BILL ANALYSIS                                                                                                                                                                                                    



                                                                  SB 270
                                                                  Page  1

          Date of Hearing:   June 29, 2010

                            ASSEMBLY COMMITTEE ON HEALTH
                              William W. Monning, Chair
                    SB 270 (Alquist) - As Amended:  June 28, 2010

           SENATE VOTE  :   33-0
           
          SUBJECT  :   Health care providers:  medical information.

           SUMMARY  :  Clarifies existing law related to delays in reporting  
          unauthorized access to, and use or disclosure of, a patient's  
          medical information to the Department of Public Health (DPH),  
          makes other specified clarifications, and extends sunset for  
          California Office of Health Insurance Portability and  
          Accountability Act of 2001 (HIPAA) Implementation (CalOHI).   
          Specifically,  this bill  :   

          1)Authorizes a clinic, health facility, home health agency, or  
            hospice to delay reporting unlawful or unauthorized access,  
            use, or disclosure of a patient's medical information to DPH  
            if a law enforcement agency or official provides the entity  
            with a written or oral statement that compliance with the  
            reporting requirement would likely impede the law enforcement  
            agency's investigation, rather than activities, that relates  
            to the unlawful or unauthorized access to, and use or  
            disclosure of, a patient's medical information.  

          2)Authorizes a law enforcement agency or official to request an  
            extension of the 60-day delay based upon a written declaration  
            that there exists a bona fide, ongoing, significant criminal  
            investigation of serious wrongdoing, that notification of  
            patients will undermine the law enforcement agency's  
            investigation, rather than activities.

          3)Clarifies for purposes of this bill, that internal paper  
            records, electronic mail, or facsimile transmissions  
            inadvertently misdirected within the same facility or health  
            care, as specified, shall not constitute unauthorized access  
            to, or use or disclosure of a patient's medical information. 

          4)Clarifies, for enforcement purposes, that it shall be presumed  
            that the facility did not notify the affected patient if the  
            notification was not documented and authorizes this  
            presumption to be rebutted by a licensee only if it  
            demonstrates, by a preponderance of evidence, that the  
            notification was made. 

          5)Extends the sunset date for CalOHI from July 1, 2010 to January 1,  
            2013.  

           EXISTING FEDERAL LAW  

          1)Prohibits, under HIPAA, a health plan, health care  
            clearinghouse, or a health care provider (covered entity), who  
            transmits health information in electronic form, from using or  
            disclosing protected health information, for purposes other  
            than medical treatment or payment, or health care operations,  
            as defined, without written authorization of the patient, with  
            specified exceptions.

          2)Requires covered entities and their business associates, to  
            provide notice of medical privacy breaches involving the  
            unauthorized acquisition, access, use, or disclosure of  
            protected health information to each individual whose  
            information has been subject to a breach within 60 days of the  
            discovery of the breach.  

          3)Provides that if a law enforcement official determines that  
            notice of a medical privacy breach would impede a criminal  
            investigation or cause damage to national security, the notice  
            shall be delayed, in a specified manner.

           EXISTING STATE LAW  :

          1)Prohibits, under the Confidentiality of Medical Information  
            Act (CMIA), licensed or certified health care professionals,  
            clinics and health facilities, health plans, and contracting  
            entities, as defined, from disclosing or using a patient's  
            medical information for any purpose not necessary to provide  
            health care services to the patient and related administrative  
            functions, without first obtaining authorization from the  
            patient or the patient's representative, as specified, with  
            exceptions.

          2)Provides for administrative fines and civil penalties for  
            persons and specified entities who negligently disclose, or  
            who knowingly and willfully obtain, disclose, or use, medical  
            information in violation of the CMIA, and authorizes the  
            Attorney General, any district attorney, any county counsel  
            acting pursuant to an agreement with the district attorney, or  
            a city attorney, to seek civil penalties for violations.  

          3)Requires every provider of health care services to establish  
            and implement administrative, technical, and physical  
            safeguards to protect the privacy of patients' medical  
            information, and requires every provider to reasonably  
            safeguard confidential medical information from any  
            unauthorized access or unlawful access, use, or disclosure.  

          4)Defines unauthorized access as the inappropriate review or  
            viewing of patient medical information without a direct need  
            for diagnosis, treatment, or other lawful use of the  
            information.

          5)Requires a clinic, health facility, home health agency, or  
            hospice to report any unlawful or unauthorized access to, or  
            use or disclosure of, a patient's medical information to DPH  
            and to the affected patient or patient's representative, no  
            later than five days after the unlawful or unauthorized  
            access, use, or disclosure has been detected by the entity.  

          6)Allows DPH to assess a penalty of $100 for each day the  
            unlawful or unauthorized access, use, or disclosure is not  
            reported, following the initial five-day period, not to exceed  
            $250,000 per reported event.  

          7)Requires a clinic, health facility, home health agency, or  
            hospice to delay reporting any unlawful or unauthorized  
            access, use, or disclosure of a patient's medical information  
            to DPH if a law enforcement agency or official provides the  
            entity with a written or oral statement that compliance with  
            the reporting requirement would be likely to impede the law  
            enforcement agency's activities that relate to the unlawful or  
            unauthorized access to, and use or disclosure of, a patient's  
            medical information, and specifies a date upon which the delay  
            shall end, not to exceed 60 days after a written request was  
            made, or 30 days after an oral request is made.

          8)Allows a law enforcement agency or official to request an  
            extension of the 60-day delay based upon a written declaration  
            that there exists a bona fide, ongoing, significant criminal  
            investigation of serious wrongdoing, that notification of  
            patients will undermine the law enforcement agency's  
            activities, and that specifies a date upon which the delay  
            shall end, not to exceed 60 days after the end of the original  
            60-day period Health Information Technology (HIT) and Exchange  
            (HIE) Provisions authorizes the California Health and Human  
            Services Agency (CHHSA), or one of its departments, to apply  
            for federal HIT and HIE grants, pursuant to requirements set  
            forth  in the federal American Recovery and Reinvestment Act  
            of 2009 (ARRA).  

          9)Establishes until July 1, 2010, as part of CalOHI in CHHSA,  
            and directs CalOHI to assume statewide leadership,  
            coordination, policy formulation, direction, and oversight  
            responsibilities of HIPAA implementation.  

          10)Authorizes CHHSA, or one of its departments, to apply for  
            federal HIT and HIE grants, pursuant to requirements set forth  
            in ARRA.  Requires the Governor to designate a nonprofit  
            entity, as specified, to apply for federal funds and establish  
            HIE if no application is made by the state.

          11)Requires CHHSA or the state-designated entity (SDE) to  
            develop a plan to ensure that HIE capabilities are developed,  
            adopted, and utilized statewide while minimizing disparities  
            in access to HIT, as specified.

          12)Specifies that the governing board of the SDE must contain,  
            at a minimum, the Secretary of CHHSA, Chairs of the Senate and  
            Assembly Committees on Health, and two consumer  
            representatives, as specified.

          13)Requires CHHSA or the SDE to facilitate and expand the use of  
            electronic health information according to nationally  
            recognized standards and specifications, and execute tasks  
            related to accessing ARRA funds while, to the greatest extent  
            possible, protecting the privacy and confidentiality of  
            medical records. 

          14)Establishes CalOHI to ensure the enforcement of state  
            confidentiality of medical information, to impose  
            administrative fines for the unauthorized use of medical  
            information upon referral from DPH, and require providers of  
            health care to establish and implement appropriate  
            administrative, technical, and physical safeguards to protect  
            the privacy of patients' medical information.

           FISCAL EFFECT :   According to the Senate Appropriations  
          Committee Analysis, pursuant to Senate Rule 28.8, negligible  
          state costs.

           COMMENTS  :   

           1)PURPOSE OF THIS BILL  .  According to the author, this bill  
            clarifies that disclosure of medical privacy breaches can be  
            suspended for law enforcement investigations, rather than any  
            law enforcement activity, which significantly narrows the  
            limit on disclosure of medical privacy breaches.   
            Additionally, this bill extends the sunset of the state agency  
            responsible for overseeing the federal health information  
            technology infrastructure grants, including the federal health  
            information exchange grant, and serves as the primary resource  
            for state entities on health information privacy and the  
            implementation of HIPAA regulations.  The sunset date for  
            CalOHI is currently set for July 1, 2010, which is why the  
            author requests an urgency clause.  

           2)BACKGROUND  .  Congress passed ARRA on February 13, 2009 and  
            President Obama signed the bill on February 17, 2009.  Under  
            the medical privacy provisions of ARRA, entities that transmit  
            health information in an electronic form are required to  
            provide notice of a medical privacy breach to an individual  
            whose information has been subject to a breach, within 60 days  
            of the discovery of the breach.  The 60-day requirement is  
            delayed in the case that a law enforcement official determines  
            that notice of a medical privacy breach would impede a  
            criminal investigation or cause damage to national security.   
            However, ARRA provides that state medical privacy breach  
            notification laws that are more protective of medical privacy  
            (such as the notification requirements in California law) are  
            not preempted.  This bill will clarify the notification  
            requirements in CMIA.  

           3)FEDERAL FUNDING FOR HIE  .  A component of ARRA, the HITECH Act,  
            provides roughly $41 billion for national HIT and HIE  
            investments over the next four years to promote the sharing of  
            electronic health records (EHR) among organizations using  
            nationally recognized interoperability standards.  The state  
            grant program is intended to enable providers to qualify for  
            Medicare and Medicaid financial incentives ($34 billion)  
            authorized by ARRA, provided they meet specified meaningful  
            use requirements.  Additionally, ARRA provides $2 billion for  
            HIT promotion, including $564 million in planning and  
            implementation grants for HIE.  These funds can be used, at  
            the discretion of the federal Secretary of the Department of  
            Health and Human Services to fund a number of initiatives,  
            including grants to states to develop HIEs, HIT workforce  
            training grants, and grants to states to develop loan funds,  
            to name a few.

          Out of the $2 billion, $564 million in federal grant funds are  
            available to states to develop state and local/regional HIEs,  
            which are intended to ultimately connect to a national health  
            information network.  These funds will allow California to  
            create an exchange mechanism that allows health information to  
            move across health care systems.  Recently, under the  
            leadership of CHHSA, the state has developed an HIT and HIE  
            strategic plan aimed towards maximizing the opportunities  
            provided under ARRA as part of a more comprehensive vision of  
            the state's HIT infrastructure.  In addition to coordinating  
            activities across various state departments and stakeholders,  
            who are planning and implementing various HIT elements in  
            ARRA, CHHSA is responsible for establishing HIE for  
            California.  In February 2010, CHHSA received a $33.8 million  
            ARRA HIE federal grant, which will be distributed by  
            CaleConnect, the state's new non-profit entity that will  
            implement the requirements of the federal HIE grant.  
            Continued progress toward widespread HIE  
            will depend on successfully addressing a number of major  
            privacy and security concerns.  CalOHII, under the supervision  
            of CHHSA, is currently working with a wide spectrum of health  
            care stakeholders, including representatives from the health  
            care industry, consumers, and privacy and security advocates,  
            to develop new privacy and security standards to enable the  
            adoption and application of HIE in California.  

           4)PRIVACY AND SECURITY STANDARDS  .  CalOHII has convened the  
            California Privacy and Security Advisory Board (CalPSAB) to  
            develop and recommend these new standards. Adoption of privacy  
            and security standards for HIE will ensure that a person's  
            critical health information can move safely and securely to  
            the point of care.  An individual could benefit from improved  
            treatment outcomes and the opportunity to better manage their  
            health. Electronic HIE could also lead to more transparent  
            care and contribute to a more effective and efficient health  
            care system.  Over the last year, CalPSAB has been working  
            towards developing privacy and security guidelines for sharing  
            of electronic health information that is based on nationally  
            recognized standards and harmonizes both state and federal  
            laws.  

           5)URGENCY CLAUSE  .  The author intends to add an urgency clause  
            to this measure so its provisions take effect immediately upon  
            enactment as the sunset date for CalOHII is July 1, 2010. 
           
          6)RELATED LEGISLATION  .  AB 278 (Monning) authorizes CalOHI to  
            establish up to four demonstration projects a year to evaluate  
            solutions to facilitate health information exchange that  
            promote quality of care, respect security personal health  
            information, and enhance stakeholder trust.  AB 278 is set to  
            be heard in Senate Health Committee on June 30, 2010.
           
          7)PREVIOUS LEGISLATION  .  

             a)   SB 337 (Alquist) Chapter 180, Statutes of 2009, revises  
               the timelines for reporting of unauthorized access to, or  
               use or disclosure of, patients' medical information, and  
               provides limited exemptions to the reporting timelines in  
               cases where law enforcement agencies are investigating such  
               privacy breaches.  SB 337 also authorizes CHHSA to apply  
               for federal health information technology and health  
               information exchange grants, and requires the Governor to  
               designate a qualified non-profit entity to apply for  
               federal health information exchange grants on behalf of the  
               state if no application is made by the state.

             b)   AB 211 (Jones), Chapter 602, Statutes of 2008,  
               establishes CalOHI to ensure the enforcement of state  
               confidentiality of medical information, to impose  
               administrative fines for the unauthorized use of medical  
               information upon referral from DPH, and require providers  
               of health care to establish and implement appropriate  
               administrative, technical, and physical safeguards to  
               protect the privacy of patients' medical information.

             c)   AB 1302 (Horton), Chapter 700, Statutes of 2007, extends  
               the sunset on HIPAA and CalOHI from January 1, 2008 to July  
               1, 2010.

             d)   SB 541 (Alquist), Chapter 605, Statutes of 2008,  
               requires licensed clinics, health facilities, hospices, and  
               home health agencies to prevent unlawful access to, use, or  
               disclosure of patients' medical information, establishes  
               administrative penalties for violations, and requires the  
               patient and the DPH be notified of any unlawful access to,  
               use, or disclosure of a patient's medical information.
                    
             e)   SB 320 (Alquist) of 2007 would have required the CalOHI,  
               in consultation with the others, to develop a plan for  
               implementation of the California Health Care Information  
               Infrastructure Program no later than March 1, 2009, that  
               would seek to provide the opportunity for every resident of  
               the state to have an electronic health record.  SB 320 was  
               vetoed by Governor Schwarzenegger.

             f)   SB 1338 (Alquist) of 2006 would have required CHHSA, in  
               conjunction with certain other state departments, to  
               develop a strategic plan to foster the adoption of HIT.   
               This plan would have included, among other provisions, HIT  
               standards and identified incentives to promote the use of  
               EHRs and personal health records.  SB 1338 was held in the  
               Assembly Appropriations Committee.


                    
           REGISTERED SUPPORT / OPPOSITION :

           Support 
           
          California Health and Human Services Agency (sponsor)
           
            Opposition 
           
          None on file. 


           Analysis Prepared by  :    Martin Radosevich / HEALTH / (916)  
          319-2097