BILL ANALYSIS

                             SENATE JUDICIARY COMMITTEE
                         Senator Hannah-Beth Jackson, Chair
                              2013-2014 Regular Session


          AB 1755 (Gomez)
          As Amended March 28, 2014
          Hearing Date: June 24, 2014
          Fiscal: No
          Urgency: No
          NR


                                        SUBJECT
                                           
                                 Medical information

                                      DESCRIPTION  

          Existing law requires a clinic, health facility, home health  
          agency, or hospice (facility) to prevent unlawful or  
          unauthorized access to, and use or disclosure of, patients'  
          medical information, as defined, and requires the facility  
          report any unlawful or unauthorized access to, or use or  
          disclosure of, a patient's medical information to the State  
          Department of Public Health (Department) and the affected  
          patient, within five business days. Existing law authorizes the  
          Department to assess administrative penalties for violation of  
          these provisions.

          This bill would, instead, require those facilities to prevent  
          breaches of patients' medical information and to report any  
          breach of a patient's medical information to the Department and  
          to the affected patient within 60 calendar days.  This bill  
          would allow a patient to be notified by alternative means or at  
          an alternative location if previously specified by the patient  
          in writing.

          This bill would define "breach" as the acquisition, access, use,  
          or disclosure of unsecured medical information in a manner not  
          permitted under state or federal health information privacy laws  
          that compromises the security or privacy of the medical  
          information. This bill would provide that, except as indicated  
          below, acquisition, access, use, or disclosure of medical  
          information in a manner not permitted under state or federal law  
          is presumed to be a breach unless the facility demonstrates that  
          there is a low probability that the medical information has been  
          compromised based on a risk assessment, as specified. 

          This bill would exempt the following circumstances from the
          definition of breach:
           - any unintentional acquisition, access, or use of medical
             information by a workforce member or business associate, if it
             does not result in further use or disclosure in a manner not
             permitted under state or federal health information privacy
             laws;
           - any inadvertent disclosure by a person who is authorized to
             access medical information to another person authorized to
             access medical information at the same facility, if the
             information is not further used or disclosed in a manner not
             permitted under state or federal health information privacy
             laws; and
           - a disclosure of medical information when a facility or
             business associate has a good faith belief that an
             unauthorized person to whom the disclosure was made would not
             reasonably have been able to retain the information.

                                      BACKGROUND  

          The Health Insurance Portability and Accountability Act (HIPAA),  
          enacted in 1996, guarantees privacy protection for individuals  
          with regards to specific health information. (Pub.L. 104-191,  
          110 Stat. 1936.)  Generally, protected health information (PHI)  
          is any information held by a covered entity which concerns  
          health status, provision of health care, or payment for health  
          care that can be connected to an individual. HIPAA privacy  
          regulations require health care providers and organizations to  
          develop and follow procedures that ensure the confidentiality  
          and security of PHI when it is transferred, received, handled,  
          or shared.  HIPAA further requires reasonable efforts when  
          using, disclosing, or requesting PHI, to limit disclosure of  
          that information to the minimum amount necessary to accomplish  
          the intended purpose.  California's Confidentiality of Medical  
          Information Act (CMIA) (Civ. Code Sec. 56 et seq.) allows adult  
          patients in California to keep PHI confidential and decide  
          whether and when to share that information with their partners  
          and parents.  

          HIPAA established federal protections for patients' health
          information held by "covered entities" and any "business
          associates" that a covered entity engages to help it carry out
          its health care activities. A
          covered entity can be a provider, a health plan, or a health  
          care clearinghouse that processes health information it receives  
          from another entity. While HIPAA establishes a floor for minimum  
          privacy protections, states may enact laws that provide greater  
          protection. In 2009, the Health Information Technology for  
          Economic and Clinical Health (HITECH) Act was enacted to  
          accelerate the adoption of electronic health record systems  
          among providers.  Among other provisions, the HITECH Act  
          requires HIPAA covered entities to provide notification to  
          individuals whose medical information has been disclosed within  
          60 days following the discovery of a breach of medical  
          information. Breaches affecting fewer than 500 individuals are  
          required to be reported to the Department of Health and Human  
          Services on an annual basis. Under California law, when a  
          disclosure of confidential medical information is made to an  
          unauthorized individual, the health care entity must notify the  
          affected patient and the Department of Public Health  
          (Department) within five business days.

          This bill, sponsored by the California Medical Association and  
          Planned Parenthood, seeks to align California's medical privacy  
          disclosure reporting and notification requirements to the  
          federal HITECH requirements, which would allow more exceptions  
          to notification to the patient and the Department, and allow a  
          longer timeframe in which those notifications must be made. 

                                CHANGES TO EXISTING LAW

          Existing law, the California Constitution, provides that all
          people have inalienable rights, including the right to pursue
          and obtain privacy.  (Cal. Const., art. I, Sec. 1.)

          Existing federal law, the Health Insurance Portability and
          Accountability Act (HIPAA), specifies privacy protections for
          patients' protected health information and generally provides
          that a covered entity, as defined (health plan, health care
          provider, and health care clearinghouse), may not use or
          disclose protected health information except as specified or as
          authorized by the patient in writing.  (45 C.F.R. Sec. 164.500
          et seq.)

          Existing law prohibits, under the State Confidentiality of
          Medical Information Act (CMIA), providers of health care, health
          care service plans, or contractors, as defined, from sharing
          medical information without the patient's written authorization,
          subject to certain exceptions.  (Civ. Code Sec. 56 et seq.)
          Existing law defines "medical information" to mean any
          individually identifiable information, in electronic or physical  
          form, in possession of or derived from a provider of health  
          care, health care service plan, pharmaceutical company, or  
          contractor regarding a patient's medical history, mental or  
          physical condition, or treatment.  Existing law defines  
          "individually identifiable" to mean that the medical information  
          includes or contains any element of personal identifying  
          information sufficient to allow identification of the  
          individual, such as the patient's name, address, electronic mail  
          address, telephone number, or social security number, or other  
          information that, alone or in combination with other publicly  
          available information, reveals the individual's identity.  (Civ.  
          Code Sec. 56.05(g).)
          
          Existing law requires a licensed clinic, health facility, home
          health agency, or hospice to prevent unlawful or unauthorized  
          access to, and use or disclosure of, patients' medical  
          information, as defined in the CMIA, and authorizes the  
          California Department of Public Health (Department), after  
          investigation, to assess an administrative penalty of $25,000  
          per patient whose medical information was unlawfully accessed or  
          disclosed, and up to $17,500 per subsequent occurrence of  
          unlawful access or disclosure of that patient's medical  
          information. (Health & Saf. Code Sec. 1280.15(a).)

          Existing law provides that internal paper records, electronic
          mail, or facsimile transmissions inadvertently misdirected  
          within the same facility or health care system within the course  
          of coordinating care or delivering services are not an  
          unauthorized disclosure. (Health & Saf. Code Sec. 1280.15(a).)

          Existing law requires a licensed health facility to report any
          unlawful or unauthorized access to, or use or disclosure of, a  
          patient's medical information to the Department and to the  
          affected patient at his or her last known address no later than  
          five business days after the unlawful or unauthorized access,  
          use, or disclosure has been detected by the facility. (Health &  
          Saf. Code Sec. 1280.15(b).)

          This bill would, instead, require licensed health facilities to
          "prevent breaches of a patients' medical information" as  
          required under specified provisions of existing law, and would  
          require the facility to report the breach to the patient and the  
          Department without unreasonable delay, but in no case later than  
          60 calendar days after the breach has been detected. 

          This bill would authorize the facility to report the breach to
          the affected patient by an alternative means, including email,  
          or at an alternative location, as specified by the patient in  
          writing. 

          This bill would define "breach" as the acquisition, access, use,
          or disclosure of unsecured medical information in a manner not
          permitted under state or federal health information privacy laws
          that compromises the security or privacy of the medical
          information, and would exempt from the definition of breach any
          of the following:
           - any unintentional access, as specified, of medical information
             by a workforce member or person acting under the authority of
             a licensed health facility, if that access was made in good
             faith, within the scope of authority, and does not result in
             further use or disclosure in a manner not permitted under
             state or federal laws;
           - any inadvertent disclosure by a person who is authorized to
             access medical information at a licensed health facility to
             another person authorized to access medical information at the
             same facility, or organized health care arrangement in which
             the licensed health facility participates, and the information
             received as a result of the disclosure is not further used or
             disclosed in a manner not permitted under state or federal
             laws; or
           - a disclosure of medical information when a licensed health
             facility has a good faith belief that an authorized person to
             whom the disclosure was made would not reasonably have been
             able to retain the information.

          This bill would provide that unless otherwise exempted from the
          definition of a breach of medical information, disclosure of  
          medical information in a manner not permitted under state or  
          federal laws is presumed to be a breach unless the facility  
          demonstrates that there is a low probability that the medical  
          information has been compromised based on a risk assessment of  
          the following factors:
           - the nature and extent of the medical information involved,
             including the types of identifiers and the likelihood of
             re-identification;
           - the unauthorized person who used the medical information or to
             whom the disclosure was made;
           - whether the medical information was actually acquired or
             viewed; and
           - the extent to which the risk to the medical information has
             been mitigated.

          This bill would provide that "detected" means that sufficient
          facts are known about an incident such that a reasonable person  
          would believe that a breach of a patient's medical information  
          has taken place.

                                        COMMENT
           
           1. Stated need for the bill
           
          According to the author: 

            Protections to secure personal health information are vital  
            and ensure patients can safely access needed health care  
            services. Unfortunately, the notification requirement in  
            California law overly burdens providers and clinics requiring  
            them to spend significant resources responding to minor and  
            inconsequential incidents that do not endanger patient privacy  
            but divert resources away from patient care. 

            Better aligning state law with the updated and thoroughly  
            vetted federal regulations will reduce the administrative  
            burden on health facilities, freeing up resources. This is  
            especially important in safety-net settings that serve the  
            increasing Medi-Cal population and the remaining uninsured.  
            The four part test and the option of alternate notification  
            method will protect privacy and ensure patients are adequately  
            alerted to serious medical information breaches. 

           2. Shifting focus from unauthorized disclosure to breach of
              patient medical information
           
          When a patient's medical information is disclosed to an  
          unauthorized person or entity, existing law requires  
          notification of the affected patient and the Department of  
          Public Health (Department) within 5 business days.  The author  
          argues that this notification requirement is excessive, takes  
          significant administrative resources, and is nearly impossible  
          because California does not allow for "risk assessment" and must  
          send a notification even in the event of a minor breach.  
          Accordingly, this bill would remove the requirement that a  
          facility notify the Department and the affected patient after an  
          unauthorized disclosure and instead require notification only in  
          the event of a "breach" of a patient's medical information.   
          "Breach" would be defined as the acquisition, access, use, or
          disclosure of unsecured medical information in a manner not
          permitted under state or federal health information privacy laws
          that compromises the security or privacy of the medical
          information.  This bill would also exempt a number of situations
          from the definition of "breach" and allow the facility to
          conduct a risk assessment to determine whether there is a low
          probability that the medical information was compromised.




                a. Situations exempted from definition of breach

                This bill would exempt the following situations from the  
               definition of breach: (1) unintentional access or use of  
               medical information by an employee that does not result in  
               further use or disclosure that would not be permitted under  
               federal or state law; (2) inadvertent disclosures by an  
               authorized person to another authorized person within the  
               same facility if the information is not further used or  
               disclosed in a manner not permitted under state or federal  
               law; or (3) a disclosure of medical information the  
               facility has a good faith belief that the unauthorized  
               person to whom the disclosure was made would not reasonably  
               have been able to retain the information.
                
                In opposition to this bill, the American Civil Liberties  
               Union (ACLU) argues that the bill would weaken data breach  
               reporting and notification regulations by changing the  
               focus from unauthorized disclosure to "breach" and  
               permitting the compromise of medical information under  
               certain circumstances.  Regarding the above exemptions, the  
               ACLU writes: 

                 [these exemptions] become especially problematic when
                 combined with the definition of "detect" ...  The bill
                 defines "detect" in such a way that detecting a breach is  
                 only possible at the conclusion of an investigation into  
                 the compromise of medical information.  When combined  
                 with the changes to the reporting and notification  
                 requirements in (b)(1) and (b)(2), this bill changes the  
                 point at which the reporting and notification  
                 requirements are triggered in significant ways that delay  
                 the reporting and notification.  The way the code is  
                 written now, a health facility has to notify the  
                 patient(s) involved and report to the department when it  
                 becomes aware of the compromise of medical information.   
                 This bill would change the trigger point so that the  
                 health facility would only need to report and notify  
                 after concluding its investigation into the compromise of  
                 medical information and determining that a breach has  
                 occurred.

                b. Ability of facility to conduct risk assessment and
                   forgo notification if probability of risk determined low

                This bill would provide that, except for the circumstances  
               described immediately above,  a disclosure of medical  
               information not permitted under state or federal law is  
               presumed to be a breach unless the facility demonstrates  
               that there is a low probability that the medical  
               information has been compromised based on a risk assessment  
               of a number of factors including (1) nature and extent of  
               the medical information involved, (2) the person to whom  
               the disclosure was made, (3) whether the medical  
               information was actually acquired or viewed, and (4) the  
               extent to which the risk to the medical information has  
               been mitigated.

               Thus, this bill would allow a facility where an  
               unauthorized disclosure has taken place to evaluate the  
               seriousness of the disclosure and whether or not to  
               designate it as a breach, thereby avoiding notification  
               requirements.  In opposition, the Consumer Federation of  
               California writes, "AB 1755 undermines the Health and  
               Safety Code's privacy standard by establishing a new  
               concept of a "breach" which the bill defines to eliminate  
               virtually every instance of medical privacy violation except
               for willful criminal theft of records, and further  
               exonerates most willful violations by entitling the health  
               care entity to use its own internal, subjective, and  
               ill-defined process to conclude that there is a likelihood  
               that no harm to a patient resulted."

          Given the concerns described above, the author offers amendments  
          which would maintain existing law, but clarify that the  
          Department has the discretion to investigate unauthorized  
          disclosures (see Comment 5).

           3. Time period for notification
           When an unauthorized disclosure of medical information has been  
          made, existing law requires that the patient and Department are  
          notified within five business days.  This bill would instead  
          provide that notification must be made, without unreasonable  
          delay, and in no case later than 60 calendar days. The author  
          argues that the "excessive notification requirement takes  
          significant administrative resources and with the short five day  
          timeline in California law, is nearly unworkable." In opposition  
          to this bill the Privacy Rights Clearinghouse writes:

            Medical data is among the most sensitive personal information  
            and is entitled to the highest level of legal protection.  
            Providers often also maintain other information (such as  
            Social Security numbers) about their patients that is also  
            considered sensitive.  This bill would significantly weaken  
            medical data breach reporting and notification standards in  
            California by increasing the delay in reporting unlawful  
            access or disclosure and to decrease the amount of actual  
            reporting of unauthorized access or disclosure... This bill would
            also increase the time period a provider has to report the  
            breach and notify patients from five business days to sixty  
            calendar days.   The notification window should remain closer  
            to the five day time frame.  This is necessary to enable  
            Californians to take appropriate steps to mitigate the harm  
            caused by the compromise of their medical information. 

          In response to those concerns, the author offers an amendment to  
          instead extend the timeframe in which a facility must notify a  
          patient from 5 to 15 business days (see Comment 5).  Those  
          amendments would give facilities more time to notify patients  
          than found under existing law, but ensure that patients receive  
          information early enough to address any negative consequences of  
          the unauthorized disclosure.  



           4. Alternative means of notification

           Under existing law, when a patient's medical information is  
          disclosed to an unauthorized individual, the facility is  
          required to report the unauthorized disclosure to the patient by  
          mail at his or her last known address.  This bill would also  
          allow notification by an alternative means, including email, or  
          at an alternative location if previously specified by the  
          patient in writing. 

          These provisions will ensure timely notification for patients  
          who check alternative means of communication more frequently  
          than mail, and greater privacy for patients who do not feel that  
          mail delivered to their home address is secure.     
           
           5. Author's amendments
           
          The author offers amendments which would restore Health & Safety  
          Code Section 1280.15 to existing law with a series of changes.   
          The changes would:  
           - clarify that the Department has discretion whether to
             investigate unauthorized disclosures of medical information;
           - extend the period in which an affected patient and the
             Department must be notified of an unauthorized disclosure from
             5 to 15 business days; and
           - allow notification by an alternative means or at an
             alternative location as specified by the patient or the
             patient's representative in writing.

          Support:  California Hospital Association; California Society of
          Anesthesiologists; Planned Parenthood Advocacy Project Los  
          Angeles County; Planned Parenthood Mar Monte; Planned Parenthood  
          of Orange and San Bernardino Counties; Planned Parenthood of  
          Santa Barbara, Ventura & San Luis Obispo Counties, Inc.; Planned  
          Parenthood of the Pacific Southwest; Planned Parenthood Pasadena  
          and San Gabriel Valley; Planned Parenthood Shasta Pacific Action  
          Fund; Six Rivers Planned Parenthood

          Opposition:  American Civil Liberties Union; Consumer Federation
          of California; Electronic Frontier Foundation

                                        HISTORY
           
          Source:  California Medical Association; Planned Parenthood
          Affiliates of California

          Related Pending Legislation:  None Known

          Prior Legislation:

          SB 337 (Alquist, Chapter 180, Statutes of 2009) among other  
          provisions, increased the requirement to report any unauthorized  
          disclosure of a patient's medical information to the affected  
          patient and the Department of Public Health from five days to  
          five business days. 
          AB 1298 (Snyder, Chapter 699, Statutes of 2007) subjected any  
          business organized to maintain medical information for purposes  
          of making that information available to an individual or to a  
          health care provider, as specified, to the provisions of the  
          Confidentiality of Medical Information Act (CMIA).

          Prior Vote:

          Senate Health Committee (Ayes 8, Noes 0)
          Assembly Floor (Ayes 75, Noes 0)
          Assembly Health Committee (Ayes 19, Noes 0)

                                   **************