BILL NUMBER: AB 211 CHAPTERED
BILL TEXT

CHAPTER 602
FILED WITH SECRETARY OF STATE SEPTEMBER 30, 2008
APPROVED BY GOVERNOR SEPTEMBER 30, 2008
PASSED THE SENATE AUGUST 26, 2008
PASSED THE ASSEMBLY AUGUST 31, 2008
AMENDED IN SENATE AUGUST 22, 2008
AMENDED IN SENATE AUGUST 12, 2008
AMENDED IN SENATE AUGUST 6, 2008
AMENDED IN SENATE JULY 1, 2008
AMENDED IN SENATE JUNE 12, 2008
AMENDED IN SENATE SEPTEMBER 5, 2007

INTRODUCED BY Assembly Member Jones (Coauthors: Senators Alquist, Kuehl, and Torlakson)
JANUARY 25, 2007

An act to amend Section 56.36 of the Civil Code, and to add Division 109 (commencing with Section 130200) to, the Health and Safety Code, relating to health.

LEGISLATIVE COUNSEL'S DIGEST

AB 211, Jones. Public health.

Existing law prohibits a health care provider, health care service plan, or contractor from disclosing medical information regarding a patient of the provider or an enrollee or subscriber of the health care service plan without authorization, except as specified. Existing law makes it a misdemeanor to violate these provisions resulting in economic loss or personal injury to a patient, as specified. In addition, existing law authorizes administrative fines and civil penalties against any person or entity that negligently discloses, or knowingly and willfully obtains, discloses, or uses medical information in violation of these provisions, as specified. Existing law specifies the entities that may bring a civil action to recover civil penalties.

This bill would require every provider of health care, as defined, to implement appropriate specified safeguards to protect the privacy of a patient's medical information. The bill would require every provider of health care to reasonably safeguard confidential medical information from unauthorized or unlawful access, use, or disclosure.
The bill would establish within the California Health and Human Services Agency the Office of Health Information Integrity to assess and impose administrative fines for a violation of these provisions, as provided. The director would be appointed by the Secretary of California Health and Human Services. The bill would establish the Internal Health Information Integrity Quality Improvement Account for the deposit of funds derived from these penalties. Upon appropriation by the Legislature, the bill would authorize money in the account to be used to support quality improvement activities. The bill would also authorize the director to send a recommendation for further investigation of, or discipline for, a potential violation to the licensee's relevant licensing authority.

This bill would provide that any costs created pursuant to this act associated with the implementation and operation of the Office of Health Information Integrity shall be funded through non-General Fund sources.

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1. Section 56.36 of the Civil Code is amended to read:

56.36. (a) Any violation of the provisions of this part that results in economic loss or personal injury to a patient is punishable as a misdemeanor.

(b) In addition to any other remedies available at law, any individual may bring an action against any person or entity who has negligently released confidential information or records concerning him or her in violation of this part, for either or both of the following:

(1) Nominal damages of one thousand dollars ($1,000). In order to recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual damages.

(2) The amount of actual damages, if any, sustained by the patient.
(c) (1) In addition, any person or entity that negligently discloses medical information in violation of the provisions of this part shall also be liable, irrespective of the amount of damages suffered by the patient as a result of that violation, for an administrative fine or civil penalty not to exceed two thousand five hundred dollars ($2,500) per violation.

(2) (A) Any person or entity, other than a licensed health care professional, who knowingly and willfully obtains, discloses, or uses medical information in violation of this part shall be liable for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation.

(B) Any licensed health care professional, who knowingly and willfully obtains, discloses, or uses medical information in violation of this part shall be liable on a first violation, for an administrative fine or civil penalty not to exceed two thousand five hundred dollars ($2,500) per violation, or on a second violation for an administrative fine or civil penalty not to exceed ten thousand dollars ($10,000) per violation, or on a third and subsequent violation for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation. Nothing in this subdivision shall be construed to limit the liability of a health care service plan, a contractor, or a provider of health care that is not a licensed health care professional for any violation of this part.

(3) (A) Any person or entity, other than a licensed health care professional, who knowingly or willfully obtains or uses medical information in violation of this part for the purpose of financial gain shall be liable for an administrative fine or civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation and shall also be subject to disgorgement of any proceeds or other consideration obtained as a result of the violation.
(B) Any licensed health care professional, who knowingly and willfully obtains, discloses, or uses medical information in violation of this part for financial gain shall be liable on a first violation, for an administrative fine or civil penalty not to exceed five thousand dollars ($5,000) per violation, or on a second violation for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation, or on a third and subsequent violation for an administrative fine or civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation and shall also be subject to disgorgement of any proceeds or other consideration obtained as a result of the violation. Nothing in this subdivision shall be construed to limit the liability of a health care service plan, a contractor, or a provider of health care that is not a licensed health care professional for any violation of this part.

(4) Nothing in this subdivision shall be construed as authorizing an administrative fine or civil penalty under both paragraphs (2) and (3) for the same violation.

(5) Any person or entity who is not permitted to receive medical information pursuant to this part and who knowingly and willfully obtains, discloses, or uses medical information without written authorization from the patient shall be liable for a civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation.

(d) In assessing the amount of an administrative fine or civil penalty pursuant to subdivision (c), the Office of Health Information Integrity, licensing agency, or certifying board or court shall consider any one or more of the relevant circumstances presented by any of the parties to the case including, but not limited to, the following:

(1) Whether the defendant has made a reasonable, good faith attempt to comply with this part.

(2) The nature and seriousness of the misconduct.

(3) The harm to the patient, enrollee, or subscriber.
(4) The number of violations.

(5) The persistence of the misconduct.

(6) The length of time over which the misconduct occurred.

(7) The willfulness of the defendant's misconduct.

(8) The defendant's assets, liabilities, and net worth.

(e) (1) The civil penalty pursuant to subdivision (c) shall be assessed and recovered in a civil action brought in the name of the people of the State of California in any court of competent jurisdiction by any of the following:

(A) The Attorney General.

(B) Any district attorney.

(C) Any county counsel authorized by agreement with the district attorney in actions involving violation of a county ordinance.

(D) Any city attorney of a city.

(E) Any city attorney of a city and county having a population in excess of 750,000, with the consent of the district attorney.

(F) A city prosecutor in any city having a full-time city prosecutor or, with the consent of the district attorney, by a city attorney in any city and county.

(G) The Director of the Office of Health Information Integrity may recommend that any person described in subparagraphs (A) to (F), inclusive, bring a civil action under this section.

(2) If the action is brought by the Attorney General, one-half of the penalty collected shall be paid to the treasurer of the county in which the judgment was entered, and one-half to the General Fund. If the action is brought by a district attorney or county counsel, the penalty collected shall be paid to the treasurer of the county in which the judgment was entered. Except as provided in paragraph (3), if the action is brought by a city attorney or city prosecutor, one-half of the penalty collected shall be paid to the treasurer of the city in which the judgment was entered and one-half to the treasurer of the county in which the judgment was entered.
(3) If the action is brought by a city attorney of a city and county, the entire amount of the penalty collected shall be paid to the treasurer of the city and county in which the judgment was entered.

(4) Nothing in this section shall be construed as authorizing both an administrative fine and civil penalty for the same violation.

(5) Imposition of a fine or penalty provided for in this section shall not preclude imposition of any other sanctions or remedies authorized by law.

(6) Administrative fines or penalties issued pursuant to Section 1280.15 of the Health and Safety Code shall offset any other administrative fine or civil penalty imposed under this section for the same violation.

(f) For purposes of this section, "knowing" and "willful" shall have the same meanings as in Section 7 of the Penal Code.

(g) No person who discloses protected medical information in accordance with the provisions of this part shall be subject to the penalty provisions of this part.

(h) Paragraph (6) of subdivision (e) shall only become operative if Senate Bill 541 of the 2007-08 Regular Session is enacted and becomes effective on or before January 1, 2009.

SEC. 2. Division 109 (commencing with Section 130200) is added to the Health and Safety Code, to read:

DIVISION 109. OFFICE OF HEALTH INFORMATION INTEGRITY

130200. There is hereby established within the California Health and Human Services Agency the Office of Health Information Integrity to ensure the enforcement of state law mandating the confidentiality of medical information and to impose administrative fines for the unauthorized use of medical information. The Office of Health Information Integrity shall be administered by a director who shall be appointed by the Secretary of California Health and Human Services.

130201. For purposes of this division, the following definitions apply:

(a) "Director" means the Director of the Office of Health Information Integrity.
(b) "Medical information" means the term as defined in subdivision (g) of Section 56.05 of the Civil Code.

(c) "Office" means the Office of Health Information Integrity.

(d) "Provider of health care" means the term as defined in subdivision (j) of Section 56.05 and Section 56.06 of the Civil Code.

(e) "Unauthorized access" means the inappropriate review or viewing of patient medical information without a direct need for diagnosis, treatment, or other lawful use as permitted by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) or by other statutes or regulations governing the lawful access, use, or disclosure of medical information.

130202. (a) (1) Upon receipt of a referral from the State Department of Public Health, the office may assess an administrative fine against any person or any provider of health care, whether licensed or unlicensed, for any violation of this division in an amount as provided in Section 56.36 of the Civil Code. Proceedings against any person or entity for a violation of this section shall be held in accordance with administrative adjudication provisions of Chapter 4.5 (commencing with Section 11400) and Chapter 5 (commencing with Section 11500) of Part 1 of Division 3 of Title 2 of the Government Code.

(2) Paragraph (1) shall not apply to a clinic, health facility, agency, or hospice licensed pursuant to Section 1204, 1250, 1725, or 1745 if Senate Bill 541 of the 2007-08 Regular Session is enacted and becomes effective on or before January 1, 2009.

(3) Nothing in paragraph (1) shall be construed as authorizing the office to assess the administrative penalties described in Section 1280.15 of the Health and Safety Code.
(b) The office shall adopt, amend, or repeal, in accordance with the provisions of Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code, such rules and regulations as may be reasonable and proper to carry out the purposes and intent of this division, and to enable the authority to exercise the powers and perform the duties conferred upon it by this division not inconsistent with any other provision of law.

(c) Paragraph (3) of subdivision (a) shall only become operative if Senate Bill 541 of the 2007-08 Regular Session is enacted and becomes effective on or before January 1, 2009.

130203. (a) Every provider of health care shall establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient's medical information. Every provider of health care shall reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use, or disclosure.

(b) In exercising its duties pursuant to this division, the office shall consider the provider's capability, complexity, size, and history of compliance with this section and other related state and federal statutes and regulations, the extent to which the provider detected violations and took steps to immediately correct and prevent past violations from reoccurring, and factors beyond the provider's immediate control that restricted the facility's ability to comply with this section.

130204. The Internal Health Information Integrity Quality Improvement Account is hereby created in the State Treasury. All administrative fines assessed by the office pursuant to Section 56.36 of the Civil Code shall be deposited in the Internal Health Information Integrity Quality Improvement Account. Notwithstanding Section 16305.7 of the Government Code, all interest earned on the moneys deposited in the account shall be retained in the account.
Upon appropriation by the Legislature, money in the account shall be used for the purpose of supporting quality improvement activities in the office.

130205. Notwithstanding any other provision of law, the director may send a recommendation for further investigation of, or discipline for, a potential violation of this division to the licensee's relevant licensing authority. The recommendation shall include all documentary evidence collected by the director in evaluating whether or not to make that recommendation. The recommendation and accompanying evidence shall be deemed in the nature of an investigative communication and be protected by Section 6254 of the Government Code. The licensing authority of the provider of health care shall review all evidence submitted by the director and may take action for further investigation or discipline of the licensee.

SEC. 3. Any costs created pursuant to this act associated with the implementation and operation of the Office of Health Information Integrity or the implementation of Division 109 (commencing with Section 130200) of the Health and Safety Code shall be funded through non-General Fund sources.