BILL ANALYSIS Ó SB 850 Page 1 Date of Hearing: June 21, 2011 ASSEMBLY COMMITTEE ON HEALTH William W. Monning, Chair SB 850 (Leno) - As Amended: May 2, 2011 SENATE VOTE : 21-15 SUBJECT : Medical Records: confidential information SUMMARY : Requires an electronic health record (EHR) system or electronic medical record (EMR) system to automatically record any change or deletion of any electronically stored medical information. Establishes requirements for the record of any change or deletion, as specified, including that the record be made part of the patient's medical information. Specifically, this bill : 1)Replaces the term medical "records" with the term medical "information" in existing law which requires medical records to be handled in a manner that preserves the confidentiality of the information. 2)Requires an EHR or EMR system to automatically record any change or deletion of any electronically stored medical information. 3)Requires the record of any change or deletion to: a) Include the identity of the person who accessed and changed the medical information, the date and time the medical information was accessed, and the change that was made to the medical information; and, b) Be made part of the patient's medical information, and to be accessible upon request of a patient or his or her representative to review the medical information. EXISTING FEDERAL LAW : 1)Prohibits, under federal regulations implementing the federal Health Insurance Portability and Accountability Act (HIPAA), a health plan, health care clearinghouse, or a health care provider, who transmits health information in electronic form, from using or disclosing protected health information, for SB 850 Page 2 purposes other than medical treatment or payment, or health care operations, as defined, without written authorization of the patient, with exceptions. 2)Requires, under the federal American Reinvestment and Recovery Act (ARRA), covered entities and their business associates to provide notice of medical privacy breaches involving the unauthorized acquisition, access, use, or disclosure of protected health information to each individual whose information has been subject to a breach within 60 days of the discovery of the breach. 3)Establishes, under ARRA, the federal Health Information Technology for Economic and Clinical Health (HITECH) Act, to provide grants to states to promote the electronic movement and use of health information among organizations using nationally recognized interoperability standards and incentive payments to providers for Health Information Technology / Health Information Exchange adoption. EXISTING STATE LAW : 1)Prohibits, under the Confidentiality of Medical Information Act (CMIA), licensed or certified health care professionals, clinics and health facilities, health plans, and contracting entities, as defined, from disclosing or using a patient's medical information for any purpose not necessary to provide health care services to the patient and related administrative functions, without first obtaining authorization from the patient or the patient's representative, as specified, with exceptions. 2)Provides for administrative fines and civil penalties for persons and entities subject to the CMIA who negligently disclose, or who knowingly and willfully obtain, disclose, or use, medical information in violation of the CMIA, and authorizes the Attorney General, any district attorney, any county counsel acting pursuant to an agreement with the district attorney, or a city attorney, to seek civil penalties for violations. 3)Requires every provider of health care to establish and implement administrative, technical, and physical safeguards to protect the privacy of patients' medical information, and requires every provider to reasonably safeguard confidential SB 850 Page 3 medical information from any unauthorized access or unlawful access, use, or disclosure. 4)Provides that altering or modifying the medical record of any person, with fraudulent intent, or creating any false medical record, with fraudulent intent, constitutes unprofessional conduct. In addition to any other disciplinary action, the Division of Medical Quality or the California Board of Podiatric Medicine may impose a civil penalty of $500. 5)Provides that the failure of a physician and surgeon to maintain adequate and accurate records relating to the provision of services to their patients constitutes unprofessional conduct. FISCAL EFFECT : None COMMENTS : 1)PURPOSE OF THIS BILL . According to the author, in 2009, the U.S. Congress passed the HITECH Act sections of ARRA. HITECH allocates $44,000 in Medicare incentives to each individual provider in order to promote the use of EHRs and to address the significant financial obstacles to the adoption and use of such systems, particularly among smaller or independent physician offices. Beginning in 2015, physicians who elect not to use an EHR will be penalized, starting with a 1% Medicare fee reduction. In 2017 this penalty grows to 3%. As a result of these incentives, it is expected that there will be a dramatic increase in the use of EHRs by individual physician practices. A recent study published in the Journal of Health Affairs found that less than one in five physicians, or 18%, reported having at least a basic EHR system. By 2015 it is expected that most physicians will begin doing so. The author states that this bill is intended to ensure that regulations governing medical records appropriately account for the inherent differences between paper and electronic record systems. The author asserts that an electronic format makes it possible for medical information or errors to be deleted or changed, without those deletions or changes being reflected in the medical record. According to the author, at Stanford Hospital, doctors failed to treat a patient who suffered from complications following a surgery; and as a result, she died. The patient's surviving SB 850 Page 4 family members had to request records from Stanford six times only to be told the information did not exist. The author states that further investigations revealed that many records were not produced because of a technicality and because several records were destroyed after the error was made and the patient had died. In other situations, patients have received conflicting records when requesting their records from their health care provider. Another example provided by the author is that in Northern California, a patient had requested his records three times because there was no record of a particular visit to a doctor. It wasn't until the third request that this visit was reflected in his records, with no explanation as to why the record was initially missing. 2)EHRs and EMRs . According to the Centers for Medicaid and Medicare Services, an EHR is an electronic version of a patient's medical history, that is maintained by the provider over time, and may include all of the key administrative clinical data relevant to that person's care under a particular provider, including demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data, and radiology reports. The EHR automates access to information and has the potential to streamline the clinician's workflow. Sometimes people use the terms "EMR" when talking about EHR technology. Very often an EMR is just another way to describe an EHR and both providers and vendors sometimes use the terms interchangeably. 3)MEANINGFUL USE . For the purposes of the Medicare and Medicaid Incentive Programs, eligible professionals, eligible hospitals, and critical access hospitals (CAHs) must use certified EHR technology, which gives assurance to purchasers and other users that an EHR system offers the necessary technological capability, functionality, and security to meet the meaningful use criteria. Certification also helps providers and patients be confident that the electronic health information technology products and systems they use are secure, can maintain data confidentially, and can work with other systems to share information. Existing federal regulations require the date, time, patient identification, and user identification to be recorded when electronic health information is created, modified, accessed, or deleted; and an indication of which actions(s) occurred and by whom. The federal regulations also include verification that electronic health information has not been altered in transit. For SB 850 Page 5 disclosures of treatment, payment, and health care operations, the date, time, patient identification, user identification, and description of the disclosure must also be recorded. The Medicaid EHR Incentive Program provides incentive payments beginning in 2011 to eligible professionals, eligible hospitals, and CAHs as they adopt, implement, upgrade, or demonstrate meaningful use of certified EHR technology in their first year of participation and demonstrate meaningful use for up to five remaining participation years. The Medicare EHR Incentive Program will provide incentive payments beginning in 2012 to eligible professionals, eligible hospitals, and CAHs that demonstrate meaningful use of certified EHR technology. 4)HIPAA PRIVACY RULE . The HIPAA Privacy Rule requires "covered entities" (health care providers who conduct covered health care transactions electronically, health plans and health care clearinghouses) to make available to an individual upon request an accounting of certain disclosures (release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information) of the individual's protected health information (PHI), which is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. A revision to this rule has been proposed which would divide this right into two separate rights: a right to an accounting of disclosures, and a right to an access report (which would include electronic access by members of the workforce and persons outside the covered entities). Under the rule, the right to an access report would provide information on who has accessed electronic PHI in a designated record set (including access for purposes of treatment, payment, and health care operations). The proposal applies to covered entities and business associates beginning January 1, 2013 for electronic designated record set systems acquired after January 1, 2009, and beginning on January 1, 2014 for electronic designated record set systems acquired as of January 1, 2009. Comments about this proposed rule change must be submitted on or before August 1, 2011. In a request for information from the federal Department of Health and Human Services in preparation for the proposed SB 850 Page 6 rule, comments reflected a variety of audit log experiences, representative of the wide range of systems used for various functions in the health care system. According to the comments, most current audit logs retain at least the name or other identification of the individual who accessed the record, the name or other identification of the record that was accessed, the date, the time and the area, module, or screen of the EHR that was accessed. The comments generally indicated that maintaining current audit logs for three years would incur minimal additional burden; however, increasing the information retained to include additional information about treatment, payment, and health care operations disclosures would create additional storage space burden. 5)SUPPORT . This bill is sponsored by the Consumer Attorneys of California (CAC) to ensure that information that was previously accessible to the patient in a paper format continues to be available to the patient in an electronic format. According to CAC, paper records have traditionally included a clear record of a change made to the record but EHR systems do not use the same protocols and only reference a change in the audit trail which is not accessible or readable to a patient - and the original entry may be lost. CAC believes that neither health reform nor subsequent regulations related to certified EHRs have done much to ensure the integrity and accuracy of a patient's medical record is preserved. CAC states that some providers have unscrupulously taken advantage of these shortfalls to cover-up errors by modifying or deleting entries. CAC argues that deletions and modifications of a record put a patient's safety at risk whether intentional or unintentional. A simple inadvertent mistake, such as deleting entire entries from a patient's multiple visits to the doctor while undergoing a series of treatment, which did occur at a San Diego medical specialist's office, can have detrimental effects in the future, writes CAC. 6)OPPOSTION UNLESS AMENDED . The California Hospital Association (CHA), Kaiser Permanente (Kaiser), the California Children's Hospital Association (CCHA), the California Medical Association (CMA), the California Association of Physician Groups (CAPG), the California Academy of Family Physicians (CAFP) all request amendments to this bill. The CMA asks that this bill be amended to include provisions that mirror federal requirements related to EHR systems. CMA believes that the SB 850 Page 7 provisions of this bill are misplaced in the CMIA which is designed to protect and preserve the confidentiality of records derived by health services providers, not preserve the accuracy and integrity of the information in the medical record. CMA also indicates that there are laws in place that mandate providers to maintain the accuracy and integrity of medical records and prevent fraudulent destruction. CMA also raises concerns that this bill will interfere with federal efforts to incentivize meaningful use of an EHR system by forcing EHR companies to develop "California-only" versions. Kaiser believes this bill is unnecessary, because current law already requires information about changes and deletions to information in electronic records be audited and maintained. Kaiser also believes that including audit log information in the EMR without context or interpretation could lead to privacy violations and confusion or frustration for patients. Kaiser agrees with CMA that at a time when federal standards and HIPAA regulations are under development this bill sets up a separate state standard. CHA and CCHA request the removal of a provision in this bill that states: "The record of the change or deletion shall be made part of the patient's medical information, and shall be accessible upon request of a patient or his or her representative to review the medical information." CAPG is concerned about the audit log being included as part of the EMR. CAPG also points out that should California impose a longer period of time for the preservation of audit trails beyond that selected in the federal rule, additional cost will be added to the health care system. CAFP argues that the cost to add the functionality required by this bill serves as yet another deterrent to many providers who still need to be convinced that EHR adoption and meaningful use will improve patient care. 7)AMENDMENTS PRPOSED BY CHA . (b) An electronic health record system or electronic medical record system shall protect and preserve the integrity of electronic medical information. An electronic health record system or electronic medical record system shall automatically record and preserve a record of any change or deletion of any electronically stored medical information. Any recording of a change or deletion shall include the identity of the person who accessed and changed the medical information, the date and time the medical information was accessed, and the change that was made to the medical information. SB 850 Page 8 (c) 56.101(b) shall become effective and shall be integrated with the clinical chart 18 months following federally required standards of electronic health record security and clinical documentation integration. (d) All requests for access to patient records by the patient or the patient's representative shall be consistent with current applicable state and federal laws governing patient access to and the uses and disclosures of medical information . 8)AUTHOR'S AMENDMENTS . In an effort to address the critics of this bill, the author has offered to take the amendments described below, which would delay implementation subject to the availability of the functionality and at the time the federally required standards are integrated. The amendments also would maintain a variation from federal certification standards in that the law, if enacted, would require the existence of the change to be indicated in the patient's' medical record. (b) An electronic health record system or electronic medical record system shall protect and preserve the integrity of electronic medical information. An electronic health record system or electronic medical record system shall automatically record and preserve any change or deletion of any electronically stored medical information. Any change or deletion shall include the identity of the person who accessed and changed the medical information, the date and time the medical information was accessed, and the change that was made to the medical information. The existence of a change to a clinical entry shall be indicated in the patients' medical record.The record of the change or deletion shall be made part of the patient's medical information, and shall be accessible upon request of a patient or his or her representative to review the medical information.(c) Existing EHR systems shall comply with 56.101 (b) subject to the availability of this functionality for the existing system and shall apply at the time that an EHR system is updated pursuant to federally required standards of electronic health record security and clinical documentation integration. (d) A patient's right to access or receive a copy of his or her electronic medical records upon request shall be consistent with current applicable state and federal laws governing patient access to and the uses and disclosures of medical information. SB 850 Page 9 9)DOUBLE REFERRAL . This bill has been double referred. Should this bill pass out of this committee it will be referred to the Assembly Committee on Judiciary. REGISTERED SUPPORT / OPPOSITION : Support Consumer Attorneys of California Opposition None on file. Analysis Prepared by : Teri Boughton / HEALTH / (916) 319-2097