Amended in Assembly March 28, 2014

California Legislature—2013–14 Regular Session

Assembly Bill No. 1755


Introduced by Assembly Member Gomez

February 14, 2014


An act to amend Section 1280.15 of the Health and Safety Code, relating to public health.

LEGISLATIVE COUNSEL’S DIGEST

AB 1755, as amended, Gomez. Medical information.

Existing law requires a clinic, health facility, home health agency, or hospice to prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information, as defined. Existing law requires the clinic, health facility, home health agency, or hospice to report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the State Department of Public Health and to the affected patient or the patient’s representative [deleted: , as prescribed] [inserted: no later than 5 business days after the unlawful or unauthorized access, use, or disclosure has been detected]. Existing law authorizes the State Department of Public Health to assess administrative penalties for violation of these provisions.

[deleted: This bill would make technical, nonsubstantive changes to these provisions.]

[inserted: This bill would instead require those entities to prevent breaches of patients’ medical information, as defined, and to report any breach of a patient’s medical information to the department and to the affected patient or the patient’s representative without unreasonable delay and in no case later than 60 calendar days after the breach has been detected, as specified.]

Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Section 1280.15 of the Health and Safety Code is amended to read:

1280.15. (a) A clinic, health facility, home health agency, or hospice licensed pursuant to Section 1204, 1250, 1725, or 1747 shall prevent [deleted: unlawful or unauthorized access to, and use or disclosure of,] [inserted: breaches of] patients’ medical information [deleted: , as defined in Section 56.05 of the Civil Code and consistent with] [inserted: as required by] Section 130203. For purposes of this section, internal paper records, [deleted: electronic mail,] [inserted: e-mail,] or facsimile transmissions inadvertently misdirected within the same facility or health care system within the course of coordinating care or delivering services shall not constitute [deleted: unauthorized access to, or use or disclosure of,] [inserted: a breach of] a patient’s medical information. The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was [deleted: unlawfully or without authorization accessed, used, or disclosed,] [inserted: breached,] and up to seventeen thousand five hundred dollars ($17,500) per subsequent [deleted: occurrence of unlawful or unauthorized access, use, or disclosure of] [inserted: breach of] that patient’s medical information. For purposes of the investigation, the department shall consider the clinic’s, health facility’s, agency’s, or hospice’s history of compliance with this section and other related state and federal statutes and regulations, the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring, and factors outside its control that restricted the facility’s ability to comply with this section. The department shall have full discretion to consider all factors when determining the amount of an administrative penalty pursuant to this section.

(b) (1) A clinic, health facility, home health agency, or hospice to which subdivision (a) applies shall report any [deleted: unlawful or unauthorized access to, or use or disclosure of,] [inserted: breach of] a patient’s medical information to the department [deleted: no later than five business days after the unlawful or unauthorized access, use, or disclosure] [inserted: without unreasonable delay and in no case later than 60 calendar days after the breach] has been detected by the clinic, health facility, home health agency, or hospice.

(2) Subject to subdivision (c), a clinic, health facility, home health agency, or hospice shall also report any [deleted: unlawful or unauthorized access to, or use or disclosure of,] [inserted: breach of] a patient’s medical information to the affected patient or the patient’s representative at the last known address, [deleted: no later than five business days after the unlawful or unauthorized access, use, or disclosure] [inserted: , or by an alternative means or at an alternative location as specified by the patient or the patient’s representative in writing pursuant to Section 164.522(b) of Title 45 of the Code of Federal Regulations, without unreasonable delay and in no case later than 60 calendar days after the breach] has been detected by the clinic, health facility, home health agency, or hospice. [inserted: Notice may be provided by e-mail only if the patient has previously agreed in writing to electronic notice by e-mail.]

(c) (1) A clinic, health facility, home health agency, or hospice shall delay the reporting, as required pursuant to paragraph (2) of subdivision (b), of any [deleted: unlawful or unauthorized access to, or use or disclosure of,] [inserted: breach of] a patient’s medical information [deleted: beyond five business days] if a law enforcement agency or official provides the clinic, health facility, home health agency, or hospice with a written or oral statement that compliance with the reporting requirements of paragraph (2) of subdivision (b) would likely impede the law enforcement agency’s investigation that relates to the [deleted: unlawful or unauthorized access to, and use or disclosure of,] [inserted: breach of] a patient’s medical information and specifies a date upon which the delay shall end, not to exceed 60 days after a written request is made, or 30 days after an oral request is made. A law enforcement agency or official may request an extension of a delay based upon a written declaration that there exists a bona fide, ongoing, significant criminal investigation of serious wrongdoing relating to the [deleted: unlawful or unauthorized access to, and use or disclosure of,] [inserted: breach of] a patient’s medical information, that notification of patients will undermine the law enforcement agency’s investigation, and that specifies a date upon which the delay shall end, not to exceed 60 days after the end of the original delay period.

(2) If the statement of the law enforcement agency or official is made orally, then the clinic, health facility, home health agency, or hospice shall do both of the following:

(A) Document the oral statement, including, but not limited to, the identity of the law enforcement agency or official making the oral statement and the date upon which the oral statement was made.

(B) Limit the delay in reporting the [deleted: unlawful or unauthorized access to, or use or disclosure of,] [inserted: breach of] the patient’s medical information to the date specified in the oral statement, not to exceed 30 calendar days from the date that the oral statement is made, unless a written statement that complies with the requirements of this subdivision is received during that time.

(3) A clinic, health facility, home health agency, or hospice shall submit a report that is delayed pursuant to this subdivision not later than five business days after the date designated as the end of the delay.

(d) If a clinic, health facility, home health agency, or hospice to which subdivision (a) applies violates subdivision (b), the department may assess the licensee a penalty in the amount of one hundred dollars ($100) for each day that the [deleted: unlawful or unauthorized access, use, or disclosure] [inserted: breach] is not reported to the department or the affected patient, following the initial [deleted: five-day] period specified in subdivision (b). However, the total combined penalty assessed by the department under subdivision (a) and this subdivision shall not exceed two hundred fifty thousand dollars ($250,000) per reported event. For enforcement purposes, it shall be presumed that the facility did not notify the affected patient if the notification was not documented. This presumption may be rebutted by a licensee only if the licensee demonstrates, by a preponderance of the evidence, that the notification was made.

(e) In enforcing subdivisions (a) and (d), the department shall take into consideration the special circumstances of small and rural hospitals, as defined in Section 124840, and primary care clinics, as defined in subdivision (a) of Section 1204, in order to protect access to quality care in those hospitals and clinics. When assessing a penalty on a skilled nursing facility or other facility subject to Section 1423, 1424, 1424.1, or 1424.5, the department shall issue only the higher of either a penalty for the violation of this section or a penalty for violation of Section 1423, 1424, 1424.1, or 1424.5, not both.

(f) All penalties collected by the department pursuant to this section and Sections 1280.1, 1280.3, and 1280.4 shall be deposited into the Internal Departmental Quality Improvement Account, which is hereby created within the Special Deposit Fund under Section 16370 of the Government Code. Upon appropriation by the Legislature, moneys in the account shall be expended for internal quality improvement activities in the Licensing and Certification Program.

(g) If the licensee disputes a determination by the department regarding a failure to prevent or failure to timely report [deleted: unlawful or unauthorized access to, or use or disclosure of,] [inserted: a breach of] patients’ medical information, or the imposition of a penalty under this section, the licensee may, within 10 days of receipt of the penalty assessment, request a hearing pursuant to Section 131071. Penalties shall be paid when appeals have been exhausted and the penalty has been upheld.

(h) In lieu of disputing the determination of the department regarding a failure to prevent or failure to timely report [deleted: unlawful or unauthorized access to, or use or disclosure of,] [inserted: a breach of] patients’ medical information, transmit to the department 75 percent of the total amount of the administrative penalty, for each violation, within 30 business days of receipt of the administrative penalty.

(i) Notwithstanding any other law, the department may refer violations of this section to the Office of Health Information Integrity for enforcement pursuant to Section 130303.

(j) For purposes of this section, the following definitions shall apply:

[inserted: (1) “Breach” means the acquisition, access, use, or disclosure of unsecured medical information in a manner not permitted under state or federal health information privacy laws that compromises the security or privacy of the medical information.]

[inserted: (A) “Breach” does not include any of the following:]

[inserted: (i) Any unintentional acquisition, access, or use of medical information by a workforce member or person acting under the authority of a clinic, health facility, home health agency, or hospice to which subdivision (a) applies, or a business associate, if that acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under state or federal health information privacy laws.]

[inserted: (ii) Any inadvertent disclosure by a person who is authorized to access medical information at a clinic, health facility, home health agency, or hospice to which subdivision (a) applies or a business associate to another person authorized to access medical information at the same entity or business associate, or organized health care arrangement in which the clinic, health facility, home health agency, or hospice to which subdivision (a) participates, and the information received as a result of the disclosure is not further used or disclosed in a manner not permitted under state or federal health information privacy laws.]

[inserted: (iii) A disclosure of medical information when a clinic, health facility, home health agency, or hospice to which subdivision (a) applies or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information.]

[inserted: (B) Except as provided in subdivision (a) and subparagraph (A), an acquisition, access, use, or disclosure of medical information in a manner not permitted under state or federal health information privacy laws is presumed to be a breach unless the clinic, health facility, home health agency, or hospice to which subdivision (a) applies or business associate, as applicable, demonstrates that there is a low probability that the medical information has been compromised based on a risk assessment of at least the following factors:]

[inserted: (i) The nature and extent of the medical information involved, including the types of identifiers and the likelihood of reidentification.]

[inserted: (ii) The unauthorized person who used the medical information or to whom the disclosure was made.]

[inserted: (iii) Whether the medical information was actually acquired or viewed.]

[inserted: (iv) The extent to which the risk to the medical information has been mitigated.]

[inserted: (2) “Business associate” has the meaning provided in regulations issued pursuant to the Health Information Portability and Accountability Act of 1996 (Public Law 104-191) (HIPAA) found in Parts 160 and 164 of Title 45 of the Code of Federal Regulations.]

[inserted: (3) “Detected” means that sufficient facts are known about an incident such that a reasonable person would believe that a breach of a patient’s medical information has taken place.]

[inserted: (4) “Medical information” has the meaning provided in Section 56.05 of the Civil Code.]

[inserted: (5) “Organized health care arrangement” has the meaning provided in regulations issued pursuant to HIPAA found in Parts 160 and 164 of Title 45 of the Code of Federal Regulations.]

[deleted: (1)] [inserted: (6)] “Reported event” means all breaches included in any single report that is made pursuant to subdivision (b), regardless of the number of breach events contained in the report.

[deleted: (2)] [inserted: (7)] “Unauthorized” means the inappropriate access, review, or viewing of patient medical information without a direct need for medical diagnosis, treatment, or other lawful use as permitted by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) or any other statute or regulation governing the lawful access, use, or disclosure of medical information.

[inserted: (8) “Unsecured medical information” means medical information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through use of a technology or methodology specified by the United States Secretary of Health and Human Services in the guidance issued under Section 13402(h)(2) of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5).]

[inserted: (9) “Workforce” has the meaning provided in regulations issued pursuant to HIPAA found in Parts 160 and 164 of Title 45 of the Code of Federal Regulations.]

