BILL ANALYSIS                                                                                                                                                                                                    



                                                                       



           ------------------------------------------------------------ 
          |SENATE RULES COMMITTEE            |                   SB 270|
          |Office of Senate Floor Analyses   |                         |
          |1020 N Street, Suite 524          |                         |
          |(916) 651-1520         Fax: (916) |                         |
          |327-4478                          |                         |
           ------------------------------------------------------------ 
           
                                         
                              UNFINISHED BUSINESS


          Bill No:  SB 270
          Author:   Alquist (D)
          Amended:  8/2/10
          Vote:     27 - Urgency

           
           SENATE HEALTH COMMITTEE  :  7-0, 1/13/10
          AYES:  Strickland, Cedillo, Cox, Leno, Negrete McLeod,  
            Pavley, Romero

           SENATE APPROPRIATIONS COMMITTEE  :  Senate Rule 28.8

           SENATE FLOOR  :  33-0, 1/25/10
          AYES:  Aanestad, Ashburn, Cedillo, Cogdill, Corbett,  
            Correa, Cox, Denham, DeSaulnier, Ducheny, Hancock,  
            Harman, Hollingsworth, Huff, Kehoe, Leno, Liu, Lowenthal,  
            Negrete McLeod, Oropeza, Padilla, Pavley, Price, Romero,  
            Runner, Steinberg, Strickland, Walters, Wiggins, Wolk,  
            Wright, Wyland, Yee
          NO VOTE RECORDED:  Alquist, Calderon, Dutton, Florez,  
            Maldonado, Simitian, Vacancy

           ASSEMBLY FLOOR  :  79-0, 8/19/10 - See last page for vote


           SUBJECT  :    Health care providers:  medical information

           SOURCE  :     Health and Human Services Agency 


           DIGEST  :    This bill clarifies existing law related to  
          delays in reporting unauthorized access to, and use or  
          disclosure of, a patient's medical information to the  
                                                           CONTINUED





                                                                SB 270
                                                                Page  
          2

          Department of Public Health, makes other specified  
          clarifications, and extends the sunset of the California  
          Office of HIPAA [Health Insurance Portability and  
          Accountability Act] Implementation (CalOHI). 

           Assembly Amendments  extend the sunset of CalOHI until  
          January 1, 2013, and make technical clarifications. 

           ANALYSIS  :    

          Existing law:
           
           1.Provides for the licensing and regulation of clinics,  
            health facilities, home health agencies, and hospices by  
            the Department of Public Health (DPH).

          2.Requires these entities to prevent unlawful or  
            unauthorized access to, and use or disclosure of, a  
            patient's medical information.  A violation of these  
            provisions is a crime.

          3.Requires these entities to report an instance of unlawful  
            or unauthorized access top, and use or disclosure of, a  
            patient's medical information to DPH and to the affected  
            patient or patient's representative, as prescribed,  
            within five business days of its detection, except that  
            an entity is required to delay compliance with this  
            reporting requirement beyond this five business day  
            period if a law enforcement agency or official provides  
            the entity with a written or oral statement that  
            compliance with the reporting requirement would impede  
            the law enforcement agency's activities that relate to  
            the unlawful or unauthorized access to, and use or  
            disclosure of, a patient's medical information and  
            specifies the date upon which the delay shall end, as  
            prescribed.

          4.Establishes the Office of Health Information Integrity  
            within the Health and Human Services Agency (HHSA) to  
            ensure the enforcement of state law mandating  
            confidentiality of medical information and to impose  
            administrative fines for the unauthorized use of medical  
            information.








                                                               SB 270
                                                                Page  
          3

          5.Authorizes HHSA, or one of the departments under its  
            jurisdiction, to apply for federal funds made available  
            through the federal American Recovery and Reinvestment  
            Act (ARRA) for health information technology and exchange  
            and, if no application is made, requires the Governor to  
            designate a nonprofit entity to be the state-designated  
            entity for purposes of health information exchange.

          6.Requires the agency or state-designated entity to  
            facilitate and expand the use and disclosure of health  
            information electronically among organizations, as  
            prescribed, while protecting individual privacy and the  
            confidentiality of electronic medical records.

          This bill:

          1. Authorizes a clinic, health facility, home health  
             agency, or hospice to delay reporting unlawful or  
             unauthorized access, use, or disclosure of a patient's  
             medical information to DPH if a law enforcement agency  
             or official provides the entity with a written or oral  
             statement that compliance with the reporting requirement  
             would likely impede the law enforcement agency's  
             investigation, rather than activities, that relates to  
             the unlawful or unauthorized access to, and use or  
             disclosure of, a patient's medical information. 

          2. Authorizes a law enforcement agency or official to  
             request an extension of the 60-day delay based upon a  
             written declaration that there exists a bona fide,  
             ongoing, significant criminal investigation of serious  
             wrongdoing, that notification of patients will undermine  
             the law enforcement agency's investigation, rather than  
             activities. 

          3. Clarifies for purposes of this bill, that internal paper  
             records, electronic mail, or facsimile transmissions  
             inadvertently misdirected within the same facility or  
             health care, as specified, shall not constitute  
             unauthorized access to, or use or disclosure of a  
             patient's medical information. 

          4. Clarifies, for enforcement purposes, that it shall be  
             presumed that the facility did not notify the affected  







                                                                SB 270
                                                                Page  
          4

             patient if the notification was not documented and  
             authorizes this presumption to be rebutted by a licensee  
             only if it demonstrates, by a preponderance of evidence,  
             that the notification was made. 

          5. Extends the sunset date of CalOHI from July 1, 2010, to  
             January 1, 2013. 

           Background

           Under the medical privacy provisions of the recently  
          enacted federal legislation, ARRA, entities that transmit  
          health information in an electronic form are required to  
          provide notice of a medical privacy breach to an individual  
          whose information has been subject to a breach, within 60  
          days of the discovery of the breach.  The 60-day  
          requirement is delayed in the case that a law enforcement  
          official determines that notice of a medical privacy breach  
          would impede a criminal investigation or cause damage to  
          national security.  However, the ARRA provides that state  
          medical privacy breach notification laws that are more  
          protective of medical privacy are not preempted.

          The Confidentiality of Medical Information Act provides  
          statutory protection for confidentiality of medical  
          information of all persons and restricts the dissemination  
          and use of such information.  It covers all medical  
          information, including electronic health information.   
          State law also differs from federal law by requiring all  
          medical privacy breaches to be reported to DPH and the  
          individual within five days of the discovery of the breach,  
          unless the notification would be likely to impede a law  
          enforcement agency's investigation of that breach.  In the  
          event that an entity is requested to delay notification of  
          a breach by law enforcement, state law also specifies when  
          that delay shall end, depending if the request was  
          submitted to the entity orally or in writing.

           NOTE:  For more extensive background information, please  
                 refer to the            Senate Health Committee  
                 analysis.

           FISCAL EFFECT  :    Appropriation:  No   Fiscal Com.:  Yes    
          Local:  Yes







                                                                SB 270
                                                                Page  
          5


           SUPPORT  :   (Verified  8/19/10)

          Health and Human Services Agency (source)
          American Civil Liberties Union
          Community Health Partnership
          Department of Public Health
          El Camino Hospital

           ARGUMENTS IN SUPPORT  :    The American Civil Liberties Union  
          (ACLU) writes in strong support of the privacy  
          clarification language in this bill to ensure that there is  
          no diminution of individual privacy rights under California  
          law while the state or state-designated entities are  
          accessing federal stimulus funds.  The ACLU further states  
          that most people would agree that there is little  
          information that they hold more private that medical and  
          health information, and that the state has a strong  
          interest in encouraging people to seek prompt treatment for  
          health conditions.


           ASSEMBLY FLOOR  : 
          AYES:  Adams, Ammiano, Anderson, Arambula, Bass, Beall,  
            Bill Berryhill, Tom Berryhill, Blakeslee, Block,  
            Blumenfield, Bradford, Brownley, Buchanan, Caballero,  
            Charles Calderon, Carter, Chesbro, Conway, Cook, Coto,  
            Davis, De La Torre, De Leon, DeVore, Eng, Evans, Feuer,  
            Fletcher, Fong, Fuentes, Fuller, Furutani, Gaines,  
            Galgiani, Garrick, Gatto, Gilmore, Hagman, Hall, Harkey,  
            Hayashi, Hernandez, Hill, Huber, Huffman, Jeffries,  
            Jones, Knight, Lieu, Logue, Bonnie Lowenthal, Ma,  
            Mendoza, Miller, Monning, Nava, Nestande, Niello,  
            Nielsen, Norby, V. Manuel Perez, Portantino, Ruskin,  
            Salas, Saldana, Silva, Skinner, Smyth, Solorio, Audra  
            Strickland, Swanson, Torlakson, Torres, Torrico, Tran,  
            Villines, Yamada, John A. Perez
          NO VOTE RECORDED:  Vacancy


          CTW:mwk  8/20/10   Senate Floor Analyses 

                         SUPPORT/OPPOSITION:  SEE ABOVE








                                                                SB 270
                                                                Page  
          6

                                ****  END  ****