BILL ANALYSIS

SB 270
Page 1

Date of Hearing: June 29, 2010

ASSEMBLY COMMITTEE ON HEALTH
William W. Monning, Chair

SB 270 (Alquist) - As Amended: June 28, 2010

SENATE VOTE : 33-0

SUBJECT : Health care providers: medical information.

SUMMARY : Clarifies existing law related to delays in reporting unauthorized access to, and use or disclosure of, a patient's medical information to the Department of Public Health (DPH), makes other specified clarifications, and extends the sunset for California Office of Health Insurance Portability and Accountability Act of 2001 (HIPAA) Implementation (CalOHI). Specifically, this bill :

1) Authorizes a clinic, health facility, home health agency, or hospice to delay reporting unlawful or unauthorized access, use, or disclosure of a patient's medical information to DPH if a law enforcement agency or official provides the entity with a written or oral statement that compliance with the reporting requirement would likely impede the law enforcement agency's investigation, rather than activities, that relates to the unlawful or unauthorized access to, and use or disclosure of, a patient's medical information.

2) Authorizes a law enforcement agency or official to request an extension of the 60-day delay based upon a written declaration that there exists a bona fide, ongoing, significant criminal investigation of serious wrongdoing, that notification of patients will undermine the law enforcement agency's investigation, rather than activities.

3) Clarifies for purposes of this bill, that internal paper records, electronic mail, or facsimile transmissions inadvertently misdirected within the same facility or health care, as specified, shall not constitute unauthorized access to, or use or disclosure of a patient's medical information.

4) Clarifies, for enforcement purposes, that it shall be presumed that the facility did not notify the affected patient if the notification was not documented and authorizes this presumption to be rebutted by a licensee only if it demonstrates, by a preponderance of evidence, that the notification was made.

5) Extends the sunset date for CalOHI from July 1, 2010 to January 1, 2013.

EXISTING FEDERAL LAW :

1) Prohibits, under HIPAA, a health plan, health care clearinghouse, or a health care provider (covered entity), who transmits health information in electronic form, from using or disclosing protected health information, for purposes other than medical treatment or payment, or health care operations, as defined, without written authorization of the patient, with specified exceptions.

2) Requires covered entities and their business associates to provide notice of medical privacy breaches involving the unauthorized acquisition, access, use, or disclosure of protected health information to each individual whose information has been subject to a breach within 60 days of the discovery of the breach.

3) Provides that if a law enforcement official determines that notice of a medical privacy breach would impede a criminal investigation or cause damage to national security, the notice shall be delayed, in a specified manner.

EXISTING STATE LAW :

1) Prohibits, under the Confidentiality of Medical Information Act (CMIA), licensed or certified health care professionals, clinics and health facilities, health plans, and contracting entities, as defined, from disclosing or using a patient's medical information for any purpose not necessary to provide health care services to the patient and related administrative functions, without first obtaining authorization from the patient or the patient's representative, as specified, with exceptions.

2) Provides for administrative fines and civil penalties for persons and specified entities who negligently disclose, or who knowingly and willfully obtain, disclose, or use, medical information in violation of the CMIA, and authorizes the Attorney General, any district attorney, any county counsel acting pursuant to an agreement with the district attorney, or a city attorney, to seek civil penalties for violations.

3) Requires every provider of health care services to establish and implement administrative, technical, and physical safeguards to protect the privacy of patients' medical information, and requires every provider to reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use, or disclosure.

4) Defines unauthorized access as the inappropriate review or viewing of patient medical information without a direct need for diagnosis, treatment, or other lawful use of the information.

5) Requires a clinic, health facility, home health agency, or hospice to report any unlawful or unauthorized access to, or use or disclosure of, a patient's medical information to DPH and to the affected patient or patient's representative, no later than five days after the unlawful or unauthorized access, use, or disclosure has been detected by the entity.

6) Allows DPH to assess a penalty of $100 for each day the unlawful or unauthorized access, use, or disclosure is not reported, following the initial five-day period, not to exceed $250,000 per reported event.

7) Requires a clinic, health facility, home health agency, or hospice to delay reporting any unlawful or unauthorized access, use, or disclosure of a patient's medical information to DPH if a law enforcement agency or official provides the entity with a written or oral statement that compliance with the reporting requirement would be likely to impede the law enforcement agency's activities that relate to the unlawful or unauthorized access to, and use or disclosure of, a patient's medical information, and specifies a date upon which the delay shall end, not to exceed 60 days after a written request was made, or 30 days after an oral request is made.

8) Allows a law enforcement agency or official to request an extension of the 60-day delay based upon a written declaration that there exists a bona fide, ongoing, significant criminal investigation of serious wrongdoing, that notification of patients will undermine the law enforcement agency's activities, and that specifies a date upon which the delay shall end, not to exceed 60 days after the end of the original 60-day period.

Health Information Technology (HIT) and Exchange (HIE) Provisions authorizes the California Health and Human Services Agency (CHHSA), or one of its departments, to apply for federal HIT and HIE grants, pursuant to requirements set forth in the federal American Recovery and Reinvestment Act of 2009 (ARRA).

9) Establishes until July 1, 2010, as part of CalOHI in CHHSA, and directs CalOHI to assume statewide leadership, coordination, policy formulation, direction, and oversight responsibilities of HIPAA implementation.

10) Authorizes CHHSA, or one of its departments, to apply for federal HIT and HIE grants, pursuant to requirements set forth in ARRA. Requires the Governor to designate a nonprofit entity, as specified, to apply for federal funds and establish HIE if no application is made by the state.

11) Requires CHHSA or the state-designated entity (SDE) to develop a plan to ensure that HIE capabilities are developed, adopted, and utilized statewide while minimizing disparities in access to HIT, as specified.

12) Specifies that the governing board of the SDE must contain, at a minimum, the Secretary of CHHSA, Chairs of the Senate and Assembly Committees on Health, and two consumer representatives, as specified.

13) Requires CHHSA or the SDE to facilitate and expand the use of electronic health information according to nationally recognized standards and specifications, and execute tasks related to accessing ARRA funds while, to the greatest extent possible, protecting the privacy and confidentiality of medical records.

14) Establishes CalOHI to ensure the enforcement of state confidentiality of medical information, to impose administrative fines for the unauthorized use of medical information upon referral from DPH, and require providers of health care to establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of patients' medical information.

FISCAL EFFECT : According to the Senate Appropriations Committee Analysis, pursuant to Senate Rule 28.8, negligible state costs.

COMMENTS :

1) PURPOSE OF THIS BILL . According to the author, this bill clarifies that disclosure of medical privacy breaches can be suspended for law enforcement investigations, rather than any law enforcement activity, which significantly narrows the limit on disclosure of medical privacy breaches. Additionally, this bill extends the sunset of the state agency responsible for overseeing the federal health information technology infrastructure grants, including the federal health information exchange grant, and serves as the primary resource for state entities on health information privacy and the implementation of HIPAA regulations.
The sunset date for CalOHI is currently set for July 1, 2010, which is why the author requests an urgency clause.

2) BACKGROUND . Congress passed ARRA on February 13, 2009 and President Obama signed the bill on February 17, 2009. Under the medical privacy provisions of ARRA, entities that transmit health information in an electronic form are required to provide notice of a medical privacy breach to an individual whose information has been subject to a breach, within 60 days of the discovery of the breach. The 60-day requirement is delayed in the case that a law enforcement official determines that notice of a medical privacy breach would impede a criminal investigation or cause damage to national security. However, ARRA provides that state medical privacy breach notification laws that are more protective of medical privacy (such as the notification requirements in California law) are not preempted. This bill will clarify the notification requirements in CMIA.

3) FEDERAL FUNDING FOR HIE . A component of ARRA, the HITECH Act, provides roughly $41 billion for national HIT and HIE investments over the next four years to promote the sharing of electronic health records (EHR) among organizations using nationally recognized interoperability standards. The state grant program is intended to enable providers to qualify for Medicare and Medicaid financial incentives ($34 billion) authorized by ARRA, provided they meet specified meaningful use requirements. Additionally, ARRA provides $2 billion for HIT promotion, including $564 million in planning and implementation grants for HIE. These funds can be used, at the discretion of the federal Secretary of the Department of Health and Human Services, to fund a number of initiatives, including grants to states to develop HIEs, HIT workforce training grants, and grants to states to develop loan funds, to name a few.
Out of the $2 billion, $564 million in federal grant funds are available to states to develop state and local/regional HIEs, which are intended to ultimately connect to a national health information network. These funds will allow California to create an exchange mechanism that allows health information to move across health care systems.

Recently, under the leadership of CHHSA, the state has developed an HIT and HIE strategic plan aimed towards maximizing the opportunities provided under ARRA as part of a more comprehensive vision of the state's HIT infrastructure. In addition to coordinating activities across various state departments and stakeholders, who are planning and implementing various HIT elements in ARRA, CHHSA is responsible for establishing HIE for California. In February 2010, CHHSA received a $33.8 million ARRA HIE federal grant, which will be distributed by CaleConnect, the state's new non-profit entity that will implement the requirements of the federal HIE grant.

Continued progress toward widespread HIE will depend on successfully addressing a number of major privacy and security concerns. CalOHII, under the supervision of CHHSA, is currently working with a wide spectrum of health care stakeholders, including representatives from the health care industry, consumers, and privacy and security advocates, to develop new privacy and security standards to enable the adoption and application of HIE in California.

4) PRIVACY AND SECURITY STANDARDS . CalOHII has convened the California Privacy and Security Advisory Board (CalPSAB) to develop and recommend these new standards. Adoption of privacy and security standards for HIE will ensure that a person's critical health information can move safely and securely to the point of care. An individual could benefit from improved treatment outcomes and the opportunity to better manage their health.
Electronic HIE could also lead to more transparent care and contribute to a more effective and efficient health care system. Over the last year, CalPSAB has been working towards developing privacy and security guidelines for sharing of electronic health information that are based on nationally recognized standards and harmonize both state and federal laws.

5) URGENCY CLAUSE . The author intends to add an urgency clause to this measure so its provisions take effect immediately upon enactment, as the sunset date for CalOHII is July 1, 2010.

6) RELATED LEGISLATION . AB 278 (Monning) authorizes CalOHI to establish up to four demonstration projects a year to evaluate solutions to facilitate health information exchange that promote quality of care, respect security personal health information, and enhance stakeholder trust. AB 278 is set to be heard in Senate Health Committee on June 30, 2010.

7) PREVIOUS LEGISLATION .

a) SB 337 (Alquist), Chapter 180, Statutes of 2009, revises the timelines for reporting of unauthorized access to, or use or disclosure of, patients' medical information, and provides limited exemptions to the reporting timelines in cases where law enforcement agencies are investigating such privacy breaches. SB 337 also authorizes CHHSA to apply for federal health information technology and health information exchange grants, and requires the Governor to designate a qualified non-profit entity to apply for federal health information exchange grants on behalf of the state if no application is made by the state.

b) AB 211 (Jones), Chapter 602, Statutes of 2008, establishes CalOHI to ensure the enforcement of state confidentiality of medical information, to impose administrative fines for the unauthorized use of medical information upon referral from DPH, and require providers of health care to establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of patients' medical information.

c) AB 1302 (Horton), Chapter 700, Statutes of 2007, extends the sunset on HIPAA and CalOHI from January 1, 2008 to July 1, 2010.

d) SB 541 (Alquist), Chapter 605, Statutes of 2008, requires licensed clinics, health facilities, hospices, and home health agencies to prevent unlawful access to, use, or disclosure of patients' medical information, establishes administrative penalties for violations, and requires the patient and the DPH be notified of any unlawful access to, use, or disclosure of a patient's medical information.

e) SB 320 (Alquist) of 2007 would have required the CalOHI, in consultation with the others, to develop a plan for implementation of the California Health Care Information Infrastructure Program no later than March 1, 2009, that would seek to provide the opportunity for every resident of the state to have an electronic health record. SB 320 was vetoed by Governor Schwarzenegger.

f) SB 1338 (Alquist) of 2006 would have required CHHSA, in conjunction with certain other state departments, to develop a strategic plan to foster the adoption of HIT. This plan would have included, among other provisions, HIT standards and identified incentives to promote the use of EHRs and personal health records. SB 1338 was held in the Assembly Appropriations Committee.

REGISTERED SUPPORT / OPPOSITION :

Support

California Health and Human Services Agency (sponsor)

Opposition

None on file.

Analysis Prepared by : Martin Radosevich / HEALTH / (916) 319-2097