BILL ANALYSIS



                                                                      



           ------------------------------------------------------------ 
          |SENATE RULES COMMITTEE            |                   AB 439|
          |Office of Senate Floor Analyses   |                         |
          |1020 N Street, Suite 524          |                         |
          |(916) 651-1520         Fax: (916) |                         |
          |327-4478                          |                         |
           ------------------------------------------------------------ 
           
                                         
                                 THIRD READING


          Bill No:  AB 439
          Author:   Skinner (D)
          Amended:  8/24/12 in Senate
          Vote:     21

           
           SENATE JUDICIARY COMMITTEE  :  4-1, 7/3/12
          AYES:  Evans, Harman, Corbett, Leno
          NOES:  Blakeslee
           
          ASSEMBLY FLOOR  :  78-0, 5/23/11 - See last page for vote


           SUBJECT  :    Confidentiality of Medical Information Act

           SOURCE  :     Author


           DIGEST  :    This bill provides an affirmative defense for 
          specified actions brought under the Confidentiality of 
          Medical Information Act (CMIA), so that the plaintiff in 
          such an action may not be awarded nominal damages if the 
          defendant establishes that defense, as specified.  This 
          bill applies to actions brought on or after January 1, 
          2013.

           Senate Floor Amendments of 8/24/12 allow courts to consider 
          the nature of prior violations; and limit disclosure of 
          medical and personal information.

           ANALYSIS  :    Existing law, the California Constitution, 
          provides that all people have inalienable rights, including 
          the right to pursue and obtain privacy.  (California 
          Constitution Article I, Section 1)

          Existing law prohibits a health care provider, health care 
          service plan, or contractor from disclosing medical 
          information regarding a patient, enrollee, or subscriber 
          without first obtaining an authorization, except as 
          specified.  (Civil Code (CIV) Section 56.10(a))  

          Existing law requires a health care provider, health care 
          service plan, or contractor to disclose medical information 
          if the disclosure is compelled as specified (CIV Section 
          56.10(b)) and permits a health care provider or service 
          plan to disclose medical information in specified 
          circumstances.  (CIV Section 56.10(c))

          Existing law defines "medical information" to mean any 
          individually identifiable information, in electronic or 
          physical form, in possession of or derived from a provider 
          of health care, health care service plan, pharmaceutical 
          company, or contractor regarding a patient's medical 
          history, mental or physical condition, or treatment.  
          Existing law defines "individually identifiable" to mean 
          that the medical information includes or contains any 
          element of personal identifying information sufficient to 
          allow identification of the individual, such as the 
          patient's name, address, electronic mail address, telephone 
          number, or social security number, or other information 
          that, alone or in combination with other publicly available 
          information, reveals the individual's identity.  (CIV 
          Section 56.05(g))

          Existing federal law, the Health Insurance Portability and 
          Accountability Act (HIPAA), specifies privacy protections 
          for patients' protected health information and generally 
          provides that a covered entity, as defined (health plan, 
          health care provider, and health care clearing house), may 
          not use or disclose protected health information except as 
          specified or as authorized by the patient in writing.  (45 
          Code of Federal Regulations Section 164.500 et seq.)  

          Existing law requires a health care provider, health care 
          service plan, pharmaceutical company, or contractor who 
          creates, maintains, preserves, stores, abandons, destroys, 
          or disposes of medical records to do so in a manner that 
          preserves the confidentiality of the information contained 
          within those records.  Existing law provides that any 
          provider of health care, health care service 
          plan, pharmaceutical company, or contractor who negligently 
          creates, maintains, preserves, stores, abandons, destroys, 
          or disposes of medical records shall be subject to existing 
          remedies and penalties, as specified.  (CIV Section 56.101)

          Existing law provides that a plaintiff may bring an action 
          against any person or entity who has negligently released 
          his/her confidential information or records in violation of 
          the CMIA as follows:

             nominal damages of $1,000; and 
             the amount of actual damages.  (CIV Section 56.36(b))

          Existing law specifies that in order to recover nominal 
          damages, it is not necessary that the plaintiff suffered or 
          was threatened with actual damages.  (CIV Section 56.36(b))

          This bill provides that, in an action brought by an 
          individual pursuant to the above provisions (CIV Section 
          56.36(b)) on or after January 1, 2013, a court shall award 
          any actual damages and reasonable attorney's fees and 
          costs, but may not award any nominal damages if the 
          defendant establishes all of the following as an 
          affirmative defense: 

          1. The defendant is a covered entity or business associate 
             as of January 1, 2012, as defined under HIPAA; 

          2. The defendant has complied with any obligations to 
             notify all persons entitled to receive notice regarding 
             the release of the information or records; 

          3. The release of confidential information or records was 
             solely to another covered entity or business associate;

          4. The release of confidential information or records was 
             not an incident of medical identity theft, defined to 
             mean the use of an individual's personal information, as 
             defined in CIV Section 1798.80, without the individual's 
             knowledge or consent, to obtain medical goods or 
             services or to submit false claims for medical services;


          5. The defendant took appropriate preventive actions to 
             protect the confidential information or records against 
             release consistent with the defendant's obligations 
             under the CMIA, any other applicable state law, and 
             HIPAA, including:

                   developing and implementing security policies and 
                procedures;

                   designating a security official who is 
                responsible for developing and implementing its 
                security policies and procedures, including educating 
                and training the workforce; and 

                   encrypting the information or records and 
                protecting against the release or use of the 
                encryption key and passwords, or transmitting the 
                information or records in a manner designed to 
                provide equal or greater protections against improper 
                disclosures; 

          6. The defendant took reasonable and appropriate corrective 
             action after the release of the confidential records or 
             information, and the covered entity or business 
             associate that received the information or records 
             destroyed or returned the information or records in the 
             most expedient time possible and without unreasonable 
             delay, consistent with any measures necessary to 
             determine the scope of the breach and restore the 
             reasonable integrity of the data system.  If the 
             information or records could not be destroyed or 
             returned because of the technology utilized, the 
             defendant may establish that fact;

          7. The covered entity or business associate that received 
             the confidential information or records, or any of its 
             agents, independent contractors, or employees, 
             regardless of the scope of the employee's employment, 
             did not retain, use, or release the information or 
             records; 

          8. After the release of the information or records, the 
             defendant took reasonable and appropriate action to 
             prevent a future similar release of confidential 
             information or records; and 

          9. The defendant has not previously established an 
             affirmative defense pursuant to this bill, or the court 
             determines, in its discretion, that application of the 
             affirmative defense is found to be compelling and 
             consistent with the purposes of this section to promote 
             reasonable conduct in light of all the facts.

          This bill provides that a court may consider the equity of 
          the situation, including whether the defendant had 
          previously violated CMIA, regardless of whether an action 
          had previously been brought, in determining whether the 
          affirmative defense may be established.  The court would 
          also take into consideration the nature of the prior 
          violations.

          This bill requires that, to the extent the court allows 
          discovery to determine whether there has been any other 
          violation of this part that the court will consider in 
          balancing the equities, the defendant shall not provide any 
          medical information, as defined in Section 56.05.  The 
          court, in its discretion, may enter a protective order 
          prohibiting the further use of any personal information, as 
          defined in Section 1798.80, about the individual whose 
          medical information may have been disclosed in a prior 
          violation.

          This bill provides that a plaintiff shall be entitled to 
          recover reasonable attorney's fees and costs without regard 
          to an award of actual or nominal damages or the imposition 
          of administrative fines or civil penalties.

          This bill specifies that in an action brought by an 
          individual pursuant to CIV Section 56.36(b) on or after 
          January 1, 2013, in which the defendant establishes the 
          affirmative defense, a defendant shall not be liable for 
          more than one judgment on the merits under this subdivision 
          for releases arising out of the same event, transaction, or 
          occurrence.

           FISCAL EFFECT  :    Appropriation:  No   Fiscal Com.:  No   
          Local:  No


           SUPPORT  :   (Verified  8/23/12)

          California Association of Health Plans
          California Association of Physician Groups
          California Chamber of Commerce
          California Healthcare Institute
          California Hospital Association
          California Pharmacists Association
          California Retailers Association
          McKesson Corporation
          National Association of Chain Drug Stores

           ARGUMENTS IN SUPPORT  :    The author writes:

             AB 439 establishes an affirmative defense against 
             liability for nominal damages under the CMIA.  The 
             defense is narrowly crafted to strike a balance between 
             the need to preserve strong deterrents to protect 
             against careless release of confidential patient 
             information and the need to recognize the real 
             complexities imposed on California businesses by current 
             privacy laws.

             The CMIA allows patients whose medical information is 
             released in violation of the act to sue for damages.  In 
             addition to actual damages, nominal damages of $1,000 
             are permitted.  When a health care provider's improper 
             release of information involves many patients, current 
             law authorizes a large award of nominal damages since 
             $1,000 may be recovered for each patient affected.  This 
             may result under current law despite the fact that the 
             health care provider has taken appropriate steps to 
             protect the information before its release and also 
             taken corrective actions after the release - even if the 
             patients suffered no actual provable damages from the 
             violation.


           ASSEMBLY FLOOR  :  78-0, 5/23/11
          AYES:  Achadjian, Alejo, Allen, Ammiano, Atkins, Beall, 
            Bill Berryhill, Block, Blumenfield, Bonilla, Bradford, 
            Brownley, Buchanan, Butler, Charles Calderon, Campos, 
            Carter, Cedillo, Chesbro, Conway, Davis, Dickinson, 
            Donnelly, Eng, Feuer, Fletcher, Fong, Fuentes, Furutani, 
            Beth Gaines, Galgiani, Garrick, Gatto, Gordon, Grove, 
            Hagman, Halderman, Hall, Harkey, Hayashi, Roger 
            Hernández, Hill, Huber, Hueso, Huffman, Jeffries, Jones, 
            Knight, Lara, Logue, Bonnie Lowenthal, Ma, Mansoor, 
            Mendoza, Miller, Mitchell, Monning, Morrell, Nestande, 
            Nielsen, Norby, Olsen, Pan, Perea, V. Manuel Pérez, 
            Portantino, Silva, Skinner, Smyth, Solorio, Swanson, 
            Torres, Valadao, Wagner, Wieckowski, Williams, Yamada, 
            John A. Pérez
          NO VOTE RECORDED:  Cook, Gorell


          RJG:km  8/24/12   Senate Floor Analyses 

                         SUPPORT/OPPOSITION:  SEE ABOVE

                                ****  END  ****


























