BILL ANALYSIS                                                                                                                                                                                                    



                                                                  AB 1011
                                                                  Page  1

          Date of Hearing:   April 28, 2009

                            ASSEMBLY COMMITTEE ON HEALTH
                                  Dave Jones, Chair
                    AB 1011 (Jones) - As Amended:  April 15, 2009
           
          SUBJECT  :   Office of Health Information Integrity: report.

           SUMMARY  :   Requires the Office of Health Information Integrity  
          (OHII) within the California Health and Human Services Agency  
          (CHHSA) to report to the Legislature, as specified, on the  
          impact of federal law changes related to health care technology  
          and the privacy of health and medical information, including  
          state law changes necessary and appropriate to conform state law  
          to federal changes.  Specifically,  this bill  :  

          1)Requires OHII to report to the appropriate policy and fiscal  
            committees of the Legislature by April 1, 2010 on the impact  
            of federal changes related to health care technology and the  
            privacy of health and medical information.  

          2)Requires OHII to evaluate and make recommendations for  
            statutory changes to ensure California's medical privacy laws  
            are minimally compliant with or exceed federal privacy laws,  
            including but not limited to, compliance with changes to the  
            federal Health Insurance Portability and Accountability Act of  
            1996 (HIPAA), as enacted through the federal American Recovery  
            and Reinvestment Act of 2009 (ARRA), and that California law  
            is updated to reflect and promote the development and  
            expansion of health information technology (HIT), while  
            safeguarding confidential medical information.

           EXISTING LAW  :  

           1)Establishes OHII within CHHSA to ensure the enforcement of  
            state confidentiality of medical information and to impose  
            administrative fines for the unauthorized use of medical  
            information upon referral from the Department of Public Health  
            (DPH).  

          2)Requires a licensed clinic, health facility, home health  
            agency, or hospice to prevent unlawful or unauthorized access  
            to, and use or disclosure of, patients' medical information,  
            and requires every provider of health care to:

             a)   Prevent the unauthorized access or unlawful access, use,  
               or disclosure of a patient's medical information;
             b)   Monitor employees' electronic access to patient medical  
               information, as specified; and,
             c)   Maintain appropriate administrative, organizational,  
               technical, and physical safeguards, policies, and  
               procedures to ensure the privacy, confidentiality,  
               security, and integrity of medical information that is  
               accessed, maintained, retained, modified, recorded, stored,  
               destroyed, or otherwise used or disclosed.

          3)Requires a health facility to report any unlawful or  
            unauthorized access to or use or disclosure of a patient's  
            medical information (commonly referred to as a "breach" of  
            medical information) to the affected patient or his or her  
            representative and to DPH no later than five days after the  
            unlawful or unauthorized access, use, or disclosure has been  
            detected by the health facility.
          4)Permits DPH, after an investigation, to assess an  
            administrative penalty for a violation of the medical  
            privacy-related protections in 2) above in the amount of  
            $25,000 per patient whose medical information was unlawfully  
            or without authorization accessed, used, or disclosed, and  
            $17,500 per subsequent occurrence.

          5)Prohibits, under the California Confidentiality of Medical  
            Information Act (CMIA), a provider of health care, health care  
            service plan, or health care contractor from disclosing a  
            person's medical information without first obtaining that  
            person's authorization, except as specified.  

          6)Requires under the CMIA, notwithstanding 2) above, a health  
            care provider, health care service plan, or health care  
            contractor to disclose medical information if required by a  
            subpoena, search warrant, or other court order.  Permits a  
            provider, health care service plan, or contractor to disclose  
            information in other specified circumstances, including for  
            purposes of diagnosis or treatment or as necessary to provide  
            billing or other administrative services to the provider or  
            plan.  Prohibits a provider, plan, or contractor from  
            disclosing a person's medical information for marketing  
            purposes, or any other purpose not necessary to provide health  
            care services to the patient, without express authorization  
            from that person.  

          7)Defines, under CMIA:

             a)   "Medical information" as any individually identifiable  
               information, in electronic or physical form, in possession  
               of or derived from a provider of health care, health care  
               service plan, pharmaceutical company, or contractor  
               regarding a patient's medical history, mental or physical  
               condition, or treatment; and,

             b)   "Provider of health care" as a health professional  
               licensed or certified under the Business and Professions  
               Code, including emergency medical technicians, clinics,  
               health dispensaries, and licensed health facilities.

          8)Prohibits under the California Insurance Information and  
            Privacy Protection Act, insurers, including health insurers,  
            from disclosing any personal or privileged individual  
            information collected or received in an insurance transaction,  
            except as specified, including that the information may be  
            disclosed to insurers, agents, or self-insurers if related to  
            an insurance transaction involving the individual, as  
            specified, and to a group policyholder for the purpose of  
            reporting claims experience or conducting an audit of an  
            insurer or agent, as specified.

          9)Under HIPAA, prohibits, with exceptions, covered entities from  
            using or disclosing protected health information (PHI), except  
            pursuant to a written authorization signed by the patient or  
            for treatment, payment, or health care operations, and  
            generally requires a covered entity to make reasonable efforts  
            to limit the use or disclosure of PHI to the minimum necessary  
            to accomplish the intended purpose of the disclosure.  Defines  
            PHI as individually identifiable health information which  
            identifies, or can be used to identify, an individual.  

          10)Under the federal Health Information Technology for Economic  
            and Clinical Health (HITECH) Act, enacted as part of ARRA,  
            establishes within the federal Department of Health and Human  
            Services (DHHS) the Office of the National Coordinator for  
            Health Information Technology and requires the Secretary of  
            DHHS to adopt an initial set of standards for HIT and health  
            information exchange (HIE), as specified, by December 31,  
            2009.  In addition, among other changes, requires business  
            associates of covered entities subject to HIPAA, as defined in  
            federal law, (generally health care providers, health plans,  
            and health care clearinghouses, such as billing services) to  
            notify the covered entity following the discovery of a breach  
            of unsecured PHI and requires DHHS to issue interim final  
            regulations for privacy breach notification by entities  
            subject to HIPAA.

           FISCAL EFFECT  :   This bill has not yet been analyzed by a fiscal  
          committee.

           COMMENTS  :   

           1)PURPOSE OF THIS BILL  .  According to the author, this bill is  
            needed to prepare California for enhanced and more widespread  
            adoption of HIT and HIE.  The author points out that the  
            federal HITECH Act, enacted as one component of the ARRA  
            federal economic stimulus plan signed by President Obama on  
            February 17, 2009, establishes a framework for federal policy,  
            standards setting and investment in the development and  
            dissemination of HIT and HIE.  In addition, the author notes,  
            the HITECH Act includes numerous changes to the federal  
            privacy and security provisions of HIPAA, which will have a  
            direct impact on organizations participating in HIE projects  
            in California.  The author also notes that California already  
            has stronger and more robust state law provisions affecting  
            the disclosure and the protection of individual, private  
            patient information, such as the state breach notification  
            provisions enacted during the 2008 legislative session in AB  
            211 (Jones), Chapter 602, Statutes of 2008, and SB  
            541 (Alquist), Chapter 650, Statutes of 2008.  The author  
            contends that in order to continue to protect private patient  
            information, but to also ensure that California can move  
            forward toward wider adoption of HIT, this bill requires OHII  
            to do the legal and policy analysis necessary to make  
            recommendations on the statutory changes to better synchronize  
            state and federal medical privacy laws.

           2)BACKGROUND  .  The federal HITECH Act provides more than $36  
            billion to promote HIT/HIE, including grants, and incentive  
            payments for adoption of electronic health records, chronic  
            disease management systems, and other health-related  
            technologies.  The HITECH Act sets forth a framework for  
            development of federal policy and the expenditure of federal  
            stimulus money to advance the design, development, and  
            operation of a nationwide HIT infrastructure that allows for  
            the electronic use and exchange of information.  The goal of  
            HITECH is to ensure that every person in the United States has  
            an electronic health record by 2014.

          According to a February 2009 policy brief prepared by the  
            California HealthCare Foundation (CHCF), "An Unprecedented  
            Opportunity: Using Federal Stimulus Funds to advance Health IT  
            in California," in addition to creating a new federal policy  
            and standards setting framework, the HITECH Act strengthens  
            the privacy and security provisions of HIPAA in five key  
            areas:  a) Extension of HIPAA to business associates; b)  
            Establishment of a federal security breach notification  
            mandate; c) New restrictions on the use and disclosure of PHI;  
            d) Creation of additional patient rights to allow patients to  
            more fully protect and to obtain their PHI and medical  
            records; and, e) Increased HIPAA enforcement.  As one element  
            of the state HITECH implementation effort, CHCF recommends  
            that OHII disseminate technical guidance to all parties that  
            engage in electronic information exchange to clarify the  
            interplay between California and federal privacy laws and to  
            recommend best practices for facilitating legal compliance.

           3)STATE IMPLEMENTATION  .  On April 22, 2009, CHHSA released a  
            preliminary state plan related to the HIT/HIE elements of  
            federal stimulus, entitled "Health Information Exchange:  
            California's High Level Plan to Secure Federal Stimulus  
            Support."  The CHHSA plan calls for a rapid four month process  
            to convene and gather input from relevant stakeholders;  
            conduct an assessment on existing HIE infrastructure and  
            projects in the state; analyze and develop success criteria,  
            elements of governance, and technical and business  
            requirements related to the advancement of HIE; and the  
            possibility of a state-issued request for proposal to secure  
            and establish a non-profit, state-designated entity to serve  
            as the lead agency in California regarding HIT/HIE as  
            authorized under the HITECH Act.  CHHSA recently appointed a  
            new Deputy Secretary for HIT and a HIE Advisory Board composed  
            of representatives of the Legislature and relevant state  
            agencies, provider, consumer and business stakeholder  
            organizations.

           4)RELATED LEGISLATION  .

             a)   AB 598 (De La Torre) establishes within CHHSA, the  
               California Health Information Network to review and, after  
               public hearings for the purpose of receiving input from all  
               interested parties, recommend adoption of HIE standards to  
               the Governor and the Legislature, and the California Health  
               Information Advisory Board, with specified duties and  
               membership.  AB 598 is scheduled to be heard in the  
               Assembly Health Committee on April 28, 2009.
             b)   SB 270 (Alquist), pending in the Senate, will establish  
               the Health Information Technology Advisory Panel, with  
               specified membership, to advise the Governor and the  
               Legislature on HIT implementation.  

           5)PREVIOUS LEGISLATION  .

             a)   AB 211 (Jones) establishes OHII to ensure the  
               enforcement of state confidentiality of medical information  
               and to impose administrative fines for the unauthorized use  
               of medical information upon referral from DPH, and requires  
               providers of health care to establish and implement  
               appropriate administrative, technical, and physical  
               safeguards to protect the privacy of patient medical  
               information.
             b)   SB 541 (Alquist) increases the maximum penalties levied  
               against hospitals for immediate jeopardy and other  
               specified violations.  Requires specified health facilities  
               to prevent unlawful access to, use, or disclosure of  
               patient medical information; establishes administrative  
               penalties for violations; and requires the patient and DPH  
               to be notified of any unlawful access to, use, or  
               disclosure of a patient's medical information.

           REGISTERED SUPPORT / OPPOSITION  :   

           Support 
           
          None on file.

           Opposition 
           
          None on file.
           
          Analysis Prepared by  :    Deborah Kelch / HEALTH / (916) 319-2097