BILL ANALYSIS                                                                                                                                                                                                    



                             SENATE JUDICIARY COMMITTEE
                         Senator Hannah-Beth Jackson, Chair
                            2015 - 2016  Regular  Session


          SB 26 (Hernandez)
          Version: December 1, 2014
          Hearing Date: April 28, 2015
          Fiscal: Yes
          Urgency: No
          TH   
                    

                                        SUBJECT
                                           
                  California Health Care Cost and Quality Database

                                      DESCRIPTION  

          This bill would require the Secretary of California Health and  
          Human Services to enter into a contract with one or more  
          independent, nonprofit organizations to develop and administer  
          the California Health Care Cost and Quality Database.  The bill  
          would require certain health care entities, including health  
          care service plans, to provide medical claims, cost, and quality  
          information to the California Health Care Cost and Quality  
          Database in order to create a publicly available web-based,  
          searchable database.  The bill would require all data  
          disclosures to comply with all applicable state and federal laws  
          for the protection of the privacy and security of data and would  
          prohibit the public disclosure of any unaggregated, individually  
          identifiable health information.  This bill would also require  
          the Secretary to convene a review committee to, among other  
          things, develop the parameters for implementing and  
          administering the California Health Care Cost and Quality  
          Database.

                                      BACKGROUND  

          The Health Insurance Portability and Accountability Act (HIPAA),  
          enacted in 1996, guarantees privacy protection for individuals  
          with regards to specific health information (Pub.L. 104-191, 110  
          Stat. 1936).  Generally, protected health information (PHI) is  
          any information held by a covered entity that concerns health  
          status, provision of health care, or payment for health care  
          that can be connected to an individual. HIPAA privacy  
          regulations require health care providers and organizations to  
          develop and follow procedures that ensure the confidentiality  
          and security of PHI when it is transferred, received, handled,  







          SB 26 (Hernandez)
          Page 2 of ? 


          or shared.  HIPAA further requires reasonable efforts when  
          using, disclosing, or requesting PHI, to limit disclosure of  
          that information to the minimum amount necessary to accomplish  
          the intended purpose.

          The California Confidentiality of Medical Information Act (CMIA)  
          also protects PHI and restricts the disclosure of medical  
          information by health care providers, and health care service  
          plans, as specified.  Under existing law, a corporation  
          organized for the purpose of maintaining medical information in  
          order to make that information available to the patient, or a  
          provider at the request of the patient for purposes of diagnosis  
          or treatment, is deemed to be a provider of health care subject  
          to the requirements of the CMIA.  The CMIA empowers adult  
          patients in California to keep PHI confidential and decide  
          whether and when to share that information with others.

          This bill would create a new publicly available statewide health  
          care cost and quality database, and would authorize the entity  
          administering the database to collect and analyze PHI and other  
          medical claims, cost, and quality information, in order to  
          provide consumers with comparative medical pricing and quality  
          information.

                                CHANGES TO EXISTING LAW
           
           Existing law  , the California Constitution, provides that all  
          people have inalienable rights, including the right to pursue  
          and obtain privacy.  (Cal. Const, Art. I, Sec. 1.)

           Existing federal law  , the Health Insurance Portability and  
          Accountability Act (HIPAA), specifies privacy protections for  
          patients' protected health information and generally provides  
          that a covered entity, as defined (health plan, health care  
          provider, and health care clearing house), may not use or  
          disclose protected health information except as specified or as  
          authorized by the patient in writing.  (45 C.F.R. Sec. 164.500  
          et seq.) 

           Existing law  prohibits, under the State Confidentiality of  
          Medical Information Act (CMIA), providers of health care, health  
          care service plans, or contractors, as defined, from sharing  
          medical information without a patient's written authorization,  
          subject to certain exceptions. (Civ. Code Sec. 56 et seq.) 








          SB 26 (Hernandez)
          Page 3 of ? 



           Existing law  defines "medical information" to mean any  
          individually identifiable information, in electronic or physical  
          form, in possession of or derived from a provider of health  
          care, health care service plan, pharmaceutical company, or  
          contractor regarding a patient's medical history, mental or  
          physical condition, or treatment.  Existing law defines  
          "individually identifiable" to mean that the medical information  
          includes or contains any element of personal identifying  
          information sufficient to allow identification of the  
          individual, such as the patient's name, address, electronic mail  
          address, telephone number, or social security number, or other  
          information that, alone or in combination with other publicly  
          available information, reveals the individual's identity.  (Civ.  
          Code Sec. 56.05(g).)

           Existing law  provides that any provider of health care, health  
          care service plan, pharmaceutical company, or contractor who  
          negligently creates, maintains, preserves, stores, abandons,  
          destroys, or disposes of written or electronic medical records  
          shall be subject to damages in a civil action or an  
          administrative fine, as specified.  (Civ. Code Sec. 56.101.)
           
          Existing law  provides that a plaintiff may bring an action  
          against any person or entity that negligently releases his or  
          her confidential information or records in violation of the  
          CMIA.  Existing law provides, in addition to any other available  
          remedies, a plaintiff may receive as damages for a violation of  
          the CMIA both nominal damages of $1,000 and the amount of actual  
          damages.  Existing law provides that any violation of the CMIA  
          that results in economic loss or personal injury to a patient is  
          punishable as a misdemeanor. (Civ. Code Sec. 56.36.)


           This bill  would, for the purpose of developing information for  
          inclusion in a California Health Care Cost and Quality Database,  
          require health care service plans and providers, as specified,  
          to provide the following information to the organization  
          administering the database:
           Utilization data from the health care service plans' and  
            insurers' medical, dental, and pharmacy claims or encounters,  
            as specified; and 
           Pricing information for health care items, services, and  
            medical and surgical episodes of care gathered from allowed  








          SB 26 (Hernandez)
          Page 4 of ? 


            charges for covered health care items and services or, in the  
            case of entities that do not use or produce individual claims,  
            price information that is the best possible proxy, so to allow  
            for meaningful comparisons of provider prices and treatment  
            costs.

           This bill  would direct the Secretary of California Health and  
          Human Services (Secretary) to contract with one or more  
          independent, nonprofit organizations in order to administer the  
          California Health Care Cost and Quality Database.

           This bill  would direct the Secretary to include as terms in the  
          contract, requirements that the database administrator:
           develop methodologies for the collection, validation,  
            refinement, analysis, comparison, review, reporting, and  
            improvement of health care data; and
           receive information from health care entities and report that  
            information in a form that allows valid comparisons across  
            care delivery systems.

           This bill  would direct the organization administering the  
          California Health Care Cost and Quality Database to receive,  
          process, maintain, and analyze information from data sources,  
          including, but not limited to, claims from private and public  
          payers, disease and chronic condition registries, third-party  
          surveys of quality and patient satisfaction, reviews by  
          licensing and accrediting bodies, and local and regional public  
          health data.

           This bill  would direct the organization administering the  
          California Health Care Cost and Quality Database to analyze,  
          among other things:
           population-level data on prevention, screening, and wellness  
            utilization;
           population-level data on behavioral and medical risk factors,  
            interventions, and outcomes;
           population-level data on chronic conditions, management, and  
            outcomes;
           population-level data on trends in utilization of procedures  
            for treatment of similar conditions to evaluate medical  
            appropriateness;
           facility and physician organization risk adjusted performance  
            information on the quality, efficiency, and outcomes of care  
            that are aligned with national efforts, including, but not  








          SB 26 (Hernandez)
          Page 5 of ? 


            limited to, those of the National Quality Forum, related to  
            defining cost and quality measures; and
           data that permits consideration of socioeconomic status and  
            disparities in care due to race, ethnicity, gender, sexual  
            orientation, and gender identity.

           This bill  would direct the organization administering the  
          California Health Care Cost and Quality Database to make its  
          analyses publicly available via a web-based, searchable  
          database.  This bill would specify that the information and  
          analysis included in the database shall be presented in a way  
          that facilitates comparisons of cost, quality, and satisfaction  
          across payers, provider organizations, and other suppliers of  
          health care services, and that the database shall be regularly  
          updated to reflect new data submissions.

           This bill  would direct the Secretary to include as terms in the  
          contract, a prohibition on using the data received during the  
          execution of the contract for any purpose not specified in this  
          bill or in the contract.

           This bill  would specify that all uses and disclosures of data  
          shall comply with all applicable state and federal laws for the  
          protection of the privacy and security of data, including, but  
          not limited to, the federal Health Insurance Portability and  
          Accountability Act of 1996 (Public Law 104-191) and the federal  
          Health Information Technology for Economic and Clinical Health  
          Act, Title XIII of the federal American Recovery and  
          Reinvestment Act of 2009 (Public Law 111-5), and implementing  
          regulations.

           This bill  would specify that all policies and protocols  
          developed in the performance of the contract shall ensure that  
          the privacy, security, and confidentiality of individually  
          identifiable health information is protected.

           This bill  would specify that the organization administering the  
          California Health Care Cost and Quality Database shall not  
          publicly disclose any unaggregated, individually identifiable  
          health information and shall develop a protocol for assessing  
          the risk of reidentification stemming from public disclosure of  
          any health information that is aggregated, individually  
          identifiable health information.









          SB 26 (Hernandez)
          Page 6 of ? 


           This bill  would direct the Secretary of California Health and  
          Human Services shall convene a review committee, composed of a  
          broad spectrum of health care stakeholders and experts to  
          develop the parameters for the establishment, implementation,  
          and ongoing administration of the California Health Care Cost  
          and Quality Database.




                                        COMMENT
           
           1.Stated need for the bill
           
          According to the author:

            Although the [Affordable Care Act] was the most fundamental  
            legislative transformation of the US health care system in 40  
            years, and expanded coverage like no other program since the  
            creation of Medicare, it did little in the way to control  
            health care costs.  Data show that the cost of health care has  
            been rising at a slower pace in the last few years, but health  
            care costs take up a growing portion of private and public  
            funds, and consumers continue to feel the financial burden of  
            health care costs.  Changes in health care business practices  
            and advances in technology and pharmaceuticals will continue  
            to influence the price of health care in the future. According  
            to a 2013 Action Brief by the Catalyst for Payment Reform,  
            price information must be available to those who make  
            decisions or those who guide consumers in making decisions.   
            Several state and national transparency initiatives have  
            highlighted variation in health care costs based on geographic  
            differences. Factors that can contribute to variation can  
            include: market power and competition, payment methodology,  
            technology, patient mix, and cost-shifting.  With the proper  
            data, purchasers, policymakers, and stakeholders can learn  
            more about price and payment differences.

            This bill will help make available valid performance  
            information to encourage health care providers and facilities  
            to provide care that is safe, medically effective,  
            patient-centered, timely, efficient, affordable and equitable.  
             Additionally, it will put provider cost and performance  
            information into the hands of consumers and purchasers so that  








          SB 26 (Hernandez)
          Page 7 of ? 


            they can understand their financial liability and realize the  
            best quality and value available to them.

           2.Improving Healthcare Cost Transparency
           
          According to the Kaiser Family Foundation: 

            Health care accounts for a remarkably large slice of the U.S.  
            economic pie.  Each year health-related spending grows,  
            virtually always outpacing spending on other goods and  
            services, meaning that the size of that slice increases.    
            These cost increases have a significant effect on households,  
            businesses, and federal, state, and local governments.  Among  
            other things, rising health care costs make health insurance  
            less affordable for individuals, families, and businesses; put  
            pressure on businesses that offer insurance coverage to their  
            employees; can be a major financial burden to families, even  
            those that have insurance; and can result in individuals not  
            receiving the health care services they need.  For taxpayers,  
            government programs such as Medicare and Medicaid are major  
            parts of federal and state budgets, and increasing costs  
            require either additional revenue or reductions in benefits,  
            eligibility, or payment rates.
            . . . 

            Health care investment and spending are influenced by federal  
            and state programs with differing payment systems, incentives,  
            and reimbursement levels; by numerous private health insurers,  
            each with their own payment policies and practices; and by  
            direct family payments for services that are covered or not  
            covered by public or private insurance.  (Kaiser Family  
            Foundation, Health Care Costs: A Primer (May 2012)  
            [as of Apr. 25, 2015].)

          This bill is intended to increase cost and quality transparency  
          in California's healthcare marketplace.  According to United  
          Ways of California, this bill would:

            make available to the public valid, timely, and comprehensive  
            health care performance information.  Our coalition believes  
            that every child and family should have access to  
            high-quality, affordable, and safe health care.  Currently,  
            families shopping for health insurance and selecting health  








          SB 26 (Hernandez)
          Page 8 of ? 


            care providers have a difficult time assessing the quality and  
            value of the options available to them due to insufficient  
            information and a wide variety of options that can greatly  
            impact out-of-pocket spending.  SB 26 would help address this  
            problem by requiring the construction of a web-based,  
            searchable database containing comprehensive health care cost,  
            quality, and satisfaction information that will be designed to  
            help families navigate the complex choices that they face . .  
            . New data will show utilization, risk factors, outcomes, and  
            disparities.  The database will help provide the basis for  
            payers, providers, policymakers, advocates, and other  
            stakeholders to seek further changes to improve the quality,  
            efficiency, timeliness, and equity of California's health care  
            system.

           3.Ensuring Confidentiality of Personal Information 
           
          California's Confidentiality of Medical Information Act  
          generally restricts the sharing or disclosure of a person's  
          medical information without first obtaining their written  
          consent. The act states that "a provider of health care, health  
          care service plan, or contractor shall not disclose medical  
          information regarding a patient of the provider of health care  
          or an enrollee or subscriber of a health care service plan  
          without first obtaining an authorization," unless a particular  
          exception allows the disclosure.  (Civ. Code Sec. 56.10.)  Some  
          exceptions that do not require prior authorization include when  
          information disclosure is "otherwise specifically required by  
          law" (Civ. Code Sec. 56.10(b)(9).), or when information is  
          "disclosed to a third party for purposes of encoding,  
          encrypting, or otherwise anonymizing data"(Civ. Code Sec.  
          56.10(c)(16).).

          Without such an exception, any person or entity that wishes to  
          obtain medical information must first obtain a valid  
          authorization, which must be either handwritten by the person  
          who signs it or in a typeface no smaller than 14-point type; be  
          clearly separate from any other language present on the same  
          page and executed by a signature which serves no other purpose  
          than to execute the authorization; and be signed and dated by an  
          authorized person.  Additionally, in order to be valid, an  
          authorization must also:
           state the specific uses and limitations on the types of  
            medical information to be disclosed;








          SB 26 (Hernandez)
          Page 9 of ? 


           state the name or functions of the provider of health care,  
            health care service plan, pharmaceutical company, or  
            contractor that may disclose the medical information;
           state the name or functions of the persons or entities  
            authorized to receive the medical information;
           state the specific uses and limitations on the use of the  
            medical information by the persons or entities authorized to  
            receive the medical information;
           state a specific date after which the provider of health care,  
            health care service plan, pharmaceutical company, or  
            contractor is no longer authorized to disclose the medical  
            information; and
           advise the person signing the authorization of the right to  
            receive a copy of the authorization.  (Civ. Code Sec. 56.11.)   


          Several stakeholders have raised concerns that, though they  
          support the goals of the bill, the new database may undermine  
          the confidentiality of sensitive medical information.  The  
          Consumer Federation of California (CFC), for example, states:

            CFC agrees that greater analysis and transparency of the cost,  
            quality and utilization of various health services will enable  
            healthcare consumers, purchasers and policymakers to contain  
            costs and make better treatment choices.  However, the more  
            information is shared, the more opportunities exist for  
            sensitive personal medical information to fall into the wrong  
            hands . . . SB 26 is vague regarding which state privacy and  
            security laws will apply.  SB 26 is silent regarding the  
            application of CMIA to the entity that the bill would empower  
            to gather and disseminate health care information.  This lack  
            of specificity creates a concern that a court or a regulator  
            may find that CMIA, its definitions, its scope of coverage and  
            its enforcement regime, do not apply to this new entity, it  
            agents, employees and contractors.  SB 26 should be amended to  
            explicitly apply CMIA to the entity that administers the new  
            California Health Care Cost and Quality Database, and to its  
            employees, agents and contractors.

          To remove any ambiguity concerning the application of CMIA to  
          data collected, used, or disclosed by either the administrator  
          of the California Health Care Cost and Quality Database or any  
          other person acting pursuant to this bill, the author offers the  
          following amendment:








          SB 26 (Hernandez)
          Page 10 of ? 






             Author's Amendment  :

            On page 6, line 12, following "to," insert "the  
            Confidentiality of Medical Information Act (Civil Code Section  
            56 et seq.),"

          Staff notes that this bill contains three other provisions that  
          help to ensure the confidentiality of medical information  
          collected, used, or disclosed in furtherance of establishing and  
          operating the California Health Care Cost and Quality Database.   
          First, this bill explicitly requires the Secretary of Health and  
          Human Services to include in the contract with the administrator  
          of the database a prohibition on using data received during the  
          execution of the contract for any other purpose.  Second, the  
          bill requires that all policies and protocols developed in the  
          performance of the contract must ensure that the privacy,  
          security, and confidentiality of individually identifiable  
          health information is protected.  Third, the bill requires the  
          organization administering the database to not publicly disclose  
          any unaggregated, individually identifiable health information,  
          and also to develop a protocol for assessing the risk of  
          reidentification of individually identifiable health information  
          stemming from public disclosure of any health information that  
          is aggregated.

           1.Data Security 
           
          Stakeholders have also raised concerns regarding the  
          consequences of a data breach of the information collected or  
          stored by the administrator of the database.  For example, the  
          American Civil Liberties Union (ACLU) states:

            [W]e believe that if the state wishes to compile a database  
            containing such sensitive information, it should adopt the  
            most rigorous standards of security protection to ensure as  
            nearly as possible that this information is not compromised.   
            In addition, we believe SB 26 should be amended to explicitly  
            require appropriate notice and remedies for patients whose  
            information will inevitably be subject to data breaches.  The  
            worthy goal of SB 26 is not inconsistent with the goal of  








          SB 26 (Hernandez)
                     Page 11 of ? 


            protecting personal medical information.

          Under California's Data Breach Notification Law, the  
          administrator of this database, like any other agency, person,  
          or business that owns or licenses computerized data that  
          includes personal information, would be required to disclose a  
          breach of its security if unencrypted personal information was,  
          or is reasonably believed to have been, acquired by an  
          unauthorized person.  The definition of "personal information"  
          in the Data Breach Notification Law includes both "medical  
          information" -- information regarding an individual's medical  
          history, mental or physical condition, or medical treatment or  
          diagnosis by a health care professional -- and "health insurance  
          information" -- an individual's health insurance policy number  
          or subscriber identification number, any unique identifier used  
          by a health insurer to identify the individual, or any  
          information in an individual's application and claims history,  
          including any appeals records.  (Civ. Code Secs. 1798.29(h) and  
          1798.82(i).)  If the database neither owns nor licenses the  
          breached data but instead maintains it on behalf of another, it  
          still would have an obligation to notify the owner or licensee  
          of the information of any security breach immediately following  
          discovery if personal information was, or is reasonably believed  
          to have been, acquired by an unauthorized person.  (Civ. Code  
          Secs. 1798.29(b), 1798.82(b).)  Additionally, the administrator  
          of this database, like any other business that owns, licenses,  
          or maintains personal information about California residents,  
          would have a duty under the Civil Code to implement and maintain  
          reasonable security procedures and practices appropriate to the  
          nature of the information, and to protect personal information  
          from unauthorized access, destruction, use, modification, or  
          disclosure.  (Civ. Code Sec. 1798.81.5.)  As noted in Comment 3,  
          this bill also contains specific data security safeguards to  
          ensure the confidentiality and integrity of medical information  
          collected or stored by the database.

          To remove any ambiguity concerning the application of  
          California's Data Breach Notification Law to data collected or  
          stored by the administrator of the California Health Care Cost  
          and Quality Database, the author offers the following amendment:

             Author's Amendment  :

            On page 6, line 12, following "to," insert "the Data Breach  








          SB 26 (Hernandez)
          Page 12 of ? 


            Notification Law (Civil Code Sections 1798.29 et seq. and  
            1798.82 et seq.),"

           2.Other Author's Amendments
           
          The author states:

            Consumer groups urge adding a greater focus on health equity  
            to the bill.  They believe the databank can be a rich source  
            of actionable information to help reduce disparities, but only  
            if those goals are specified in the bill.  Categories of data  
            elements they seek to have specified include race, ethnicity,  
            primary language spoken, and sexual orientation in order to  
            ensure these elements are gathered and to allow tracking  
            impacts.  Integrating more explicit health equity provisions  
            for such data, they assert, would allow for mapping cost and  
            quality patterns regionally, and even by neighborhood, to make  
            the database a more accurate and meaningful tool for reducing  
            disparities and improving population health.

          To address these concerns and add a greater focus on health  
          equity, the author offers the following amendments:

             Author's Amendments  :

            On page 3, line 20, after "value" insert "and to minimize  
            health disparities"

            On page 3, line 25, strike "enrollees." and insert "enrollees,  
            including recognizing the diversity of California and the  
            impact of social determinants of health."

            On page 4, between lines 26 and 27, insert "Provide that the  
            database shall have the capacity to map to other datasets,  
            including public health data sets on morbidity and mortality,  
            including from the Centers for Disease Control as well the  
            Department of Public Health as well as other datasets with  
            data regarding the social determinants of health."

            On page 5, line 12, strike "both of"

            On page 5, between lines 38 and 39, insert "(C) Information  
            sufficient to determine the impacts of the social determinants  
            of health, including age, gender, race, ethnicity, limited  








          SB 26 (Hernandez)
          Page 13 of ? 


            English proficiency, sexual orientation and gender identity,  
            zip code, and any other factors for which there is  
            peer-reviewed evidence."

            On page 7, strike lines 25 through 29 and insert "(E) Facility  
            and physician organization risk adjusted performance measures  
            on the quality, efficiency, and outcomes of care that are  
            aligned with national efforts, including, but not limited to,  
            those of the National Quality Forum, related to defining cost  
            and quality measures.  Measures shall be publicly reported  
            without risk adjustment for sociodemographic factors and shall  
            also be risk adjusted for sociodemographic factors, where the  
            peer-reviewed literature indicates an association between  
            health outcomes and a sociodemographic factor or factors."

            On page 7, strike lines 30 through 32 and insert "(F) Data  
            that permits consideration of socioeconomic status and  
            disparities in care due to race, ethnicity, gender, limited  
            English proficiency, zip code, sexual orientation, and gender  
            identity and other factors for which there is peer-reviewed  
            evidence of a relationship between a social determinant of  
            health and health outcomes."

            On page 8, between lines 34 and 35, insert "Reducing health  
            disparities and addressing the social determinants of health."


           Support  :  AARP California; American Federation of State, County,  
          and Municipal Employees, AFL-CIO; California Coverage and Health  
          Initiatives; California Primary Care Association; California  
          Teacher's Association; Children's Defense Fund, California;  
          Children Now; Kaiser Permanente; National Multiple Sclerosis  
          Society; Professional and Technical Engineers, Local 21; United  
          Ways of California

           Opposition  :  American Civil Liberties Union of California;  
          Consumer Federation of California; Privacy Rights Clearinghouse




                                        HISTORY
           
           Source  :  Author








          SB 26 (Hernandez)
          Page 14 of ? 



           Related Pending Legislation  :  None Known

           Prior Legislation  :

          SB 1322 (Hernandez, 2014) was substantially similar to SB 26.   
          This bill was held on suspense in the Assembly Appropriations  
          Committee.

          AB 1558 (Hernandez, 2014) would have requested the University of  
          California to establish the California Health Data Organization  
          to collect data from payers and establish an all-payer claims  
          database.  This bill would have required certain private payers  
          to submit claims data to the organization on utilization,  
          payment, and cost sharing for services delivered to  
          beneficiaries, and would have requested the organization to  
          design and maintain an Internet Web site that allowed consumers  
          to compare the prices paid by payers for procedures.  This bill  
          was held on suspense in the Senate Appropriations Committee.

          SB 746 (Leno, 2013) would have required health care service  
          plans and insurers to disclose specified aggregate data for  
          products and for rate filings, as specified, in the large group  
          market on an annual basis.  The bill also would have required a  
          health plan or health insurer that exclusively contracts with no  
          more than two medical groups in the state to provide claims or  
          other data to large group purchasers that request the data and  
          demonstrate the ability to comply with privacy laws, as  
          specified, and would have required the health care service plan  
          or health insurer to use only deidentified data in that  
          disclosure to protect the privacy rights of individuals.  This  
          bill was vetoed by Governor Brown.

           Prior Vote  :  Senate Health Committee (Ayes 7, Noes 0)

                                   **************
                                          















          SB 26 (Hernandez)
          Page 15 of ?