SB 138, as amended, Hernandez. Confidentiality of medical information.
Existing federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes certain requirements relating to the provision of health insurance, and the protection of privacy of individually identifiable health information.
Existing law, the Knox-Keene Health Care Service Plan Act of 1975, provides for the licensure and regulation of health care service plans by the Department of Managed Health Care and makes a willful violation of its provisions a crime. Existing law also provides for the regulation of health insurers by the Department of Insurance.
Existing law, the Confidentiality of Medical Information Act, provides that medical information, as defined, may not be disclosed by providers of health care, health care service plans, or contractors, as defined, without the patient’s written authorization, subject to certain exceptions, including disclosure to a probate court investigator, as specified. A violation of the act resulting in economic loss or personal injury to a patient is a misdemeanor and subjects the violating party to liability for specified damages and administrative fines and penalties. The act defines various terms relevant to its implementation.
This bill would declare the intent of the Legislature to incorporate HIPAA standards into state law and to clarify standards for protecting the confidentiality of medical information in insurance transactions. The bill would define additional terms in connection with maintaining the confidentiality of this information, including
begin delete an “authorization for insurance
communications,”end delete which an insured individual may submit for the purpose of specifying begin delete disclosable medical information and insurance transactions, and permissible recipientsend delete.
This bill would specify the manner in which a health care service plan or health insurer would be required to maintain confidentiality of information regarding the treatment of
begin delete less than 26 years of ageend delete
who are insured as dependents on another person’s begin delete policy, the treatment of an insured individual involving sensitive services, as defined, orend delete situations in which disclosure would endanger the insured begin delete individual, as definedend delete.
This bill would specifically authorize a provider of health care to communicate information regarding benefit cost-sharing arrangements to the health care service plan or health insurer, as specified.
This bill would also prohibit the health care service plan or health insurer from conditioning enrollment in the plan or eligibility for benefits on the provision of an authorization for insurance communications. The bill also would make conforming technical changes. By expanding the scope of a crime, the bill would create a state-mandated local program.
Existing law, the Insurance Information and Privacy Protection Act, generally regulates how insurers collect, use, and disclose information gathered in connection with insurance transactions.
This bill would require a health care services plan or a health insurer, as defined, to comply with the requirements of the Confidentiality of Medical Information Act, if that act conflicts with the Insurance Information and Privacy Protection Act, as specified. Because a willful violation of these provisions by a health care service plan would be a crime, this bill would thus impose a state-mandated local program.
The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.
This bill would provide that no reimbursement is required by this act for a specified reason.
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: yes.
The people of the State of California do enact as follows:
The Legislature finds and declares all of the
3(a) Privacy is a fundamental right of all Californians, protected
4by the California Constitution, the federal Health Insurance
5Portability and Accountability Act (HIPAA; Public Law 104-191),
6and the Confidentiality of Medical Information Act, Part 2.6
7(commencing with Section 56) of Division 1 of the Civil Code.
8(b) Implementation of the recently enacted federal Patient
9Protection and Affordable Care Act (Public Law 111-148) will
10expand the number of individuals insured as dependents on a health
11insurance policy held in another person’s name, including adult
12children under 26 years of age insured on a parent’s insurance
14(c) HIPAA explicitly protects the confidentiality of medical
15care obtained by dependents insured under a health insurance
16policy held by another person.
17(d) Therefore, it is the intent of the Legislature in enacting this
18act to incorporate HIPAA standards into state law and to clarify
19the standards for protecting the confidentiality of medical
20information in insurance transactions.
Section 56.05 of the Civil Code is amended to read:
For purposes of this part:
2(a) “Authorization” means permission granted in accordance
3with Section 56.11 or 56.21 for the disclosure of medical
5(b) “Authorization for insurance communications” means
6permission from the individual, that meets the requirements of
7subdivisions (a) to (c), inclusive, of Section 56.11, specifying the
8medical information and insurance transactions that may be
9disclosed and the identity of the people to whom disclosures are
10permitted as part of an insurance communication.
3 11(c)end delete
12 “Authorized recipient” means any person who is authorized
13to receive medical information pursuant to Section 56.10 or 56.20.
5 14(d)end delete
15 “Confidential communications request” means a request by
16an insured individual that insurance communications be
17communicated by a specific method, such as by telephone, email,
18or in a covered envelope rather than postcard, or to a specific mail
19or email address or specific telephone number, as designated by
20the insured individual.
11 21(e)end delete
22 “Contractor” means any person or entity that is a medical
23group, independent practice association, pharmaceutical benefits
24manager, or a medical service organization and is not a health care
25service plan or provider of health care. “Contractor” does not
26include insurance institutions as defined in subdivision (k) of
27Section 791.02 of the Insurance Code or pharmaceutical benefits
28managers licensed pursuant to the Knox-Keene Health Care Service
29Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340)
30of Division 2 of the Health and Safety Code).
20 31(f)end delete
32 “Endanger” means that the insured individual fears
33harassment or abuse resulting from an insurance communication
34sufficient to deter the patient from obtaining health care absent
24 36(g)end delete
37 “Health care service plan” means any entity regulated
38pursuant to the Knox-Keene Health Care Service Plan Act of 1975
39(Chapter 2.2 (commencing with Section 1340) of Division 2 of
40the Health and Safety Code).
28 P5 1(h)end delete
2 “Health insurer” means an entity that issues health insurance,
3as defined in subdivision (b) of Section 106 of the Insurance Code.
30 4(i)end delete
5 “Insured individual” means a person entitled to coverage
6under a health care service plan or health insurer, including the
7policyholder and dependents.
33 8(j)end delete
9 “Insurance communication” means any communication from
10the health care service plan or health insurer to
begin delete policyholders orend delete
11 insured individuals that discloses individually identifiable medical
12information. Insurance communication includes, but is not limited
13to, explanation of benefits forms, scheduling information, notices
14of denial, and notices of contested claims.
39 15(k)end delete
16 “Licensed health care professional” means any person
17licensed or certified pursuant to Division 2 (commencing with
18Section 500) of the Business and Professions Code, the Osteopathic
19Initiative Act or the Chiropractic Initiative Act, or Division 2.5
20(commencing with Section 1797) of the Health and Safety Code.
22 “Marketing” means to make a communication about a
23product or service that encourages recipients of the communication
24to purchase or use the product or service.
25“Marketing” does not include any of the following:
26(1) Communications made orally or in writing for which the
27communicator does not receive direct or indirect remuneration,
28including, but not limited to, gifts, fees, payments, subsidies, or
29other economic benefits, from a third party for making the
31(2) Communications made to current enrollees solely for the
32purpose of describing a provider’s participation in an existing
33health care provider network or health plan network of a
34Knox-Keene licensed health plan to which the enrollees already
35subscribe; communications made to current enrollees solely for
36the purpose of describing if, and the extent to which, a product or
37service, or payment for a product or service, is provided by a
38provider, contractor, or plan or included in a plan of benefits of a
39Knox-Keene licensed health plan to which the enrollees already
P6 1subscribe; or communications made to plan enrollees describing
2the availability of more cost-effective pharmaceuticals.
3(3) Communications that are tailored to the circumstances of a
4particular individual to educate or advise the individual about
5treatment options, and otherwise maintain the individual’s
6adherence to a prescribed course of medical treatment, as provided
7in Section 1399.901 of the Health and Safety Code, for a chronic
8and seriously debilitating or life-threatening condition as defined
9in subdivisions (d) and (e) of Section 1367.21 of the Health and
10Safety Code, if the health care provider, contractor, or health plan
11receives direct or indirect remuneration, including, but not limited
12to, gifts, fees, payments, subsidies, or other economic benefits,
13from a third party for making the communication, if all of the
15(A) The individual receiving the communication is notified in
16the communication in typeface no smaller than 14-point type of
17the fact that the provider, contractor, or health plan has been
18remunerated and the source of the remuneration.
19(B) The individual is provided the opportunity to opt out of
20receiving future remunerated communications.
21(C) The communication contains instructions in typeface no
22smaller than 14-point type describing how the individual can opt
23out of receiving further communications by calling a toll-free
24number of the health care provider, contractor, or health plan
25making the remunerated communications. No further
26communication may be made to an individual who has opted out
27after 30 calendar days from the date the individual makes the opt
30 “Medical information” means any individually identifiable
31information, in electronic or physical form, in possession of or
32derived from a provider of health care, health care service plan,
33pharmaceutical company, or contractor regarding a patient’s
34medical history, mental or physical condition, or treatment.
35“Individually identifiable” means that the medical information
36includes or contains any element of personal identifying
37information sufficient to allow identification of the individual,
38such as the patient’s name, address, electronic mail address,
39 telephone number, or social security number, or other information
P7 1that, alone or in combination with other publicly available
2information, reveals the individual’s identity.
4 “Nondisclosure request” means a written request to withhold
5insurance communications that includes the insured individual’s
6name and address, description of the medical or other information
7that should not be disclosed, identity of the persons from whom
8information shall be withheld, and contact information for the
9individual for additional information or clarification necessary to
10satisfy the request.
12 “Patient” means any natural person, whether or not still
13living, who received health care services from a provider of health
14care and to whom medical information pertains.
16 “Pharmaceutical company” means any company or business,
17or an agent or representative thereof, that manufactures, sells, or
18distributes pharmaceuticals, medications, or prescription drugs.
19“Pharmaceutical company” does not include a pharmaceutical
20benefits manager, as included in subdivision (c), or a provider of
23 “Provider of health care” means any person licensed or
24certified pursuant to Division 2 (commencing with Section 500)
25of the Business and Professions Code; any person licensed pursuant
26to the Osteopathic Initiative Act or the Chiropractic Initiative Act;
27any person certified pursuant to Division 2.5 (commencing with
28Section 1797) of the Health and Safety Code; any clinic, health
29dispensary, or health facility licensed pursuant to Division 2
30(commencing with Section 1200) of the Health and Safety Code.
31“Provider of health care” does not include insurance institutions
32as defined in subdivision (k) of Section 791.02 of the Insurance
35 “Sensitive services” means all health care services described
36in Sections 6924, 6925, 6926, 6927, 6928, and 6929 of the Family
37Code, and Sections 121020 and 124260 of the Health and Safety
38Code, obtained by any patient who has reached the minimum age
39specified for consenting to the service specified in the section,
40including patients 18 years of age and older.
Section 56.104 of the Civil Code is amended to read:
(a) Notwithstanding subdivision (c) of Section 56.10,
3except as provided in subdivision (e), no provider of health care,
4health care service plan, or contractor may release medical
5information to persons or entities who have requested that
6information and who are authorized by law to receive that
7information pursuant to subdivision (c) of Section 56.10, if the
8requested information specifically relates to the patient’s
9participation in outpatient treatment with a psychotherapist, unless
10the person or entity requesting that information submits to the
11patient pursuant to subdivision (b) and to the provider of health
12care, health care service plan, or contractor a written request, signed
13by the person requesting the information or an authorized agent
14of the entity requesting the information, that includes all of the
16(1) The specific information relating to a patient’s participation
17in outpatient treatment with a psychotherapist being requested and
18its specific intended use or uses.
19(2) The length of time during which the information will be
20kept before being destroyed or disposed of. A person or entity may
21extend that timeframe, provided that the person or entity notifies
22the provider, plan, or contractor of the extension. Any notification
23of an extension shall include the specific reason for the extension,
24the intended use or uses of the information during the extended
25time, and the expected date of the destruction of the information.
26(3) A statement that the information will not be used for any
27purpose other than its intended use.
28(4) A statement that the person or entity requesting the
29information will destroy the information and all copies in the
30person’s or entity’s possession or control, will cause it to be
31destroyed, or will return the information and all copies of it before
32or immediately after the length of time specified in paragraph (2)
34(b) The person or entity requesting the information shall submit
35a copy of the written request required by this section to the patient
36within 30 days of receipt of the information requested, unless the
37patient has signed a written waiver in the form of a letter signed
38and submitted by the patient to the provider of health care or health
39care service plan waiving notification.
P9 1(c) For purposes of this section, “psychotherapist” means a
2person who is both a “psychotherapist” as defined in Section 1010
3of the Evidence Code and a “provider of health care” as defined
4in Section 56.05.
5(d) This section does not apply to the disclosure or use of
6medical information by a law enforcement agency or a regulatory
7agency when required for an investigation of unlawful activity or
8for licensing, certification, or regulatory purposes, unless the
9disclosure is otherwise prohibited by law.
10(e) This section shall not apply to any of the following:
11(1) Information authorized to be disclosed pursuant to paragraph
12(1) of subdivision (c) of Section 56.10.
13(2) Information requested from a psychotherapist by law
14enforcement or by the target of the threat subsequent to a disclosure
15by that psychotherapist authorized by paragraph (19) of subdivision
16(c) of Section 56.10, in which the additional information is clearly
17necessary to prevent the serious and imminent threat disclosed
18under that paragraph.
19(3) Information disclosed by a psychotherapist pursuant to
20paragraphs (14) and (22) of subdivision (c) of Section 56.10 and
21requested by an agency investigating the abuse reported pursuant
22to those paragraphs.
23(f) Nothing in this section shall be construed to grant any
24additional authority to a provider of health care, health care service
25plan, or contractor to disclose information to a person or entity
26without the patient’s consent.
Section 56.107 is added to the Civil Code, to read:
(a) Notwithstanding any other law, and to the extent
29permitted by federal law, a health care service plan or health insurer
30shall take the following steps to protect the confidentiality of an
31insured individual’s medical information as follows:
begin deleteA end deletehealth care service plan or health insurer shall
35not send insurance communications relating to sensitive
begin delete services:end delete
begin delete36(A) Unless the health care service plan or health insurer has
37received an authorization for insurance communications from an
38insured individual who is under 26 years of age and insured as a
39dependent on another person’s insurance policy.end delete
12 11(B)end delete
12 For an insured individual to whom
begin delete subparagraph (A)end delete
13 does not apply, if that insured individual has submitted a
17(2) A health care service plan or health insurer shall comply
18with a confidential communications request regarding sensitive
19services from an insured individual.
18 20(3) A health care service plan or health insurer shall comply
21with a nondisclosure request or a confidential communications
22request from an insured individual who states that disclosure of
23medical information will endanger the individual, and shall not
24require an explanation as to the basis for the insured individual’s
25statement that disclosure will endanger the individual.
32 Notwithstanding subdivision (a), the provider of health care
33may make arrangements with the insured individual for the
34payment of benefit cost sharing and communicate that arrangement
35with the health care service plan or health insurer.
37 A health care service plan or health insurer shall not
38condition enrollment or coverage in the health plan or health
39insurance policy or eligibility for benefits on the provision of an
40authorization for insurance communications.
Section 56.16 of the Civil Code is amended to read:
For disclosures not addressed by Section 56.1007, unless
3there is a specific written request by the patient to the contrary,
4nothing in this part shall be construed to prevent a general acute
5care hospital, as defined in subdivision (a) of Section 1250 of the
6Health and Safety Code, upon an inquiry concerning a specific
7patient, from releasing at its discretion any of the following
8information: the patient’s name, address, age, and sex; a general
9description of the reason for treatment (whether an injury, a burn,
10poisoning, or some unrelated condition); the general nature of the
11injury, burn, poisoning, or other condition; the general condition
12of the patient; and any information that is not medical information
13as defined in Section 56.05.
Section 1280.15 of the Health and Safety Code is
15amended to read:
(a) A clinic, health facility, home health agency, or
17hospice licensed pursuant to Section 1204, 1250, 1725, or 1745
18shall prevent unlawful or unauthorized access to, and use or
19disclosure of, patients’ medical information, as defined in Section
2056.05 of the Civil Code and consistent with Section 130203. For
21purposes of this section, internal paper records, electronic mail,
22or facsimile transmissions inadvertently misdirected within the
23same facility or health care system within the course of
24coordinating care or delivering services shall not constitute
25unauthorized access to, or use or disclosure of, a patient’s medical
26information. The department, after investigation, may assess an
27administrative penalty for a violation of this section of up to
28 twenty-five thousand dollars ($25,000) per patient whose medical
29information was unlawfully or without authorization accessed,
30used, or disclosed, and up to seventeen thousand five hundred
31dollars ($17,500) per subsequent occurrence of unlawful or
32unauthorized access, use, or disclosure of that patient’s medical
33information. For purposes of the investigation, the department
34shall consider the clinic’s, health facility’s, agency’s, or hospice’s
35history of compliance with this section and other related state and
36federal statutes and regulations, the extent to which the facility
37detected violations and took preventative action to immediately
38correct and prevent past violations from recurring, and factors
39outside its control that restricted the facility’s ability to comply
40with this section. The department shall have full discretion to
P12 1consider all factors when determining the amount of an
2administrative penalty pursuant to this section.
3(b) (1) A clinic, health facility, home health agency, or hospice
4to which subdivision (a) applies shall report any unlawful or
5unauthorized access to, or use or disclosure of, a patient’s medical
6information to the department no later than five business days after
7the unlawful or unauthorized access, use, or disclosure has been
8detected by the clinic, health facility, home health agency, or
10(2) Subject to subdivision (c), a clinic, health facility, home
11health agency, or hospice shall also report any unlawful or
12unauthorized access to, or use or disclosure of, a patient’s medical
13information to the affected patient or the patient’s representative
14at the last known address, no later than five business days after
15the unlawful or unauthorized access, use, or disclosure has been
16detected by the clinic, health facility, home health agency, or
18(c) (1) A clinic, health facility, home health agency, or hospice
19shall delay the reporting, as required pursuant to paragraph (2) of
20subdivision (b), of any unlawful or unauthorized access to, or use
21or disclosure of, a patient’s medical information beyond five
22business days if a law enforcement agency or official provides the
23clinic, health facility, home health agency, or hospice with a written
24or oral statement that compliance with the reporting requirements
25of paragraph (2) of subdivision (b) would likely impede the law
26enforcement agency’s investigation that relates to the unlawful or
27unauthorized access to, and use or disclosure of, a patient’s medical
28information and specifies a date upon which the delay shall end,
29not to exceed 60 days after a written request is made, or 30 days
30after an oral request is made. A law enforcement agency or official
31may request an extension of a delay based upon a written
32declaration that there exists a bona fide, ongoing, significant
33criminal investigation of serious wrongdoing relating to the
34unlawful or unauthorized access to, and use or disclosure of, a
35patient’s medical information, that notification of patients will
36undermine the law enforcement agency’s investigation, and that
37specifies a date upon which the delay shall end, not to exceed 60
38days after the end of the original delay period.
P13 1(2) If the statement of the law enforcement agency or official
2is made orally, then the clinic, health facility, home health agency,
3or hospice shall do both of the following:
4(A) Document the oral statement, including, but not limited to,
5the identity of the law enforcement agency or official making the
6oral statement and the date upon which the oral statement was
8(B) Limit the delay in reporting the unlawful or unauthorized
9access to, or use or disclosure of, the patient’s medical information
10to the date specified in the oral statement, not to exceed 30 calendar
11days from the date that the oral statement is made, unless a written
12statement that complies with the requirements of this subdivision
13is received during that time.
14(3) A clinic, health facility, home health agency, or hospice
15shall submit a report that is delayed pursuant to this subdivision
16not later than five business days after the date designated as the
17end of the delay.
18(d) If a clinic, health facility, home health agency, or hospice
19to which subdivision (a) applies violates subdivision (b), the
20department may assess the licensee a penalty in the amount of one
21hundred dollars ($100) for each day that the unlawful or
22 unauthorized access, use, or disclosure is not reported to the
23department or the affected patient, following the initial five-day
24period specified in subdivision (b). However, the total combined
25penalty assessed by the department under subdivision (a) and this
26subdivision shall not exceed two hundred fifty thousand dollars
27($250,000) per reported event. For enforcement purposes, it shall
28be presumed that the facility did not notify the affected patient if
29the notification was not documented. This presumption may be
30rebutted by a licensee only if the licensee demonstrates, by a
31preponderance of the evidence, that the notification was made.
32(e) In enforcing subdivisions (a) and (d), the department shall
33take into consideration the special circumstances of small and rural
34hospitals, as defined in Section 124840, and primary care clinics,
35 as defined in subdivision (a) of Section 1204, in order to protect
36access to quality care in those hospitals and clinics. When assessing
37a penalty on a skilled nursing facility or other facility subject to
38Section 1423, 1424, 1424.1, or 1424.5, the department shall issue
39only the higher of either a penalty for the violation of this section
P14 1or a penalty for violation of Section 1423, 1424, 1424.1, or 1424.5,
3(f) All penalties collected by the department pursuant to this
4section, Sections 1280.1, 1280.3, and 1280.4, shall be deposited
5into the Internal Departmental Quality Improvement Account,
6which is hereby created within the Special Deposit Fund under
7Section 16370 of the Government Code. Upon appropriation by
8the Legislature, moneys in the account shall be expended for
9internal quality improvement activities in the Licensing and
11(g) If the licensee disputes a determination by the department
12regarding a failure to prevent or failure to timely report unlawful
13or unauthorized access to, or use or disclosure of, patients’ medical
14information, or the imposition of a penalty under this section, the
15licensee may, within 10 days of receipt of the penalty assessment,
16request a hearing pursuant to Section 131071. Penalties shall be
17paid when appeals have been exhausted and the penalty has been
19(h) In lieu of disputing the determination of the department
20regarding a failure to prevent or failure to timely report unlawful
21or unauthorized access to, or use or disclosure of, patients’ medical
22information, transmit to the department 75 percent of the total
23amount of the administrative penalty, for each violation, within
2430 business days of receipt of the administrative penalty.
25(i) Notwithstanding any other law, the department may refer
26violations of this section to the Office of Health Information
27Integrity for enforcement pursuant to Section 130303.
28(j) For purposes of this section, the following definitions shall
30(1) “Reported event” means all breaches included in any single
31report that is made pursuant to subdivision (b), regardless of the
32number of breach events contained in the report.
33(2) “Unauthorized” means the inappropriate access, review, or
34viewing of patient medical information without a direct need for
35medical diagnosis, treatment, or other lawful use as permitted by
36the Confidentiality of Medical Information Act (Part 2.6
37(commencing with Section 56) of Division 1 of the Civil Code)
38or any other statute or regulation governing the lawful access, use,
39or disclosure of medical information.
Section 1348.5 is added to the Health and Safety Code,
(a) A health care service plan shall comply with the
4provisions of Section 56.107 of the Civil Code to the extent
5required by that section. To the extent this chapter conflicts with
6Section 56.107 of the Civil Code, the provisions of Section 56.107
7of the Civil Code shall control.
8(b) The department shall review health care service plan
9contracts and privacy policies for compliance with this section
10only during the normal application approval or modification
11process conducted pursuant to Sections 1351 and 1352.
Section 1627 of the Health and Safety Code is amended
(a) (1) On or before July 1, 2011, the University of
15California is requested to develop a plan to establish and administer
16the Umbilical Cord Blood Collection Program for the purpose of
17collecting units of umbilical cord blood for public use in
18transplantation and providing nonclinical units for research
19pertaining to biology and new clinical utilization of stem cells
20derived from the blood and tissue of the placenta and umbilical
21cord. The program shall conclude no later than January 1, 2018.
22(2) For purposes of this article, “public use” means both of the
24(A) The collection of umbilical cord blood
units from genetically
25diverse donors that will be owned by the University of California.
26This inventory shall be accessible by the National Registry and by
27qualified California-based and other United States and international
28registries and transplant centers to increase the likelihood of
29providing suitably matched donor cord blood units to patients or
30research participants who are in need of a transplant.
31(B) Cord blood units with a lower number of cells than deemed
32necessary for clinical transplantation and units that meet clinical
33requirements, but for other reasons are unsuitable, unlikely to be
34transplanted, or otherwise unnecessary for clinical use, may be
35made available for research.
36(b) (1) In order to implement the collection goals of this
37program, the University of California may, commensurate with
38available funds appropriated to the University of California for
39this program, contract with one or more selected applicant entities
P16 1that have demonstrated the competence to collect and ship cord
2blood units in compliance with federal guidelines and regulations.
3(2) It is the intent of the Legislature that, if the University of
4California contracts with another entity pursuant to this subdivision,
5the following shall apply:
6(A) The University of California may use a competitive process
7to identify the best proposals submitted by applicant entities to
8administer the collection and research objectives of the program,
9to the extent that the University of California chooses not to
10undertake these activities itself.
11(B) In order to qualify for selection under this section to receive,
12process, cryopreserve, or bank cord blood units, the entity shall,
13at a minimum, have obtained an investigational new drug (IND)
14exemption from the FDA or a biologic license from the FDA, as
15appropriate, to manufacture clinical grade cord blood stem cell
16units for clinical indications.
17(C) In order to qualify to receive appropriate cord blood units
18and placental tissue to advance the research goals of this program,
19an entity shall, at a minimum, be a laboratory recognized as having
20performed peer-reviewed research on stem and progenitor cells,
21including those derived from placental or umbilical cord blood
22and postnatal tissue.
23(3) A medical provider
or research facility shall comply with,
24and shall be subject to, existing penalties for violations of all
25applicable state and federal laws with respect to the protection of
26any medical information, as defined in Section 56.05 of the Civil
27Code, and any personally identifiable information contained in the
28umbilical cord blood inventory.
29(c) The University of California is encouraged to make every
30effort to avoid duplication or conflicts with existing and ongoing
31programs and to leverage existing resources.
32(d) (1) All information collected pursuant to the program shall
33be confidential, and shall be used solely for the purposes of the
34program, including research. Access to confidential information
35shall be limited to authorized persons who are bound by appropriate
36institutional policies or who otherwise agree, in writing, to maintain
37the confidentiality of that information.
38(2) Any person who, in violation of applicable institutional
39policies or a written agreement to maintain confidentiality,
40discloses any information provided pursuant to this section, or
P17 1who uses information provided pursuant to this section in a manner
2other than as approved pursuant to this section, may be denied
3further access to any confidential information maintained by the
4University of California, and shall be subject to a civil penalty not
5exceeding one thousand dollars ($1,000). The penalty provided
6for in this section shall not be construed to limit or otherwise
7restrict any remedy, provisional or otherwise, provided by law for
8the benefit of the University of California or any other person
9covered by this section.
10(3) Notwithstanding the restrictions of this section, an individual
11to whom the confidential information pertains shall have access
12to his or her own personal information.
13(e) It is the intent of the Legislature that the plan and
14implementation of the program provide for both of the following:
15(1) Limit fees for access to cord blood units to the reasonable
16 and actual costs of storage, handling, and providing units, as well
17as for related services such as donor matching and testing of cord
18blood and other programs and services typically provided by cord
19blood banks and public use programs.
20(2) The submittal of the plan developed pursuant to subdivision
21(a) to the health and fiscal committees of the Legislature.
22(f) It is additionally the intent of the Legislature that the plan
23and implementation of the program attempt to provide for all of
25(1) Development of a strategy to increase voluntary participation
26by hospitals in the collection and storage of umbilical cord blood
27and identify funding sources to offset the financial impact on
29(2) Consideration of a medical contingency response program
30to prepare for and respond effectively to biological, chemical, or
31radiological attacks, accidents, and other public health emergencies
32where victims potentially benefit from treatment.
33(3) Exploration of the feasibility of operating the program as a
34self-funding program, including the potential for charging users a
Section 117928 of the Health and Safety Code is
37amended to read:
(a) Any common storage facility for the collection
39of medical waste produced by small quantity generators operating
P18 1independently, but sharing common storage facilities, shall have
2a permit issued by the enforcement agency.
3(b) A permit for any common storage facility specified in
4subdivision (a) may be obtained by any one of the following:
5(1) A provider of health care as defined in Section 56.05 of the
7(2) The registered hazardous waste transporter.
8(3) The property owner.
9(4) The property management firm responsible for providing
10tenant services to the medical waste generators.
Section 120985 of the Health and Safety Code is
12amended to read:
(a) Notwithstanding Section 120980, the results of
14an HIV test that identifies or provides identifying characteristics
15of the person to whom the test results apply may be recorded by
16the physician who ordered the test in the test subject’s medical
17record or otherwise disclosed without written authorization of the
18subject of the test, or the subject’s representative as set forth in
19Section 121020, to the test subject’s providers of health care, as
20defined in Section 56.05 of the Civil Code, for purposes of
21diagnosis, care, or treatment of the patient, except that for purposes
22of this section, “providers of health care” does not include a health
23care service plan regulated pursuant to Chapter 2.2 (commencing
24with Section 1340) of Division 2.
25(b) Recording or disclosure of HIV test results pursuant to
26subdivision (a) does not authorize further disclosure unless
27otherwise permitted by law.
Section 121010 of the Health and Safety Code is
29amended to read:
Notwithstanding Section 120975 or 120980, the results
31of a blood test to detect antibodies to the probable causative agent
32of AIDS may be disclosed to any of the following persons without
33written authorization of the subject of the test:
34(a) To the subject of the test or the subject’s legal representative,
35conservator, or to any person authorized to consent to the test
36pursuant to subdivision (b) of Section 120990.
37(b) To a test subject’s provider of health care, as defined in
38Section 56.05 of the Civil Code, except that for purposes of this
39section, “provider of health care” does not include a health care
P19 1service plan regulated pursuant to Chapter 2.2 (commencing with
2Section 1340) of Division 2.
3(c) To an agent or employee of the test subject’s provider of
4health care who provides direct patient care and treatment.
5(d) To a provider of health care who procures, processes,
6distributes, or uses a human body part donated pursuant to the
7Uniform Anatomical Gift Act (Chapter 3.5 (commencing with
8Section 7150) of Part 1 of Division 7).
9(e) (1) To the designated officer of an emergency response
10employee, and from that designated officer to an emergency
11response employee regarding possible exposure to HIV or AIDS,
12but only to the extent necessary to comply with provisions of the
13Ryan White Comprehensive AIDS Resources Emergency Act of
141990 (Public Law 101-381; 42 U.S.C. Sec. 201).
15(2) For purposes of this subdivision, “designated officer” and
16“emergency response employee” have the same meaning as these
17terms are used in the Ryan White Comprehensive AIDS Resources
18Emergency Act of 1990 (Public Law 101-381; 42 U.S.C. Sec.
20(3) The designated officer shall be subject to the confidentiality
21requirements specified in Section 120980, and may be personally
22liable for unauthorized release of any identifying information about
23the HIV results. Further, the designated officer shall inform the
24exposed emergency response employee that the employee is also
25subject to the confidentiality requirements specified in Section
26120980, and may be personally liable for unauthorized release of
27any identifying information about the HIV test results.
Section 130201 of the Health and Safety Code is
29amended to read:
For purposes of this division, the following definitions
32(a) “Director” means the Director of the Office of Health
34(b) “Medical information” means the term as defined in Section
3556.05 of the Civil Code.
36(c) “Office” means the Office of Health Information Integrity.
37(d) “Provider of health care” means the term as defined in
38Sections 56.05 and 56.06 of the Civil Code.
39(e) “Unauthorized access”
means the inappropriate review or
40viewing of patient medical information without a direct need for
P20 1diagnosis, treatment, or other lawful use as permitted by the
2Confidentiality of Medical Information Act (Part 2.6 (commencing
3with Section 56) of Division 1 of the Civil Code) or by other
4statutes or regulations governing the lawful access, use, or
5disclosure of medical information.
Section 791.29 is added to the Insurance Code, to
(a) A health insurer, as defined in subdivision (h) of
9Section 56.05 of the Civil Code, shall comply with the provisions
10of Section 56.107 of the Civil Code to the extent required by that
11section. To the extent this article conflicts with Section 56.107 of
12the Civil Code, the provisions of Section 56.107 of the Civil Code
14(b) The department shall review insurance products and privacy
15policies for compliance with this section only during the normal
16policy issuance process conducted pursuant to Sections 10290 and
Section 3208.05 of the Labor Code is amended to
(a) “Injury” includes a reaction to or a side effect
21arising from health care provided by an employer to a health care
22worker, which health care is intended to prevent the development
23or manifestation of any bloodborne disease, illness, syndrome, or
24condition recognized as occupationally incurred by Cal-OSHA,
25the federal Centers for Disease Control and Prevention, or other
26appropriate governmental entities. This section shall apply only
27to preventive health care that the employer provided to a health
28care worker under the following circumstances: (1) prior to an
29exposure because of risk of occupational exposure to such a
30disease, illness, syndrome, or condition, or (2) where the preventive
31care is provided as a consequence of a documented exposure to
32blood or bodily fluid containing blood that arose out of and in the
33course of employment. Such a disease, illness, syndrome, or
34condition includes, but is not limited to, hepatitis, and the human
35immunodeficiency virus. Such preventive health care, and any
36disability indemnity or other benefits required as a result of the
37preventive health care provided by the employer, shall be
38compensable under the workers’ compensation system. The
39employer may require the health care worker to document that the
40employer provided the preventive health care and that the reaction
P21 1or side effects arising from the preventive health care resulted in
2lost work time, health care costs, or other costs normally
3compensable under workers’ compensation.
4(b) The benefits of this section shall not be provided
to a health
5care worker for a reaction to or side effect from health care
6intended to prevent the development of the human
7immunodeficiency virus if the worker claims a work-related
8exposure and if the worker tests positive within 48 hours of that
9exposure to a test to determine the presence of the human
11(c) For purposes of this section, “health care worker” includes
12any person who is an employee of a provider of health care as
13defined in Section 56.05 of the Civil Code, and who is exposed to
14human blood or other bodily fluids contaminated with blood in
15the course of employment, including, but not limited to, a registered
16nurse, a licensed vocational nurse, a certified nurse aide, clinical
17laboratory technologist, dental hygienist, physician, janitor, and
18housekeeping worker. “Health care worker” does not include an
19 employee who provides employee health services for an employer
20primarily engaged in a business other than providing health care.
No reimbursement is required by this act pursuant to
22Section 6 of Article XIII B of the California Constitution because
23the only costs that may be incurred by a local agency or school
24district will be incurred because this act creates a new crime or
25infraction, eliminates a crime or infraction, or changes the penalty
26for a crime or infraction, within the meaning of Section 17556 of
27the Government Code, or changes the definition of a crime within
28the meaning of Section 6 of Article XIII B of the California