Amended in Senate July 1, 2014

Amended in Assembly March 28, 2014

California Legislature—2013–14 Regular Session

Assembly Bill No. 1755


Introduced by Assembly Member Gomez

February 14, 2014


An act to amend Section 1280.15 of the Health and Safety Code, relating to public health.

LEGISLATIVE COUNSEL’S DIGEST

AB 1755, as amended, Gomez. Medical information.

Existing law requires a clinic, health facility, home health agency, or hospice to prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information, as defined. Existing law requires the clinic, health facility, home health agency, or hospice to report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the State Department of Public Health and to the affected patient or the patient’s representative no later than 5 business days after the unlawful or unauthorized access, use, or disclosure has been detected. [begin insert] Existing law requires that the report to the patient or the patient’s representative be made to that person’s last known address. Existing law requires these entities to delay the report for specified law enforcement purposes and requires that the delayed report be submitted within 5 days of the end of the delay. [end insert] Existing law authorizes the State Department of Public Health to assess administrative penalties for violation of these provisions [begin insert] and gives the department discretion to consider all factors when determining the amount of a penalty [end insert].

This bill would instead require those entities [begin delete] to prevent breaches of patients’ medical information, as defined, and to report any breach of a patient’s medical information to the department and to the affected patient or the patient’s representative without unreasonable delay and in no case later than 60 calendar [end delete] [begin insert] to make those reports no later than 15 business [end insert] days after the [begin delete] breach [end delete] [begin insert] unlawful or unauthorized access, use, or disclosure [end insert] has been detected [begin delete], as specified [end delete] [begin insert] and would authorize the report made to the patient or the patient’s representative to be made by alternative means, including email, as specified. The bill would also require a delayed report for law enforcement purposes to be made within 15 business days of the end of the delay. The bill would give the department full discretion to consider all factors when determining whether to investigate under these provisions [end insert].

Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

The people of the State of California do enact as follows:

[begin insert] SECTION 1. Section 1280.15 of the Health and Safety Code is amended to read: [end insert]

1280.15. (a) A clinic, health facility, home health agency, or hospice licensed pursuant to Section 1204, 1250, 1725, or 1745 shall prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information, as defined in Section 56.05 of the Civil Code and consistent with Section 130203. For purposes of this section, internal paper records, electronic mail, or facsimile transmissions inadvertently misdirected within the same facility or health care system within the course of coordinating care or delivering services shall not constitute unauthorized access to, or use or disclosure of, a patient’s medical information. The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed, and up to seventeen thousand five hundred dollars ($17,500) per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patient’s medical information. For purposes of the investigation, the department shall consider the clinic’s, health facility’s, agency’s, or hospice’s history of compliance with this section and other related state and federal statutes and regulations, the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring, and factors outside its control that restricted the facility’s ability to comply with this section. The department shall have full discretion to consider all factors when determining [begin insert] whether to investigate and [end insert] the amount of an administrative penalty [begin insert], if any, [end insert] pursuant to this section.

(b) (1) A clinic, health facility, home health agency, or hospice to which subdivision (a) applies shall report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the department no later than [begin delete] five [end delete] [begin insert] 15 [end insert] business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice.

(2) Subject to subdivision (c), a clinic, health facility, home health agency, or hospice shall also report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the affected patient or the patient’s representative at the last known address, [begin insert] or by an alternative means or at an alternative location as specified by the patient or the patient’s representative in writing pursuant to Section 164.522(b) of Title 45 of the Code of Federal Regulations, [end insert] no later than [begin delete] five [end delete] [begin insert] 15 [end insert] business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice. [begin insert] Notice may be provided by email only if the patient has previously agreed in writing to electronic notice by email. [end insert]

(c) (1) A clinic, health facility, home health agency, or hospice shall delay the reporting, as required pursuant to paragraph (2) of subdivision (b), of any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information beyond [begin delete] five [end delete] [begin insert] 15 [end insert] business days if a law enforcement agency or official provides the clinic, health facility, home health agency, or hospice with a written or oral statement that compliance with the reporting requirements of paragraph (2) of subdivision (b) would likely impede the law enforcement agency’s investigation that relates to the unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information and specifies a date upon which the delay shall end, not to exceed 60 days after a written request is made, or 30 days after an oral request is made. A law enforcement agency or official may request an extension of a delay based upon a written declaration that there exists a bona fide, ongoing, significant criminal investigation of serious wrongdoing relating to the unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information, that notification of patients will undermine the law enforcement agency’s investigation, and that specifies a date upon which the delay shall end, not to exceed 60 days after the end of the original delay period.

(2) If the statement of the law enforcement agency or official is made orally, then the clinic, health facility, home health agency, or hospice shall do both of the following:

(A) Document the oral statement, including, but not limited to, the identity of the law enforcement agency or official making the oral statement and the date upon which the oral statement was made.

(B) Limit the delay in reporting the unlawful or unauthorized access to, or use or disclosure of, the patient’s medical information to the date specified in the oral statement, not to exceed 30 calendar days from the date that the oral statement is made, unless a written statement that complies with the requirements of this subdivision is received during that time.

(3) A clinic, health facility, home health agency, or hospice shall submit a report that is delayed pursuant to this subdivision not later than [begin delete] five [end delete] [begin insert] 15 [end insert] business days after the date designated as the end of the delay.

(d) If a clinic, health facility, home health agency, or hospice to which subdivision (a) applies violates subdivision (b), the department may assess the licensee a penalty in the amount of one hundred dollars ($100) for each day that the unlawful or unauthorized access, use, or disclosure is not reported to the department or the affected patient, following the initial [begin delete] five-day [end delete] [begin insert] 15-day [end insert] period specified in subdivision (b). However, the total combined penalty assessed by the department under subdivision (a) and this subdivision shall not exceed two hundred fifty thousand dollars ($250,000) per reported event. For enforcement purposes, it shall be presumed that the facility did not notify the affected patient if the notification was not documented. This presumption may be rebutted by a licensee only if the licensee demonstrates, by a preponderance of the evidence, that the notification was made.

(e) In enforcing subdivisions (a) and (d), the department shall take into consideration the special circumstances of small and rural hospitals, as defined in Section 124840, and primary care clinics, as defined in subdivision (a) of Section 1204, in order to protect access to quality care in those hospitals and clinics. When assessing a penalty on a skilled nursing facility or other facility subject to Section 1423, 1424, 1424.1, or 1424.5, the department shall issue only the higher of either a penalty for the violation of this section or a penalty for violation of Section 1423, 1424, 1424.1, or 1424.5, not both.

(f) All penalties collected by the department pursuant to this section, Sections 1280.1, 1280.3, and 1280.4, shall be deposited into the Internal Departmental Quality Improvement Account, which is hereby created within the Special Deposit Fund under Section 16370 of the Government Code. Upon appropriation by the Legislature, moneys in the account shall be expended for internal quality improvement activities in the Licensing and Certification Program.

(g) If the licensee disputes a determination by the department regarding a failure to prevent or failure to timely report unlawful or unauthorized access to, or use or disclosure of, patients’ medical information, or the imposition of a penalty under this section, the licensee may, within 10 days of receipt of the penalty assessment, request a hearing pursuant to Section 131071. Penalties shall be paid when appeals have been exhausted and the penalty has been upheld.

(h) In lieu of disputing the determination of the department regarding a failure to prevent or failure to timely report unlawful or unauthorized access to, or use or disclosure of, patients’ medical information, transmit to the department 75 percent of the total amount of the administrative penalty, for each violation, within 30 business days of receipt of the administrative penalty.

(i) Notwithstanding any other law, the department may refer violations of this section to the Office of Health Information Integrity for enforcement pursuant to Section 130303.

(j) For purposes of this section, the following definitions shall apply:

(1) “Reported event” means all breaches included in any single report that is made pursuant to subdivision (b), regardless of the number of breach events contained in the report.

(2) “Unauthorized” means the inappropriate access, review, or viewing of patient medical information without a direct need for medical diagnosis, treatment, or other lawful use as permitted by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) or any other statute or regulation governing the lawful access, use, or disclosure of medical information.

[begin delete] SECTION 1. Section 1280.15 of the Health and Safety Code is amended to read:

1280.15. (a) A clinic, health facility, home health agency, or hospice licensed pursuant to Section 1204, 1250, 1725, or 1747 shall prevent breaches of patients’ medical information as required by Section 130203. For purposes of this section, internal paper records, e-mail, or facsimile transmissions inadvertently misdirected within the same facility or health care system within the course of coordinating care or delivering services shall not constitute a breach of a patient’s medical information. The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was breached, and up to seventeen thousand five hundred dollars ($17,500) per subsequent breach of that patient’s medical information. For purposes of the investigation, the department shall consider the clinic’s, health facility’s, agency’s, or hospice’s history of compliance with this section and other related state and federal statutes and regulations, the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring, and factors outside its control that restricted the facility’s ability to comply with this section. The department shall have full discretion to consider all factors when determining the amount of an administrative penalty pursuant to this section.

(b) (1) A clinic, health facility, home health agency, or hospice to which subdivision (a) applies shall report any breach of a patient’s medical information to the department without unreasonable delay and in no case later than 60 calendar days after the breach has been detected by the clinic, health facility, home health agency, or hospice.

(2) Subject to subdivision (c), a clinic, health facility, home health agency, or hospice shall also report any breach of a patient’s medical information to the affected patient or the patient’s representative at the last known address, or by an alternative means or at an alternative location as specified by the patient or the patient’s representative in writing pursuant to Section 164.522(b) of Title 45 of the Code of Federal Regulations, without unreasonable delay and in no case later than 60 calendar days after the breach has been detected by the clinic, health facility, home health agency, or hospice. Notice may be provided by e-mail only if the patient has previously agreed in writing to electronic notice by e-mail.

(c) (1) A clinic, health facility, home health agency, or hospice shall delay the reporting, as required pursuant to paragraph (2) of subdivision (b), of any breach of a patient’s medical information if a law enforcement agency or official provides the clinic, health facility, home health agency, or hospice with a written or oral statement that compliance with the reporting requirements of paragraph (2) of subdivision (b) would likely impede the law enforcement agency’s investigation that relates to the breach of a patient’s medical information and specifies a date upon which the delay shall end, not to exceed 60 days after a written request is made, or 30 days after an oral request is made. A law enforcement agency or official may request an extension of a delay based upon a written declaration that there exists a bona fide, ongoing, significant criminal investigation of serious wrongdoing relating to the breach of a patient’s medical information, that notification of patients will undermine the law enforcement agency’s investigation, and that specifies a date upon which the delay shall end, not to exceed 60 days after the end of the original delay period.

(2) If the statement of the law enforcement agency or official is made orally, then the clinic, health facility, home health agency, or hospice shall do both of the following:

(A) Document the oral statement, including, but not limited to, the identity of the law enforcement agency or official making the oral statement and the date upon which the oral statement was made.

(B) Limit the delay in reporting the breach of the patient’s medical information to the date specified in the oral statement, not to exceed 30 calendar days from the date that the oral statement is made, unless a written statement that complies with the requirements of this subdivision is received during that time.

(3) A clinic, health facility, home health agency, or hospice shall submit a report that is delayed pursuant to this subdivision not later than five business days after the date designated as the end of the delay.

(d) If a clinic, health facility, home health agency, or hospice to which subdivision (a) applies violates subdivision (b), the department may assess the licensee a penalty in the amount of one hundred dollars ($100) for each day that the breach is not reported to the department or the affected patient, following the initial period specified in subdivision (b). However, the total combined penalty assessed by the department under subdivision (a) and this subdivision shall not exceed two hundred fifty thousand dollars ($250,000) per reported event. For enforcement purposes, it shall be presumed that the facility did not notify the affected patient if the notification was not documented. This presumption may be rebutted by a licensee only if the licensee demonstrates, by a preponderance of the evidence, that the notification was made.

(e) In enforcing subdivisions (a) and (d), the department shall take into consideration the special circumstances of small and rural hospitals, as defined in Section 124840, and primary care clinics, as defined in subdivision (a) of Section 1204, in order to protect access to quality care in those hospitals and clinics. When assessing a penalty on a skilled nursing facility or other facility subject to Section 1423, 1424, 1424.1, or 1424.5, the department shall issue only the higher of either a penalty for the violation of this section or a penalty for violation of Section 1423, 1424, 1424.1, or 1424.5, not both.

(f) All penalties collected by the department pursuant to this section and Sections 1280.1, 1280.3, and 1280.4 shall be deposited into the Internal Departmental Quality Improvement Account, which is hereby created within the Special Deposit Fund under Section 16370 of the Government Code. Upon appropriation by the Legislature, moneys in the account shall be expended for internal quality improvement activities in the Licensing and Certification Program.

(g) If the licensee disputes a determination by the department regarding a failure to prevent or failure to timely report a breach of patients’ medical information, or the imposition of a penalty under this section, the licensee may, within 10 days of receipt of the penalty assessment, request a hearing pursuant to Section 131071. Penalties shall be paid when appeals have been exhausted and the penalty has been upheld.

(h) In lieu of disputing the determination of the department regarding a failure to prevent or failure to timely report a breach of patients’ medical information, transmit to the department 75 percent of the total amount of the administrative penalty, for each violation, within 30 business days of receipt of the administrative penalty.

(i) Notwithstanding any other law, the department may refer violations of this section to the Office of Health Information Integrity for enforcement pursuant to Section 130303.

(j) For purposes of this section, the following definitions shall apply:

(1) “Breach” means the acquisition, access, use, or disclosure of unsecured medical information in a manner not permitted under state or federal health information privacy laws that compromises the security or privacy of the medical information.

(A) “Breach” does not include any of the following:

(i) Any unintentional acquisition, access, or use of medical information by a workforce member or person acting under the authority of a clinic, health facility, home health agency, or hospice to which subdivision (a) applies, or a business associate, if that acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under state or federal health information privacy laws.

(ii) Any inadvertent disclosure by a person who is authorized to access medical information at a clinic, health facility, home health agency, or hospice to which subdivision (a) applies or a business associate to another person authorized to access medical information at the same entity or business associate, or organized health care arrangement in which the clinic, health facility, home health agency, or hospice to which subdivision (a) participates, and the information received as a result of the disclosure is not further used or disclosed in a manner not permitted under state or federal health information privacy laws.

(iii) A disclosure of medical information when a clinic, health facility, home health agency, or hospice to which subdivision (a) applies or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information.

(B) Except as provided in subdivision (a) and subparagraph (A), an acquisition, access, use, or disclosure of medical information in a manner not permitted under state or federal health information privacy laws is presumed to be a breach unless the clinic, health facility, home health agency, or hospice to which subdivision (a) applies or business associate, as applicable, demonstrates that there is a low probability that the medical information has been compromised based on a risk assessment of at least the following factors:

(i) The nature and extent of the medical information involved, including the types of identifiers and the likelihood of reidentification.

(ii) The unauthorized person who used the medical information or to whom the disclosure was made.

(iii) Whether the medical information was actually acquired or viewed.

(iv) The extent to which the risk to the medical information has been mitigated.

(2) “Business associate” has the meaning provided in regulations issued pursuant to the Health Information Portability and Accountability Act of 1996 (Public Law 104-191) (HIPAA) found in Parts 160 and 164 of Title 45 of the Code of Federal Regulations.

(3) “Detected” means that sufficient facts are known about an incident such that a reasonable person would believe that a breach of a patient’s medical information has taken place.

(4) “Medical information” has the meaning provided in Section 56.05 of the Civil Code.

(5) “Organized health care arrangement” has the meaning provided in regulations issued pursuant to HIPAA found in Parts 160 and 164 of Title 45 of the Code of Federal Regulations.

(6) “Reported event” means all breaches included in any single report that is made pursuant to subdivision (b), regardless of the number of breach events contained in the report.

(7) “Unauthorized” means the inappropriate access, review, or viewing of patient medical information without a direct need for medical diagnosis, treatment, or other lawful use as permitted by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) or any other statute or regulation governing the lawful access, use, or disclosure of medical information.

(8) “Unsecured medical information” means medical information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through use of a technology or methodology specified by the United States Secretary of Health and Human Services in the guidance issued under Section 13402(h)(2) of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5).

(9) “Workforce” has the meaning provided in regulations issued pursuant to HIPAA found in Parts 160 and 164 of Title 45 of the Code of Federal Regulations. [end delete]

