BILL ANALYSIS                                                                                                                                                                                                    



                                                                  SB 850
                                                                  Page  1

           Date of Hearing:   June 28, 2011

                           ASSEMBLY COMMITTEE ON JUDICIARY
                                  Mike Feuer, Chair
                      SB 850 (Leno) - As Amended: June 22, 2011

           SENATE VOTE  :   21-15
           
          SUBJECT  :  Medical Records: Confidential Information 

           KEY ISSUE  :  Should changes to a person's electronic medical 
          information be automatically recorded and preserved in order to 
          better preserve the integrity of electronic medical information? 


           FISCAL EFFECT  :  As currently in print this bill is keyed 
          non-fiscal.

                                      SYNOPSIS
                                          
          As recently amended, this bill requires that any change or 
          deletion in electronic medical information be automatically 
          recorded and preserved in order to better protect the integrity 
          of electronic medical information.  The bill affirms a patient's 
          right to access those records so long as the request is 
          consistent with current state and federal law governing patient 
          access to medical information.  This bill, like the federal law 
          that it tracks, reflects technological changes in the way that 
          medical records are created, stored, and accessed.  In the past, 
          modifications to paper records were readily apparent through an 
          examination of those paper records; however, changes or 
          deletions in electronic records are either lost entirely or are 
          only ascertainable through examination of an "audit log," but 
          those changes are not necessarily apparent from the face of the 
          record.  According to the author, missing or inaccurate medical 
          history can lead to less than fully informed treatment 
          decisions, or, even worse, information could potentially be 
          altered or deleted to conceal medical errors.  Although several 
          groups representing medical providers initially opposed or 
          expressed concerns about the bill, and the way that it interacts 
          with federal regulations, the author has worked diligently to 
          address those concerns.  With the amendments agreed to in the 
          Assembly Health Committee last week, all opposition to the bill 
          has apparently been removed.  The bill passed out of the Assembly 
          Health Committee on a 14-0 vote. 









           
           SUMMARY  :  Requires an electronic health or medical record system 
          to protect the integrity of electronic medical information and 
          automatically record and preserve any change or deletion of 
          electronically stored information, and affirms the patient's 
          right to access the information consistent with federal and 
          state law.  Specifically,  this bill  :   

          1)Requires an electronic health record system or electronic 
            medical record system to protect and preserve the integrity of 
            electronic medical information, and to automatically record 
            and preserve any change or deletion of any electronically 
            stored medical information.  Specifies that the record of any 
            change or deletion shall include the following:

             a)   The identity of the person who accessed and changed the 
               medical record.
             b)   The date and time the medical information was accessed.
             c)   The change that was made to the medical information.

          2)Provides that a patient's right to access or receive a copy of 
            his or her electronic medical records upon request shall be 
            consistent with current applicable state and federal laws 
            governing patient access to, and the use and disclosures of, 
            medical information.

           EXISTING LAW  :   

          1)Prohibits a health care provider, health care service plan, or 
            contractor from disclosing medical information regarding a 
            patient, enrollee, or subscriber without first obtaining an 
            authorization, subject to certain mandatory and permissive 
            exemptions, as enumerated.  (Civil Code Section 56.10 (a) - 
            (c).) 
                
          2)Provides that any provider of health care, health care service 
            plan, pharmaceutical company, or contractor who negligently 
            creates, maintains, preserves, stores, abandons, destroys, or 
            disposes of written or electronic medical records shall be 
            subject to damages in a civil action or an administrative 
            fine, as specified.  (Civil Code Section 56.36.)

          3)Requires a health care provider, health care service plan, 
            pharmaceutical company, or contractor who creates, maintains, 
            preserves, stores, abandons, destroys, or disposes of written 
            or electronic medical records to do so in a manner that 
            preserves the confidentiality, accuracy, and integrity of the 
            information contained therein.  (Civil Code Section 56.101.) 

          4)Defines "medical information" to mean any individually 
            identifiable information, in electronic or physical form, in 
            possession of or derived from a provider of health care, 
            health care service plan, pharmaceutical company, or 
            contractor regarding a patient's medical history, condition, 
            or treatment.  Existing law defines "individually 
            identifiable" to mean that the medical information includes or 
            contains an element of personal information sufficient to 
            allow identification of the individual, such as the patient's 
            name, address, electronic mail address, telephone number, or 
            social security number, or other information that, alone or in 
            combination with other publicly available information, reveals 
            the individual's identity.  (Civil Code Section 56.05 (g).)

          5)Requires, under federal regulations, that specified 
            information, including the date, time, patient identification, 
            and user identification must be recorded whenever electronic 
            health information is created, modified, accessed, or deleted, 
            and requires that an indication of what actions occurred and 
            by whom must also be recorded.  Provides that an electronic 
            health information system must use a specified "hashing 
            algorithm" to verify that electronic health information has 
            not been altered.  (45 CFR 170.210.) 

           COMMENTS  :  According to the author, existing law regarding the 
          accuracy and integrity of medical information was enacted prior 
          to the development of electronic health records.  For the most 
          part, the use of electronic medical information has the 
          potential to greatly enhance the exchange of information and 
          medical history in a manner that improves medical treatment and 
          reduces the possibility of errors.  At the same time, the shift 
          to electronic medical information also carries certain risk.  
          Most notably, while alterations and deletions in paper records 
          are generally visible upon inspection, the same is not always 
          true of medical information recorded and stored electronically.  
          Electronic alterations and deletions are not obvious to the 
          naked eye, and in the absence of technology that can detect 
          alterations and deletions, such changes may leave no trace at 
          all.  Accordingly, this bill requires that any alteration or 
          deletion in an electronic medical information system be "recorded 
          and preserved" in order to better protect the integrity of 
          electronic medical information.  The bill would require not only 
          that the change be recorded and preserved, but also that the 
          record contain specified information, including the identity of 
          the person who accessed and changed the medical information, the 
          date and time the medical information was accessed, and the 
          change that was made to the medical information. 

           Interaction with Federal Law :  Federal regulations set forth 
          standards that must be used whenever health information is 
          electronically created, maintained, or exchanged.  For example, 
          federal law requires that the appropriate date, time, patient 
          identification, and user identification be recorded when 
          electronic health information is created, modified, accessed, or 
          deleted, and that the record must indicate which action or 
          actions occurred and by whom.  In addition, federal law requires 
          that a "hashing algorithm" that meets standards set by the 
          National Institute of Standards and Technology (NIST) must be 
          used to verify that electronic health information has not been 
          altered.  (45 CFR Section 170.210.)

          According to the author, however, despite these federal 
          regulations, existing systems only make it possible to decipher 
          alterations or deletions by examining a separate "audit trail," 
          also known as an "access log" or "audit log."  That is, federal 
          law requires a system to record changes, but the change is only 
          recorded in the audit log and does not necessarily appear on the 
          face of a record and/or in a user-friendly format.  Although the 
          author originally sought to address this issue as well, the bill 
          presently would not require that the information be provided to 
          the patient in a more user friendly or readily apparent format.  
          Rather, like federal law, this bill would only require that 
          changes and alterations be recorded and preserved.  It may still 
          be the case under this bill and under federal law, depending on 
          the kind of system used, that those changes and alterations can 
          only be determined by requesting an audit log, which may or may 
          not be understandable to the patient.

          Although opponents, including the California Hospital 
          Association (CHA) and Kaiser Permanente, were concerned that the 
          bill might be inconsistent with efforts to address these 
          problems of accessing electronic health information at the 
          federal level, the most recent amendments address these concerns 
          by specifying that a patient's right to access a copy of 
          electronic health records shall be consistent with federal law.  
          As a result of these amendments, CHA has submitted a letter 
          removing its opposition to the bill, and Kaiser has informed the 
          Committee that it intends to do so as well.  To the best of the 
          Committee's knowledge, all other opposition has been removed as 
          well. 

           Recent Federal Draft Regulations Relating to "Access Logs" and 
          "Access Reports"  :   Since this bill was introduced, the United 
          States Department of Health and Human Services (HHS) proposed 
          rule changes to modify the Health Insurance Portability and 
          Accountability Act (HIPAA) Privacy Rule and the Health 
          Information Technology for Economic and Clinical Health (HITECH) 
          Act.  These proposed changes also address the manner in which 
          changes in health information records are recorded and 
          disclosed.  Among other things, HHS is proposing a rule change 
          that would provide individuals with a right to receive an 
          "access report" that indicates who has accessed the electronic 
          information.  The proposed rules would apparently distinguish 
          between "access logs," which would consist of the raw data that 
          the system collects each time a record is accessed, and an 
          "access report," which would be "a document that a system 
          administrator or other appropriate person generates from the 
          access log in a format that is understandable to the 
          individual."  (See "HIPAA Privacy Rule Accounting of Disclosures 
          Under the Health Information Technology for Economic and 
          Clinical Health Act," Federal Register, Vol. 76, No. 104, May 
          31, 2011, p. 31436.)  However, these changes, even if they 
          occur, would not be inconsistent with this bill, since this bill 
          speaks to the recording and preserving of alterations or 
          deletions in the record, and not to the format in which 
          information shall be presented to the patient upon request. 

           ARGUMENTS IN SUPPORT  :  The sponsor of this bill, the Consumer 
          Attorneys of California (CAOC), argues that this bill will help 
          to prevent medical errors and improve the quality of patient 
          care "by ensuring that electronic medical records accurately 
          reflect a patient's medical treatment and history, by preserving 
          a record of any modification or deletion made to a patient's 
          medical record."  The purpose of the bill, according to CAOC, "is 
          to ensure that information that was previously accessible to the 
          patient in a paper format continues to be available to the 
          patient in an electronic format."  CAOC also points out that 
          recent federal health care reform, enacted in 2009, gives 
          providers incentives to switch to "certified" electronic health 
          record systems, so that by 2015 most if not all providers will 
          use electronic systems exclusively.  However, while CAOC 
          recognizes the potential benefits of this change, it contends 
          that "some health care providers have unscrupulously taken 
          advantage of these shortfalls to cover-up errors by modifying or 
          deleting earlier entries," citing, for example, a case against 
          Stanford Hospital where such a cover-up of mistakes allegedly 
          occurred.  CAOC notes that federal law already requires that 
          electronic health record systems have the ability to record 
          changes in a medical record, and states that "this bill simply 
          requires actual recordation and preservation of the change."  

           REGISTERED SUPPORT / OPPOSITION  :

           Support 
           
          Consumer Attorneys of California (sponsor)
          California Association of Health Underwriters 
          Consumer Federation of California
           
            Opposition 
           
          None on file


           Analysis Prepared by  :    Thomas Clark / JUD. / (916) 319-2334