BILL ANALYSIS                                                                                                                                                                                                    Ó



                                                                            



           ----------------------------------------------------------------- 
          |SENATE RULES COMMITTEE            |                       AB 1755|
          |Office of Senate Floor Analyses   |                              |
          |1020 N Street, Suite 524          |                              |
          |(916) 651-1520         Fax: (916) |                              |
          |327-4478                          |                              |
           ----------------------------------------------------------------- 
           
                                           
                                    THIRD READING


          Bill No:  AB 1755
          Author:   Gomez (D)
          Amended:  7/1/14 in Senate
          Vote:     21

           
           SENATE HEALTH COMMITTEE  :  8-0, 6/18/14
          AYES:  Hernandez, Morrell, Beall, DeSaulnier, Evans, Monning,  
            Nielsen, Wolk
          NO VOTE RECORDED:  De León

           SENATE JUDICIARY COMMITTEE  :  7-0, 6/24/14
          AYES:  Jackson, Anderson, Corbett, Lara, Leno, Monning, Vidak

           ASSEMBLY FLOOR  :  75-0, 5/23/14 - See last page for vote


           SUBJECT  :    Medical information

           SOURCE  :     California Medical Association
                      Planned Parenthood Affiliates of California


           DIGEST  :    This bill revises provisions of law requiring  
          licensed health facilities to prevent disclosure of patients  
          medical information by extending the deadline for health  
          facilities to report unauthorized disclosures from five to 15  
          business days after unlawful or unauthorized access, use, or  
          disclosure has been detected, and authorizes the report made to  
          the patient or the patient's representative to be made by  
          alternative means, including email, as specified.  The bill also  
          requires a delayed report for law enforcement purposes to be  
          made within 15 business days of the end of the delay.  The bill  
                                                                CONTINUED





                                                                    AB 1755
                                                                     Page  
          2

          gives the Department of Health (DPH) full discretion to consider  
          all factors when determining whether to investigate under these  
          provisions.

           
          ANALYSIS  :    Existing law:

          1.Licenses clinics, health facilities, home health agencies, and  
            hospices through DPH.

          2.Requires a licensed clinic, health facility, home health  
            agency, or hospice to prevent (collectively, licensed health  
            facilities) unlawful or unauthorized access to, and use or  
            disclosure of, patients' medical information, as defined in  
            the Confidentiality of Medical   Information Act (CMIA).

          3.Permits DPH, after investigation, to assess an administrative  
            penalty of $25,000 per patient whose medical information was  
            unlawfully accessed or disclosed, and up to $17,500 per  
            subsequent occurrence of unlawful access or disclosure of that  
            patient's medical information.

          4.Requires a licensed health facility to report any unlawful or  
            unauthorized access to, or use or disclosure of, a patient's  
            medical information to DPH no later than five business days  
            after the unlawful or unauthorized access, use, or disclosure  
            has been detected by the facility.

          5.Requires a licensed health facility to report any unlawful  
            access or unauthorized access to, or use or disclosure of, a  
            patient's medical information to the affected patient or the  
            patient's representative at the last known address, no later  
            than five business days after the unlawful access, use, or  
            disclosure has been detected, except under specified  
            circumstances.

          6.Specifies that for purposes of the provisions of existing law  
            in #2 through #5 above, internal paper records, electronic  
            mail, or facsimile transmissions inadvertently misdirected  
            within the same facility or health care system within the  
            course of coordinating care or delivering services does not  
            constitute unauthorized access to, or use or disclosure of, a  
            patient's medical information.


                                                                CONTINUED





                                                                    AB 1755
                                                                     Page  
          3

          7.Establishes the CMIA, which prohibits a health care provider,  
            health care service plan, or contractor from disclosing  
            medical information regarding a patient without first  
            obtaining authorization. Defines "medical information" as any  
            individually identifiable information, in electronic or  
            physical form, in possession of, or derived from, a health  
            care provider, health plan, pharmaceutical company, or  
            contractor regarding a patient's medical history, mental or  
            physical condition, or treatment.

          8.Authorizes, under CMIA, administrative fines and civil  
            penalties, ranging from $1,000 to $250,000, against any person  
            or entity that negligently discloses, or knowingly and  
            willfully obtains, discloses, or uses medical information in  
            violation of its provisions. Authorizes the Attorney General,  
            any district attorney, any county counsel acting pursuant to  
            an agreement with the district attorney, or a city attorney,  
            to seek civil penalties for violations of CMIA.

          This bill:

          1.Authorizes DPH to have full discretion to consider all factors  
            when determining whether to investigate any unlawful or  
            unauthorized disclosure of patients' medical information and  
            the amount of an administrative penalty, if any, as specified.

          2.Requires a licensed health facility to report any unlawful or  
            unauthorized access to, or use or disclosure of, a patient's  
            medical information to DPH no later than 15 business days  
            after the unlawful or unauthorized access, use, or disclosure  
            has been detected. 

          3.Permits a licensed health facility when reporting any unlawful  
            or unauthorized access to, or use or disclosure of, a  
            patient's medical information to the affected patient or the  
            patient's representative to also be completed by an  
            alternative means or at an alternative location as specified  
            by the patient or the patient's representative in writing, no  
            later than 15 business days after the unlawful or unauthorized  
            access, use, or disclosure has been detected by the clinic,  
            health facility, home health agency, or hospice.  Specifies  
            that this notice may be provided by email only if the patient  
            has previously agreed in writing to electronic notice by  
            email.

                                                                CONTINUED





                                                                    AB 1755
                                                                     Page  
          4


          4.Requires a licensed health facility to delay the reporting of  
            any unlawful or unauthorized access to, or use or disclosure  
            of, a patient's medical information beyond 15 business days,  
            as specified, and not later than 15 business days after the  
            date designated as the end of the delay. 

          5.Permits DPH to assess the licensee a penalty in the amount of  
            $100 for each day that the unlawful or unauthorized access,  
            use, or disclosure is not reported to DPH or the affected  
            patient, following the initial 15-day period, as specified. 

          6.Specifies that notwithstanding any other law, DPH may refer  
            violations of these provisions to the Office of Health  
            Information Integrity for enforcement.

           Background

          Federal Law  .  HIPAA established federal protections for  
          patient's health information held by "covered entities" and any  
          "business associates" that the covered entity that a covered  
          entity engages to help it carry out its health care activities.  
          A covered entity can be a provider, a health plan, or a health  
          care clearinghouse that processes health information it receives  
          from another entity. While HIPAA establishes a federal floor for  
          minimum privacy protections, states are permitted to enact laws  
          that provide greater privacy protections or rights. 

          In 2009, as part of the American Recovery and Reinvestment Act,  
          the Health Information Technology for Economic and Clinical  
          Health (HITECH) Act was enacted to promote and expand the  
          adoption of health information technology. Among other  
          provisions, the HITECH Act, under the implementing regulations  
          adopted in January 2013, requires HIPAA covered entities to  
          provide notification to affected individuals within 60 days  
          following the discovery of a breach of medical information. If  
          the breach affects 500 or more individuals, the covered entity  
          must report this breach to the media and to the Secretary of HHS  
          within 60 days. Breaches affecting fewer than 500 individuals  
          are required to be reported to HHS on an annual basis. 

           Prior Legislation

           AB 541 (Alquist, Chapter 605, Statutes of 2008) requires health  

                                                                CONTINUED





                                                                    AB 1755
                                                                     Page  
          5

          care facilities to prevent unlawful or unauthorized access to,  
          use, or disclosure of, patients' medical information and  
          established safeguards to protect the privacy of patients'  
          medical information.  

          AB 211 (Jones, Chapter 602, Statutes of 2008) establishes an  
          Office of Health Information Integrity to ensure the enforcement  
          of state confidentiality of medical information, to impose  
          administrative fines for the unauthorized use of medical  
          information upon referral from DPH, and required health care  
          providers to establish and implement appropriate administrative,  
          technical, and physical safeguards to protect the privacy of  
          patient's medical information.  

          AB 439 (Skinner, Chapter 437, Statutes of 2012) provides an  
          affirmative defense for civil actions taken under CMIA, such  
          that the plaintiff may not be awarded nominal damages if the  
          defendant establishes that defense, as specified.
          
           FISCAL EFFECT  :    Appropriation:  No   Fiscal Com.:  No   Local:  
           No

           SUPPORT  :   (Verified  7/2/14)

          California Medical Association (co-source)
          Planned Parenthood Affiliates of California (co-source)
          California Hospital Association
          California Society of Anesthesiologists
          Planned Parenthood Advocacy Project Los Angeles County
          Planned Parenthood Mar Monte
          Planned Parenthood of Orange and San Bernardino Counties 
          Planned Parenthood of Santa Barbara, Ventura & San Luis Obispo  
          Counties, Inc.
          Planned Parenthood of the Pacific Southwest
          Planned Parenthood Pasadena and San Gabriel Valley
          Planned Parenthood Shasta Pacific Action Fund
          Six Rivers Planned Parenthood

           ARGUMENTS IN SUPPORT  :    This bill is co-sponsored by Planned  
          Parenthood Affiliates of California (PPAC) and the California  
          Medical Association (CMA).  PPAC states that the changes to  
          current law related to unlawful or unauthorized access to, and  
          use or disclosure of, a patient's medical information help limit  
          the burden on facilities when reporting and responding to  

                                                                CONTINUED





                                                                    AB 1755
                                                                     Page  
          6

          breaches of medical information while increasing protections for  
          patient confidentiality. 

          CMA believes that at a time when managing health care costs and  
          maintaining access to care are essential, this bill ensures  
          patients are adequately altered to serious medical information  
          breaches and given the sensitivity of medical information,  
          ensures that patients have the option of designating an  
          alternate address where notices can be sent or received.  

           ASSEMBLY FLOOR  :  75-0, 5/23/14
          AYES:  Achadjian, Alejo, Allen, Ammiano, Bigelow, Bloom,  
            Bocanegra, Bonta, Bradford, Brown, Buchanan, Ian Calderon,  
            Campos, Chau, Chávez, Chesbro, Conway, Cooley, Dababneh,  
            Dahle, Daly, Dickinson, Donnelly, Eggman, Fong, Fox, Frazier,  
            Beth Gaines, Garcia, Gatto, Gomez, Gonzalez, Gordon, Gorell,  
            Gray, Grove, Hagman, Hall, Holden, Jones, Jones-Sawyer,  
            Levine, Linder, Logue, Lowenthal, Maienschein, Mansoor,  
            Medina, Melendez, Mullin, Muratsuchi, Nazarian, Nestande,  
            Olsen, Pan, Patterson, Perea, John A. Pérez, Quirk,  
            Quirk-Silva, Rendon, Ridley-Thomas, Rodriguez, Salas, Skinner,  
            Stone, 




            Ting, Wagner, Waldron, Weber, Wieckowski, Wilk, Williams,  
            Yamada, Atkins
          NO VOTE RECORDED:  Bonilla, Harkey, Roger Hernández, V. Manuel  
            Pérez, Vacancy


          JL:nl  7/2/14   Senate Floor Analyses 

                           SUPPORT/OPPOSITION:  SEE ABOVE

                                   ****  END  ****








                                                                CONTINUED