BILL ANALYSIS
-----------------------------------------------------------------
|SENATE RULES COMMITTEE | AB 1755|
|Office of Senate Floor Analyses | |
|1020 N Street, Suite 524 | |
|(916) 651-1520 Fax: (916) 327-4478 | |
-----------------------------------------------------------------
THIRD READING
Bill No: AB 1755
Author: Gomez (D)
Amended: 8/4/14 in Senate
Vote: 21
SENATE HEALTH COMMITTEE : 8-0, 6/18/14
AYES: Hernandez, Morrell, Beall, DeSaulnier, Evans, Monning,
Nielsen, Wolk
NO VOTE RECORDED: De León
SENATE JUDICIARY COMMITTEE : 7-0, 6/24/14
AYES: Jackson, Anderson, Corbett, Lara, Leno, Monning, Vidak
ASSEMBLY FLOOR : 75-0, 5/23/14 - See last page for vote
SUBJECT : Medical information
SOURCE : California Medical Association
Planned Parenthood Affiliates of California
DIGEST : This bill revises provisions of law requiring
licensed health facilities to prevent disclosure of patients'
medical information by extending the deadline for health
facilities to report unauthorized disclosures from five to 15
business days after unlawful or unauthorized access, use, or
disclosure has been detected, and authorizes the report made to
the patient or the patient's representative to be made by
alternative means, including email, as specified. The bill also
requires a delayed report for law enforcement purposes to be
made within 15 business days of the end of the delay. The bill
gives the Department of Health (DPH) full discretion to consider
all factors when determining whether to investigate under these
provisions.
Senate Floor Amendments of 8/4/14 add language to avoid
chaptering out issues in the event that this bill, AB 1462
(Assembly Budget Committee), and SB 857 (Senate Budget
Committee) are enacted.
ANALYSIS : Existing law:
1.Licenses clinics, health facilities, home health agencies, and
hospices through DPH.
2.Requires a licensed clinic, health facility, home health
agency, or hospice (collectively, licensed health
facilities) to prevent unlawful or unauthorized access to, and use or
disclosure of, patients' medical information, as defined in
the Confidentiality of Medical Information Act (CMIA).
3.Permits DPH, after investigation, to assess an administrative
penalty of $25,000 per patient whose medical information was
unlawfully accessed or disclosed, and up to $17,500 per
subsequent occurrence of unlawful access or disclosure of that
patient's medical information.
4.Requires a licensed health facility to report any unlawful or
unauthorized access to, or use or disclosure of, a patient's
medical information to DPH no later than five business days
after the unlawful or unauthorized access, use, or disclosure
has been detected by the facility.
5.Requires a licensed health facility to report any unlawful
access or unauthorized access to, or use or disclosure of, a
patient's medical information to the affected patient or the
patient's representative at the last known address, no later
than five business days after the unlawful access, use, or
disclosure has been detected, except under specified
circumstances.
6.Specifies that for purposes of the provisions of existing law
in #2 through #5 above, internal paper records, electronic
mail, or facsimile transmissions inadvertently misdirected
within the same facility or health care system within the
course of coordinating care or delivering services do not
constitute unauthorized access to, or use or disclosure of, a
patient's medical information.
7.Establishes the CMIA, which prohibits a health care provider,
health care service plan, or contractor from disclosing
medical information regarding a patient without first
obtaining authorization. Defines "medical information" as any
individually identifiable information, in electronic or
physical form, in possession of, or derived from, a health
care provider, health plan, pharmaceutical company, or
contractor regarding a patient's medical history, mental or
physical condition, or treatment.
8.Authorizes, under CMIA, administrative fines and civil
penalties, ranging from $1,000 to $250,000, against any person
or entity that negligently discloses, or knowingly and
willfully obtains, discloses, or uses medical information in
violation of its provisions. Authorizes the Attorney General,
any district attorney, any county counsel acting pursuant to
an agreement with the district attorney, or a city attorney,
to seek civil penalties for violations of CMIA.
This bill:
1.Authorizes DPH to have full discretion to consider all factors
when determining whether to investigate any unlawful or
unauthorized disclosure of patients' medical information and
the amount of an administrative penalty, if any, as specified.
2.Requires a licensed health facility to report any unlawful or
unauthorized access to, or use or disclosure of, a patient's
medical information to DPH no later than 15 business days
after the unlawful or unauthorized access, use, or disclosure
has been detected.
3.Permits a licensed health facility when reporting any unlawful
or unauthorized access to, or use or disclosure of, a
patient's medical information to the affected patient or the
patient's representative to also be completed by an
alternative means or at an alternative location as specified
by the patient or the patient's representative in writing, no
later than 15 business days after the unlawful or unauthorized
access, use, or disclosure has been detected by the clinic,
health facility, home health agency, or hospice. Specifies
that this notice may be provided by email only if the patient
has previously agreed in writing to electronic notice by
email.
4.Requires a licensed health facility to delay the reporting of
any unlawful or unauthorized access to, or use or disclosure
of, a patient's medical information beyond 15 business days,
as specified, and not later than 15 business days after the
date designated as the end of the delay.
5.Permits DPH to assess the licensee a penalty in the amount of
$100 for each day that the unlawful or unauthorized access,
use, or disclosure is not reported to DPH or the affected
patient, following the initial 15-day period, as specified.
Background
Federal Law . The Health Information Portability and
Accountability Act of 1996 (HIPAA) established federal
protections for patients' health information held by "covered
entities" and any "business associates" that a covered entity
engages to help it carry out its health
care activities. A covered entity can be a provider, a health
plan, or a health care clearinghouse that processes health
information it receives from another entity. While HIPAA
establishes a federal floor for minimum privacy protections,
states are permitted to enact laws that provide greater privacy
protections or rights.
In 2009, as part of the American Recovery and Reinvestment Act,
the Health Information Technology for Economic and Clinical
Health (HITECH) Act was enacted to promote and expand the
adoption of health information technology. Among other
provisions, the HITECH Act, under the implementing regulations
adopted in January 2013, requires HIPAA covered entities to
provide notification to affected individuals within 60 days
following the discovery of a breach of medical information. If
the breach affects 500 or more individuals, the covered entity
must report this breach to the media and to the Secretary of HHS
within 60 days. Breaches affecting fewer than 500 individuals
are required to be reported to HHS on an annual basis.
Prior Legislation
AB 541 (Alquist, Chapter 605, Statutes of 2008) requires health
care facilities to prevent unlawful or unauthorized access to,
use, or disclosure of, patients' medical information and
establishes safeguards to protect the privacy of patients'
medical information.
AB 211 (Jones, Chapter 602, Statutes of 2008) establishes an
Office of Health Information Integrity to ensure the enforcement
of state confidentiality of medical information, to impose
administrative fines for the unauthorized use of medical
information upon referral from DPH, and requires health care
providers to establish and implement appropriate administrative,
technical, and physical safeguards to protect the privacy of
patients' medical information.
AB 439 (Skinner, Chapter 437, Statutes of 2012) provides an
affirmative defense for civil actions taken under CMIA, such
that the plaintiff may not be awarded nominal damages if the
defendant establishes that defense, as specified.
FISCAL EFFECT : Appropriation: No Fiscal Com.: No Local: No
SUPPORT : (Verified 8/5/14)
California Medical Association (co-source)
Planned Parenthood Affiliates of California (co-source)
California Hospital Association
California Society of Anesthesiologists
Planned Parenthood Advocacy Project Los Angeles County
Planned Parenthood Mar Monte
Planned Parenthood of Orange and San Bernardino Counties
Planned Parenthood of Santa Barbara, Ventura & San Luis Obispo
Counties, Inc.
Planned Parenthood of the Pacific Southwest
Planned Parenthood Pasadena and San Gabriel Valley
Planned Parenthood Shasta Pacific Action Fund
Six Rivers Planned Parenthood
ARGUMENTS IN SUPPORT : This bill is co-sponsored by Planned
Parenthood Affiliates of California (PPAC) and the California
Medical Association (CMA). PPAC states that the changes to
current law related to unlawful or unauthorized access to, and
use or disclosure of, a patient's medical information help limit
the burden on facilities when reporting and responding to
breaches of medical information while increasing protections for
patient confidentiality.
CMA believes that at a time when managing health care costs and
maintaining access to care are essential, this bill ensures
patients are adequately alerted to serious medical information
breaches and, given the sensitivity of medical information,
ensures that patients have the option of designating an
alternate address where notices can be sent or received.
ASSEMBLY FLOOR : 75-0, 5/23/14
AYES: Achadjian, Alejo, Allen, Ammiano, Bigelow, Bloom,
Bocanegra, Bonta, Bradford, Brown, Buchanan, Ian Calderon,
Campos, Chau, Chávez, Chesbro, Conway, Cooley, Dababneh,
Dahle, Daly, Dickinson, Donnelly, Eggman, Fong, Fox, Frazier,
Beth Gaines, Garcia, Gatto, Gomez, Gonzalez, Gordon, Gorell,
Gray, Grove, Hagman, Hall, Holden, Jones, Jones-Sawyer,
Levine, Linder, Logue, Lowenthal, Maienschein, Mansoor,
Medina, Melendez, Mullin, Muratsuchi, Nazarian, Nestande,
Olsen, Pan, Patterson, Perea, John A. Pérez, Quirk,
Quirk-Silva, Rendon, Ridley-Thomas, Rodriguez, Salas, Skinner,
Stone, Ting, Wagner, Waldron, Weber, Wieckowski, Wilk,
Williams, Yamada, Atkins
NO VOTE RECORDED: Bonilla, Harkey, Roger Hernández, V. Manuel
Pérez, Vacancy
JL:nl 8/5/14 Senate Floor Analyses
SUPPORT/OPPOSITION: SEE ABOVE
**** END ****