BILL ANALYSIS
AB 1755 Page 1

Date of Hearing: May 6, 2014

ASSEMBLY COMMITTEE ON HEALTH
Richard Pan, Chair
AB 1755 (Gomez) - As Amended: March 28, 2014

SUBJECT : Medical information.

SUMMARY : Changes the requirements for specified health facilities regarding the protection of patients' medical information, from preventing unlawful or unauthorized access to, and use or disclosure of, medical information, to a requirement that these health facilities must prevent breaches of patients' medical information. Specifically, this bill :

1) Requires reporting an incident involving a breach of patient information to the Department of Public Health (DPH) without unreasonable delay and no later than 60 days after the breach.

2) Extends the time allowed for notifying a patient about an incident involving potential access to patient information, from five working days to without unreasonable delay and no later than 60 days after the breach.

3) Allows the notification to a patient to be made by an alternative means or at an alternative location as specified by the patient.

4) Allows a specified health care facility to delay reporting if informed by law enforcement that disclosure would likely impede the law enforcement agency's investigation.

EXISTING LAW :

1) Requires specified health care facilities, which are defined as a clinic, health facility, home health agency, or licensed hospice, to report unlawful or unauthorized access to, and use or disclosure of, medical information to DPH within five working days.

2) Requires specified health care facilities to report unlawful or unauthorized access to, and use or disclosure of, medical information to a patient within five working days at the patient's last known address.

3) Establishes, under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), requirements relating to the provision of health insurance and the protection of privacy of individually identifiable health information.

4) Prohibits, under the state Confidentiality of Medical Information Act (CMIA), providers of health care, health care service plans, or contractors, as defined, from sharing medical information without the patient's written authorization, subject to certain exceptions.

FISCAL EFFECT : None

COMMENTS :

1) PURPOSE OF THIS BILL . According to the author, this bill will improve California's notice requirement specific to breaches of medical information by moving it closer to federal law and removing an extra administrative layer that requires health facilities covered by state and federal laws to analyze all potential breaches under both schemes and take different action depending on the circumstances of the potential breach. The bill adopts the Health Information Technology for Economic and Clinical Health (HITECH) Act standard, which was adopted in regulation in January 2013 after extensive public comment and negotiation. The author states that the bill clarifies what must be reported, changes the timing of the notification to "as soon as reasonably possible but no later than 60 calendar days after discovery of the breach," and, given the sensitivity of medical information, ensures that patients have the option of designating an alternate address where notice may be sent or received. The author argues that the existing state scheme specific to medical information, on the other hand, applies to the "unlawful or unauthorized" access to, or use or disclosure of, a patient's medical information, requiring notification within five business days without allowing for any consideration of risk or harm to the patient.

The author explains that because California law does not allow for a risk assessment, health facilities must send a notification even in the event of a minor breach that may unnecessarily alarm a patient. According to the author, this excessive notification requirement takes significant administrative resources and, with the short five-day timeline in California law, is nearly unworkable. The author concludes that, by strictly specifying how patients must be notified of these breaches, California's law does not provide adequate security for patients, such as minors, who live at home but who have exercised their constitutional right to keep their health issues confidential.

2) BACKGROUND . HIPAA, among various provisions, requires the protection and confidential handling of protected health information. The HIPAA privacy rules provide federal protections for personal health information (PHI) held by covered entities and give patients an array of rights with respect to that information. Disclosure of PHI is permitted when needed for patient care and other important purposes. In addition, HIPAA regulations specify a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic PHI. Under HIPAA regulations, health plans and covered health care providers must permit individuals to request an alternative means or location for receiving communications of PHI, by means other than those that the covered entity typically employs. For example, an individual may request that the provider communicate with the individual through a designated address or phone number. Similarly, an individual may request that the provider send communications in a closed envelope rather than on a post card.

The HITECH Act was enacted as part of the American Recovery and Reinvestment Act of 2009. In general, the HITECH Act requires that patients be notified of any unsecured breach. If a breach impacts 500 patients or more, then the federal Department of Health and Human Services (HHS) must also be notified, which triggers posting the breaching entity's name on HHS's website. Under certain conditions, local media will also need to be notified. Furthermore, notification is triggered whether the unsecured breach occurred externally or internally. Civil penalties for willful neglect are increased under the HITECH Act. These penalties can extend up to $250,000, with repeat or uncorrected violations extending up to $1.5 million. The federal rules require covered entities to provide notification following a breach of unsecured protected health information. In addition, they provide a 60-day timeline and allow for a risk assessment prior to notification, so that patients are made aware when there has been a breach of their information and can take the notification seriously in order to respond appropriately.

3) CMIA . In California, the CMIA governs the disclosure of medical information by health care providers, Knox-Keene Health Care Service Plan Act of 1975 regulated plans, contractors, health care clearinghouses, and employers. Specifically, the CMIA prohibits a provider of health care, health plan, or contractor from disclosing medical information regarding a patient or an enrollee or subscriber without first obtaining an authorization, unless the disclosure is permitted. There are various remedies for a violation of the CMIA, including recovery of compensatory damages, punitive damages, and payment of attorneys' fees if an individual has sustained economic loss or personal injury from the disclosure.

4) SUPPORT . According to the sponsors, Planned Parenthood Affiliates of California and the California Medical Association, there are significant differences between the two main schemes related to notification requirements under state and federal law. The sponsors state that each of the two main schemes has different timelines and method requirements for notification, a different standard for what types of data are covered, and a different standard for what qualifies as a breach and must be reported. The co-sponsors argue that this bill ensures patients are adequately alerted to serious medical information breaches and streamlines requirements on health facilities, saving health care costs and allowing health care providers to put those resources back into patient care. The California Hospital Association supports the bill because it would address the problem that state and federal law are inconsistent and would simplify administrative requirements for health facilities. Other supporters argue that better aligning state law with the updated and thoroughly vetted federal regulations will reduce the administrative burden on health facilities and free up resources for patient care.

5) OPPOSITION . The Electronic Frontier Foundation (EFF) argues that this bill will weaken existing data breach reporting requirements by greatly delaying reporting, from the current five business days to 60 calendar days after detection. EFF is also concerned with the new standard's definition of breach, which excludes certain disclosures that must be reported under existing law but would not be under this bill. The American Civil Liberties Union (ACLU) opposes the bill unless it is amended to address the current bill's weakening of breach reporting and notification standards. The ACLU is particularly concerned that this bill significantly lengthens the time allowed before reporting to a patient or DPH must occur.

6) PREVIOUS LEGISLATION . SB 541 (Alquist), Chapter 605, Statutes of 2008, among its other provisions, requires licensed clinics, health facilities, hospices, and home health agencies to prevent unlawful access to, use, or disclosure of patients' medical information, establishes administrative penalties for violations, and requires that the patient and DPH be notified of any unlawful access to, use, or disclosure of a patient's medical information.

REGISTERED SUPPORT / OPPOSITION :

Support
California Medical Association (cosponsor)
Planned Parenthood Affiliates of California (cosponsor)
California Hospital Association
Planned Parenthood Advocacy Project Los Angeles County
Planned Parenthood Mar Monte
Planned Parenthood of Orange and San Bernardino Counties
Planned Parenthood of Santa Barbara, Ventura & San Luis Obispo Counties, Inc.
Planned Parenthood of the Pacific Southwest
Planned Parenthood Pasadena and San Gabriel Valley
Planned Parenthood Shasta Pacific Action Fund
Six Rivers Planned Parenthood

Opposition
American Civil Liberties Union (unless amended)
Electronic Frontier Foundation

Analysis Prepared by : Roger Dunstan / HEALTH / (916) 319-2097