BILL ANALYSIS                                                                                                                                                                                                    Ó



                                                                  SB 138
                                                                  Page  1

          Date of Hearing:  July 2, 2013

                            ASSEMBLY COMMITTEE ON HEALTH
                                 Richard Pan, Chair
                  SB 138 (Ed Hernandez) - As Amended:  June 26, 2013

           SENATE VOTE  :  26-11
           
          SUBJECT  :  Confidentiality of medical information.

           SUMMARY  :  Requires health care service plans (health plans) and  
          health insurers to take specified steps to protect the  
          confidentiality of an insured individual's medical information  
          including dependents for purposes of sensitive services or if  
          disclosure will endanger an insured individual, as specified.   
          Specifically,  this bill  : 

          1)Prohibits, for an insured individual who is insured or covered  
            as a  dependent  on another person's health plan or health  
            insurance policy, a health plan or health insurer from sending  
            insurance communications relating to  sensitive services  unless  
            the insurance communication is required by federal law.   
            Requires, if the insurance communication is required by  
            federal law, the insurance communication to comply with either  
            of the following:

             a)   The health plan or health insurer must send the required  
               insurance communication to the insured individual in  
               compliance with a confidential communications request  
               received from the insured individual; or,

             b)   If there is no confidential communications request, a  
               health plan or health insurer must send the required  
               insurance communication to the insured individual and may  
               do so at the address furnished by the policy holder.

          2)Prohibits a health plan or health insurer, for an insured  
            individual to whom 1) above does not apply and who has  
            submitted a nondisclosure request, from sending insurance  
            communication related to sensitive services. 

          3)Requires a health plan or health insurer to comply with a  
            nondisclosure request or a confidential communications request  
            from an insured individual who states that disclosure of  
            medical information will  endanger  the individual, and not  








                                                                  SB 138
                                                                  Page  2

            require an explanation as to the basis for the insured  
            individual's statement that disclosure will endanger the  
            individual.

          4)Deems confidential communications or nondisclosure requests to  
            be received by the health plan or health insurer within 24  
            hours of electronic transmission or 72 hours of posting by  
            first class mail.

          5)Authorizes a provider of health care to make arrangements with  
            the insured individual for the payment of benefit cost sharing  
            and communicate that arrangement with the health plan or  
            health insurer.

          6)Prohibits a health plan or health insurer from conditioning  
            enrollment or coverage in the health plan or health policy or  
            eligibility for benefits on the provision of an authorization  
            for insurance communications.
          7)Provides that to the extent that the Knox-Keene Health Care  
            Service Plan Act of 1975 (Knox-Keene) and the provisions of  
            the Insurance Code that apply to health insurers conflicts  
            with this bill's provisions, this bill controls.

          8)Requires the Department of Managed Health Care (DMHC) and  
            Department of Insurance (CDI) to review health plan contracts  
            or health insurance products and privacy policies for  
            compliance only during the normal application  
            approval/issuance or modification process, as specified.

          9)Defines the following terms, including:

             a)   Confidential communications request is a request by an  
               insured individual that insurance communications be  
               communicated by a specific method, such as by telephone,  
               email, or in a covered envelope rather than postcard, or to  
               a specific mail or email address or specific telephone  
               number, as designated by the insured individual.

             b)   Endanger means that an insured individual fears  
               harassment or abuse resulting from an insurance  
               communication sufficient to deter the patient from  
               obtaining health care absent confidentiality.

             c)   Insured individual means a person entitled to coverage  
               under a health plan or health insurer, including the  








                                                                  SB 138
                                                                  Page  3

               policyholder, enrollee, and dependents.

             d)   Insurance communication means any communication from the  
               health plan or health insurer to insured individuals that  
               discloses individually identifiable medical information.   
               Insurance communication includes, but is not limited to,  
               explanation of benefits (EOB) forms, scheduling  
               information, notices of denial, and notices of contested  
               claims.

             e)   Nondisclosure request means a written request to  
               withhold insurance communications that includes the insured  
               individual's name and address, description of the medical  
               or other information that should not be disclosed, identity  
               of the persons from whom information shall be withheld, and  
               contact information for the individual for additional  
               information or clarification necessary to satisfy the  
               request.

             f)   Sensitive services means all health care services that  
               minors can consent to, including: mental health treatment  
               or counseling services; residential shelter services;  
               medical care related to the prevention or treatment of  
               pregnancy, as specified; diagnosis or treatment related to  
               infectious, contagious, or communicable disease; prevention  
               of sexually transmitted diseases, as specified; and human  
               immunodeficiency virus (HIV) services, obtained by any  
               patient who has reached the minimum age specified for  
               consenting to the service as specified including patients  
               18 years of age and older.

          10)States that it is the intent of the Legislature to  
            incorporate Health Insurance Portability and Accountability  
            Act (HIPAA) standards into state law and to clarify the  
            standards for protecting the confidentiality of medical  
            information in insurance transactions.

          11)Makes other technical, conforming, and clarifying changes.

           EXISTING LAW  :  

          1)Establishes DMHC to regulate health plans under Knox-Keene in  
            the Health and Safety Code and CDI to regulate health insurers  
            under the Insurance Code.









                                                                  SB 138
                                                                  Page  4

          2)Establishes under federal law, the HIPAA, which among various  
            provisions, mandates industry-wide standards for health care  
            information on electronic billing and other processes; and,  
            requires the protection and confidential handling of protected  
            health information. 

          3)Establishes under state law the Confidentiality of Medical  
            Information Act (CMIA) which governs the disclosure of medical  
            information by health care providers, Knox-Keene regulated  
            plans, health care clearinghouses and employers.

          4)Authorizes a minor who is 12 years of age or older and who may  
            have come into contact with an infectious, contagious, or  
            communicable disease to consent to medical care related to the  
            diagnosis or treatment of the disease, if the disease or  
            condition is one that is required by law or regulation to be  
            reported to the local health officer, or is a related sexually  
            transmitted disease (STD), as may be determined by the  
            Department of Public Health.  Authorizes a minor who is 12  
            years of age or older to consent to medical care related to  
            the prevention of STDs.  Provides that the minor's parents or  
            guardian are not liable for payment for medical care provided  
            under these provisions.

          5)Provides that a minor may consent to medical care or dental  
            care if all of the following conditions are satisfied:

             a)   The minor is 15 years of age or older;
             b)   The minor is living separate and apart from his/her  
               parents or guardians, whether with or without the consent  
               of a parent or guardian and regardless of the duration of  
               the separate residence;
             c)   The minor is managing his/her own financial affairs,  
               regardless of the source of the minor's income; and,
             d)   The parents or guardians are not liable for medical care  
               or dental care provided, as specified.

           FISCAL EFFECT  : According to the Senate Appropriations Committee:

          1)One-time costs between $500,000 and $600,000 for review of  
            health plan contracts and other documents by DMHC to ensure  
            that health plan privacy policies comply with this bill's  
            requirements (Managed Care Fund).

          2)Potential ongoing enforcement costs, likely in the tens of  








                                                                  SB 138
                                                                  Page  5

            thousands annually, based on complaints for violations of the  
            bill's requirements by health plans (Managed Care Fund).

          3)One-time costs between $500,000 and $600,000 for review of  
            insurance plan contracts and other documents by CDI to ensure  
            that health plan privacy policies comply with the bill's  
            requirements (Insurance Fund).  While CDI indicates that costs  
            under the bill are absorbable, the initial review of insurance  
            plan contracts and other documents to ensure compliance with  
            this bill will likely impose additional workload on CDI. 

          4)Potential ongoing enforcement costs, likely in the tens of  
            thousands annually, based on complaints for violations of this  
            bill's requirements by health insurers (Insurance Fund).

           COMMENTS  :

           1)PURPOSE OF THIS BILL  .  The California Family Health Council is  
            the sponsor of this bill.  According to the author, when it  
            comes to the sharing of patient information for insured  
            dependents, there is a lack of clear definitions and clarity  
            around requirements and restrictions in existing state and  
            federal law, there are different regulations for different  
            insurance products, there are not standardized forms or  
            processes, and there is an undue burden on the insured  
            dependent to opt-in to confidentiality protections. This bill  
            will bring clarity to the existing patchwork of state and  
            federal statutes and regulations related to the sharing of  
            patient information, and will protect patient confidentiality  
            for insured dependents accessing services related to sexual  
            and reproductive health, HIV/AIDS, substance use and mental  
            health care or any other health care service when disclosure  
            could cause harm.

           2)BACKGROUND  .  

              a)   HIPAA  .  HIPAA, among various provisions, requires the  
               protection and confidential handling of protected health  
               information (this is commonly referred to as HIPAA Privacy  
               Rules).  The HIPAA Privacy Rules provide federal  
               protections for personal health information (PHI) held by  
               covered entities and give patients an array of rights with  
               respect to that information.  Disclosure of PHI is  
               permitted when needed for patient care and other important  
               purposes.  On the other hand, HIPAA's Security Rule  








                                                                  SB 138
                                                                  Page  6

               specifies a series of administrative, physical, and  
               technical safeguards for covered entities to use to assure  
               the confidentiality, integrity, and availability of  
               electronic PHI.

             Under HIPAA regulations, health plans and covered health care  
               providers must permit individuals to request an alternative  
               means or location for receiving communications of PHI by  
               means other than those that the covered entity typically  
               employs.  For example, an individual may request that the  
               provider communicate with the individual through a  
               designated address or phone number.  Similarly, an  
               individual may request that the provider send  
               communications in a closed envelope rather than a post  
               card.

             Additionally, health plans must accommodate reasonable  
               requests if the individual indicates that the disclosure of  
               all or part of the PHI could  endanger  the individual.  The  
               health plan may not question the individual's statement of  
               endangerment.  Any covered entity may condition compliance  
               with a confidential communication request on the individual  
               specifying an alternative address or method of contact and  
               explaining how any payment will be handled.

              b)   CMIA  .  In California, the CMIA governs the disclosure of  
               medical information by health care providers, Knox-Keene  
               regulated plans, contractors, health care clearinghouses,  
               and employers.  Specifically, the CMIA prohibits a provider  
               of health care, health plan, or contractor from disclosing  
               medical information regarding a patient or an enrollee or  
               subscriber without first obtaining an authorization, unless  
               the disclosure is permitted.  Below are examples of when  
               disclosure is permitted:

               i)     Medical information may be disclosed to a person or  
                 entity that provides billing, claims management, medical  
                 data processing, or other administrative services for  
                 providers of health care or health plans, as specified;

               ii)    For purposes of administering the health plan, the  
                 information may additionally be disclosed to a health  
                 plan by providers of health care that contract with the  
                 health plan and may be transferred among providers of  
                 health care that contract with the health plan; and,








                                                                  SB 138
                                                                  Page  7


               iii)   The disclosure is for the purpose of determining  
                 eligibility, coordinating benefits, or allowing the  
                 employee welfare benefit plan, or the contracting entity,  
                 to advocate on the behalf of a patient or enrollee with a  
                 provider, a health plan, or a state or federal regulatory  
                 agency.

               There are various remedies for a violation of CMIA,  
               including recovery of compensatory damages, punitive  
               damages, and payment of attorneys' fees if an individual  
               has sustained economic loss or personal injury from the  
               disclosure.   

              c)   Minors Consenting to Medical Care  .  The Family Code  
               includes several provisions relating to a minor's ability  
               to consent to medical or dental care.  Specifically, a  
               minor may consent to medical or dental care if the minor is  
               15 years or age or older, is living apart from his or her  
               parents or guardian, as specified, and, the minor is  
               managing his or her own financial affairs.  Additionally, a  
               minor is authorized to consent to medical care related to  
               the prevention or treatment of pregnancy.  

             To prevent transmission of STDs, AB 499 (Atkins) Chapter 652,  
               Statutes of 2011, authorizes a minor who is 12 years of age  
               or older to consent to medical care related to the  
               diagnosis or treatment of STDs.  Moreover, a minor who is  
               12 years of age or older and who is alleged to have been  
               raped is authorized to consent to medical care related to  
               the diagnosis or treatment of the condition and the  
               collection of medical evidence with regard to the alleged  
               rape.  Other conditions that a minor who is 12 years of age  
               or older may consent to include diagnosis and treatment of  
               a drug-or-alcohol related problem, and mental health  
               treatment or counseling, as specified.

              d)   Study on State Policies Regarding Confidentiality  .  The  
               Centers for Disease Control and Prevention funded an  
               analysis of state laws and regulations regarding the  
               potential for the sharing of information as part of  
               communications with a private health plan.  This July 2012  
               report submitted by the Guttmacher Institute reviewed  
               state-level requirements related to confidentiality in  
               private insurance.  The report assessed laws that can  








                                                                  SB 138
                                                                  Page  8

               compromise confidentiality through a number of different  
               avenues.  According to the report, despite the widespread  
               recognition of the importance of maintaining patient  
               confidentiality, billing, and insurance claims (most  
               notably the practice of sending EOBs to a policyholder  
               whenever care is provided under his or her policy)  
               routinely violate confidentiality for anyone, often a minor  
               or a young adult, insured as a dependent on someone else's  
               policy.  EOBs inform policyholders of claims made and  
               actions taken in response to those claims, for anyone  
               covered under their policy.  EOBs typically identify the  
               individual who received care, the health care provider, and  
               the type of care obtained. They also include information on  
               the amount charged for the care, the amount reimbursed by  
               the insurer, and any remaining financial obligation on the  
               part of the policyholder or patient.  The report found  
               provisions in the laws of almost all states that lead to  
               disclosure to a policyholder or other third party of  
               confidential health information for dependents seeking  
               sensitive health care services.

              e)   Patient Protection and Affordable Care Act (ACA)  .  On  
               March 23, 2010, President Obama signed the ACA (Public Law  
               111-148), as amended by the Health Care and Education  
               Reconciliation Act of 2010 (Public Law 111-152).  Among  
               other provisions, the new law requires most U.S. citizens  
               and legal residents to have health insurance; creates  
               state-based American Health Benefit Exchanges through which  
               individuals can purchase coverage, with premium and cost  
               sharing credits, as specified, and creates separate  
               exchanges through which small businesses can purchase  
               coverage.  According to estimates, the ACA will extend  
               health coverage to approximately 4-6 million Californians,  
               including people with HIV.  Starting in 2014, new health  
               coverage options will be available in the private health  
               insurance market and in the Exchanges.  As part of ACA  
               implementation, there are many new requirements on health  
               insurers and plans such as elimination of preexisting  
               conditions requirements, limitations on enrollee cost  
               sharing, guaranteed issue of plans and policies, and  
               restrictions on the factors health plans and insurers can  
               use to determine premium rates.  Additionally, the Exchange  
               will create better information and more competition in the  
               insurance market.









                                                                  SB 138
                                                                  Page  9

           3)SUPPORT  .  The California Family Health Council, the Privacy  
            Rights Clearinghouse, the American Civil Liberties Union of  
            California, all state that the inability to guarantee  
            confidential access to services can lead to harm.  Some minors  
            and adults may choose not to seek care for sensitive services  
            such as STDs, birth control, drug treatment, and mental health  
            services for fear a parent or partner will find out.   
            Survivors of domestic violence may choose not to seek medical  
            or mental health services knowing an abusive spouse may have  
            access to this information.  In addition, there are concerns  
            about confidentiality protections, patients with private  
            insurance may choose to enroll in public programs in order to  
            avoid possible privacy breaches, and this unnecessarily shifts  
            health care costs to the state. 

           4)OPPOSITION  .  The Association of California Life and Health  
            Insurance Companies and the California Association of Health  
            Plans indicate they have implementation and workability  
            concerns.  They state that this bill gives no indication on  
            how the opt-in process would work nor does it suggest how  
            insurers would comply when they have little contact with  
            anyone other than the primary policy holder.  Additionally,  
            this process would require insurers to invest a considerable  
            amount of time and resources toward upgrading all their  
            information technology systems so that they may fully comply  
            with the provisions of this bill.  Furthermore, they are  
            concern that the insured will not be receiving important  
            information such as EOB forms, scheduling information, notices  
            of denial, notices of contested claims, and appeal rights if  
            claims are denied and the potential financial liability that  
            exists related to the services received.

           5)RELATED LEGISLATION  .  AB 599 (Donnelly) provides that existing  
            law which allows a minor who is 12 years of age or older and  
            who may have come into contact with an infectious, contagious,  
            or communicable disease to consent to medical care, as  
            specified, does not authorize a minor to receive a vaccine  
            without the consent of the parent or guardian of the minor.   
            AB 599 is pending in this Committee.

           6)PREVIOUS LEGISLATION  .  AB 499 allows a minor who is 12 years  
            of age or older to consent to medical care related to the  
            prevention of STDs.

           7)DOUBLE-REFERRAL  .  This bill was double-referred and passed out  








                                                                  SB 138
                                                                  Page  10

            of the Assembly Judiciary on June 25, 2013 on a 7-3 vote.

           8)TECHNICAL AMENDMENTS  . 

             a)   The author would like to amend this bill to do the  
               following:

               i)     On pages 9, line 40 and page 10 lines 1 -2, clarify  
                 that if insurance communication is required by federal  
                 law, the plan must comply with this bill's requirements,  
                 as follows:

                    If required by federal law, the health care service  
                    plan or health insurer  insurance communication  shall  
                    comply with either of the following:

               ii)    On page10, delete lines 12-16 relating to insureds  
                 who are not dependents, as follows:

                     (2)  For an insured individual to whom paragraph (1)  
                    does not apply, a health care service plan or health  
                     insurer shall not send the insurance communication  
                    related to sensitive services.
                     
             b)   To address a technical drafting concern, the Committee  
               may wish to amend page 9, lines 28-40 as follows: 

                 56.107. (a) Notwithstanding any other law, and to the  
                 extent permitted by federal law, a health care service  
                 plan or health insurer shall take the following steps  
                 to protect the confidentiality of an insured  
                 individual's medical information as follows:

                 (1)  For an insured individual who is insured or covered  
                 as a dependent on another person's health care service  
                 plan or health insurance policy, a health care service  
                 plan or health insurer shall not send insurance  
                 communications relating to sensitive services,   A health  
                 care service plan or health insurer shall not send  
                 insurance communications relating to sensitive services  
                 for an insured individual who is insured or covered as  
                 a dependent on another person's health care service  
                 plan or health insurance policy  unless the insurance  
                 communication is required by federal law. 









                                                                  SB 138
                                                                  Page  11

             c)   To clarify the definition of nondisclosure request  
               specified on page 7, lines 4 - 10, the Committee may wish  
               to amend this definition as follows: 

                 Nondisclosure request means a  written  request  by an  
                 insured individual  to withhold insurance communications  
                 that includes the insured individual's name and  
                 address, description of the medical or other  
                 information that should not be disclosed,  identity of  
                 the persons from whom the information shall be  
                 withheld,  and  alternative  contact information of the  
                 insured individual for additional information or  
                 clarification necessary to satisfy the request.
           REGISTERED SUPPORT / OPPOSITION  :

           Support 
           
          California Family Health Council (sponsor)
          ACCESS Women's Health Justice
          American Association of University Women
          American Civil Liberties Union of California
          American Congress of Obstetricians and Gynecologists, District  
          IX (California)
          California Academy of Physician Assistants
          California Adolescent Health Collaborative 
          California Association of Marriage and Family Therapists
          California National Organization of Women
          California Partnership to End Domestic Violence
          California Primary Care Association
          Center on Reproductive Rights and Justice at UC Berkeley School  
          of Law 
          Citizens for Choice
          Los Angeles Trust for Children's Health
          National Center for Youth Law 
          National Health Law Program 
          Physicians for Reproductive Health 
          Planned Parenthood Affiliates of California
          Privacy Rights Clearinghouse 
          Women's Community Clinic
           
            Opposition 
           
          Association of California Life and Health Insurance Companies 
          California Association of Health Plans 









                                                                  SB 138
                                                                  Page  12


           Analysis Prepared by :    Rosielyn Pulmano / HEALTH / (916)  
          319-2097