BILL ANALYSIS                                                                                                                                                                                                    






                                    SENATE HEALTH
                                 COMMITTEE ANALYSIS
                          Senator Elaine K. Alquist, Chair


          BILL NO:       SB 270
          AUTHOR:        Alquist
          AMENDED:       January 6, 2010
          HEARING DATE:  January 13, 2010
          CONSULTANT:    Chan-Sawin
                                        SUBJECT
                                           
                     Health care providers:  medical information

                                        SUMMARY  

          Specifies that a provision in existing law requiring a delay in  
          compliance with reporting requirements, in the event of a  
          medical privacy breach, applies when notification of the breach  
          would impede a law enforcement agency's investigations, rather  
          than activities.  Also requires the California Health and Human  
          Services Agency (CHHSA) or a non-profit entity designated by the  
          state, for the purposes of establishing health information  
          exchange (HIE), to facilitate and expand the use and disclosure  
          of health information electronically with no diminution of  
          individual rights under state law.

                                CHANGES TO EXISTING LAW  

          Existing federal law:
          Prohibits, under federal regulations implementing the federal  
          Health Insurance Portability and Accountability Act (HIPAA), a  
          health plan, health care clearinghouse or a health care  
          provider, who transmits health information in electronic form  
          (covered entity), from using or disclosing protected health  
          information, for purposes other than medical treatment or  
          payment, or health care operations, as defined, without written  
          authorization of the patient, with exceptions.

          Requires covered entities, and their business associates, to  
          provide notice of medical privacy breaches involving the  
          unauthorized acquisition, access, use, or disclosure of  
          protected health information to each individual whose  
          information has been subject to a breach within 60 days of the  
          discovery of the breach.  



          STAFF ANALYSIS OF SENATE BILL  SB 270 (Alquist)Page 2


          


          Provides that if a law enforcement official determines that  
          notice of a medical privacy breach would impede a criminal  
          investigation or cause damage to national security, the notice  
          shall be delayed, in a specified manner.

          Allows, under the federal American Recovery and Reinvestment Act  
          of 2009 (ARRA), certain medical providers to receive incentive  
          payments for meaningful use of health information technology  
          (HIT), as specified, and provides other funding related to HIT  
          promotion and HIE.

          Existing state law:
          Medical Privacy Provisions
          Prohibits, under the Confidentiality of Medical Information Act  
          (CMIA), licensed or certified health care professionals, clinics  
          and health facilities, health plans, and contracting entities,  
          as defined, from disclosing or using a patient's medical  
          information for any purpose not necessary to provide health care  
          services to the patient and related administrative functions,  
          without first obtaining authorization from the patient or the  
          patient's representative, as specified, with exceptions.

          Provides for administrative fines and civil penalties for  
          persons and entities subject to the CMIA who negligently  
          disclose, or who knowingly and willfully obtain, disclose, or  
          use, medical information in violation of the CMIA, and  
          authorizes the Attorney General, any district attorney, any  
          county counsel acting pursuant to an agreement with the district  
          attorney, or a city attorney, to seek civil penalties for  
          violations.  

          Requires every provider of health care services to establish and  
          implement administrative, technical, and physical safeguards to  
          protect the privacy of patients' medical information, and  
          requires every provider to reasonably safeguard confidential  
          medical information from any unauthorized access or unlawful  
          access, use, or disclosure.  

          Defines unauthorized access as the inappropriate review or  
          viewing of patient medical information without a direct need for  
          diagnosis, treatment, or other lawful use of the information.

          Requires a clinic, health facility, home health agency, or  
          hospice to report any unlawful or unauthorized access to, or use  
          or disclosure of, a patient's medical information to the
          Department of Public Health (DPH) and to the affected patient or  
          patient's representative, no later than five days after the  
          unlawful or unauthorized access, use, or disclosure has been  
          detected by the entity.  

          Allows DPH to assess a penalty of $100 for each day the unlawful  
          or unauthorized access, use, or disclosure is not reported,  
          following the initial five-day period, not to exceed $250,000  
          per reported event.  

          Requires a clinic, health facility, home health agency, or  
          hospice to delay reporting any unlawful or unauthorized access,  
          use, or disclosure of a patient's medical information to DPH if  
          a law enforcement agency or official provides the entity with a  
          written or oral statement that compliance with the reporting  
          requirement would be likely to impede the law enforcement  
          agency's activities that relate to the unlawful or unauthorized  
          access to, and use or disclosure of, a patient's medical  
          information, and specifies a date upon which the delay shall  
          end, not to exceed 60 days after a written request was made, or  
          30 days after an oral request is made.

          Allows a law enforcement agency or official to request an  
          extension of the 60-day delay based upon a written declaration  
          that there exists a bona fide, ongoing, significant criminal  
          investigation of serious wrongdoing, that notification of  
          patients will undermine the law enforcement agency's activities,  
          and that specifies a date upon which the delay shall end, not to  
          exceed 60 days after the end of the original 60-day period.

          Health Information Technology and Exchange Provisions
          Authorizes CHHSA, or one of its departments, to apply for  
          federal HIT and HIE grants, pursuant to requirements set forth  
          in ARRA.  Requires the Governor to designate a nonprofit entity,  
          as specified, to apply for federal funds and establish HIE if no  
          application is made by the state.

          Requires CHHSA or the state-designated entity (SDE) to develop a  
          plan to ensure that HIE capabilities are developed, adopted, and  
          utilized statewide while minimizing disparities in access to  
          HIT, as specified.

          Specifies that the governing board of the SDE must contain, at a  
          minimum, the secretary of CHHSA, chairs of the Senate and  
          Assembly Committees on Health, and two consumer representatives,  
          as specified.

          Requires CHHSA or the SDE to facilitate and expand the use of  
          electronic health information according to nationally recognized  
          standards and specifications, and execute tasks related to  
          accessing ARRA funds while, to the greatest extent possible,  
          protecting the privacy and confidentiality of medical records. 

          This bill:
          Medical Privacy Provisions
          Specifies that delays in reporting unlawful or unauthorized  
          access, use, or disclosure of a patient's medical information to  
          DPH by a clinic, health facility, home health agency, or hospice  
          can only occur if a law enforcement agency or official provides  
          the entity with a written or oral statement that compliance with  
          the reporting requirement would be likely to impede the law  
          enforcement agency's investigation, that relates to the unlawful  
          or unauthorized access to, and use or disclosure of, a patient's  
          medical information, rather than the agency's activities in that  
          regard.

          Allows a law enforcement agency or official to request an  
          extension of the 60-day delay based upon a written declaration  
          that there exists a bona fide, ongoing, significant criminal  
          investigation of serious wrongdoing, that notification of  
          patients will undermine the law enforcement agency's  
          investigation, as opposed to activities.

          Health Information Technology and Exchange Provisions
          Requires CHHSA or the SDE to facilitate and expand the use of  
          electronic health information according to nationally recognized  
          standards and specifications, and execute tasks related to  
          accessing ARRA funds while, to the greatest extent possible,  
          protecting the privacy and confidentiality of medical records,  
          and with no diminution of rights under state law.

          Makes other minor, technical changes.

                                     FISCAL IMPACT  

          This bill, as amended, has not been analyzed by a fiscal  
          committee.

                               BACKGROUND AND DISCUSSION 

          According to the author, SB 270 makes technical and clarifying  
          amendments to SB 337 (Alquist), Chapter 180, Statutes of 2009,  
          which addressed medical privacy breach notifications and authorized
          CHHSA to apply for federal HIT and HIE grants.  In particular,  
          this bill clarifies that expanding the use and disclosure of  
          electronic health information, as authorized in SB 337, shall  
          not diminish individual privacy rights under existing state law.

          Notification of Breaches of Medical Privacy under Federal and  
          State Law
          Under the medical privacy provisions of the recently enacted  
          federal legislation, ARRA, entities that transmit health  
          information in an electronic form are required to provide notice  
          of a medical privacy breach to an individual whose information  
          has been subject to a breach, within 60 days of the discovery of  
          the breach.  The 60-day requirement is delayed in the case that  
          a law enforcement official determines that notice of a medical  
          privacy breach would impede a criminal investigation or cause  
          damage to national security.  However, the ARRA provides that  
          state medical privacy breach notification laws that are more  
          protective of medical privacy (such as the notification  
          requirements in SB 541) are not preempted.  

          The CMIA provides statutory protection for confidentiality of  
          medical information of all persons and restricts the  
          dissemination and use of such information.  It covers all  
          medical information, including electronic health information,  
          but does not directly address the sharing of electronic health  
          information.  State law also differs from federal law by  
          requiring all medical privacy breaches to be reported to DPH and  
          the individual within five days of the discovery of the breach,  
          unless the notification would be likely to impede a law  
          enforcement agency's investigation of the breach.  In the event  
          that an entity is requested to delay notification of a breach by  
          law enforcement, state law also specifies when that delay shall  
          end, depending on whether the request was submitted to the entity orally
          or in writing.

          Health Information Technology and Health Information Exchange
          The potential for HIT to improve health care safety, cost and  
          quality is now nationally recognized, as both governments and  
          the private sector confront spiraling health care costs and  
          inefficiencies in delivering care.  To fully realize the  
          benefits of HIT requires a pervasive underlying infrastructure  
          that supports the use of patient-focused electronic health  
          information.  This infrastructure must go beyond the limitations  
          of HIT systems used by individual providers, health plans or  
          even delivery systems.  It requires wide-scale systemic, state  
          and nationwide infrastructure that incorporates protections for
          patient privacy and confidentiality.  

          The building blocks for this infrastructure include electronic  
          medical records (EMRs) used by providers to manage patient  
          information, personal health records (PHRs) for individual  
          access to their own records, and HIE to facilitate the  
          electronic exchange of EMRs and PHRs.  HIE is the capability to  
          electronically move health information among disparate health  
          care information systems while maintaining the meaning of the  
          information being exchanged.  In many instances, HIE is used to  
          describe both the process of moving health information  
          electronically, and the entity overseeing and governing the  
          exchange.  The goal of HIE is to facilitate access to, and  
          retrieval of, clinical data to provide safer, more timely,  
          efficient, effective, equitable, patient-centered care.  
          
          The American Recovery and Reinvestment Act of 2009
          Last January, President Barack Obama challenged states and  
          health care providers to computerize the nation's health  
          records.  To assist states in their efforts, Congress passed the  
          ARRA in February 2009, which includes roughly $41 billion for  
          national HIT and HIE investments over the next four years.  

          The majority of these funds ($34 billion) are incentive payments  
          that will go to Medicaid and Medicare providers who are able to  
          demonstrate "meaningful use" of HIT.  In addition, ARRA provides  
          $2 billion for HIT promotion, including $564 million in planning  
          and implementation grants for HIE.  These funds can be used, at
          the discretion of the federal Secretary of Health and Human
          Services, to fund a number of initiatives, including
          grants to states to develop HIEs, HIT workforce training grants,  
          and grants to states to develop loan funds, to name a few.

          Out of the $2 billion, $564 million in federal grant funds are  
          available to states to develop state and local/regional HIEs,  
          which are intended to ultimately connect to a national health  
          information network.  These funds are to create an exchange  
          mechanism within California that allows health information to  
          move across disparate health care systems.  

          These federal actions have served as a catalyst for California  
          and the rest of the nation to build HIT infrastructure that will  
          allow pervasive sharing of electronic health information.   
          California is expected to receive roughly $4 billion of the  
          available ARRA HIT stimulus funds.

          State Implementation of Health Information Technology and  
          Exchange
          In the past year, under the leadership of CHHSA, the state has  
          developed an HIT and HIE strategic plan aimed towards maximizing  
          the opportunities provided under ARRA as part of a more  
          comprehensive vision of the state's HIT infrastructure.  In  
          addition to coordinating activities across various state  
          departments and stakeholders, who are planning and implementing  
          various HIT elements in ARRA, CHHSA is the state entity  
          responsible for establishing HIE for California.  CHHSA has  
          submitted an application on behalf of the state and is estimated  
          to receive $38.8 million in early 2010.

          The strategic plan calls for the Governor to designate a  
          separate nonprofit entity, commonly referred to in federal  
          guidance as the "state-designated entity," or within CHHSA, as  
          the "HIE governance board," to implement the requirements of the  
          federal HIE grant.
          
          Privacy and Security of Medical Information
          Continued progress toward widespread HIE will depend on  
          successfully addressing a number of major privacy and security  
          concerns.  The California Office of HIPAA Implementation  
          (CalOHI), under the supervision of CHHSA, is currently working  
          with a wide spectrum of health care stakeholders, including  
          representatives from the health care industry, consumers, and  
          privacy and security advocates, to develop new privacy and  
          security standards to enable the adoption and application of HIE  
          in California.  

          CalOHI has convened the California Privacy and Security Advisory  
          Board (CalPSAB) to develop and recommend these new standards.  
          Adoption of privacy and security standards for HIE will ensure  
          that a person's critical health information can move safely and  
          securely to the point of care. An individual could benefit from  
          improved treatment outcomes and the opportunity to better manage  
          their health. Electronic HIE could also lead to more transparent  
          care and contribute to a more effective and efficient health  
          care system. 

          Over the last two years, CalPSAB has been working towards  
          developing recommendations for creation of a privacy and  
          security framework for sharing of electronic health information.  
          Recommendations are expected early in 2010.

          Support
          The American Civil Liberties Union (ACLU) writes in strong  
          support of the privacy clarification language in this bill to  
          ensure that there is no diminution of individual privacy rights  
          under California law while the state or state-designated  
          entities are accessing federal stimulus funds.  ACLU further  
          states that most people would agree that there is little  
          information that they hold more private than medical and health  
          information, and that the state has a strong interest in  
          encouraging people to seek prompt treatment for health  
          conditions.

          Prior Legislation
          SB 337 (Alquist) Chapter 180, Statutes of 2009, revises the  
          timelines for reporting of unauthorized access to, or use or  
          disclosure of, patients' medical information, and provides  
          limited exemptions to the reporting timelines in cases where law  
          enforcement agencies are investigating such privacy breaches.   
          This bill also authorizes the California Health and Human  
          Services Agency to apply for federal health information  
          technology and health information exchange grants, and requires  
          the Governor to designate a qualified non-profit entity to apply  
          for federal health information exchange grants on behalf of the  
          state if no application is made by the state.  
          
          AB 211 (Jones) Chapter 602, Statutes of 2008, establishes OHII  
          to ensure the enforcement of state confidentiality of medical  
          information, to impose administrative fines for the unauthorized  
          use of medical information upon referral from DPH, and require  
          providers of health care to establish and implement appropriate  
          administrative, technical, and physical safeguards to protect  
          the privacy of patients' medical information.

          SB 541 (Alquist) Chapter 605, Statutes of 2008, requires  
          licensed clinics, health facilities, hospices, and home health  
          agencies to prevent unlawful access to, use, or disclosure of  
          patients' medical information, establishes administrative  
          penalties for violations, and requires the patient and the DPH  
          be notified of any unlawful access to, use, or disclosure of a  
          patient's medical information.
          
          SB 320 (Alquist) of 2007 would have required the California  
          Office of HIPAA Implementation, in consultation with the others,  
          to develop a plan for implementation of the California Health  
          Care Information Infrastructure Program no later than March 1,  
          2009, that would seek to provide the opportunity for every
          resident of the state to have an electronic health record.  
          Vetoed.

          SB 1338 (Alquist) of 2006 would have required CHHSA, in  
          conjunction with certain other state departments, to develop a  
          strategic plan to foster the adoption of HIT. This plan would  
          have included, among other provisions, HIT standards and  
          identified incentives to promote the use of electronic health  
          records (EHRs) and personal health records. Held in the Assembly  
          Appropriations Committee.
          
          AB 1672 (Nation, Richman) of 2005, in an early version, would  
          have established deadlines for various health care entities to  
          adopt EHRs, provided enhanced Medi-Cal reimbursement for EHR  
          adoption, and provided state funding to promote HIT development.  
          These provisions were amended out of the bill.

                                       POSITIONS  

          Support:  American Civil Liberties Union
          
          Oppose:   None.

                                      -- END --