AB 1755, as amended, Gomez. Medical information.
Existing law requires a clinic, health facility, home health agency, or hospice to prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information, as defined. Existing law requires the clinic, health facility, home health agency, or hospice to report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the State Department of Public Health and to the affected patient or the patient’s representative [deleted: , as prescribed] [inserted: no later than 5 business days after the unlawful or unauthorized access, use, or disclosure has been detected]. Existing law authorizes the State Department of Public Health to assess administrative penalties for violation of these provisions.
[deleted: This bill would make technical, nonsubstantive changes to these provisions.]
[inserted: This bill would instead require those entities to prevent breaches of patients’ medical information, as defined, and to report any breach of a patient’s medical information to the department and to the affected patient or the patient’s representative without unreasonable delay and in no case later than 60 calendar days after the breach has been detected, as specified.]
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Section 1280.15 of the Health and Safety Code is amended to read:
(a) A clinic, health facility, home health agency, or hospice licensed pursuant to Section 1204, 1250, 1725, or 1747 shall prevent [deleted: unlawful or unauthorized access to, and use or disclosure of,] [inserted: breaches of] patients’ medical information [deleted: , as defined in Section 56.05 of the Civil Code and consistent with] [inserted: as required by] Section 130203. For purposes of this section, internal paper records, [deleted: electronic mail,] [inserted: e-mail,] or facsimile transmissions inadvertently misdirected within the same facility or health care system within the course of coordinating care or delivering services shall not constitute [deleted: unauthorized access to, or use or disclosure of,] [inserted: a breach of] a patient’s medical information. The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was [deleted: unlawfully or without authorization accessed, used, or disclosed,] [inserted: breached,] and up to seventeen thousand five hundred dollars ($17,500) per subsequent [deleted: occurrence of unlawful or unauthorized access, use, or disclosure of] [inserted: breach of] that patient’s medical information. For purposes of the investigation, the department shall consider the clinic’s, health facility’s, agency’s, or hospice’s history of compliance with this section and other related state and federal statutes and regulations, the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring, and factors outside its control that restricted the facility’s ability to comply with this section. The department shall have full discretion to consider all factors when determining the amount of an administrative penalty pursuant to this section.
(b) (1) A clinic, health facility, home health agency, or hospice to which subdivision (a) applies shall report any [deleted: unlawful or unauthorized access to, or use or disclosure of,] [inserted: breach of] a patient’s medical information to the department [deleted: no later than five business days after the unlawful or unauthorized access, use, or disclosure] [inserted: without unreasonable delay and in no case later than 60 calendar days after the breach] has been detected by the clinic, health facility, home health agency, or hospice.
(2) Subject to subdivision (c), a clinic, health facility, home health agency, or hospice shall also report any [deleted: unlawful or unauthorized access to, or use or disclosure of,] [inserted: breach of] a patient’s medical information to the affected patient or the patient’s representative at the last known address, [deleted: no later than five business days after the unlawful or unauthorized access, use, or disclosure] [inserted: , or by an alternative means or at an alternative location as specified by the patient or the patient’s representative in writing pursuant to Section 164.522(b) of Title 45 of the Code of Federal Regulations, without unreasonable delay and in no case later than 60 calendar days after the breach] has been detected by the clinic, health facility, home health agency, or hospice. [inserted: Notice may be provided by e-mail only if the patient has previously agreed in writing to electronic notice by e-mail.]
(c) (1) A clinic, health facility, home health agency, or hospice shall delay the reporting, as required pursuant to paragraph (2) of subdivision (b), of any [deleted: unlawful or unauthorized access to, or use or disclosure of,] [inserted: breach of] a patient’s medical information [deleted: beyond five business days] if a law enforcement agency or official provides the clinic, health facility, home health agency, or hospice with a written or oral statement that compliance with the reporting requirements of paragraph (2) of subdivision (b) would likely impede the law enforcement agency’s investigation that relates to the [deleted: unlawful or unauthorized access to, and use or disclosure of,] [inserted: breach of] a patient’s medical information and specifies a date upon which the delay shall end, not to exceed 60 days after a written request is made, or 30 days after an oral request is made. A law enforcement agency or official may request an extension of a delay based upon a written declaration that there exists a bona fide, ongoing, significant criminal investigation of serious wrongdoing relating to the [deleted: unlawful or unauthorized access to, and use or disclosure of,] [inserted: breach of] a patient’s medical information, that notification of patients will undermine the law enforcement agency’s investigation, and that specifies a date upon which the delay shall end, not to exceed 60 days after the end of the original delay period.
(2) If the statement of the law enforcement agency or official is made orally, then the clinic, health facility, home health agency, or hospice shall do both of the following:
(A) Document the oral statement, including, but not limited to, the identity of the law enforcement agency or official making the oral statement and the date upon which the oral statement was made.
(B) Limit the delay in reporting the [deleted: unlawful or unauthorized access to, or use or disclosure of,] [inserted: breach of] the patient’s medical information to the date specified in the oral statement, not to exceed 30 calendar days from the date that the oral statement is made, unless a written statement that complies with the requirements of this subdivision is received during that time.
(3) A clinic, health facility, home health agency, or hospice shall submit a report that is delayed pursuant to this subdivision not later than five business days after the date designated as the end of the delay.
(d) If a clinic, health facility, home health agency, or hospice to which subdivision (a) applies violates subdivision (b), the department may assess the licensee a penalty in the amount of one hundred dollars ($100) for each day that the [deleted: unlawful or unauthorized access, use, or disclosure] the department or the affected patient, following the initial [deleted: five-day] period specified in subdivision (b). However, the total combined penalty assessed by the department under subdivision (a) and this subdivision shall not exceed two hundred fifty thousand dollars ($250,000) per reported event. For enforcement purposes, it shall be presumed that the facility did not notify the affected patient if the notification was not documented. This presumption may be rebutted by a licensee only if the licensee demonstrates, by a preponderance of the evidence, that the notification was made.
(e) In enforcing subdivisions (a) and (d), the department shall take into consideration the special circumstances of small and rural hospitals, as defined in Section 124840, and primary care clinics, as defined in subdivision (a) of Section 1204, in order to protect access to quality care in those hospitals and clinics. When assessing a penalty on a skilled nursing facility or other facility subject to Section 1423, 1424, 1424.1, or 1424.5, the department shall issue only the higher of either a penalty for the violation of this section or a penalty for violation of Section 1423, 1424, 1424.1, or 1424.5, not both.
(f) All penalties collected by the department pursuant to this section and Sections 1280.1, 1280.3, and 1280.4 shall be deposited into the Internal Departmental Quality Improvement Account, which is hereby created within the Special Deposit Fund under Section 16370 of the Government Code. Upon appropriation by the Legislature, moneys in the account shall be expended for internal quality improvement activities in the Licensing and Certification Program.
(g) If the licensee disputes a determination by the department regarding a failure to prevent or failure to timely report [deleted: unlawful or unauthorized access to, or use or disclosure of,] [inserted: a breach of] patients’ medical information, or the imposition of a penalty under this section, the licensee may, within 10 days of receipt of the penalty assessment, request a hearing pursuant to Section 131071. Penalties shall be paid when appeals have been exhausted and the penalty has been upheld.
(h) In lieu of disputing the determination of the department regarding a failure to prevent or failure to timely report [deleted: unlawful or unauthorized access to, or use or disclosure of,] [inserted: a breach of] patients’ medical information, transmit to the department 75 percent of the total amount of the administrative penalty, for each violation, within 30 business days of receipt of the administrative penalty.
(i) Notwithstanding any other law, the department may refer violations of this section to the Office of Health Information Integrity for enforcement pursuant to Section 130303.
(j) For purposes of this section, the following definitions shall apply:
(1) “Breach” means the acquisition, access, use, or disclosure of unsecured medical information in a manner not permitted under state or federal health information privacy laws that compromises the security or privacy of the medical information.
(A) “Breach” does not include any of the following:
(i) Any unintentional acquisition, access, or use of medical information by a workforce member or person acting under the authority of a clinic, health facility, home health agency, or hospice to which subdivision (a) applies, or a business associate, if that acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under state or federal health information privacy laws.
(ii) Any inadvertent disclosure by a person who is authorized to access medical information at a clinic, health facility, home health agency, or hospice to which subdivision (a) applies or a business associate to another person authorized to access medical information at the same entity or business associate, or organized health care arrangement in which the clinic, health facility, home health agency, or hospice to which subdivision (a) applies participates, and the information received as a result of the disclosure is not further used or disclosed in a manner not permitted under state or federal health information privacy laws.
(iii) A disclosure of medical information when a clinic, health facility, home health agency, or hospice to which subdivision (a) applies or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information.
(B) Except as provided in subdivision (a) and subparagraph (A), an acquisition, access, use, or disclosure of medical information in a manner not permitted under state or federal health information privacy laws is presumed to be a breach unless the clinic, health facility, home health agency, or hospice to which subdivision (a) applies or business associate, as applicable, demonstrates that there is a low probability that the medical information has been compromised based on a risk assessment of at least the following factors:
(i) The nature and extent of the medical information involved, including the types of identifiers and the likelihood of reidentification.
(ii) The unauthorized person who used the medical information or to whom the disclosure was made.
(iii) Whether the medical information was actually acquired or viewed.
(iv) The extent to which the risk to the medical information has been mitigated.
(2) “Business associate” has the meaning provided in regulations issued pursuant to the Health Information Portability and Accountability Act of 1996 (Public Law 104-191) (HIPAA) found in Parts 160 and 164 of Title 45 of the Code of Federal Regulations.
(3) “Detected” means that sufficient facts are known about an incident such that a reasonable person would believe that a breach of a patient’s medical information has taken place.
(4) “Medical information” has the meaning provided in Section 56.05 of the Civil Code.
(5) “Organized health care arrangement” has the meaning provided in regulations issued pursuant to HIPAA found in Parts 160 and 164 of Title 45 of the Code of Federal Regulations.
[deleted: (1)] [inserted: (6)] “Reported event” means all breaches included in any single report that is made pursuant to subdivision (b), regardless of the number of breach events contained in the report.
[deleted: (2)] [inserted: (7)] “Unauthorized” means the inappropriate access, review, or viewing of patient medical information without a direct need for medical diagnosis, treatment, or other lawful use as permitted by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) or any other statute or regulation governing the lawful access, use, or disclosure of medical information.
(8) “Unsecured medical information” means medical information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through use of a technology or methodology specified by the United States Secretary of Health and Human Services in the guidance issued under Section 13402(h)(2) of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5).
(9) “Workforce” has the meaning provided in regulations issued pursuant to HIPAA found in Parts 160 and 164 of Title 45 of the Code of Federal Regulations.