BILL ANALYSIS

SB 850 Page 1

Date of Hearing: June 28, 2011

ASSEMBLY COMMITTEE ON JUDICIARY
Mike Feuer, Chair

SB 850 (Leno) - As Amended: June 22, 2011

SENATE VOTE: 21-15

SUBJECT: Medical Records: Confidential Information

KEY ISSUE: Should changes to a person's electronic medical information be automatically recorded and preserved in order to better preserve the integrity of electronic medical information?

FISCAL EFFECT: As currently in print this bill is keyed non-fiscal.

SYNOPSIS

As recently amended, this bill requires that any change or deletion in electronic medical information be automatically recorded and preserved in order to better protect the integrity of electronic medical information. The bill affirms a patient's right to access those records so long as the request is consistent with current state and federal law governing patient access to medical information. This bill, like the federal law that it tracks, reflects technological changes in the way that medical records are created, stored, and accessed. In the past, modifications to paper records were readily apparent through an examination of those paper records; however, changes or deletions in electronic records are either lost entirely or are only ascertainable through examination of an "audit log," but those changes are not necessarily apparent from the face of the record. According to the author, missing or inaccurate medical history can lead to less than fully informed treatment decisions, or, even worse, information could potentially be altered or deleted to conceal medical errors.

Although several groups representing medical providers initially opposed or expressed concerns about the bill, and the way that it interacts with federal regulations, the author has worked diligently to address those concerns. With the amendments agreed to in the Assembly Health Committee last week, all opposition to the bill has apparently been removed.
The bill passed out of the Assembly Health Committee on a 14-0 vote.

SUMMARY: Requires an electronic health or medical record system to protect the integrity of electronic medical information and automatically record and preserve any change or deletion of electronically stored information, and affirms the patient's right to access the information consistent with federal and state law. Specifically, this bill:

1) Requires an electronic health record system or electronic medical record system to protect and preserve the integrity of electronic medical information, and to automatically record and preserve any change or deletion of any electronically stored medical information. Specifies that the record of any change or deletion shall include the following:

   a) The identity of the person who accessed and changed the medical record.
   b) The date and time the medical information was accessed.
   c) The change that was made to the medical information.

2) Provides that a patient's right to access or receive a copy of his or her electronic medical records upon request shall be consistent with current applicable state and federal laws governing patient access to, and the use and disclosures of, medical information.

EXISTING LAW:

1) Prohibits a health care provider, health care service plan, or contractor from disclosing medical information regarding a patient, enrollee, or subscriber without first obtaining an authorization, subject to certain mandatory and permissive exemptions, as enumerated. (Civil Code Section 56.10 (a) - (c).)

2) Provides that any provider of health care, health care service plan, pharmaceutical company, or contractor who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of written or electronic medical records shall be subject to damages in a civil action or an administrative fine, as specified. (Civil Code Section 56.36.)

3) Requires a health care provider, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of written or electronic medical records to do so in a manner that preserves the confidentiality, accuracy, and integrity of the information contained therein. (Civil Code Section 56.101.)

4) Defines "medical information" to mean any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, condition, or treatment. Existing law defines "individually identifiable" to mean that the medical information includes or contains an element of personal information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity. (Civil Code Section 56.05 (g).)

5) Requires, under federal regulations, that specified information, including the date, time, patient identification, and user identification must be recorded whenever electronic health information is created, modified, accessed, or deleted, and requires that an indication of what actions occurred and by whom must also be recorded. Provides that an electronic health information system must use a specified "hashing algorithm" to verify that electronic health information has not been altered. (45 CFR 170.210.)

COMMENTS: According to the author, existing law regarding the accuracy and integrity of medical information was enacted prior to the development of electronic health records.
For the most part, the use of electronic medical information has the potential to greatly enhance the exchange of information and medical history in a manner that improves medical treatment and reduces the possibility of errors. At the same time, the shift to electronic medical information also carries certain risks. Most notably, while alterations and deletions in paper records are generally visible upon inspection, the same is not always true of medical information recorded and stored electronically. Electronic alterations and deletions are not obvious to the naked eye, and in the absence of technology that can detect alterations and deletions, such changes may leave no trace at all.

Accordingly, this bill requires that any alteration or deletion in an electronic medical information system be "recorded and preserved" in order to better protect the integrity of electronic medical information. The bill would require not only that the change be recorded and preserved, but also that the record contain specified information, including the identity of the person who accessed and changed the medical information, the date and time the medical information was accessed, and the change that was made to the medical information.

Interaction with Federal Law: Federal regulations set forth standards that must be used whenever health information is electronically created, maintained, or exchanged. For example, federal law requires that the appropriate date, time, patient identification, and user identification be recorded when electronic health information is created, modified, accessed, or deleted, and that the record must indicate which action or actions occurred and by whom. In addition, federal law requires that a "hashing algorithm" that meets standards set by the National Institute of Standards and Technology (NIST) must be used to verify that electronic health information has not been altered. (45 CFR Section 170.210.)

According to the author, however, despite these federal regulations, existing systems only make it possible to decipher alterations or deletions by examining a separate "audit trail," also known as an "access log" or "audit log." That is, federal law requires a system to record changes, but the change is only recorded in the audit log and does not necessarily appear on the face of a record or in a user-friendly format. Although the author originally sought to address this issue as well, the bill presently would not require that the information be provided to the patient in a more user-friendly or readily apparent format. Rather, like federal law, this bill would only require that changes and alterations be recorded and preserved. It may still be the case under this bill and under federal law, depending on the kind of system used, that those changes and alterations can only be determined by requesting an audit log, which may or may not be understandable to the patient.

Although opponents, including the California Hospital Association (CHA) and Kaiser Permanente, were concerned that the bill might be inconsistent with efforts to address these problems of accessing electronic health information at the federal level, the most recent amendments address these concerns by specifying that a patient's right to access a copy of electronic health records shall be consistent with federal law. As a result of these amendments, CHA has submitted a letter removing its opposition to the bill, and Kaiser has informed the Committee that it intends to do so as well. To the best of the Committee's knowledge, all other opposition has been removed as well.

Recent Federal Draft Regulations Relating to "Access Logs" and "Access Reports": Since this bill was introduced, the United States Department of Health and Human Services (HHS) proposed rule changes to modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the Health Information Technology for Economic and Clinical Health (HITECH) Act. These proposed changes also address the manner in which changes in health information records are recorded and disclosed. Among other things, HHS is proposing a rule change that would provide individuals with a right to receive an "access report" that indicates who has accessed the electronic information. The proposed rules would apparently distinguish between "access logs," which would consist of the raw data that the system collects each time a record is accessed, and an "access report," which would be "a document that a system administrator or other appropriate person generates from the access log in a format that is understandable to the individual." (See "HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act," Federal Register, Vol. 76, No. 104, May 31, 2011, p. 31436.) However, these changes, even if they occur, would not be inconsistent with this bill, since this bill speaks to the recording and preserving of alterations or deletions in the record, and not to the format in which information shall be presented to the patient upon request.

ARGUMENTS IN SUPPORT: The sponsor of this bill, the Consumer Attorneys of California (CAOC), argues that this bill will help to prevent medical errors and improve the quality of patient care "by ensuring that electronic medical records accurately reflect a patient's medical treatment and history, by preserving a record of any modification or deletion made to a patient's medical record."
The purpose of the bill, according to CAOC, "is to ensure that information that was previously accessible to the patient in a paper format continues to be available to the patient in an electronic format." CAOC also points out that recent federal health care reform, enacted in 2009, gives providers incentives to switch to "certified" electronic health record systems, so that by 2015 most if not all providers will use electronic systems exclusively. However, while CAOC recognizes the potential benefits of this change, it contends that "some health care providers have unscrupulously taken advantage of these shortfalls to cover-up errors by modifying or deleting earlier entries," citing, for example, a case against Stanford Hospital where such a cover-up of mistakes allegedly occurred. CAOC notes that federal law already requires that electronic health record systems have the ability to record changes in a medical record, and states that "this bill simply requires actual recordation and preservation of the change."

REGISTERED SUPPORT / OPPOSITION:

Support

Consumer Attorneys of California (sponsor)
California Association of Health Underwriters
Consumer Federation of California

Opposition

None on file

Analysis Prepared by: Thomas Clark / JUD. / (916) 319-2334