BILL ANALYSIS

SENATE RULES COMMITTEE
Office of Senate Floor Analyses
1020 N Street, Suite 524
(916) 651-1520 Fax: (916) 327-4478

SB 138

THIRD READING

Bill No: SB 138
Author: Hernandez (D), et al.
Amended: 5/28/13
Vote: 21

SENATE HEALTH COMMITTEE: 7-2, 4/3/13
AYES: Hernandez, Beall, De León, DeSaulnier, Monning, Pavley, Wolk
NOES: Anderson, Nielsen

SENATE APPROPRIATIONS COMMITTEE: 5-2, 5/23/13
AYES: De León, Hill, Lara, Padilla, Steinberg
NOES: Walters, Gaines

SUBJECT: Confidentiality of medical information

SOURCE: California Family Health Council

DIGEST: This bill prohibits a health plan or insurer (carriers) from sending insurance communications relating to sensitive services, as defined, unless the carrier has received an authorization for insurance communications, as defined, from an insured individual who is under 26 years of age and insured as a dependent on another person's insurance policy. In addition, this bill prohibits carriers from sending communications related to sensitive services for insured dependents over the age of 26 if he/she has submitted a nondisclosure request, as defined.

ANALYSIS:

Existing law:

1. Establishes, under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), requirements relating to the provision of health insurance, and the protection of privacy of individually identifiable health information.
2. Prohibits, under the state Confidentiality of Medical Information Act, providers of health care, health care service plans, or contractors, as defined, from sharing medical information without the patient's written authorization, subject to certain exceptions, including disclosure to a probate court investigator, as specified.
3. Provides for regulation of health insurers by the California Department of Insurance (CDI) under the Insurance Code, and provides for the regulation of health plans by the Department of Managed Health Care (DMHC) pursuant to the Knox-Keene Health Care Service Plan Act of 1975.

This bill:

1. Prohibits carriers from sending insurance communications relating to sensitive services, as defined, unless the carrier has received an authorization for insurance communications, as defined, from an insured individual who is under 26 and insured as a dependent on another person's insurance policy. Prohibits carriers from sending communications related to sensitive services for insured dependents over the age of 26 if he/she has submitted a nondisclosure request, as defined.
2. Requires carriers to comply with a confidential communications request, as defined, regarding sensitive services from an insured individual.
3. Requires carriers to comply with a nondisclosure request, as defined, or a confidential communications request from an insured individual who states that disclosure of health information will endanger the individual. Prohibits carriers from requiring an explanation as to the basis for the insured individual's statement that disclosure will endanger the individual.
4. Permits the provider of health care to make arrangements with the insured individual for the payment of benefit cost-sharing and communicate that arrangement with the carrier.
5. Prohibits carriers from conditioning enrollment or coverage in the health plan or insurance policy or eligibility for benefits on the provision of an authorization for insurance communications.
6. Requires a health plan to comply with specified provisions of the Civil Code. To the extent there are conflicts with the Health and Safety Code, requires specified provisions of the Civil Code to control.
7. Requires DMHC and CDI to review products and privacy policies for compliance only during the normal policy issuance process, as defined.
8. Defines a number of terms, including:
   A. "Authorization for insurance communications" means permission from the individual, that meets specified requirements of existing law which specifies the medical information and insurance transactions that may be disclosed and the identity of the people to whom disclosures are permitted as part of an insurance communication.
   B. "Confidential communications request" means a request by an insured individual that insurance communications be communicated by a specific method, such as by telephone, e-mail, or in a covered envelope rather than postcard, or to a specific mail or e-mail address or specific telephone number, as designated by the insured individual.
   C. "Insurance communication" means any communication from the carrier to policyholders or insured individuals that discloses individually identifiable medical information. Insurance communication includes, but is not limited to, explanation of benefits forms, scheduling information, notices of denial, and notices of contested claims.
   D. "Sensitive services" means specified health care services described in existing law (including services related to HIV, family planning, drug and alcohol use, and mental health) obtained by any patient who has reached the minimum age specified for consenting to the service specified in the section, including patients 18 years of age and older.

Background

Federal and state laws regarding confidentiality. Existing state and federal law provides some protection of sensitive health information for patients. For example:

Adult patients in California have a right to keep health information confidential and decide whether and when to share that information with their partners and parents.
Adolescent patients in California have a right to keep certain health information confidential and decide whether and when to share that information with parents, including information about sexual and reproductive health services, drug treatment and most mental health counseling.
HIPAA and California confidentiality laws make an exception to the general confidentiality rules above, allowing providers and insurers to use and disclose information for payment and health care operations purposes. With such disclosures, HIPAA requires "reasonable efforts" to limit them to the "minimum necessary" to accomplish the intended purpose of the disclosure.
HIPAA allows patients to ask their carriers and providers to send communications of protected health information by alternate means (e.g. by phone) or to alternate locations (e.g. a friend's address). Carriers and providers are required to accommodate "reasonable requests" if as part of the request "the individual clearly states that the disclosure of all or part of the information could endanger the individual." California law does not further define this right.
HIPAA allows patients to ask their carriers and providers to restrict communications. HIPAA permits but does not require that carriers and providers accept these requests. California law does not further define this right.

Federal and state insurance laws and regulations permit many insurance communications, or may require certain communications. For example, some types of insurance plans are required to send explanation of benefits (EOBs) under California law while others are not.

Confidentiality for individuals insured as dependents. A July 2012 Guttmacher Institute report reviewed state-level requirements related to confidentiality in private insurance.
According to the report, the billing and insurance claims (most notably the practice of sending EOBs to a policyholder whenever care is provided under his or her policy) routinely violate confidentiality of those, often a minor or a young adult, insured as a dependent on someone else's policy. EOBs typically identify the individual who received care, the health care provider and the type of care obtained. They also include information on the amount charged for the care, the amount reimbursed by the insurer and any remaining financial obligation on the part of the policyholder or patient. The report found provisions in the laws in almost all states that lead to disclosure to a policyholder or other third party of confidential health information for dependents seeking sensitive health care services.

FISCAL EFFECT: Appropriation: No Fiscal Com.: Yes Local: Yes

According to the Senate Appropriations Committee:

One-time costs between $500,000 and $600,000 for review of health plan contracts and other documents by DMHC to ensure that health plan privacy policies comply with the bill's requirements (Managed Care Fund).
Potential ongoing enforcement costs, likely in the tens of thousands annually, based on complaints for violations of the bill's requirements by health plans (Managed Care Fund).
One-time costs between $500,000 and $600,000 for review of insurance plan contracts and other documents by CDI to ensure that health plan privacy policies comply with the bill's requirements (Insurance Fund). While the Department indicates that costs under the bill are absorbable, the initial review of insurance plan contracts and other documents to ensure compliance with the bill will likely impose additional workload on CDI.
Potential ongoing enforcement costs, likely in the tens of thousands annually, based on complaints for violations of the bill's requirements by health insurers (Insurance Fund).

SUPPORT: (Verified 5/24/13)

California Family Health Council (source)
ACCESS Women's Health Justice
American Civil Liberties Union
American Congress of Obstetricians and Gynecologists, District IX (California)
California Adolescent Health Collaborative
California Association of Marriage and Family Therapists
California National Organization for Women
California Partnership to End Domestic Violence
California Primary Care Association
California Women's Law Center
Center on Reproductive Rights and Justice at UC Berkeley School of Law
Citizens for Choice
Los Angeles Trust for Children's Health
National Center for Youth Law
National Health Law Program
Physicians for Reproductive Health
Planned Parenthood Affiliates of California
Privacy Rights Clearinghouse
The Women's Community Clinic

OPPOSITION: (Verified 5/24/13)

Association of California Life & Health Insurance Companies
California Association of Health Plans

ARGUMENTS IN SUPPORT: The author claims this bill will bring clarity to the existing patchwork of state and federal statutes and regulations related to the sharing of patient information, and will protect patient confidentiality for insured dependents accessing services related to sexual and reproductive health, HIV/AIDS, substance use, mental health care, or any other health care service where disclosure could cause harm.

ARGUMENTS IN OPPOSITION: According to Association of California Life & Health Insurance Companies, the bill gives no indication how the opt-in process would work nor does it suggest how insurers would comply when they have little initial contact with anyone other than the primary policy holder. Additionally, this new opt-in process, in and of itself, would require insurers to invest a considerable amount of time and resources toward upgrading all their IT systems so that they may fully comply with the provisions of this bill.

JA:JL:nl 5/28/13 Senate Floor Analyses

SUPPORT/OPPOSITION: SEE ABOVE

**** END ****