BILL ANALYSIS
AB 1755
Page 1
Date of Hearing: May 6, 2014
ASSEMBLY COMMITTEE ON HEALTH
Richard Pan, Chair
AB 1755 (Gomez) - As Amended: March 28, 2014
SUBJECT: Medical information.
SUMMARY: Changes the requirements for specified health
facilities, regarding the protection of patients' medical
information, from preventing unlawful or unauthorized access to,
and use or disclosure of, medical information, to a requirement
that these health facilities must prevent breaches of patients'
medical information. Specifically, this bill:
1) Requires reporting an incident involving a breach of patient
information to the Department of Public Health (DPH) without
unreasonable delay and no later than 60 days after the breach.
2) Extends the deadline for notifying a patient about an
incident involving potential access to patient information
from five working days to notification without unreasonable
delay and no later than 60 days after the breach.
3) Allows the notification to a patient to be by an alternative
means or at an alternative location as specified by the patient.
4) Allows a specified health care facility to delay reporting if
informed by law enforcement that disclosure would likely
impede the law enforcement agency's investigation.
EXISTING LAW:
1) Requires specified health care facilities, which are defined as a
clinic, health facility, home health agency, or licensed
hospice, to report unlawful or unauthorized access to, and use
or disclosure of, medical information to DPH within five
working days.
2) Requires specified health care facilities to report unlawful or
unauthorized access to, and use or disclosure of, medical
information to a patient within five working days at the
patient's last known address.
3) Establishes, under the federal Health Insurance Portability and
Accountability Act of 1996 (HIPAA), requirements relating to
the provision of health insurance, and the protection of
privacy of individually identifiable health information.
4) Prohibits, under the state Confidentiality of Medical Information
Act (CMIA), providers of health care, health care service
plans, or contractors, as defined, from sharing medical
information without the patient's written authorization,
subject to certain exceptions.
FISCAL EFFECT: None
COMMENTS:
1) PURPOSE OF THIS BILL. According to the author, this bill will
improve California's notice requirement specific to breaches
of medical information by moving it closer to federal law and
removing an extra administrative layer that requires health
facilities covered by state and federal laws to analyze all
potential breaches under both schemes and take different
action depending on the circumstances of the potential breach.
The bill adopts the Health Information Technology for
Economic and Clinical Health (HITECH) Act standard, which was
adopted in regulation in January 2013 after extensive public
comment and negotiation. The author states the bill clarifies
what must be reported, changes the timing of the notification
to "as soon as reasonably possible but no later than 60
calendar days after discovery of the breach," and, given the
sensitivity of medical information, ensures that patients have
the option of designating an alternate address where notice
may be sent or received.
The author argues that the existing state scheme specific to
medical information, on the other hand, applies to the
"unlawful or unauthorized" access to, or use or disclosure of,
a patient's medical information, requiring notification within
five business days without allowing for any consideration of
risk or harm to the patient. The author explains that because
California law does not allow for a risk assessment, health
facilities must send a notification even in the event of a
minor breach that may unnecessarily alarm a patient.
According to the author, this excessive notification
requirement takes significant administrative resources and,
with the short five-day timeline in California law, is nearly
unworkable. The author concludes that, by strictly specifying how
patients must be notified of these breaches, California's law
does not provide adequate security for patients, such as
minors, who live at home but who have exercised their
constitutional right to keep their health issues confidential.
2) BACKGROUND. HIPAA, among various provisions, requires the
protection and confidential handling of protected health
information. The HIPAA privacy rules provide federal
protections for protected health information (PHI) held by
covered entities and give patients an array of rights with
respect to that information. Disclosure of PHI is permitted
when needed for patient care and other important purposes.
HIPAA regulations also specify a series of
administrative, physical, and technical safeguards for covered
entities to use to assure the confidentiality, integrity, and
availability of electronic PHI.
Under HIPAA regulations, health plans and covered health care
providers must permit individuals to request an alternative
means or location for receiving communications of PHI by means
other than those that the covered entity typically employs.
For example, an individual may request that the provider
communicate with the individual through a designated address
or phone number. Similarly, an individual may request that
the provider send communications in a closed envelope rather
than on a postcard.
The HITECH Act was enacted as part of the American Recovery and
Reinvestment Act of 2009. In general, the HITECH Act requires
that patients be notified of any unsecured breach. If a
breach impacts 500 patients or more then the federal
Department of Health and Human Services (HHS) must also be
notified, which triggers posting the breaching entity's name
on the HHS website. Under certain conditions, local media will
also need to be notified. Furthermore, notification is
triggered whether the unsecured breach occurred externally or
internally. Civil penalties for willful neglect are increased
under the HITECH Act. These penalties can extend up to
$250,000, with repeat or uncorrected violations extending up to
$1.5 million.
The federal rules require covered entities to provide
notification following a breach of unsecured protected health
information. In addition, they provide a 60-day timeline and
allow for a risk assessment prior to notification, so that
patients are made aware when there has been a breach of
their information, take the notification seriously, and
respond appropriately.
3) CMIA. In California, the CMIA governs the disclosure of
medical information by health care providers, plans regulated
under the Knox-Keene Health Care Service Plan Act of 1975,
contractors, health care clearinghouses, and employers.
Specifically, the CMIA prohibits a provider of health care,
health plan, or contractor from disclosing medical information
regarding a patient or an enrollee or subscriber without first
obtaining an authorization, unless the disclosure is otherwise
permitted. There are various remedies for a violation of the
CMIA, including recovery of compensatory damages, punitive
damages, and payment of attorneys' fees if an individual has
sustained economic loss or personal injury from the
disclosure.
4) SUPPORT. According to the sponsors, Planned Parenthood
Affiliates of California and the California Medical
Association, there are significant differences between the two
main schemes related to notification requirements under state
and federal law. The sponsors state that each of the two main
schemes has different timelines and method requirements for
notification, a different standard for what types of data are
covered, and a different standard for what qualifies as a
breach and must be reported. The co-sponsors argue this bill
ensures patients are adequately alerted to serious medical
information breaches and streamlines requirements on health
facilities, saving health care costs and allowing health care
providers to put those resources back into patient care. The
California Hospital Association supports the bill because it
would address the problem that state and federal law are
inconsistent and would simplify administrative requirements for
health facilities. Other supporters argue that better
aligning state law with the updated and thoroughly vetted
federal regulations will reduce the administrative burden on
health facilities and free up resources for patient care.
5) OPPOSITION. The Electronic Frontier Foundation (EFF) argues
this bill will weaken existing data breach reporting
requirements by greatly delaying reporting, from the current
five business days to 60 calendar days after detection. EFF
is also concerned that the new standard uses a definition
of breach that excludes certain disclosures that must be
reported under existing law but would not be under this bill. The
American Civil Liberties Union (ACLU) opposes the bill unless
it is amended to address the bill's weakening of
breach reporting and notification standards. The ACLU is
particularly concerned that this bill significantly lengthens
the time allowed before reporting to a patient or DPH must
occur.
6) PREVIOUS LEGISLATION. SB 541 (Alquist), Chapter 605,
Statutes of 2008, among its other provisions, requires
licensed clinics, health facilities, hospices, and home health
agencies to prevent unlawful access to, use, or disclosure of
patients' medical information, establishes administrative
penalties for violations, and requires that the patient and DPH be
notified of any unlawful access to, use, or disclosure of a
patient's medical information.
REGISTERED SUPPORT / OPPOSITION:
Support
California Medical Association (cosponsor)
Planned Parenthood Affiliates of California (cosponsor)
California Hospital Association
Planned Parenthood Advocacy Project Los Angeles County
Planned Parenthood Mar Monte
Planned Parenthood of Orange and San Bernardino Counties
Planned Parenthood of Santa Barbara, Ventura & San Luis Obispo Counties, Inc.
Planned Parenthood of the Pacific Southwest
Planned Parenthood Pasadena and San Gabriel Valley
Planned Parenthood Shasta Pacific Action Fund
Six Rivers Planned Parenthood
Opposition
American Civil Liberties Union (unless amended)
Electronic Frontier Foundation
Analysis Prepared by: Roger Dunstan / HEALTH / (916) 319-2097