BILL ANALYSIS                                                                                                                                                                                                    Ó



                                                                  AB 1755
                                                                  Page  1

          Date of Hearing:  May 6, 2014

                            ASSEMBLY COMMITTEE ON HEALTH
                                 Richard Pan, Chair
                    AB 1755 (Gomez) - As Amended:  March 28, 2014
           
          SUBJECT  :  Medical information.

           SUMMARY  :  Changes the requirements for specified health  
          facilities, regarding the protection of patients' medical  
          information, from preventing unlawful or unauthorized access to,  
          and use or disclosure of, medical information, to a requirement  
          that these health facilities must prevent breaches of patients'  
          medical information.  Specifically,  this bill  :  

       1)Requires reporting an incident involving a breach of patient  
            information to the Department of Public Health (DPH) without  
            unreasonable delay and no later than 60 days after the breach.

       2)Extends the time requirement for notifying a patient about an  
            incident involving potential access to patient information  
            from five working days to contact a patient without  
            unreasonable delay and no later than 60 days after the breach.

       3)Allows the notification to a patient to be by an alternative  
            means or at alternative location as specified by the patient.

       4)Allows a specified health care facility to delay reporting if  
            informed by law enforcement that disclosure would likely  
            impede the law enforcement agency's investigation.

           EXISTING LAW  :  

       1)Requires specified health care facilities, which are defined as a  
            clinic, health facility, home health agency, or licensed  
            hospice, to report unlawful or unauthorized access to, and use  
            or disclosure of, medical information to DPH within five  
            working days.

       2)Requires specified health care facilities to report unlawful or  
            unauthorized access to, and use or disclosure of, medical  
            information to a patient within five working days at the  
            patient's last known address.

       3)Establishes, under the federal Health Insurance Portability and  








                                                                  AB 1755
                                                                  Page  2

            Accountability Act of 1996 (HIPAA), requirements relating to  
            the provision of health insurance, and the protection of  
            privacy of individually identifiable health information.

       4)Prohibits, under the state Confidentiality of Medical Information  
            Act (CMIA), providers of health care, health care service  
            plans, or contractors, as defined, from sharing medical  
            information without the patient's written authorization,  
            subject to certain exceptions. 

           FISCAL EFFECT  :  None

           


          COMMENTS  :

           1)PURPOSE OF THIS BILL  .  According to the author, this bill will  
            improve California's notice requirement specific to breaches  
            of medical information by moving it closer to federal law and  
            removing an extra administrative layer that requires health  
            facilities covered by state and federal laws to analyze all  
            potential breaches under the both schemes and take different  
            action depending on the circumstances of the potential breach.  
             The bill adopts the Health Information Technology for  
            Economic and Clinical Health (HITECH) Act standard, which was  
            adopted in regulation January 2013 after extensive public  
            comment and negotiation.  The author states the bill clarifies  
            what must be reported, changes the timing of the notification  
            to "as soon as reasonably possible but no later than 60  
            calendar days after discovery of the breach," and given the  
            sensitivity of medical information, ensures that patients have  
            the option of designating an alternate address where notice  
            may be sent or received.
             
             The author argues the existing state scheme specific to  
            medical information, on the other hand applies to the  
            "unlawful or unauthorized" access to, or use or disclosure of  
            a patient's medical information, requiring notification within  
            five business days without allowing for any consideration of  
            risk or harm to the patient.  The author explains that because  
            California law does not allow for a risk assessment, health  
            facilities must send a notification even in the event of a  
            minor breach that may unnecessarily alarm a patient.   
            According to the author, this excessive notification  








                                                                  AB 1755
                                                                  Page  3

            requirement takes significant administrative resources and  
            with the short five day timeline in California law, is nearly  
            unworkable.  The author concludes, by strictly specifying how  
            patients must be notified of these breaches, California's law  
            does not provide adequate security for patients, such as  
            minors, who live at home but who have exercised their  
            constitutional right to keep their health issues confidential.

           2)BACKGROUND  .  HIPAA, among various provisions, requires the  
            protection and confidential handling of protected health  
            information.  The HIPAA privacy rules provide federal  
            protections for personal health information (PHI) held by  
            covered entities and give patients an array of rights with  
            respect to that information.  Disclosure of PHI is permitted  
            when needed for patient care and other important purposes.  On  
            the other hand, HIPAA regulations specify a series of  
            administrative, physical, and technical safeguards for covered  
            entities to use to assure the confidentiality, integrity, and  
            availability of electronic PHI.

          Under HIPAA regulations, health plans and covered health care  
            providers must permit individuals to request an alternative  
            means or location for receiving communications of PHI by means  
            other than those that the covered entity typically employs.   
            For example, an individual may request that the provider  
            communicate with the individual through a designated address  
            or phone number.  Similarly, an individual may request that  
            the provider send communications in a closed envelope rather  
            than a post card.

          The HITECH Act was enacted as part of the American Recovery and  
            Reinvestment Act of 2009.  In general, the HITECH Act requires  
            that patients be notified of any unsecured breach.  If a  
            breach impacts 500 patients or more then the federal  
            Department of Health and Human Services (HHS) must also be  
            notified, which triggers posting the breaching entity's name  
            on HHS' Website.  Under certain conditions local media will  
            also need to be notified.  Furthermore, notification is  
            triggered whether the unsecured breach occurred externally or  
            internally.  Civil penalties for willful neglect are increased  
            under the HITECH Act.  These penalties can extend up to  
            $250,000, with repeat/uncorrected violations extending up to  
            $1.5 million.
            The federal requirements require covered entities to provide  
            notification following a breach of unsecured protected health  








                                                                  AB 1755
                                                                  Page  4

            information.  In addition, it provides a 60 day timeline and  
            allows for a risk assessment prior to notification, ensuring  
            that patients are made aware when there has been a breach of  
            their information and should take seriously the notification  
            in order to respond appropriately.  

           3)CMIA  .  In California, the CMIA governs the disclosure of  
            medical information by health care providers, Knox-Keene  
            Health Care Service Plan Act of 1975 regulated plans,  
            contractors, health care clearinghouses, and employers.   
            Specifically, the CMIA prohibits a provider of health care,  
            health plan, or contractor from disclosing medical information  
            regarding a patient or an enrollee or subscriber without first  
            obtaining an authorization, unless the disclosure is  
            permitted.  There are various remedies for a violation of  
            CMIA, including recovery of compensatory damages, punitive  
            damages, and payment of attorneys' fees if an individual has  
            sustained economic loss or personal injury from the  
            disclosure.   

           4)SUPPORT  .  According to the sponsors, Planned Parenthood  
            Affiliates of California and the California Medical  
            Association, there are significant differences between the two  
            main schemes related to notification requirements under state  
            and federal law.  The sponsors state that each of the two main  
            schemes have different timelines and method requirements for  
            notification, a different standard for what types of data is  
            covered and a different standard for what qualifies as a  
            breach and must be reported.  The co-sponsors argue this bill  
            ensures patients are adequately alerted to serious medical  
            information breaches and streamlines requirements on health  
            facilities saving healthcare costs and allowing healthcare  
            providers to put those resources back into patient care.  The  
            California Hospital Association supports the bill because it  
            would address the problems that state and federal law are  
            inconsistent and simplify administrative requirements for  
            health facilities.  Other supporters argue that better  
            aligning of state law with the updated and thoroughly vetted  
            federal regulations will reduce the administrative burden on  
            health facilities and free up resources for patient care.

           5)OPPOSITION  .  The Electronic Frontier Foundation (EFF) argues  
            this bill will weaken existing data breach reporting  
            requirements by greatly delaying reporting, from the current  
            five business days to 60 calendar days after detection.  EFF  








                                                                  AB 1755
                                                                  Page  5

            is also concerned with the new standard using the definition  
            of breach which excludes certain disclosures that must be  
            reported in existing law but would not be in this bill.  The  
            American Civil Liberties Union (ACLU) opposes the bill unless  
            it is amended to address the current bill's weakening of  
            breach reporting and notification standards.  The ACLU is  
            particularly concerned that this bill significantly lengthens  
            the time allowed before reporting to a patient or DPH must  
            occur.

           6)PREVIOUS LEGISLATION  .  SB 541 (Alquist), Chapter of 605,  
            Statutes of 2008, among its other provisions, requires  
            licensed clinics, health facilities, hospices, and home health  
            agencies to prevent unlawful access to, use, or disclosure of  
            patients' medical information, establishes administrative  
            penalties for violations, and requires the patient and DPH be  
            notified of any unlawful access to, use, or disclosure of a  
            patient's medical information.

           


          REGISTERED SUPPORT / OPPOSITION  :  

           Support 
           
          California Medical Association (cosponsor)
          Planned Parenthood Affiliates of California (cosponsor)
          California Hospital Association
          Planned Parenthood Advocacy Project Los Angeles County
          Planned Parenthood Mar Monte
          Planned Parenthood of Orange and San Bernardino Counties
          Planned Parenthood of Santa Barbara, Ventura & San Luis Obispo  
          Counties, Inc.
          Planned Parenthood of the Pacific Southwest
          Planned Parenthood Pasadena and San Gabriel Valley
          Planned Parenthood Shasta Pacific Action Fund
          Six Rivers Planned Parenthood

           Opposition 
           
          American Civil Liberties Union (unless amended)
          Electronic Frontier Foundation
           
          Analysis Prepared by  :    Roger Dunstan / HEALTH / (916) 319-2097  








                                                                  AB 1755
                                                                  Page  6