BILL NUMBER: AB 211	AMENDED
	BILL TEXT

	AMENDED IN SENATE  AUGUST 22, 2008
	AMENDED IN SENATE  AUGUST 12, 2008
	AMENDED IN SENATE  AUGUST 6, 2008
	AMENDED IN SENATE  JULY 1, 2008
	AMENDED IN SENATE  JUNE 12, 2008
	AMENDED IN SENATE  SEPTEMBER 5, 2007

INTRODUCED BY   Assembly Member Jones
   (Coauthors: Senators  Kuehl   Alquist, 
 Kuehl,  and Torlakson)

                        JANUARY 25, 2007

   An act to amend Section 56.36 of the Civil Code,   to add
Section 101037 to,   and to add  and Division 109
(commencing with Section 130200) to, the Health and Safety Code,
relating to health.



	LEGISLATIVE COUNSEL'S DIGEST


   AB 211, as amended, Jones. Public health. 
   Existing law permits the establishment of the position of county
health officer for the performance of various duties and powers
relating to public health.  
   This bill would authorize the local health officer to provide
assistance to cities and counties with regard to public health issues
as they relate to local land use planning and transportation
planning processes. 
   Existing law prohibits a health care provider, health care service
plan, or contractor from disclosing medical information regarding a
patient of the provider or an enrollee or subscriber of the health
care service plan without authorization, except as specified.
Existing law makes it a misdemeanor to violate these provisions
resulting in economic loss or personal injury to a patient, as
specified. In addition, existing law authorizes administrative fines
and civil penalties against any person or entity that negligently
discloses, or knowingly and willfully obtains, discloses, or uses
medical information in violation of these provisions, as specified.
Existing law specifies the entities that may bring a civil action to
recover civil penalties.
   This bill would require every provider of health care  , 
as defined, to  prevent the unlawful access, use, or
disclosure   implement appropriate specified safeguards
to protect the privacy  of a patient's medical information. The
bill would require every provider of health care to  monitor
employees who have access to patient medical information, as
specified, to ensure compliance. The bill would also require a
provider to establish and maintain appropriate safeguards and
policies to ensure the confidentiality and security of medical
information, as specified   reasonably safeguard
confidential medical information from unauthorized or unlawful
access, use, or disclosure  . The bill would establish within
the California Health and Human Services Agency the Office of Health
Information Integrity to assess and impose administrative fines for a
violation of these provisions, as provided. The director would be
appointed by the Secretary of California Health and Human Services.
The bill would establish the Internal Health Information Integrity
Quality Improvement Account for the deposit of funds derived from
these penalties. Upon appropriation by the Legislature, the bill
would authorize money in the account to be used to support quality
improvement activities. The bill would also authorize the director to
 make   send  a recommendation  to
the licensing authority of a health care provider  for 
further  investigation  of,  or discipline  of
the licensee, as specified, and to recommend that a civil action to
collect penalties be commenced   for, a potential
violation to the licensee's relevant licensing authority  . 

   This bill would provide that any costs created pursuant to this
act associated with the implementation and operation of the Office of
Health Information Integrity shall be funded through non-General
Fund sources. 
   Vote: majority. Appropriation: no. Fiscal committee: yes.
State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  SECTION 1.  Section 56.36 of the Civil Code is amended to read:
   56.36.  (a) Any violation of the provisions of this part that
results in economic loss or personal injury to a patient is
punishable as a misdemeanor.
   (b) In addition to any other remedies available at law, any
individual may bring an action against any person or entity who has
negligently released confidential information or records concerning
him or her in violation of this part, for either or both of the
following:
   (1) Nominal damages of one thousand dollars ($1,000). In order to
recover under this paragraph, it shall not be necessary that the
plaintiff suffered or was threatened with actual damages.
   (2) The amount of actual damages, if any, sustained by the
patient.
   (c) (1) In addition, any person or entity that negligently
discloses medical information in violation of the provisions of this
part shall also be liable, irrespective of the amount of damages
suffered by the patient as a result of that violation, for an
administrative fine or civil penalty not to exceed two thousand five
hundred dollars ($2,500) per violation.
   (2) (A) Any person or entity, other than a licensed health care
professional, who knowingly and willfully obtains, discloses, or uses
medical information in violation of this part shall be liable for an
administrative fine or civil penalty not to exceed twenty-five
thousand dollars ($25,000) per violation.
   (B) Any licensed health care professional, who knowingly and
willfully obtains, discloses, or uses medical information in
violation of this part shall be liable on a first violation, for an
administrative fine or civil penalty not to exceed two thousand five
hundred dollars ($2,500) per violation, or on a second violation for
an administrative fine or civil penalty not to exceed ten thousand
dollars ($10,000) per violation, or on a third and subsequent
violation for an administrative fine or civil penalty not to exceed
twenty-five thousand dollars ($25,000) per violation. Nothing in this
subdivision shall be construed to limit the liability of a health
care service plan, a contractor, or a provider of health care that is
not a licensed health care professional for any violation of this
part.
   (3) (A) Any person or entity, other than a licensed health care
professional, who knowingly or willfully obtains or uses medical
information in violation of this part for the purpose of financial
gain shall be liable for an administrative fine or civil penalty not
to exceed two hundred fifty thousand dollars ($250,000) per violation
and shall also be subject to disgorgement of any proceeds or other
consideration obtained as a result of the violation.
   (B) Any licensed health care professional, who knowingly and
willfully obtains, discloses, or uses medical information in
violation of this part for financial gain shall be liable on a first
violation, for an administrative fine or civil penalty not to exceed
five thousand dollars ($5,000) per violation, or on a second
violation for an administrative fine or civil penalty not to exceed
twenty-five thousand dollars ($25,000) per violation, or on a third
and subsequent violation for an administrative fine or civil penalty
not to exceed two hundred fifty thousand dollars ($250,000) per
violation and shall also be subject to disgorgement of any proceeds
or other consideration obtained as a result of the violation. Nothing
in this subdivision shall be construed to limit the liability of a
health care service plan, a contractor, or a provider of health care
that is not a licensed health care professional for any violation of
this part.
   (4) Nothing in this subdivision shall be construed as authorizing
an administrative fine or civil penalty under both paragraphs (2) and
(3) for the same violation.
   (5) Any person or entity who is not permitted to receive medical
information pursuant to this part and who knowingly and willfully
obtains, discloses, or uses medical information without written
authorization from the patient shall be liable for a civil penalty
not to exceed two hundred fifty thousand dollars ($250,000) per
violation.
   (d) In assessing the amount of an administrative fine or civil
penalty pursuant to subdivision (c), the Office of Health Information
Integrity, licensing agency, or certifying board or court shall
consider any one or more of the relevant circumstances presented by
any of the parties to the case including, but not limited to, the
following:
   (1) Whether the defendant has made a reasonable, good faith
attempt to comply with this part.
   (2) The nature and seriousness of the misconduct.
   (3) The harm to the patient, enrollee, or subscriber.
   (4) The number of violations.
   (5) The persistence of the misconduct.
   (6) The length of time over which the misconduct occurred.
   (7) The willfulness of the defendant's misconduct.
   (8) The defendant's assets, liabilities, and net worth.
   (e) (1) The civil penalty pursuant to subdivision (c) shall be
assessed and recovered in a civil action brought in the name of the
people of the State of California in any court of competent
jurisdiction by any of the following:
   (A) The Attorney General.
   (B) Any district attorney.
   (C) Any county counsel authorized by agreement with the district
attorney in actions involving violation of a county ordinance.
   (D) Any city attorney of a city.
   (E) Any city attorney of a city and county having a population in
excess of 750,000, with the consent of the district attorney.
   (F) A city prosecutor in any city having a full-time city
prosecutor or, with the consent of the district attorney, by a city
attorney in any city and county.
   (G) The Director of the Office of Health Information Integrity may
recommend that any person described in subparagraphs (A) to (F),
inclusive, bring a civil action under this section.
   (2) If the action is brought by the Attorney General, one-half of
the penalty collected shall be paid to the treasurer of the county in
which the judgment was entered, and one-half to the General Fund. If
the action is brought by a district attorney or county counsel, the
penalty collected shall be paid to the treasurer of the county in
which the judgment was entered. Except as provided in paragraph (3),
if the action is brought by a city attorney or city prosecutor,
one-half of the penalty collected shall be paid to the treasurer of
the city in which the judgment was entered and one-half to the
treasurer of the county in which the judgment was entered.
   (3) If the action is brought by a city attorney of a city and
county, the entire amount of the penalty collected shall be paid to
the treasurer of the city and county in which the judgment was
entered.
   (4) Nothing in this section shall be construed as authorizing both
an administrative fine and civil penalty for the same violation.
   (5) Imposition of a fine or penalty provided for in this section
shall not preclude imposition of any other sanctions or remedies
authorized by law.
   (6) Administrative fines or penalties issued pursuant to Section
1280.15 of the Health and Safety Code shall offset any other
administrative fine or civil penalty imposed under this section for
the same violation.
   (f) For purposes of this section, "knowing" and "willful" shall
have the same meanings as in Section 7 of the Penal Code.
   (g) No person who discloses protected medical information in
accordance with the provisions of this part shall be subject to the
penalty provisions of this part.
   (h) Paragraph (6) of subdivision (e) shall only become operative
if Senate Bill 541 of the 2007-08 Regular Session is enacted and
becomes effective on or before January 1, 2009. 
  SEC. 2.    Section 101037 is added to the Health
and Safety Code, to read:
   101037.  The county local health officer may provide assistance to
cities and counties with regard to public health issues as they
relate to local land use planning and transportation planning
processes. This assistance may relate to areas that include, but are
not limited to, all of the following:
   (a) The prevention of obesity and chronic diseases, such as
diabetes, some forms of cancer, arthritis and stroke in relation to
physical activity, and issues of ease of walking and biking and
vehicle miles traveled.
   (b) Respiratory disease and air quality.
   (c) Injury prevention and motor vehicle crashes.
   (d) Healthier eating opportunities and community design.
   (e) Drinking water quality.
   (f) Mental well-being and parks, trails, and open space.
   (g) Social capital and sense of community.
   (h) Violence prevention and street safety. 
   SEC. 3.   SEC. 2.   Division 109
(commencing with Section 130200) is added to the Health and Safety
Code, to read:

      DIVISION 109.  OFFICE OF HEALTH INFORMATION INTEGRITY


   130200.  There is hereby established within the California Health
and Human Services Agency the Office of Health Information Integrity
to ensure the enforcement of state law mandating the confidentiality
of medical information and to impose administrative fines for the
unauthorized use of medical information. The Office of Health
Information Integrity shall be administered by a director who shall
be appointed by the Secretary of California Health and Human
Services.
   130201.  For purposes of this division, the following definitions
apply:
   (a) "Director" means the Director of the Office of Health
Information Integrity.
   (b) "Medical information" means the term as defined in subdivision
(g) of Section 56.05 of the Civil Code.
   (c) "Office" means the Office of Health Information Integrity.
   (d) "Provider of health care" means the term as defined in
subdivision (j) of Section 56.05 and Section 56.06 of the Civil Code.

   (e) "Unauthorized access" means the inappropriate review or
viewing of patient medical information without a direct need for
 medical  diagnosis, treatment, or other lawful use
 as permitted by the Confidentiality of Medical Information Act
(Part 2.6 (commencing with Section 56) of Division 1 of the Civil
Code) or by other statutes or regulations governing the lawful
access, use, or disclos   ure of medical information  .

   130202.  (a) (1) Upon receipt of a referral from the State
Department of Public Health, the office may assess an administrative
fine against any person or any provider of health care  , whether
licensed or unlicensed,  for any violation of this division in
an amount as provided in Section 56.36 of the Civil Code. Proceedings
against any person or entity for a violation of this section shall
be held in accordance with administrative adjudication provisions of
Chapter 4.5 (commencing with Section 11400) and Chapter 5 (commencing
with Section 11500) of Part 1 of Division 3 of Title 2 of the
Government Code. 
   (2) Paragraph (1) shall not apply to a clinic, health facility,
agency, or hospice licensed pursuant to Section 1204, 1250, 1725, or
1745 if Senate Bill 541 of the 2007-08 Regular Session is enacted and
becomes effective on or before January 1, 2009.  
   (2) 
    (3)  Nothing in paragraph (1) shall be construed as
authorizing the office to assess the administrative penalties
described in Section 1280.15 of the Health and Safety Code.
   (b) The office shall adopt, amend, or repeal, in accordance with
the provisions of Chapter 3.5 (commencing with Section 11340) of Part
1 of Division 3 of Title 2 of the Government Code, such rules and
regulations as may be reasonable and proper to carry out the purposes
and intent of this division, and to enable the authority to exercise
the powers and perform the duties conferred upon it by this division
not inconsistent with any other provision of law.
   (c) Paragraph  (2)   (3)  of subdivision
(a) shall only become operative if Senate Bill 541 of the 2007-08
Regular Session is enacted and becomes effective on or before January
1, 2009.
   130203.  (a) Every provider of health care shall  prevent
the unauthorized access or unlawful access, use, or disclosure of a
patient's medical information. Every provider of health care whose
employees have access to medical information shall monitor the
electronic access to patient medical information to ensure compliance
with this section. Every provider of health care shall establish and
maintain appropriate administrative, organizational, technical, and
physical safeguards, and policies and procedures to ensure the
privacy, confidentiality, security, and integrity of medical
information that is accessed, maintained, retained, modified,
recorded, stored, destroyed, or otherwise used or disclosed.
  establish and implement appropriate administrative,
technic   al, and physical safeguards to protect the privacy
of a patient's medical information. Every provider of health care
shall reasonably safeguard confidential medical information from any
unauthorized access or unlawful access, use, or disclosure. 
   (b) In exercising its duties pursuant to this division, the office
 may consider the provider's   shall consider
the provider's capability, complexity, size, and  history of
compliance with this section and other related state and federal
statutes and regulations, the extent to which the provider detected
violations and took steps to immediately correct and prevent past
violations from reoccurring, and factors beyond the provider's
immediate control that restricted the facility's ability to comply
with this section.
   130204.  The Internal Health Information Integrity Quality
Improvement Account is hereby created in the State Treasury.  All
administrative fines assessed by the office pursuant to Section
56.36 of the Civil Code shall be deposited in the Internal Health
Information Integrity Quality Improvement Account. Notwithstanding
Section 16305.7 of the Government Code, all interest earned on the
moneys deposited in the account shall be retained in the account.
 Upon appropriation by the Legislature, money in the account
shall be used for the purpose of supporting quality improvement
 activities in the office. Notwithstanding Section 16505.7 of
the Government Code, all interest earned on the moneys deposited in
the fund shall be retained in the fund.   activities in
the office.  
   130205.  When information comes to the attention of the director
that a provider of health care has committed any act or omission that
appears to constitute a violation of this division, the director
shall send a recommendation to the licensing authority of the
provider of health care for further investigation or discipline of
the licensee. 
    130205.    Notwithstanding any other provision of
law, the director may send a recommendation for further investigation
of, or discipline for, a potential violation of this division to the
licensee's relevant licensing authority.  The recommendation
shall include all documentary evidence collected by the director in
evaluating whether or not to make that recommendation. The
recommendation and accompanying evidence shall be deemed in the
nature of an investigative communication and be protected by Section
6254 of the Government Code. The licensing authority of the provider
of health care shall review all evidence submitted by the director
and may take action for further investigation or discipline of the
licensee.
   SEC. 3.    Any costs created pursuant to this act
associated with the implementation and operation of the Office of
Health Information Integrity or the implementation of Division 109
(commencing with Section 130200) of the Health and Safety Code shall
be funded through non-General Fund sources.