BILL NUMBER: SB 270	AMENDED
	BILL TEXT

	AMENDED IN SENATE  JANUARY 20, 2010
	AMENDED IN SENATE  JANUARY 6, 2010
	AMENDED IN SENATE  MAY 5, 2009
	AMENDED IN SENATE  APRIL 23, 2009

INTRODUCED BY   Senator Alquist

                        FEBRUARY 24, 2009

   An act to amend Sections 1280.15 and 130251 of the Health and
Safety Code, relating to public health.


	LEGISLATIVE COUNSEL'S DIGEST


   SB 270, as amended, Alquist. Health care providers: medical
information.
   (1) Existing law provides for the licensing and regulation of
clinics, health facilities, home health agencies, and hospices by the
State Department of Public Health. Existing law requires these
entities to prevent unlawful or unauthorized access to, and use or
disclosure of, a patient's medical information. A violation of these
provisions is a crime. Existing law requires these entities to report
an instance of unlawful or unauthorized access to, and use or
disclosure of, a patient's medical information to the department and
to the affected patient or patient's representative, as prescribed,
within 5 business days of its detection, except that an entity is
required to delay compliance with this reporting requirement beyond
this 5 business day period if a law enforcement agency or official
provides the entity with a written or oral statement that compliance
with the reporting requirement would impede the law enforcement
agency's activities that relate to the unlawful or unauthorized
access to, and use or disclosure of, a patient's medical information
and specifies the date upon which the delay shall end, as prescribed.

   This bill would, instead, apply the provision requiring a delay in
compliance with the reporting requirement only to a statement that
compliance with that requirement would impede the law enforcement
agency's investigations, rather than activities. By expanding
circumstances to which a crime would apply, the bill would create a
state-mandated local program.
   (2) Existing law establishes the Office of Health Information
Integrity within the California Health and Human Services Agency to
ensure the enforcement of state law mandating confidentiality of
medical information and to impose administrative fines for the
unauthorized use of medical information. Existing law authorizes the
California Health and Human Services Agency, or one of the
departments under its jurisdiction, to apply for federal funds made
available through the federal American Recovery and Reinvestment Act
(ARRA) for health information technology and exchange and, if no
application is made, requires the Governor to designate a nonprofit
entity to be the state-designated entity for purposes of health
information exchange. Existing law requires the agency or
state-designated entity to facilitate and expand the use and
disclosure of health information electronically among organizations,
as prescribed, while protecting individual privacy and the
confidentiality of electronic medical records.
   This bill would, in addition, require the agency or
state-designated entity to facilitate and expand the use and
disclosure of health information electronically among organizations
 with no diminution of rights under   in
accordance with applicable  state  and federal  law.
   The California Constitution requires the state to reimburse local
agencies and school districts for certain costs mandated by the
state. Statutory provisions establish procedures for making that
reimbursement.
   This bill would provide that no reimbursement is required by this
act for a specified reason.
   Vote: majority. Appropriation: no. Fiscal committee: yes.
State-mandated local program: yes.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  SECTION 1.  Section 1280.15 of the Health and Safety Code is
amended to read:
   1280.15.  (a) A clinic, health facility, home health agency, or
hospice licensed pursuant to Section 1204, 1250, 1725, or 1745 shall
prevent unlawful or unauthorized access to, and use or disclosure of,
patients' medical information, as defined in subdivision (g) of
Section 56.05 of the Civil Code and consistent with Section 130203.
The department, after investigation, may assess an administrative
penalty for a violation of this section of up to twenty-five thousand
dollars ($25,000) per patient whose medical information was
unlawfully or without authorization accessed, used, or disclosed, and
up to seventeen thousand five hundred dollars ($17,500) per
subsequent occurrence of unlawful or unauthorized access, use, or
disclosure of that patients' medical information. For purposes of the
investigation, the department shall consider the clinic's, health
facility's, agency's, or hospice's history of compliance with this
section and other related state and federal statutes and regulations,
the extent to which the facility detected violations and took
preventative action to immediately correct and prevent past
violations from recurring, and factors outside its control that
restricted the facility's ability to comply with this section. The
department shall have full discretion to consider all factors when
determining the amount of an administrative penalty pursuant to this
section.
   (b) (1) A clinic, health facility, home health agency, or hospice
to which subdivision (a) applies shall report any unlawful or
unauthorized access to, or use or disclosure of, a patient's medical
information to the department no later than five business days after
the unlawful or unauthorized access, use, or disclosure has been
detected by the clinic, health facility, home health agency, or
hospice.
   (2) Subject to subdivision (c), a clinic, health facility, home
health agency, or hospice shall also report any unlawful or
unauthorized access to, or use or disclosure of, a patient's medical
information to the affected patient or the patient's representative
at the last known address, no later than five business days after the
unlawful or unauthorized access, use, or disclosure has been
detected by the clinic, health facility, home health agency, or
hospice.
   (c) (1) A clinic, health facility, home health agency, or hospice
shall delay the reporting, as required pursuant to paragraph (2) of
subdivision (b), of any unlawful or unauthorized access to, or use or
disclosure of, a patient's medical information beyond five business
days if a law enforcement agency or official provides the clinic,
health facility, home health agency, or hospice with a written or
oral statement that compliance with the reporting requirements of
paragraph (2) of subdivision (b) would likely impede the law
enforcement agency's investigation that relates to the unlawful or
unauthorized access to, and use or disclosure of, a patient's medical
information and specifies a date upon which the delay shall end, not
to exceed 60 days after a written request is made, or 30 days after
an oral request is made. A law enforcement agency or official may
request an extension of a delay based upon a written declaration that
there exists a bona fide, ongoing, significant criminal
investigation of serious wrongdoing relating to the unlawful or
unauthorized access to, and use or disclosure of, a patient's medical
information, that notification of patients will undermine the law
enforcement agency's investigation, and that specifies a date upon
which the delay shall end, not to exceed 60 days after the end of the
original delay period.
   (2) If the statement of the law enforcement agency or official is
made orally, then the clinic, health facility, home health agency, or
hospice shall do the following:
   (A) Document the oral statement, including, but not limited to,
the identity of the law enforcement agency or official making the
oral statement and the date upon which the oral statement was made.
   (B) Limit the delay in reporting the unlawful or unauthorized
access to, or use or disclosure of, the patient's medical information
to the date specified in the oral statement, not to exceed 30
calendar days from the date that the oral statement is made, unless a
written statement that complies with the requirements of this
subdivision is received during that time.
   (3) A clinic, health facility, home health agency, or hospice
shall submit a report that is delayed pursuant to this subdivision
not later than five business days after the date designated as the
end of the delay.
   (d) If a clinic, health facility, home health agency, or hospice
to which subdivision (a) applies violates subdivision (b), the
department may assess the licensee a penalty in the amount of one
hundred dollars ($100) for each day that the unlawful or unauthorized
access, use, or disclosure is not reported, following the initial
five-day period specified in subdivision (b). However, the total
combined penalty assessed by the department under subdivision (a) and
this subdivision shall not exceed two hundred fifty thousand dollars
($250,000) per reported event.
   (e) In enforcing subdivisions (a) and (d), the department shall
take into consideration the special circumstances of small and rural
hospitals, as defined in Section 124840, and primary care clinics, as
defined in subdivision (a) of Section 1204, in order to protect
access to quality care in those hospitals and clinics. When assessing
a penalty on a skilled nursing facility or other facility subject to
Section 1423, 1424, 1424.1, or 1424.5, the department shall issue
only the higher of either a penalty for the violation of this section
or a penalty for violation of Section 1423, 1424, 1424.1, or 1424.5,
not both.
   (f) All penalties collected by the department pursuant to this
section, Sections 1280.1, 1280.3, and 1280.4, shall be deposited into
the Internal Departmental Quality Improvement Account, which is
hereby created within the Special Deposit Fund under Section 16370 of
the Government Code. Upon appropriation by the Legislature, moneys
in the account shall be expended for internal quality improvement
activities in the Licensing and Certification Program.
   (g) If the licensee disputes a determination by the department
regarding a failure to prevent or failure to timely report unlawful
or unauthorized access to, or use or disclosure of, patients' medical
information, or the imposition of a penalty under this section, the
licensee may, within 10 days of receipt of the penalty assessment,
request a hearing pursuant to Section 131071. Penalties shall be paid
when appeals have been exhausted and the penalty has been upheld.
   (h) In lieu of disputing the determination of the department
regarding a failure to prevent or failure to timely report unlawful
or unauthorized access to, or use or disclosure of, patients' medical
information, transmit to the department 75 percent of the total
amount of the administrative penalty, for each violation, within 30
business days of receipt of the administrative penalty.
   (i) Notwithstanding any other law, the department may refer
violations of this section to the Office of Health Information
Integrity for enforcement pursuant to Section 130303.
   (j) For purposes of this section, the following definitions shall
apply:
   (1) "Reported event" means all breaches included in any single
report that is made pursuant to subdivision (b), regardless of the
number of breach events contained in the report.
   (2) "Unauthorized" means the inappropriate access, review, or
viewing of patient medical information without a direct need for
medical diagnosis, treatment, or other lawful use as permitted by the
Confidentiality of Medical Information Act (Part 2.6 (commencing
with Section 56) of Division 1 of the Civil Code) or any other
statute or regulation governing the lawful access, use, or disclosure
of medical information.
  SEC. 2.  Section 130251 of the Health and Safety Code is amended to
read:
   130251.  (a) The California Health and Human Services Agency or
one of the departments under its jurisdiction may apply for federal
funds made available through the federal American Recovery and
Reinvestment Act of 2009 (Public Law 111-5) for health information
technology and exchange.
   (b) In the event that the California Health and Human Services
Agency or one of the departments under its jurisdiction elects not to
submit an application described in subdivision (a), the Governor
shall designate a qualified nonprofit entity to be the
state-designated entity for the purposes of health information
exchange, pursuant to the requirements set forth in ARRA.
   (c) The agency or state-designated entity shall execute tasks
related to accessing federal stimulus funds made available through
ARRA, and facilitate and expand the use and disclosure of health
information electronically among organizations according to
nationally recognized standards and implementation specifications
while protecting, to the greatest extent possible, individual privacy
and the confidentiality of electronic medical records  , and
with no diminution of rights under state   in
accordance with applicable state and federal  law.
   (d) The agency or state-designated entity shall develop a plan to
ensure that health information exchange capabilities are available,
adopted, and utilized statewide so that patients do not experience
disparities in access to the benefits of this technology by age,
race, ethnicity, language, income, insurance status, geography, or
otherwise.
   (e) The agency or state-designated entity shall create a plan for
a self-sustaining funding mechanism that does not include use of
General Fund moneys that shall cover all reasonable costs of the
administration of health information exchange when federal ARRA funds
expire or are exhausted.
   (f) The state-designated entity shall continually meet any
conditions for being so designated as determined by the Secretary of
California Health and Human Services. Failure to comply with this
subdivision may result in the entity losing its designation.
   (g) As a condition of receiving the state designation, the
state-designated entity shall comply with all of the following
requirements:
   (1) It shall be subject to oversight by the California Health and
Human Services Agency.
   (2) (A) It shall be governed by a board with a diverse composition
from multiple types of organizations from multiple regions
throughout the state. The governing board shall include, at a
minimum, all of the following:
   (i) The Secretary of California Health and Human Services or his
or her designee.
   (ii) The Chair of the Senate Committee on Health or his or her
designee.
   (iii) The Chair of the Assembly Committee on Health or his or her
designee.
   (iv) At least two consumer representatives, one of whom shall have
expertise in privacy and security of health information.
   (B) The majority of the board shall be comprised of
nongovernmental employees.
   (3) If the board convenes workgroups or subcommittees, the
workgroups or subcommittees shall be comprised of representatives
from multiple types of organizations from multiple regions throughout
the state, and meetings of any workgroup or subcommittee shall be
held in an open, public, and transparent way.
   (4) It shall have nondiscrimination and conflict-of-interest
policies that demonstrate a commitment to open, fair, and
nondiscriminatory participation by stakeholders.
   (h) The state-designated entity shall report to the California
Health and Human Services Agency and the Legislature on its progress
and activities at least annually.
  SEC. 3.  No reimbursement is required by this act pursuant to
Section 6 of Article XIII B of the California Constitution because
the only costs that may be incurred by a local agency or school
district will be incurred because this act creates a new crime or
infraction, eliminates a crime or infraction, or changes the penalty
for a crime or infraction, within the meaning of Section 17556 of the
Government Code, or changes the definition of a crime within the
meaning of Section 6 of Article XIII B of the California
Constitution.