BILL ANALYSIS �Ó
SB 850
Page 1
Date of Hearing: June 21, 2011
ASSEMBLY COMMITTEE ON HEALTH
William W. Monning, Chair
SB 850 (Leno) - As Amended: May 2, 2011
SENATE VOTE : 21-15
SUBJECT : Medical Records: confidential information
SUMMARY : Requires an electronic health record (EHR) system or
electronic medical record (EMR) system to automatically record
any change or deletion of any electronically stored medical
information. Establishes requirements for the record of any
change or deletion, as specified, including that the record be
made part of the patient's medical information. Specifically,
this bill :
1)Replaces the term medical "records" with the term medical
"information" in existing law which requires medical records
to be handled in a manner that preserves the confidentiality
of the information.
2)Requires an EHR or EMR system to automatically record any
change or deletion of any electronically stored medical
information.
3)Requires the record of any change or deletion to:
a) Include the identity of the person who accessed and
changed the medical information, the date and time the
medical information was accessed, and the change that was
made to the medical information; and,
b) Be made part of the patient's medical information, and
to be accessible upon request of a patient or his or her
representative to review the medical information.
EXISTING FEDERAL LAW :
1)Prohibits, under federal regulations implementing the federal
Health Insurance Portability and Accountability Act (HIPAA), a
health plan, health care clearinghouse, or a health care
provider, who transmits health information in electronic form,
from using or disclosing protected health information, for
�
SB 850
Page 2
purposes other than medical treatment or payment, or health
care operations, as defined, without written authorization of
the patient, with exceptions.
2)Requires, under the federal American Reinvestment and Recovery
Act (ARRA), covered entities and their business associates to
provide notice of medical privacy breaches involving the
unauthorized acquisition, access, use, or disclosure of
protected health information to each individual whose
information has been subject to a breach within 60 days of the
discovery of the breach.
3)Establishes, under ARRA, the federal Health Information
Technology for Economic and Clinical Health (HITECH) Act, to
provide grants to states to promote the electronic movement
and use of health information among organizations using
nationally recognized interoperability standards and incentive
payments to providers for Health Information Technology /
Health Information Exchange adoption.
EXISTING STATE LAW :
1)Prohibits, under the Confidentiality of Medical Information
Act (CMIA), licensed or certified health care professionals,
clinics and health facilities, health plans, and contracting
entities, as defined, from disclosing or using a patient's
medical information for any purpose not necessary to provide
health care services to the patient and related administrative
functions, without first obtaining authorization from the
patient or the patient's representative, as specified, with
exceptions.
2)Provides for administrative fines and civil penalties for
persons and entities subject to the CMIA who negligently
disclose, or who knowingly and willfully obtain, disclose, or
use, medical information in violation of the CMIA, and
authorizes the Attorney General, any district attorney, any
county counsel acting pursuant to an agreement with the
district attorney, or a city attorney, to seek civil penalties
for violations.
3)Requires every provider of health care to establish and
implement administrative, technical, and physical safeguards
to protect the privacy of patients' medical information, and
requires every provider to reasonably safeguard confidential
�
SB 850
Page 3
medical information from any unauthorized access or unlawful
access, use, or disclosure.
4)Provides that altering or modifying the medical record of any
person, with fraudulent intent, or creating any false medical
record, with fraudulent intent, constitutes unprofessional
conduct. In addition to any other disciplinary action, the
Division of Medical Quality or the California Board of
Podiatric Medicine may impose a civil penalty of $500.
5)Provides that the failure of a physician and surgeon to
maintain adequate and accurate records relating to the
provision of services to their patients constitutes
unprofessional conduct.
FISCAL EFFECT : None
COMMENTS :
1)PURPOSE OF THIS BILL . According to the author, in 2009, the
U.S. Congress passed the HITECH Act sections of ARRA. HITECH
allocates $44,000 in Medicare incentives to each individual
provider in order to promote the use of EHRs and to address
the significant financial obstacles to the adoption and use of
such systems, particularly among smaller or independent
physician offices. Beginning in 2015, physicians who elect
not to use an EHR will be penalized, starting with a 1%
Medicare fee reduction. In 2017 this penalty grows to 3%. As
a result of these incentives, it is expected that there will
be a dramatic increase in the use of EHRs by individual
physician practices. A recent study published in the Journal
of Health Affairs found that less than one in five physicians,
or 18%, reported having at least a basic EHR system. By 2015
it is expected that most physicians will begin doing so. The
author states that this bill is intended to ensure that
regulations governing medical records appropriately account
for the inherent differences between paper and electronic
record systems. The author asserts that an electronic format
makes it possible for medical information or errors to be
deleted or changed, without those deletions or changes being
reflected in the medical record.
According to the author, at Stanford Hospital, doctors failed
to treat a patient who suffered from complications following a
surgery; and as a result, she died. The patient's surviving
�
SB 850
Page 4
family members had to request records from Stanford six times
only to be told the information did not exist. The author
states that further investigations revealed that many records
were not produced because of a technicality and because
several records were destroyed after the error was made and
the patient had died. In other situations, patients have
received conflicting records when requesting their records
from their health care provider. Another example provided by
the author is that in Northern California, a patient had
requested his records three times because there was no record
of a particular visit to a doctor. It wasn't until the third
request that this visit was reflected in his records, with no
explanation as to why the record was initially missing.
2)EHRs and EMRs . According to the Centers for Medicaid and
Medicare Services, an EHR is an electronic version of a
patient's medical history, that is maintained by the provider
over time, and may include all of the key administrative
clinical data relevant to that person's care under a
particular provider, including demographics, progress notes,
problems, medications, vital signs, past medical history,
immunizations, laboratory data, and radiology reports. The
EHR automates access to information and has the potential to
streamline the clinician's workflow. Sometimes people use the
terms "EMR" when talking about EHR technology. Very often an
EMR is just another way to describe an EHR and both providers
and vendors sometimes use the terms interchangeably.
3)MEANINGFUL USE . For the purposes of the Medicare and Medicaid
Incentive Programs, eligible professionals, eligible
hospitals, and critical access hospitals (CAHs) must use
certified EHR technology, which gives assurance to purchasers
and other users that an EHR system offers the necessary
technological capability, functionality, and security to meet
the meaningful use criteria. Certification also helps
providers and patients be confident that the electronic health
information technology products and systems they use are
secure, can maintain data confidentially, and can work with
other systems to share information. Existing federal
regulations require the date, time, patient identification,
and user identification to be recorded when electronic health
information is created, modified, accessed, or deleted; and an
indication of which actions(s) occurred and by whom. The
federal regulations also include verification that electronic
health information has not been altered in transit. For
�
SB 850
Page 5
disclosures of treatment, payment, and health care operations,
the date, time, patient identification, user identification,
and description of the disclosure must also be recorded.
The Medicaid EHR Incentive Program provides incentive payments
beginning in 2011 to eligible professionals, eligible
hospitals, and CAHs as they adopt, implement, upgrade, or
demonstrate meaningful use of certified EHR technology in
their first year of participation and demonstrate meaningful
use for up to five remaining participation years. The
Medicare EHR Incentive Program will provide incentive payments
beginning in 2012 to eligible professionals, eligible
hospitals, and CAHs that demonstrate meaningful use of
certified EHR technology.
4)HIPAA PRIVACY RULE . The HIPAA Privacy Rule requires "covered
entities" (health care providers who conduct covered health
care transactions electronically, health plans and health care
clearinghouses) to make available to an individual upon
request an accounting of certain disclosures (release,
transfer, provision of access to, or divulging in any other
manner of information outside the entity holding the
information) of the individual's protected health information
(PHI), which is any information in the medical record or
designated record set that can be used to identify an
individual and that was created, used, or disclosed in the
course of providing a health care service such as diagnosis or
treatment. A revision to this rule has been proposed which
would divide this right into two separate rights: a right to
an accounting of disclosures, and a right to an access report
(which would include electronic access by members of the
workforce and persons outside the covered entities). Under
the rule, the right to an access report would provide
information on who has accessed electronic PHI in a designated
record set (including access for purposes of treatment,
payment, and health care operations). The proposal applies to
covered entities and business associates beginning January 1,
2013 for electronic designated record set systems acquired
after January 1, 2009, and beginning on January 1, 2014 for
electronic designated record set systems acquired as of
January 1, 2009. Comments about this proposed rule change
must be submitted on or before August 1, 2011.
In a request for information from the federal Department of
Health and Human Services in preparation for the proposed
�
SB 850
Page 6
rule, comments reflected a variety of audit log experiences,
representative of the wide range of systems used for various
functions in the health care system. According to the
comments, most current audit logs retain at least the name or
other identification of the individual who accessed the
record, the name or other identification of the record that
was accessed, the date, the time and the area, module, or
screen of the EHR that was accessed. The comments generally
indicated that maintaining current audit logs for three years
would incur minimal additional burden; however, increasing the
information retained to include additional information about
treatment, payment, and health care operations disclosures
would create additional storage space burden.
5)SUPPORT . This bill is sponsored by the Consumer Attorneys of
California (CAC) to ensure that information that was
previously accessible to the patient in a paper format
continues to be available to the patient in an electronic
format. According to CAC, paper records have traditionally
included a clear record of a change made to the record but EHR
systems do not use the same protocols and only reference a
change in the audit trail which is not accessible or readable
to a patient - and the original entry may be lost. CAC
believes that neither health reform nor subsequent regulations
related to certified EHRs have done much to ensure the
integrity and accuracy of a patient's medical record is
preserved. CAC states that some providers have unscrupulously
taken advantage of these shortfalls to cover-up errors by
modifying or deleting entries. CAC argues that deletions and
modifications of a record put a patient's safety at risk
whether intentional or unintentional. A simple inadvertent
mistake, such as deleting entire entries from a patient's
multiple visits to the doctor while undergoing a series of
treatment, which did occur at a San Diego medical specialist's
office, can have detrimental effects in the future, writes
CAC.
6)OPPOSTION UNLESS AMENDED . The California Hospital Association
(CHA), Kaiser Permanente (Kaiser), the California Children's
Hospital Association (CCHA), the California Medical
Association (CMA), the California Association of Physician
Groups (CAPG), the California Academy of Family Physicians
(CAFP) all request amendments to this bill. The CMA asks that
this bill be amended to include provisions that mirror federal
requirements related to EHR systems. CMA believes that the
�
SB 850
Page 7
provisions of this bill are misplaced in the CMIA which is
designed to protect and preserve the confidentiality of
records derived by health services providers, not preserve the
accuracy and integrity of the information in the medical
record. CMA also indicates that there are laws in place that
mandate providers to maintain the accuracy and integrity of
medical records and prevent fraudulent destruction. CMA also
raises concerns that this bill will interfere with federal
efforts to incentivize meaningful use of an EHR system by
forcing EHR companies to develop "California-only" versions.
Kaiser believes this bill is unnecessary, because current law
already requires information about changes and deletions to
information in electronic records be audited and maintained.
Kaiser also believes that including audit log information in
the EMR without context or interpretation could lead to
privacy violations and confusion or frustration for patients.
Kaiser agrees with CMA that at a time when federal standards
and HIPAA regulations are under development this bill sets up
a separate state standard. CHA and CCHA request the removal
of a provision in this bill that states: "The record of the
change or deletion shall be made part of the patient's medical
information, and shall be accessible upon request of a patient
or his or her representative to review the medical
information." CAPG is concerned about the audit log being
included as part of the EMR. CAPG also points out that should
California impose a longer period of time for the preservation
of audit trails beyond that selected in the federal rule,
additional cost will be added to the health care system. CAFP
argues that the cost to add the functionality required by this
bill serves as yet another deterrent to many providers who
still need to be convinced that EHR adoption and meaningful
use will improve patient care.
7)AMENDMENTS PRPOSED BY CHA .
(b) An electronic health record system or electronic medical
record system shall protect and preserve the integrity of
electronic medical information. An electronic health record
system or electronic medical record system shall automatically
record and preserve a record of any change or deletion of any
electronically stored medical information. Any recording of a
change or deletion shall include the identity of the person
who accessed and changed the medical information, the date and
time the medical information was accessed, and the change that
was made to the medical information.
�
SB 850
Page 8
(c) 56.101(b) shall become effective and shall be integrated
with the clinical chart 18 months following federally required
standards of electronic health record security and clinical
documentation integration.
(d) All requests for access to patient records by the patient
or the patient's representative shall be consistent with
current applicable state and federal laws governing patient
access to and the uses and disclosures of medical information .
8)AUTHOR'S AMENDMENTS . In an effort to address the critics of
this bill, the author has offered to take the amendments
described below, which would delay implementation subject to
the availability of the functionality and at the time the
federally required standards are integrated. The amendments
also would maintain a variation from federal certification
standards in that the law, if enacted, would require the
existence of the change to be indicated in the patient's'
medical record.
(b) An electronic health record system or electronic medical
record system shall protect and preserve the integrity of
electronic medical information. An electronic health record
system or electronic medical record system shall automatically
record and preserve any change or deletion of any
electronically stored medical information. Any change or
deletion shall include the identity of the person who accessed
and changed the medical information, the date and time the
medical information was accessed, and the change that was made
to the medical information. The existence of a change to a
clinical entry shall be indicated in the patients' medical
record. The record of the change or deletion shall be made
part of the patient's medical information, and shall be
accessible upon request of a patient or his or her
representative to review the medical information.
(c) Existing EHR systems shall comply with 56.101 (b) subject
to the availability of this functionality for the existing
system and shall apply at the time that an EHR system is
updated pursuant to federally required standards of electronic
health record security and clinical documentation integration.
(d) A patient's right to access or receive a copy of his or
her electronic medical records upon request shall be
consistent with current applicable state and federal laws
governing patient access to and the uses and disclosures of
medical information.
�
SB 850
Page 9
9)DOUBLE REFERRAL . This bill has been double referred. Should
this bill pass out of this committee it will be referred to
the Assembly Committee on Judiciary.
REGISTERED SUPPORT / OPPOSITION :
Support
Consumer Attorneys of California
Opposition
None on file.
Analysis Prepared by : Teri Boughton / HEALTH / (916) 319-2097