BILL ANALYSIS                                                                                                                                                                                                    



                                                                       



           ------------------------------------------------------------ 
          |SENATE RULES COMMITTEE            |                   SB 270|
          |Office of Senate Floor Analyses   |                         |
          |1020 N Street, Suite 524          |                         |
          |(916) 651-1520         Fax: (916) |                         |
          |327-4478                          |                         |
           ------------------------------------------------------------ 
           
                                         
                                 THIRD READING


          Bill No:  SB 270
          Author:   Alquist (D)
          Amended:  1/20/10
          Vote:     21

           
           SENATE HEALTH COMMITTEE  :  7-0, 1/13/10
          AYES:  Strickland, Cedillo, Cox, Leno, Negrete McLeod,  
            Pavley, Romero

           SENATE APPROPRIATIONS  :  Senate Rule 28.8


           SUBJECT :    Health care providers:  medical information

           SOURCE  :     Author


           DIGEST  :    This bill specifies that a provision in existing  
          law requiring a delay in compliance with reporting  
          requirements, in the event of a medical privacy breach,  
          applies when notification of the breach impedes a law  
          enforcement agency's investigations, rather than  
          activities, and requires the California Health and Human  
          Services Agency or a non-profit entity designated by the  
          state, for the purposes of establishing health information  
          exchange, to facilitate and expand the use and disclosure  
          of health information electronically, in accordance with  
          applicable state and federal law.

           ANALYSIS  :    

           Existing Law

           1.Provides for the licensing and regulation of clinics,  
            health facilities, home health agencies, and hospices by  
            the Department of Public Health (DPH).

          2.Requires these entities to prevent unlawful or  
            unauthorized access to, and use or disclosure of, a  
            patient's medical information.  A violation of these  
            provisions is a crime.

          3.Requires these entities to report an instance of unlawful  
            or unauthorized access to, and use or disclosure of, a  
            patient's medical information to DPH and to the affected  
            patient or patient's representative, as prescribed,  
            within five business days of its detection, except that  
            an entity is required to delay compliance with this  
            reporting requirement beyond this five business day  
            period if a law enforcement agency or official provides  
            the entity with a written or oral statement that  
            compliance with the reporting requirement would impede  
            the law enforcement agency's activities that relate to  
            the unlawful or unauthorized access to, and use or  
            disclosure of, a patient's medical information and  
            specifies the date upon which the delay shall end, as  
            prescribed.

          4.Establishes the Office of Health Information Integrity  
            within the California Health and Human Services Agency  
            (CHHSA) to ensure the enforcement of state law mandating  
            confidentiality of medical information and to impose  
            administrative fines for the unauthorized use of medical  
            information.

          5.Authorizes CHHSA, or one of the departments under its  
            jurisdiction, to apply for federal funds made available  
            through the federal American Recovery and Reinvestment  
            Act (ARRA) for health information technology and exchange  
            and, if no application is made, requires the Governor to  
            designate a nonprofit entity to be the state-designated  
            entity for purposes of health information exchange.

          6.Requires the agency or state-designated entity to  
            facilitate and expand the use and disclosure of health  
            information electronically among organizations, as  
            prescribed, while protecting individual privacy and the  
            confidentiality of electronic medical records.

          This bill:

          1.Specifies that delays in reporting unlawful or  
            unauthorized access, use, or disclosure of a patient's  
            medical information to DPH by a clinic, health facility,  
            home health agency, or hospice can only occur if a law  
            enforcement agency or official provides the entity with a  
            written or oral statement that compliance with the  
            reporting requirement would be likely to impede the law  
            enforcement agency's investigation, that relates to the  
            unlawful or unauthorized access to, and use or disclosure  
            of, a patient's medical information, rather than the  
            agency's activities in that regard.

          2.Allows a law enforcement agency or official to request an  
            extension of the 60-day delay based upon a written  
            declaration that there exists a bona fide, ongoing,  
            significant criminal investigation of serious wrongdoing,  
            that notification of patients will undermine the law  
            enforcement agency's investigation, as opposed to  
            activities.

          3.Requires CHHSA or the state-designated agency to  
            facilitate and expand the use of electronic health  
            information according to nationally recognized standards  
            and specifications, and execute tasks related to  
            accessing ARRA funds while, to the greatest extent  
            possible, protecting the privacy and confidentiality of  
            medical records, and in accordance with applicable state  
            and federal law.

          4.Makes other minor, technical changes.

           Background

           Under the medical privacy provisions of the recently  
          enacted federal legislation, ARRA, entities that transmit  
          health information in an electronic form are required to  
          provide notice of a medical privacy breach to an individual  
          whose information has been subject to a breach, within 60  
          days of the discovery of the breach.  The 60-day  
          requirement is delayed in the case that a law enforcement  
          official determines that notice of a medical privacy breach  
          would impede a criminal investigation or cause damage to  
          national security.  However, the ARRA provides that state  
          medical privacy breach notification laws that are more  
          protective of medical privacy are not preempted.

          The Confidentiality of Medical Information Act (CMIA)  
          provides statutory protection for confidentiality of  
          medical information of all persons and restricts the  
          dissemination and use of such information.  It covers all  
          medical information, including electronic health  
          information.  State law also differs from federal law by  
          requiring all medical privacy breaches to be reported to  
          DPH and the individual within five days of the discovery of  
          the breach, unless the notification would be likely to  
          impede a law enforcement agency's investigation of that  
          breach.  In the event that an entity is requested to delay  
          notification of a breach by law enforcement, state law also  
          specifies when that delay shall end, depending on whether the  
          request was submitted to the entity orally or in writing.

          Note:  For more extensive background information, please  
          refer to the Senate Health Committee analysis.

           FISCAL EFFECT  :    Appropriation:  No   Fiscal Com.:  Yes    
          Local:  Yes

           SUPPORT  :   (Verified  1/20/10)

          American Civil Liberties Union

           ARGUMENTS IN SUPPORT  :    The American Civil Liberties Union  
          (ACLU) writes in strong support of the privacy  
          clarification language in this bill to ensure that there is  
          no diminution of individual privacy rights under California  
          law while the state or state-designated entities are  
          accessing federal stimulus funds.  The ACLU further states  
          that most people would agree that there is little  
          information that they hold more private than medical and  
          health information, and that the state has a strong  
          interest in encouraging people to seek prompt treatment for  
          health conditions.


          CTW:cm  1/20/10   Senate Floor Analyses 

                         SUPPORT/OPPOSITION:  SEE ABOVE

                                ****  END  ****





































