Amended in Senate August 4, 2014

Amended in Senate July 1, 2014

Amended in Assembly March 28, 2014

California Legislature—2013–14 Regular Session

Assembly Bill No. 1755


Introduced by Assembly Member Gomez

February 14, 2014


An act to amend Section 1280.15 of the Health and Safety Code, relating to public health.

LEGISLATIVE COUNSEL’S DIGEST

AB 1755, as amended, Gomez. Medical information.

Existing law requires a clinic, health facility, home health agency, or hospice to prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information, as defined. Existing law requires the clinic, health facility, home health agency, or hospice to report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the State Department of Public Health and to the affected patient or the patient’s representative no later than 5 business days after the unlawful or unauthorized access, use, or disclosure has been detected. Existing law requires that the report to the patient or the patient’s representative be made to that person’s last known address. Existing law requires these entities to delay the report for specified law enforcement purposes and requires that the delayed report be submitted within 5 days of the end of the delay. Existing law authorizes the State Department of Public Health to assess administrative penalties for violation of these provisions and gives the department discretion to consider all factors when determining the amount of a penalty.

This bill would instead require those entities to make those reports no later than 15 business days after the unlawful or unauthorized access, use, or disclosure has been detected and would authorize the report made to the patient or the patient’s representative to be made by alternative means, including email, as specified. The bill would also require a delayed report for law enforcement purposes to be made within 15 business days of the end of the delay. The bill would give the department full discretion to consider all factors when determining whether to investigate under these provisions.

Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

The people of the State of California do enact as follows:

[inserted: SECTION 1. Section 1280.15 of the Health and Safety Code is amended to read:]

1280.15.

(a) A clinic, health facility, home health agency, or hospice licensed pursuant to Section 1204, 1250, 1725, or 1745 shall prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information, as defined in Section 56.05 of the Civil Code and consistent with Section 1280.18. For purposes of this section, internal paper records, electronic mail, or facsimile transmissions inadvertently misdirected within the same facility or health care system within the course of coordinating care or delivering services shall not constitute unauthorized access to, or use or disclosure of, a patient’s medical information. The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed, and up to seventeen thousand five hundred dollars ($17,500) per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patient’s medical information. For purposes of the investigation, the department shall consider the clinic’s, health facility’s, agency’s, or hospice’s history of compliance with this section and other related state and federal statutes and regulations, the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring, and factors outside its control that restricted the facility’s ability to comply with this section. The department shall have full discretion to consider all factors when determining [inserted: whether to investigate and] the amount of an administrative penalty[inserted: , if any,] pursuant to this section.

(b) (1) A clinic, health facility, home health agency, or hospice to which subdivision (a) applies shall report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the department no later than [deleted: five] [inserted: 15] business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice.

(2) Subject to subdivision (c), a clinic, health facility, home health agency, or hospice shall also report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the affected patient or the patient’s representative at the last known address, [inserted: or by an alternative means or at an alternative location as specified by the patient or the patient’s representative in writing pursuant to Section 164.522(b) of Title 45 of the Code of Federal Regulations,] no later than [deleted: five] [inserted: 15] business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice. [inserted: Notice may be provided by email only if the patient has previously agreed in writing to electronic notice by email.]

(c) (1) A clinic, health facility, home health agency, or hospice shall delay the reporting, as required pursuant to paragraph (2) of subdivision (b), of any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information beyond [deleted: five] [inserted: 15] business days if a law enforcement agency or official provides the clinic, health facility, home health agency, or hospice with a written or oral statement that compliance with the reporting requirements of paragraph (2) of subdivision (b) would likely impede the law enforcement agency’s investigation that relates to the unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information and specifies a date upon which the delay shall end, not to exceed 60 days after a written request is made, or 30 days after an oral request is made. A law enforcement agency or official may request an extension of a delay based upon a written declaration that there exists a bona fide, ongoing, significant criminal investigation of serious wrongdoing relating to the unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information, that notification of patients will undermine the law enforcement agency’s investigation, and that specifies a date upon which the delay shall end, not to exceed 60 days after the end of the original delay period.

(2) If the statement of the law enforcement agency or official is made orally, then the clinic, health facility, home health agency, or hospice shall do both of the following:

(A) Document the oral statement, including, but not limited to, the identity of the law enforcement agency or official making the oral statement and the date upon which the oral statement was made.

(B) Limit the delay in reporting the unlawful or unauthorized access to, or use or disclosure of, the patient’s medical information to the date specified in the oral statement, not to exceed 30 calendar days from the date that the oral statement is made, unless a written statement that complies with the requirements of this subdivision is received during that time.

(3) A clinic, health facility, home health agency, or hospice shall submit a report that is delayed pursuant to this subdivision not later than [deleted: five] [inserted: 15] business days after the date designated as the end of the delay.

(d) If a clinic, health facility, home health agency, or hospice to which subdivision (a) applies violates subdivision (b), the department may assess the licensee a penalty in the amount of one hundred dollars ($100) for each day that the unlawful or unauthorized access, use, or disclosure is not reported to the department or the affected patient, following the initial [deleted: five-day] [inserted: 15-day] period specified in subdivision (b). However, the total combined penalty assessed by the department under subdivision (a) and this subdivision shall not exceed two hundred fifty thousand dollars ($250,000) per reported event. For enforcement purposes, it shall be presumed that the facility did not notify the affected patient if the notification was not documented. This presumption may be rebutted by a licensee only if the licensee demonstrates, by a preponderance of the evidence, that the notification was made.

(e) In enforcing subdivisions (a) and (d), the department shall take into consideration the special circumstances of small and rural hospitals, as defined in Section 124840, and primary care clinics, as defined in subdivision (a) of Section 1204, in order to protect access to quality care in those hospitals and clinics. When assessing a penalty on a skilled nursing facility or other facility subject to Section 1423, 1424, 1424.1, or 1424.5, the department shall issue only the higher of either a penalty for the violation of this section or a penalty for violation of Section 1423, 1424, 1424.1, or 1424.5, not both.

(f) All penalties collected by the department pursuant to this section, Sections 1280.1, 1280.3, and 1280.4, shall be deposited into the Internal Departmental Quality Improvement Account, which is hereby created within the Special Deposit Fund under Section 16370 of the Government Code. Upon appropriation by the Legislature, moneys in the account shall be expended for internal quality improvement activities in the Licensing and Certification Program.

(g) If the licensee disputes a determination by the department regarding a failure to prevent or failure to timely report unlawful or unauthorized access to, or use or disclosure of, patients’ medical information, or the imposition of a penalty under this section, the licensee may, within 10 days of receipt of the penalty assessment, request a hearing pursuant to Section 131071. Penalties shall be paid when appeals have been exhausted and the penalty has been upheld.

(h) In lieu of disputing the determination of the department regarding a failure to prevent or failure to timely report unlawful or unauthorized access to, or use or disclosure of, patients’ medical information, transmit to the department 75 percent of the total amount of the administrative penalty, for each violation, within 30 business days of receipt of the administrative penalty.

(i) For purposes of this section, the following definitions shall apply:

(1) “Reported event” means all breaches included in any single report that is made pursuant to subdivision (b), regardless of the number of breach events contained in the report.

(2) “Unauthorized” means the inappropriate access, review, or viewing of patient medical information without a direct need for medical diagnosis, treatment, or other lawful use as permitted by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) or any other statute or regulation governing the lawful access, use, or disclosure of medical information.

[deleted text begins]

SECTION 1. Section 1280.15 of the Health and Safety Code is amended to read:

1280.15.

(a) A clinic, health facility, home health agency, or hospice licensed pursuant to Section 1204, 1250, 1725, or 1745 shall prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information, as defined in Section 56.05 of the Civil Code and consistent with Section 130203. For purposes of this section, internal paper records, electronic mail, or facsimile transmissions inadvertently misdirected within the same facility or health care system within the course of coordinating care or delivering services shall not constitute unauthorized access to, or use or disclosure of, a patient’s medical information. The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed, and up to seventeen thousand five hundred dollars ($17,500) per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patient’s medical information. For purposes of the investigation, the department shall consider the clinic’s, health facility’s, agency’s, or hospice’s history of compliance with this section and other related state and federal statutes and regulations, the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring, and factors outside its control that restricted the facility’s ability to comply with this section. The department shall have full discretion to consider all factors when determining whether to investigate and the amount of an administrative penalty, if any, pursuant to this section.

(b) (1) A clinic, health facility, home health agency, or hospice to which subdivision (a) applies shall report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the department no later than 15 business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice.

(2) Subject to subdivision (c), a clinic, health facility, home health agency, or hospice shall also report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the affected patient or the patient’s representative at the last known address, or by an alternative means or at an alternative location as specified by the patient or the patient’s representative in writing pursuant to Section 164.522(b) of Title 45 of the Code of Federal Regulations, no later than 15 business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice. Notice may be provided by email only if the patient has previously agreed in writing to electronic notice by email.

(c) (1) A clinic, health facility, home health agency, or hospice shall delay the reporting, as required pursuant to paragraph (2) of subdivision (b), of any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information beyond 15 business days if a law enforcement agency or official provides the clinic, health facility, home health agency, or hospice with a written or oral statement that compliance with the reporting requirements of paragraph (2) of subdivision (b) would likely impede the law enforcement agency’s investigation that relates to the unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information and specifies a date upon which the delay shall end, not to exceed 60 days after a written request is made, or 30 days after an oral request is made. A law enforcement agency or official may request an extension of a delay based upon a written declaration that there exists a bona fide, ongoing, significant criminal investigation of serious wrongdoing relating to the unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information, that notification of patients will undermine the law enforcement agency’s investigation, and that specifies a date upon which the delay shall end, not to exceed 60 days after the end of the original delay period.

(2) If the statement of the law enforcement agency or official is made orally, then the clinic, health facility, home health agency, or hospice shall do both of the following:

(A) Document the oral statement, including, but not limited to, the identity of the law enforcement agency or official making the oral statement and the date upon which the oral statement was made.

(B) Limit the delay in reporting the unlawful or unauthorized access to, or use or disclosure of, the patient’s medical information to the date specified in the oral statement, not to exceed 30 calendar days from the date that the oral statement is made, unless a written statement that complies with the requirements of this subdivision is received during that time.

(3) A clinic, health facility, home health agency, or hospice shall submit a report that is delayed pursuant to this subdivision not later than 15 business days after the date designated as the end of the delay.

(d) If a clinic, health facility, home health agency, or hospice to which subdivision (a) applies violates subdivision (b), the department may assess the licensee a penalty in the amount of one hundred dollars ($100) for each day that the unlawful or unauthorized access, use, or disclosure is not reported to the department or the affected patient, following the initial 15-day period specified in subdivision (b). However, the total combined penalty assessed by the department under subdivision (a) and this subdivision shall not exceed two hundred fifty thousand dollars ($250,000) per reported event. For enforcement purposes, it shall be presumed that the facility did not notify the affected patient if the notification was not documented. This presumption may be rebutted by a licensee only if the licensee demonstrates, by a preponderance of the evidence, that the notification was made.

(e) In enforcing subdivisions (a) and (d), the department shall take into consideration the special circumstances of small and rural hospitals, as defined in Section 124840, and primary care clinics, as defined in subdivision (a) of Section 1204, in order to protect access to quality care in those hospitals and clinics. When assessing a penalty on a skilled nursing facility or other facility subject to Section 1423, 1424, 1424.1, or 1424.5, the department shall issue only the higher of either a penalty for the violation of this section or a penalty for violation of Section 1423, 1424, 1424.1, or 1424.5, not both.

(f) All penalties collected by the department pursuant to this section, Sections 1280.1, 1280.3, and 1280.4, shall be deposited into the Internal Departmental Quality Improvement Account, which is hereby created within the Special Deposit Fund under Section 16370 of the Government Code. Upon appropriation by the Legislature, moneys in the account shall be expended for internal quality improvement activities in the Licensing and Certification Program.

(g) If the licensee disputes a determination by the department regarding a failure to prevent or failure to timely report unlawful or unauthorized access to, or use or disclosure of, patients’ medical information, or the imposition of a penalty under this section, the licensee may, within 10 days of receipt of the penalty assessment, request a hearing pursuant to Section 131071. Penalties shall be paid when appeals have been exhausted and the penalty has been upheld.

(h) In lieu of disputing the determination of the department regarding a failure to prevent or failure to timely report unlawful or unauthorized access to, or use or disclosure of, patients’ medical information, transmit to the department 75 percent of the total amount of the administrative penalty, for each violation, within 30 business days of receipt of the administrative penalty.

(i) Notwithstanding any other law, the department may refer violations of this section to the Office of Health Information Integrity for enforcement pursuant to Section 130303.

(j) For purposes of this section, the following definitions shall apply:

(1) “Reported event” means all breaches included in any single report that is made pursuant to subdivision (b), regardless of the number of breach events contained in the report.

(2) “Unauthorized” means the inappropriate access, review, or viewing of patient medical information without a direct need for medical diagnosis, treatment, or other lawful use as permitted by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) or any other statute or regulation governing the lawful access, use, or disclosure of medical information.

[deleted text ends]