California Legislature—2013–14 Regular Session

Assembly Bill No. 1755


Introduced by Assembly Member Gomez

February 14, 2014


An act to amend Section 1280.15 of the Health and Safety Code, relating to public health.

LEGISLATIVE COUNSEL’S DIGEST

AB 1755, as introduced, Gomez. Medical information.

Existing law requires a clinic, health facility, home health agency, or hospice to prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information, as defined. Existing law requires the clinic, health facility, home health agency, or hospice to report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the State Department of Public Health and to the affected patient or the patient’s representative, as prescribed. Existing law authorizes the State Department of Public Health to assess administrative penalties for violation of these provisions.

This bill would make technical, nonsubstantive changes to these provisions.

Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Section 1280.15 of the Health and Safety Code is amended to read:

1280.15. (a) A clinic, health facility, home health agency, or hospice licensed pursuant to Section 1204, 1250, 1725, or [delete: 1745] [insert: 1747] shall prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information, as defined in Section 56.05 of the Civil Code and consistent with Section 130203. For purposes of this section, internal paper records, electronic mail, or facsimile transmissions inadvertently misdirected within the same facility or health care system within the course of coordinating care or delivering services shall not constitute unauthorized access to, or use or disclosure of, a patient’s medical information. The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed, and up to seventeen thousand five hundred dollars ($17,500) per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patient’s medical information. For purposes of the investigation, the department shall consider the clinic’s, health facility’s, agency’s, or hospice’s history of compliance with this section and other related state and federal statutes and regulations, the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring, and factors outside its control that restricted the facility’s ability to comply with this section. The department shall have full discretion to consider all factors when determining the amount of an administrative penalty pursuant to this section.

(b) (1) A clinic, health facility, home health agency, or hospice to which subdivision (a) applies shall report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the department no later than five business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice.

(2) Subject to subdivision (c), a clinic, health facility, home health agency, or hospice shall also report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the affected patient or the patient’s representative at the last known address, no later than five business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice.

(c) (1) A clinic, health facility, home health agency, or hospice shall delay the reporting, as required pursuant to paragraph (2) of subdivision (b), of any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information beyond five business days if a law enforcement agency or official provides the clinic, health facility, home health agency, or hospice with a written or oral statement that compliance with the reporting requirements of paragraph (2) of subdivision (b) would likely impede the law enforcement agency’s investigation that relates to the unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information and specifies a date upon which the delay shall end, not to exceed 60 days after a written request is made, or 30 days after an oral request is made. A law enforcement agency or official may request an extension of a delay based upon a written declaration that there exists a bona fide, ongoing, significant criminal investigation of serious wrongdoing relating to the unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information, that notification of patients will undermine the law enforcement agency’s investigation, and that specifies a date upon which the delay shall end, not to exceed 60 days after the end of the original delay period.

(2) If the statement of the law enforcement agency or official is made orally, then the clinic, health facility, home health agency, or hospice shall do both of the following:

(A) Document the oral statement, including, but not limited to, the identity of the law enforcement agency or official making the oral statement and the date upon which the oral statement was made.

(B) Limit the delay in reporting the unlawful or unauthorized access to, or use or disclosure of, the patient’s medical information to the date specified in the oral statement, not to exceed 30 calendar days from the date that the oral statement is made, unless a written statement that complies with the requirements of this subdivision is received during that time.

(3) A clinic, health facility, home health agency, or hospice shall submit a report that is delayed pursuant to this subdivision not later than five business days after the date designated as the end of the delay.

(d) If a clinic, health facility, home health agency, or hospice to which subdivision (a) applies violates subdivision (b), the department may assess the licensee a penalty in the amount of one hundred dollars ($100) for each day that the unlawful or unauthorized access, use, or disclosure is not reported to the department or the affected patient, following the initial five-day period specified in subdivision (b). However, the total combined penalty assessed by the department under subdivision (a) and this subdivision shall not exceed two hundred fifty thousand dollars ($250,000) per reported event. For enforcement purposes, it shall be presumed that the facility did not notify the affected patient if the notification was not documented. This presumption may be rebutted by a licensee only if the licensee demonstrates, by a preponderance of the evidence, that the notification was made.

(e) In enforcing subdivisions (a) and (d), the department shall take into consideration the special circumstances of small and rural hospitals, as defined in Section 124840, and primary care clinics, as defined in subdivision (a) of Section 1204, in order to protect access to quality care in those hospitals and clinics. When assessing a penalty on a skilled nursing facility or other facility subject to Section 1423, 1424, 1424.1, or 1424.5, the department shall issue only the higher of either a penalty for the violation of this section or a penalty for violation of Section 1423, 1424, 1424.1, or 1424.5, not both.

(f) All penalties collected by the department pursuant to this [delete: section,] [insert: section and] Sections 1280.1, 1280.3, and [delete: 1280.4,] [insert: 1280.4] shall be deposited into the Internal Departmental Quality Improvement Account, which is hereby created within the Special Deposit Fund under Section 16370 of the Government Code. Upon appropriation by the Legislature, moneys in the account shall be expended for internal quality improvement activities in the Licensing and Certification Program.

(g) If the licensee disputes a determination by the department regarding a failure to prevent or failure to timely report unlawful or unauthorized access to, or use or disclosure of, patients’ medical information, or the imposition of a penalty under this section, the licensee may, within 10 days of receipt of the penalty assessment, request a hearing pursuant to Section 131071. Penalties shall be paid when appeals have been exhausted and the penalty has been upheld.

(h) In lieu of disputing the determination of the department regarding a failure to prevent or failure to timely report unlawful or unauthorized access to, or use or disclosure of, patients’ medical information, transmit to the department 75 percent of the total amount of the administrative penalty, for each violation, within 30 business days of receipt of the administrative penalty.

(i) Notwithstanding any other law, the department may refer violations of this section to the Office of Health Information Integrity for enforcement pursuant to Section 130303.

(j) For purposes of this section, the following definitions shall apply:

(1) “Reported event” means all breaches included in any single report that is made pursuant to subdivision (b), regardless of the number of breach events contained in the report.

(2) “Unauthorized” means the inappropriate access, review, or viewing of patient medical information without a direct need for medical diagnosis, treatment, or other lawful use as permitted by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) or any other statute or regulation governing the lawful access, use, or disclosure of medical information.


