BILL NUMBER: AB 715 CHAPTERED 09/29/03
CHAPTER 562
FILED WITH SECRETARY OF STATE SEPTEMBER 29, 2003
APPROVED BY GOVERNOR SEPTEMBER 28, 2003
PASSED THE ASSEMBLY SEPTEMBER 12, 2003
PASSED THE SENATE SEPTEMBER 11, 2003
AMENDED IN SENATE SEPTEMBER 10, 2003
AMENDED IN SENATE SEPTEMBER 8, 2003
AMENDED IN SENATE JULY 16, 2003
AMENDED IN ASSEMBLY JUNE 2, 2003
AMENDED IN ASSEMBLY MARCH 24, 2003

INTRODUCED BY Assembly Member Chan (Coauthors: Assembly Members Hancock and Levine)

FEBRUARY 19, 2003

An act to amend Sections 56.05, 56.10, 56.11, 56.17, and 56.21 of the Civil Code, relating to personal information.

LEGISLATIVE COUNSEL'S DIGEST

AB 715, Chan. Personal information.

(1) Existing law prohibits a provider of health care, a health care service plan, contractor, or corporation and its subsidiaries and affiliates from intentionally sharing, selling, or otherwise using any medical information, as defined, for any purpose not necessary to provide health care services to a patient, except as expressly authorized by the patient, enrollee, or subscriber, as specified, or as otherwise required or authorized by law. Violations of these provisions are subject to a civil action for compensatory and punitive damages, and, if a violation results in economic loss or personal injury to a patient, it is punishable as a misdemeanor.

This bill would provide that this prohibition also applies to the marketing of medical information, as defined, excluding from the definition of marketing, for these purposes, communications for which the communicator does not receive remuneration from a 3rd party or for specified descriptive purposes, or that are tailored to the circumstances of a particular individual, as specified.

(2) Existing law requires that specified printed authorizations for the disclosure of medical information be in 8-point type.

This bill would require that those authorizations be printed in 14-point type.
(3) By expanding the definition of the above crimes, this bill would impose a state-mandated local program. (4) The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement. This bill would provide that no reimbursement is required by this act for a specified reason. THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS: SECTION 1. Section 56.05 of the Civil Code is amended to read: 56.05. For purposes of this part: (a) "Authorization" means permission granted in accordance with Section 56.11 or 56.21 for the disclosure of medical information. (b) "Authorized recipient" means any person who is authorized to receive medical information pursuant to Section 56.10 or 56.20. (c) "Contractor" means any person or entity that is a medical group, independent practice association, pharmaceutical benefits manager, or a medical service organization and is not a health care service plan or provider of health care. "Contractor" does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code or pharmaceutical benefits managers licensed pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code). (d) "Health care service plan" means any entity regulated pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code). (e) "Licensed health care professional" means any person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code, the Osteopathic Initiative Act or the Chiropractic Initiative Act, or Division 2.5 (commencing with Section 1797) of the Health and Safety Code. 
(f) "Marketing" means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. "Marketing" does not include any of the following: (1) Communications made orally or in writing for which the communicator does not receive direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication. (2) Communications made to current enrollees solely for the purpose of describing a provider's participation in an existing health care provider network or health plan network of a Knox-Keene licensed health plan to which the enrollees already subscribe; communications made to current enrollees solely for the purpose of describing if, and the extent to which, a product or service, or payment for a product or service, is provided by a provider, contractor, or plan or included in a plan of benefits of a Knox-Keene licensed health plan to which the enrollees already subscribe; or communications made to plan enrollees describing the availability of more cost-effective pharmaceuticals. 
(3) Communications that are tailored to the circumstances of a particular individual to educate or advise the individual about treatment options, and otherwise maintain the individual's adherence to a prescribed course of medical treatment, as provided in Section 1399.901 of the Health and Safety Code, for a chronic and seriously debilitating or life-threatening condition as defined in subdivisions (d) and (e) of Section 1367.21 of the Health and Safety Code, if the health care provider, contractor, or health plan receives direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication, if all of the following apply: (A) The individual receiving the communication is notified in the communication in typeface no smaller than 14-point type of the fact that the provider, contractor, or health plan has been remunerated and the source of the remuneration. (B) The individual is provided the opportunity to opt out of receiving future remunerated communications. (C) The communication contains instructions in typeface no smaller than 14-point type describing how the individual can opt out of receiving further communications by calling a toll-free number of the health care provider, contractor, or health plan making the remunerated communications. No further communication may be made to an individual who has opted out after 30 calendar days from the date the individual makes the opt out request. (g) "Medical information" means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment. 
"Individually identifiable" means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity. (h) "Patient" means any natural person, whether or not still living, who received health care services from a provider of health care and to whom medical information pertains. (i) "Pharmaceutical company" means any company or business, or an agent or representative thereof, that manufactures, sells, or distributes pharmaceuticals, medications, or prescription drugs. "Pharmaceutical company" does not include a pharmaceutical benefits manager, as included in subdivision (c), or a provider of health care. (j) "Provider of health care" means any person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code; any person licensed pursuant to the Osteopathic Initiative Act or the Chiropractic Initiative Act; any person certified pursuant to Division 2.5 (commencing with Section 1797) of the Health and Safety Code; any clinic, health dispensary, or health facility licensed pursuant to Division 2 (commencing with Section 1200) of the Health and Safety Code. "Provider of health care" does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code. SEC. 2. Section 56.10 of the Civil Code is amended to read: 56.10. (a) No provider of health care, health care service plan, or contractor shall disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan without first obtaining an authorization, except as provided in subdivision (b) or (c). 
(b) A provider of health care, a health care service plan, or a contractor shall disclose medical information if the disclosure is compelled by any of the following: (1) By a court pursuant to an order of that court. (2) By a board, commission, or administrative agency for purposes of adjudication pursuant to its lawful authority. (3) By a party to a proceeding before a court or administrative agency pursuant to a subpoena, subpoena duces tecum, notice to appear served pursuant to Section 1987 of the Code of Civil Procedure, or any provision authorizing discovery in a proceeding before a court or administrative agency. (4) By a board, commission, or administrative agency pursuant to an investigative subpoena issued under Article 2 (commencing with Section 11180) of Chapter 2 of Part 1 of Division 3 of Title 2 of the Government Code. (5) By an arbitrator or arbitration panel, when arbitration is lawfully requested by either party, pursuant to a subpoena duces tecum issued under Section 1282.6 of the Code of Civil Procedure, or any other provision authorizing discovery in a proceeding before an arbitrator or arbitration panel. (6) By a search warrant lawfully issued to a governmental law enforcement agency. (7) By the patient or the patient's representative pursuant to Chapter 1 (commencing with Section 123100) of Part 1 of Division 106 of the Health and Safety Code. (8) By a coroner, when requested in the course of an investigation by the coroner's office for the purpose of identifying the decedent or locating next of kin, or when investigating deaths that may involve public health concerns, organ or tissue donation, child abuse, elder abuse, suicides, poisonings, accidents, sudden infant death, suspicious deaths, unknown deaths, or criminal deaths, or when otherwise authorized by the decedent's representative. 
Medical information requested by the coroner under this paragraph shall be limited to information regarding the patient who is the decedent and who is the subject of the investigation and shall be disclosed to the coroner without delay upon request. (9) When otherwise specifically required by law. (c) A provider of health care or a health care service plan may disclose medical information as follows: (1) The information may be disclosed to providers of health care, health care service plans, contractors, or other health care professionals or facilities for purposes of diagnosis or treatment of the patient. This includes, in an emergency situation, the communication of patient information by radio transmission or other means between emergency medical personnel at the scene of an emergency, or in an emergency medical transport vehicle, and emergency medical personnel at a health facility licensed pursuant to Chapter 2 (commencing with Section 1250) of Division 2 of the Health and Safety Code. (2) The information may be disclosed to an insurer, employer, health care service plan, hospital service plan, employee benefit plan, governmental authority, contractor, or any other person or entity responsible for paying for health care services rendered to the patient, to the extent necessary to allow responsibility for payment to be determined and payment to be made. If (A) the patient is, by reason of a comatose or other disabling medical condition, unable to consent to the disclosure of medical information and (B) no other arrangements have been made to pay for the health care services being rendered to the patient, the information may be disclosed to a governmental authority to the extent necessary to determine the patient's eligibility for, and to obtain, payment under a governmental program for health care services provided to the patient. 
The information may also be disclosed to another provider of health care or health care service plan as necessary to assist the other provider or health care service plan in obtaining payment for health care services rendered by that provider of health care or health care service plan to the patient. (3) The information may be disclosed to any person or entity that provides billing, claims management, medical data processing, or other administrative services for providers of health care or health care service plans or for any of the persons or entities specified in paragraph (2). However, no information so disclosed shall be further disclosed by the recipient in any way that would be violative of this part. (4) The information may be disclosed to organized committees and agents of professional societies or of medical staffs of licensed hospitals, licensed health care service plans, professional standards review organizations, independent medical review organizations and their selected reviewers, utilization and quality control peer review organizations as established by Congress in Public Law 97-248 in 1982, contractors, or persons or organizations insuring, responsible for, or defending professional liability that a provider may incur, if the committees, agents, health care service plans, organizations, reviewers, contractors, or persons are engaged in reviewing the competence or qualifications of health care professionals or in reviewing health care services with respect to medical necessity, level of care, quality of care, or justification of charges. (5) The information in the possession of any provider of health care or health care service plan may be reviewed by any private or public body responsible for licensing or accrediting the provider of health care or health care service plan. 
However, no patient-identifying medical information may be removed from the premises except as expressly permitted or required elsewhere by law, nor shall that information be further disclosed by the recipient in any way that would violate this part. (6) The information may be disclosed to the county coroner in the course of an investigation by the coroner's office when requested for all purposes not included in paragraph (8) of subdivision (b). (7) The information may be disclosed to public agencies, clinical investigators, including investigators conducting epidemiologic studies, health care research organizations, and accredited public or private nonprofit educational or health care institutions for bona fide research purposes. However, no information so disclosed shall be further disclosed by the recipient in any way that would disclose the identity of any patient or be violative of this part. (8) A provider of health care or health care service plan that has created medical information as a result of employment-related health care services to an employee conducted at the specific prior written request and expense of the employer may disclose to the employee's employer that part of the information that: (A) Is relevant in a lawsuit, arbitration, grievance, or other claim or challenge to which the employer and the employee are parties and in which the patient has placed in issue his or her medical history, mental or physical condition, or treatment, provided that information may only be used or disclosed in connection with that proceeding. (B) Describes functional limitations of the patient that may entitle the patient to leave from work for medical reasons or limit the patient's fitness to perform his or her present employment, provided that no statement of medical cause is included in the information disclosed. 
(9) Unless the provider of health care or health care service plan is notified in writing of an agreement by the sponsor, insurer, or administrator to the contrary, the information may be disclosed to a sponsor, insurer, or administrator of a group or individual insured or uninsured plan or policy that the patient seeks coverage by or benefits from, if the information was created by the provider of health care or health care service plan as the result of services conducted at the specific prior written request and expense of the sponsor, insurer, or administrator for the purpose of evaluating the application for coverage or benefits. (10) The information may be disclosed to a health care service plan by providers of health care that contract with the health care service plan and may be transferred among providers of health care that contract with the health care service plan, for the purpose of administering the health care service plan. Medical information may not otherwise be disclosed by a health care service plan except in accordance with the provisions of this part. (11) Nothing in this part shall prevent the disclosure by a provider of health care or a health care service plan to an insurance institution, agent, or support organization, subject to Article 6.6 (commencing with Section 791) of Part 2 of Division 1 of the Insurance Code, of medical information if the insurance institution, agent, or support organization has complied with all requirements for obtaining the information pursuant to Article 6.6 (commencing with Section 791) of Part 2 of Division 1 of the Insurance Code. 
(12) The information relevant to the patient's condition and care and treatment provided may be disclosed to a probate court investigator engaged in determining the need for an initial conservatorship or continuation of an existent conservatorship, if the patient is unable to give informed consent, or to a probate court investigator, probation officer, or domestic relations investigator engaged in determining the need for an initial guardianship or continuation of an existent guardianship. (13) The information may be disclosed to an organ procurement organization or a tissue bank processing the tissue of a decedent for transplantation into the body of another person, but only with respect to the donating decedent, for the purpose of aiding the transplant. For the purpose of this paragraph, the terms "tissue bank" and "tissue" have the same meaning as defined in Section 1635 of the Health and Safety Code. (14) The information may be disclosed when the disclosure is otherwise specifically authorized by law, such as the voluntary reporting, either directly or indirectly, to the federal Food and Drug Administration of adverse events related to drug products or medical device problems. (15) Basic information, including the patient's name, city of residence, age, sex, and general condition, may be disclosed to a state or federally recognized disaster relief organization for the purpose of responding to disaster welfare inquiries. (16) The information may be disclosed to a third party for purposes of encoding, encrypting, or otherwise anonymizing data. However, no information so disclosed shall be further disclosed by the recipient in any way that would be violative of this part, including the unauthorized manipulation of coded or encrypted medical information that reveals individually identifiable medical information. 
(17) For purposes of disease management programs and services as defined in Section 1399.901 of the Health and Safety Code, information may be disclosed as follows: (A) to any entity contracting with a health care service plan or the health care service plan's contractors to monitor or administer care of enrollees for a covered benefit, provided that the disease management services and care are authorized by a treating physician, or (B) to any disease management organization, as defined in Section 1399.900 of the Health and Safety Code, that complies fully with the physician authorization requirements of Section 1399.902 of the Health and Safety Code, provided that the health care service plan or its contractor provides or has provided a description of the disease management services to a treating physician or to the health care service plan's or contractor's network of physicians. Nothing in this paragraph shall be construed to require physician authorization for the care or treatment of the adherents of any well-recognized church or religious denomination who depend solely upon prayer or spiritual means for healing in the practice of the religion of that church or denomination. (d) Except to the extent expressly authorized by the patient or enrollee or subscriber or as provided by subdivisions (b) and (c), no provider of health care, health care service plan, contractor, or corporation and its subsidiaries and affiliates shall intentionally share, sell, use for marketing, or otherwise use any medical information for any purpose not necessary to provide health care services to the patient. 
(e) Except to the extent expressly authorized by the patient or enrollee or subscriber or as provided by subdivisions (b) and (c), no contractor or corporation and its subsidiaries and affiliates shall further disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan or insurer or self-insured employer received under this section to any person or entity that is not engaged in providing direct health care services to the patient or his or her provider of health care or health care service plan or insurer or self-insured employer. SEC. 3. Section 56.11 of the Civil Code is amended to read: 56.11. Any person or entity that wishes to obtain medical information pursuant to subdivision (a) of Section 56.10, other than a person or entity authorized to receive medical information pursuant to subdivision (b) or (c) of Section 56.10, shall obtain a valid authorization for the release of this information. An authorization for the release of medical information by a provider of health care, health care service plan, pharmaceutical company, or contractor shall be valid if it: (a) Is handwritten by the person who signs it or is in a typeface no smaller than 14-point type. (b) Is clearly separate from any other language present on the same page and is executed by a signature which serves no other purpose than to execute the authorization. (c) Is signed and dated by one of the following: (1) The patient. A patient who is a minor may only sign an authorization for the release of medical information obtained by a provider of health care, health care service plan, pharmaceutical company, or contractor in the course of furnishing services to which the minor could lawfully have consented under Part 1 (commencing with Section 25) or Part 2.7 (commencing with Section 60). (2) The legal representative of the patient, if the patient is a minor or an incompetent. 
However, authorization may not be given under this subdivision for the disclosure of medical information obtained by the provider of health care, health care service plan, pharmaceutical company, or contractor in the course of furnishing services to which a minor patient could lawfully have consented under Part 1 (commencing with Section 25) or Part 2.7 (commencing with Section 60). (3) The spouse of the patient or the person financially responsible for the patient, where the medical information is being sought for the sole purpose of processing an application for health insurance or for enrollment in a nonprofit hospital plan, a health care service plan, or an employee benefit plan, and where the patient is to be an enrolled spouse or dependent under the policy or plan. (4) The beneficiary or personal representative of a deceased patient. (d) States the specific uses and limitations on the types of medical information to be disclosed. (e) States the name or functions of the provider of health care, health care service plan, pharmaceutical company, or contractor that may disclose the medical information. (f) States the name or functions of the persons or entities authorized to receive the medical information. (g) States the specific uses and limitations on the use of the medical information by the persons or entities authorized to receive the medical information. (h) States a specific date after which the provider of health care, health care service plan, pharmaceutical company, or contractor is no longer authorized to disclose the medical information. (i) Advises the person signing the authorization of the right to receive a copy of the authorization. SEC. 4. Section 56.17 of the Civil Code is amended to read: 56.17. (a) This section shall apply to the disclosure of genetic test results contained in an applicant's or enrollee's medical records by a health care service plan. 
(b) Any person who negligently discloses results of a test for a genetic characteristic to any third party in a manner that identifies or provides identifying characteristics of the person to whom the test results apply, except pursuant to a written authorization as described in subdivision (g), shall be assessed a civil penalty in an amount not to exceed one thousand dollars ($1,000) plus court costs, as determined by the court, which penalty and costs shall be paid to the subject of the test. (c) Any person who willfully discloses the results of a test for a genetic characteristic to any third party in a manner that identifies or provides identifying characteristics of the person to whom the test results apply, except pursuant to a written authorization as described in subdivision (g), shall be assessed a civil penalty in an amount not less than one thousand dollars ($1,000) and no more than five thousand dollars ($5,000) plus court costs, as determined by the court, which penalty and costs shall be paid to the subject of the test. (d) Any person who willfully or negligently discloses the results of a test for a genetic characteristic to a third party in a manner that identifies or provides identifying characteristics of the person to whom the test results apply, except pursuant to a written authorization as described in subdivision (g), that results in economic, bodily, or emotional harm to the subject of the test, is guilty of a misdemeanor punishable by a fine not to exceed ten thousand dollars ($10,000). (e) In addition to the penalties listed in subdivisions (b) and (c), any person who commits any act described in subdivision (b) or (c) shall be liable to the subject for all actual damages, including damages for economic, bodily, or emotional harm which is proximately caused by the act. (f) Each disclosure made in violation of this section is a separate and actionable offense. 
(g) The applicant's "written authorization," as used in this section, shall satisfy the following requirements: (1) Is written in plain language and is in a typeface no smaller than 14-point type. (2) Is dated and signed by the individual or a person authorized to act on behalf of the individual. (3) Specifies the types of persons authorized to disclose information about the individual. (4) Specifies the nature of the information authorized to be disclosed. (5) States the name or functions of the persons or entities authorized to receive the information. (6) Specifies the purposes for which the information is collected. (7) Specifies the length of time the authorization shall remain valid. (8) Advises the person signing the authorization of the right to receive a copy of the authorization. Written authorization is required for each separate disclosure of the test results. (h) This section shall not apply to disclosures required by the Department of Health Services necessary to monitor compliance with Chapter 1 (commencing with Section 124975) of Part 5 of Division 106 of the Health and Safety Code, nor to disclosures required by the Department of Managed Care necessary to administer and enforce compliance with Section 1374.7 of the Health and Safety Code. (i) For purposes of this section, "genetic characteristic" has the same meaning as that set forth in subdivision (d) of Section 1374.7 of the Health and Safety Code. SEC. 5. Section 56.21 of the Civil Code is amended to read: 56.21. An authorization for an employer to disclose medical information shall be valid if it: (a) Is handwritten by the person who signs it or is in a typeface no smaller than 14-point type. (b) Is clearly separate from any other language present on the same page and is executed by a signature which serves no purpose other than to execute the authorization. 
(c) Is signed and dated by one of the following: (1) The patient, except that a patient who is a minor may only sign an authorization for the disclosure of medical information obtained by a provider of health care in the course of furnishing services to which the minor could lawfully have consented under Part 1 (commencing with Section 25) or Part 2.7 (commencing with Section 60) of Division 1. (2) The legal representative of the patient, if the patient is a minor or incompetent. However, authorization may not be given under this subdivision for the disclosure of medical information which pertains to a competent minor and which was created by a provider of health care in the course of furnishing services to which a minor patient could lawfully have consented under Part 1 (commencing with Section 25) or Part 2.7 (commencing with Section 60) of Division 1. (3) The beneficiary or personal representative of a deceased patient. (d) States the limitations, if any, on the types of medical information to be disclosed. (e) States the name or functions of the employer or person authorized to disclose the medical information. (f) States the names or functions of the persons or entities authorized to receive the medical information. (g) States the limitations, if any, on the use of the medical information by the persons or entities authorized to receive the medical information. (h) States a specific date after which the employer is no longer authorized to disclose the medical information. (i) Advises the person who signed the authorization of the right to receive a copy of the authorization. SEC. 6. 
No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.