BILL ANALYSIS

                             SENATE COMMITTEE ON HEALTH
                          Senator Ed Hernandez, O.D., Chair

          BILL NO:       AB 1755
          AUTHOR:        Gomez
          AMENDED:       March 28, 2014
          HEARING DATE:  June 18, 2014
          CONSULTANT:    Marchand

           SUBJECT  :  Medical information.
           
          SUMMARY  :  Revises provisions of law requiring licensed health  
          facilities to prevent disclosure of patients' medical  
          information by extending the deadline for health facilities to  
          report unauthorized disclosures from five business days to 60  
          calendar days after detection of a breach, and by establishing  
          several exemptions to when a breach of medical information is  
          required to be reported based on unintentional disclosures where  
          no further use was made of the patient's medical information.

          Existing law:
          1.Licenses clinics, health facilities, home health agencies, and  
            hospices through the California Department of Public Health  
            (CDPH).

          2.Requires a licensed clinic, health facility, home health  
            agency, or hospice (collectively, licensed health facilities)  
            to prevent unlawful or unauthorized access to, and use or  
            disclosure of, patients' medical information, as defined in  
            the Confidentiality of Medical Information Act (CMIA).

          3.Permits CDPH, after investigation, to assess an administrative  
            penalty of $25,000 per patient whose medical information was  
            unlawfully accessed or disclosed, and up to $17,500 per  
            subsequent occurrence of unlawful access or disclosure of that  
            patient's medical information.

          4.Requires a licensed health facility to report any unlawful or  
            unauthorized access to, or use or disclosure of, a patient's  
            medical information to CDPH no later than five business days  
            after the unlawful or unauthorized access, use, or disclosure  
            has been detected by the facility.

          5.Requires a licensed health facility to report any unlawful  
            access or unauthorized access to, or use or disclosure of, a  
            patient's medical information to the affected patient or the  
            patient's representative at the last known address, no later  
            than five business days after the unlawful access, use, or  
            disclosure has been detected, except under specified  
            circumstances.
          
          6.Specifies that for purposes of the provisions of existing law  
            in 2) through 5) above, internal paper records, electronic  
            mail, or facsimile transmissions inadvertently misdirected  
            within the same facility or health care system within the  
            course of coordinating care or delivering services does not  
            constitute unauthorized access to, or use or disclosure of, a  
            patient's medical information.

          7.Establishes the CMIA, which prohibits a health care provider,  
            health care service plan, or contractor from disclosing  
            medical information regarding a patient without first  
            obtaining authorization. Defines "medical information" as any  
            individually identifiable information, in electronic or  
            physical form, in possession of, or derived from, a health  
            care provider, health plan, pharmaceutical company, or  
            contractor regarding a patient's medical history, mental or  
            physical condition, or treatment.

          8.Authorizes, under CMIA, administrative fines and civil  
            penalties, ranging from $1,000 to $250,000, against any person  
            or entity that negligently discloses, or knowingly and  
            willfully obtains, discloses, or uses medical information in  
            violation of its provisions. Authorizes the Attorney General,  
            any district attorney, any county counsel acting pursuant to  
            an agreement with the district attorney, or a city attorney,  
            to seek civil penalties for violations of CMIA.

          This bill:
          1.Revises provisions of law requiring licensed health facilities  
            to prevent disclosure of patients' medical information, by  
            deleting the use of the term "prevent unlawful or unauthorized  
            access to, and use or disclosure of, patients' medical  
            information," and replacing it with the term "prevent breaches  
            of a patients' medical information" as required under  
            specified provisions of existing law.

          2.Extends the deadline for a licensed health facility to report  
            any unlawful or unauthorized access of a patient's medical  
            information to CDPH from no later than five business days  
            after the unlawful access or use has been detected, to instead  
            require this reporting to be done without unreasonable delay  
            and in no case later than 60 calendar days after the breach  
            has been detected.

          3.Extends the deadline for a licensed health facility to report  
            unlawful access or use of a patient's medical information to  
            the affected patient or the patient's representative from no  
            later than five business days after detection, to instead  
            require this report be done without unreasonable delay and in  
            no case later than 60 calendar days after the breach has been  
            detected.

          4.Permits the reporting to the affected patient or the patient's  
            representative to be made by an alternative means or at an  
            alternative location, rather than the last known address, as  
            specified by the patient or the patient's representative in  
            writing pursuant to specified federal regulations. Permits  
            this notice to be provided by e-mail only if the patient has  
            previously agreed in writing to electronic notice by e-mail.

          5.Defines "breach" as the acquisition, access, use, or  
            disclosure of unsecured medical information in a manner not  
            permitted under state or federal health information privacy  
            laws that compromises the security or privacy of the medical  
            information.

          6.Exempts from the definition of "breach" any of the following:

                  a.        Any unintentional acquisition, access, or use  
                    of medical information by a workforce member or person  
                    acting under the authority of a licensed health  
                    facility, or a business associate, if that  
                    acquisition, access, or use was made in good faith and  
                    within the scope of authority and does not result in  
                    further use or disclosure in a manner not permitted  
                    under state or federal health information privacy  
                    laws;
                  b.        Any inadvertent disclosure by a person who is  
                    authorized to access medical information at a licensed  
                    health facility or a business associate to another  
                    person authorized to access medical information at the  
                    same facility or business associate, or organized  
                    health care arrangement in which the licensed health  
                    facility participates and the information received as  
                    a result of the disclosure is not further used or  
                    disclosed in a manner not permitted under state or  
                    federal health information privacy laws; and,
                  c.        A disclosure of medical information when a  
                    licensed health facility or business associate has a  
                    good faith belief that an authorized person to whom  
                    the disclosure was made would not reasonably have been  
                    able to retain the information.

          7.Specifies that unless otherwise exempted from the definition  
            of a breach of medical information, an acquisition, access,  
            use, or disclosure of medical information in a manner not  
            permitted under state or federal health information privacy  
            laws is presumed to be a breach unless the licensed health  
            facility or business associate, as applicable, demonstrates  
            that there is a low probability that the medical information  
            has been compromised based on a risk assessment of the  
            following factors:

                  a.        The nature and extent of the medical  
                    information involved, including the types of  
                    identifiers and the likelihood of reidentification;
                  b.        The unauthorized person who used the medical  
                    information or to whom the disclosure was made;
                  c.        Whether the medical information was actually  
                    acquired or viewed; and,
                  d.        The extent to which the risk to the medical  
                    information has been mitigated.

          8.Defines "business associate," "workforce," and "organized  
            health care arrangement" as having the meanings specified in  
            the federal Health Insurance Portability and Accountability  
            Act of 1996 (HIPAA).

          9.Defines "detected" as meaning that sufficient facts are known  
            about an incident such that a reasonable person would believe  
            that a breach of a patient's medical information has taken  
            place.

          10.Defines "unsecured medical information" as medical  
            information that is not rendered unusable, unreadable, or  
            indecipherable to unauthorized persons through use of a  
            technology or methodology specified by the United States  
            Secretary of Health and Human Services (HHS), as specified.

           FISCAL EFFECT  :  This bill has been keyed non-fiscal.

           PRIOR VOTES  :  

          Assembly Health:    19-0
          Assembly Floor:     75-0
           
          COMMENTS  :  
           1.Author's statement.  According to the author, this bill  
            improves California's notice requirement specific to breaches  
            of medical information by streamlining the protocol to more  
            closely align with federal law. By increasing administrative  
            efficiency, this bill removes unnecessary costs to the health  
            care system and state administration while ensuring patients  
            are adequately alerted to serious medical information  
            breaches. This bill will improve California's notice  
            requirement specific to breaches of medical information by  
            moving it closer to federal law and removing an extra  
            administrative layer that requires health facilities covered  
            by state and federal laws to analyze all potential breaches  
            under both schemes and take different action depending on the  
            circumstances of the potential breach. The bill adopts the  
            Health Information Technology for Economic and Clinical Health  
            Act (HITECH) standard, which was adopted in January 2013 after  
            extensive public comment and negotiation. It would clarify  
            what must be reported, change the timing of the notification  
            to "as soon as reasonably possible but no later than 60  
            calendar days after discovery of the breach," and given the  
            sensitivity of medical information, ensure that patients have  
            the option of designating an alternate address where notice  
            may be sent or received. 

          2.Background on federal law. HIPAA established federal  
            protections for patients' health information held by "covered  
            entities" and any "business associates" that a covered entity  
            engages to help it carry out its health care activities. A  
            covered entity can be a provider, a health plan, or a health  
            care clearinghouse that processes health information it  
            receives from another entity. While HIPAA establishes a  
            federal floor for minimum privacy protections, states are  
            permitted to enact laws that provide greater privacy  
            protections or rights. 

          In 2009, as part of the American Recovery and Reinvestment Act,  
            the HITECH Act was enacted to promote and expand the adoption  
            of health information technology. Among other provisions, the  
            HITECH Act, under the implementing regulations adopted in  
            January 2013, requires HIPAA covered entities to provide  
            notification to affected individuals within 60 days following  
            the discovery of a breach of medical information. If the  
            breach affects 500 or more individuals, the covered entity  
            must report this breach to the media and to the Secretary of  
            HHS within 60 days. Breaches affecting fewer than 500  
            individuals are required to be reported to HHS on an annual  
            basis. 

          Under the HITECH Act, there are three exceptions to the  
            definition of "breach" which, when they apply, do not trigger  
            the reporting and notification requirements.  
            The first exception applies to the unintentional acquisition,  
            access, or use of protected health information by a person  
            acting under the authority of a covered entity, if the access  
            or use was made in good faith and within the scope of that  
            authority, and the information is not further used or  
            disclosed. The second exception applies to the inadvertent  
            disclosure of protected health information by a person  
            authorized to access protected health information at a covered  
            entity to another person authorized to access protected health  
            information at the covered entity or organized health care  
            arrangement in which the covered entity participates. Again,  
            in this second exception, the information cannot be further  
            used or disclosed. Finally, there is an exception if the  
            covered entity has a good faith belief that the unauthorized  
            person to whom the impermissible disclosure was made would not  
            have been able to retain the information.

          This bill is attempting to align California's medical privacy  
            breach reporting and notification requirements to the recently  
            adopted federal HITECH requirements, which allow for more  
            exceptions to what would trigger a notification and report,  
            and a much longer timeframe for the notification and report  
            (from 5 business days to 60 calendar days). 

          3.Double referral. This bill is double referred. Should it pass  
            out of this committee, it will be referred to the Senate  
            Judiciary Committee.

          4.Prior legislation. AB 541 (Alquist), Chapter 605, Statutes of  
            2008, required health care facilities to prevent unlawful or  
            unauthorized access to, use, or disclosure of, patients'  
            medical information and established safeguards to protect the  
            privacy of patients' medical information. AB 541 also  
            authorizes CDPH to levy administrative penalties against  
            facilities for failure to prevent unlawful or unauthorized  
            access, use, or disclosure of patients' medical information,  
            and for failure to report instances of unlawful or  
            unauthorized access, use, or disclosure of information.  

          AB 211 (Jones), Chapter 602, Statutes of 2008, established an  
            Office of Health Information Integrity to ensure the  
            enforcement of state confidentiality of medical information,  
            to impose administrative fines for the unauthorized use of  
            medical information upon referral from CDPH, and required  
            health care providers to establish and implement appropriate  
            administrative, technical, and physical safeguards to protect  
            the privacy of patient's medical information.  

          AB 439 (Skinner), Chapter 437, Statutes of 2012, provided an  
            affirmative defense for civil actions taken under CMIA, such  
            that the plaintiff may not be awarded nominal damages if the  
            defendant establishes that defense, as specified.
               
          5.Support.  This bill is co-sponsored by Planned Parenthood  
            Affiliates of California (PPAC) and the California Medical  
            Association (CMA). PPAC states that both federal and state law  
            require health care providers to protect patient medical  
            information by preventing unlawful or unauthorized access,  
            require notification to a patient if their medical information  
            has been breached, and apply penalties for not complying with  
            these requirements. However, PPAC and CMA state that there are  
            significant differences between the two laws and licensed  
            health facilities are accountable under both schemes, making  
            compliance with the various provisions more complicated. PPAC  
            states that the California law requiring reporting of  
            unauthorized disclosure was enacted in 2008 following several  
            high profile incidents involving celebrity medical records  
            that were improperly accessed by hospital staff. PPAC states  
            that a number of provisions in that law place tremendous  
            administrative costs on both providers and the state while  
            doing little to add to the protection and security of patient  
            information. PPAC notes that California law does not allow for  
            a risk assessment, requiring health facilities to send a  
            patient notification even in the event of a minor breach,  
            resulting in over notification that can undermine patient  
            trust in their provider and the health care system. PPAC  
            states that better aligning state law with the updated and  
            thoroughly vetted federal regulations will reduce the  
            administrative burden on health facilities.  CMA states that  
            making state law requirements consistent with federal  
            regulations will create one clear, objective standard for  
            medical information breach notifications.

          6.Oppose unless amended.  The American Civil Liberties Union  
            (ACLU) is opposed unless amended, stating that this bill  
            weakens the data breach reporting and notification standards  
            for medical information at a time when public concern over  
            data breaches is high. ACLU states that it is sympathetic to  
            the view that the five-day report and notification period is  
            difficult to comply with, but states that two months is too  
            long a period of time, and suggests a window closer to the  
            five-day timeframe. ACLU also opposes the provisions of this  
            bill that  
            would exclude certain disclosures that "do not result in  
            further use or disclosure in a manner not permitted under  
            state or federal health information privacy laws." ACLU states  
            that this means the bill would exempt from medical data breach  
            reporting rules some instances of patients' medical  
            information having been compromised. ACLU states that this  
            exemption is especially problematic because this bill defines  
            "detect" in such a way that detecting a data breach is only  
            possible at the conclusion of an investigation into the  
            compromise of medical information, which would change the  
            trigger point so that the health facility would only need to  
            report and notify after concluding its investigation and  
            determining that a breach occurred. The Consumer Federation of  
            California (CFC) also opposes this bill unless amended,  
            stating that this bill undermines the existing privacy  
            standard by establishing a new concept of a "breach" that is  
            defined to eliminate virtually every instance of medical  
            privacy violations except for willful criminal theft of  
            records, and further exonerates most willful violations by  
            entitling the health facility to use its own internal,  
            subjective, and ill-defined process to conclude that there is  
            a likelihood that no harm to a patient resulted. CFC states  
            that this bill greatly delays the reporting of those few  
            "breaches" that survive the bill's various new reporting  
            exemptions from the current five business days to 60 calendar  
            days after "detection." CFC states that this lengthy delay is  
            an invitation to those health care providers who are already  
            failing to adequately secure patient records to relax their  
            vigilance even further.

          7.Opposition.  The Electronic Frontier Foundation (EFF) opposes  
            this bill, stating that the most obvious problem is that any  
            breach reporting will be greatly delayed, from the current  
            five business days to 60 calendar days. EFF states that more  
            significantly, however, this bill will weaken existing data  
            breach reporting regulations by excluding certain disclosures.
               
          8.Policy comment. The author and sponsor indicate that this bill  
            is intended to more closely track with recently adopted  
            federal notification and reporting requirements for medical  
            information breaches, and in doing so, it adopts a definition  
            of "breach" that includes several exemptions. One of the  
            exemptions is when an unauthorized disclosure was made to  
            someone whom the health facility has a "good faith  
            belief . . . would not reasonably have been able to retain the  
            information." It is unclear how the health facility would be  
            able to make a determination as to whether the person is able  
            to retain information. Additionally, this bill creates a new  
            definition of "detected" that is the basis for triggering any  
            notification and reporting of a breach of medical information.  
            Under this new definition, in order for a breach to meet the  
            definition of "detected," sufficient facts would have to be  
            known about an incident "such that a reasonable person would  
            believe that a breach of patients' medical information has  
            taken place." As opponents have pointed out, this would mean  
            that an investigation would first be necessary to collect  
            "sufficient facts," and determine whether these facts meet the  
            "reasonable person" definition, before even starting the 60  
            calendar day clock. If part of the rationale of having a  
            longer period of time to notify and report on a breach is to  
            allow time to first determine if the breach rises to the level  
            of notification and reporting, it is unclear why this  
            definition of "detection" is even necessary, since it would  
            mean breaches wouldn't be required to be reported until after  
            the conclusion of an investigation, plus an additional 60  
            days.

          9.Amendments in discussion. The author's staff, supporters, and  
            opponents have been meeting and working to resolve  
            differences. Opponents are requesting language that would  
            restore much of the language back to existing law (removing  
            the new "breach" language, and restoring existing  
            "unauthorized disclosure" language). To accommodate the  
            problems that proponents are trying to address, opponents have  
            offered language that would exempt from immediate reporting to  
            CDPH the "inadvertent" disclosure of a patient's medical  
            information to an unauthorized individual on the premises,  
            where the medical information does not leave the premises, and  
            the entity promptly retrieves the information. Negotiations  
            are also ongoing about the period of time entities are  
            required to notify patients, and report to CDPH, any  
            unauthorized disclosure; opponents have offered 20 days,  
            rather than the 5 days in current law, but less than the 60  
            days in the current version of this bill. However, at the time  
            of this writing, no agreement on amendments had been reached.
                                            
           SUPPORT AND OPPOSITION  :
          Support:  California Medical Association (co-sponsor)
                    Planned Parenthood Affiliates of California  
                    (co-sponsor)
                    California Association of Health Facilities
                    California Hospital Association
                    California Primary Care Association
                    California Society of Anesthesiologists

          Oppose:   American Civil Liberties Union (unless amended)
                    Consumer Federation of California (unless amended)
                    Electronic Frontier Foundation




                                      -- END --