BILL ANALYSIS
SENATE COMMITTEE ON HEALTH
Senator Ed Hernandez, O.D., Chair
BILL NO: AB 1755
AUTHOR: Gomez
AMENDED: March 28, 2014
HEARING DATE: June 18, 2014
CONSULTANT: Marchand
SUBJECT : Medical information.
SUMMARY : Revises provisions of law requiring licensed health
facilities to prevent disclosure of patients' medical
information by extending the deadline for health facilities to
report unauthorized disclosures from five business days to 60
calendar days after detection of a breach, and by establishing
several exemptions from breach reporting for unintentional
disclosures after which no further use was made of the patient's
medical information.
Existing law:
1.Licenses clinics, health facilities, home health agencies, and
hospices through the California Department of Public Health
(CDPH).
2.Requires a licensed clinic, health facility, home health
agency, or hospice (collectively, licensed health facilities)
to prevent unlawful or unauthorized access to, and use or
disclosure of, patients' medical information, as defined in
the Confidentiality of Medical Information Act (CMIA).
3.Permits CDPH, after investigation, to assess an administrative
penalty of $25,000 per patient whose medical information was
unlawfully accessed or disclosed, and up to $17,500 per
subsequent occurrence of unlawful access or disclosure of that
patient's medical information.
4.Requires a licensed health facility to report any unlawful or
unauthorized access to, or use or disclosure of, a patient's
medical information to CDPH no later than five business days
after the unlawful or unauthorized access, use, or disclosure
has been detected by the facility.
5.Requires a licensed health facility to report any unlawful or
unauthorized access to, or use or disclosure of, a patient's
medical information to the affected patient or the patient's
representative at the last known address, no later than five
business days after the unlawful access, use, or disclosure
has been detected, except under specified circumstances.
6.Specifies that for purposes of the provisions of existing law
in 2) through 5) above, internal paper records, electronic
mail, or facsimile transmissions inadvertently misdirected
within the same facility or health care system within the
course of coordinating care or delivering services does not
constitute unauthorized access to, or use or disclosure of, a
patient's medical information.
7.Establishes the CMIA, which prohibits a health care provider,
health care service plan, or contractor from disclosing
medical information regarding a patient without first
obtaining authorization. Defines "medical information" as any
individually identifiable information, in electronic or
physical form, in possession of, or derived from, a health
care provider, health plan, pharmaceutical company, or
contractor regarding a patient's medical history, mental or
physical condition, or treatment.
8.Authorizes, under CMIA, administrative fines and civil
penalties, ranging from $1,000 to $250,000, against any person
or entity that negligently discloses, or knowingly and
willfully obtains, discloses, or uses medical information in
violation of its provisions. Authorizes the Attorney General,
any district attorney, any county counsel acting pursuant to
an agreement with the district attorney, or a city attorney,
to seek civil penalties for violations of CMIA.
This bill:
1.Revises provisions of law requiring licensed health facilities
to prevent disclosure of patients' medical information, by
deleting the use of the term "prevent unlawful or unauthorized
access to, and use or disclosure of, patients' medical
information," and replacing it with the term "prevent breaches
of patients' medical information" as required under
specified provisions of existing law.
2.Extends the deadline for a licensed health facility to report
any unlawful or unauthorized access of a patient's medical
information to CDPH from no later than five business days
after the unlawful access or use has been detected, to instead
require this reporting to be done without unreasonable delay
and in no case later than 60 calendar days after the breach
has been detected.
3.Extends the deadline for a licensed health facility to report
unlawful access or use of a patient's medical information to
the affected patient or the patient's representative from no
later than five business days after detection, to instead
require this report be done without unreasonable delay and in
no case later than 60 calendar days after the breach has been
detected.
4.Permits the reporting to the affected patient or the patient's
representative to be made by an alternative means or at an
alternative location, rather than the last known address, as
specified by the patient or the patient's representative in
writing pursuant to specified federal regulations. Permits
this notice to be provided by e-mail only if the patient has
previously agreed in writing to electronic notice by e-mail.
5.Defines "breach" as the acquisition, access, use, or
disclosure of unsecured medical information in a manner not
permitted under state or federal health information privacy
laws that compromises the security or privacy of the medical
information.
6.Exempts from the definition of "breach" any of the following:
a. Any unintentional acquisition, access, or use
of medical information by a workforce member or person
acting under the authority of a licensed health
facility, or a business associate, if that
acquisition, access, or use was made in good faith and
within the scope of authority and does not result in
further use or disclosure in a manner not permitted
under state or federal health information privacy
laws;
b. Any inadvertent disclosure by a person who is
authorized to access medical information at a licensed
health facility or a business associate to another
person authorized to access medical information at the
same facility or business associate, or organized
health care arrangement in which the licensed health
facility participates and the information received as
a result of the disclosure is not further used or
disclosed in a manner not permitted under state or
federal health information privacy laws; and,
c. A disclosure of medical information when a
licensed health facility or business associate has a
good faith belief that an authorized person to whom
the disclosure was made would not reasonably have been
able to retain the information.
7.Specifies that unless otherwise exempted from the definition
of a breach of medical information, an acquisition, access,
use, or disclosure of medical information in a manner not
permitted under state or federal health information privacy
laws is presumed to be a breach unless the licensed health
facility or business associate, as applicable, demonstrates
that there is a low probability that the medical information
has been compromised based on a risk assessment of the
following factors:
a. The nature and extent of the medical
information involved, including the types of
identifiers and the likelihood of reidentification;
b. The unauthorized person who used the medical
information or to whom the disclosure was made;
c. Whether the medical information was actually
acquired or viewed; and,
d. The extent to which the risk to the medical
information has been mitigated.
8.Defines "business associate," "workforce," and "organized
health care arrangement" as having the meanings specified in
the federal Health Insurance Portability and Accountability
Act of 1996 (HIPAA).
9.Defines "detected" as meaning that sufficient facts are known
about an incident such that a reasonable person would believe
that a breach of a patient's medical information has taken
place.
10.Defines "unsecured medical information" as medical
information that is not rendered unusable, unreadable, or
indecipherable to unauthorized persons through use of a
technology or methodology specified by the United States
Secretary of Health and Human Services (HHS), as specified.
FISCAL EFFECT : This bill has been keyed non-fiscal.
PRIOR VOTES :
Assembly Health: 19-0
Assembly Floor: 75-0
COMMENTS :
1.Author's statement. According to the author, this bill
improves California's notice requirement specific to breaches
of medical information by streamlining the protocol to more
closely align with federal law. By increasing administrative
efficiency, this bill removes unnecessary costs to the health
care system and state administration while ensuring patients
are adequately alerted to serious medical information
breaches. This bill will improve California's notice
requirement specific to breaches of medical information by
moving it closer to federal law and removing an extra
administrative layer that requires health facilities covered
by state and federal laws to analyze all potential breaches
under both schemes and take different action depending on the
circumstances of the potential breach. The bill adopts the
Health Information Technology for Economic and Clinical Health
Act (HITECH) standard, which was adopted in January 2013 after
extensive public comment and negotiation. It would clarify
what must be reported, change the timing of the notification
to "as soon as reasonably possible but no later than 60
calendar days after discovery of the breach," and given the
sensitivity of medical information, ensure that patients have
the option of designating an alternate address where notice
may be sent or received.
2.Background on federal law. HIPAA established federal
protections for patients' health information held by "covered
entities" and by any "business associates" that a covered
entity engages to help it carry out its health care
activities. A covered entity can be a provider, a health plan,
or a health care clearinghouse that processes health
information it receives from another entity. While HIPAA
establishes a federal floor for minimum privacy protections,
states are permitted to enact laws that provide greater
privacy protections or rights.
In 2009, as part of the American Recovery and Reinvestment Act,
the HITECH Act was enacted to promote and expand the adoption
of health information technology. Among other provisions, the
HITECH Act, under the implementing regulations adopted in
January 2013, requires HIPAA covered entities to provide
notification to affected individuals within 60 days following
the discovery of a breach of medical information. If the
breach affects 500 or more individuals, the covered entity
must report this breach to the media and to the Secretary of
HHS within 60 days. Breaches affecting fewer than 500
individuals are required to be reported to HHS on an annual
basis.
Under the HITECH Act, there are three exceptions to the
definition of "breach"; when one of these exceptions applies,
the reporting and notification requirements are not triggered.
The first exception applies to the unintentional acquisition,
access, or use of protected health information by a person
acting under the authority of a covered entity, if the access
or use was made in good faith and within the scope of that
authority, and the information is not further used or
disclosed. The second exception applies to the inadvertent
disclosure of protected health information by a person
authorized to access protected health information at a covered
entity to another person authorized to access protected health
information at the covered entity or organized health care
arrangement in which the covered entity participates. Again,
in this second exception, the information cannot be further
used or disclosed. Finally, there is an exception if the
covered entity has a good faith belief that the unauthorized
person to whom the impermissible disclosure was made would not
have been able to retain the information.
This bill attempts to align California's medical privacy
breach reporting and notification requirements with the
recently adopted federal HITECH requirements, which allow more
exceptions to what triggers a notification and report, and a
much longer timeframe for the notification and report (60
calendar days rather than the current five business days).
3.Double referral. This bill is double referred. Should it pass
out of this committee, it will be referred to the Senate
Judiciary Committee.
4.Prior legislation. AB 541 (Alquist), Chapter 605, Statutes of
2008, required health care facilities to prevent unlawful or
unauthorized access to, use, or disclosure of, patients'
medical information and established safeguards to protect the
privacy of patients' medical information. AB 541 also
authorized CDPH to levy administrative penalties against
facilities for failure to prevent unlawful or unauthorized
access, use, or disclosure of patients' medical information,
and for failure to report instances of unlawful or
unauthorized access, use, or disclosure of information.
AB 211 (Jones), Chapter 602, Statutes of 2008, established an
Office of Health Information Integrity to ensure the
enforcement of state confidentiality of medical information,
to impose administrative fines for the unauthorized use of
medical information upon referral from CDPH, and required
health care providers to establish and implement appropriate
administrative, technical, and physical safeguards to protect
the privacy of patients' medical information.
AB 439 (Skinner), Chapter 437, Statutes of 2012, provided an
affirmative defense for civil actions taken under CMIA, such
that the plaintiff may not be awarded nominal damages if the
defendant establishes that defense, as specified.
5.Support. This bill is co-sponsored by Planned Parenthood
Affiliates of California (PPAC) and the California Medical
Association (CMA). PPAC states that both federal and state law
require health care providers to protect patient medical
information by preventing unlawful or unauthorized access,
require notification to a patient if their medical information
has been breached, and apply penalties for not complying with
these requirements. However, PPAC and CMA state that there are
significant differences between the two laws and licensed
health facilities are accountable under both schemes, making
compliance with the various provisions more complicated. PPAC
states that the California law requiring reporting of
unauthorized disclosure was enacted in 2008 following several
high profile incidents involving celebrity medical records
that were improperly accessed by hospital staff. PPAC states
that a number of provisions in that law place tremendous
administrative costs on both providers and the state while
doing little to add to the protection and security of patient
information. PPAC notes that California law does not allow for
a risk assessment, requiring health facilities to send a
patient notification even in the event of a minor breach,
resulting in over notification that can undermine patient
trust in their provider and the health care system. PPAC
states that better aligning state law with the updated and
thoroughly vetted federal regulations will reduce the
administrative burden on health facilities. CMA states that
making state law requirements consistent with federal
regulations will create one clear, objective standard for
medical information breach notifications.
6.Oppose unless amended. The American Civil Liberties Union
(ACLU) is opposed unless amended, stating that this bill
weakens the data breach reporting and notification standards
for medical information at a time when public concern over
data breaches is high. ACLU states that it sympathizes that
the five day report and notification period is difficult to
comply with, but states that two months is too long a period
of time, and suggests a window closer to the five day
timeframe. ACLU also opposes the provisions of this bill that
would exclude certain disclosures that "do not result in
further use or disclosure in a manner not permitted under
state or federal health information privacy laws." ACLU states
that this means the bill would exempt from medical data breach
reporting rules some instances of patients' medical
information having been compromised. ACLU states that this
exemption is especially problematic because this bill defines
"detect" in such a way that detecting a data breach is only
possible at the conclusion of an investigation into the
compromise of medical information, which would change the
trigger point so that the health facility would only need to
report and notify after concluding its investigation and
determining that a breach occurred. The Consumer Federation of
California (CFC) also opposes this bill unless amended,
stating that this bill undermines the existing privacy
standard by establishing a new concept of a "breach" that is
defined to eliminate virtually every instance of medical
privacy violations except for willful criminal theft of
records, and further exonerates most willful violations by
entitling the health facility to use its own internal,
subjective, and ill-defined process to conclude that there is
a likelihood that no harm to a patient resulted. CFC states
that this bill greatly delays the reporting of those few
"breaches" that survive the bill's various new reporting
exemptions from the current five business days to 60 calendar
days after "detection." CFC states that this lengthy delay is
an invitation to those health care providers who are already
failing to adequately secure patient records to relax their
vigilance even further.
7.Opposition. The Electronic Frontier Foundation (EFF) opposes
this bill, stating that the most obvious problem is that any
breach reporting will be greatly delayed, from the current
five business days to 60 calendar days. EFF states that more
significantly, however, this bill will weaken existing data
breach reporting regulations by excluding certain disclosures.
8.Policy comment. The author and sponsor indicate that this bill
is intended to more closely track with recently adopted
federal notification and reporting requirements for medical
information breaches, and in doing so, it adopts a definition
of "breach" that includes several exemptions. One of the
exemptions is when an unauthorized disclosure was made to
someone whom the health facility has a "good faith
belief ... would not reasonably have been able to retain the
information." It is unclear how the health facility would be
able to make a determination as to whether the person is able
to retain information. Additionally, this bill creates a new
definition of "detected" that is the basis for triggering any
notification and reporting of a breach of medical information.
Under this new definition, in order for a breach to meet the
definition of "detected," sufficient facts would have to be
known about an incident "such that a reasonable person would
believe that a breach of patients' medical information has
taken place." As opponents have pointed out, this would mean
that an investigation would first be necessary to collect
"sufficient facts," and determine whether these facts meet the
"reasonable person" definition, before even starting the 60
calendar day clock. If part of the rationale of having a
longer period of time to notify and report on a breach is to
allow time to first determine if the breach rises to the level
of notification and reporting, it is unclear why this
definition of "detection" is even necessary, since it would
mean breaches wouldn't be required to be reported until after
the conclusion of an investigation, plus an additional 60
days.
9.Amendments in discussion. The author's staff, supporters, and
opponents have been meeting and working to resolve
differences. Opponents are requesting language that would
restore much of the language back to existing law (removing
the new "breach" language, and restoring existing
"unauthorized disclosure" language). To address the problems
that proponents are trying to solve, opponents have offered
language that would exempt from immediate reporting to CDPH
the "inadvertent" disclosure of a patient's medical
information to an unauthorized individual on the premises,
where the medical information does not leave the premises and
the entity promptly retrieves the information. Negotiations
are also ongoing about the period of time entities are
required to notify patients, and report to CDPH, any
unauthorized disclosure; opponents have offered 20 days,
rather than the 5 days in current law, but less than the 60
days in the current version of this bill. However, at the time
of this writing, no agreement on amendments had been reached.
SUPPORT AND OPPOSITION :
Support: California Medical Association (co-sponsor)
Planned Parenthood Affiliates of California
(co-sponsor)
California Association of Health Facilities
California Hospital Association
California Primary Care Association
California Society of Anesthesiologists
Oppose: American Civil Liberties Union (unless amended)
Consumer Federation of California (unless amended)
Electronic Frontier Foundation
-- END --