Senate BillNo. 138


Introduced by Senator Hernandez

January 28, 2013


An act to amend Sections 56.05, 56.104, and 56.16 of, and to add Section 56.107 to, the Civil Code, to amend Sections 1280.15, 1627, 117928, 120985, 121010, and 130201 of the Health and Safety Code, and to amend Section 3208.05 of the Labor Code, relating to medical information.

LEGISLATIVE COUNSEL’S DIGEST

SB 138, as introduced, Hernandez. Confidentiality of medical information.

Existing federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes certain requirements relating to the provision of health insurance, and the protection of privacy of individually identifiable health information.

Existing state law, the Confidentiality of Medical Information Act, provides that medical information, as defined, may not be disclosed by providers of health care, health care service plans, or contractors, as defined, without the patient’s written authorization, subject to certain exceptions, including disclosure to a probate court investigator, as specified. A violation of the act resulting in economic loss or personal injury to a patient is a misdemeanor and subjects the violating party to liability for specified damages and administrative fines and penalties. The act defines various terms relevant to its implementation.

This bill would declare the intent of the Legislature to incorporate HIPAA standards into state law and to clarify standards for protecting the confidentiality of medical information in insurance transactions. The bill would define additional terms in connection with maintaining the confidentiality of this information, including an “authorization for insurance communications,” which an insured individual may submit for the purpose of specifying disclosable medical information and insurance transactions, and permissible recipients.

This bill would specify the manner in which a health care service plan or health insurer would be required to maintain confidentiality of information regarding the treatment of insured individuals less than 26 years of age who are insured as dependents on another person’s policy, the treatment of an insured individual involving sensitive services, as defined, or situations in which disclosure would endanger the insured individual, as defined.

This bill would specifically authorize a provider of health care to communicate information regarding benefit cost-sharing arrangements to the health care service plan or health insurer, as specified.

This bill would also prohibit the health care service plan or health insurer from conditioning enrollment in the plan or eligibility for benefits on the provision of an authorization for insurance communications. The bill also would make conforming technical changes. By expanding the scope of a crime, the bill would create a state-mandated local program.

The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.

This bill would provide that no reimbursement is required by this act for a specified reason.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: yes.

The people of the State of California do enact as follows:

P2    1

SECTION 1.  

The Legislature finds and declares all of the
2following:

3(a) Privacy is a fundamental right of all Californians, protected
4by the California Constitution, the federal Health Insurance
5Portability and Accountability Act (HIPAA; Public Law 104-191),
6and the Confidentiality of Medical Information Act, Part 2.6
7(commencing with Section 56) of Division 1 of the Civil Code.

8(b) Implementation of the recently enacted federal Patient
9Protection and Affordable Care Act (Public Law 111-148) will
10expand the number of individuals insured as dependents on a health
11insurance policy held in another person’s name, including adult
P3    1children under 26 years of age insured on a parent’s insurance
2policy.

3(c) HIPAA explicitly protects the confidentiality of medical
4care obtained by dependents insured under a health insurance
5policy held by another person.

6(d) Therefore, it is the intent of the Legislature in enacting this
7act to incorporate HIPAA standards into state law and to clarify
8the standards for protecting the confidentiality of medical
9information in insurance transactions.

10

SEC. 2.  

Section 56.05 of the Civil Code is amended to read:

11

56.05.  

For purposes of this part:

12(a) “Authorization” means permission granted in accordance
13with Section 56.11 or 56.21 for the disclosure of medical
14information.

begin insert

15(b) “Authorization for insurance communications” means
16permission from the individual, that meets the requirements of
17subdivisions (a) to (c), inclusive, of Section 56.11, specifying the
18medical information and insurance transactions that may be
19disclosed and the identity of the people to whom disclosures are
20permitted as part of an insurance communication.

end insert
begin delete

21(b)

end delete

22begin insert(c)end insert “Authorized recipient” means any person who is authorized
23to receive medical information pursuant to Section 56.10 or 56.20.

begin insert

24(d) “Confidential communications request” means a request
25by an insured individual that insurance communications be
26communicated by a specific method, such as by telephone, e-mail,
27or in a covered envelope rather than postcard, or to a specific
28mail or e-mail address or specific telephone number, as designated
29by the insured individual.

end insert
begin delete

30(c)

end delete

31begin insert(e)end insert “Contractor” means any person or entity that is a medical
32group, independent practice association, pharmaceutical benefits
33manager, or a medical service organization and is not a health care
34service plan or provider of health care. “Contractor” does not
35include insurance institutions as defined in subdivision (k) of
36Section 791.02 of the Insurance Code or pharmaceutical benefits
37managers licensed pursuant to the Knox-Keene Health Care Service
38Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340)
39of Division 2 of the Health and Safety Code).

begin insert

P4    1(f) “Endanger” means that the insured individual fears
2harassment or abuse resulting from an insurance communication
3sufficient to deter the patient from obtaining health care absent
4confidentiality.

end insert
begin delete

5(d)

end delete

6begin insert(g)end insert “Health care service plan” means any entity regulated
7pursuant to the Knox-Keene Health Care Service Plan Act of 1975
8(Chapter 2.2 (commencing with Section 1340) of Division 2 of
9the Health and Safety Code).

begin insert

10(h) “Health insurer” means an entity defined in Section 106 of
11the Insurance Code.

end insert
begin insert

12(i) “Insured individual” means a person entitled to coverage
13under a health care service plan or other health plan carrier,
14 including the policyholder and dependents.

end insert
begin insert

15(j) “Insurance communication” means any communication from
16the health care service plan or other health plan carrier to
17policyholders or insured individuals that discloses individually
18identifiable medical information. Insurance communication
19includes, but is not limited to, explanation of benefits forms,
20scheduling information, notices of denial, and notices of contested
21claims.

end insert
begin delete

22(e)

end delete

23begin insert(k)end insert “Licensed health care professional” means any person
24licensed or certified pursuant to Division 2 (commencing with
25Section 500) of the Business and Professions Code, the Osteopathic
26Initiative Act or the Chiropractic Initiative Act, or Division 2.5
27(commencing with Section 1797) of the Health and Safety Code.

begin delete

28(f)

end delete

29begin insert(l)end insert “Marketing” means to make a communication about a product
30or service that encourages recipients of the communication to
31purchase or use the product or service.

32“Marketing” does not include any of the following:

33(1) Communications made orally or in writing for which the
34communicator does not receive direct or indirect remuneration,
35including, but not limited to, gifts, fees, payments, subsidies, or
36other economic benefits, from a third party for making the
37communication.

38(2) Communications made to current enrollees solely for the
39purpose of describing a provider’s participation in an existing
40health care provider network or health plan network of a
P5    1Knox-Keene licensed health plan to which the enrollees already
2subscribe; communications made to current enrollees solely for
3the purpose of describing if, and the extent to which, a product or
4service, or payment for a product or service, is provided by a
5provider, contractor, or plan or included in a plan of benefits of a
6Knox-Keene licensed health plan to which the enrollees already
7subscribe; or communications made to plan enrollees describing
8the availability of more cost-effective pharmaceuticals.

9(3) Communications that are tailored to the circumstances of a
10particular individual to educate or advise the individual about
11treatment options, and otherwise maintain the individual’s
12adherence to a prescribed course of medical treatment, as provided
13in Section 1399.901 of the Health and Safety Code, for a chronic
14and seriously debilitating or life-threatening condition as defined
15in subdivisions (d) and (e) of Section 1367.21 of the Health and
16Safety Code, if the health care provider, contractor, or health plan
17receives direct or indirect remuneration, including, but not limited
18to, gifts, fees, payments, subsidies, or other economic benefits,
19from a third party for making the communication, if all of the
20following apply:

21(A) The individual receiving the communication is notified in
22the communication in typeface no smaller than 14-point type of
23the fact that the provider, contractor, or health plan has been
24remunerated and the source of the remuneration.

25(B) The individual is provided the opportunity to opt out of
26receiving future remunerated communications.

27(C) The communication contains instructions in typeface no
28smaller than 14-point type describing how the individual can opt
29out of receiving further communications by calling a toll-free
30number of the health care provider, contractor, or health plan
31making the remunerated communications. No further
32communication may be made to an individual who has opted out
33after 30 calendar days from the date the individual makes the opt
34out request.

begin delete

35(g)

end delete

36begin insert(m)end insert “Medical information” means any individually identifiable
37information, in electronic or physical form, in possession of or
38derived from a provider of health care, health care service plan,
39pharmaceutical company, or contractor regarding a patient’s
40medical history, mental or physical condition, or treatment.
P6    1“Individually identifiable” means that the medical information
2includes or contains any element of personal identifying
3information sufficient to allow identification of the individual,
4such as the patient’s name, address, electronic mail address,
5telephone number, or social security number, or other information
6that, alone or in combination with other publicly available
7information, reveals the individual’s identity.

begin insert

8(n) “Nondisclosure request” means a written request to withhold
9insurance communications that includes the insured individual’s
10name and address, description of the medical or other information
11that should not be disclosed, identity of the persons from whom
12information shall be withheld, and contact information for the
13individual for additional information or clarification necessary to
14satisfy the request.

end insert
begin delete

15(h)

end delete

16begin insert(o)end insert “Patient” means any natural person, whether or not still
17living, who received health care services from a provider of health
18care and to whom medical information pertains.

begin delete

19(i)

end delete

20begin insert(p)end insert “Pharmaceutical company” means any company or business,
21or an agent or representative thereof, that manufactures, sells, or
22distributes pharmaceuticals, medications, or prescription drugs.
23“Pharmaceutical company” does not include a pharmaceutical
24benefits manager, as included in subdivision (c), or a provider of
25health care.

begin delete

26(j)

end delete

27begin insert(q)end insert “Provider of health care” means any person licensed or
28certified pursuant to Division 2 (commencing with Section 500)
29of the Business and Professions Code; any person licensed pursuant
30to the Osteopathic Initiative Act or the Chiropractic Initiative Act;
31any person certified pursuant to Division 2.5 (commencing with
32Section 1797) of the Health and Safety Code; any clinic, health
33dispensary, or health facility licensed pursuant to Division 2
34(commencing with Section 1200) of the Health and Safety Code.
35“Provider of health care” does not include insurance institutions
36as defined in subdivision (k) of Section 791.02 of the Insurance
37Code.

begin insert

38(r) “Sensitive services” means prevention, counseling,
39diagnosis, and treatment related to sexual and reproductive health,
40including HIV/AIDS, substance use, and mental health.

end insert
P7    1

SEC. 3.  

Section 56.104 of the Civil Code is amended to read:

2

56.104.  

(a) Notwithstanding subdivision (c) of Section 56.10,
3except as provided in subdivision (e), no provider of health care,
4health care service plan, or contractor may release medical
5information to persons or entities who have requested that
6information and who are authorized by law to receive that
7information pursuant to subdivision (c) of Section 56.10, if the
8requested information specifically relates to the patient’s
9participation in outpatient treatment with a psychotherapist, unless
10the person or entity requesting that information submits to the
11patient pursuant to subdivision (b) and to the provider of health
12care, health care service plan, or contractor a written request, signed
13by the person requesting the information or an authorized agent
14of the entity requesting the information, that includes all of the
15following:

16(1) The specific information relating to a patient’s participation
17in outpatient treatment with a psychotherapist being requested and
18its specific intended use or uses.

19(2) The length of time during which the information will be
20kept before being destroyed or disposed of. A person or entity may
21extend that timeframe, provided that the person or entity notifies
22the provider, plan, or contractor of the extension. Any notification
23of an extension shall include the specific reason for the extension,
24the intended use or uses of the information during the extended
25time, and the expected date of the destruction of the information.

26(3) A statement that the information will not be used for any
27purpose other than its intended use.

28(4) A statement that the person or entity requesting the
29information will destroy the information and all copies in the
30person’s or entity’s possession or control, will cause it to be
31destroyed, or will return the information and all copies of it before
32or immediately after the length of time specified in paragraph (2)
33has expired.

34(b) The person or entity requesting the information shall submit
35a copy of the written request required by this section to the patient
36within 30 days of receipt of the information requested, unless the
37patient has signed a written waiver in the form of a letter signed
38and submitted by the patient to the provider of health care or health
39care service plan waiving notification.

P8    1(c) For purposes of this section, “psychotherapist” means a
2person who is both a “psychotherapist” as defined in Section 1010
3of the Evidence Code and a “provider of health care” as defined
4inbegin delete subdivision (i) ofend delete Section 56.05.

5(d) This section does not apply to the disclosure or use of
6medical information by a law enforcement agency or a regulatory
7agency when required for an investigation of unlawful activity or
8for licensing, certification, or regulatory purposes, unless the
9disclosure is otherwise prohibited by law.

10(e) This section shall not apply to any of the following:

11(1) Information authorized to be disclosed pursuant to paragraph
12(1) of subdivision (c) of Section 56.10.

13(2) Information requested from a psychotherapist by law
14enforcement or by the target of the threat subsequent to a disclosure
15by that psychotherapist authorized by paragraph (19) of subdivision
16(c) of Section 56.10, in which the additional information is clearly
17necessary to prevent the serious and imminent threat disclosed
18under that paragraph.

19(3) Information disclosed by a psychotherapist pursuant to
20paragraphs (14) and (22) of subdivision (c) of Section 56.10 and
21requested by an agency investigating the abuse reported pursuant
22to those paragraphs.

23(f) Nothing in this section shall be construed to grant any
24additional authority to a provider of health care, health care service
25plan, or contractor to disclose information to a person or entity
26without the patient’s consent.

27

SEC. 4.  

Section 56.107 is added to the Civil Code, to read:

28

56.107.  

(a) Notwithstanding any other law, and to the extent
29permitted by federal law, a health care service plan or health insurer
30shall take the following steps to protect the confidentiality of an
31insured individual’s medical information as follows:

32(1) A health care service plan or health insurer shall not send
33insurance communications relating to sensitive services:

34(A) Unless the plan or insurer has received an authorization for
35insurance communications from an insured individual who is under
3626 years of age and insured as a dependent on another person’s
37insurance policy.

38(B) For an insured individual to whom subparagraph (A) does
39not apply, if that insured individual has submitted a nondisclosure
40request.

P9    1(2) A health care service plan or health insurer shall comply
2with a confidential communications request regarding sensitive
3services from an insured individual.

4(3) A health care service plan or health insurer shall comply
5with a nondisclosure request or a confidential communications
6request from an insured individual who states that disclosure of
7health information will endanger the individual, and shall not
8require an explanation as to the basis for the insured individual’s
9statement that disclosure will endanger the individual.

10(b) Notwithstanding subdivision (a), the provider of health care
11may make arrangements with the insured individual for the
12payment of benefit cost sharing and communicate that arrangement
13 with the health care service plan or health insurer.

14(c) A health care service plan or health insurer shall not
15condition enrollment or coverage in the health plan or health
16insurance policy or eligibility for benefits on the provision of an
17authorization for insurance communications.

18

SEC. 5.  

Section 56.16 of the Civil Code is amended to read:

19

56.16.  

For disclosures not addressed by Section 56.1007, unless
20there is a specific written request by the patient to the contrary,
21nothing in this part shall be construed to prevent a general acute
22care hospital, as defined in subdivision (a) of Section 1250 of the
23Health and Safety Code, upon an inquiry concerning a specific
24patient, from releasing at its discretion any of the following
25information: the patient’s name, address, age, and sex; a general
26description of the reason for treatment (whether an injury, a burn,
27poisoning, or some unrelated condition); the general nature of the
28injury, burn, poisoning, or other condition; the general condition
29of the patient; and any information that is not medical information
30as defined inbegin delete subdivision (c) ofend delete Section 56.05.

31

SEC. 6.  

Section 1280.15 of the Health and Safety Code is
32amended to read:

33

1280.15.  

(a) A clinic, health facility, home health agency, or
34hospice licensed pursuant to Section 1204, 1250, 1725, or 1745
35shall prevent unlawful or unauthorized access to, and use or
36disclosure of, patients’ medical information, as defined in
37begin delete subdivision (g) ofend delete Section 56.05 of the Civil Code and consistent
38with Section 130203. For purposes of this section, internal paper
39records, electronic mail, or facsimile transmissions inadvertently
40misdirected within the same facility or health care system within
P10   1the course of coordinating care or delivering services shall not
2constitute unauthorized access to, or use or disclosure of, a patient’s
3medical information. The department, after investigation, may
4assess an administrative penalty for a violation of this section of
5up to twenty-five thousand dollars ($25,000) per patient whose
6medical information was unlawfully or without authorization
7accessed, used, or disclosed, and up to seventeen thousand five
8hundred dollars ($17,500) per subsequent occurrence of unlawful
9or unauthorized access, use, or disclosure of that patients’ medical
10information. For purposes of the investigation, the department
11shall consider the clinic’s, health facility’s, agency’s, or hospice’s
12history of compliance with this section and other related state and
13federal statutes and regulations, the extent to which the facility
14detected violations and took preventative action to immediately
15correct and prevent past violations from recurring, and factors
16outside its control that restricted the facility’s ability to comply
17with this section. The department shall have full discretion to
18consider all factors when determining the amount of an
19administrative penalty pursuant to this section.

20(b) (1) A clinic, health facility, home health agency, or hospice
21to which subdivision (a) applies shall report any unlawful or
22unauthorized access to, or use or disclosure of, a patient’s medical
23information to the department no later than five business days after
24the unlawful or unauthorized access, use, or disclosure has been
25detected by the clinic, health facility, home health agency, or
26hospice.

27(2) Subject to subdivision (c), a clinic, health facility, home
28health agency, or hospice shall also report any unlawful or
29unauthorized access to, or use or disclosure of, a patient’s medical
30information to the affected patient or the patient’s representative
31at the last known address, no later than five business days after
32the unlawful or unauthorized access, use, or disclosure has been
33detected by the clinic, health facility, home health agency, or
34hospice.

35(c) (1) A clinic, health facility, home health agency, or hospice
36shall delay the reporting, as required pursuant to paragraph (2) of
37subdivision (b), of any unlawful or unauthorized access to, or use
38or disclosure of, a patient’s medical information beyond five
39business days if a law enforcement agency or official provides the
40clinic, health facility, home health agency, or hospice with a written
P11   1or oral statement that compliance with the reporting requirements
2of paragraph (2) of subdivision (b) would likely impede the law
3enforcement agency’s investigation that relates to the unlawful or
4unauthorized access to, and use or disclosure of, a patient’s medical
5information and specifies a date upon which the delay shall end,
6not to exceed 60 days after a written request is made, or 30 days
7after an oral request is made. A law enforcement agency or official
8may request an extension of a delay based upon a written
9declaration that there exists a bona fide, ongoing, significant
10 criminal investigation of serious wrongdoing relating to the
11unlawful or unauthorized access to, and use or disclosure of, a
12patient’s medical information, that notification of patients will
13undermine the law enforcement agency’s investigation, and that
14specifies a date upon which the delay shall end, not to exceed 60
15days after the end of the original delay period.

16(2) If the statement of the law enforcement agency or official
17is made orally, then the clinic, health facility, home health agency,
18or hospice shall do the following:

19(A) Document the oral statement, including, but not limited to,
20the identity of the law enforcement agency or official making the
21oral statement and the date upon which the oral statement was
22made.

23(B) Limit the delay in reporting the unlawful or unauthorized
24access to, or use or disclosure of, the patient’s medical information
25to the date specified in the oral statement, not to exceed 30 calendar
26days from the date that the oral statement is made, unless a written
27statement that complies with the requirements of this subdivision
28is received during that time.

29(3) A clinic, health facility, home health agency, or hospice
30shall submit a report that is delayed pursuant to this subdivision
31not later than five business days after the date designated as the
32end of the delay.

33(d) If a clinic, health facility, home health agency, or hospice
34to which subdivision (a) applies violates subdivision (b), the
35department may assess the licensee a penalty in the amount of one
36hundred dollars ($100) for each day that the unlawful or
37unauthorized access, use, or disclosure is not reported to the
38department or the affected patient, following the initial five-day
39period specified in subdivision (b). However, the total combined
40penalty assessed by the department under subdivision (a) and this
P12   1subdivision shall not exceed two hundred fifty thousand dollars
2($250,000) per reported event. For enforcement purposes, it shall
3be presumed that the facility did not notify the affected patient if
4the notification was not documented. This presumption may be
5rebutted by a licensee only if the licensee demonstrates, by a
6preponderance of the evidence, that the notification was made.

7(e) In enforcing subdivisions (a) and (d), the department shall
8take into consideration the special circumstances of small and rural
9hospitals, as defined in Section 124840, and primary care clinics,
10as defined in subdivision (a) of Section 1204, in order to protect
11access to quality care in those hospitals and clinics. When assessing
12a penalty on a skilled nursing facility or other facility subject to
13Section 1423, 1424, 1424.1, or 1424.5, the department shall issue
14only the higher of either a penalty for the violation of this section
15or a penalty for violation of Section 1423, 1424, 1424.1, or 1424.5,
16not both.

17(f) All penalties collected by the department pursuant to this
18section, Sections 1280.1, 1280.3, and 1280.4, shall be deposited
19into the Internal Departmental Quality Improvement Account,
20which is hereby created within the Special Deposit Fund under
21Section 16370 of the Government Code. Upon appropriation by
22the Legislature, moneys in the account shall be expended for
23internal quality improvement activities in the Licensing and
24Certification Program.

25(g) If the licensee disputes a determination by the department
26regarding a failure to prevent or failure to timely report unlawful
27or unauthorized access to, or use or disclosure of, patients’ medical
28information, or the imposition of a penalty under this section, the
29licensee may, within 10 days of receipt of the penalty assessment,
30request a hearing pursuant to Section 131071. Penalties shall be
31paid when appeals have been exhausted and the penalty has been
32upheld.

33(h) In lieu of disputing the determination of the department
34regarding a failure to prevent or failure to timely report unlawful
35or unauthorized access to, or use or disclosure of, patients’ medical
36information, transmit to the department 75 percent of the total
37amount of the administrative penalty, for each violation, within
3830 business days of receipt of the administrative penalty.

P13   1(i) Notwithstanding any other law, the department may refer
2violations of this section to the Office of Health Information
3Integrity for enforcement pursuant to Section 130303.

4(j) For purposes of this section, the following definitions shall
5 apply:

6(1) “Reported event” means all breaches included in any single
7report that is made pursuant to subdivision (b), regardless of the
8number of breach events contained in the report.

9(2) “Unauthorized” means the inappropriate access, review, or
10viewing of patient medical information without a direct need for
11medical diagnosis, treatment, or other lawful use as permitted by
12the Confidentiality of Medical Information Act (Part 2.6
13(commencing with Section 56) of Division 1 of the Civil Code)
14or any other statute or regulation governing the lawful access, use,
15or disclosure of medical information.

16

SEC. 7.  

Section 1627 of the Health and Safety Code is amended
17to read:

18

1627.  

(a) (1) On or before July 1, 2011, the University of
19California is requested to develop a plan to establish and administer
20the Umbilical Cord Blood Collection Program for the purpose of
21collecting units of umbilical cord blood for public use in
22transplantation and providing nonclinical units for research
23pertaining to biology and new clinical utilization of stem cells
24derived from the blood and tissue of the placenta and umbilical
25cord. The program shall conclude no later than January 1, 2018.

26(2) For purposes of this article, “public use” means both of the
27following:

28(A) The collection of umbilical cord blood units from genetically
29diverse donors that will be owned by the University of California.
30This inventory shall be accessible by the National Registry and by
31qualified California-based and other United States and international
32registries and transplant centers to increase the likelihood of
33providing suitably matched donor cord blood units to patients or
34research participants who are in need of a transplant.

35(B) Cord blood units with a lower number of cells than deemed
36necessary for clinical transplantation and units that meet clinical
37requirements, but for other reasons are unsuitable, unlikely to be
38transplanted, or otherwise unnecessary for clinical use, may be
39made available for research.

P14   1(b) (1) In order to implement the collection goals of this
2program, the University of California may, commensurate with
3available funds appropriated to the University of California for
4this program, contract with one or more selected applicant entities
5that have demonstrated the competence to collect and ship cord
6blood units in compliance with federal guidelines and regulations.

7(2) It is the intent of the Legislature that, if the University of
8California contracts with another entity pursuant to this subdivision,
9the following shall apply:

10(A) The University of California may use a competitive process
11to identify the best proposals submitted by applicant entities to
12administer the collection and research objectives of the program,
13to the extent that the University of California chooses not to
14undertake these activities itself.

15(B) In order to qualify for selection under this section to receive,
16process, cryopreserve, or bank cord blood units, the entity shall,
17at a minimum, have obtained an investigational new drug (IND)
18exemption from the FDA or a biologic license from the FDA, as
19appropriate, to manufacture clinical grade cord blood stem cell
20units for clinical indications.

21(C) In order to qualify to receive appropriate cord blood units
22and placental tissue to advance the research goals of this program,
23an entity shall, at a minimum, be a laboratory recognized as having
24performed peer-reviewed research on stem and progenitor cells,
25including those derived from placental or umbilical cord blood
26and postnatal tissue.

27(3) A medical provider or research facility shall comply with,
28and shall be subject to, existing penalties for violations of all
29applicable state and federal laws with respect to the protection of
30any medical information, as defined inbegin delete subdivision (g) ofend delete Section
3156.05 of the Civil Code, and any personally identifiable information
32contained in the umbilical cord blood inventory.

33(c) The University of California is encouraged to make every
34effort to avoid duplication or conflicts with existing and ongoing
35programs and to leverage existing resources.

36(d) (1) All information collected pursuant to the program shall
37be confidential, and shall be used solely for the purposes of the
38program, including research. Access to confidential information
39shall be limited to authorized persons who are bound by appropriate
P15   1institutional policies or who otherwise agree, in writing, to maintain
2the confidentiality of that information.

3(2) Any person who, in violation of applicable institutional
4policies or a written agreement to maintain confidentiality,
5discloses any information provided pursuant to this section, or
6who uses information provided pursuant to this section in a manner
7other than as approved pursuant to this section, may be denied
8further access to any confidential information maintained by the
9University of California, and shall be subject to a civil penalty not
10exceeding one thousand dollars ($1,000). The penalty provided
11for in this section shall not be construed to limit or otherwise
12restrict any remedy, provisional or otherwise, provided by law for
13the benefit of the University of California or any other person
14covered by this section.

15(3) Notwithstanding the restrictions of this section, an individual
16to whom the confidential information pertains shall have access
17to his or her own personal information.

18(e) It is the intent of the Legislature that the plan and
19implementation of the program provide for both of the following:

20(1) Limit fees for access to cord blood units to the reasonable
21and actual costs of storage, handling, and providing units, as well
22as for related services such as donor matching and testing of cord
23blood and other programs and services typically provided by cord
24blood banks and public use programs.

25(2) The submittal of the plan developed pursuant to subdivision
26(a) to the health and fiscal committees of the Legislature.

27(f) It is additionally the intent of the Legislature that the plan
28and implementation of the program attempt to provide for all of
29the following:

30(1) Development of a strategy to increase voluntary participation
31by hospitals in the collection and storage of umbilical cord blood
32and identify funding sources to offset the financial impact on
33hospitals.

34(2) Consideration of a medical contingency response program
35to prepare for and respond effectively to biological, chemical, or
36radiological attacks, accidents, and other public health emergencies
37where victims potentially benefit from treatment.

38(3) Exploration of the feasibility of operating the program as a
39self-funding program, including the potential for charging users a
40reimbursement fee.

P16   1

SEC. 8.  

Section 117928 of the Health and Safety Code is
2amended to read:

3

117928.  

(a)  Any common storage facility for the collection
4of medical waste produced by small quantity generators operating
5independently, but sharing common storage facilities, shall have
6a permit issued by the enforcement agency.

7(b)  A permit for any common storage facility specified in
8subdivision (a) may be obtained by any one of the following:

9(1)  A provider of health care as defined inbegin delete subdivision (d) ofend delete
10 Section 56.05 of the Civil Code.

11(2)  The registered hazardous waste transporter.

12(3)  The property owner.

13(4)  The property management firm responsible for providing
14tenant services to the medical waste generators.

15

SEC. 9.  

Section 120985 of the Health and Safety Code is
16amended to read:

17

120985.  

(a)  Notwithstanding Section 120980, the results of
18an HIV test that identifies or provides identifying characteristics
19of the person to whom the test results apply may be recorded by
20the physician who ordered the test in the test subject’s medical
21record or otherwise disclosed without written authorization of the
22subject of the test, or the subject’s representative as set forth in
23Section 121020, to the test subject’s providers of health care, as
24defined inbegin delete subdivision (d) ofend delete Section 56.05 of the Civil Code, for
25purposes of diagnosis, care, or treatment of the patient, except that
26for purposes of this section “providers of health care” does not
27include a health care service plan regulated pursuant to Chapter
282.2 (commencing with Section 1340) of Division 2.

29(b)  Recording or disclosure of HIV test results pursuant to
30subdivision (a) does not authorize further disclosure unless
31otherwise permitted by law.

32

SEC. 10.  

Section 121010 of the Health and Safety Code is
33amended to read:

34

121010.  

Notwithstanding Section 120975 or 120980, the results
35of a blood test to detect antibodies to the probable causative agent
36of AIDS may be disclosed to any of the following persons without
37written authorization of the subject of the test:

38(a) To the subject of the test or the subject’s legal representative,
39conservator, or to any person authorized to consent to the test
40pursuant to subdivision (b) of Section 120990.

P17   1(b) To a test subject’s provider of health care, as defined in
2begin delete subdivision (d) ofend delete Section 56.05 of the Civil Code, except that for
3purposes of this section, “provider of health care” does not include
4a health care service plan regulated pursuant to Chapter 2.2
5(commencing with Section 1340) of Division 2.

6(c) To an agent or employee of the test subject’s provider of
7health care who provides direct patient care and treatment.

8(d) To a provider of health care who procures, processes,
9distributes, or uses a human body part donated pursuant to the
10Uniform Anatomical Gift Act (Chapter 3.5 (commencing with
11Section 7150) of Part 1 of Division 7).

12(e) (1) To the designated officer of an emergency response
13employee, and from that designated officer to an emergency
14response employee regarding possible exposure to HIV or AIDS,
15but only to the extent necessary to comply with provisions of the
16Ryan White Comprehensive AIDS Resources Emergency Act of
171990 (P.L. 101-381; 42 U.S.C. Sec. 201).

18(2) For purposes of this subdivision, “designated officer” and
19“emergency response employee” have the same meaning as these
20terms are used in the Ryan White Comprehensive AIDS Resources
21Emergency Act of 1990 (P.L. 101-381; 42 U.S.C. Sec. 201).

22(3) The designated officer shall be subject to the confidentiality
23requirements specified in Section 120980, and may be personally
24liable for unauthorized release of any identifying information about
25the HIV results. Further, the designated officer shall inform the
26exposed emergency response employee that the employee is also
27subject to the confidentiality requirements specified in Section
28120980, and may be personally liable for unauthorized release of
29any identifying information about the HIV test results.

30

SEC. 11.  

Section 130201 of the Health and Safety Code is
31amended to read:

32

130201.  

For purposes of this division, the following definitions
33apply:

34(a) “Director” means the Director of the Office of Health
35Information Integrity.

36(b) “Medical information” means the term as defined in
37begin delete subdivision (g) ofend delete Section 56.05 of the Civil Code.

38(c) “Office” means the Office of Health Information Integrity.

P18   1(d) “Provider of health care” means the term as defined in
2begin delete subdivision (j) of Section 56.05 and Sectionend deletebegin insert Sections 56.05 andend insert
3 56.06 of the Civil Code.

4(e) “Unauthorized access” means the inappropriate review or
5viewing of patient medical information without a direct need for
6diagnosis, treatment, or other lawful use as permitted by the
7Confidentiality of Medical Information Act (Part 2.6 (commencing
8with Section 56) of Division 1 of the Civil Code) or by other
9statutes or regulations governing the lawful access, use, or
10disclosure of medical information.

11

SEC. 12.  

Section 3208.05 of the Labor Code is amended to
12read:

13

3208.05.  

(a) “Injury” includes a reaction to or a side effect
14arising from health care provided by an employer to a health care
15worker, which health care is intended to prevent the development
16or manifestation of any bloodborne disease, illness, syndrome, or
17condition recognized as occupationally incurred by Cal-OSHA,
18the Federal Centers for Disease Control, or other appropriate
19governmental entities. This section shall apply only to preventive
20health care that the employer provided to a health care worker
21under the following circumstances: (1) prior to an exposure because
22of risk of occupational exposure to such a disease, illness,
23syndrome, or condition, or (2) where the preventive care is
24provided as a consequence of a documented exposure to blood or
25bodily fluid containing blood that arose out of and in the course
26of employment. Such a disease, illness, syndrome, or condition
27includes, but is not limited to, hepatitis, and the human
28immunodeficiency virus. Such preventive health care, and any
29disability indemnity or other benefits required as a result of the
30preventive health care provided by the employer, shall be
31compensable under the workers’ compensation system. The
32employer may require the health care worker to document that the
33employer provided the preventive health care and that the reaction
34or side effects arising from the preventive health care resulted in
35lost work time, health care costs, or other costs normally
36compensable under workers’ compensation.

37(b) The benefits of this section shall not be provided to a health
38care worker for a reaction to or side effect from health care
39intended to prevent the development of the human
40immunodeficiency virus if the worker claims a work-related
P19   1exposure and if the worker tests positive within 48 hours of that
2exposure to a test to determine the presence of the human
3immunodeficiency virus.

4(c) For purposes of this section, “health care worker” includes
5any person who is an employee of a provider of health care as
6defined inbegin delete subdivision (d) ofend delete Section 56.05 of the Civil Code, and
7who is exposed to human blood or other bodily fluids contaminated
8with blood in the course of employment, including, but not limited
9to, a registered nurse, a licensed vocational nurse, a certified nurse
10aide, clinical laboratory technologist, dental hygienist, physician,
11janitor, and housekeeping worker. “Health care worker” does not
12include an employee who provides employee health services for
13an employer primarily engaged in a business other than providing
14health care.

15

SEC. 13.  

No reimbursement is required by this act pursuant to
16Section 6 of Article XIII B of the California Constitution because
17the only costs that may be incurred by a local agency or school
18district will be incurred because this act creates a new crime or
19infraction, eliminates a crime or infraction, or changes the penalty
20for a crime or infraction, within the meaning of Section 17556 of
21the Government Code, or changes the definition of a crime within
22the meaning of Section 6 of Article XIII B of the California
23Constitution.



O

    99