SB 138, as amended, Hernandez. Confidentiality of medical information.
Existing federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes certain requirements relating to the provision of health insurance, and the protection of privacy of individually identifiable health information.
Existing law, the Knox-Keene Health Care Service Plan Act of 1975, provides for the licensure and regulation of health care service plans by the Department of Managed Health Care and makes a willful violation of its provisions a crime. Existing law also provides for the regulation of health insurers by the Department of Insurance.
Existing law, the Confidentiality of Medical Information Act, provides that medical information, as defined, may not be disclosed by providers of health care, health care service plans, or contractors, as defined, without the patient’s written authorization, subject to certain exceptions, including disclosure to a probate court investigator, as specified. A violation of the act resulting in economic loss or personal injury to a patient is a misdemeanor and subjects the violating party to liability for specified damages and administrative fines and penalties. The act defines various terms relevant to its implementation.
This bill would declare the intent of the Legislature to incorporate HIPAA standards into state law and to clarify standards for protecting the confidentiality of medical information in insurance transactions. The bill would define additional terms in connection with maintaining the confidentiality of this information, including a “confidential communications request” which an insured begin delete individual end delete may submit for the purpose of specifying the method for transmitting begin delete insurance end delete communications.
This bill would specify the manner in which a health care service plan or health insurer would be required to maintain confidentiality of medical information regarding the treatment of insured begin delete individuals that involves sensitive services, as defined, including such treatment of those individuals who are insured or covered as dependents on another person’s health care service plan or health insurance policy. The bill would require end delete a health care service plan or health insurer to begin delete comply with a nondisclosure request or a confidential communications request from an insured individual, as defined, end delete in situations in which disclosure would endanger the begin delete insured end delete individual.
This bill would specifically authorize a provider of health care to communicate information regarding benefit cost-sharing arrangements to the health care service plan or health insurer, as specified.
This bill would also prohibit the health care service plan or health insurer from conditioning enrollment in the plan or eligibility for benefits on the begin delete provision of an authorization for insurance communications end delete. The bill also would make conforming technical changes. begin delete By expanding end delete the scope of a crime, the bill would create a state-mandated local program.
Existing law, the Insurance Information and Privacy Protection Act, generally regulates how insurers collect, use, and disclose information gathered in connection with insurance transactions. end delete
This bill would require a health care services plan or a health insurer, as defined, to comply with the requirements of the Confidentiality of Medical Information Act, if that act conflicts with the Insurance Information and Privacy Protection Act, as specified. Because a willful violation of these provisions by a health care service plan would be a crime, this bill would thus impose a state-mandated local program. end delete
The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.
This bill would provide that no reimbursement is required by this act for a specified reason.
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: yes.
The people of the State of California do enact as follows:
The Legislature finds and declares all of the
(a) Privacy is a fundamental right of all Californians, protected by the California Constitution, the federal Health Insurance Portability and Accountability Act (HIPAA; Public Law 104-191), and the Confidentiality of Medical Information Act, Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code.
(b) Implementation of the recently enacted federal Patient Protection and Affordable Care Act (Public Law 111-148) will expand the number of individuals insured as dependents on a health insurance policy held in another person’s name, including adult children under 26 years of age insured on a parent’s insurance
(c) HIPAA explicitly protects the confidentiality of medical care obtained by dependents insured under a health insurance policy held by another person.
(d) Therefore, it is the intent of the Legislature in enacting this act to incorporate HIPAA standards into state law and to clarify the standards for protecting the confidentiality of medical information in insurance transactions.
Section 56.05 of the Civil Code is amended to read:
For purposes of this part:
(a) “Authorization” means permission granted in accordance with Section 56.11 or 56.21 for the disclosure of medical
(b) “Authorized recipient” means any person who is authorized to receive medical information pursuant to Section 56.10 or 56.20.
(c) “Confidential communications request” means a request by begin delete an insured individual that insurance communications be communicated by a specific method, such as by telephone, email, or in a covered envelope rather than postcard, or to end delete a specific mail or begin delete email end delete address or specific telephone number, as designated by the begin delete insured individual end delete.
(d) “Contractor” means any person or entity that is a medical group, independent practice association, pharmaceutical benefits manager, or a medical service organization and is not a health care service plan or provider of health care. “Contractor” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code or pharmaceutical benefits managers licensed pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).
(e) “Endanger” means that the begin delete insured individual fears harassment or abuse resulting from an insurance communication sufficient to deter the patient from obtaining health care absent
(f) “Health care service plan” means any entity regulated pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).
(g) “Health insurer” means an entity that issues health insurance, as defined in subdivision (b) of Section 106 of the Insurance Code.
(h) “Insured individual” means a person entitled to coverage under a health care service plan or health insurer, including the policyholder, enrollee, and dependents.
(i) “Insurance communication” means any communication from the health care service plan or health insurer to insured individuals that discloses individually identifiable medical information. Insurance communication includes, but is not limited to, explanation of benefits forms, scheduling information, notices of denial, and notices of contested claims.
(j) “Licensed health care professional” means any person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code, the Osteopathic Initiative Act or the Chiropractic Initiative Act, or Division 2.5 (commencing with Section 1797) of the Health and Safety Code.
(k) “Marketing” means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.
“Marketing” does not include any of the following:
(1) Communications made orally or in writing for which the communicator does not receive direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the
(2) Communications made to current enrollees solely for the purpose of describing a provider’s participation in an existing health care provider network or health plan network of a Knox-Keene licensed health plan to which the enrollees already subscribe; communications made to current enrollees solely for the purpose of describing if, and the extent to which, a product or service, or payment for a product or service, is provided by a provider, contractor, or plan or included in a plan of benefits of a Knox-Keene licensed health plan to which the enrollees already subscribe; or communications made to plan enrollees describing the availability of more cost-effective pharmaceuticals.
(3) Communications that are tailored to the circumstances of a particular individual to educate or advise the individual about treatment options, and otherwise maintain the individual’s adherence to a prescribed course of medical treatment, as provided in Section 1399.901 of the Health and Safety Code, for a chronic and seriously debilitating or life-threatening condition as defined in subdivisions (d) and (e) of Section 1367.21 of the Health and Safety Code, if the health care provider, contractor, or health plan receives direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication, if all of the
(A) The individual receiving the communication is notified in the communication in typeface no smaller than 14-point type of the fact that the provider, contractor, or health plan has been remunerated and the source of the remuneration.
(B) The individual is provided the opportunity to opt out of receiving future remunerated communications.
(C) The communication contains instructions in typeface no smaller than 14-point type describing how the individual can opt out of receiving further communications by calling a toll-free number of the health care provider, contractor, or health plan making the remunerated communications. No further communication may be made to an individual who has opted out after 30 calendar days from the date the individual makes the opt
(l) “Medical information” means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.
(m) “Nondisclosure request” means a request by an insured individual to withhold insurance communications that includes the insured individual’s name and address, description of the medical or other information that should not be disclosed, and alternative contact information for the individual for additional information or clarification necessary to satisfy the request.
(n) “Patient” means any natural person, whether or not still living, who received health care services from a provider of health care and to whom medical information pertains.
(o) “Pharmaceutical company” means any company or business, or an agent or representative thereof, that manufactures, sells, or distributes pharmaceuticals, medications, or prescription drugs. “Pharmaceutical company” does not include a pharmaceutical benefits manager, as included in subdivision (c), or a provider of
(p) “Provider of health care” means any person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code; any person licensed pursuant to the Osteopathic Initiative Act or the Chiropractic Initiative Act; any person certified pursuant to Division 2.5 (commencing with Section 1797) of the Health and Safety Code; any clinic, health dispensary, or health facility licensed pursuant to Division 2 (commencing with Section 1200) of the Health and Safety Code. “Provider of health care” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance
(q) “Sensitive services” means all health care services described in Sections 6924, 6925, 6926, 6927, 6928, and 6929 of the Family Code, and Sections 121020 and 124260 of the Health and Safety Code, obtained by begin delete any patient who has reached end delete the minimum age specified for consenting to the service specified in the begin delete section, including patients 18 years of age and
Section 56.104 of the Civil Code is amended to read:
(a) Notwithstanding subdivision (c) of Section 56.10, except as provided in subdivision (e), no provider of health care, health care service plan, or contractor may release medical information to persons or entities who have requested that information and who are authorized by law to receive that information pursuant to subdivision (c) of Section 56.10, if the requested information specifically relates to the patient’s participation in outpatient treatment with a psychotherapist, unless the person or entity requesting that information submits to the patient pursuant to subdivision (b) and to the provider of health care, health care service plan, or contractor a written request, signed by the person requesting the information or an authorized agent of the entity requesting the information, that includes all of the
(1) The specific information relating to a patient’s participation in outpatient treatment with a psychotherapist being requested and its specific intended use or uses.
(2) The length of time during which the information will be kept before being destroyed or disposed of. A person or entity may extend that timeframe, provided that the person or entity notifies the provider, plan, or contractor of the extension. Any notification of an extension shall include the specific reason for the extension, the intended use or uses of the information during the extended time, and the expected date of the destruction of the information.
(3) A statement that the information will not be used for any purpose other than its intended use.
(4) A statement that the person or entity requesting the information will destroy the information and all copies in the person’s or entity’s possession or control, will cause it to be destroyed, or will return the information and all copies of it before or immediately after the length of time specified in paragraph (2)
(b) The person or entity requesting the information shall submit a copy of the written request required by this section to the patient within 30 days of receipt of the information requested, unless the patient has signed a written waiver in the form of a letter signed and submitted by the patient to the provider of health care or health care service plan waiving notification.
(c) For purposes of this section, “psychotherapist” means a person who is both a “psychotherapist” as defined in Section 1010 of the Evidence Code and a “provider of health care” as defined in Section 56.05.
(d) This section does not apply to the disclosure or use of medical information by a law enforcement agency or a regulatory agency when required for an investigation of unlawful activity or for licensing, certification, or regulatory purposes, unless the disclosure is otherwise prohibited by law.
(e) This section shall not apply to any of the following:
(1) Information authorized to be disclosed pursuant to paragraph (1) of subdivision (c) of Section 56.10.
(2) Information requested from a psychotherapist by law enforcement or by the target of the threat subsequent to a disclosure by that psychotherapist authorized by paragraph (19) of subdivision (c) of Section 56.10, in which the additional information is clearly necessary to prevent the serious and imminent threat disclosed under that paragraph.
(3) Information disclosed by a psychotherapist pursuant to paragraphs (14) and (22) of subdivision (c) of Section 56.10 and requested by an agency investigating the abuse reported pursuant to those paragraphs.
(f) Nothing in this section shall be construed to grant any additional authority to a provider of health care, health care service plan, or contractor to disclose information to a person or entity without the patient’s consent.
Section 56.107 is added to the Civil Code, to read:
(a) Notwithstanding any other law, and to the extent permitted by federal law, a health care service plan begin delete or health insurer end delete shall take the following steps to protect the confidentiality of begin delete an insured individual’s medical end delete begin delete as follows: end delete
(1) A health care service plan or health insurer shall not send insurance communications relating to sensitive services for an insured individual who is insured or covered as a dependent on another person’s health care service plan or health insurance policy, unless the insurance communication is required by federal law. If required by federal law, the health care service plan or health insurer shall comply with either of the following:
(A) The health care service plan or health insurer shall send the required insurance communication to the insured individual in compliance with a confidential communications request received from the insured individual.
(B) If the health care service plan or health insurer has not received a confidential communications request, it shall send the required insurance communication to the insured individual, and may do so at the address furnished by the policyholder.
(2) A health care service plan or health insurer shall comply with a nondisclosure request or a confidential communications request from an insured individual who states that disclosure of medical information will endanger the individual, and shall not require an explanation as to the basis for the insured individual’s statement that disclosure will endanger the individual.
For the purposes of this section, a confidential begin delete or a nondisclosure request is deemed received by the health care service plan or the health insurer within 24 hours of electronic transmission or within 72 hours of posting by first class mail end delete
Notwithstanding subdivision (a), the provider of health care may make arrangements with the begin delete insured individual end delete for the payment of benefit cost sharing and communicate that arrangement with the health care service plan begin delete or health insurer end delete.
A health care service plan begin delete or health insurer end delete shall not condition enrollment or coverage begin delete in the health plan or health insurance policy or eligibility for benefits on the provision of an authorization for insurance communications end delete
Section 56.16 of the Civil Code is amended to read:
For disclosures not addressed by Section 56.1007, unless there is a specific written request by the patient to the contrary, nothing in this part shall be construed to prevent a general acute care hospital, as defined in subdivision (a) of Section 1250 of the Health and Safety Code, upon an inquiry concerning a specific patient, from releasing at its discretion any of the following information: the patient’s name, address, age, and sex; a general description of the reason for treatment (whether an injury, a burn, poisoning, or some unrelated condition); the general nature of the injury, burn, poisoning, or other condition; the general condition of the patient; and any information that is not medical information as defined in Section 56.05.
The following terms as used in this title have the meaning expressed in this section:
(a) The term “person” means any individual, partnership, corporation, limited liability company, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity. The term “person” as used in this title shall not be construed to require duplicative reporting by any individual, corporation, trust, estate, cooperative, association, government, or governmental subdivision or agency, or other entity involved in the same transaction.
(b) The term “consumer” means a natural individual who has made application to a person for employment purposes, for insurance for personal, family, or household purposes, or the hiring of a dwelling unit, as defined in subdivision (c) of Section 1940.
(c) The term “investigative consumer report” means a consumer report in which information on a consumer’s character, general reputation, personal characteristics, or mode of living is obtained through any means. The term does not include a consumer report or other compilation of information that is limited to specific factual information relating to a consumer’s credit record or manner of obtaining credit obtained directly from a creditor of the consumer or from a consumer reporting agency when that information was obtained directly from a potential or existing creditor of the consumer or from the consumer. Notwithstanding the foregoing, for transactions between investigative consumer reporting agencies and insurance institutions, agents, or insurance-support organizations subject to Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code, the term “investigative consumer report” shall have the meaning set forth in begin delete subdivision (n) of end delete Section 791.02 of the Insurance Code.
(d) The term “investigative consumer reporting agency” means any person who, for monetary fees or dues, engages in whole or in part in the practice of collecting, assembling, evaluating, compiling, reporting, transmitting, transferring, or communicating information concerning consumers for the purposes of furnishing investigative consumer reports to third parties, but does not include any governmental agency whose records are maintained primarily for traffic safety, law enforcement, or licensing purposes, or any licensed insurance agent, insurance broker, or solicitor, insurer, or life insurance agent.
(e) The term “file,” when used in connection with information on any consumer, means all of the information on that consumer recorded and retained by an investigative consumer reporting agency regardless of how the information is stored.
(f) The term “employment purposes,” when used in connection with an investigative consumer report, means a report used for the purpose of evaluating a consumer for employment, promotion, reassignment, or retention as an employee.
(g) The term “medical information” means information on a person’s medical history or condition obtained directly or indirectly from a licensed physician, medical practitioner, hospital, clinic, or other medical or medically related facility.
(a) For purposes of this title, the following definitions
(1) “Direct marketing purposes” means the use of personal information for marketing or advertising products, goods, or services directly to individuals. “Direct marketing purposes” does not include the use of personal information (A) by bona fide tax exempt charitable or religious organizations to solicit charitable contributions or (B) to raise funds from and communicate with individuals regarding politics and government.
(2) “Medical information” means any individually identifiable information, in electronic or physical form, regarding the individual’s medical history, or medical treatment or diagnosis by a health care professional. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the individual’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity. For purposes of this section, “medical information” does not mean a subscription to, purchase of, or request for a periodical, book, pamphlet, video, audio, or other multimedia product or nonprofit
(3) “Clear and conspicuous” means in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.
(4) For purposes of this section, the collection of medical information online constitutes “in writing.” For purposes of this section, “written consent” includes consent obtained online.
(b) A business may not orally request medical information directly from an individual regardless of whether the information pertains to the individual or not, and use, share, or otherwise disclose that information for direct marketing purposes, without doing both of the following prior to obtaining that information:
(1) Orally disclosing to the individual in the same conversation during which the business seeks to obtain the information, that it is obtaining the information to market or advertise products, goods, or services to the individual.
(2) Obtaining the consent of either the individual to whom the information pertains or a person legally authorized to consent for the individual, to permit his or her medical information to be used or shared to market or advertise products, goods, or services to the individual, and making and maintaining for two years after the date of the conversation, an audio recording of the entire
(c) A business may not request in writing medical information directly from an individual regardless of whether the information pertains to the individual or not, and use, share, or otherwise disclose that information for direct marketing purposes, without doing both of the following prior to obtaining that information:
(1) Disclosing in a clear and conspicuous manner that it is obtaining the information to market or advertise products, goods, or services to the individual.
(2) Obtaining the written consent of either the individual to whom the information pertains or a person legally authorized to consent for the individual, to permit his or her medical information to be used or shared to market or advertise products, goods, or services to the individual.
(d) This section does not apply to a provider of health care, health care service plan, or contractor, as defined in Section 56.05.
(e) This section shall not apply to an insurance institution, agent, or support organization, as defined in Section 791.02 of the Insurance Code, when engaged in an insurance transaction, as defined in begin delete subdivision (m) of end delete Section 791.02 of the Insurance Code, pursuant to all the requirements of Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code, and the regulations promulgated thereunder.
(f) This section does not apply to a telephone corporation, as defined in Section 234 of the Public Utilities Code, when that corporation is engaged in providing telephone services and products pursuant to Sections 2881, 2881.1, and 2881.2 of the Public Utilities Code, if the corporation does not share or disclose medical information obtained as a consequence of complying with those sections of the Public Utilities Code, to third parties for direct
(a) (1) A financial institution shall not disclose to, or
16share a consumer’s nonpublic personal information with, any
17nonaffiliated third party as prohibited by Section 4052.5, unless
18the financial institution has obtained a consent acknowledgment
19from the consumer that complies with paragraph (2) that authorizes
20the financial institution to disclose or share the nonpublic personal
21information. Nothing in this section shall prohibit or otherwise
22apply to the disclosure of nonpublic personal information as
23allowed in Section 4056. A financial institution shall not
24discriminate against or deny an otherwise qualified consumer a
25financial product or a financial service because the consumer has
26not provided consent pursuant to this subdivision and Section
274052.5 to authorize the financial institution to disclose or share
28nonpublic personal information pertaining to him or her with any
29nonaffiliated third party. Nothing in this section shall prohibit a
30financial institution from denying a consumer a financial product
31or service if the financial institution could not provide the product
32or service to a consumer without the consent to disclose the
33consumer’s nonpublic personal information required by this
34subdivision and Section 4052.5, and the consumer has failed to
35provide consent. A financial institution shall not be liable for failing
36to offer products and services to a consumer solely because that
37consumer has failed to provide consent pursuant to this subdivision
38and Section 4052.5 and the financial institution could not offer the
39product or service without the consent to disclose the consumer’s
40nonpublic personal information required by this subdivision and
P16 1Section 4052.5, and the consumer has failed to provide consent.
2Nothing in this section is intended to prohibit a financial institution
3from offering incentives or discounts to elicit a specific response
4to the notice.
5(2) A financial institution shall utilize a form, statement, or
6writing to obtain consent to disclose nonpublic personal
7information to nonaffiliated third parties as required by Section
84052.5 and this subdivision. The form, statement, or writing shall
9meet all of the following criteria:
10(A) The form, statement, or writing is a separate document, not
11attached to any other document.
12(B) The form, statement, or writing is dated and signed by the
14(C) The form, statement, or writing clearly and conspicuously
15discloses that by signing, the consumer is consenting to the
16disclosure to nonaffiliated third parties of nonpublic personal
17 information pertaining to the consumer.
18(D) The form, statement, or writing clearly and conspicuously
19discloses (i) that the consent will remain in effect until revoked or
20modified by the consumer; (ii) that the consumer may revoke the
21consent at any time; and (iii) the procedure for the consumer to
23(E) The form, statement, or writing clearly and conspicuously
24informs the consumer that (i) the financial institution will maintain
25the document or a true and correct copy; (ii) the consumer is
26entitled to a copy of the document upon request; and (iii) the
27consumer may want to make a copy of the document for the
(b) (1) A financial institution shall not disclose to, or share a consumer’s nonpublic personal information with, an affiliate unless the financial institution has clearly and conspicuously notified the consumer annually in writing pursuant to subdivision (d) that the nonpublic personal information may be disclosed to an affiliate of the financial institution and the consumer has not directed that the nonpublic personal information not be disclosed. A financial institution does not disclose information to, or share information with, its affiliate merely because information is maintained in common information systems or databases, and employees of the financial institution and its affiliate have access to those common information systems or databases, or a consumer accesses a Web site jointly operated or maintained under a common name by or on behalf of the financial institution and its affiliate, provided that where a consumer has exercised his or her right to prohibit disclosure pursuant to this division, nonpublic personal information is not further disclosed or used by an affiliate except as permitted by this division.
(2) Subdivision (a) shall not prohibit the release of nonpublic personal information by a financial institution with whom the consumer has a relationship to a nonaffiliated financial institution for purposes of jointly offering a financial product or financial service pursuant to a written agreement with the financial institution that receives the nonpublic personal information provided that all of the following requirements are met:
(A) The financial product or service offered is a product or service of, and is provided by, at least one of the financial institutions that is a party to the written agreement.
(B) The financial product or service is jointly offered, endorsed, or sponsored, and clearly and conspicuously identifies for the consumer the financial institutions that disclose and receive the disclosed nonpublic personal information.
(C) The written agreement provides that the financial institution that receives that nonpublic personal information is required to maintain the confidentiality of the information and is prohibited from disclosing or using the information other than to carry out the joint offering or servicing of a financial product or financial service that is the subject of the written agreement.
(D) The financial institution that releases the nonpublic personal information has complied with subdivision (d) and the consumer has not directed that the nonpublic personal information not be
(E) Notwithstanding this section, until January 1, 2005, a financial institution may disclose nonpublic personal information to a nonaffiliated financial institution pursuant to a preexisting contract with the nonaffiliated financial institution, for purposes of offering a financial product or financial service, if that contract was entered into on or before January 1, 2004. Beginning on January 1, 2005, no nonpublic personal information may be disclosed pursuant to that contract unless all the requirements of this subdivision are met.
(3) Nothing in this subdivision shall prohibit a financial institution from disclosing or sharing nonpublic personal information as otherwise specifically permitted by this division.
(4) A financial institution shall not discriminate against or deny an otherwise qualified consumer a financial product or a financial service because the consumer has directed pursuant to this subdivision that nonpublic personal information pertaining to him or her not be disclosed. A financial institution shall not be required to offer or provide products or services offered through affiliated entities or jointly with nonaffiliated financial institutions pursuant to paragraph (2) where the consumer has directed that nonpublic personal information not be disclosed pursuant to this subdivision and the financial institution could not offer or provide the products or services to the consumer without disclosure of the consumer’s nonpublic personal information that the consumer has directed not be disclosed pursuant to this subdivision. A financial institution shall not be liable for failing to offer or provide products or services offered through affiliated entities or jointly with nonaffiliated financial institutions pursuant to paragraph (2) solely because the consumer has directed that nonpublic personal information not be disclosed pursuant to this subdivision and the financial institution could not offer or provide the products or services to the consumer without disclosure of the consumer’s nonpublic personal information that the consumer has directed not be disclosed to affiliates pursuant to this subdivision. Nothing in this section is intended to prohibit a financial institution from offering incentives or discounts to elicit a specific response to the notice set forth in this division. Nothing in this section shall prohibit the disclosure of nonpublic personal information allowed by Section 4056.
(5) The financial institution may, at its option, choose instead to comply with the requirements of subdivision (a).
(c) Nothing in this division shall restrict or prohibit the sharing of nonpublic personal information between a financial institution and its wholly owned financial institution subsidiaries; among financial institutions that are each wholly owned by the same financial institution; among financial institutions that are wholly owned by the same holding company; or among the insurance and management entities of a single insurance holding company system consisting of one or more reciprocal insurance exchanges which has a single corporation or its wholly owned subsidiaries providing management services to the reciprocal insurance exchanges, provided that in each case all of the following requirements are
(1) The financial institution disclosing the nonpublic personal information and the financial institution receiving it are regulated by the same functional regulator; provided, however, that for purposes of this subdivision, financial institutions regulated by the Office of the Comptroller of the Currency, Office of Thrift Supervision, National Credit Union Administration, or a state regulator of depository institutions shall be deemed to be regulated by the same functional regulator; financial institutions regulated by the Securities and Exchange Commission, the United States Department of Labor, or a state securities regulator shall be deemed to be regulated by the same functional regulator; and insurers admitted in this state to transact insurance and licensed to write insurance policies shall be deemed to be in compliance with this
(2) The financial institution disclosing the nonpublic personal information and the financial institution receiving it are both principally engaged in the same line of business. For purposes of this subdivision, “same line of business” shall be one and only one of the following:
(3) The financial institution disclosing the nonpublic personal information and the financial institution receiving it share a common brand, excluding a brand consisting solely of a graphic element or symbol, within their trademark, service mark, or trade name, which is used to identify the source of the products and
A wholly owned subsidiary shall include a subsidiary wholly owned directly or wholly owned indirectly in a chain of wholly
Nothing in this subdivision shall permit the disclosure by a financial institution of medical record information, as defined in begin delete subdivision (q) of end delete Section 791.02 of the Insurance Code, except in compliance with the requirements of this division, including the requirements set forth in subdivisions (a) and (b).
(d) (1) A financial institution shall be conclusively presumed to have satisfied the notice requirements of subdivision (b) if it uses the form set forth in this subdivision. The form set forth in this subdivision or a form that complies with subparagraphs (A) to (L), inclusive, of this paragraph shall be sent by the financial institution to the consumer so that the consumer may make a decision and provide direction to the financial institution regarding the sharing of his or her nonpublic personal information. If a financial institution does not use the form set forth in this subdivision, the financial institution shall use a form that meets all of the following requirements:
(A) The form uses the same title (“IMPORTANT PRIVACY CHOICES FOR CONSUMERS”) and the headers, if applicable, as follows: “Restrict Information Sharing With Companies We Own Or Control (Affiliates)” and “Restrict Information Sharing With Other Companies We Do Business With To Provide Financial Products And Services.”
(B) The titles and headers in the form are clearly and conspicuously displayed, and no text in the form is smaller than
(C) The form is a separate document, except as provided by subparagraph (D) of paragraph (2), and Sections 4054 and 4058.7.
(D) The choice or choices pursuant to subdivision (b) and Section 4054.6, if applicable, provided in the form are stated separately and may be selected by checking a box.
(E) The form is designed to call attention to the nature and significance of the information in the document.
(F) The form presents information in clear and concise sentences, paragraphs, and sections.
(G) The form uses short explanatory sentences (an average of 15-20 words) or bullet lists whenever possible.
(H) The form avoids multiple negatives, legal terminology, and highly technical terminology whenever possible.
(I) The form avoids explanations that are imprecise and readily subject to different interpretations.
(J) The form achieves a minimum Flesch reading ease score of 50, as defined in Section 2689.4(a)(7) of Title 10 of the California Code of Regulations, in effect on March 24, 2003, except that the information in the form included to comply with subparagraph (A) shall not be included in the calculation of the Flesch reading ease score, and the information used to describe the choice or choices pursuant to subparagraph (D) shall score no lower than the information describing the comparable choice or choices set forth in the form in this subdivision.
(K) The form provides wide margins, ample line spacing and uses boldface or italics for key words.
(L) The form is not more than one page.
(2) (A) None of the instructional items appearing in brackets in the form set forth in this subdivision shall appear in the form provided to the consumer, as those items are for explanation purposes only. If a financial institution does not disclose or share nonpublic personal information as described in a header of the form, the financial institution may omit the applicable header or headers, and the accompanying information and box, in the form it provides pursuant to this subdivision. The form with those omissions shall be conclusively presumed to satisfy the notice requirements of this subdivision.
(B) If a financial institution uses a form other than that set forth in this subdivision, the financial institution may submit that form to its functional regulator for approval, and for forms filed with the Office of Privacy Protection prior to July 1, 2007, that approval shall constitute a rebuttable presumption that the form complies with this section.
(C) A financial institution shall not be in violation of this subdivision solely because it includes in the form one or more brief examples or explanations of the purpose or purposes, or context, within which information will be shared, as long as those examples meet the clarity and readability standards set forth in
(D) The outside of the envelope in which the form is sent to the consumer shall clearly state in 16-point boldface type “IMPORTANT PRIVACY CHOICES,” except that a financial institution sending the form to a consumer in the same envelope as a bill, account statement, or application requested by the consumer does not have to include the wording “IMPORTANT PRIVACY CHOICES” on that envelope. The form shall be sent in any of the following ways:
(i) With a bill, other statement of account, or application requested by the consumer, in which case the information required by Title V of the Gramm-Leach-Bliley Act may also be included in the same envelope.
(ii) As a separate notice or with the information required by Title V of the Gramm-Leach-Bliley Act, and including only information related to privacy.
(iii) With any other mailing, in which case it shall be the first page of the mailing.
(E) If a financial institution uses a form other than that set forth in this subdivision, that form shall be filed with the Office of Privacy Protection within 30 days after it is first used.
(3) The consumer shall be provided a reasonable opportunity prior to disclosure of nonpublic personal information to direct that nonpublic personal information not be disclosed. A consumer may direct at any time that his or her nonpublic personal information not be disclosed. A financial institution shall comply with a consumer’s directions concerning the sharing of his or her nonpublic personal information within 45 days of receipt by the financial institution. When a consumer directs that nonpublic personal information not be disclosed, that direction is in effect until otherwise stated by the consumer. A financial institution that has not provided a consumer with annual notice pursuant to subdivision (b) shall provide the consumer with a form that meets the requirements of this subdivision, and shall allow 45 days to lapse from the date of providing the form in person or the postmark or other postal verification of mailing before disclosing nonpublic personal information pertaining to the consumer.
Nothing in this subdivision shall prohibit the disclosure of nonpublic personal information as allowed by subdivision (c) or
(4) A financial institution may elect to comply with the requirements of subdivision (a) with respect to disclosure of nonpublic personal information to an affiliate or with respect to nonpublic personal information disclosed pursuant to paragraph (2) of subdivision (b), or subdivision (c) of Section 4054.6.
(5) If a financial institution does not have a continuing relationship with a consumer other than the initial transaction in which the product or service is provided, no annual disclosure requirement exists pursuant to this section as long as the financial institution provides the consumer with the form required by this section at the time of the initial transaction. As used in this section, “annually” means at least once in any period of 12 consecutive months during which that relationship exists. The financial institution may define the 12-consecutive-month period, but shall apply it to the consumer on a consistent basis. If, for example, a financial institution defines the 12-consecutive-month period as a calendar year and provides the annual notice to the consumer once in each calendar year, it complies with the requirement to send the
(6) A financial institution with assets in excess of twenty-five million dollars ($25,000,000) shall include a self-addressed first class business reply return envelope with the notice. A financial institution with assets of up to and including twenty-five million dollars ($25,000,000) shall include a self-addressed return envelope with the notice. In lieu of the first class business reply return envelope required by this paragraph, a financial institution may offer a self-addressed return envelope with the notice and at least two alternative cost-free means for consumers to communicate their privacy choices, such as calling a toll-free number, sending a facsimile to a toll-free telephone number, or using electronic means. A financial institution shall clearly and conspicuously disclose in the form required by this subdivision the information necessary to direct the consumer on how to communicate his or her choices, including the toll-free or facsimile number or Web site address that may be used, if those means of communication are offered by the financial institution.
(7) A financial institution may provide a joint notice from it and one or more of its affiliates or other financial institutions, as identified in the notice, so long as the notice is accurate with respect to the financial institution and the affiliates and other
(e) Nothing in this division shall prohibit a financial institution from marketing its own products and services or the products and services of affiliates or nonaffiliated third parties to customers of the financial institution as long as (1) nonpublic personal information is not disclosed in connection with the delivery of the applicable marketing materials to those customers except as permitted by Section 4056 and (2) in cases in which the applicable nonaffiliated third party may extrapolate nonpublic personal information about the consumer responding to those marketing materials, the applicable nonaffiliated third party has signed a contract with the financial institution under the terms of which (A) the nonaffiliated third party is prohibited from using that information for any purpose other than the purpose for which it was provided, as set forth in the contract, and (B) the financial institution has the right by audit, inspections, or other means to verify the nonaffiliated third party’s compliance with that contract.
Section 1280.15 of the Health and Safety Code is amended to read:
(a) A clinic, health facility, home health agency, or hospice licensed pursuant to Section 1204, 1250, 1725, or 1745 shall prevent unlawful or unauthorized access to, and use or disclosure of, patients’ medical information, as defined in Section 56.05 of the Civil Code and consistent with Section 130203. For purposes of this section, internal paper records, electronic mail, or facsimile transmissions inadvertently misdirected within the same facility or health care system within the course of coordinating care or delivering services shall not constitute unauthorized access to, or use or disclosure of, a patient’s medical information. The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed, and up to seventeen thousand five hundred dollars ($17,500) per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patient’s medical information. For purposes of the investigation, the department shall consider the clinic’s, health facility’s, agency’s, or hospice’s history of compliance with this section and other related state and federal statutes and regulations, the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring, and factors outside its control that restricted the facility’s ability to comply with this section. The department shall have full discretion to consider all factors when determining the amount of an administrative penalty pursuant to this section.
(b) (1) A clinic, health facility, home health agency, or hospice to which subdivision (a) applies shall report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the department no later than five business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or
(2) Subject to subdivision (c), a clinic, health facility, home health agency, or hospice shall also report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the affected patient or the patient’s representative at the last known address, no later than five business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or
(c) (1) A clinic, health facility, home health agency, or hospice shall delay the reporting, as required pursuant to paragraph (2) of subdivision (b), of any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information beyond five business days if a law enforcement agency or official provides the clinic, health facility, home health agency, or hospice with a written or oral statement that compliance with the reporting requirements of paragraph (2) of subdivision (b) would likely impede the law enforcement agency’s investigation that relates to the unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information and specifies a date upon which the delay shall end, not to exceed 60 days after a written request is made, or 30 days after an oral request is made. A law enforcement agency or official may request an extension of a delay based upon a written declaration that there exists a bona fide, ongoing, significant criminal investigation of serious wrongdoing relating to the unlawful or unauthorized access to, and use or disclosure of, a patient’s medical information, that notification of patients will undermine the law enforcement agency’s investigation, and that specifies a date upon which the delay shall end, not to exceed 60 days after the end of the original delay period.
(2) If the statement of the law enforcement agency or official is made orally, then the clinic, health facility, home health agency, or hospice shall do both of the following:
(A) Document the oral statement, including, but not limited to, the identity of the law enforcement agency or official making the oral statement and the date upon which the oral statement was
(B) Limit the delay in reporting the unlawful or unauthorized access to, or use or disclosure of, the patient’s medical information to the date specified in the oral statement, not to exceed 30 calendar days from the date that the oral statement is made, unless a written statement that complies with the requirements of this subdivision is received during that time.
(3) A clinic, health facility, home health agency, or hospice shall submit a report that is delayed pursuant to this subdivision not later than five business days after the date designated as the end of the delay.
(d) If a clinic, health facility, home health agency, or hospice to which subdivision (a) applies violates subdivision (b), the department may assess the licensee a penalty in the amount of one hundred dollars ($100) for each day that the unlawful or unauthorized access, use, or disclosure is not reported to the department or the affected patient, following the initial five-day period specified in subdivision (b). However, the total combined penalty assessed by the department under subdivision (a) and this subdivision shall not exceed two hundred fifty thousand dollars ($250,000) per reported event. For enforcement purposes, it shall be presumed that the facility did not notify the affected patient if the notification was not documented. This presumption may be rebutted by a licensee only if the licensee demonstrates, by a preponderance of the evidence, that the notification was made.
(e) In enforcing subdivisions (a) and (d), the department shall take into consideration the special circumstances of small and rural hospitals, as defined in Section 124840, and primary care clinics, as defined in subdivision (a) of Section 1204, in order to protect access to quality care in those hospitals and clinics. When assessing a penalty on a skilled nursing facility or other facility subject to Section 1423, 1424, 1424.1, or 1424.5, the department shall issue only the higher of either a penalty for the violation of this section or a penalty for violation of Section 1423, 1424, 1424.1, or 1424.5,
(f) All penalties collected by the department pursuant to this section, Sections 1280.1, 1280.3, and 1280.4, shall be deposited into the Internal Departmental Quality Improvement Account, which is hereby created within the Special Deposit Fund under Section 16370 of the Government Code. Upon appropriation by the Legislature, moneys in the account shall be expended for internal quality improvement activities in the Licensing and
(g) If the licensee disputes a determination by the department regarding a failure to prevent or failure to timely report unlawful or unauthorized access to, or use or disclosure of, patients’ medical information, or the imposition of a penalty under this section, the licensee may, within 10 days of receipt of the penalty assessment, request a hearing pursuant to Section 131071. Penalties shall be paid when appeals have been exhausted and the penalty has been
(h) In lieu of disputing the determination of the department regarding a failure to prevent or failure to timely report unlawful or unauthorized access to, or use or disclosure of, patients’ medical information, transmit to the department 75 percent of the total amount of the administrative penalty, for each violation, within 30 business days of receipt of the administrative penalty.
(i) Notwithstanding any other law, the department may refer violations of this section to the Office of Health Information Integrity for enforcement pursuant to Section 130303.
(j) For purposes of this section, the following definitions shall
(1) “Reported event” means all breaches included in any single report that is made pursuant to subdivision (b), regardless of the number of breach events contained in the report.
(2) “Unauthorized” means the inappropriate access, review, or viewing of patient medical information without a direct need for medical diagnosis, treatment, or other lawful use as permitted by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) or any other statute or regulation governing the lawful access, use, or disclosure of medical information.
Section 1348.5 is added to the Health and Safety Code, to read:
begin delete (a) end delete A health care service plan shall comply with the provisions of Section 56.107 of the Civil Code to the extent required by that section. To the extent this chapter conflicts with Section 56.107 of the Civil Code, the provisions of Section 56.107 of the Civil Code shall control.
(b) The department shall review health care service plan contracts and privacy policies for compliance with this section only during the normal application approval or modification process conducted pursuant to Sections 1351 and 1352.
Section 1627 of the Health and Safety Code is amended to read:
(a) (1) On or before July 1, 2011, the University of California is requested to develop a plan to establish and administer the Umbilical Cord Blood Collection Program for the purpose of collecting units of umbilical cord blood for public use in transplantation and providing nonclinical units for research pertaining to biology and new clinical utilization of stem cells derived from the blood and tissue of the placenta and umbilical cord. The program shall conclude no later than January 1, 2018.
(2) For purposes of this article, “public use” means both of the
(A) The collection of umbilical cord blood units from genetically diverse donors that will be owned by the University of California. This inventory shall be accessible by the National Registry and by qualified California-based and other United States and international registries and transplant centers to increase the likelihood of providing suitably matched donor cord blood units to patients or research participants who are in need of a transplant.
(B) Cord blood units with a lower number of cells than deemed necessary for clinical transplantation and units that meet clinical requirements, but for other reasons are unsuitable, unlikely to be transplanted, or otherwise unnecessary for clinical use, may be made available for research.
(b) (1) In order to implement the collection goals of this program, the University of California may, commensurate with available funds appropriated to the University of California for this program, contract with one or more selected applicant entities that have demonstrated the competence to collect and ship cord blood units in compliance with federal guidelines and regulations.
(2) It is the intent of the Legislature that, if the University of California contracts with another entity pursuant to this subdivision, the following shall apply:
(A) The University of California may use a competitive process to identify the best proposals submitted by applicant entities to administer the collection and research objectives of the program, to the extent that the University of California chooses not to undertake these activities itself.
(B) In order to qualify for selection under this section to receive, process, cryopreserve, or bank cord blood units, the entity shall, at a minimum, have obtained an investigational new drug (IND) exemption from the FDA or a biologic license from the FDA, as appropriate, to manufacture clinical grade cord blood stem cell units for clinical indications.
(C) In order to qualify to receive appropriate cord blood units and placental tissue to advance the research goals of this program, an entity shall, at a minimum, be a laboratory recognized as having performed peer-reviewed research on stem and progenitor cells, including those derived from placental or umbilical cord blood and postnatal tissue.
(3) A medical provider or research facility shall comply with, and shall be subject to, existing penalties for violations of all applicable state and federal laws with respect to the protection of any medical information, as defined in Section 56.05 of the Civil Code, and any personally identifiable information contained in the umbilical cord blood inventory.
(c) The University of California is encouraged to make every effort to avoid duplication or conflicts with existing and ongoing programs and to leverage existing resources.
(d) (1) All information collected pursuant to the program shall be confidential, and shall be used solely for the purposes of the program, including research. Access to confidential information shall be limited to authorized persons who are bound by appropriate institutional policies or who otherwise agree, in writing, to maintain the confidentiality of that information.
(2) Any person who, in violation of applicable institutional policies or a written agreement to maintain confidentiality, discloses any information provided pursuant to this section, or who uses information provided pursuant to this section in a manner other than as approved pursuant to this section, may be denied further access to any confidential information maintained by the University of California, and shall be subject to a civil penalty not exceeding one thousand dollars ($1,000). The penalty provided for in this section shall not be construed to limit or otherwise restrict any remedy, provisional or otherwise, provided by law for the benefit of the University of California or any other person covered by this section.
(3) Notwithstanding the restrictions of this section, an individual to whom the confidential information pertains shall have access to his or her own personal information.
(e) It is the intent of the Legislature that the plan and implementation of the program provide for both of the following:
(1) Limit fees for access to cord blood units to the reasonable and actual costs of storage, handling, and providing units, as well as for related services such as donor matching and testing of cord blood and other programs and services typically provided by cord blood banks and public use programs.
(2) The submittal of the plan developed pursuant to subdivision (a) to the health and fiscal committees of the Legislature.
(f) It is additionally the intent of the Legislature that the plan and implementation of the program attempt to provide for all of
(1) Development of a strategy to increase voluntary participation by hospitals in the collection and storage of umbilical cord blood and identify funding sources to offset the financial impact on
(2) Consideration of a medical contingency response program to prepare for and respond effectively to biological, chemical, or radiological attacks, accidents, and other public health emergencies where victims potentially benefit from treatment.
(3) Exploration of the feasibility of operating the program as a self-funding program, including the potential for charging users a
“Medical waste generator” means any person whose act or process produces medical waste and includes, but is not limited to, a provider of health care, as defined in begin delete subdivision (d) end delete Section 56.05 of the Civil Code. All of the following are examples of businesses that generate medical waste:

(a) Medical and dental offices, clinics, hospitals, surgery centers, laboratories, research laboratories, unlicensed health facilities, those facilities required to be licensed pursuant to Division 2 (commencing with Section 1200), chronic dialysis clinics, as regulated pursuant to Division 2 (commencing with Section 1200), and education and research facilities.

(b) Veterinary offices, veterinary clinics, and veterinary

(c) Pet shops.

(d) Trauma scene waste management practitioners.
Section 117928 of the Health and Safety Code is amended to read:

(a) Any common storage facility for the collection of medical waste produced by small quantity generators operating independently, but sharing common storage facilities, shall have a permit issued by the enforcement agency.

(b) A permit for any common storage facility specified in subdivision (a) may be obtained by any one of the following:

(1) A provider of health care as defined in Section 56.05 of the

(2) The registered hazardous waste transporter.

(3) The property owner.

(4) The property management firm responsible for providing tenant services to the medical waste generators.
Section 120985 of the Health and Safety Code is amended to read:

(a) Notwithstanding Section 120980, the results of an HIV test that identifies or provides identifying characteristics of the person to whom the test results apply may be recorded by the physician who ordered the test in the test subject’s medical record or otherwise disclosed without written authorization of the subject of the test, or the subject’s representative as set forth in Section 121020, to the test subject’s providers of health care, as defined in Section 56.05 of the Civil Code, for purposes of diagnosis, care, or treatment of the patient, except that for purposes of this section, “providers of health care” does not include a health care service plan regulated pursuant to Chapter 2.2 (commencing with Section 1340) of Division 2.

(b) Recording or disclosure of HIV test results pursuant to subdivision (a) does not authorize further disclosure unless otherwise permitted by law.
Section 121010 of the Health and Safety Code is amended to read:

Notwithstanding Section 120975 or 120980, the results of a blood test to detect antibodies to the probable causative agent of AIDS may be disclosed to any of the following persons without written authorization of the subject of the test:

(a) To the subject of the test or the subject’s legal representative, conservator, or to any person authorized to consent to the test pursuant to subdivision (b) of Section 120990.

(b) To a test subject’s provider of health care, as defined in Section 56.05 of the Civil Code, except that for purposes of this section, “provider of health care” does not include a health care service plan regulated pursuant to Chapter 2.2 (commencing with Section 1340) of Division 2.

(c) To an agent or employee of the test subject’s provider of health care who provides direct patient care and treatment.

(d) To a provider of health care who procures, processes, distributes, or uses a human body part donated pursuant to the Uniform Anatomical Gift Act (Chapter 3.5 (commencing with Section 7150) of Part 1 of Division 7).

(e) (1) To the designated officer of an emergency response employee, and from that designated officer to an emergency response employee regarding possible exposure to HIV or AIDS, but only to the extent necessary to comply with provisions of the Ryan White Comprehensive AIDS Resources Emergency Act of 1990 (Public Law 101-381; 42 U.S.C. Sec. 201).

(2) For purposes of this subdivision, “designated officer” and “emergency response employee” have the same meaning as these terms are used in the Ryan White Comprehensive AIDS Resources Emergency Act of 1990 (Public Law 101-381; 42 U.S.C. Sec.

(3) The designated officer shall be subject to the confidentiality requirements specified in Section 120980, and may be personally liable for unauthorized release of any identifying information about the HIV results. Further, the designated officer shall inform the exposed emergency response employee that the employee is also subject to the confidentiality requirements specified in Section 120980, and may be personally liable for unauthorized release of any identifying information about the HIV test results.
Section 130201 of the Health and Safety Code is amended to read:

For purposes of this division, the following definitions

(a) “Director” means the Director of the Office of Health

(b) “Medical information” means the term as defined in Section 56.05 of the Civil Code.

(c) “Office” means the Office of Health Information Integrity.

(d) “Provider of health care” means the term as defined in Sections 56.05 and 56.06 of the Civil Code.

(e) “Unauthorized access” means the inappropriate review or viewing of patient medical information without a direct need for diagnosis, treatment, or other lawful use as permitted by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) or by other statutes or regulations governing the lawful access, use, or disclosure of medical information.
As used in this act:

(a) (1) “Adverse underwriting decision” means any of the following actions with respect to insurance transactions involving insurance coverage that is individually underwritten:

(A) A declination of insurance coverage.

(B) A termination of insurance coverage.

(C) Failure of an agent to apply for insurance coverage with a specific insurance institution that the agent represents and that is requested by an applicant.

(D) In the case of a property or casualty insurance coverage:

(i) Placement by an insurance institution or agent of a risk with a residual market mechanism, with an unauthorized insurer, or with an insurance institution that provides insurance to other than preferred or standard risks, if in fact the placement is at other than a preferred or standard rate. An adverse underwriting decision, in case of placement with an insurance institution that provides insurance to other than preferred or standard risks, shall not include placement if the applicant or insured did not specify or apply for placement as a preferred or standard risk or placement with a particular company insuring preferred or standard risks, or

(ii) The charging of a higher rate on the basis of information which differs from that which the applicant or policyholder

the case of a life, health, or disability insurance coverage, an offer to insure at higher than standard rates.

(2) Notwithstanding paragraph (1), any of the following actions shall not be considered adverse underwriting decisions but the insurance institution or agent responsible for their occurrence shall nevertheless provide the applicant or policyholder with the specific reason or reasons for their occurrence:

(A) The termination of an individual policy form on a class or

(B) A declination of insurance coverage solely because coverage is not available on a class or statewide basis.

(C) The rescission of a policy.

(b) “Affiliate” or “affiliated” means a person that directly, or indirectly through one or more intermediaries, controls, is controlled by or is under common control with another person.

(c) “Agent” means any person licensed pursuant to Chapter 5 (commencing with Section 1621), Chapter 5A (commencing with Section 1759), Chapter 6 (commencing with Section 1760), Chapter 7 (commencing with Section 1800), or Chapter 8 (commencing with Section 1831).

(d) “Applicant” means any person who seeks to contract for insurance coverage other than a person seeking group insurance that is not individually underwritten.

(e) “Consumer report” means any written, oral, or other communication of information bearing on a natural person’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used or expected to be used in connection with an insurance transaction.

(f) “Consumer reporting agency” means any person who:

(1) Regularly engages, in whole or in part, in the practice of assembling or preparing consumer reports for a monetary fee.

(2) Obtains information primarily from sources other than

(3) Furnishes consumer reports to other persons.

(g) “Control,” including the terms “controlled by” or “under common control with,” means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of voting securities, by contract other than a commercial contract for goods or nonmanagement services, or otherwise, unless the power is the result of an official position with or corporate office held by the

(h) “Declination of insurance coverage” means a denial, in whole or in part, by an insurance institution or agent of requested

(i) “Individual” means any natural person who is any of the

(1) In the case of property or casualty insurance, is a past, present, or proposed named insured or certificate holder.

(2) In the case of life or disability insurance, is a past, present, or proposed principal insured or certificate holder.

(3) Is a past, present, or proposed policyowner.

(4) Is a past or present applicant.

(5) Is a past or present claimant.

(6) Derived, derives, or is proposed to derive insurance coverage under an insurance policy or certificate subject to this act.

(j) “Institutional source” means any person or governmental entity that provides information about an individual to an agent, insurance institution, or insurance-support organization, other than any of the following:

(1) An agent.

(2) The individual who is the subject of the information.

(3) A natural person acting in a personal capacity rather than in a business or professional capacity.

(k) “Insurance institution” means any corporation, association, partnership, reciprocal exchange, interinsurer, Lloyd’s insurer, fraternal benefit society, or other person engaged in the business of insurance. “Insurance institution” shall not include agents, insurance-support organizations, or health care service plans regulated pursuant to the Knox-Keene Health Care Service Plan Act, Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code.

(l) “Insurance-support organization” means:

(1) Any person who regularly engages, in whole or in part, in the business of assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions, including either of the following:

(A) The furnishing of consumer reports or investigative consumer reports to an insurance institution or agent for use in connection with an insurance transaction.

(B) The collection of personal information from insurance institutions, agents, or other insurance-support organizations for the purpose of detecting or preventing fraud, material misrepresentation or material nondisclosure in connection with insurance underwriting or insurance claim activity.

(2) Notwithstanding paragraph (1), the following persons shall not be considered “insurance-support organizations”: agents, governmental institutions, insurance institutions, medical care institutions, medical professionals, and peer review committees.

(m) “Insurance transaction” means any transaction involving insurance primarily for personal, family, or household needs rather than business or professional needs that entails either of the

(1) The determination of an individual’s eligibility for an insurance coverage, benefit, or payment.

(2) The servicing of an insurance application, policy, contract,

(n) “Investigative consumer report” means a consumer report or portion thereof in which information about a natural person’s character, general reputation, personal characteristics, or mode of living is obtained through personal interviews with the person’s neighbors, friends, associates, acquaintances, or others who may have knowledge concerning those items of information.

(o) “Medical care institution” means any facility or institution that is licensed to provide health care services to natural persons, including but not limited to, hospitals, skilled nursing facilities, home health agencies, medical clinics, rehabilitation agencies, and public health agencies.

(p) “Medical professional” means any person licensed or certified to provide health care services to natural persons, including but not limited to, a physician, dentist, nurse, optometrist, physical or occupational therapist, psychiatric social worker, clinical dietitian, clinical psychologist, chiropractor, pharmacist, or speech therapist.

(q) “Medical record information” means personal information that is both of the following:

(1) Relates to an individual’s physical or mental condition, medical history or medical treatment.

(2) Is obtained from a medical professional or medical care institution, from the individual, or from the individual’s spouse, parent, or legal guardian.

(r) “Person” means any natural person, corporation, association, partnership, limited liability company, or other legal entity.

(s) “Personal information” means any individually identifiable information gathered in connection with an insurance transaction from which judgments can be made about an individual’s character, habits, avocations, finances, occupation, general reputation, credit, health, or any other personal characteristics. “Personal information” includes an individual’s name and address and “medical record information” but does not include “privileged information.”

(t) “Policyholder” means any person who is any of the following:

(1) In the case of individual property or casualty insurance, is a present named insured.

(2) In the case of individual life or disability insurance, is a

(3) In the case of group insurance, which is individually underwritten, is a present group certificate holder.

(u) “Pretext interview” means an interview whereby a person, in an attempt to obtain information about a natural person, performs one or more of the following acts:

(1) Pretends to be someone he or she is not.

(2) Pretends to represent a person he or she is not in fact

(3) Misrepresents the true purpose of the interview.

(4) Refuses to identify himself or herself upon request.

(v) “Privileged information” means any individually identifiable information that both:

(1) Relates to a claim for insurance benefits or a civil or criminal proceeding involving an individual.

(2) Is collected in connection with or in reasonable anticipation of a claim for insurance benefits or civil or criminal proceeding involving an individual. However, information otherwise meeting the requirements of this division shall nevertheless be considered “personal information” under this act if it is disclosed in violation of Section 791.13.

(w) “Residual market mechanism” means the California FAIR Plan Association, Chapter 10 (commencing with Section 10101) of Part 1 of Division 2, and the assigned risk plan, Chapter 1 (commencing with Section 11550) of Part 3 of Division 2.

(x) “Termination of insurance coverage” or “termination of an insurance policy” means either a cancellation or nonrenewal of an insurance policy, in whole or in part, for any reason other than the failure to pay a premium as required by the policy.

(y) “Unauthorized insurer” means an insurance institution that has not been granted a certificate of authority by the director to transact the business of insurance in this state.

(z) “Commissioner” means the Insurance Commissioner.
Section 791.29 is added to the Insurance Code, to read:

(a) A health insurer, as defined in subdivision (h) of Section 56.05 of the Civil Code, shall comply with the provisions of Section 56.107 of the Civil Code to the extent required by that section. To the extent this article conflicts with Section 56.107 of the Civil Code, the provisions of Section 56.107 of the Civil Code

(b) The department shall review insurance products and privacy policies for compliance with this section only during the normal policy issuance process conducted pursuant to Sections 10290 and
Section 3208.05 of the Labor Code is amended to read:

(a) “Injury” includes a reaction to or a side effect arising from health care provided by an employer to a health care worker, which health care is intended to prevent the development or manifestation of any bloodborne disease, illness, syndrome, or condition recognized as occupationally incurred by Cal-OSHA, the federal Centers for Disease Control and Prevention, or other appropriate governmental entities. This section shall apply only to preventive health care that the employer provided to a health care worker under the following circumstances: (1) prior to an exposure because of risk of occupational exposure to such a disease, illness, syndrome, or condition, or (2) where the preventive care is provided as a consequence of a documented exposure to blood or bodily fluid containing blood that arose out of and in the course of employment. Such a disease, illness, syndrome, or condition includes, but is not limited to, hepatitis, and the human immunodeficiency virus. Such preventive health care, and any disability indemnity or other benefits required as a result of the preventive health care provided by the employer, shall be compensable under the workers’ compensation system. The employer may require the health care worker to document that the employer provided the preventive health care and that the reaction or side effects arising from the preventive health care resulted in lost work time, health care costs, or other costs normally compensable under workers’ compensation.

(b) The benefits of this section shall not be provided to a health care worker for a reaction to or side effect from health care intended to prevent the development of the human immunodeficiency virus if the worker claims a work-related exposure and if the worker tests positive within 48 hours of that exposure to a test to determine the presence of the human

(c) For purposes of this section, “health care worker” includes any person who is an employee of a provider of health care as defined in Section 56.05 of the Civil Code, and who is exposed to human blood or other bodily fluids contaminated with blood in the course of employment, including, but not limited to, a registered nurse, a licensed vocational nurse, a certified nurse aide, clinical laboratory technologist, dental hygienist, physician, janitor, and housekeeping worker. “Health care worker” does not include an employee who provides employee health services for an employer primarily engaged in a business other than providing health care.
(a) Except as provided in subdivisions (b) and (c), the insurer shall discuss all elements of the claim file that affect the employer’s premium with the employer, and shall supply copies of the documents that affect the premium at the employer’s expense during reasonable business hours.

(b) The right provided by this section shall not extend to any document that the insurer is prohibited from disclosing to the employer under the attorney-client privilege, any other applicable privilege, or statutory prohibition upon disclosure, or under Section 1877.4 of the Insurance Code.

(c) An insurer, third-party administrator retained by a self-insured employer pursuant to Section 3702.1 to administer the employer’s workers’ compensation claims, and those employees and agents specified by a self-insured employer to administer the employer’s workers’ compensation claims, are prohibited from disclosing or causing to be disclosed to an employer, any medical information, as defined in begin delete subdivision (b) of end delete Section 56.05 of the Civil Code, about an employee who has filed a workers’ compensation claim, except as follows:

(1) Medical information limited to the diagnosis of the mental or physical condition for which workers’ compensation is claimed and the treatment provided for this condition.

(2) Medical information regarding the injury for which workers’ compensation is claimed that is necessary for the employer to have in order for the employer to modify the employee’s work duties.
(a) In the case of the death of a health care worker, a worker described in Section 3212, or a worker described in Section 830.5 of the Penal Code from an HIV-related disease, the period within which proceedings may be commenced for the collection of benefits provided by Article 4 (commencing with Section 4700) of Chapter 2 of Part 2 is one year from the date of death, providing that one or more of the following events has occurred:

(1) A report of the injury or exposure was made to the employer or to a governmental agency authorized to administer industrial injury claims, within one year of the date of the injury.

(2) The worker has complied with the notice provisions of this chapter and the claim has not been finally determined to be

(3) The employer provided, or was ordered to provide, workers’ compensation benefits for the injury prior to the date of death.

(b) For the purposes of this section, “health care worker” means an employee who has direct contact, in the course of his or her employment, with blood or other bodily fluids contaminated with blood, or with other bodily fluids identified by the Division of Occupational Safety and Health as capable of transmitting HIV, who is either (1) any person who is an employee of a provider of health care, as defined in begin delete subdivision (d) of end delete Section 56.05 of the Civil Code, including, but not limited to, a registered nurse, licensed vocational nurse, certified nurse aide, clinical laboratory technologist, dental hygienist, physician, janitor, or housekeeping worker, or (2) an employee who provides direct patient care.
No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California