Amended in Assembly August 6, 2013

Amended in Assembly June 26, 2013

Amended in Senate May 28, 2013

Amended in Senate April 8, 2013

Amended in Senate March 13, 2013

Senate BillNo. 138


Introduced by Senator Hernandez

(Coauthors: Senators DeSaulnier and Leno)

January 28, 2013


An act to amend Sections 56.05, 56.104, and 56.16 of, and to add Section 56.107 to, the Civil Code, to amend Sections 1280.15, 1627, 117928, 120985, 121010, and 130201 of, and to add Section 1348.5 to, the Health and Safety Code, to add Section 791.29 to the Insurance Code, and to amend Section 3208.05 of the Labor Code, relating to medical information.

LEGISLATIVE COUNSEL’S DIGEST

SB 138, as amended, Hernandez. Confidentiality of medical information.

Existing federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes certain requirements relating to the provision of health insurance, and the protection of privacy of individually identifiable health information.

Existing law, the Knox-Keene Health Care Service Plan Act of 1975, provides for the licensure and regulation of health care service plans by the Department of Managed Health Care and makes a willful violation of its provisions a crime. Existing law also provides for the regulation of health insurers by the Department of Insurance.

Existing law, the Confidentiality of Medical Information Act, provides that medical information, as defined, may not be disclosed by providers of health care, health care service plans, or contractors, as defined, without the patient’s written authorization, subject to certain exceptions, including disclosure to a probate court investigator, as specified. A violation of the act resulting in economic loss or personal injury to a patient is a misdemeanor and subjects the violating party to liability for specified damages and administrative fines and penalties. The act defines various terms relevant to its implementation.

This bill would declare the intent of the Legislature to incorporate HIPAA standards into state law and to clarify standards for protecting the confidentiality of medical information in insurance transactions. The bill would define additional terms in connection with maintaining the confidentiality of this information, including a “confidential communications request” which an insured individual may submit for the purpose of specifying the method for transmitting insurance communications.

This bill would specify the manner in which a health care service plan or health insurer would be required to maintain confidentiality of medical information regarding the treatment of insured individuals that involves sensitive services, as defined, including such treatment of those individuals who are insured or covered as dependents on another person’s health care service plan or health insurance policy. The bill would require a health care service plan or health insurer to comply with a nondisclosurebegin delete reuestend deletebegin insert requestend insert or a confidential communications request from an insured individual, as defined, in situations in which disclosure would endanger the insured individual.

This bill would specifically authorize a provider of health care to communicate information regarding benefit cost-sharing arrangements to the health care service plan or health insurer, as specified.

This bill would also prohibit the health care service plan or health insurer from conditioning enrollment in the plan or eligibility for benefits on the provision of an authorization for insurance communications. The bill also would make conforming technical changes. By expanding the scope of a crime, the bill would create a state-mandated local program.

Existing law, the Insurance Information and Privacy Protection Act, generally regulates how insurers collect, use, and disclose information gathered in connection with insurance transactions.

This bill would require a health care services plan or a health insurer, as defined, to comply with the requirements of the Confidentiality of Medical Information Act, if that act conflicts with the Insurance Information and Privacy Protection Act, as specified. Because a willful violation of these provisions by a health care service plan would be a crime, this bill would thus impose a state-mandated local program.

The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.

This bill would provide that no reimbursement is required by this act for a specified reason.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: yes.

The people of the State of California do enact as follows:

P3    1

SECTION 1.  

The Legislature finds and declares all of the
2following:

3(a) Privacy is a fundamental right of all Californians, protected
4by the California Constitution, the federal Health Insurance
5Portability and Accountability Act (HIPAA; Public Law 104-191),
6and the Confidentiality of Medical Information Act, Part 2.6
7(commencing with Section 56) of Division 1 of the Civil Code.

8(b) Implementation of the recently enacted federal Patient
9Protection and Affordable Care Act (Public Law 111-148) will
10expand the number of individuals insured as dependents on a health
11insurance policy held in another person’s name, including adult
12children under 26 years of age insured on a parent’s insurance
13policy.

14(c) HIPAA explicitly protects the confidentiality of medical
15care obtained by dependents insured under a health insurance
16policy held by another person.

17(d) Therefore, it is the intent of the Legislature in enacting this
18act to incorporate HIPAA standards into state law and to clarify
19the standards for protecting the confidentiality of medical
20information in insurance transactions.

21

SEC. 2.  

Section 56.05 of the Civil Code is amended to read:

22

56.05.  

For purposes of this part:

P4    1(a) “Authorization” means permission granted in accordance
2with Section 56.11 or 56.21 for the disclosure of medical
3information.

4(b) “Authorized recipient” means any person who is authorized
5to receive medical information pursuant to Section 56.10 or 56.20.

6(c) “Confidential communications request” means a request by
7an insured individual that insurance communications be
8communicated by a specific method, such as by telephone, email,
9or in a covered envelope rather than postcard, or to a specific mail
10or email address or specific telephone number, as designated by
11the insured individual.

12(d) “Contractor” means any person or entity that is a medical
13group, independent practice association, pharmaceutical benefits
14manager, or a medical service organization and is not a health care
15service plan or provider of health care. “Contractor” does not
16include insurance institutions as defined in subdivision (k) of
17Section 791.02 of the Insurance Code or pharmaceutical benefits
18managers licensed pursuant to the Knox-Keene Health Care Service
19Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340)
20of Division 2 of the Health and Safety Code).

21(e) “Endanger” means that the insured individual fears
22harassment or abuse resulting from an insurance communication
23sufficient to deter the patient from obtaining health care absent
24confidentiality.

25(f) “Health care service plan” means any entity regulated
26pursuant to the Knox-Keene Health Care Service Plan Act of 1975
27(Chapter 2.2 (commencing with Section 1340) of Division 2 of
28the Health and Safety Code).

29(g) “Health insurer” means an entity that issues health insurance,
30as defined in subdivision (b) of Section 106 of the Insurance Code.

31(h) “Insured individual” means a person entitled to coverage
32under a health care service plan or health insurer, including the
33policyholder, enrollee, and dependents.

34(i) “Insurance communication” means any communication from
35the health care service plan or health insurer to insured individuals
36that discloses individually identifiable medical information.
37Insurance communication includes, but is not limited to,
38explanation of benefits forms, scheduling information, notices of
39denial, and notices of contested claims.

P5    1(j) “Licensed health care professional” means any person
2licensed or certified pursuant to Division 2 (commencing with
3Section 500) of the Business and Professions Code, the Osteopathic
4Initiative Act or the Chiropractic Initiative Act, or Division 2.5
5(commencing with Section 1797) of the Health and Safety Code.

6(k) “Marketing” means to make a communication about a
7product or service that encourages recipients of the communication
8to purchase or use the product or service.

9“Marketing” does not include any of the following:

10(1) Communications made orally or in writing for which the
11communicator does not receive direct or indirect remuneration,
12including, but not limited to, gifts, fees, payments, subsidies, or
13other economic benefits, from a third party for making the
14communication.

15(2) Communications made to current enrollees solely for the
16purpose of describing a provider’s participation in an existing
17health care provider network or health plan network of a
18Knox-Keene licensed health plan to which the enrollees already
19subscribe; communications made to current enrollees solely for
20the purpose of describing if, and the extent to which, a product or
21service, or payment for a product or service, is provided by a
22provider, contractor, or plan or included in a plan of benefits of a
23Knox-Keene licensed health plan to which the enrollees already
24subscribe; or communications made to plan enrollees describing
25the availability of more cost-effective pharmaceuticals.

26(3) Communications that are tailored to the circumstances of a
27particular individual to educate or advise the individual about
28treatment options, and otherwise maintain the individual’s
29adherence to a prescribed course of medical treatment, as provided
30in Section 1399.901 of the Health and Safety Code, for a chronic
31and seriously debilitating or life-threatening condition as defined
32in subdivisions (d) and (e) of Section 1367.21 of the Health and
33Safety Code, if the health care provider, contractor, or health plan
34receives direct or indirect remuneration, including, but not limited
35to, gifts, fees, payments, subsidies, or other economic benefits,
36from a third party for making the communication, if all of the
37following apply:

38(A) The individual receiving the communication is notified in
39the communication in typeface no smaller than 14-point type of
P6    1the fact that the provider, contractor, or health plan has been
2remunerated and the source of the remuneration.

3(B) The individual is provided the opportunity to opt out of
4receiving future remunerated communications.

5(C) The communication contains instructions in typeface no
6smaller than 14-point type describing how the individual can opt
7out of receiving further communications by calling a toll-free
8number of the health care provider, contractor, or health plan
9making the remunerated communications. No further
10communication may be made to an individual who has opted out
11after 30 calendar days from the date the individual makes the opt
12out request.

13(l) “Medical information” means any individually identifiable
14information, in electronic or physical form, in possession of or
15derived from a provider of health care, health care service plan,
16pharmaceutical company, or contractor regarding a patient’s
17medical history, mental or physical condition, or treatment.
18“Individually identifiable” means that the medical information
19includes or contains any element of personal identifying
20information sufficient to allow identification of the individual,
21such as the patient’s name, address, electronic mail address,
22 telephone number, or social security number, or other information
23that, alone or in combination with other publicly available
24information, reveals the individual’s identity.

25(m) “Nondisclosure request” means abegin delete writtenend delete requestbegin insert by an
26insured individualend insert
to withhold insurance communications that
27includes the insured individual’s name and address, description of
28the medical or other information that should not be disclosed,
29begin delete identity of the persons from whom information shall be withheld,end delete
30 andbegin insert alternativeend insert contact information for the individual for additional
31information or clarification necessary to satisfy the request.

32(n) “Patient” means any natural person, whether or not still
33living, who received health care services from a provider of health
34care and to whom medical information pertains.

35(o) “Pharmaceutical company” means any company or business,
36or an agent or representative thereof, that manufactures, sells, or
37distributes pharmaceuticals, medications, or prescription drugs.
38“Pharmaceutical company” does not include a pharmaceutical
39benefits manager, as included in subdivision (c), or a provider of
40health care.

P7    1(p) “Provider of health care” means any person licensed or
2certified pursuant to Division 2 (commencing with Section 500)
3of the Business and Professions Code; any person licensed pursuant
4to the Osteopathic Initiative Act or the Chiropractic Initiative Act;
5any person certified pursuant to Division 2.5 (commencing with
6Section 1797) of the Health and Safety Code; any clinic, health
7dispensary, or health facility licensed pursuant to Division 2
8(commencing with Section 1200) of the Health and Safety Code.
9“Provider of health care” does not include insurance institutions
10as defined in subdivision (k) of Section 791.02 of the Insurance
11Code.

12(q) “Sensitive services” means all health care services described
13in Sections 6924, 6925, 6926, 6927, 6928, and 6929 of the Family
14Code, and Sections 121020 and 124260 of the Health and Safety
15Code, obtained by any patient who has reached the minimum age
16specified for consenting to the service specified in the section,
17including patients 18 years of age and older.

18

SEC. 3.  

Section 56.104 of the Civil Code is amended to read:

19

56.104.  

(a) Notwithstanding subdivision (c) of Section 56.10,
20except as provided in subdivision (e), no provider of health care,
21health care service plan, or contractor may release medical
22information to persons or entities who have requested that
23information and who are authorized by law to receive that
24information pursuant to subdivision (c) of Section 56.10, if the
25requested information specifically relates to the patient’s
26participation in outpatient treatment with a psychotherapist, unless
27the person or entity requesting that information submits to the
28patient pursuant to subdivision (b) and to the provider of health
29care, health care service plan, or contractor a written request, signed
30by the person requesting the information or an authorized agent
31of the entity requesting the information, that includes all of the
32following:

33(1) The specific information relating to a patient’s participation
34in outpatient treatment with a psychotherapist being requested and
35its specific intended use or uses.

36(2) The length of time during which the information will be
37kept before being destroyed or disposed of. A person or entity may
38extend that timeframe, provided that the person or entity notifies
39the provider, plan, or contractor of the extension. Any notification
40of an extension shall include the specific reason for the extension,
P8    1the intended use or uses of the information during the extended
2time, and the expected date of the destruction of the information.

3(3) A statement that the information will not be used for any
4purpose other than its intended use.

5(4) A statement that the person or entity requesting the
6information will destroy the information and all copies in the
7person’s or entity’s possession or control, will cause it to be
8destroyed, or will return the information and all copies of it before
9or immediately after the length of time specified in paragraph (2)
10has expired.

11(b) The person or entity requesting the information shall submit
12a copy of the written request required by this section to the patient
13within 30 days of receipt of the information requested, unless the
14patient has signed a written waiver in the form of a letter signed
15and submitted by the patient to the provider of health care or health
16care service plan waiving notification.

17(c) For purposes of this section, “psychotherapist” means a
18person who is both a “psychotherapist” as defined in Section 1010
19of the Evidence Code and a “provider of health care” as defined
20in Section 56.05.

21(d) This section does not apply to the disclosure or use of
22medical information by a law enforcement agency or a regulatory
23agency when required for an investigation of unlawful activity or
24for licensing, certification, or regulatory purposes, unless the
25disclosure is otherwise prohibited by law.

26(e) This section shall not apply to any of the following:

27(1) Information authorized to be disclosed pursuant to paragraph
28(1) of subdivision (c) of Section 56.10.

29(2) Information requested from a psychotherapist by law
30enforcement or by the target of the threat subsequent to a disclosure
31by that psychotherapist authorized by paragraph (19) of subdivision
32(c) of Section 56.10, in which the additional information is clearly
33necessary to prevent the serious and imminent threat disclosed
34under that paragraph.

35(3) Information disclosed by a psychotherapist pursuant to
36paragraphs (14) and (22) of subdivision (c) of Section 56.10 and
37requested by an agency investigating the abuse reported pursuant
38to those paragraphs.

39(f) Nothing in this section shall be construed to grant any
40additional authority to a provider of health care, health care service
P9    1plan, or contractor to disclose information to a person or entity
2without the patient’s consent.

3

SEC. 4.  

Section 56.107 is added to the Civil Code, to read:

4

56.107.  

(a) Notwithstanding any other law, and to the extent
5permitted by federal law, a health care service plan or health insurer
6shall take the following steps to protect the confidentiality of an
7insured individual’s medical information as follows:

begin delete

8(1) For an insured individual who is insured or covered as a
9dependent on another person’s health care service plan or health
10insurance policy, a health care service plan or health insurer shall
11not send insurance communications relating to sensitive

end delete
begin delete

12 services, unless the insurance communication is required by
13federal law. If required by federal law, the insurance
14communication shall comply with either of the following:

end delete
begin insert

15(1) A health care service plan or health insurer shall not send
16insurance communications relating to sensitive services for an
17insured individual who is insured or covered as a dependent on
18another person’s health care service plan or health insurance
19policy, unless the insurance communication is required by federal
20law. If required by federal law, the health care service plan or
21health insurer shall comply with either of the following:

end insert

22(A) The health care service plan or health insurer shall send the
23required insurance communication to the insured individual in
24compliance with a confidential communications request received
25from the insured individual.

26(B) If the health care service plan or health insurer has not
27received a confidential communications request, it shall send the
28required insurance communication to the insured individual, and
29may do so at the address furnished by the policyholder.

begin delete

30(2) For an insured individual to whom paragraph (1) does not
31apply, a health care service plan or health insurer shall not send
32the insurance communication related to sensitive services if that
33insured individual has submitted a nondisclosure request.

34(3)

end delete

35begin insert(2)end insert A health care service plan or health insurer shall comply
36with a nondisclosure request or a confidential communications
37request from an insured individual who states that disclosure of
38medical information will endanger the individual, and shall not
39require an explanation as to the basis for the insured individual’s
40statement that disclosure will endanger the individual.

P10   1(b) For the purposes of this section, a confidential
2communications request or a nondisclosure request is deemed
3received by the health care service plan or the health insurer within
424 hours of electronic transmission or within 72 hours of posting
5by first class mail.

6(c) Notwithstanding subdivision (a), the provider of health care
7may make arrangements with the insured individual for the
8payment of benefit cost sharing and communicate that arrangement
9with the health care service plan or health insurer.

10(d) A health care service plan or health insurer shall not
11condition enrollment or coverage in the health plan or health
12insurance policy or eligibility for benefits on the provision of an
13authorization for insurance communications.

14

SEC. 5.  

Section 56.16 of the Civil Code is amended to read:

15

56.16.  

For disclosures not addressed by Section 56.1007, unless
16there is a specific written request by the patient to the contrary,
17nothing in this part shall be construed to prevent a general acute
18care hospital, as defined in subdivision (a) of Section 1250 of the
19Health and Safety Code, upon an inquiry concerning a specific
20patient, from releasing at its discretion any of the following
21information: the patient’s name, address, age, and sex; a general
22description of the reason for treatment (whether an injury, a burn,
23poisoning, or some unrelated condition); the general nature of the
24injury, burn, poisoning, or other condition; the general condition
25of the patient; and any information that is not medical information
26as defined in Section 56.05.

27

SEC. 6.  

Section 1280.15 of the Health and Safety Code is
28amended to read:

29

1280.15.  

(a) A clinic, health facility, home health agency, or
30hospice licensed pursuant to Section 1204, 1250, 1725, or 1745
31shall prevent unlawful or unauthorized access to, and use or
32disclosure of, patients’ medical information, as defined in Section
3356.05 of the Civil Code and consistent with Section 130203. For
34purposes of this section, internal paper records, electronic mail,
35or facsimile transmissions inadvertently misdirected within the
36same facility or health care system within the course of
37coordinating care or delivering services shall not constitute
38unauthorized access to, or use or disclosure of, a patient’s medical
39information. The department, after investigation, may assess an
40administrative penalty for a violation of this section of up to
P11   1 twenty-five thousand dollars ($25,000) per patient whose medical
2information was unlawfully or without authorization accessed,
3used, or disclosed, and up to seventeen thousand five hundred
4dollars ($17,500) per subsequent occurrence of unlawful or
5unauthorized access, use, or disclosure of that patient’s medical
6information. For purposes of the investigation, the department
7shall consider the clinic’s, health facility’s, agency’s, or hospice’s
8history of compliance with this section and other related state and
9federal statutes and regulations, the extent to which the facility
10detected violations and took preventative action to immediately
11correct and prevent past violations from recurring, and factors
12outside its control that restricted the facility’s ability to comply
13with this section. The department shall have full discretion to
14consider all factors when determining the amount of an
15administrative penalty pursuant to this section.

16(b) (1) A clinic, health facility, home health agency, or hospice
17to which subdivision (a) applies shall report any unlawful or
18unauthorized access to, or use or disclosure of, a patient’s medical
19information to the department no later than five business days after
20the unlawful or unauthorized access, use, or disclosure has been
21detected by the clinic, health facility, home health agency, or
22hospice.

23(2) Subject to subdivision (c), a clinic, health facility, home
24health agency, or hospice shall also report any unlawful or
25unauthorized access to, or use or disclosure of, a patient’s medical
26information to the affected patient or the patient’s representative
27at the last known address, no later than five business days after
28the unlawful or unauthorized access, use, or disclosure has been
29detected by the clinic, health facility, home health agency, or
30hospice.

31(c) (1) A clinic, health facility, home health agency, or hospice
32shall delay the reporting, as required pursuant to paragraph (2) of
33subdivision (b), of any unlawful or unauthorized access to, or use
34or disclosure of, a patient’s medical information beyond five
35business days if a law enforcement agency or official provides the
36clinic, health facility, home health agency, or hospice with a written
37or oral statement that compliance with the reporting requirements
38of paragraph (2) of subdivision (b) would likely impede the law
39enforcement agency’s investigation that relates to the unlawful or
40unauthorized access to, and use or disclosure of, a patient’s medical
P12   1information and specifies a date upon which the delay shall end,
2not to exceed 60 days after a written request is made, or 30 days
3after an oral request is made. A law enforcement agency or official
4may request an extension of a delay based upon a written
5declaration that there exists a bona fide, ongoing, significant
6criminal investigation of serious wrongdoing relating to the
7unlawful or unauthorized access to, and use or disclosure of, a
8patient’s medical information, that notification of patients will
9undermine the law enforcement agency’s investigation, and that
10specifies a date upon which the delay shall end, not to exceed 60
11days after the end of the original delay period.

12(2) If the statement of the law enforcement agency or official
13is made orally, then the clinic, health facility, home health agency,
14or hospice shall do both of the following:

15(A) Document the oral statement, including, but not limited to,
16the identity of the law enforcement agency or official making the
17oral statement and the date upon which the oral statement was
18made.

19(B) Limit the delay in reporting the unlawful or unauthorized
20access to, or use or disclosure of, the patient’s medical information
21to the date specified in the oral statement, not to exceed 30 calendar
22days from the date that the oral statement is made, unless a written
23statement that complies with the requirements of this subdivision
24is received during that time.

25(3) A clinic, health facility, home health agency, or hospice
26shall submit a report that is delayed pursuant to this subdivision
27not later than five business days after the date designated as the
28end of the delay.

29(d) If a clinic, health facility, home health agency, or hospice
30to which subdivision (a) applies violates subdivision (b), the
31department may assess the licensee a penalty in the amount of one
32hundred dollars ($100) for each day that the unlawful or
33 unauthorized access, use, or disclosure is not reported to the
34department or the affected patient, following the initial five-day
35period specified in subdivision (b). However, the total combined
36penalty assessed by the department under subdivision (a) and this
37subdivision shall not exceed two hundred fifty thousand dollars
38($250,000) per reported event. For enforcement purposes, it shall
39be presumed that the facility did not notify the affected patient if
40the notification was not documented. This presumption may be
P13   1rebutted by a licensee only if the licensee demonstrates, by a
2preponderance of the evidence, that the notification was made.

3(e) In enforcing subdivisions (a) and (d), the department shall
4take into consideration the special circumstances of small and rural
5hospitals, as defined in Section 124840, and primary care clinics,
6 as defined in subdivision (a) of Section 1204, in order to protect
7access to quality care in those hospitals and clinics. When assessing
8a penalty on a skilled nursing facility or other facility subject to
9Section 1423, 1424, 1424.1, or 1424.5, the department shall issue
10only the higher of either a penalty for the violation of this section
11or a penalty for violation of Section 1423, 1424, 1424.1, or 1424.5,
12not both.

13(f) All penalties collected by the department pursuant to this
14section, Sections 1280.1, 1280.3, and 1280.4, shall be deposited
15into the Internal Departmental Quality Improvement Account,
16which is hereby created within the Special Deposit Fund under
17Section 16370 of the Government Code. Upon appropriation by
18the Legislature, moneys in the account shall be expended for
19internal quality improvement activities in the Licensing and
20Certification Program.

21(g) If the licensee disputes a determination by the department
22regarding a failure to prevent or failure to timely report unlawful
23or unauthorized access to, or use or disclosure of, patients’ medical
24information, or the imposition of a penalty under this section, the
25licensee may, within 10 days of receipt of the penalty assessment,
26request a hearing pursuant to Section 131071. Penalties shall be
27paid when appeals have been exhausted and the penalty has been
28upheld.

29(h) In lieu of disputing the determination of the department
30regarding a failure to prevent or failure to timely report unlawful
31or unauthorized access to, or use or disclosure of, patients’ medical
32information, transmit to the department 75 percent of the total
33amount of the administrative penalty, for each violation, within
3430 business days of receipt of the administrative penalty.

35(i) Notwithstanding any other law, the department may refer
36violations of this section to the Office of Health Information
37Integrity for enforcement pursuant to Section 130303.

38(j) For purposes of this section, the following definitions shall
39apply:

P14   1(1) “Reported event” means all breaches included in any single
2report that is made pursuant to subdivision (b), regardless of the
3number of breach events contained in the report.

4(2) “Unauthorized” means the inappropriate access, review, or
5viewing of patient medical information without a direct need for
6medical diagnosis, treatment, or other lawful use as permitted by
7the Confidentiality of Medical Information Act (Part 2.6
8(commencing with Section 56) of Division 1 of the Civil Code)
9or any other statute or regulation governing the lawful access, use,
10or disclosure of medical information.

11

SEC. 7.  

Section 1348.5 is added to the Health and Safety Code,
12to read:

13

1348.5.  

(a) A health care service plan shall comply with the
14provisions of Section 56.107 of the Civil Code to the extent
15required by that section. To the extent this chapter conflicts with
16Section 56.107 of the Civil Code, the provisions of Section 56.107
17of the Civil Code shall control.

18(b) The department shall review health care service plan
19contracts and privacy policies for compliance with this section
20only during the normal application approval or modification
21process conducted pursuant to Sections 1351 and 1352.

22

SEC. 8.  

Section 1627 of the Health and Safety Code is amended
23to read:

24

1627.  

(a) (1) On or before July 1, 2011, the University of
25California is requested to develop a plan to establish and administer
26the Umbilical Cord Blood Collection Program for the purpose of
27collecting units of umbilical cord blood for public use in
28transplantation and providing nonclinical units for research
29pertaining to biology and new clinical utilization of stem cells
30derived from the blood and tissue of the placenta and umbilical
31cord. The program shall conclude no later than January 1, 2018.

32(2) For purposes of this article, “public use” means both of the
33following:

34(A) The collection of umbilical cord blood units from genetically
35diverse donors that will be owned by the University of California.
36This inventory shall be accessible by the National Registry and by
37qualified California-based and other United States and international
38registries and transplant centers to increase the likelihood of
39providing suitably matched donor cord blood units to patients or
40research participants who are in need of a transplant.

P15   1(B) Cord blood units with a lower number of cells than deemed
2necessary for clinical transplantation and units that meet clinical
3requirements, but for other reasons are unsuitable, unlikely to be
4transplanted, or otherwise unnecessary for clinical use, may be
5made available for research.

6(b) (1) In order to implement the collection goals of this
7program, the University of California may, commensurate with
8available funds appropriated to the University of California for
9this program, contract with one or more selected applicant entities
10that have demonstrated the competence to collect and ship cord
11blood units in compliance with federal guidelines and regulations.

12(2) It is the intent of the Legislature that, if the University of
13California contracts with another entity pursuant to this subdivision,
14the following shall apply:

15(A) The University of California may use a competitive process
16to identify the best proposals submitted by applicant entities to
17administer the collection and research objectives of the program,
18to the extent that the University of California chooses not to
19undertake these activities itself.

20(B) In order to qualify for selection under this section to receive,
21process, cryopreserve, or bank cord blood units, the entity shall,
22at a minimum, have obtained an investigational new drug (IND)
23exemption from the FDA or a biologic license from the FDA, as
24appropriate, to manufacture clinical grade cord blood stem cell
25units for clinical indications.

26(C) In order to qualify to receive appropriate cord blood units
27and placental tissue to advance the research goals of this program,
28an entity shall, at a minimum, be a laboratory recognized as having
29performed peer-reviewed research on stem and progenitor cells,
30including those derived from placental or umbilical cord blood
31and postnatal tissue.

32(3) A medical provider or research facility shall comply with,
33and shall be subject to, existing penalties for violations of all
34applicable state and federal laws with respect to the protection of
35any medical information, as defined in Section 56.05 of the Civil
36Code, and any personally identifiable information contained in the
37umbilical cord blood inventory.

38(c) The University of California is encouraged to make every
39effort to avoid duplication or conflicts with existing and ongoing
40programs and to leverage existing resources.

P16   1(d) (1) All information collected pursuant to the program shall
2be confidential, and shall be used solely for the purposes of the
3program, including research. Access to confidential information
4shall be limited to authorized persons who are bound by appropriate
5institutional policies or who otherwise agree, in writing, to maintain
6the confidentiality of that information.

7(2) Any person who, in violation of applicable institutional
8policies or a written agreement to maintain confidentiality,
9discloses any information provided pursuant to this section, or
10who uses information provided pursuant to this section in a manner
11other than as approved pursuant to this section, may be denied
12further access to any confidential information maintained by the
13University of California, and shall be subject to a civil penalty not
14exceeding one thousand dollars ($1,000). The penalty provided
15for in this section shall not be construed to limit or otherwise
16restrict any remedy, provisional or otherwise, provided by law for
17the benefit of the University of California or any other person
18covered by this section.

19(3) Notwithstanding the restrictions of this section, an individual
20to whom the confidential information pertains shall have access
21to his or her own personal information.

22(e) It is the intent of the Legislature that the plan and
23implementation of the program provide for both of the following:

24(1) Limit fees for access to cord blood units to the reasonable
25 and actual costs of storage, handling, and providing units, as well
26as for related services such as donor matching and testing of cord
27blood and other programs and services typically provided by cord
28blood banks and public use programs.

29(2) The submittal of the plan developed pursuant to subdivision
30(a) to the health and fiscal committees of the Legislature.

31(f) It is additionally the intent of the Legislature that the plan
32and implementation of the program attempt to provide for all of
33the following:

34(1) Development of a strategy to increase voluntary participation
35by hospitals in the collection and storage of umbilical cord blood
36and identify funding sources to offset the financial impact on
37hospitals.

38(2) Consideration of a medical contingency response program
39to prepare for and respond effectively to biological, chemical, or
P17   1radiological attacks, accidents, and other public health emergencies
2where victims potentially benefit from treatment.

3(3) Exploration of the feasibility of operating the program as a
4self-funding program, including the potential for charging users a
5reimbursement fee.

6

SEC. 9.  

Section 117928 of the Health and Safety Code is
7amended to read:

8

117928.  

(a)  Any common storage facility for the collection
9of medical waste produced by small quantity generators operating
10independently, but sharing common storage facilities, shall have
11a permit issued by the enforcement agency.

12(b)  A permit for any common storage facility specified in
13subdivision (a) may be obtained by any one of the following:

14(1)  A provider of health care as defined in Section 56.05 of the
15Civil Code.

16(2)  The registered hazardous waste transporter.

17(3)  The property owner.

18(4)  The property management firm responsible for providing
19tenant services to the medical waste generators.

20

SEC. 10.  

Section 120985 of the Health and Safety Code is
21amended to read:

22

120985.  

(a)  Notwithstanding Section 120980, the results of
23an HIV test that identifies or provides identifying characteristics
24of the person to whom the test results apply may be recorded by
25the physician who ordered the test in the test subject’s medical
26record or otherwise disclosed without written authorization of the
27subject of the test, or the subject’s representative as set forth in
28Section 121020, to the test subject’s providers of health care, as
29defined in Section 56.05 of the Civil Code, for purposes of
30diagnosis, care, or treatment of the patient, except that for purposes
31of this section, “providers of health care” does not include a health
32care service plan regulated pursuant to Chapter 2.2 (commencing
33with Section 1340) of Division 2.

34(b)  Recording or disclosure of HIV test results pursuant to
35subdivision (a) does not authorize further disclosure unless
36otherwise permitted by law.

37

SEC. 11.  

Section 121010 of the Health and Safety Code is
38amended to read:

39

121010.  

Notwithstanding Section 120975 or 120980, the results
40of a blood test to detect antibodies to the probable causative agent
P18   1of AIDS may be disclosed to any of the following persons without
2written authorization of the subject of the test:

3(a) To the subject of the test or the subject’s legal representative,
4conservator, or to any person authorized to consent to the test
5pursuant to subdivision (b) of Section 120990.

6(b) To a test subject’s provider of health care, as defined in
7Section 56.05 of the Civil Code, except that for purposes of this
8section, “provider of health care” does not include a health care
9service plan regulated pursuant to Chapter 2.2 (commencing with
10Section 1340) of Division 2.

11(c) To an agent or employee of the test subject’s provider of
12health care who provides direct patient care and treatment.

13(d) To a provider of health care who procures, processes,
14distributes, or uses a human body part donated pursuant to the
15Uniform Anatomical Gift Act (Chapter 3.5 (commencing with
16Section 7150) of Part 1 of Division 7).

17(e) (1) To the designated officer of an emergency response
18employee, and from that designated officer to an emergency
19response employee regarding possible exposure to HIV or AIDS,
20but only to the extent necessary to comply with provisions of the
21Ryan White Comprehensive AIDS Resources Emergency Act of
221990 (Public Law 101-381; 42 U.S.C. Sec. 201).

23(2) For purposes of this subdivision, “designated officer” and
24“emergency response employee” have the same meaning as these
25terms are used in the Ryan White Comprehensive AIDS Resources
26Emergency Act of 1990 (Public Law 101-381; 42 U.S.C. Sec.
27201).

28(3) The designated officer shall be subject to the confidentiality
29requirements specified in Section 120980, and may be personally
30liable for unauthorized release of any identifying information about
31the HIV results. Further, the designated officer shall inform the
32exposed emergency response employee that the employee is also
33subject to the confidentiality requirements specified in Section
34120980, and may be personally liable for unauthorized release of
35any identifying information about the HIV test results.

36

SEC. 12.  

Section 130201 of the Health and Safety Code is
37amended to read:

38

130201.  

For purposes of this division, the following definitions
39apply:

P19   1(a) “Director” means the Director of the Office of Health
2Information Integrity.

3(b) “Medical information” means the term as defined in Section
456.05 of the Civil Code.

5(c) “Office” means the Office of Health Information Integrity.

6(d) “Provider of health care” means the term as defined in
7Sections 56.05 and 56.06 of the Civil Code.

8(e) “Unauthorized access” means the inappropriate review or
9viewing of patient medical information without a direct need for
10diagnosis, treatment, or other lawful use as permitted by the
11Confidentiality of Medical Information Act (Part 2.6 (commencing
12with Section 56) of Division 1 of the Civil Code) or by other
13statutes or regulations governing the lawful access, use, or
14disclosure of medical information.

15

SEC. 13.  

Section 791.29 is added to the Insurance Code, to
16read:

17

791.29.  

(a) A health insurer, as defined in subdivision (h) of
18Section 56.05 of the Civil Code, shall comply with the provisions
19of Section 56.107 of the Civil Code to the extent required by that
20section. To the extent this article conflicts with Section 56.107 of
21the Civil Code, the provisions of Section 56.107 of the Civil Code
22shall control.

23(b) The department shall review insurance products and privacy
24policies for compliance with this section only during the normal
25policy issuance process conducted pursuant to Sections 10290 and
2610291.

27

SEC. 14.  

Section 3208.05 of the Labor Code is amended to
28read:

29

3208.05.  

(a) “Injury” includes a reaction to or a side effect
30arising from health care provided by an employer to a health care
31worker, which health care is intended to prevent the development
32or manifestation of any bloodborne disease, illness, syndrome, or
33condition recognized as occupationally incurred by Cal-OSHA,
34the federal Centers for Disease Control and Prevention, or other
35appropriate governmental entities. This section shall apply only
36to preventive health care that the employer provided to a health
37care worker under the following circumstances: (1) prior to an
38exposure because of risk of occupational exposure to such a
39disease, illness, syndrome, or condition, or (2) where the preventive
40care is provided as a consequence of a documented exposure to
P20   1blood or bodily fluid containing blood that arose out of and in the
2course of employment. Such a disease, illness, syndrome, or
3condition includes, but is not limited to, hepatitis, and the human
4immunodeficiency virus. Such preventive health care, and any
5disability indemnity or other benefits required as a result of the
6preventive health care provided by the employer, shall be
7compensable under the workers’ compensation system. The
8employer may require the health care worker to document that the
9employer provided the preventive health care and that the reaction
10or side effects arising from the preventive health care resulted in
11lost work time, health care costs, or other costs normally
12compensable under workers’ compensation.

13(b) The benefits of this section shall not be provided to a health
14care worker for a reaction to or side effect from health care
15intended to prevent the development of the human
16immunodeficiency virus if the worker claims a work-related
17exposure and if the worker tests positive within 48 hours of that
18exposure to a test to determine the presence of the human
19immunodeficiency virus.

20(c) For purposes of this section, “health care worker” includes
21any person who is an employee of a provider of health care as
22defined in Section 56.05 of the Civil Code, and who is exposed to
23human blood or other bodily fluids contaminated with blood in
24the course of employment, including, but not limited to, a registered
25nurse, a licensed vocational nurse, a certified nurse aide, clinical
26laboratory technologist, dental hygienist, physician, janitor, and
27housekeeping worker. “Health care worker” does not include an
28 employee who provides employee health services for an employer
29primarily engaged in a business other than providing health care.

30

SEC. 15.  

No reimbursement is required by this act pursuant to
31Section 6 of Article XIII B of the California Constitution because
32the only costs that may be incurred by a local agency or school
33district will be incurred because this act creates a new crime or
34infraction, eliminates a crime or infraction, or changes the penalty
35for a crime or infraction, within the meaning of Section 17556 of
36the Government Code, or changes the definition of a crime within
37the meaning of Section 6 of Article XIII B of the California
38Constitution.



O

    94