implementation, including, but
not limited to, requests for appropriations through the Budget Act
or other legislation and requests for allocation of lump-sum funds
from the Department of Finance, shall be reviewed and approved by the
office prior to being submitted to the Department of Finance.
Funding requests pertaining to information technology activities
shall also be reviewed and approved by the Department of Information
Technology.
(c) The Department of Finance shall notify the office and the
Chairperson of the Senate Committee on Budget and Fiscal Review and
the Chairperson of the Assembly Budget Committee of each allocation
it approves within 10 working days of the approval. The Department
of Finance shall also report to the Legislature quarterly on HIPAA
allocations, redirections, and expenditures, categorized by state
entity and by project.
130313. To the extent that funds are appropriated in the annual
Budget Act, the office shall perform the following functions in order
to comply with HIPAA requirements:
(a) The establishment and ongoing support of departmental HIPAA
project management offices.
(b) The development, revision, and issuance of HIPAA compliance
policies.
(c) Modifications of programs in accordance with any revised
policies.
(d) Staff training on HIPAA compliance policies and programs.
(e) Coordination and communication with other affected entities.
(f) Modifications to, or replacement of, information technology
systems.
(g) Consultation with appropriate stakeholders.
130314. The office shall report to the Legislature, upon its
request, any services or programs that were temporarily reduced or
suspended due to the redirection of funds for HIPAA compliance
activities.
130315. State entities may adopt emergency regulations in
accordance with the Administrative Procedure Act (Chapter 3.5
(commencing with Section 11340) of Part 1 of Division 3 of Title 2 of
the Government Code) to implement HIPAA requirements set forth in
final federal regulations. This authority shall terminate one year
after the last final rule for HIPAA is issued by the federal
government. The adoption of emergency regulations described in this
section shall be deemed to be an emergency and necessary for the
immediate preservation of the public peace, health and safety, or
general welfare. An emergency regulation adopted under this section
shall remain in effect for not more than two years.
130316. Any funds appropriated for the purpose of this division
that remain unexpended or unencumbered on January 1, 2008, shall
revert to the General Fund on that date unless a statute that is
enacted before January 1, 2008, extends the provisions of this
division.
130317. This division shall remain in effect only until January
1, 2008, and as of that date is repealed, unless a later enacted
statute, that is enacted before January 1, 2008, deletes or extends
that date.
SEC. 2. (a) Thirty-three million one hundred sixty-eight thousand
dollars ($33,168,000) from the Federal Trust Fund is hereby
appropriated for transfer to and in augmentation of Item
9909-001-0890 of the Budget Act of 2001 (Chapter 106 of the Statutes
of 2001) for allocation to various departments by the Department of
Finance in support of HIPAA compliance activities.
(b) Eleven million one hundred twenty thousand dollars
($11,120,000) from the General Fund is hereby appropriated for
transfer to and in augmentation of Item 9909-001-0001 of the Budget
Act of 2001 (Chapter 106 of the Statutes of 2001) for allocation to
various departments by the Department of Finance in support of HIPAA
compliance activities.
(c) One million one hundred forty-one thousand dollars
($1,141,000) from the Statewide HIPAA Compliance Fund is hereby
appropriated for transfer to and in augmentation of Item
9909-001-0494 of the Budget Act of 2001 (Chapter 106 of the Statutes
of 2001) for allocation to various departments by the Department of
Finance in support of HIPAA compliance activities.
SEC. 3. Item 9909-001-0988 is added to Section 2.00 of the Budget
Act of 2001 (Chapter 106 of the Statutes of 2001), to read:
9909-001-0988--For allocation by the Department of Finance
in support of federal Health Insurance Portability and
Accountability Act activities for applicant state
agencies, departments, boards, commissions, or other
entities of state government ..........................
10,000,000
Provisions:
1. Provisions 1 and 2 of Item 9909-001-0001 of
the Budget Act of 2001 (Chapter 106 of the
Statutes of 2001) shall also apply to
allocations authorized by this item.
2. Notwithstanding any other provision of law,
the Director of the Department of Finance may
authorize expenditures in excess of the ten
million dollars ($10,000,000) appropriated
in this item.
SEC. 4. In the event that expenditures in support of the federal
Health Insurance Portability and Accountability Act activities for
applicant state agencies, departments, boards, commissions, or other
entities of state government exceed the appropriations made by the
Budget Act of 2001 (Chapter 106 of the Statutes of 2001), the
Director of Finance shall utilize a process similar to the Section 27
process contained in the Budget Act of 2001 (Chapter 106 of the
Statutes of 2001).
SEC. 5. Section 128812 of the Health and Safety Code is repealed.
SEC. 6. This act is an urgency statute necessary for the immediate
preservation of the public peace, health, or safety within the
meaning of Article IV of the Constitution and shall go into immediate
effect. The facts constituting the necessity are:
Due to the specified deadlines for complying with the requirements
of the federal Health Insurance Portability and Accountability Act,
it is necessary that this act take effect immediately.