BILL ANALYSIS �Ó
SB 138
Page 1
Date of Hearing: July 2, 2013
ASSEMBLY COMMITTEE ON HEALTH
Richard Pan, Chair
SB 138 (Ed Hernandez) - As Amended: June 26, 2013
SENATE VOTE : 26-11
SUBJECT : Confidentiality of medical information.
SUMMARY : Requires health care service plans (health plans) and
health insurers to take specified steps to protect the
confidentiality of an insured individual's medical information
including dependents for purposes of sensitive services or if
disclosure will endanger an insured individual, as specified.
Specifically, this bill :
1)Prohibits, for an insured individual who is insured or covered
as a dependent on another person's health plan or health
insurance policy, a health plan or health insurer from sending
insurance communications relating to sensitive services unless
the insurance communication is required by federal law.
Requires, if the insurance communication is required by
federal law, the insurance communication to comply with either
of the following:
a) The health plan or health insurer must send the required
insurance communication to the insured individual in
compliance with a confidential communications request
received from the insured individual; or,
b) If there is no confidential communications request, a
health plan or health insurer must send the required
insurance communication to the insured individual and may
do so at the address furnished by the policy holder.
2)Prohibits a health plan or health insurer, for an insured
individual to whom 1) above does not apply and who has
submitted a nondisclosure request, from sending insurance
communication related to sensitive services.
3)Requires a health plan or health insurer to comply with a
nondisclosure request or a confidential communications request
from an insured individual who states that disclosure of
medical information will endanger the individual, and not
�
SB 138
Page 2
require an explanation as to the basis for the insured
individual's statement that disclosure will endanger the
individual.
4)Deems confidential communications or nondisclosure requests to
be received by the health plan or health insurer within 24
hours of electronic transmission or 72 hours of posting by
first class mail.
5)Authorizes a provider of health care to make arrangements with
the insured individual for the payment of benefit cost sharing
and communicate that arrangement with the health plan or
health insurer.
6)Prohibits a health plan or health insurer from conditioning
enrollment or coverage in the health plan or health policy or
eligibility for benefits on the provision of an authorization
for insurance communications.
7)Provides that to the extent that the Knox-Keene Health Care
Service Plan Act of 1975 (Knox-Keene) and the provisions of
the Insurance Code that apply to health insurers conflicts
with this bill's provisions, this bill controls.
8)Requires the Department of Managed Health Care (DMHC) and
Department of Insurance (CDI) to review health plan contracts
or health insurance products and privacy policies for
compliance only during the normal application
approval/issuance or modification process, as specified.
9)Defines the following terms, including:
a) Confidential communications request is a request by an
insured individual that insurance communications be
communicated by a specific method, such as by telephone,
email, or in a covered envelope rather than postcard, or to
a specific mail or email address or specific telephone
number, as designated by the insured individual.
b) Endanger means that an insured individual fears
harassment or abuse resulting from an insurance
communication sufficient to deter the patient from
obtaining health care absent confidentiality.
c) Insured individual means a person entitled to coverage
under a health plan or health insurer, including the
�
SB 138
Page 3
policyholder, enrollee, and dependents.
d) Insurance communication means any communication from the
health plan or health insurer to insured individuals that
discloses individually identifiable medical information.
Insurance communication includes, but is not limited to,
explanation of benefits (EOB) forms, scheduling
information, notices of denial, and notices of contested
claims.
e) Nondisclosure request means a written request to
withhold insurance communications that includes the insured
individual's name and address, description of the medical
or other information that should not be disclosed, identity
of the persons from whom information shall be withheld, and
contact information for the individual for additional
information or clarification necessary to satisfy the
request.
f) Sensitive services means all health care services that
minors can consent to, including: mental health treatment
or counseling services; residential shelter services;
medical care related to the prevention or treatment of
pregnancy, as specified; diagnosis or treatment related to
infectious, contagious, or communicable disease; prevention
of sexually transmitted diseases, as specified; and human
immunodeficiency virus (HIV) services, obtained by any
patient who has reached the minimum age specified for
consenting to the service as specified including patients
18 years of age and older.
10)States that it is the intent of the Legislature to
incorporate Health Insurance Portability and Accountability
Act (HIPAA) standards into state law and to clarify the
standards for protecting the confidentiality of medical
information in insurance transactions.
11)Makes other technical, conforming, and clarifying changes.
EXISTING LAW :
1)Establishes DMHC to regulate health plans under Knox-Keene in
the Health and Safety Code and CDI to regulate health insurers
under the Insurance Code.
�
SB 138
Page 4
2)Establishes under federal law, the HIPAA, which among various
provisions, mandates industry-wide standards for health care
information on electronic billing and other processes; and,
requires the protection and confidential handling of protected
health information.
3)Establishes under state law the Confidentiality of Medical
Information Act (CMIA) which governs the disclosure of medical
information by health care providers, Knox-Keene regulated
plans, health care clearinghouses and employers.
4)Authorizes a minor who is 12 years of age or older and who may
have come into contact with an infectious, contagious, or
communicable disease to consent to medical care related to the
diagnosis or treatment of the disease, if the disease or
condition is one that is required by law or regulation to be
reported to the local health officer, or is a related sexually
transmitted disease (STD), as may be determined by the
Department of Public Health. Authorizes a minor who is 12
years of age or older to consent to medical care related to
the prevention of STDs. Provides that the minor's parents or
guardian are not liable for payment for medical care provided
under these provisions.
5)Provides that a minor may consent to medical care or dental
care if all of the following conditions are satisfied:
a) The minor is 15 years of age or older;
b) The minor is living separate and apart from his/her
parents or guardians, whether with or without the consent
of a parent or guardian and regardless of the duration of
the separate residence;
c) The minor is managing his/her own financial affairs,
regardless of the source of the minor's income; and,
d) The parents or guardians are not liable for medical care
or dental care provided, as specified.
FISCAL EFFECT : According to the Senate Appropriations Committee:
1)One-time costs between $500,000 and $600,000 for review of
health plan contracts and other documents by DMHC to ensure
that health plan privacy policies comply with this bill's
requirements (Managed Care Fund).
2)Potential ongoing enforcement costs, likely in the tens of
�
SB 138
Page 5
thousands annually, based on complaints for violations of the
bill's requirements by health plans (Managed Care Fund).
3)One-time costs between $500,000 and $600,000 for review of
insurance plan contracts and other documents by CDI to ensure
that health plan privacy policies comply with the bill's
requirements (Insurance Fund). While CDI indicates that costs
under the bill are absorbable, the initial review of insurance
plan contracts and other documents to ensure compliance with
this bill will likely impose additional workload on CDI.
4)Potential ongoing enforcement costs, likely in the tens of
thousands annually, based on complaints for violations of this
bill's requirements by health insurers (Insurance Fund).
COMMENTS :
1)PURPOSE OF THIS BILL . The California Family Health Council is
the sponsor of this bill. According to the author, when it
comes to the sharing of patient information for insured
dependents, there is a lack of clear definitions and clarity
around requirements and restrictions in existing state and
federal law, there are different regulations for different
insurance products, there are not standardized forms or
processes, and there is an undue burden on the insured
dependent to opt-in to confidentiality protections. This bill
will bring clarity to the existing patchwork of state and
federal statutes and regulations related to the sharing of
patient information, and will protect patient confidentiality
for insured dependents accessing services related to sexual
and reproductive health, HIV/AIDS, substance use and mental
health care or any other health care service when disclosure
could cause harm.
2)BACKGROUND .
a) HIPAA . HIPAA, among various provisions, requires the
protection and confidential handling of protected health
information (this is commonly referred to as HIPAA Privacy
Rules). The HIPAA Privacy Rules provide federal
protections for personal health information (PHI) held by
covered entities and give patients an array of rights with
respect to that information. Disclosure of PHI is
permitted when needed for patient care and other important
purposes. On the other hand, HIPAA's Security Rule
�
SB 138
Page 6
specifies a series of administrative, physical, and
technical safeguards for covered entities to use to assure
the confidentiality, integrity, and availability of
electronic PHI.
Under HIPAA regulations, health plans and covered health care
providers must permit individuals to request an alternative
means or location for receiving communications of PHI by
means other than those that the covered entity typically
employs. For example, an individual may request that the
provider communicate with the individual through a
designated address or phone number. Similarly, an
individual may request that the provider send
communications in a closed envelope rather than a post
card.
Additionally, health plans must accommodate reasonable
requests if the individual indicates that the disclosure of
all or part of the PHI could endanger the individual. The
health plan may not question the individual's statement of
endangerment. Any covered entity may condition compliance
with a confidential communication request on the individual
specifying an alternative address or method of contact and
explaining how any payment will be handled.
b) CMIA . In California, the CMIA governs the disclosure of
medical information by health care providers, Knox-Keene
regulated plans, contractors, health care clearinghouses,
and employers. Specifically, the CMIA prohibits a provider
of health care, health plan, or contractor from disclosing
medical information regarding a patient or an enrollee or
subscriber without first obtaining an authorization, unless
the disclosure is permitted. Below are examples of when
disclosure is permitted:
i) Medical information may be disclosed to a person or
entity that provides billing, claims management, medical
data processing, or other administrative services for
providers of health care or health plans, as specified;
ii) For purposes of administering the health plan, the
information may additionally be disclosed to a health
plan by providers of health care that contract with the
health plan and may be transferred among providers of
health care that contract with the health plan; and,
�
SB 138
Page 7
iii) The disclosure is for the purpose of determining
eligibility, coordinating benefits, or allowing the
employee welfare benefit plan, or the contracting entity,
to advocate on the behalf of a patient or enrollee with a
provider, a health plan, or a state or federal regulatory
agency.
There are various remedies for a violation of CMIA,
including recovery of compensatory damages, punitive
damages, and payment of attorneys' fees if an individual
has sustained economic loss or personal injury from the
disclosure.
c) Minors Consenting to Medical Care . The Family Code
includes several provisions relating to a minor's ability
to consent to medical or dental care. Specifically, a
minor may consent to medical or dental care if the minor is
15 years or age or older, is living apart from his or her
parents or guardian, as specified, and, the minor is
managing his or her own financial affairs. Additionally, a
minor is authorized to consent to medical care related to
the prevention or treatment of pregnancy.
To prevent transmission of STDs, AB 499 (Atkins) Chapter 652,
Statutes of 2011, authorizes a minor who is 12 years of age
or older to consent to medical care related to the
diagnosis or treatment of STDs. Moreover, a minor who is
12 years of age or older and who is alleged to have been
raped is authorized to consent to medical care related to
the diagnosis or treatment of the condition and the
collection of medical evidence with regard to the alleged
rape. Other conditions that a minor who is 12 years of age
or older may consent to include diagnosis and treatment of
a drug-or-alcohol related problem, and mental health
treatment or counseling, as specified.
d) Study on State Policies Regarding Confidentiality . The
Centers for Disease Control and Prevention funded an
analysis of state laws and regulations regarding the
potential for the sharing of information as part of
communications with a private health plan. This July 2012
report submitted by the Guttmacher Institute reviewed
state-level requirements related to confidentiality in
private insurance. The report assessed laws that can
�
SB 138
Page 8
compromise confidentiality through a number of different
avenues. According to the report, despite the widespread
recognition of the importance of maintaining patient
confidentiality, billing, and insurance claims (most
notably the practice of sending EOBs to a policyholder
whenever care is provided under his or her policy)
routinely violate confidentiality for anyone, often a minor
or a young adult, insured as a dependent on someone else's
policy. EOBs inform policyholders of claims made and
actions taken in response to those claims, for anyone
covered under their policy. EOBs typically identify the
individual who received care, the health care provider, and
the type of care obtained. They also include information on
the amount charged for the care, the amount reimbursed by
the insurer, and any remaining financial obligation on the
part of the policyholder or patient. The report found
provisions in the laws of almost all states that lead to
disclosure to a policyholder or other third party of
confidential health information for dependents seeking
sensitive health care services.
e) Patient Protection and Affordable Care Act (ACA) . On
March 23, 2010, President Obama signed the ACA (Public Law
111-148), as amended by the Health Care and Education
Reconciliation Act of 2010 (Public Law 111-152). Among
other provisions, the new law requires most U.S. citizens
and legal residents to have health insurance; creates
state-based American Health Benefit Exchanges through which
individuals can purchase coverage, with premium and cost
sharing credits, as specified, and creates separate
exchanges through which small businesses can purchase
coverage. According to estimates, the ACA will extend
health coverage to approximately 4-6 million Californians,
including people with HIV. Starting in 2014, new health
coverage options will be available in the private health
insurance market and in the Exchanges. As part of ACA
implementation, there are many new requirements on health
insurers and plans such as elimination of preexisting
conditions requirements, limitations on enrollee cost
sharing, guaranteed issue of plans and policies, and
restrictions on the factors health plans and insurers can
use to determine premium rates. Additionally, the Exchange
will create better information and more competition in the
insurance market.
�
SB 138
Page 9
3)SUPPORT . The California Family Health Council, the Privacy
Rights Clearinghouse, the American Civil Liberties Union of
California, all state that the inability to guarantee
confidential access to services can lead to harm. Some minors
and adults may choose not to seek care for sensitive services
such as STDs, birth control, drug treatment, and mental health
services for fear a parent or partner will find out.
Survivors of domestic violence may choose not to seek medical
or mental health services knowing an abusive spouse may have
access to this information. In addition, there are concerns
about confidentiality protections, patients with private
insurance may choose to enroll in public programs in order to
avoid possible privacy breaches, and this unnecessarily shifts
health care costs to the state.
4)OPPOSITION . The Association of California Life and Health
Insurance Companies and the California Association of Health
Plans indicate they have implementation and workability
concerns. They state that this bill gives no indication on
how the opt-in process would work nor does it suggest how
insurers would comply when they have little contact with
anyone other than the primary policy holder. Additionally,
this process would require insurers to invest a considerable
amount of time and resources toward upgrading all their
information technology systems so that they may fully comply
with the provisions of this bill. Furthermore, they are
concern that the insured will not be receiving important
information such as EOB forms, scheduling information, notices
of denial, notices of contested claims, and appeal rights if
claims are denied and the potential financial liability that
exists related to the services received.
5)RELATED LEGISLATION . AB 599 (Donnelly) provides that existing
law which allows a minor who is 12 years of age or older and
who may have come into contact with an infectious, contagious,
or communicable disease to consent to medical care, as
specified, does not authorize a minor to receive a vaccine
without the consent of the parent or guardian of the minor.
AB 599 is pending in this Committee.
6)PREVIOUS LEGISLATION . AB 499 allows a minor who is 12 years
of age or older to consent to medical care related to the
prevention of STDs.
7)DOUBLE-REFERRAL . This bill was double-referred and passed out
�
SB 138
Page 10
of the Assembly Judiciary on June 25, 2013 on a 7-3 vote.
8)TECHNICAL AMENDMENTS .
a) The author would like to amend this bill to do the
following:
i) On pages 9, line 40 and page 10 lines 1 -2, clarify
that if insurance communication is required by federal
law, the plan must comply with this bill's requirements,
as follows:
If required by federal law, the health care service
plan or health insurer insurance communication shall
comply with either of the following:
ii) On page10, delete lines 12-16 relating to insureds
who are not dependents, as follows:
(2) For an insured individual to whom paragraph (1)
does not apply, a health care service plan or health
insurer shall not send the insurance communication
related to sensitive services.
b) To address a technical drafting concern, the Committee
may wish to amend page 9, lines 28-40 as follows:
56.107. (a) Notwithstanding any other law, and to the
extent permitted by federal law, a health care service
plan or health insurer shall take the following steps
to protect the confidentiality of an insured
individual's medical information as follows:
(1) For an insured individual who is insured or covered
as a dependent on another person's health care service
plan or health insurance policy, a health care service
plan or health insurer shall not send insurance
communications relating to sensitive services, A health
care service plan or health insurer shall not send
insurance communications relating to sensitive services
for an insured individual who is insured or covered as
a dependent on another person's health care service
plan or health insurance policy unless the insurance
communication is required by federal law.
�
SB 138
Page 11
c) To clarify the definition of nondisclosure request
specified on page 7, lines 4 - 10, the Committee may wish
to amend this definition as follows:
Nondisclosure request means a written request by an
insured individual to withhold insurance communications
that includes the insured individual's name and
address, description of the medical or other
information that should not be disclosed, identity of
the persons from whom the information shall be
withheld, and alternative contact information of the
insured individual for additional information or
clarification necessary to satisfy the request.
REGISTERED SUPPORT / OPPOSITION :
Support
California Family Health Council (sponsor)
ACCESS Women's Health Justice
American Association of University Women
American Civil Liberties Union of California
American Congress of Obstetricians and Gynecologists, District
IX (California)
California Academy of Physician Assistants
California Adolescent Health Collaborative
California Association of Marriage and Family Therapists
California National Organization of Women
California Partnership to End Domestic Violence
California Primary Care Association
Center on Reproductive Rights and Justice at UC Berkeley School
of Law
Citizens for Choice
Los Angeles Trust for Children's Health
National Center for Youth Law
National Health Law Program
Physicians for Reproductive Health
Planned Parenthood Affiliates of California
Privacy Rights Clearinghouse
Women's Community Clinic
Opposition
Association of California Life and Health Insurance Companies
California Association of Health Plans
�
SB 138
Page 12
Analysis Prepared by : Rosielyn Pulmano / HEALTH / (916)
319-2097