Amended in Senate May 28, 2013

Amended in Senate April 8, 2013

Amended in Senate March 13, 2013

Senate BillNo. 138


Introduced by Senator Hernandez

(Coauthors: Senators DeSaulnier and Leno)

January 28, 2013


An act to amend Sections 56.05, 56.104, and 56.16 of, and to add Section 56.107 to, the Civil Code, to amend Sections 1280.15, 1627, 117928, 120985, 121010, and 130201 ofbegin insert, and to add Section 1348.5 to,end insert the Health and Safety Code, to add Section 791.29 to the Insurance Code, and to amend Section 3208.05 of the Labor Code, relating to medical information.

LEGISLATIVE COUNSEL’S DIGEST

SB 138, as amended, Hernandez. Confidentiality of medical information.

Existing federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes certain requirements relating to the provision of health insurance, and the protection of privacy of individually identifiable health information.

begin insert

Existing law, the Knox-Keene Health Care Service Plan Act of 1975, provides for the licensure and regulation of health care service plans by the Department of Managed Health Care and makes a willful violation of its provisions a crime. Existing law also provides for the regulation of health insurers by the Department of Insurance.

end insert

Existingbegin delete stateend delete law, the Confidentiality of Medical Information Act, provides that medical information, as defined, may not be disclosed by providers of health care, health care service plans, or contractors, as defined, without the patient’s written authorization, subject to certain exceptions, including disclosure to a probate court investigator, as specified. A violation of the act resulting in economic loss or personal injury to a patient is a misdemeanor and subjects the violating party to liability for specified damages and administrative fines and penalties. The act defines various terms relevant to its implementation.

This bill would declare the intent of the Legislature to incorporate HIPAA standards into state law and to clarify standards for protecting the confidentiality of medical information in insurance transactions. The bill would define additional terms in connection with maintaining the confidentiality of this information, including an “authorization for insurance communications,” which an insured individual may submit for the purpose of specifying disclosable medical information and insurance transactions, and permissible recipients.

This bill would specify the manner in which a health care service plan or health insurer would be required to maintain confidentiality of information regarding the treatment of insured individuals less than 26 years of age who are insured as dependents on another person’s policy, the treatment of an insured individual involving sensitive services, as defined, or situations in which disclosure would endanger the insured individual, as defined.

This bill would specifically authorize a provider of health care to communicate information regarding benefit cost-sharing arrangements to the health care service plan or health insurer, as specified.

This bill would also prohibit the health care service plan or health insurer from conditioning enrollment in the plan or eligibility for benefits on the provision of an authorization for insurance communications. The bill also would make conforming technical changes. By expanding the scope of a crime, the bill would create a state-mandated local program.

Existingbegin delete stateend delete law, the Insurance Information and Privacy Protection Act, generally regulates how insurers collect, use, and disclose information gathered in connection with insurance transactions.

This bill wouldbegin delete specify that aend deletebegin insert require a health care services plan or aend insert health insurer, as defined,begin delete shallend deletebegin insert toend insert comply with the requirements of the Confidentiality of Medical Information Act, if that act conflicts with the Insurance Information and Privacy Protection Actbegin insert, as specified. Because a willful violation of these provisions by a health care service plan would be a crime, this bill would thus impose a state-mandated local programend insert.

The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.

This bill would provide that no reimbursement is required by this act for a specified reason.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: yes.

The people of the State of California do enact as follows:

P3    1

SECTION 1.  

The Legislature finds and declares all of the
2following:

3(a) Privacy is a fundamental right of all Californians, protected
4by the California Constitution, the federal Health Insurance
5Portability and Accountability Act (HIPAA; Public Law 104-191),
6and the Confidentiality of Medical Information Act, Part 2.6
7(commencing with Section 56) of Division 1 of the Civil Code.

8(b) Implementation of the recently enacted federal Patient
9Protection and Affordable Care Act (Public Law 111-148) will
10expand the number of individuals insured as dependents on a health
11insurance policy held in another person’s name, including adult
12children under 26 years of age insured on a parent’s insurance
13policy.

14(c) HIPAA explicitly protects the confidentiality of medical
15care obtained by dependents insured under a health insurance
16policy held by another person.

17(d) Therefore, it is the intent of the Legislature in enacting this
18act to incorporate HIPAA standards into state law and to clarify
19the standards for protecting the confidentiality of medical
20information in insurance transactions.

21

SEC. 2.  

Section 56.05 of the Civil Code is amended to read:

22

56.05.  

For purposes of this part:

23(a) “Authorization” means permission granted in accordance
24with Section 56.11 or 56.21 for the disclosure of medical
25information.

26(b) “Authorization for insurance communications” means
27permission from the individual, that meets the requirements of
28subdivisions (a) to (c), inclusive, of Section 56.11, specifying the
29medical information and insurance transactions that may be
P4    1disclosed and the identity of the people to whom disclosures are
2permitted as part of an insurance communication.

3(c) “Authorized recipient” means any person who is authorized
4to receive medical information pursuant to Section 56.10 or 56.20.

5(d) “Confidential communications request” means a request by
6an insured individual that insurance communications be
7communicated by a specific method, such as by telephone, email,
8or in a covered envelope rather than postcard, or to a specific mail
9or email address or specific telephone number, as designated by
10the insured individual.

11(e) “Contractor” means any person or entity that is a medical
12group, independent practice association, pharmaceutical benefits
13manager, or a medical service organization and is not a health care
14service plan or provider of health care. “Contractor” does not
15include insurance institutions as defined in subdivision (k) of
16Section 791.02 of the Insurance Code or pharmaceutical benefits
17managers licensed pursuant to the Knox-Keene Health Care Service
18Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340)
19of Division 2 of the Health and Safety Code).

20(f) “Endanger” means that the insured individual fears
21harassment or abuse resulting from an insurance communication
22sufficient to deter the patient from obtaining health care absent
23confidentiality.

24(g) “Health care service plan” means any entity regulated
25pursuant to the Knox-Keene Health Care Service Plan Act of 1975
26(Chapter 2.2 (commencing with Section 1340) of Division 2 of
27the Health and Safety Code).

28(h) “Health insurer” means an entity that issues health insurance,
29as defined in subdivision (b) of Section 106 of the Insurance Code.

30(i) “Insured individual” means a person entitled to coverage
31under a health care service plan or health insurer, including the
32policyholder and dependents.

33(j) “Insurance communication” means any communication from
34the health care service plan or health insurer to policyholders or
35insured individuals that discloses individually identifiable medical
36information. Insurance communication includes, but is not limited
37to, explanation of benefits forms, scheduling information, notices
38of denial, and notices of contested claims.

39(k) “Licensed health care professional” means any person
40licensed or certified pursuant to Division 2 (commencing with
P5    1Section 500) of the Business and Professions Code, the Osteopathic
2Initiative Act or the Chiropractic Initiative Act, or Division 2.5
3(commencing with Section 1797) of the Health and Safety Code.

4(l) “Marketing” means to make a communication about a product
5or service that encourages recipients of the communication to
6purchase or use the product or service.

7“Marketing” does not include any of the following:

8(1) Communications made orally or in writing for which the
9communicator does not receive direct or indirect remuneration,
10including, but not limited to, gifts, fees, payments, subsidies, or
11other economic benefits, from a third party for making the
12communication.

13(2) Communications made to current enrollees solely for the
14purpose of describing a provider’s participation in an existing
15health care provider network or health plan network of a
16Knox-Keene licensed health plan to which the enrollees already
17subscribe; communications made to current enrollees solely for
18the purpose of describing if, and the extent to which, a product or
19service, or payment for a product or service, is provided by a
20provider, contractor, or plan or included in a plan of benefits of a
21Knox-Keene licensed health plan to which the enrollees already
22subscribe; or communications made to plan enrollees describing
23the availability of more cost-effective pharmaceuticals.

24(3) Communications that are tailored to the circumstances of a
25particular individual to educate or advise the individual about
26treatment options, and otherwise maintain the individual’s
27adherence to a prescribed course of medical treatment, as provided
28in Section 1399.901 of the Health and Safety Code, for a chronic
29and seriously debilitating or life-threatening condition as defined
30in subdivisions (d) and (e) of Section 1367.21 of the Health and
31Safety Code, if the health care provider, contractor, or health plan
32receives direct or indirect remuneration, including, but not limited
33to, gifts, fees, payments, subsidies, or other economic benefits,
34from a third party for making the communication, if all of the
35following apply:

36(A) The individual receiving the communication is notified in
37the communication in typeface no smaller than 14-point type of
38the fact that the provider, contractor, or health plan has been
39remunerated and the source of the remuneration.

P6    1(B) The individual is provided the opportunity to opt out of
2receiving future remunerated communications.

3(C) The communication contains instructions in typeface no
4smaller than 14-point type describing how the individual can opt
5out of receiving further communications by calling a toll-free
6number of the health care provider, contractor, or health plan
7making the remunerated communications. No further
8communication may be made to an individual who has opted out
9after 30 calendar days from the date the individual makes the opt
10out request.

11(m) “Medical information” means any individually identifiable
12information, in electronic or physical form, in possession of or
13derived from a provider of health care, health care service plan,
14pharmaceutical company, or contractor regarding a patient’s
15medical history, mental or physical condition, or treatment.
16“Individually identifiable” means that the medical information
17includes or contains any element of personal identifying
18information sufficient to allow identification of the individual,
19such as the patient’s name, address, electronic mail address,
20 telephone number, or social security number, or other information
21that, alone or in combination with other publicly available
22information, reveals the individual’s identity.

23(n) “Nondisclosure request” means a written request to withhold
24insurance communications that includes the insured individual’s
25name and address, description of the medical or other information
26that should not be disclosed, identity of the persons from whom
27information shall be withheld, and contact information for the
28individual for additional information or clarification necessary to
29satisfy the request.

30(o) “Patient” means any natural person, whether or not still
31living, who received health care services from a provider of health
32care and to whom medical information pertains.

33(p) “Pharmaceutical company” means any company or business,
34or an agent or representative thereof, that manufactures, sells, or
35distributes pharmaceuticals, medications, or prescription drugs.
36“Pharmaceutical company” does not include a pharmaceutical
37benefits manager, as included in subdivision (c), or a provider of
38health care.

39(q) “Provider of health care” means any person licensed or
40certified pursuant to Division 2 (commencing with Section 500)
P7    1of the Business and Professions Code; any person licensed pursuant
2to the Osteopathic Initiative Act or the Chiropractic Initiative Act;
3any person certified pursuant to Division 2.5 (commencing with
4Section 1797) of the Health and Safety Code; any clinic, health
5dispensary, or health facility licensed pursuant to Division 2
6(commencing with Section 1200) of the Health and Safety Code.
7“Provider of health care” does not include insurance institutions
8as defined in subdivision (k) of Section 791.02 of the Insurance
9Code.

10(r) “Sensitive services” means all health care services described
11in Sections 6924, 6925, 6926, 6927, 6928, and 6929 of the Family
12Code, and Sections 121020 and 124260 of the Health and Safety
13Code, obtained by any patient who has reached the minimum age
14specified for consenting to the service specified in the section,
15including patients 18 years of age and older.

16

SEC. 3.  

Section 56.104 of the Civil Code is amended to read:

17

56.104.  

(a) Notwithstanding subdivision (c) of Section 56.10,
18except as provided in subdivision (e), no provider of health care,
19health care service plan, or contractor may release medical
20information to persons or entities who have requested that
21information and who are authorized by law to receive that
22information pursuant to subdivision (c) of Section 56.10, if the
23requested information specifically relates to the patient’s
24participation in outpatient treatment with a psychotherapist, unless
25the person or entity requesting that information submits to the
26patient pursuant to subdivision (b) and to the provider of health
27care, health care service plan, or contractor a written request, signed
28by the person requesting the information or an authorized agent
29of the entity requesting the information, that includes all of the
30following:

31(1) The specific information relating to a patient’s participation
32in outpatient treatment with a psychotherapist being requested and
33its specific intended use or uses.

34(2) The length of time during which the information will be
35kept before being destroyed or disposed of. A person or entity may
36extend that timeframe, provided that the person or entity notifies
37the provider, plan, or contractor of the extension. Any notification
38of an extension shall include the specific reason for the extension,
39the intended use or uses of the information during the extended
40time, and the expected date of the destruction of the information.

P8    1(3) A statement that the information will not be used for any
2purpose other than its intended use.

3(4) A statement that the person or entity requesting the
4information will destroy the information and all copies in the
5person’s or entity’s possession or control, will cause it to be
6destroyed, or will return the information and all copies of it before
7or immediately after the length of time specified in paragraph (2)
8has expired.

9(b) The person or entity requesting the information shall submit
10a copy of the written request required by this section to the patient
11within 30 days of receipt of the information requested, unless the
12patient has signed a written waiver in the form of a letter signed
13and submitted by the patient to the provider of health care or health
14care service plan waiving notification.

15(c) For purposes of this section, “psychotherapist” means a
16person who is both a “psychotherapist” as defined in Section 1010
17of the Evidence Code and a “provider of health care” as defined
18in Section 56.05.

19(d) This section does not apply to the disclosure or use of
20medical information by a law enforcement agency or a regulatory
21agency when required for an investigation of unlawful activity or
22for licensing, certification, or regulatory purposes, unless the
23disclosure is otherwise prohibited by law.

24(e) This section shall not apply to any of the following:

25(1) Information authorized to be disclosed pursuant to paragraph
26(1) of subdivision (c) of Section 56.10.

27(2) Information requested from a psychotherapist by law
28enforcement or by the target of the threat subsequent to a disclosure
29by that psychotherapist authorized by paragraph (19) of subdivision
30(c) of Section 56.10, in which the additional information is clearly
31necessary to prevent the serious and imminent threat disclosed
32under that paragraph.

33(3) Information disclosed by a psychotherapist pursuant to
34paragraphs (14) and (22) of subdivision (c) of Section 56.10 and
35requested by an agency investigating the abuse reported pursuant
36to those paragraphs.

37(f) Nothing in this section shall be construed to grant any
38additional authority to a provider of health care, health care service
39plan, or contractor to disclose information to a person or entity
40without the patient’s consent.

P9    1

SEC. 4.  

Section 56.107 is added to the Civil Code, to read:

2

56.107.  

(a) Notwithstanding any other law, and to the extent
3permitted by federal law, a health care service plan or health insurer
4shall take the following steps to protect the confidentiality of an
5insured individual’s medical information as follows:

6(1) A health care service plan or health insurer shall not send
7insurance communications relating to sensitive services:

8(A) Unless the health care service plan or health insurer has
9received an authorization for insurance communications from an
10insured individual who is under 26 years of age and insured as a
11dependent on another person’s insurance policy.

12(B) For an insured individual to whom subparagraph (A) does
13not apply, if that insured individual has submitted a nondisclosure
14request.

15(2) A health care service plan or health insurer shall comply
16with a confidential communications request regarding sensitive
17services from an insured individual.

18(3) A health care service plan or health insurer shall comply
19with a nondisclosure request or a confidential communications
20request from an insured individual who states that disclosure of
21medical information will endanger the individual, and shall not
22require an explanation as to the basis for the insured individual’s
23statement that disclosure will endanger the individual.

24(b) Notwithstanding subdivision (a), the provider of health care
25may make arrangements with the insured individual for the
26payment of benefit cost sharing and communicate that arrangement
27with the health care service plan or health insurer.

28(c) A health care service plan or health insurer shall not
29condition enrollment or coverage in the health plan or health
30insurance policy or eligibility for benefits on the provision of an
31authorization for insurance communications.

32

SEC. 5.  

Section 56.16 of the Civil Code is amended to read:

33

56.16.  

For disclosures not addressed by Section 56.1007, unless
34there is a specific written request by the patient to the contrary,
35nothing in this part shall be construed to prevent a general acute
36care hospital, as defined in subdivision (a) of Section 1250 of the
37Health and Safety Code, upon an inquiry concerning a specific
38patient, from releasing at its discretion any of the following
39information: the patient’s name, address, age, and sex; a general
40description of the reason for treatment (whether an injury, a burn,
P10   1poisoning, or some unrelated condition); the general nature of the
2injury, burn, poisoning, or other condition; the general condition
3of the patient; and any information that is not medical information
4as defined in Section 56.05.

5

SEC. 6.  

Section 1280.15 of the Health and Safety Code is
6amended to read:

7

1280.15.  

(a) A clinic, health facility, home health agency, or
8hospice licensed pursuant to Section 1204, 1250, 1725, or 1745
9shall prevent unlawful or unauthorized access to, and use or
10disclosure of, patients’ medical information, as defined in Section
1156.05 of the Civil Code and consistent with Section 130203. For
12purposes of this section, internal paper records, electronic mail,
13or facsimile transmissions inadvertently misdirected within the
14same facility or health care system within the course of
15coordinating care or delivering services shall not constitute
16unauthorized access to, or use or disclosure of, a patient’s medical
17information. The department, after investigation, may assess an
18administrative penalty for a violation of this section of up to
19twenty-five thousand dollars ($25,000) per patient whose medical
20information was unlawfully or without authorization accessed,
21used, or disclosed, and up to seventeen thousand five hundred
22dollars ($17,500) per subsequent occurrence of unlawful or
23unauthorized access, use, or disclosure of that patient’s medical
24information. For purposes of the investigation, the department
25shall consider the clinic’s, health facility’s, agency’s, or hospice’s
26history of compliance with this section and other related state and
27federal statutes and regulations, the extent to which the facility
28detected violations and took preventative action to immediately
29correct and prevent past violations from recurring, and factors
30outside its control that restricted the facility’s ability to comply
31with this section. The department shall have full discretion to
32consider all factors when determining the amount of an
33administrative penalty pursuant to this section.

34(b) (1) A clinic, health facility, home health agency, or hospice
35to which subdivision (a) applies shall report any unlawful or
36unauthorized access to, or use or disclosure of, a patient’s medical
37information to the department no later than five business days after
38the unlawful or unauthorized access, use, or disclosure has been
39detected by the clinic, health facility, home health agency, or
40hospice.

P11   1(2) Subject to subdivision (c), a clinic, health facility, home
2health agency, or hospice shall also report any unlawful or
3unauthorized access to, or use or disclosure of, a patient’s medical
4information to the affected patient or the patient’s representative
5at the last known address, no later than five business days after
6the unlawful or unauthorized access, use, or disclosure has been
7detected by the clinic, health facility, home health agency, or
8hospice.

9(c) (1) A clinic, health facility, home health agency, or hospice
10shall delay the reporting, as required pursuant to paragraph (2) of
11subdivision (b), of any unlawful or unauthorized access to, or use
12or disclosure of, a patient’s medical information beyond five
13business days if a law enforcement agency or official provides the
14clinic, health facility, home health agency, or hospice with a written
15or oral statement that compliance with the reporting requirements
16of paragraph (2) of subdivision (b) would likely impede the law
17enforcement agency’s investigation that relates to the unlawful or
18unauthorized access to, and use or disclosure of, a patient’s medical
19information and specifies a date upon which the delay shall end,
20not to exceed 60 days after a written request is made, or 30 days
21after an oral request is made. A law enforcement agency or official
22may request an extension of a delay based upon a written
23declaration that there exists a bona fide, ongoing, significant
24criminal investigation of serious wrongdoing relating to the
25unlawful or unauthorized access to, and use or disclosure of, a
26patient’s medical information, that notification of patients will
27undermine the law enforcement agency’s investigation, and that
28specifies a date upon which the delay shall end, not to exceed 60
29days after the end of the original delay period.

30(2) If the statement of the law enforcement agency or official
31is made orally, then the clinic, health facility, home health agency,
32or hospice shall do both of the following:

33(A) Document the oral statement, including, but not limited to,
34the identity of the law enforcement agency or official making the
35 oral statement and the date upon which the oral statement was
36made.

37(B) Limit the delay in reporting the unlawful or unauthorized
38access to, or use or disclosure of, the patient’s medical information
39to the date specified in the oral statement, not to exceed 30 calendar
40days from the date that the oral statement is made, unless a written
P12   1statement that complies with the requirements of this subdivision
2is received during that time.

3(3) A clinic, health facility, home health agency, or hospice
4shall submit a report that is delayed pursuant to this subdivision
5not later than five business days after the date designated as the
6end of the delay.

7(d) If a clinic, health facility, home health agency, or hospice
8to which subdivision (a) applies violates subdivision (b), the
9department may assess the licensee a penalty in the amount of one
10hundred dollars ($100) for each day that the unlawful or
11 unauthorized access, use, or disclosure is not reported to the
12department or the affected patient, following the initial five-day
13period specified in subdivision (b). However, the total combined
14penalty assessed by the department under subdivision (a) and this
15subdivision shall not exceed two hundred fifty thousand dollars
16($250,000) per reported event. For enforcement purposes, it shall
17be presumed that the facility did not notify the affected patient if
18the notification was not documented. This presumption may be
19rebutted by a licensee only if the licensee demonstrates, by a
20preponderance of the evidence, that the notification was made.

21(e) In enforcing subdivisions (a) and (d), the department shall
22take into consideration the special circumstances of small and rural
23hospitals, as defined in Section 124840, and primary care clinics,
24 as defined in subdivision (a) of Section 1204, in order to protect
25access to quality care in those hospitals and clinics. When assessing
26a penalty on a skilled nursing facility or other facility subject to
27Section 1423, 1424, 1424.1, or 1424.5, the department shall issue
28only the higher of either a penalty for the violation of this section
29or a penalty for violation of Section 1423, 1424, 1424.1, or 1424.5,
30not both.

31(f) All penalties collected by the department pursuant to this
32section, Sections 1280.1, 1280.3, and 1280.4, shall be deposited
33into the Internal Departmental Quality Improvement Account,
34which is hereby created within the Special Deposit Fund under
35Section 16370 of the Government Code. Upon appropriation by
36the Legislature, moneys in the account shall be expended for
37internal quality improvement activities in the Licensing and
38Certification Program.

39(g) If the licensee disputes a determination by the department
40regarding a failure to prevent or failure to timely report unlawful
P13   1or unauthorized access to, or use or disclosure of, patients’ medical
2information, or the imposition of a penalty under this section, the
3licensee may, within 10 days of receipt of the penalty assessment,
4request a hearing pursuant to Section 131071. Penalties shall be
5paid when appeals have been exhausted and the penalty has been
6upheld.

7(h) In lieu of disputing the determination of the department
8regarding a failure to prevent or failure to timely report unlawful
9or unauthorized access to, or use or disclosure of, patients’ medical
10information, transmit to the department 75 percent of the total
11amount of the administrative penalty, for each violation, within
1230 business days of receipt of the administrative penalty.

13(i) Notwithstanding any other law, the department may refer
14violations of this section to the Office of Health Information
15Integrity for enforcement pursuant to Section 130303.

16(j) For purposes of this section, the following definitions shall
17apply:

18(1) “Reported event” means all breaches included in any single
19report that is made pursuant to subdivision (b), regardless of the
20number of breach events contained in the report.

21(2) “Unauthorized” means the inappropriate access, review, or
22viewing of patient medical information without a direct need for
23medical diagnosis, treatment, or other lawful use as permitted by
24the Confidentiality of Medical Information Act (Part 2.6
25(commencing with Section 56) of Division 1 of the Civil Code)
26or any other statute or regulation governing the lawful access, use,
27or disclosure of medical information.

28begin insert

begin insertSEC. 7.end insert  

end insert

begin insertSection 1348.5 is added to the end insertbegin insertHealth and Safety Codeend insertbegin insert,
29to read:end insert

begin insert
30

begin insert1348.5.end insert  

(a) A health care service plan shall comply with the
31provisions of Section 56.107 of the Civil Code to the extent required
32by that section. To the extent this chapter conflicts with Section
3356.107 of the Civil Code, the provisions of Section 56.107 of the
34Civil Code shall control.

35(b) The department shall review health care service plan
36contracts and privacy policies for compliance with this section
37only during the normal application approval or modification
38process conducted pursuant to Sections 1351 and 1352.

end insert
P14   1

begin deleteSEC. 7.end delete
2begin insertSEC. 8.end insert  

Section 1627 of the Health and Safety Code is amended
3to read:

4

1627.  

(a) (1) On or before July 1, 2011, the University of
5California is requested to develop a plan to establish and administer
6the Umbilical Cord Blood Collection Program for the purpose of
7collecting units of umbilical cord blood for public use in
8transplantation and providing nonclinical units for research
9pertaining to biology and new clinical utilization of stem cells
10derived from the blood and tissue of the placenta and umbilical
11cord. The program shall conclude no later than January 1, 2018.

12(2) For purposes of this article, “public use” means both of the
13following:

14(A) The collection of umbilical cord blood units from genetically
15diverse donors that will be owned by the University of California.
16This inventory shall be accessible by the National Registry and by
17qualified California-based and other United States and international
18registries and transplant centers to increase the likelihood of
19providing suitably matched donor cord blood units to patients or
20research participants who are in need of a transplant.

21(B) Cord blood units with a lower number of cells than deemed
22necessary for clinical transplantation and units that meet clinical
23requirements, but for other reasons are unsuitable, unlikely to be
24transplanted, or otherwise unnecessary for clinical use, may be
25made available for research.

26(b) (1) In order to implement the collection goals of this
27program, the University of California may, commensurate with
28available funds appropriated to the University of California for
29this program, contract with one or more selected applicant entities
30that have demonstrated the competence to collect and ship cord
31blood units in compliance with federal guidelines and regulations.

32(2) It is the intent of the Legislature that, if the University of
33California contracts with another entity pursuant to this subdivision,
34the following shall apply:

35(A) The University of California may use a competitive process
36to identify the best proposals submitted by applicant entities to
37administer the collection and research objectives of the program,
38to the extent that the University of California chooses not to
39undertake these activities itself.

P15   1(B) In order to qualify for selection under this section to receive,
2process, cryopreserve, or bank cord blood units, the entity shall,
3at a minimum, have obtained an investigational new drug (IND)
4exemption from the FDA or a biologic license from the FDA, as
5appropriate, to manufacture clinical grade cord blood stem cell
6units for clinical indications.

7(C) In order to qualify to receive appropriate cord blood units
8and placental tissue to advance the research goals of this program,
9an entity shall, at a minimum, be a laboratory recognized as having
10performed peer-reviewed research on stem and progenitor cells,
11including those derived from placental or umbilical cord blood
12and postnatal tissue.

13(3) A medical provider or research facility shall comply with,
14and shall be subject to, existing penalties for violations of all
15applicable state and federal laws with respect to the protection of
16any medical information, as defined in Section 56.05 of the Civil
17Code, and any personally identifiable information contained in the
18umbilical cord blood inventory.

19(c) The University of California is encouraged to make every
20effort to avoid duplication or conflicts with existing and ongoing
21programs and to leverage existing resources.

22(d) (1) All information collected pursuant to the program shall
23be confidential, and shall be used solely for the purposes of the
24program, including research. Access to confidential information
25shall be limited to authorized persons who are bound by appropriate
26institutional policies or who otherwise agree, in writing, to maintain
27the confidentiality of that information.

28(2) Any person who, in violation of applicable institutional
29policies or a written agreement to maintain confidentiality,
30discloses any information provided pursuant to this section, or
31who uses information provided pursuant to this section in a manner
32other than as approved pursuant to this section, may be denied
33further access to any confidential information maintained by the
34University of California, and shall be subject to a civil penalty not
35exceeding one thousand dollars ($1,000). The penalty provided
36for in this section shall not be construed to limit or otherwise
37restrict any remedy, provisional or otherwise, provided by law for
38the benefit of the University of California or any other person
39covered by this section.

P16   1(3) Notwithstanding the restrictions of this section, an individual
2to whom the confidential information pertains shall have access
3to his or her own personal information.

4(e) It is the intent of the Legislature that the plan and
5implementation of the program provide for both of the following:

6(1) Limit fees for access to cord blood units to the reasonable
7 and actual costs of storage, handling, and providing units, as well
8as for related services such as donor matching and testing of cord
9blood and other programs and services typically provided by cord
10blood banks and public use programs.

11(2) The submittal of the plan developed pursuant to subdivision
12(a) to the health and fiscal committees of the Legislature.

13(f) It is additionally the intent of the Legislature that the plan
14and implementation of the program attempt to provide for all of
15the following:

16(1) Development of a strategy to increase voluntary participation
17by hospitals in the collection and storage of umbilical cord blood
18and identify funding sources to offset the financial impact on
19hospitals.

20(2) Consideration of a medical contingency response program
21to prepare for and respond effectively to biological, chemical, or
22radiological attacks, accidents, and other public health emergencies
23where victims potentially benefit from treatment.

24(3) Exploration of the feasibility of operating the program as a
25self-funding program, including the potential for charging users a
26reimbursement fee.

27

begin deleteSEC. 8.end delete
28begin insertSEC. 9.end insert  

Section 117928 of the Health and Safety Code is
29amended to read:

30

117928.  

(a)  Any common storage facility for the collection
31of medical waste produced by small quantity generators operating
32independently, but sharing common storage facilities, shall have
33a permit issued by the enforcement agency.

34(b)  A permit for any common storage facility specified in
35subdivision (a) may be obtained by any one of the following:

36(1)  A provider of health care as defined in Section 56.05 of the
37Civil Code.

38(2)  The registered hazardous waste transporter.

39(3)  The property owner.

P17   1(4)  The property management firm responsible for providing
2tenant services to the medical waste generators.

3

begin deleteSEC. 9.end delete
4begin insertSEC. 10.end insert  

Section 120985 of the Health and Safety Code is
5amended to read:

6

120985.  

(a)  Notwithstanding Section 120980, the results of
7an HIV test that identifies or provides identifying characteristics
8of the person to whom the test results apply may be recorded by
9the physician who ordered the test in the test subject’s medical
10record or otherwise disclosed without written authorization of the
11subject of the test, or the subject’s representative as set forth in
12Section 121020, to the test subject’s providers of health care, as
13defined in Section 56.05 of the Civil Code, for purposes of
14diagnosis, care, or treatment of the patient, except that for purposes
15of this section, “providers of health care” does not include a health
16care service plan regulated pursuant to Chapter 2.2 (commencing
17with Section 1340) of Division 2.

18(b)  Recording or disclosure of HIV test results pursuant to
19subdivision (a) does not authorize further disclosure unless
20otherwise permitted by law.

21

begin deleteSEC. 10.end delete
22begin insertSEC. 11.end insert  

Section 121010 of the Health and Safety Code is
23amended to read:

24

121010.  

Notwithstanding Section 120975 or 120980, the results
25of a blood test to detect antibodies to the probable causative agent
26of AIDS may be disclosed to any of the following persons without
27written authorization of the subject of the test:

28(a) To the subject of the test or the subject’s legal representative,
29conservator, or to any person authorized to consent to the test
30pursuant to subdivision (b) of Section 120990.

31(b) To a test subject’s provider of health care, as defined in
32Section 56.05 of the Civil Code, except that for purposes of this
33section, “provider of health care” does not include a health care
34service plan regulated pursuant to Chapter 2.2 (commencing with
35Section 1340) of Division 2.

36(c) To an agent or employee of the test subject’s provider of
37health care who provides direct patient care and treatment.

38(d) To a provider of health care who procures, processes,
39distributes, or uses a human body part donated pursuant to the
P18   1Uniform Anatomical Gift Act (Chapter 3.5 (commencing with
2Section 7150) of Part 1 of Division 7).

3(e) (1) To the designated officer of an emergency response
4employee, and from that designated officer to an emergency
5response employee regarding possible exposure to HIV or AIDS,
6but only to the extent necessary to comply with provisions of the
7Ryan White Comprehensive AIDS Resources Emergency Act of
81990 (Public Law 101-381; 42 U.S.C. Sec. 201).

9(2) For purposes of this subdivision, “designated officer” and
10“emergency response employee” have the same meaning as these
11terms are used in the Ryan White Comprehensive AIDS Resources
12Emergency Act of 1990 (Public Law 101-381; 42 U.S.C. Sec.
13201).

14(3) The designated officer shall be subject to the confidentiality
15requirements specified in Section 120980, and may be personally
16liable for unauthorized release of any identifying information about
17the HIV results. Further, the designated officer shall inform the
18exposed emergency response employee that the employee is also
19subject to the confidentiality requirements specified in Section
20120980, and may be personally liable for unauthorized release of
21any identifying information about the HIV test results.

22

begin deleteSEC. 11.end delete
23begin insertSEC. 12.end insert  

Section 130201 of the Health and Safety Code is
24amended to read:

25

130201.  

For purposes of this division, the following definitions
26apply:

27(a) “Director” means the Director of the Office of Health
28Information Integrity.

29(b) “Medical information” means the term as defined in Section
3056.05 of the Civil Code.

31(c) “Office” means the Office of Health Information Integrity.

32(d) “Provider of health care” means the term as defined in
33Sections 56.05 and 56.06 of the Civil Code.

34(e) “Unauthorized access” means the inappropriate review or
35viewing of patient medical information without a direct need for
36diagnosis, treatment, or other lawful use as permitted by the
37Confidentiality of Medical Information Act (Part 2.6 (commencing
38with Section 56) of Division 1 of the Civil Code) or by other
39statutes or regulations governing the lawful access, use, or
40disclosure of medical information.

P19   1

begin deleteSEC. 12.end delete
2begin insertSEC. 13.end insert  

Section 791.29 is added to the Insurance Code, to
3read:

4

791.29.  

begin insert(a)end insertbegin insertend insert A health insurer, as defined in subdivision (h) of
5Section 56.05 of the Civil Code, shall comply with the provisions
6of Section 56.107 of the Civil Code to the extent required by that
7section. To the extent this article conflicts with Section 56.107 of
8the Civil Code, the provisions of Section 56.107 of the Civil Code
9shall control.

begin insert

10(b) The department shall review insurance products and privacy
11policies for compliance with this section only during the normal
12policy issuance process conducted pursuant to Sections 10290 and
1310291.

end insert
14

begin deleteSEC. 13.end delete
15begin insertSEC. 14.end insert  

Section 3208.05 of the Labor Code is amended to
16read:

17

3208.05.  

(a) “Injury” includes a reaction to or a side effect
18arising from health care provided by an employer to a health care
19worker, which health care is intended to prevent the development
20or manifestation of any bloodborne disease, illness, syndrome, or
21condition recognized as occupationally incurred by Cal-OSHA,
22the federal Centers for Disease Control and Prevention, or other
23appropriate governmental entities. This section shall apply only
24to preventive health care that the employer provided to a health
25care worker under the following circumstances: (1) prior to an
26exposure because of risk of occupational exposure to such a
27disease, illness, syndrome, or condition, or (2) where the preventive
28care is provided as a consequence of a documented exposure to
29blood or bodily fluid containing blood that arose out of and in the
30course of employment. Such a disease, illness, syndrome, or
31condition includes, but is not limited to, hepatitis, and the human
32immunodeficiency virus. Such preventive health care, and any
33disability indemnity or other benefits required as a result of the
34preventive health care provided by the employer, shall be
35compensable under the workers’ compensation system. The
36employer may require the health care worker to document that the
37employer provided the preventive health care and that the reaction
38or side effects arising from the preventive health care resulted in
39lost work time, health care costs, or other costs normally
40compensable under workers’ compensation.

P20   1(b) The benefits of this section shall not be provided to a health
2care worker for a reaction to or side effect from health care
3intended to prevent the development of the human
4immunodeficiency virus if the worker claims a work-related
5exposure and if the worker tests positive within 48 hours of that
6exposure to a test to determine the presence of the human
7immunodeficiency virus.

8(c) For purposes of this section, “health care worker” includes
9any person who is an employee of a provider of health care as
10defined in Section 56.05 of the Civil Code, and who is exposed to
11human blood or other bodily fluids contaminated with blood in
12the course of employment, including, but not limited to, a registered
13nurse, a licensed vocational nurse, a certified nurse aide, clinical
14laboratory technologist, dental hygienist, physician, janitor, and
15housekeeping worker. “Health care worker” does not include an
16 employee who provides employee health services for an employer
17primarily engaged in a business other than providing health care.

18

begin deleteSEC. 14.end delete
19begin insertSEC. 15.end insert  

No reimbursement is required by this act pursuant to
20Section 6 of Article XIII B of the California Constitution because
21the only costs that may be incurred by a local agency or school
22district will be incurred because this act creates a new crime or
23infraction, eliminates a crime or infraction, or changes the penalty
24for a crime or infraction, within the meaning of Section 17556 of
25the Government Code, or changes the definition of a crime within
26the meaning of Section 6 of Article XIII B of the California
27Constitution.



O

    96