BILL ANALYSIS Ó ------------------------------------------------------------ |SENATE RULES COMMITTEE | AB 439| |Office of Senate Floor Analyses | | |1020 N Street, Suite 524 | | |(916) 651-1520 Fax: (916) | | |327-4478 | | ------------------------------------------------------------ THIRD READING Bill No: AB 439 Author: Skinner (D) Amended: 8/24/12 in Senate Vote: 21 SENATE JUDICIARY COMMITTEE : 4-1, 7/3/12 AYES: Evans, Harman, Corbett, Leno NOES: Blakeslee ASSEMBLY FLOOR : 78-0, 5/23/11 - See last page for vote SUBJECT : Confidentiality of Medical Information Act SOURCE : Author DIGEST : This bill provides an affirmative defense for specified actions taken under the Confidentiality of Medical Information Act (CMIA) such an action, so that the plaintiff may not be awarded nominal damages if the defendant establishes that defense, as specified. This bill applies to actions brought on or after January 1, 2013. Senate Floor Amendments of 8/24/12 allow courts to consider nature of prior violations; and limit disclosure of medical and personal information. ANALYSIS : Existing law, the California Constitution, provides that all people have inalienable rights, including the right to pursue and obtain privacy. (California CONTINUED AB 439 Page 2 Constitution Article I, Section 1) Existing law prohibits a health care provider, health care service plan, or contractor from disclosing medical information regarding a patient, enrollee, or subscriber without first obtaining an authorization, except as specified. (Civil Code (CIV) Section 56.10(a)) Existing law requires a health care provider, health care service plan, or contractor to disclose medical information if the disclosure is compelled as specified (CIV Section 56.10(b)) and permits a health care provider or service plan to disclose medical information in specified circumstances. (CIV Section 56.10(c)) Existing law defines "medical information" to mean any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment. Existing law defines "individually identifiable" to mean that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity. (CIV Section 56.05(g)) Existing federal law, the Health Insurance Portability and Accountability Act (HIPAA), specifies privacy protections for patients' protected health information and generally provides that a covered entity, as defined (health plan, health care provider, and health care clearing house), may not use or disclose protected health information except as specified or as authorized by the patient in writing. (45 Code of Federal Regulations Section 164.500 et seq.) Existing law requires a health care provider, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical records to do so in a manner that CONTINUED AB 439 Page 3 preserves the confidentiality of the information contained within those records. Existing law provides that any health care provider of health care, health care service plan, pharmaceutical company, or contractor who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of medical records shall be subject to existing remedies and penalties, as specified. (CIV Section 56.101) Existing law provides that a plaintiff may bring an action against any person or entity who has negligently released his/her confidential information or records in violation of the CMIA as follows: nominal damages of $1,000; and the amount of actual damages. (CIV Section 56.36(b)) Existing law specifies that in order to recover nominal damages, it is not necessary that the plaintiff suffered or was threatened with actual damages. (CIV Section 56.36(b)) This bill provides that, in an action brought by an individual pursuant to the above provisions (CIV Section 56.36(b)) on or after January 1, 2013, a court shall award any actual damages and reasonable attorney's fees and costs, but may not award any nominal damages if the defendant establishes all of the following as an affirmative defense: 1. The defendant is a covered entity or business associate as of January 1, 2012, as defined under HIPAA; 2. The defendant has complied with any obligations to notify all persons entitled to receive notice regarding the release of the information or records; 3. The release of confidential information or records was solely to another covered entity or business associate; 4. The release of confidential information or records was not an incident of medical identity theft, defined to mean the use of an individual's personal information, as defined in CIV Section 1798.80, without the individual's knowledge or consent, to obtain medical goods or services or to submit false claims for medical services; CONTINUED AB 439 Page 4 5. The defendant took appropriate preventive actions to protect the confidential information or records against release consistent with the defendant's obligations under the CMIA, any other applicable state law, and HIPAA, including: developing and implementing security policies and procedures; designating a security official who is responsible for developing and implementing its security policies and procedures, including educating and training the workforce; and encrypting the information or records and protecting against the release or use of the encryption key and passwords, or transmitting the information or records in a manner designed to provide equal or greater protections against improper disclosures; 6. The defendant took reasonable and appropriate corrective action after the release of the confidential records or information, and the covered entity or business associate that received the information or records destroyed or returned the information or records in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. If the information or records could not be destroyed or returned because of the technology utilized, the defendant may establish that fact; 7. The covered entity or business associate that received the confidential information or records, or any of its agents, independent contractors, or employees, regardless of the scope of the employee's employment, did not retain, use, or release the information or records; 8. After the release of the information or records, the defendant took reasonable and appropriate action to CONTINUED AB 439 Page 5 prevent a future similar release of confidential information or records; and 9. The defendant has not previously established an affirmative defense pursuant to this bill, or the court determines, in its discretion that application of the affirmative defense is found to be compelling and consistent with the purposes of this section to promote reasonable conduct in light of all the facts. This bill provides that a court may consider the equity of the situation, including whether the defendant had previously violated CMIA, regardless of whether an action had previously been brought, in determining whether the affirmative defense may be established. The court would also take into consideration the nature of the prior violations. This bill requires, to the extent the court allows discovery to determine whether there has been any other violation of this part that the court will consider in balancing the equities, the defendant shall not provide any medical information, as defined in Section 56.05. The court, in its discretion, may enter a protective order prohibiting the further use of any personal information, as defined in Section 1798.80, about the individual hose medical information may have been disclosed in a prior violation. This bill provides that a plaintiff shall be entitled to recover reasonable attorney's fees and costs without regard to an award of actual or nominal damages or the imposition of administrative fines or civil penalties. This bill specifies that in an action brought by an individual pursuant to CIV Section 56.36(b) on or after January 1, 2013, in which the defendant establishes the affirmative defense, a defendant shall not be liable for more than one judgment on the merits under this subdivision for releases arising out of the same event, transaction, or occurrence. FISCAL EFFECT : Appropriation: No Fiscal Com.: No Local: No CONTINUED AB 439 Page 6 SUPPORT : (Verified 8/23/12) California Association of Health Plans California Association of Physician Groups California Chamber of Commerce California Healthcare Institute California Hospital Association California Pharmacists Association California Retailers Association McKesson Corporation National Association of Chain Drug Stores ARGUMENTS IN SUPPORT : The author writes: AB 439 establishes an affirmative defense against liability for nominal damages under the CMIA. The defense is narrowly crafted to strike a balance between the need to preserve strong deterrents to protect against careless release of confidential patient information and the need to recognize the real complexities imposed on California businesses by current privacy laws. The CMIA allows patients whose medical information is released in violation of the act to sue for damages. In addition to actual damages, nominal damages of $1,000 are permitted. When a health care provider's improper release of information involves many patients, current law authorizes a large award of nominal damages since $1,000 may be recovered for each patient affected. This may result under current law despite the fact that the health care provider has taken appropriate steps to protect the information before its release and also taken corrective actions after the release-even if the patients suffered no actual provable damages from the violation. ASSEMBLY FLOOR : 78-0, 5/23/11 AYES: Achadjian, Alejo, Allen, Ammiano, Atkins, Beall, Bill Berryhill, Block, Blumenfield, Bonilla, Bradford, Brownley, Buchanan, Butler, Charles Calderon, Campos, Carter, Cedillo, Chesbro, Conway, Davis, Dickinson, CONTINUED AB 439 Page 7 Donnelly, Eng, Feuer, Fletcher, Fong, Fuentes, Furutani, Beth Gaines, Galgiani, Garrick, Gatto, Gordon, Grove, Hagman, Halderman, Hall, Harkey, Hayashi, Roger Hernández, Hill, Huber, Hueso, Huffman, Jeffries, Jones, Knight, Lara, Logue, Bonnie Lowenthal, Ma, Mansoor, Mendoza, Miller, Mitchell, Monning, Morrell, Nestande, Nielsen, Norby, Olsen, Pan, Perea, V. Manuel Pérez, Portantino, Silva, Skinner, Smyth, Solorio, Swanson, Torres, Valadao, Wagner, Wieckowski, Williams, Yamada, John A. Pérez NO VOTE RECORDED: Cook, Gorell RJG:km 8/24/12 Senate Floor Analyses SUPPORT/OPPOSITION: SEE ABOVE **** END **** CONTINUED