BILL NUMBER: AB 262 INTRODUCED BILL TEXT INTRODUCED BY Assembly Member Chan FEBRUARY 4, 2003 An act to amend Sections 56.05 and 56.10 of the Civil Code, relating to personal information. LEGISLATIVE COUNSEL'S DIGEST AB 262, as introduced, Chan. Personal information. (1) Existing law prohibits a provider of health care, a health care service plan contractor, or corporation and its subsidiaries and affiliates from intentionally sharing, selling, or otherwise using any medical information, as defined, for any purpose not necessary to provide health care services to a patient, except as expressly authorized by the patient, enrollee, or subscriber, as specified, or as otherwise required or authorized by law. Violation of these provisions are subject to a civil action for compensatory and punitive damages; and if a violation results in economic loss of personal injury to a patient, it is punishable as a misdemeanor. This bill would provide that this prohibition also applies to the marketing of medical information, as defined, excluding from the definition of marketing communications that are not made for compensation from a 3rd party or for specified descriptive purposes, or that are tailored to the circumstances of a particular individual, as specified. (2) The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement. This bill would provide that no reimbursement is required by this act for a specified reason. Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: yes. THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS: SECTION 1. Section 56.05 of the Civil Code is amended to read: 56.05. For purposes of this part: (a) "Authorization" means permission granted in accordance with Section 56.11 or 56.21 for the disclosure of medical information. (b) "Authorized recipient" means any person who is authorized to receive medical information pursuant to Section 56.10 or 56.20. (c) "Contractor" means any person or entity that is a medical group, independent practice association, pharmaceutical benefits manager, or a medical service organization and is not a health care service plan or provider of health care. "Contractor" does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code or pharmaceutical benefits managers licensed pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code). (d) "Health care service plan" means any entity regulated pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code). (e) "Licensed health care professional" means any person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code, the Osteopathic Initiative Act or the Chiropractic Initiative Act, or Division 2.5 (commencing with Section 1797) of the Health and Safety Code. (f) "Market" means to make a communication about a product or service, a purpose of which is to encourage recipients of the communication to purchase or use the product or service. "Marketing" does not include any of the following: (1) Communications made orally for which the writer does not receive direct or indirect remuneration from a third party for making the communication. (2) Communications made for the purpose of describing a provider's participation in a health care provider network or health plan network, or for the purpose of describing if, and the extent to which, a product or service, or payment for a product or service, is provided by a provider or plan or included in a plan of benefits. (3) Communications that are tailored to the circumstances of a particular individual, if the communications are either made by a health care provider to an individual as part of the treatment of the individual, and for the purpose of furthering the treatment of that individual, or made by a health care provider or health plan to an individual in the course of managing the treatment of that individual or for the purpose of directing or recommending to that individual alternative treatments, therapies, health care providers, or settings of care, so long as the health care provider or health plan is not separately remunerated by a third party solely for making the communication. (g) "Medical information" means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment. "Individually identifiable" means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity.(g)(h) "Patient" means any natural person, whether or not still living, who received health care services from a provider of health care and to whom medical information pertains.(h)(i) "Pharmaceutical company" means any company or business, or an agent or representative thereof, that manufactures, sells, or distributes pharmaceuticals, medications, or prescription drugs. "Pharmaceutical company" does not include a pharmaceutical benefits manager, as included in subdivision (c), or a provider of health care.(i)(j) "Provider of health care" means any person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code; any person licensed pursuant to the Osteopathic Initiative Act or the Chiropractic Initiative Act; any person certified pursuant to Division 2.5 (commencing with Section 1797) of the Health and Safety Code; any clinic, health dispensary, or health facility licensed pursuant to Division 2 (commencing with Section 1200) of the Health and Safety Code. "Provider of health care" does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code. SEC. 2. Section 56.10 of the Civil Code is amended to read: 56.10. (a) No provider of health care, health care service plan, or contractor shall disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan without first obtaining an authorization, except as provided in subdivision (b) or (c). (b) A provider of health care, a health care service plan, or a contractor shall disclose medical information if the disclosure is compelled by any of the following: (1) By a court pursuant to an order of that court. (2) By a board, commission, or administrative agency for purposes of adjudication pursuant to its lawful authority. (3) By a party to a proceeding before a court or administrative agency pursuant to a subpoena, subpoena duces tecum, notice to appear served pursuant to Section 1987 of the Code of Civil Procedure, or any provision authorizing discovery in a proceeding before a court or administrative agency. (4) By a board, commission, or administrative agency pursuant to an investigative subpoena issued under Article 2 (commencing with Section 11180) of Chapter 2 of Part 1 of Division 3 of Title 2 of the Government Code. (5) By an arbitrator or arbitration panel, when arbitration is lawfully requested by either party, pursuant to a subpoena duces tecum issued under Section 1282.6 of the Code of Civil Procedure, or any other provision authorizing discovery in a proceeding before an arbitrator or arbitration panel. (6) By a search warrant lawfully issued to a governmental law enforcement agency. (7) By the patient or the patient's representative pursuant to Chapter 1 (commencing with Section 123100) of Part 1 of Division 106 of the Health and Safety Code. (8) By a coroner, when requested in the course of an investigation by the coroner's office for the purpose of identifying the decedent or locating next of kin, or when investigating deaths that may involve public health concerns, organ or tissue donation, child abuse, elder abuse, suicides, poisonings, accidents, sudden infant death, suspicious deaths, unknown deaths, or criminal deaths, or when otherwise authorized by the decedent's representative. Medical information requested by the coroner under this paragraph shall be limited to information regarding the patient who is the decedent and who is the subject of the investigation and shall be disclosed to the coroner without delay upon request. (9) When otherwise specifically required by law. (c) A provider of health care, or a health care service plan may disclose medical information as follows: (1) The information may be disclosed to providers of health care, health care service plans, contractors, or other health care professionals or facilities for purposes of diagnosis or treatment of the patient. This includes, in an emergency situation, the communication of patient information by radio transmission or other means between emergency medical personnel at the scene of an emergency, or in an emergency medical transport vehicle, and emergency medical personnel at a health facility licensed pursuant to Chapter 2 (commencing with Section 1250) of Division 2 of the Health and Safety Code. (2) The information may be disclosed to an insurer, employer, health care service plan, hospital service plan, employee benefit plan, governmental authority, contractor, or any other person or entity responsible for paying for health care services rendered to the patient, to the extent necessary to allow responsibility for payment to be determined and payment to be made. If (A) the patient is, by reason of a comatose or other disabling medical condition, unable to consent to the disclosure of medical information and (B) no other arrangements have been made to pay for the health care services being rendered to the patient, the information may be disclosed to a governmental authority to the extent necessary to determine the patient's eligibility for, and to obtain, payment under a governmental program for health care services provided to the patient. The information may also be disclosed to another provider of health care or health care service plan as necessary to assist the other provider or health care service plan in obtaining payment for health care services rendered by that provider of health care or health care service plan to the patient. (3) The information may be disclosed to any person or entity that provides billing, claims management, medical data processing, or other administrative services for providers of health care or health care service plans or for any of the persons or entities specified in paragraph (2). However, no information so disclosed shall be further disclosed by the recipient in any way that would be violative of this part. (4) The information may be disclosed to organized committees and agents of professional societies or of medical staffs of licensed hospitals, licensed health care service plans, professional standards review organizations, independent medical review organizations and their selected reviewers, utilization and quality control peer review organizations as established by Congress in Public Law 97-248 in 1982, contractors, or persons or organizations insuring, responsible for, or defending professional liability that a provider may incur, if the committees, agents, health care service plans, organizations, reviewers, contractors, or persons are engaged in reviewing the competence or qualifications of health care professionals or in reviewing health care services with respect to medical necessity, level of care, quality of care, or justification of charges. (5) The information in the possession of any provider of health care or health care service plan may be reviewed by any private or public body responsible for licensing or accrediting the provider of health care or health care service plan. However, no patient-identifying medical information may be removed from the premises except as expressly permitted or required elsewhere by law, nor shall that information be further disclosed by the recipient in any way that would violate this part. (6) The information may be disclosed to the county coroner in the course of an investigation by the coroner's office when requested for all purposes not included in paragraph (8) of subdivision (b). (7) The information may be disclosed to public agencies, clinical investigators, including investigators conducting epidemiologic studies, health care research organizations, and accredited public or private nonprofit educational or health care institutions for bona fide research purposes. However, no information so disclosed shall be further disclosed by the recipient in any way that would disclose the identity of any patient or be violative of this part. (8) A provider of health care or health care service plan that has created medical information as a result of employment-related health care services to an employee conducted at the specific prior written request and expense of the employer may disclose to the employee's employer that part of the information that: (A) Is relevant in a lawsuit, arbitration, grievance, or other claim or challenge to which the employer and the employee are parties and in which the patient has placed in issue his or her medical history, mental or physical condition, or treatment, provided that information may only be used or disclosed in connection with that proceeding. (B) Describes functional limitations of the patient that may entitle the patient to leave from work for medical reasons or limit the patient's fitness to perform his or her present employment, provided that no statement of medical cause is included in the information disclosed. (9) Unless the provider of health care or health care service plan is notified in writing of an agreement by the sponsor, insurer, or administrator to the contrary, the information may be disclosed to a sponsor, insurer, or administrator of a group or individual insured or uninsured plan or policy that the patient seeks coverage by or benefits from, if the information was created by the provider of health care or health care service plan as the result of services conducted at the specific prior written request and expense of the sponsor, insurer, or administrator for the purpose of evaluating the application for coverage or benefits. (10) The information may be disclosed to a health care service plan by providers of health care that contract with the health care service plan and may be transferred among providers of health care that contract with the health care service plan, for the purpose of administering the health care service plan. Medical information may not otherwise be disclosed by a health care service plan except in accordance with the provisions of this part. (11) Nothing in this part shall prevent the disclosure by a provider of health care or a health care service plan to an insurance institution, agent, or support organization, subject to Article 6.6 (commencing with Section 791) of Part 2 of Division 1 of the Insurance Code, of medical information if the insurance institution, agent, or support organization has complied with all requirements for obtaining the information pursuant to Article 6.6 (commencing with Section 791) of Part 2 of Division 1 of the Insurance Code. (12) The information relevant to the patient's condition and care and treatment provided may be disclosed to a probate court investigator engaged in determining the need for an initial conservatorship or continuation of an existent conservatorship, if the patient is unable to give informed consent, or to a probate court investigator, probation officer, or domestic relations investigator engaged in determining the need for an initial guardianship or continuation of an existent guardianship. (13) The information may be disclosed to an organ procurement organization or a tissue bank processing the tissue of a decedent for transplantation into the body of another person, but only with respect to the donating decedent, for the purpose of aiding the transplant. For the purpose of this paragraph, the terms "tissue bank" and "tissue" have the same meaning as defined in Section 1635 of the Health and Safety Code. (14) The information may be disclosed when the disclosure is otherwise specifically authorized by law, such as the voluntary reporting, either directly or indirectly, to the federal Food and Drug Administration of adverse events related to drug products or medical device problems. (15) Basic information, including the patient's name, city of residence, age, sex, and general condition, may be disclosed to a state or federally recognized disaster relief organization for the purpose of responding to disaster welfare inquiries. (16) The information may be disclosed to a third party for purposes of encoding, encrypting, or otherwise anonymizing data. However, no information so disclosed shall be further disclosed by the recipient in any way that would be violative of this part, including the unauthorized manipulation of coded or encrypted medical information that reveals individually identifiable medical information. (17) For purposes of disease management programs and services as defined in Section 1399.901 of the Health and Safety Code, information may be disclosed as follows: (A) to any entity contracting with a health care service plan or the health care service plan's contractors to monitor or administer care of enrollees for a covered benefit, provided that the disease management services and care are authorized by a treating physician, or (B) to any disease management organization, as defined in Section 1399.900 of the Health and Safety Code, that complies fully with the physician authorization requirements of Section 1399.902 of the Health and Safety Code, provided that the health care service plan or its contractor provides or has provided a description of the disease management services to a treating physician or to the health care service plan's or contractor's network of physicians. Nothing in this paragraph shall be construed to require physician authorization for the care or treatment of the adherents of any well-recognized church or religious denomination who depend solely upon prayer or spiritual means for healing in the practice of the religion of that church or denomination. (d) Except to the extent expressly authorized by the patient or enrollee or subscriber or as provided by subdivisions (b) and (c), no provider of health care, health care service plan contractor, or corporation and its subsidiaries and affiliates shall intentionally share, sell, market, or otherwise use any medical information for any purpose not necessary to provide health care services to the patient. (e) Except to the extent expressly authorized by the patient or enrollee or subscriber or as provided by subdivisions (b) and (c), no contractor or corporation and its subsidiaries and affiliates shall further disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan or insurer or self-insured employer received under this section to any person or entity that is not engaged in providing direct health care services to the patient or his or her provider of health care or health care service plan or insurer or self-insured employer.(f) This section shall become operative January 1, 2003.SEC. 3. No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.