BILL ANALYSIS Ó SB 138 Page 1 Date of Hearing: July 2, 2013 ASSEMBLY COMMITTEE ON HEALTH Richard Pan, Chair SB 138 (Ed Hernandez) - As Amended: June 26, 2013 SENATE VOTE : 26-11 SUBJECT : Confidentiality of medical information. SUMMARY : Requires health care service plans (health plans) and health insurers to take specified steps to protect the confidentiality of an insured individual's medical information including dependents for purposes of sensitive services or if disclosure will endanger an insured individual, as specified. Specifically, this bill : 1)Prohibits, for an insured individual who is insured or covered as a dependent on another person's health plan or health insurance policy, a health plan or health insurer from sending insurance communications relating to sensitive services unless the insurance communication is required by federal law. Requires, if the insurance communication is required by federal law, the insurance communication to comply with either of the following: a) The health plan or health insurer must send the required insurance communication to the insured individual in compliance with a confidential communications request received from the insured individual; or, b) If there is no confidential communications request, a health plan or health insurer must send the required insurance communication to the insured individual and may do so at the address furnished by the policy holder. 2)Prohibits a health plan or health insurer, for an insured individual to whom 1) above does not apply and who has submitted a nondisclosure request, from sending insurance communication related to sensitive services. 3)Requires a health plan or health insurer to comply with a nondisclosure request or a confidential communications request from an insured individual who states that disclosure of medical information will endanger the individual, and not SB 138 Page 2 require an explanation as to the basis for the insured individual's statement that disclosure will endanger the individual. 4)Deems confidential communications or nondisclosure requests to be received by the health plan or health insurer within 24 hours of electronic transmission or 72 hours of posting by first class mail. 5)Authorizes a provider of health care to make arrangements with the insured individual for the payment of benefit cost sharing and communicate that arrangement with the health plan or health insurer. 6)Prohibits a health plan or health insurer from conditioning enrollment or coverage in the health plan or health policy or eligibility for benefits on the provision of an authorization for insurance communications. 7)Provides that to the extent that the Knox-Keene Health Care Service Plan Act of 1975 (Knox-Keene) and the provisions of the Insurance Code that apply to health insurers conflicts with this bill's provisions, this bill controls. 8)Requires the Department of Managed Health Care (DMHC) and Department of Insurance (CDI) to review health plan contracts or health insurance products and privacy policies for compliance only during the normal application approval/issuance or modification process, as specified. 9)Defines the following terms, including: a) Confidential communications request is a request by an insured individual that insurance communications be communicated by a specific method, such as by telephone, email, or in a covered envelope rather than postcard, or to a specific mail or email address or specific telephone number, as designated by the insured individual. b) Endanger means that an insured individual fears harassment or abuse resulting from an insurance communication sufficient to deter the patient from obtaining health care absent confidentiality. c) Insured individual means a person entitled to coverage under a health plan or health insurer, including the SB 138 Page 3 policyholder, enrollee, and dependents. d) Insurance communication means any communication from the health plan or health insurer to insured individuals that discloses individually identifiable medical information. Insurance communication includes, but is not limited to, explanation of benefits (EOB) forms, scheduling information, notices of denial, and notices of contested claims. e) Nondisclosure request means a written request to withhold insurance communications that includes the insured individual's name and address, description of the medical or other information that should not be disclosed, identity of the persons from whom information shall be withheld, and contact information for the individual for additional information or clarification necessary to satisfy the request. f) Sensitive services means all health care services that minors can consent to, including: mental health treatment or counseling services; residential shelter services; medical care related to the prevention or treatment of pregnancy, as specified; diagnosis or treatment related to infectious, contagious, or communicable disease; prevention of sexually transmitted diseases, as specified; and human immunodeficiency virus (HIV) services, obtained by any patient who has reached the minimum age specified for consenting to the service as specified including patients 18 years of age and older. 10)States that it is the intent of the Legislature to incorporate Health Insurance Portability and Accountability Act (HIPAA) standards into state law and to clarify the standards for protecting the confidentiality of medical information in insurance transactions. 11)Makes other technical, conforming, and clarifying changes. EXISTING LAW : 1)Establishes DMHC to regulate health plans under Knox-Keene in the Health and Safety Code and CDI to regulate health insurers under the Insurance Code. SB 138 Page 4 2)Establishes under federal law, the HIPAA, which among various provisions, mandates industry-wide standards for health care information on electronic billing and other processes; and, requires the protection and confidential handling of protected health information. 3)Establishes under state law the Confidentiality of Medical Information Act (CMIA) which governs the disclosure of medical information by health care providers, Knox-Keene regulated plans, health care clearinghouses and employers. 4)Authorizes a minor who is 12 years of age or older and who may have come into contact with an infectious, contagious, or communicable disease to consent to medical care related to the diagnosis or treatment of the disease, if the disease or condition is one that is required by law or regulation to be reported to the local health officer, or is a related sexually transmitted disease (STD), as may be determined by the Department of Public Health. Authorizes a minor who is 12 years of age or older to consent to medical care related to the prevention of STDs. Provides that the minor's parents or guardian are not liable for payment for medical care provided under these provisions. 5)Provides that a minor may consent to medical care or dental care if all of the following conditions are satisfied: a) The minor is 15 years of age or older; b) The minor is living separate and apart from his/her parents or guardians, whether with or without the consent of a parent or guardian and regardless of the duration of the separate residence; c) The minor is managing his/her own financial affairs, regardless of the source of the minor's income; and, d) The parents or guardians are not liable for medical care or dental care provided, as specified. FISCAL EFFECT : According to the Senate Appropriations Committee: 1)One-time costs between $500,000 and $600,000 for review of health plan contracts and other documents by DMHC to ensure that health plan privacy policies comply with this bill's requirements (Managed Care Fund). 2)Potential ongoing enforcement costs, likely in the tens of SB 138 Page 5 thousands annually, based on complaints for violations of the bill's requirements by health plans (Managed Care Fund). 3)One-time costs between $500,000 and $600,000 for review of insurance plan contracts and other documents by CDI to ensure that health plan privacy policies comply with the bill's requirements (Insurance Fund). While CDI indicates that costs under the bill are absorbable, the initial review of insurance plan contracts and other documents to ensure compliance with this bill will likely impose additional workload on CDI. 4)Potential ongoing enforcement costs, likely in the tens of thousands annually, based on complaints for violations of this bill's requirements by health insurers (Insurance Fund). COMMENTS : 1)PURPOSE OF THIS BILL . The California Family Health Council is the sponsor of this bill. According to the author, when it comes to the sharing of patient information for insured dependents, there is a lack of clear definitions and clarity around requirements and restrictions in existing state and federal law, there are different regulations for different insurance products, there are not standardized forms or processes, and there is an undue burden on the insured dependent to opt-in to confidentiality protections. This bill will bring clarity to the existing patchwork of state and federal statutes and regulations related to the sharing of patient information, and will protect patient confidentiality for insured dependents accessing services related to sexual and reproductive health, HIV/AIDS, substance use and mental health care or any other health care service when disclosure could cause harm. 2)BACKGROUND . a) HIPAA . HIPAA, among various provisions, requires the protection and confidential handling of protected health information (this is commonly referred to as HIPAA Privacy Rules). The HIPAA Privacy Rules provide federal protections for personal health information (PHI) held by covered entities and give patients an array of rights with respect to that information. Disclosure of PHI is permitted when needed for patient care and other important purposes. On the other hand, HIPAA's Security Rule SB 138 Page 6 specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic PHI. Under HIPAA regulations, health plans and covered health care providers must permit individuals to request an alternative means or location for receiving communications of PHI by means other than those that the covered entity typically employs. For example, an individual may request that the provider communicate with the individual through a designated address or phone number. Similarly, an individual may request that the provider send communications in a closed envelope rather than a post card. Additionally, health plans must accommodate reasonable requests if the individual indicates that the disclosure of all or part of the PHI could endanger the individual. The health plan may not question the individual's statement of endangerment. Any covered entity may condition compliance with a confidential communication request on the individual specifying an alternative address or method of contact and explaining how any payment will be handled. b) CMIA . In California, the CMIA governs the disclosure of medical information by health care providers, Knox-Keene regulated plans, contractors, health care clearinghouses, and employers. Specifically, the CMIA prohibits a provider of health care, health plan, or contractor from disclosing medical information regarding a patient or an enrollee or subscriber without first obtaining an authorization, unless the disclosure is permitted. Below are examples of when disclosure is permitted: i) Medical information may be disclosed to a person or entity that provides billing, claims management, medical data processing, or other administrative services for providers of health care or health plans, as specified; ii) For purposes of administering the health plan, the information may additionally be disclosed to a health plan by providers of health care that contract with the health plan and may be transferred among providers of health care that contract with the health plan; and, SB 138 Page 7 iii) The disclosure is for the purpose of determining eligibility, coordinating benefits, or allowing the employee welfare benefit plan, or the contracting entity, to advocate on the behalf of a patient or enrollee with a provider, a health plan, or a state or federal regulatory agency. There are various remedies for a violation of CMIA, including recovery of compensatory damages, punitive damages, and payment of attorneys' fees if an individual has sustained economic loss or personal injury from the disclosure. c) Minors Consenting to Medical Care . The Family Code includes several provisions relating to a minor's ability to consent to medical or dental care. Specifically, a minor may consent to medical or dental care if the minor is 15 years or age or older, is living apart from his or her parents or guardian, as specified, and, the minor is managing his or her own financial affairs. Additionally, a minor is authorized to consent to medical care related to the prevention or treatment of pregnancy. To prevent transmission of STDs, AB 499 (Atkins) Chapter 652, Statutes of 2011, authorizes a minor who is 12 years of age or older to consent to medical care related to the diagnosis or treatment of STDs. Moreover, a minor who is 12 years of age or older and who is alleged to have been raped is authorized to consent to medical care related to the diagnosis or treatment of the condition and the collection of medical evidence with regard to the alleged rape. Other conditions that a minor who is 12 years of age or older may consent to include diagnosis and treatment of a drug-or-alcohol related problem, and mental health treatment or counseling, as specified. d) Study on State Policies Regarding Confidentiality . The Centers for Disease Control and Prevention funded an analysis of state laws and regulations regarding the potential for the sharing of information as part of communications with a private health plan. This July 2012 report submitted by the Guttmacher Institute reviewed state-level requirements related to confidentiality in private insurance. The report assessed laws that can SB 138 Page 8 compromise confidentiality through a number of different avenues. According to the report, despite the widespread recognition of the importance of maintaining patient confidentiality, billing, and insurance claims (most notably the practice of sending EOBs to a policyholder whenever care is provided under his or her policy) routinely violate confidentiality for anyone, often a minor or a young adult, insured as a dependent on someone else's policy. EOBs inform policyholders of claims made and actions taken in response to those claims, for anyone covered under their policy. EOBs typically identify the individual who received care, the health care provider, and the type of care obtained. They also include information on the amount charged for the care, the amount reimbursed by the insurer, and any remaining financial obligation on the part of the policyholder or patient. The report found provisions in the laws of almost all states that lead to disclosure to a policyholder or other third party of confidential health information for dependents seeking sensitive health care services. e) Patient Protection and Affordable Care Act (ACA) . On March 23, 2010, President Obama signed the ACA (Public Law 111-148), as amended by the Health Care and Education Reconciliation Act of 2010 (Public Law 111-152). Among other provisions, the new law requires most U.S. citizens and legal residents to have health insurance; creates state-based American Health Benefit Exchanges through which individuals can purchase coverage, with premium and cost sharing credits, as specified, and creates separate exchanges through which small businesses can purchase coverage. According to estimates, the ACA will extend health coverage to approximately 4-6 million Californians, including people with HIV. Starting in 2014, new health coverage options will be available in the private health insurance market and in the Exchanges. As part of ACA implementation, there are many new requirements on health insurers and plans such as elimination of preexisting conditions requirements, limitations on enrollee cost sharing, guaranteed issue of plans and policies, and restrictions on the factors health plans and insurers can use to determine premium rates. Additionally, the Exchange will create better information and more competition in the insurance market. SB 138 Page 9 3)SUPPORT . The California Family Health Council, the Privacy Rights Clearinghouse, the American Civil Liberties Union of California, all state that the inability to guarantee confidential access to services can lead to harm. Some minors and adults may choose not to seek care for sensitive services such as STDs, birth control, drug treatment, and mental health services for fear a parent or partner will find out. Survivors of domestic violence may choose not to seek medical or mental health services knowing an abusive spouse may have access to this information. In addition, there are concerns about confidentiality protections, patients with private insurance may choose to enroll in public programs in order to avoid possible privacy breaches, and this unnecessarily shifts health care costs to the state. 4)OPPOSITION . The Association of California Life and Health Insurance Companies and the California Association of Health Plans indicate they have implementation and workability concerns. They state that this bill gives no indication on how the opt-in process would work nor does it suggest how insurers would comply when they have little contact with anyone other than the primary policy holder. Additionally, this process would require insurers to invest a considerable amount of time and resources toward upgrading all their information technology systems so that they may fully comply with the provisions of this bill. Furthermore, they are concern that the insured will not be receiving important information such as EOB forms, scheduling information, notices of denial, notices of contested claims, and appeal rights if claims are denied and the potential financial liability that exists related to the services received. 5)RELATED LEGISLATION . AB 599 (Donnelly) provides that existing law which allows a minor who is 12 years of age or older and who may have come into contact with an infectious, contagious, or communicable disease to consent to medical care, as specified, does not authorize a minor to receive a vaccine without the consent of the parent or guardian of the minor. AB 599 is pending in this Committee. 6)PREVIOUS LEGISLATION . AB 499 allows a minor who is 12 years of age or older to consent to medical care related to the prevention of STDs. 7)DOUBLE-REFERRAL . This bill was double-referred and passed out SB 138 Page 10 of the Assembly Judiciary on June 25, 2013 on a 7-3 vote. 8)TECHNICAL AMENDMENTS . a) The author would like to amend this bill to do the following: i) On pages 9, line 40 and page 10 lines 1 -2, clarify that if insurance communication is required by federal law, the plan must comply with this bill's requirements, as follows: If required by federal law, the health care service plan or health insurerinsurance communicationshall comply with either of the following: ii) On page10, delete lines 12-16 relating to insureds who are not dependents, as follows:(2) For an insured individual to whom paragraph (1) does not apply, a health care service plan or health insurer shall not send the insurance communication related to sensitive services.b) To address a technical drafting concern, the Committee may wish to amend page 9, lines 28-40 as follows: 56.107. (a) Notwithstanding any other law, and to the extent permitted by federal law, a health care service plan or health insurer shall take the following steps to protect the confidentiality of an insured individual's medical information as follows: (1)For an insured individual who is insured or covered as a dependent on another person's health care service plan or health insurance policy, a health care service plan or health insurer shall not send insurance communications relating to sensitive services,A health care service plan or health insurer shall not send insurance communications relating to sensitive services for an insured individual who is insured or covered as a dependent on another person's health care service plan or health insurance policy unless the insurance communication is required by federal law. SB 138 Page 11 c) To clarify the definition of nondisclosure request specified on page 7, lines 4 - 10, the Committee may wish to amend this definition as follows: Nondisclosure request means awrittenrequest by an insured individual to withhold insurance communications that includes the insured individual's name and address, description of the medical or other information that should not be disclosed,identity of the persons from whom the information shall be withheld,and alternative contact information of the insured individual for additional information or clarification necessary to satisfy the request. REGISTERED SUPPORT / OPPOSITION : Support California Family Health Council (sponsor) ACCESS Women's Health Justice American Association of University Women American Civil Liberties Union of California American Congress of Obstetricians and Gynecologists, District IX (California) California Academy of Physician Assistants California Adolescent Health Collaborative California Association of Marriage and Family Therapists California National Organization of Women California Partnership to End Domestic Violence California Primary Care Association Center on Reproductive Rights and Justice at UC Berkeley School of Law Citizens for Choice Los Angeles Trust for Children's Health National Center for Youth Law National Health Law Program Physicians for Reproductive Health Planned Parenthood Affiliates of California Privacy Rights Clearinghouse Women's Community Clinic Opposition Association of California Life and Health Insurance Companies California Association of Health Plans SB 138 Page 12 Analysis Prepared by : Rosielyn Pulmano / HEALTH / (916) 319-2097