BILL ANALYSIS
AB 1011
Page 1

Date of Hearing: April 28, 2009

ASSEMBLY COMMITTEE ON HEALTH
Dave Jones, Chair
AB 1011 (Jones) - As Amended: April 15, 2009

SUBJECT: Office of Health Information Integrity: report.

SUMMARY: Requires the Office of Health Information Integrity (OHII) within the California Health and Human Services Agency (CHHSA) to report to the Legislature, as specified, on the impact of federal law changes related to health care technology and the privacy of health and medical information, including state law changes necessary and appropriate to conform state law to federal changes. Specifically, this bill:

1) Requires OHII to report to the appropriate policy and fiscal committees of the Legislature by April 1, 2010 on the impact of federal changes related to health care technology and the privacy of health and medical information.

2) Requires OHII to evaluate and make recommendations for statutory changes to ensure California's medical privacy laws are minimally compliant with or exceed federal privacy laws, including but not limited to, compliance with changes to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), as enacted through the federal American Recovery and Reinvestment Act of 2009 (ARRA), and that California law is updated to reflect and promote the development and expansion of health information technology (HIT), while safeguarding confidential medical information.

EXISTING LAW:

1) Establishes OHII within CHHSA to ensure the enforcement of state confidentiality of medical information and to impose administrative fines for the unauthorized use of medical information upon referral from the Department of Public Health (DPH).
2) Requires a licensed clinic, health facility, home health agency, or hospice to prevent unlawful or unauthorized access to, and use or disclosure of, patients' medical information, and requires every provider of health care to:

   a) Prevent the unauthorized access or unlawful access, use, or disclosure of a patient's medical information;

   b) Monitor employees' electronic access to patient medical information, as specified; and,

   c) Maintain appropriate administrative, organizational, technical, and physical safeguards, policies, and procedures to ensure the privacy, confidentiality, security, and integrity of medical information that is accessed, maintained, retained, modified, recorded, stored, destroyed, or otherwise used or disclosed.

3) Requires a health facility to report any unlawful or unauthorized access to or use or disclosure of a patient's medical information (commonly referred to as a "breach" of medical information) to the affected patient or his or her representative and to DPH no later than five days after the unlawful or unauthorized access, use, or disclosure has been detected by the health facility.

4) Permits DPH, after an investigation, to assess an administrative penalty for a violation of the medical privacy-related protections in 2) above in the amount of $25,000 per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed, and $17,500 per subsequent occurrence.

5) Prohibits, under the California Confidentiality of Medical Information Act (CMIA), a provider of health care, health care service plan, or health care contractor from disclosing a person's medical information without first obtaining that person's authorization, except as specified.

6) Requires under the CMIA, notwithstanding 5) above, a health care provider, health care service plan, or health care contractor to disclose medical information if required by a subpoena, search warrant, or other court order.
   Permits a provider, health care service plan, or contractor to disclose information in other specified circumstances, including for purposes of diagnosis or treatment or as necessary to provide billing or other administrative services to the provider or plan. Prohibits a provider, plan, or contractor from disclosing a person's medical information for marketing purposes, or any other purpose not necessary to provide health care services to the patient, without express authorization from that person.

7) Defines, under CMIA:

   a) "Medical information" as any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment; and,

   b) "Provider of health care" as a health professional licensed or certified under the Business and Professions Code, including emergency medical technicians, clinics, health dispensaries, and licensed health facilities.

8) Prohibits, under the California Insurance Information and Privacy Protection Act, insurers, including health insurers, from disclosing any personal or privileged individual information collected or received in an insurance transaction, except as specified, including that the information may be disclosed to insurers, agents, or self-insurers if related to an insurance transaction involving the individual, as specified, and to a group policyholder for the purpose of reporting claims experience or conducting an audit of an insurer or agent, as specified.
9) Under HIPAA, prohibits, with exceptions, covered entities from using or disclosing protected health information (PHI), except pursuant to a written authorization signed by the patient or for treatment, payment, or health care operations, and generally requires a covered entity to make reasonable efforts to limit the use or disclosure of PHI to the minimum necessary to accomplish the intended purpose of the disclosure. Defines PHI as individually identifiable health information which identifies, or can be used to identify, an individual.

10) Under the federal Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of ARRA, establishes within the federal Department of Health and Human Services (DHHS) the Office of the National Coordinator for Health Information Technology and requires the Secretary of DHHS to adopt an initial set of standards for HIT and health information exchange (HIE), as specified, by December 31, 2009. In addition, among other changes, requires business associates of covered entities subject to HIPAA (as defined in federal law, generally health care providers, health plans, and health care clearinghouses, such as billing services) to notify the covered entity following the discovery of a breach of unsecured PHI, and requires DHHS to issue interim final regulations for privacy breach notification by entities subject to HIPAA.

FISCAL EFFECT: This bill has not yet been analyzed by a fiscal committee.

COMMENTS:

1) PURPOSE OF THIS BILL. According to the author, this bill is needed to prepare California for enhanced and more widespread adoption of HIT and HIE. The author points out that the federal HITECH Act, enacted as one component of the ARRA federal economic stimulus plan signed by President Obama on February 17, 2009, establishes a framework for federal policy, standards setting and investment in the development and dissemination of HIT and HIE.
   In addition, the author notes, the HITECH Act includes numerous changes to the federal privacy and security provisions of HIPAA, which will have a direct impact on organizations participating in HIE projects in California. The author also notes that California already has stronger and more robust state law provisions affecting the disclosure and the protection of individual, private patient information, such as the state breach notification provisions enacted during the 2008 legislative session in AB 211 (Jones), Chapter 602, Statutes of 2008, and SB 541 (Alquist), Chapter 650, Statutes of 2008. The author contends that in order to continue to protect private patient information, but to also ensure that California can move forward toward wider adoption of HIT, this bill requires OHII to do the legal and policy analysis necessary to make recommendations on the statutory changes to better synchronize state and federal medical privacy laws.

2) BACKGROUND. The federal HITECH Act provides more than $36 billion to promote HIT/HIE, including grants and incentive payments for adoption of electronic health records, chronic disease management systems, and other health-related technologies. The HITECH Act sets forth a framework for development of federal policy and the expenditure of federal stimulus money to advance the design, development, and operation of a nationwide HIT infrastructure that allows for the electronic use and exchange of information. The goal of HITECH is to ensure that every person in the United States has an electronic health record by 2014.
   According to a February 2009 policy brief prepared by the California HealthCare Foundation (CHCF), "An Unprecedented Opportunity: Using Federal Stimulus Funds to Advance Health IT in California," in addition to creating a new federal policy and standards setting framework, the HITECH Act strengthens the privacy and security provisions of HIPAA in five key areas:

   a) Extension of HIPAA to business associates;

   b) Establishment of a federal security breach notification mandate;

   c) New restrictions on the use and disclosure of PHI;

   d) Creation of additional patient rights to allow patients to more fully protect and to obtain their PHI and medical records; and,

   e) Increased HIPAA enforcement.

   As one element of the state HITECH implementation effort, CHCF recommends that OHII disseminate technical guidance to all parties that engage in electronic information exchange to clarify the interplay between California and federal privacy laws and to recommend best practices for facilitating legal compliance.

3) STATE IMPLEMENTATION. On April 22, 2009, CHHSA released a preliminary state plan related to the HIT/HIE elements of federal stimulus, entitled "Health Information Exchange: California's High Level Plan to Secure Federal Stimulus Support." The CHHSA plan calls for a rapid four-month process to convene and gather input from relevant stakeholders; conduct an assessment of existing HIE infrastructure and projects in the state; analyze and develop success criteria, elements of governance, and technical and business requirements related to the advancement of HIE; and consider a state-issued request for proposal to secure and establish a non-profit, state-designated entity to serve as the lead agency in California regarding HIT/HIE, as authorized under the HITECH Act.
   CHHSA recently appointed a new Deputy Secretary for HIT and an HIE Advisory Board composed of representatives of the Legislature and relevant state agencies, and provider, consumer, and business stakeholder organizations.

4) RELATED LEGISLATION.

   a) AB 598 (De La Torre) establishes within CHHSA the California Health Information Network to review and, after public hearings for the purpose of receiving input from all interested parties, recommend adoption of HIE standards to the Governor and the Legislature, and the California Health Information Advisory Board, with specified duties and membership. AB 598 is scheduled to be heard in the Assembly Health Committee on April 28, 2009.

   b) SB 270 (Alquist), pending in the Senate, will establish the Health Information Technology Advisory Panel, with specified membership, to advise the Governor and the Legislature on HIT implementation.

5) PREVIOUS LEGISLATION.

   a) AB 211 (Jones) establishes OHII to ensure the enforcement of state confidentiality of medical information and to impose administrative fines for the unauthorized use of medical information upon referral from DPH, and requires providers of health care to establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of patient medical information.

   b) SB 541 (Alquist) increases the maximum penalties levied against hospitals for immediate jeopardy and other specified violations. Requires specified health facilities to prevent unlawful access to, use, or disclosure of patient medical information; establishes administrative penalties for violations; and requires the patient and DPH to be notified of any unlawful access to, use, or disclosure of a patient's medical information.

REGISTERED SUPPORT / OPPOSITION:

Support
None on file.

Opposition
None on file.

Analysis Prepared by: Deborah Kelch / HEALTH / (916) 319-2097