BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Hannah-Beth Jackson, Chair
2013-2014 Regular Session
AB 1755 (Gomez)
As Amended March 28, 2014
Hearing Date: June 24, 2014
Fiscal: No
Urgency: No
NR
SUBJECT
Medical information
DESCRIPTION
Existing law requires a clinic, health facility, home health
agency, or hospice (facility) to prevent unlawful or
unauthorized access to, and use or disclosure of, patients'
medical information, as defined, and requires the facility to
report any unlawful or unauthorized access to, or use or
disclosure of, a patient's medical information to the State
Department of Public Health (Department) and the affected
patient, within five business days. Existing law authorizes the
Department to assess administrative penalties for violation of
these provisions.
This bill would, instead, require those facilities to prevent
breaches of patients' medical information and to report any
breach of a patient's medical information to the Department and
to the affected patient within 60 calendar days. This bill
would allow a patient to be notified by alternative means or at
an alternative location if previously specified by the patient
in writing.
This bill would define "breach" as the acquisition, access, use,
or disclosure of unsecured medical information in a manner not
permitted under state or federal health information privacy laws
that compromises the security or privacy of the medical
information. This bill would provide that, except as indicated
below, acquisition, access, use, or disclosure of medical
information in a manner not permitted under state or federal law
is presumed to be a breach unless the facility demonstrates that
there is a low probability that the medical information has been
compromised based on a risk assessment, as specified.
This bill would exempt the following circumstances from the
definition of breach:
any unintentional acquisition, access, or use of medical
information by a workforce member or business associate, if it
does not result in further use or disclosure in a manner not
permitted under state or federal health information privacy
laws;
any inadvertent disclosure by a person who is authorized to
access medical information to another authorized person to
access medical information at the same facility if the
information is not further used or disclosed in a manner not
permitted under state or federal health information privacy
laws; and
a disclosure of medical information when a facility or
business associate has a good faith belief that an
unauthorized person to whom the disclosure was made would not
reasonably have been able to retain the information.
BACKGROUND
The Health Insurance Portability and Accountability Act (HIPAA),
enacted in 1996, guarantees privacy protection for individuals
with regard to specific health information. (Pub.L. 104-191,
110 Stat. 1936.) Generally, protected health information (PHI)
is any information held by a covered entity which concerns
health status, provision of health care, or payment for health
care that can be connected to an individual. HIPAA privacy
regulations require health care providers and organizations to
develop and follow procedures that ensure the confidentiality
and security of PHI when it is transferred, received, handled,
or shared. HIPAA further requires reasonable efforts when
using, disclosing, or requesting PHI, to limit disclosure of
that information to the minimum amount necessary to accomplish
the intended purpose. California's Confidentiality of Medical
Information Act (CMIA) (Civ. Code Sec. 56 et seq.) allows adult
patients in California to keep PHI confidential and decide
whether and when to share that information with their partners
and parents.
HIPAA established federal protections for patients' health
information held by "covered entities" and by any "business
associates" that a covered entity engages to help it carry out
its health care activities. A
covered entity can be a provider, a health plan, or a health
care clearinghouse that processes health information it receives
from another entity. While HIPAA establishes a floor for minimum
privacy protections, states may enact laws that provide greater
protection. In 2009, the Health Information Technology for
Economic and Clinical Health (HITECH) Act was enacted to
accelerate the adoption of electronic health record systems
among providers. Among other provisions, the HITECH Act
requires HIPAA covered entities to provide notification to
individuals whose medical information has been disclosed within
60 days following the discovery of a breach of medical
information. Breaches affecting fewer than 500 individuals are
required to be reported to the Department of Health and Human
Services on an annual basis. Under California law, when a
disclosure of confidential medical information is made to an
unauthorized individual, the health care entity must notify the
affected patient and the Department of Public Health
(Department) within five business days.
This bill, sponsored by the California Medical Association and
Planned Parenthood, seeks to align California's medical privacy
disclosure reporting and notification requirements to the
federal HITECH requirements, which would allow more exceptions
to notification to the patient and the Department, and allow a
longer timeframe in which those notifications must be made.
CHANGES TO EXISTING LAW
Existing law, the California Constitution, provides that all
people have inalienable rights, including the right to pursue
and obtain privacy. (Cal. Const., art. I, Sec. 1.)
Existing federal law, the Health Insurance Portability and
Accountability Act (HIPAA), specifies privacy protections for
patients' protected health information and generally provides
that a covered entity, as defined (health plan, health care
provider, and health care clearinghouse), may not use or
disclose protected health information except as specified or as
authorized by the patient in writing. (45 C.F.R. Sec. 164.500
et seq.)
Existing law prohibits, under the State Confidentiality of
Medical Information Act (CMIA), providers of health care, health
care service plans, or contractors, as defined, from sharing
medical information without the patient's written authorization,
subject to certain exceptions. (Civ. Code Sec. 56 et seq.)
Existing law defines "medical information" to mean any
individually identifiable information, in electronic or physical
form, in possession of or derived from a provider of health
care, health care service plan, pharmaceutical company, or
contractor regarding a patient's medical history, mental or
physical condition, or treatment. Existing law defines
"individually identifiable" to mean that the medical information
includes or contains any element of personal identifying
information sufficient to allow identification of the
individual, such as the patient's name, address, electronic mail
address, telephone number, or social security number, or other
information that, alone or in combination with other publicly
available information, reveals the individual's identity. (Civ.
Code Sec. 56.05(g).)
Existing law requires a licensed clinic, health facility, home
health agency, or hospice to prevent unlawful or unauthorized
access to, and use or disclosure of, patients' medical
information, as defined in the CMIA, and authorizes the
California Department of Public Health (Department), after
investigation, to assess an administrative penalty of $25,000
per patient whose medical information was unlawfully accessed or
disclosed, and up to $17,500 per subsequent occurrence of
unlawful access or disclosure of that patient's medical
information. (Health & Saf. Code Sec. 1280.15(a).)
Existing law provides that internal paper records, electronic
mail, or facsimile transmissions inadvertently misdirected
within the same facility or health care system within the course
of coordinating care or delivering services are not an
unauthorized disclosure. (Health & Saf. Code Sec. 1280.15(a).)
Existing law requires a licensed health facility to report any
unlawful or unauthorized access to, or use or disclosure of, a
patient's medical information to the Department and to the
affected patient at his or her last known address no later than
five business days after the unlawful or unauthorized access,
use, or disclosure has been detected by the facility. (Health &
Saf. Code Sec. 1280.15(b).)
This bill would, instead, require licensed health facilities to
"prevent breaches of a patients' medical information" as
required under specified provisions of existing law, and would
require the facility to report the breach to the patient and the
Department without unreasonable delay, but in no case later than
60 calendar days after the breach has been detected.
This bill would authorize the facility to report the breach to
the affected patient by an alternative means, including email,
or at an alternative location, as specified by the patient in
writing.
This bill would define "breach" as the acquisition, access, use,
or disclosure of unsecured medical information in a manner not
permitted under state or federal health information privacy laws
that compromises the security or privacy of the medical
information, and would exempt from the definition of breach any
of the following:
any unintentional access, as specified, of medical information
by a workforce member or person acting under the authority of
a licensed health facility, if that access was made in good
faith, within the scope of authority, and does not result in
further use or disclosure in a manner not permitted under
state or federal laws;
any inadvertent disclosure by a person who is authorized to
access medical information at a licensed health facility to
another person authorized to access medical information at the
same facility, or organized health care arrangement in which
the licensed health facility participates and the information
received as a result of the disclosure is not further used or
disclosed in a manner not permitted under state or federal
laws; or
a disclosure of medical information when a licensed health
facility has a good faith belief that an authorized person to
whom the disclosure was made would not reasonably have been
able to retain the information.
This bill would provide that unless otherwise exempted from the
definition of a breach of medical information, disclosure of
medical information in a manner not permitted under state or
federal laws is presumed to be a breach unless the facility
demonstrates that there is a low probability that the medical
information has been compromised based on a risk assessment of
the following factors:
the nature and extent of the medical information involved,
including the types of identifiers and the likelihood of
re-identification;
the unauthorized person who used the medical information or to
whom the disclosure was made;
whether the medical information was actually acquired or
viewed; and
the extent to which the risk to the medical information has
been mitigated.
This bill would provide that "detected" means that sufficient
facts are known about an incident such that a reasonable person
would believe that a breach of a patient's medical information
has taken place.
COMMENT
1. Stated need for the bill
According to the author:
Protections to secure personal health information are vital
and ensure patients can safely access needed health care
services. Unfortunately, the notification requirement in
California law overly burdens providers and clinics requiring
them to spend significant resources responding to minor and
inconsequential incidents that do not endanger patient privacy
but divert resources away from patient care.
Better aligning state law with the updated and thoroughly
vetted federal regulations will reduce the administrative
burden on health facilities, freeing up resources. This is
especially important in safety-net settings that serve the
increasing Medi-Cal population and the remaining uninsured.
The four part test and the option of alternate notification
method will protect privacy and ensure patients are adequately
alerted to serious medical information breaches.
2. Shifting focus from unauthorized disclosure to breach of
patient medical information
When a patient's medical information is disclosed to an
unauthorized person or entity, existing law requires
notification of the affected patient and the Department of
Public Health (Department) within five business days. The author
argues that this notification requirement is excessive, takes
significant administrative resources, and is nearly unworkable
because California law does not allow for a "risk assessment,"
so a facility must send a notification even in the event of a
minor incident.
Accordingly, this bill would remove the requirement that a
facility notify the Department and the affected patient after an
unauthorized disclosure and instead require notification only in
the event of a "breach" of a patient's medical information.
"Breach" would be defined as the acquisition, access, use, or
disclosure of unsecured medical information in a manner not
permitted under state or federal health information privacy laws
that compromises the security or privacy of the medical
information. This bill would also exempt a number of situations
from the definition of "breach" and allow the facility to
conduct a risk assessment to determine whether there is a low
probability that the medical information was compromised.
a. Situations exempted from definition of breach
This bill would exempt the following situations from the
definition of breach: (1) unintentional access or use of
medical information by an employee that does not result in
further use or disclosure that would not be permitted under
federal or state law; (2) inadvertent disclosures by an
authorized person to another authorized person within the
same facility if the information is not further used or
disclosed in a manner not permitted under state or federal
law; or (3) a disclosure of medical information the
facility has a good faith belief that the unauthorized
person to whom the disclosure was made would not reasonably
have been able to retain the information.
In opposition to this bill, the American Civil Liberties
Union (ACLU) argues that the bill would weaken data breach
reporting and notification regulations by changing the
focus from unauthorized disclosure to "breach" and
permitting the compromise of medical information under
certain circumstances. Regarding the above exemptions, the
ACLU writes:
[these exemptions] become especially problematic when
combined with the definition of "detect" ... The bill
defines "detect" in such a way that detecting a breach is
only possible at the conclusion of an investigation into
the compromise of medical information. When combined
with the changes to the reporting and notification
requirements in (b)(1) and (b)(2), this bill changes the
point at which the reporting and notification
requirements are triggered in significant ways that delay
the reporting and notification. The way the code is
written now, a health facility has to notify the
patient(s) involved and report to the department when it
becomes aware of the compromise of medical information.
This bill would change the trigger point so that the
health facility would only need to report and notify
after concluding its investigation into the compromise of
medical information and determining that a breach has
occurred.
b. Ability of facility to conduct risk assessment and
forgo notification if probability of risk determined low
This bill would provide that, except for the circumstances
described immediately above, a disclosure of medical
information not permitted under state or federal law is
presumed to be a breach unless the facility demonstrates
that there is a low probability that the medical
information has been compromised based on a risk assessment
of a number of factors including (1) nature and extent of
the medical information involved, (2) the person to whom
the disclosure was made, (3) whether the medical
information was actually acquired or viewed, and (4) the
extent to which the risk to the medical information has
been mitigated.
Thus, this bill would allow a facility where an
unauthorized disclosure has taken place to evaluate the
seriousness of the disclosure and whether or not to
designate it as a breach, thereby avoiding notification
requirements. In opposition, the Consumer Federation of
California writes, "AB 1755 undermines the Health and
Safety Code's privacy standard by establishing a new
concept of a "breach" which the bill defines to eliminate
virtually every instance of medical privacy violation except
for willful criminal theft of records, and further
exonerates most willful violations by entitling the health
care entity to use its own internal, subjective, and
ill-defined process to conclude that there is a likelihood
that no harm to a patient resulted."
Given the concerns described above, the author offers amendments
which would maintain existing law, but clarify that the
Department has the discretion to investigate unauthorized
disclosures (see Comment 5).
3. Time period for notification
When an unauthorized disclosure of medical information has been
made, existing law requires that the patient and Department are
notified within five business days. This bill would instead
provide that notification must be made, without unreasonable
delay, and in no case later than 60 calendar days. The author
argues that the "excessive notification requirement takes
significant administrative resources and with the short five day
timeline in California law, is nearly unworkable." In opposition
to this bill the Privacy Rights Clearinghouse writes:
Medical data is among the most sensitive personal information
and is entitled to the highest level of legal protection.
Providers often also maintain other information (such as
Social Security numbers) about their patients that is also
considered sensitive. This bill would significantly weaken
medical data breach reporting and notification standards in
California by increasing the delay in reporting unlawful
access or disclosure and to decrease the amount of actual
reporting of unauthorized access or disclosure ... This bill would
also increase the time period a provider has to report the
breach and notify patients from five business days to sixty
calendar days. The notification window should remain closer
to the five day time frame. This is necessary to enable
Californians to take appropriate steps to mitigate the harm
caused by the compromise of their medical information.
In response to those concerns, the author offers an amendment to
instead extend the timeframe in which a facility must notify a
patient from 5 to 15 business days (see Comment 5). Those
amendments would give facilities more time to notify patients
than found under existing law, but ensure that patients receive
information early enough to address any negative consequences of
the unauthorized disclosure.
4. Alternative means of notification
Under existing law, when a patient's medical information is
disclosed to an unauthorized individual, the facility is
required to report the unauthorized disclosure to the patient by
mail at his or her last known address. This bill would also
allow notification by an alternative means, including email, or
at an alternative location if previously specified by the
patient in writing.
These provisions will ensure timely notification for patients
who check alternative means of communication more frequently
than mail, and greater privacy for patients who do not feel that
mail delivered to their home address is secure.
5. Author's amendments
The author offers amendments which would restore Health & Safety
Code Section 1280.15 to existing law with a series of changes.
The changes would:
clarify that the Department has discretion whether to
investigate unauthorized disclosures of medical information;
extend the period in which an affected patient and the
Department must be notified of an unauthorized disclosure from
5 to 15 business days; and
allow notification by an alternative means or at an
alternative location as specified by the patient or the
patient's representative in writing.
Support: California Hospital Association; California Society of
Anesthesiologists; Planned Parenthood Advocacy Project Los
Angeles County; Planned Parenthood Mar Monte; Planned Parenthood
of Orange and San Bernardino Counties; Planned Parenthood of
Santa Barbara, Ventura & San Luis Obispo Counties, Inc.; Planned
Parenthood of the Pacific Southwest; Planned Parenthood Pasadena
and San Gabriel Valley; Planned Parenthood Shasta Pacific Action
Fund; Six Rivers Planned Parenthood
Opposition: American Civil Liberties Union; Consumer Federation
of California; Electronic Frontier Foundation
HISTORY
Source: California Medical Association; Planned Parenthood
Affiliates of California
Related Pending Legislation: None Known
Prior Legislation:
SB 337 (Alquist, Chapter 180, Statutes of 2009) among other
provisions, increased the requirement to report any unauthorized
disclosure of a patient's medical information to the affected
patient and the Department of Public Health from five days to
five business days.
AB 1298 (Snyder, Chapter 699, Statutes of 2007) subjected any
business organized to maintain medical information for purposes
of making that information available to an individual or to a
health care provider, as specified, to the provisions of the
Confidentiality of Medical Information Act (CMIA).
Prior Vote:
Senate Health Committee (Ayes 8, Noes 0)
Assembly Floor (Ayes 75, Noes 0)
Assembly Health Committee (Ayes 19, Noes 0)