Amended in Senate April 8, 2013

Amended in Senate March 13, 2013

Senate BillNo. 138


Introduced by Senator Hernandez

(Coauthors: Senators DeSaulnier and Leno)

January 28, 2013


An act to amend Sections 56.05, 56.104, and 56.16 of, and to add Section 56.107 to, the Civil Code, to amend Sections 1280.15, 1627, 117928, 120985, 121010, and 130201 of the Health and Safety Code,begin insert to add Section 791.29 to the Insurance Code,end insert and to amend Section 3208.05 of the Labor Code, relating to medical information.

LEGISLATIVE COUNSEL’S DIGEST

SB 138, as amended, Hernandez. Confidentiality of medical information.

Existing federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes certain requirements relating to the provision of health insurance, and the protection of privacy of individually identifiable health information.

Existing state law, the Confidentiality of Medical Information Act, provides that medical information, as defined, may not be disclosed by providers of health care, health care service plans, or contractors, as defined, without the patient’s written authorization, subject to certain exceptions, including disclosure to a probate court investigator, as specified. A violation of the act resulting in economic loss or personal injury to a patient is a misdemeanor and subjects the violating party to liability for specified damages and administrative fines and penalties. The act defines various terms relevant to its implementation.

This bill would declare the intent of the Legislature to incorporate HIPAA standards into state law and to clarify standards for protecting the confidentiality of medical information in insurance transactions. The bill would define additional terms in connection with maintaining the confidentiality of this information, including an “authorization for insurance communications,” which an insured individual may submit for the purpose of specifying disclosable medical information and insurance transactions, and permissible recipients.

This bill would specify the manner in which a health care service plan or health insurer would be required to maintain confidentiality of information regarding the treatment of insured individuals less than 26 years of age who are insured as dependents on another person’s policy, the treatment of an insured individual involving sensitive services, as defined, or situations in which disclosure would endanger the insured individual, as defined.

This bill would specifically authorize a provider of health care to communicate information regarding benefit cost-sharing arrangements to the health care service plan or health insurer, as specified.

This bill would also prohibit the health care service plan or health insurer from conditioning enrollment in the plan or eligibility for benefits on the provision of an authorization for insurance communications. The bill also would make conforming technical changes. By expanding the scope of a crime, the bill would create a state-mandated local program.

begin insert

Existing state law, the Insurance Information and Privacy Protection Act, generally regulates how insurers collect, use, and disclose information gathered in connection with insurance transactions.

end insert
begin insert

This bill would specify that a health insurer, as defined, shall comply with the requirements of the Confidentiality of Medical Information Act, if that act conflicts with the Insurance Information and Privacy Protection Act.

end insert

The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.

This bill would provide that no reimbursement is required by this act for a specified reason.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: yes.

The people of the State of California do enact as follows:

P3    1

SECTION 1.  

The Legislature finds and declares all of the
2following:

3(a) Privacy is a fundamental right of all Californians, protected
4by the California Constitution, the federal Health Insurance
5Portability and Accountability Act (HIPAA; Public Law 104-191),
6and the Confidentiality of Medical Information Act, Part 2.6
7(commencing with Section 56) of Division 1 of the Civil Code.

8(b) Implementation of the recently enacted federal Patient
9Protection and Affordable Care Act (Public Law 111-148) will
10expand the number of individuals insured as dependents on a health
11insurance policy held in another person’s name, including adult
12children under 26 years of age insured on a parent’s insurance
13policy.

14(c) HIPAA explicitly protects the confidentiality of medical
15care obtained by dependents insured under a health insurance
16policy held by another person.

17(d) Therefore, it is the intent of the Legislature in enacting this
18act to incorporate HIPAA standards into state law and to clarify
19the standards for protecting the confidentiality of medical
20information in insurance transactions.

21

SEC. 2.  

Section 56.05 of the Civil Code is amended to read:

22

56.05.  

For purposes of this part:

23(a) “Authorization” means permission granted in accordance
24with Section 56.11 or 56.21 for the disclosure of medical
25information.

26(b) “Authorization for insurance communications” means
27permission from the individual, that meets the requirements of
28subdivisions (a) to (c), inclusive, of Section 56.11, specifying the
29medical information and insurance transactions that may be
30disclosed and the identity of the people to whom disclosures are
31permitted as part of an insurance communication.

32(c) “Authorized recipient” means any person who is authorized
33to receive medical information pursuant to Section 56.10 or 56.20.

34(d) “Confidential communications request” means a request by
35an insured individual that insurance communications be
36communicated by a specific method, such as by telephone, email,
37or in a covered envelope rather than postcard, or to a specific mail
P4    1or email address or specific telephone number, as designated by
2the insured individual.

3(e) “Contractor” means any person or entity that is a medical
4group, independent practice association, pharmaceutical benefits
5manager, or a medical service organization and is not a health care
6service plan or provider of health care. “Contractor” does not
7include insurance institutions as defined in subdivision (k) of
8Section 791.02 of the Insurance Code or pharmaceutical benefits
9managers licensed pursuant to the Knox-Keene Health Care Service
10Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340)
11of Division 2 of the Health and Safety Code).

12(f) “Endanger” means that the insured individual fears
13harassment or abuse resulting from an insurance communication
14sufficient to deter the patient from obtaining health care absent
15confidentiality.

16(g) “Health care service plan” means any entity regulated
17pursuant to the Knox-Keene Health Care Service Plan Act of 1975
18(Chapter 2.2 (commencing with Section 1340) of Division 2 of
19the Health and Safety Code).

20(h) “Health insurer” means an entitybegin insert that issues health insurance,
21asend insert
defined inbegin insert subdivision (b) ofend insert Section 106 of the Insurance Code.

22(i) “Insured individual” means a person entitled to coverage
23under a health care service plan or health insurer, including the
24policyholder and dependents.

25(j) “Insurance communication” means any communication from
26the health care service plan or health insurer to policyholders or
27insured individuals that discloses individually identifiable medical
28information. Insurance communication includes, but is not limited
29to, explanation of benefits forms, scheduling information, notices
30of denial, and notices of contested claims.

31(k) “Licensed health care professional” means any person
32licensed or certified pursuant to Division 2 (commencing with
33Section 500) of the Business and Professions Code, the Osteopathic
34Initiative Act or the Chiropractic Initiative Act, or Division 2.5
35(commencing with Section 1797) of the Health and Safety Code.

36(l) “Marketing” means to make a communication about a product
37or service that encourages recipients of the communication to
38purchase or use the product or service.

39“Marketing” does not include any of the following:

P5    1(1) Communications made orally or in writing for which the
2communicator does not receive direct or indirect remuneration,
3including, but not limited to, gifts, fees, payments, subsidies, or
4other economic benefits, from a third party for making the
5communication.

6(2) Communications made to current enrollees solely for the
7purpose of describing a provider’s participation in an existing
8health care provider network or health plan network of a
9Knox-Keene licensed health plan to which the enrollees already
10subscribe; communications made to current enrollees solely for
11the purpose of describing if, and the extent to which, a product or
12service, or payment for a product or service, is provided by a
13provider, contractor, or plan or included in a plan of benefits of a
14Knox-Keene licensed health plan to which the enrollees already
15subscribe; or communications made to plan enrollees describing
16the availability of more cost-effective pharmaceuticals.

17(3) Communications that are tailored to the circumstances of a
18particular individual to educate or advise the individual about
19treatment options, and otherwise maintain the individual’s
20adherence to a prescribed course of medical treatment, as provided
21in Section 1399.901 of the Health and Safety Code, for a chronic
22and seriously debilitating or life-threatening condition as defined
23in subdivisions (d) and (e) of Section 1367.21 of the Health and
24Safety Code, if the health care provider, contractor, or health plan
25receives direct or indirect remuneration, including, but not limited
26to, gifts, fees, payments, subsidies, or other economic benefits,
27from a third party for making the communication, if all of the
28following apply:

29(A) The individual receiving the communication is notified in
30the communication in typeface no smaller than 14-point type of
31the fact that the provider, contractor, or health plan has been
32remunerated and the source of the remuneration.

33(B) The individual is provided the opportunity to opt out of
34receiving future remunerated communications.

35(C) The communication contains instructions in typeface no
36smaller than 14-point type describing how the individual can opt
37out of receiving further communications by calling a toll-free
38number of the health care provider, contractor, or health plan
39making the remunerated communications. No further
40communication may be made to an individual who has opted out
P6    1after 30 calendar days from the date the individual makes the opt
2out request.

3(m) “Medical information” means any individually identifiable
4information, in electronic or physical form, in possession of or
5derived from a provider of health care, health care service plan,
6pharmaceutical company, or contractor regarding a patient’s
7medical history, mental or physical condition, or treatment.
8“Individually identifiable” means that the medical information
9includes or contains any element of personal identifying
10information sufficient to allow identification of the individual,
11such as the patient’s name, address, electronic mail address,
12 telephone number, or social security number, or other information
13that, alone or in combination with other publicly available
14information, reveals the individual’s identity.

15(n) “Nondisclosure request” means a written request to withhold
16insurance communications that includes the insured individual’s
17name and address, description of the medical or other information
18that should not be disclosed, identity of the persons from whom
19information shall be withheld, and contact information for the
20individual for additional information or clarification necessary to
21satisfy the request.

22(o) “Patient” means any natural person, whether or not still
23living, who received health care services from a provider of health
24care and to whom medical information pertains.

25(p) “Pharmaceutical company” means any company or business,
26or an agent or representative thereof, that manufactures, sells, or
27distributes pharmaceuticals, medications, or prescription drugs.
28“Pharmaceutical company” does not include a pharmaceutical
29benefits manager, as included in subdivision (c), or a provider of
30health care.

31(q) “Provider of health care” means any person licensed or
32certified pursuant to Division 2 (commencing with Section 500)
33of the Business and Professions Code; any person licensed pursuant
34to the Osteopathic Initiative Act or the Chiropractic Initiative Act;
35any person certified pursuant to Division 2.5 (commencing with
36Section 1797) of the Health and Safety Code; any clinic, health
37dispensary, or health facility licensed pursuant to Division 2
38(commencing with Section 1200) of the Health and Safety Code.
39“Provider of health care” does not include insurance institutions
P7    1as defined in subdivision (k) of Section 791.02 of the Insurance
2Code.

3(r) “Sensitive services” means all health care services described
4in Sections 6924, 6925, 6926, 6927, 6928, and 6929 of the Family
5Code, and Sections 121020 and 124260 of the Health and Safety
6Code, obtained by any patient who has reached the minimum age
7specified for consenting to the service specified in the section,
8including patients 18 years of age and older.

9

SEC. 3.  

Section 56.104 of the Civil Code is amended to read:

10

56.104.  

(a) Notwithstanding subdivision (c) of Section 56.10,
11except as provided in subdivision (e), no provider of health care,
12health care service plan, or contractor may release medical
13information to persons or entities who have requested that
14information and who are authorized by law to receive that
15information pursuant to subdivision (c) of Section 56.10, if the
16requested information specifically relates to the patient’s
17participation in outpatient treatment with a psychotherapist, unless
18the person or entity requesting that information submits to the
19patient pursuant to subdivision (b) and to the provider of health
20care, health care service plan, or contractor a written request, signed
21by the person requesting the information or an authorized agent
22of the entity requesting the information, that includes all of the
23following:

24(1) The specific information relating to a patient’s participation
25in outpatient treatment with a psychotherapist being requested and
26its specific intended use or uses.

27(2) The length of time during which the information will be
28kept before being destroyed or disposed of. A person or entity may
29extend that timeframe, provided that the person or entity notifies
30the provider, plan, or contractor of the extension. Any notification
31of an extension shall include the specific reason for the extension,
32the intended use or uses of the information during the extended
33time, and the expected date of the destruction of the information.

34(3) A statement that the information will not be used for any
35purpose other than its intended use.

36(4) A statement that the person or entity requesting the
37information will destroy the information and all copies in the
38person’s or entity’s possession or control, will cause it to be
39destroyed, or will return the information and all copies of it before
P8    1or immediately after the length of time specified in paragraph (2)
2has expired.

3(b) The person or entity requesting the information shall submit
4a copy of the written request required by this section to the patient
5within 30 days of receipt of the information requested, unless the
6patient has signed a written waiver in the form of a letter signed
7and submitted by the patient to the provider of health care or health
8care service plan waiving notification.

9(c) For purposes of this section, “psychotherapist” means a
10person who is both a “psychotherapist” as defined in Section 1010
11of the Evidence Code and a “provider of health care” as defined
12in Section 56.05.

13(d) This section does not apply to the disclosure or use of
14medical information by a law enforcement agency or a regulatory
15agency when required for an investigation of unlawful activity or
16for licensing, certification, or regulatory purposes, unless the
17disclosure is otherwise prohibited by law.

18(e) This section shall not apply to any of the following:

19(1) Information authorized to be disclosed pursuant to paragraph
20(1) of subdivision (c) of Section 56.10.

21(2) Information requested from a psychotherapist by law
22enforcement or by the target of the threat subsequent to a disclosure
23by that psychotherapist authorized by paragraph (19) of subdivision
24(c) of Section 56.10, in which the additional information is clearly
25necessary to prevent the serious and imminent threat disclosed
26under that paragraph.

27(3) Information disclosed by a psychotherapist pursuant to
28paragraphs (14) and (22) of subdivision (c) of Section 56.10 and
29requested by an agency investigating the abuse reported pursuant
30to those paragraphs.

31(f) Nothing in this section shall be construed to grant any
32additional authority to a provider of health care, health care service
33plan, or contractor to disclose information to a person or entity
34without the patient’s consent.

35

SEC. 4.  

Section 56.107 is added to the Civil Code, to read:

36

56.107.  

(a) Notwithstanding any other law, and to the extent
37permitted by federal law, a health care service plan or health insurer
38shall take the following steps to protect the confidentiality of an
39insured individual’s medical information as follows:

P9    1(1) A health care service plan or health insurer shall not send
2insurance communications relating to sensitive services:

3(A) Unless the health care service plan or health insurer has
4received an authorization for insurance communications from an
5insured individual who is under 26 years of age and insured as a
6dependent on another person’s insurance policy.

7(B) For an insured individual to whom subparagraph (A) does
8not apply, if that insured individual has submitted a nondisclosure
9request.

10(2) A health care service plan or health insurer shall comply
11with a confidential communications request regarding sensitive
12services from an insured individual.

13(3) A health care service plan or health insurer shall comply
14with a nondisclosure request or a confidential communications
15request from an insured individual who states that disclosure of
16begin delete healthend deletebegin insert medicalend insert information will endanger the individual, and shall
17not require an explanation as to the basis for the insured
18individual’s statement that disclosure will endanger the individual.

19(b) Notwithstanding subdivision (a), the provider of health care
20may make arrangements with the insured individual for the
21payment of benefit cost sharing and communicate that arrangement
22with the health care service plan or health insurer.

23(c) A health care service plan or health insurer shall not
24condition enrollment or coverage in the health plan or health
25insurance policy or eligibility for benefits on the provision of an
26authorization for insurance communications.

27

SEC. 5.  

Section 56.16 of the Civil Code is amended to read:

28

56.16.  

For disclosures not addressed by Section 56.1007, unless
29there is a specific written request by the patient to the contrary,
30nothing in this part shall be construed to prevent a general acute
31care hospital, as defined in subdivision (a) of Section 1250 of the
32Health and Safety Code, upon an inquiry concerning a specific
33patient, from releasing at its discretion any of the following
34information: the patient’s name, address, age, and sex; a general
35description of the reason for treatment (whether an injury, a burn,
36poisoning, or some unrelated condition); the general nature of the
37injury, burn, poisoning, or other condition; the general condition
38of the patient; and any information that is not medical information
39as defined in Section 56.05.

P10   1

SEC. 6.  

Section 1280.15 of the Health and Safety Code is
2amended to read:

3

1280.15.  

(a) A clinic, health facility, home health agency, or
4hospice licensed pursuant to Section 1204, 1250, 1725, or 1745
5shall prevent unlawful or unauthorized access to, and use or
6disclosure of, patients’ medical information, as defined in Section
756.05 of the Civil Code and consistent with Section 130203. For
8purposes of this section, internal paper records, electronic mail,
9or facsimile transmissions inadvertently misdirected within the
10same facility or health care system within the course of
11coordinating care or delivering services shall not constitute
12unauthorized access to, or use or disclosure of, a patient’s medical
13information. The department, after investigation, may assess an
14administrative penalty for a violation of this section of up to
15twenty-five thousand dollars ($25,000) per patient whose medical
16information was unlawfully or without authorization accessed,
17used, or disclosed, and up to seventeen thousand five hundred
18dollars ($17,500) per subsequent occurrence of unlawful or
19unauthorized access, use, or disclosure of thatbegin delete patients’end deletebegin insert patient’send insert
20 medical information. For purposes of the investigation, the
21department shall consider the clinic’s, health facility’s, agency’s,
22or hospice’s history of compliance with this section and other
23related state and federal statutes and regulations, the extent to
24which the facility detected violations and took preventative action
25to immediately correct and prevent past violations from recurring,
26and factors outside its control that restricted the facility’s ability
27to comply with this section. The department shall have full
28discretion to consider all factors when determining the amount of
29an administrative penalty pursuant to this section.

30(b) (1) A clinic, health facility, home health agency, or hospice
31to which subdivision (a) applies shall report any unlawful or
32unauthorized access to, or use or disclosure of, a patient’s medical
33information to the department no later than five business days after
34the unlawful or unauthorized access, use, or disclosure has been
35detected by the clinic, health facility, home health agency, or
36hospice.

37(2) Subject to subdivision (c), a clinic, health facility, home
38health agency, or hospice shall also report any unlawful or
39unauthorized access to, or use or disclosure of, a patient’s medical
40information to the affected patient or the patient’s representative
P11   1at the last known address, no later than five business days after
2the unlawful or unauthorized access, use, or disclosure has been
3detected by the clinic, health facility, home health agency, or
4hospice.

5(c) (1) A clinic, health facility, home health agency, or hospice
6shall delay the reporting, as required pursuant to paragraph (2) of
7subdivision (b), of any unlawful or unauthorized access to, or use
8or disclosure of, a patient’s medical information beyond five
9business days if a law enforcement agency or official provides the
10clinic, health facility, home health agency, or hospice with a written
11or oral statement that compliance with the reporting requirements
12of paragraph (2) of subdivision (b) would likely impede the law
13enforcement agency’s investigation that relates to the unlawful or
14unauthorized access to, and use or disclosure of, a patient’s medical
15information and specifies a date upon which the delay shall end,
16not to exceed 60 days after a written request is made, or 30 days
17after an oral request is made. A law enforcement agency or official
18may request an extension of a delay based upon a written
19declaration that there exists a bona fide, ongoing, significant
20criminal investigation of serious wrongdoing relating to the
21unlawful or unauthorized access to, and use or disclosure of, a
22patient’s medical information, that notification of patients will
23undermine the law enforcement agency’s investigation, and that
24specifies a date upon which the delay shall end, not to exceed 60
25days after the end of the original delay period.

26(2) If the statement of the law enforcement agency or official
27is made orally, then the clinic, health facility, home health agency,
28or hospice shall do both of the following:

29(A) Document the oral statement, including, but not limited to,
30the identity of the law enforcement agency or official making the
31oral statement and the date upon which the oral statement was
32made.

33(B) Limit the delay in reporting the unlawful or unauthorized
34access to, or use or disclosure of, the patient’s medical information
35to the date specified in the oral statement, not to exceed 30 calendar
36days from the date that the oral statement is made, unless a written
37statement that complies with the requirements of this subdivision
38is received during that time.

39(3) A clinic, health facility, home health agency, or hospice
40shall submit a report that is delayed pursuant to this subdivision
P12   1not later than five business days after the date designated as the
2end of the delay.

3(d) If a clinic, health facility, home health agency, or hospice
4to which subdivision (a) applies violates subdivision (b), the
5department may assess the licensee a penalty in the amount of one
6hundred dollars ($100) for each day that the unlawful or
7 unauthorized access, use, or disclosure is not reported to the
8department or the affected patient, following the initial five-day
9period specified in subdivision (b). However, the total combined
10penalty assessed by the department under subdivision (a) and this
11subdivision shall not exceed two hundred fifty thousand dollars
12($250,000) per reported event. For enforcement purposes, it shall
13be presumed that the facility did not notify the affected patient if
14the notification was not documented. This presumption may be
15rebutted by a licensee only if the licensee demonstrates, by a
16preponderance of the evidence, that the notification was made.

17(e) In enforcing subdivisions (a) and (d), the department shall
18take into consideration the special circumstances of small and rural
19hospitals, as defined in Section 124840, and primary care clinics,
20as defined in subdivision (a) of Section 1204, in order to protect
21access to quality care in those hospitals and clinics. When assessing
22a penalty on a skilled nursing facility or other facility subject to
23Section 1423, 1424, 1424.1, or 1424.5, the department shall issue
24only the higher of either a penalty for the violation of this section
25or a penalty for violation of Section 1423, 1424, 1424.1, or 1424.5,
26not both.

27(f) All penalties collected by the department pursuant to this
28section, Sections 1280.1, 1280.3, and 1280.4, shall be deposited
29into the Internal Departmental Quality Improvement Account,
30which is hereby created within the Special Deposit Fund under
31Section 16370 of the Government Code. Upon appropriation by
32the Legislature, moneys in the account shall be expended for
33internal quality improvement activities in the Licensing and
34Certification Program.

35(g) If the licensee disputes a determination by the department
36regarding a failure to prevent or failure to timely report unlawful
37or unauthorized access to, or use or disclosure of, patients’ medical
38information, or the imposition of a penalty under this section, the
39licensee may, within 10 days of receipt of the penalty assessment,
40request a hearing pursuant to Section 131071. Penalties shall be
P13   1paid when appeals have been exhausted and the penalty has been
2upheld.

3(h) In lieu of disputing the determination of the department
4regarding a failure to prevent or failure to timely report unlawful
5or unauthorized access to, or use or disclosure of, patients’ medical
6information, transmit to the department 75 percent of the total
7amount of the administrative penalty, for each violation, within
830 business days of receipt of the administrative penalty.

9(i) Notwithstanding any other law, the department may refer
10violations of this section to the Office of Health Information
11Integrity for enforcement pursuant to Section 130303.

12(j) For purposes of this section, the following definitions shall
13apply:

14(1) “Reported event” means all breaches included in any single
15report that is made pursuant to subdivision (b), regardless of the
16number of breach events contained in the report.

17(2) “Unauthorized” means the inappropriate access, review, or
18viewing of patient medical information without a direct need for
19medical diagnosis, treatment, or other lawful use as permitted by
20the Confidentiality of Medical Information Act (Part 2.6
21(commencing with Section 56) of Division 1 of the Civil Code)
22or any other statute or regulation governing the lawful access, use,
23or disclosure of medical information.

24

SEC. 7.  

Section 1627 of the Health and Safety Code is amended
25to read:

26

1627.  

(a) (1) On or before July 1, 2011, the University of
27California is requested to develop a plan to establish and administer
28the Umbilical Cord Blood Collection Program for the purpose of
29collecting units of umbilical cord blood for public use in
30transplantation and providing nonclinical units for research
31pertaining to biology and new clinical utilization of stem cells
32derived from the blood and tissue of the placenta and umbilical
33cord. The program shall conclude no later than January 1, 2018.

34(2) For purposes of this article, “public use” means both of the
35following:

36(A) The collection of umbilical cord blood units from genetically
37diverse donors that will be owned by the University of California.
38This inventory shall be accessible by the National Registry and by
39qualified California-based and other United States and international
40registries and transplant centers to increase the likelihood of
P14   1providing suitably matched donor cord blood units to patients or
2research participants who are in need of a transplant.

3(B) Cord blood units with a lower number of cells than deemed
4necessary for clinical transplantation and units that meet clinical
5requirements, but for other reasons are unsuitable, unlikely to be
6transplanted, or otherwise unnecessary for clinical use, may be
7made available for research.

8(b) (1) In order to implement the collection goals of this
9program, the University of California may, commensurate with
10available funds appropriated to the University of California for
11this program, contract with one or more selected applicant entities
12that have demonstrated the competence to collect and ship cord
13blood units in compliance with federal guidelines and regulations.

14(2) It is the intent of the Legislature that, if the University of
15California contracts with another entity pursuant to this subdivision,
16the following shall apply:

17(A) The University of California may use a competitive process
18to identify the best proposals submitted by applicant entities to
19administer the collection and research objectives of the program,
20to the extent that the University of California chooses not to
21undertake these activities itself.

22(B) In order to qualify for selection under this section to receive,
23process, cryopreserve, or bank cord blood units, the entity shall,
24at a minimum, have obtained an investigational new drug (IND)
25exemption from the FDA or a biologic license from the FDA, as
26appropriate, to manufacture clinical grade cord blood stem cell
27units for clinical indications.

28(C) In order to qualify to receive appropriate cord blood units
29and placental tissue to advance the research goals of this program,
30an entity shall, at a minimum, be a laboratory recognized as having
31performed peer-reviewed research on stem and progenitor cells,
32including those derived from placental or umbilical cord blood
33and postnatal tissue.

34(3) A medical provider or research facility shall comply with,
35and shall be subject to, existing penalties for violations of all
36applicable state and federal laws with respect to the protection of
37any medical information, as defined in Section 56.05 of the Civil
38Code, and any personally identifiable information contained in the
39umbilical cord blood inventory.

P15   1(c) The University of California is encouraged to make every
2effort to avoid duplication or conflicts with existing and ongoing
3programs and to leverage existing resources.

4(d) (1) All information collected pursuant to the program shall
5be confidential, and shall be used solely for the purposes of the
6program, including research. Access to confidential information
7shall be limited to authorized persons who are bound by appropriate
8institutional policies or who otherwise agree, in writing, to maintain
9the confidentiality of that information.

10(2) Any person who, in violation of applicable institutional
11policies or a written agreement to maintain confidentiality,
12discloses any information provided pursuant to this section, or
13who uses information provided pursuant to this section in a manner
14other than as approved pursuant to this section, may be denied
15further access to any confidential information maintained by the
16University of California, and shall be subject to a civil penalty not
17exceeding one thousand dollars ($1,000). The penalty provided
18for in this section shall not be construed to limit or otherwise
19restrict any remedy, provisional or otherwise, provided by law for
20the benefit of the University of California or any other person
21covered by this section.

22(3) Notwithstanding the restrictions of this section, an individual
23to whom the confidential information pertains shall have access
24to his or her own personal information.

25(e) It is the intent of the Legislature that the plan and
26implementation of the program provide for both of the following:

27(1) Limit fees for access to cord blood units to the reasonable
28 and actual costs of storage, handling, and providing units, as well
29as for related services such as donor matching and testing of cord
30blood and other programs and services typically provided by cord
31blood banks and public use programs.

32(2) The submittal of the plan developed pursuant to subdivision
33(a) to the health and fiscal committees of the Legislature.

34(f) It is additionally the intent of the Legislature that the plan
35and implementation of the program attempt to provide for all of
36the following:

37(1) Development of a strategy to increase voluntary participation
38by hospitals in the collection and storage of umbilical cord blood
39and identify funding sources to offset the financial impact on
40hospitals.

P16   1(2) Consideration of a medical contingency response program
2to prepare for and respond effectively to biological, chemical, or
3radiological attacks, accidents, and other public health emergencies
4where victims potentially benefit from treatment.

5(3) Exploration of the feasibility of operating the program as a
6self-funding program, including the potential for charging users a
7reimbursement fee.

8

SEC. 8.  

Section 117928 of the Health and Safety Code is
9amended to read:

10

117928.  

(a)  Any common storage facility for the collection
11of medical waste produced by small quantity generators operating
12independently, but sharing common storage facilities, shall have
13a permit issued by the enforcement agency.

14(b)  A permit for any common storage facility specified in
15subdivision (a) may be obtained by any one of the following:

16(1)  A provider of health care as defined in Section 56.05 of the
17Civil Code.

18(2)  The registered hazardous waste transporter.

19(3)  The property owner.

20(4)  The property management firm responsible for providing
21tenant services to the medical waste generators.

22

SEC. 9.  

Section 120985 of the Health and Safety Code is
23amended to read:

24

120985.  

(a)  Notwithstanding Section 120980, the results of
25an HIV test that identifies or provides identifying characteristics
26of the person to whom the test results apply may be recorded by
27the physician who ordered the test in the test subject’s medical
28record or otherwise disclosed without written authorization of the
29subject of the test, or the subject’s representative as set forth in
30Section 121020, to the test subject’s providers of health care, as
31defined in Section 56.05 of the Civil Code, for purposes of
32diagnosis, care, or treatment of the patient, except that for purposes
33of this sectionbegin insert,end insert “providers of health care” does not include a health
34care service plan regulated pursuant to Chapter 2.2 (commencing
35with Section 1340) of Division 2.

36(b)  Recording or disclosure of HIV test results pursuant to
37subdivision (a) does not authorize further disclosure unless
38otherwise permitted by law.

39

SEC. 10.  

Section 121010 of the Health and Safety Code is
40amended to read:

P17   1

121010.  

Notwithstanding Section 120975 or 120980, the results
2of a blood test to detect antibodies to the probable causative agent
3of AIDS may be disclosed to any of the following persons without
4written authorization of the subject of the test:

5(a) To the subject of the test or the subject’s legal representative,
6conservator, or to any person authorized to consent to the test
7pursuant to subdivision (b) of Section 120990.

8(b) To a test subject’s provider of health care, as defined in
9Section 56.05 of the Civil Code, except that for purposes of this
10section, “provider of health care” does not include a health care
11service plan regulated pursuant to Chapter 2.2 (commencing with
12Section 1340) of Division 2.

13(c) To an agent or employee of the test subject’s provider of
14health care who provides direct patient care and treatment.

15(d) To a provider of health care who procures, processes,
16distributes, or uses a human body part donated pursuant to the
17Uniform Anatomical Gift Act (Chapter 3.5 (commencing with
18Section 7150) of Part 1 of Division 7).

19(e) (1) To the designated officer of an emergency response
20employee, and from that designated officer to an emergency
21response employee regarding possible exposure to HIV or AIDS,
22but only to the extent necessary to comply with provisions of the
23Ryan White Comprehensive AIDS Resources Emergency Act of
241990 (Public Law 101-381; 42 U.S.C. Sec. 201).

25(2) For purposes of this subdivision, “designated officer” and
26“emergency response employee” have the same meaning as these
27terms are used in the Ryan White Comprehensive AIDS Resources
28Emergency Act of 1990 (Public Law 101-381; 42 U.S.C. Sec.
29201).

30(3) The designated officer shall be subject to the confidentiality
31requirements specified in Section 120980, and may be personally
32liable for unauthorized release of any identifying information about
33the HIV results. Further, the designated officer shall inform the
34exposed emergency response employee that the employee is also
35subject to the confidentiality requirements specified in Section
36120980, and may be personally liable for unauthorized release of
37any identifying information about the HIV test results.

38

SEC. 11.  

Section 130201 of the Health and Safety Code is
39amended to read:

P18   1

130201.  

For purposes of this division, the following definitions
2apply:

3(a) “Director” means the Director of the Office of Health
4Information Integrity.

5(b) “Medical information” means the term as defined in Section
656.05 of the Civil Code.

7(c) “Office” means the Office of Health Information Integrity.

8(d) “Provider of health care” means the term as defined in
9Sections 56.05 and 56.06 of the Civil Code.

10(e) “Unauthorized access” means the inappropriate review or
11viewing of patient medical information without a direct need for
12diagnosis, treatment, or other lawful use as permitted by the
13Confidentiality of Medical Information Act (Part 2.6 (commencing
14with Section 56) of Division 1 of the Civil Code) or by other
15statutes or regulations governing the lawful access, use, or
16disclosure of medical information.

17begin insert

begin insertSEC. 12.end insert  

end insert

begin insertSection 791.29 is added to the end insertbegin insertInsurance Codeend insertbegin insert, to
18read:end insert

begin insert
19

begin insert791.29.end insert  

A health insurer, as defined in subdivision (h) of
20Section 56.05 of the Civil Code, shall comply with the provisions
21of Section 56.107 of the Civil Code to the extent required by that
22section. To the extent this article conflicts with Section 56.107 of
23the Civil Code, the provisions of Section 56.107 of the Civil Code
24shall control.

end insert
25

begin deleteSEC. 12.end delete
26begin insertSEC. 13.end insert  

Section 3208.05 of the Labor Code is amended to
27read:

28

3208.05.  

(a) “Injury” includes a reaction to or a side effect
29arising from health care provided by an employer to a health care
30worker, which health care is intended to prevent the development
31or manifestation of any bloodborne disease, illness, syndrome, or
32condition recognized as occupationally incurred by Cal-OSHA,
33the federal Centers for Disease Control and Prevention, or other
34appropriate governmental entities. This section shall apply only
35to preventive health care that the employer provided to a health
36care worker under the following circumstances: (1) prior to an
37exposure because of risk of occupational exposure to such a
38disease, illness, syndrome, or condition, or (2) where the preventive
39care is provided as a consequence of a documented exposure to
40blood or bodily fluid containing blood that arose out of and in the
P19   1course of employment. Such a disease, illness, syndrome, or
2condition includes, but is not limited to, hepatitis, and the human
3immunodeficiency virus. Such preventive health care, and any
4disability indemnity or other benefits required as a result of the
5preventive health care provided by the employer, shall be
6compensable under the workers’ compensation system. The
7employer may require the health care worker to document that the
8employer provided the preventive health care and that the reaction
9or side effects arising from the preventive health care resulted in
10lost work time, health care costs, or other costs normally
11compensable under workers’ compensation.

12(b) The benefits of this section shall not be provided to a health
13care worker for a reaction to or side effect from health care
14intended to prevent the development of the human
15immunodeficiency virus if the worker claims a work-related
16exposure and if the worker tests positive within 48 hours of that
17exposure to a test to determine the presence of the human
18immunodeficiency virus.

19(c) For purposes of this section, “health care worker” includes
20any person who is an employee of a provider of health care as
21defined in Section 56.05 of the Civil Code, and who is exposed to
22human blood or other bodily fluids contaminated with blood in
23the course of employment, including, but not limited to, a registered
24nurse, a licensed vocational nurse, a certified nurse aide, clinical
25laboratory technologist, dental hygienist, physician, janitor, and
26housekeeping worker. “Health care worker” does not include an
27employee who provides employee health services for an employer
28primarily engaged in a business other than providing health care.

29

begin deleteSEC. 13.end delete
30begin insertSEC. 14.end insert  

No reimbursement is required by this act pursuant to
31Section 6 of Article XIII B of the California Constitution because
32the only costs that may be incurred by a local agency or school
33district will be incurred because this act creates a new crime or
34infraction, eliminates a crime or infraction, or changes the penalty
35for a crime or infraction, within the meaning of Section 17556 of
36the Government Code, or changes the definition of a crime within
37the meaning of Section 6 of Article XIII B of the California
38Constitution.



O

    97