BILL ANALYSIS �Ó
SENATE JUDICIARY COMMITTEE
Senator Hannah-Beth Jackson, Chair
2015 - 2016 Regular Session
SB 26 (Hernandez)
Version: December 1, 2014
Hearing Date: April 28, 2015
Fiscal: Yes
Urgency: No
TH
SUBJECT
California Health Care Cost and Quality Database
DESCRIPTION
This bill would require the Secretary of California Health and
Human Services to enter into a contract with one or more
independent, nonprofit organizations to develop and administer
the California Health Care Cost and Quality Database. The bill
would require certain health care entities, including health
care service plans, to provide medical claims, cost, and quality
information to the California Health Care Cost and Quality
Database in order to create a publicly available web-based,
searchable database. The bill would require all data
disclosures to comply with all applicable state and federal laws
for the protection of the privacy and security of data and would
prohibit the public disclosure of any unaggregated, individually
identifiable health information. This bill would also require
the Secretary to convene a review committee to, among other
things, develop the parameters for implementing and
administering the California Health Care Cost and Quality
Database.
BACKGROUND
The Health Insurance Portability and Accountability Act (HIPAA),
enacted in 1996, guarantees privacy protection for individuals
with regards to specific health information (Pub.L. 104-191, 110
Stat. 1936). Generally, protected health information (PHI) is
any information held by a covered entity that concerns health
status, provision of health care, or payment for health care
that can be connected to an individual. HIPAA privacy
regulations require health care providers and organizations to
develop and follow procedures that ensure the confidentiality
and security of PHI when it is transferred, received, handled,
�
SB 26 (Hernandez)
Page 2 of ?
or shared. HIPAA further requires reasonable efforts when
using, disclosing, or requesting PHI, to limit disclosure of
that information to the minimum amount necessary to accomplish
the intended purpose.
The California Confidentiality of Medical Information Act (CMIA)
also protects PHI and restricts the disclosure of medical
information by health care providers, and health care service
plans, as specified. Under existing law, a corporation
organized for the purpose of maintaining medical information in
order to make that information available to the patient, or a
provider at the request of the patient for purposes of diagnosis
or treatment, is deemed to be a provider of health care subject
to the requirements of the CMIA. The CMIA empowers adult
patients in California to keep PHI confidential and decide
whether and when to share that information with others.
This bill would create a new publicly available statewide health
care cost and quality database, and would authorize the entity
administering the database to collect and analyze PHI and other
medical claims, cost, and quality information, in order to
provide consumers with comparative medical pricing and quality
information.
CHANGES TO EXISTING LAW
Existing law , the California Constitution, provides that all
people have inalienable rights, including the right to pursue
and obtain privacy. (Cal. Const, Art. I, Sec. 1.)
Existing federal law , the Health Insurance Portability and
Accountability Act (HIPAA), specifies privacy protections for
patients' protected health information and generally provides
that a covered entity, as defined (health plan, health care
provider, and health care clearing house), may not use or
disclose protected health information except as specified or as
authorized by the patient in writing. (45 C.F.R. Sec. 164.500
et seq.)
Existing law prohibits, under the State Confidentiality of
Medical Information Act (CMIA), providers of health care, health
care service plans, or contractors, as defined, from sharing
medical information without a patient's written authorization,
subject to certain exceptions. (Civ. Code Sec. 56 et seq.)
�
SB 26 (Hernandez)
Page 3 of ?
Existing law defines "medical information" to mean any
individually identifiable information, in electronic or physical
form, in possession of or derived from a provider of health
care, health care service plan, pharmaceutical company, or
contractor regarding a patient's medical history, mental or
physical condition, or treatment. Existing law defines
"individually identifiable" to mean that the medical information
includes or contains any element of personal identifying
information sufficient to allow identification of the
individual, such as the patient's name, address, electronic mail
address, telephone number, or social security number, or other
information that, alone or in combination with other publicly
available information, reveals the individual's identity. (Civ.
Code Sec. 56.05(g).)
Existing law provides that any provider of health care, health
care service plan, pharmaceutical company, or contractor who
negligently creates, maintains, preserves, stores, abandons,
destroys, or disposes of written or electronic medical records
shall be subject to damages in a civil action or an
administrative fine, as specified. (Civ. Code Sec. 56.101.)
Existing law provides that a plaintiff may bring an action
against any person or entity that negligently releases his or
her confidential information or records in violation of the
CMIA. Existing law provides, in addition to any other available
remedies, a plaintiff may receive as damages for a violation of
the CMIA both nominal damages of $1,000 and the amount of actual
damages. Existing law provides that any violation of the CMIA
that results in economic loss or personal injury to a patient is
punishable as a misdemeanor. (Civ. Code Sec. 56.36.)
This bill would, for the purpose of developing information for
inclusion in a California Health Care Cost and Quality Database,
require health care service plans and providers, as specified,
to provide the following information to the organization
administering the database:
Utilization data from the health care service plans' and
insurers' medical, dental, and pharmacy claims or encounters,
as specified; and
Pricing information for health care items, services, and
medical and surgical episodes of care gathered from allowed
�
SB 26 (Hernandez)
Page 4 of ?
charges for covered health care items and services or, in the
case of entities that do not use or produce individual claims,
price information that is the best possible proxy, so to allow
for meaningful comparisons of provider prices and treatment
costs.
This bill would direct the Secretary of California Health and
Human Services (Secretary) to contract with one or more
independent, nonprofit organizations in order to administer the
California Health Care Cost and Quality Database.
This bill would direct the Secretary to include as terms in the
contract, requirements that the database administrator:
develop methodologies for the collection, validation,
refinement, analysis, comparison, review, reporting, and
improvement of health care data; and
receive information from health care entities and report that
information in a form that allows valid comparisons across
care delivery systems.
This bill would direct the organization administering the
California Health Care Cost and Quality Database to receive,
process, maintain, and analyze information from data sources,
including, but not limited to, claims from private and public
payers, disease and chronic condition registries, third-party
surveys of quality and patient satisfaction, reviews by
licensing and accrediting bodies, and local and regional public
health data.
This bill would direct the organization administering the
California Health Care Cost and Quality Database to analyze,
among other things:
population-level data on prevention, screening, and wellness
utilization;
population-level data on behavioral and medical risk factors,
interventions, and outcomes;
population-level data on chronic conditions, management, and
outcomes;
population-level data on trends in utilization of procedures
for treatment of similar conditions to evaluate medical
appropriateness;
facility and physician organization risk adjusted performance
information on the quality, efficiency, and outcomes of care
that are aligned with national efforts, including, but not
�
SB 26 (Hernandez)
Page 5 of ?
limited to, those of the National Quality Forum, related to
defining cost and quality measures; and
data that permits consideration of socioeconomic status and
disparities in care due to race, ethnicity, gender, sexual
orientation, and gender identity.
This bill would direct the organization administering the
California Health Care Cost and Quality Database to make its
analyses publicly available via a web-based, searchable
database. This bill would specify that the information and
analysis included in the database shall be presented in a way
that facilitates comparisons of cost, quality, and satisfaction
across payers, provider organizations, and other suppliers of
health care services, and that the database shall be regularly
updated to reflect new data submissions.
This bill would direct the Secretary to include as terms in the
contract, a prohibition on using the data received during the
execution of the contract for any purpose not specified in this
bill or in the contract.
This bill would specify that all uses and disclosures of data
shall comply with all applicable state and federal laws for the
protection of the privacy and security of data, including, but
not limited to, the federal Health Insurance Portability and
Accountability Act of 1996 (Public Law 104-191) and the federal
Health Information Technology for Economic and Clinical Health
Act, Title XIII of the federal American Recovery and
Reinvestment Act of 2009 (Public Law 111-5), and implementing
regulations.
This bill would specify that all policies and protocols
developed in the performance of the contract shall ensure that
the privacy, security, and confidentiality of individually
identifiable health information is protected.
This bill would specify that the organization administering the
California Health Care Cost and Quality Database shall not
publicly disclose any unaggregated, individually identifiable
health information and shall develop a protocol for assessing
the risk of reidentification stemming from public disclosure of
any health information that is aggregated, individually
identifiable health information.
�
SB 26 (Hernandez)
Page 6 of ?
This bill would direct the Secretary of California Health and
Human Services shall convene a review committee, composed of a
broad spectrum of health care stakeholders and experts to
develop the parameters for the establishment, implementation,
and ongoing administration of the California Health Care Cost
and Quality Database.
COMMENT
1.Stated need for the bill
According to the author:
Although the [Affordable Care Act] was the most fundamental
legislative transformation of the US health care system in 40
years, and expanded coverage like no other program since the
creation of Medicare, it did little in the way to control
health care costs. Data show that the cost of health care has
been rising at a slower pace in the last few years, but health
care costs take up a growing portion of private and public
funds, and consumers continue to feel the financial burden of
health care costs. Changes in health care business practices
and advances in technology and pharmaceuticals will continue
to influence the price of health care in the future. According
to a 2013 Action Brief by the Catalyst for Payment Reform,
price information must be available to those who make
decisions or those who guide consumers in making decisions.
Several state and national transparency initiatives have
highlighted variation in health care costs based on geographic
differences. Factors that can contribute to variation can
include: market power and competition, payment methodology,
technology, patient mix, and cost-shifting. With the proper
data, purchasers, policymakers, and stakeholders can learn
more about price and payment differences.
This bill will help make available valid performance
information to encourage health care providers and facilities
to provide care that is safe, medically effective,
patient-centered, timely, efficient, affordable and equitable.
Additionally, it will put provider cost and performance
information into the hands of consumers and purchasers so that
�
SB 26 (Hernandez)
Page 7 of ?
they can understand their financial liability and realize the
best quality and value available to them.
2.Improving Healthcare Cost Transparency
According to the Kaiser Family Foundation:
Health care accounts for a remarkably large slice of the U.S.
economic pie. Each year health-related spending grows,
virtually always outpacing spending on other goods and
services, meaning that the size of that slice increases.
These cost increases have a significant effect on households,
businesses, and federal, state, and local governments. Among
other things, rising health care costs make health insurance
less affordable for individuals, families, and businesses; put
pressure on businesses that offer insurance coverage to their
employees; can be a major financial burden to families, even
those that have insurance; and can result in individuals not
receiving the health care services they need. For taxpayers,
government programs such as Medicare and Medicaid are major
parts of federal and state budgets, and increasing costs
require either additional revenue or reductions in benefits,
eligibility, or payment rates.
. . .
Health care investment and spending are influenced by federal
and state programs with differing payment systems, incentives,
and reimbursement levels; by numerous private health insurers,
each with their own payment policies and practices; and by
direct family payments for services that are covered or not
covered by public or private insurance. (Kaiser Family
Foundation, Health Care Costs: A Primer (May 2012)
[as of Apr. 25, 2015].)
This bill is intended to increase cost and quality transparency
in California's healthcare marketplace. According to United
Ways of California, this bill would:
make available to the public valid, timely, and comprehensive
health care performance information. Our coalition believes
that every child and family should have access to
high-quality, affordable, and safe health care. Currently,
families shopping for health insurance and selecting health
�
SB 26 (Hernandez)
Page 8 of ?
care providers have a difficult time assessing the quality and
value of the options available to them due to insufficient
information and a wide variety of options that can greatly
impact out-of-pocket spending. SB 26 would help address this
problem by requiring the construction of a web-based,
searchable database containing comprehensive health care cost,
quality, and satisfaction information that will be designed to
help families navigate the complex choices that they face . .
. New data will show utilization, risk factors, outcomes, and
disparities. The database will help provide the basis for
payers, providers, policymakers, advocates, and other
stakeholders to seek further changes to improve the quality,
efficiency, timeliness, and equity of California's health care
system.
3.Ensuring Confidentiality of Personal Information
California's Confidentiality of Medical Information Act
generally restricts the sharing or disclosure of a person's
medical information without first obtaining their written
consent. The act states that "a provider of health care, health
care service plan, or contractor shall not disclose medical
information regarding a patient of the provider of health care
or an enrollee or subscriber of a health care service plan
without first obtaining an authorization," unless a particular
exception allows the disclosure. (Civ. Code Sec. 56.10.) Some
exceptions that do not require prior authorization include when
information disclosure is "otherwise specifically required by
law" (Civ. Code Sec. 56.10(b)(9).), or when information is
"disclosed to a third party for purposes of encoding,
encrypting, or otherwise anonymizing data"(Civ. Code Sec.
56.10(c)(16).).
Without such an exception, any person or entity that wishes to
obtain medical information must first obtain a valid
authorization, which must be either handwritten by the person
who signs it or in a typeface no smaller than 14-point type; be
clearly separate from any other language present on the same
page and executed by a signature which serves no other purpose
than to execute the authorization; and be signed and dated by an
authorized person. Additionally, in order to be valid, an
authorization must also:
state the specific uses and limitations on the types of
medical information to be disclosed;
�
SB 26 (Hernandez)
Page 9 of ?
state the name or functions of the provider of health care,
health care service plan, pharmaceutical company, or
contractor that may disclose the medical information;
state the name or functions of the persons or entities
authorized to receive the medical information;
state the specific uses and limitations on the use of the
medical information by the persons or entities authorized to
receive the medical information;
state a specific date after which the provider of health care,
health care service plan, pharmaceutical company, or
contractor is no longer authorized to disclose the medical
information; and
advise the person signing the authorization of the right to
receive a copy of the authorization. (Civ. Code Sec. 56.11.)
Several stakeholders have raised concerns that, though they
support the goals of the bill, the new database may undermine
the confidentiality of sensitive medical information. The
Consumer Federation of California (CFC), for example, states:
CFC agrees that greater analysis and transparency of the cost,
quality and utilization of various health services will enable
healthcare consumers, purchasers and policymakers to contain
costs and make better treatment choices. However, the more
information is shared, the more opportunities exist for
sensitive personal medical information to fall into the wrong
hands . . . SB 26 is vague regarding which state privacy and
security laws will apply. SB 26 is silent regarding the
application of CMIA to the entity that the bill would empower
to gather and disseminate health care information. This lack
of specificity creates a concern that a court or a regulator
may find that CMIA, its definitions, its scope of coverage and
its enforcement regime, do not apply to this new entity, it
agents, employees and contractors. SB 26 should be amended to
explicitly apply CMIA to the entity that administers the new
California Health Care Cost and Quality Database, and to its
employees, agents and contractors.
To remove any ambiguity concerning the application of CMIA to
data collected, used, or disclosed by either the administrator
of the California Health Care Cost and Quality Database or any
other person acting pursuant to this bill, the author offers the
following amendment:
�
SB 26 (Hernandez)
Page 10 of ?
Author's Amendment :
On page 6, line 12, following "to," insert "the
Confidentiality of Medical Information Act (Civil Code Section
56 et seq.),"
Staff notes that this bill contains three other provisions that
help to ensure the confidentiality of medical information
collected, used, or disclosed in furtherance of establishing and
operating the California Health Care Cost and Quality Database.
First, this bill explicitly requires the Secretary of Health and
Human Services to include in the contract with the administrator
of the database a prohibition on using data received during the
execution of the contract for any other purpose. Second, the
bill requires that all policies and protocols developed in the
performance of the contract must ensure that the privacy,
security, and confidentiality of individually identifiable
health information is protected. Third, the bill requires the
organization administering the database to not publicly disclose
any unaggregated, individually identifiable health information,
and also to develop a protocol for assessing the risk of
reidentification of individually identifiable health information
stemming from public disclosure of any health information that
is aggregated.
1.Data Security
Stakeholders have also raised concerns regarding the
consequences of a data breach of the information collected or
stored by the administrator of the database. For example, the
American Civil Liberties Union (ACLU) states:
[W]e believe that if the state wishes to compile a database
containing such sensitive information, it should adopt the
most rigorous standards of security protection to ensure as
nearly as possible that this information is not compromised.
In addition, we believe SB 26 should be amended to explicitly
require appropriate notice and remedies for patients whose
information will inevitably be subject to data breaches. The
worthy goal of SB 26 is not inconsistent with the goal of
�
SB 26 (Hernandez)
Page 11 of ?
protecting personal medical information.
Under California's Data Breach Notification Law, the
administrator of this database, like any other agency, person,
or business that owns or licenses computerized data that
includes personal information, would be required to disclose a
breach of its security if unencrypted personal information was,
or is reasonably believed to have been, acquired by an
unauthorized person. The definition of "personal information"
in the Data Breach Notification Law includes both "medical
information" -- information regarding an individual's medical
history, mental or physical condition, or medical treatment or
diagnosis by a health care professional -- and "health insurance
information" -- an individual's health insurance policy number
or subscriber identification number, any unique identifier used
by a health insurer to identify the individual, or any
information in an individual's application and claims history,
including any appeals records. (Civ. Code Secs. 1798.29(h) and
1798.82(i).) If the database neither owns nor licenses the
breached data but instead maintains it on behalf of another, it
still would have an obligation to notify the owner or licensee
of the information of any security breach immediately following
discovery if personal information was, or is reasonably believed
to have been, acquired by an unauthorized person. (Civ. Code
Secs. 1798.29(b), 1798.82(b).) Additionally, the administrator
of this database, like any other business that owns, licenses,
or maintains personal information about California residents,
would have a duty under the Civil Code to implement and maintain
reasonable security procedures and practices appropriate to the
nature of the information, and to protect personal information
from unauthorized access, destruction, use, modification, or
disclosure. (Civ. Code Sec. 1798.81.5.) As noted in Comment 3,
this bill also contains specific data security safeguards to
ensure the confidentiality and integrity of medical information
collected or stored by the database.
To remove any ambiguity concerning the application of
California's Data Breach Notification Law to data collected or
stored by the administrator of the California Health Care Cost
and Quality Database, the author offers the following amendment:
Author's Amendment :
On page 6, line 12, following "to," insert "the Data Breach
�
SB 26 (Hernandez)
Page 12 of ?
Notification Law (Civil Code Sections 1798.29 et seq. and
1798.82 et seq.),"
2.Other Author's Amendments
The author states:
Consumer groups urge adding a greater focus on health equity
to the bill. They believe the databank can be a rich source
of actionable information to help reduce disparities, but only
if those goals are specified in the bill. Categories of data
elements they seek to have specified include race, ethnicity,
primary language spoken, and sexual orientation in order to
ensure these elements are gathered and to allow tracking
impacts. Integrating more explicit health equity provisions
for such data, they assert, would allow for mapping cost and
quality patterns regionally, and even by neighborhood, to make
the database a more accurate and meaningful tool for reducing
disparities and improving population health.
To address these concerns and add a greater focus on health
equity, the author offers the following amendments:
Author's Amendments :
On page 3, line 20, after "value" insert "and to minimize
health disparities"
On page 3, line 25, strike "enrollees." and insert "enrollees,
including recognizing the diversity of California and the
impact of social determinants of health."
On page 4, between lines 26 and 27, insert "Provide that the
database shall have the capacity to map to other datasets,
including public health data sets on morbidity and mortality,
including from the Centers for Disease Control as well the
Department of Public Health as well as other datasets with
data regarding the social determinants of health."
On page 5, line 12, strike "both of"
On page 5, between lines 38 and 39, insert "(C) Information
sufficient to determine the impacts of the social determinants
of health, including age, gender, race, ethnicity, limited
�
SB 26 (Hernandez)
Page 13 of ?
English proficiency, sexual orientation and gender identity,
zip code, and any other factors for which there is
peer-reviewed evidence."
On page 7, strike lines 25 through 29 and insert "(E) Facility
and physician organization risk adjusted performance measures
on the quality, efficiency, and outcomes of care that are
aligned with national efforts, including, but not limited to,
those of the National Quality Forum, related to defining cost
and quality measures. Measures shall be publicly reported
without risk adjustment for sociodemographic factors and shall
also be risk adjusted for sociodemographic factors, where the
peer-reviewed literature indicates an association between
health outcomes and a sociodemographic factor or factors."
On page 7, strike lines 30 through 32 and insert "(F) Data
that permits consideration of socioeconomic status and
disparities in care due to race, ethnicity, gender, limited
English proficiency, zip code, sexual orientation, and gender
identity and other factors for which there is peer-reviewed
evidence of a relationship between a social determinant of
health and health outcomes."
On page 8, between lines 34 and 35, insert "Reducing health
disparities and addressing the social determinants of health."
Support : AARP California; American Federation of State, County,
and Municipal Employees, AFL-CIO; California Coverage and Health
Initiatives; California Primary Care Association; California
Teacher's Association; Children's Defense Fund, California;
Children Now; Kaiser Permanente; National Multiple Sclerosis
Society; Professional and Technical Engineers, Local 21; United
Ways of California
Opposition : American Civil Liberties Union of California;
Consumer Federation of California; Privacy Rights Clearinghouse
HISTORY
Source : Author
�
SB 26 (Hernandez)
Page 14 of ?
Related Pending Legislation : None Known
Prior Legislation :
SB 1322 (Hernandez, 2014) was substantially similar to SB 26.
This bill was held on suspense in the Assembly Appropriations
Committee.
AB 1558 (Hernandez, 2014) would have requested the University of
California to establish the California Health Data Organization
to collect data from payers and establish an all-payer claims
database. This bill would have required certain private payers
to submit claims data to the organization on utilization,
payment, and cost sharing for services delivered to
beneficiaries, and would have requested the organization to
design and maintain an Internet Web site that allowed consumers
to compare the prices paid by payers for procedures. This bill
was held on suspense in the Senate Appropriations Committee.
SB 746 (Leno, 2013) would have required health care service
plans and insurers to disclose specified aggregate data for
products and for rate filings, as specified, in the large group
market on an annual basis. The bill also would have required a
health plan or health insurer that exclusively contracts with no
more than two medical groups in the state to provide claims or
other data to large group purchasers that request the data and
demonstrate the ability to comply with privacy laws, as
specified, and would have required the health care service plan
or health insurer to use only deidentified data in that
disclosure to protect the privacy rights of individuals. This
bill was vetoed by Governor Brown.
Prior Vote : Senate Health Committee (Ayes 7, Noes 0)
**************
�
SB 26 (Hernandez)
Page 15 of ?