BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Hannah-Beth Jackson, Chair
2015-2016 Regular Session
SB 1159 (Hernandez)
Version: March 28, 2016
Hearing Date: April 19, 2016
Fiscal: Yes
Urgency: No
TH
SUBJECT
California Health Care Cost and Quality Database
DESCRIPTION
This bill would require certain health care entities, including
health care service plans, to provide medical claims, cost, and
quality information to the Secretary of the California Health
and Human Services Agency solely for the purpose of developing
information for inclusion in a health care cost and quality
database. The bill would require all use and disclosure of data
obtained to comply with applicable state and federal laws for
the protection of the privacy and security of data, and would
prohibit the public disclosure of any unaggregated, individually
identifiable health information. This bill would also require
the Secretary to convene an advisory committee to, among other
things, develop parameters for implementing and administering a
health care cost and quality database.
BACKGROUND
The Health Insurance Portability and Accountability Act (HIPAA),
enacted in 1996, guarantees privacy protection for individuals
with regards to specific health information in the possession of
covered entities. (See Pub. L. 104-191, 110 Stat. 1936.)
Generally, protected health information (PHI) is any information
held by a covered entity that concerns health status, provision
of health care, or payment for health care that can be connected
to an individual. HIPAA privacy regulations require health care
providers and organizations to develop and follow procedures
that ensure the confidentiality and security of PHI when it is
transferred, received, handled, or shared. HIPAA further
requires reasonable efforts when using, disclosing, or
requesting PHI, to limit disclosure of that information to the
minimum amount necessary to accomplish the intended purpose.
The California Confidentiality of Medical Information Act (CMIA)
also protects PHI and restricts the disclosure of medical
information by health care providers and health care service
plans, as specified. Under existing law, a corporation
organized for the purpose of maintaining medical information in
order to make that information available to the patient, or a
provider at the request of the patient for purposes of diagnosis
or treatment, is deemed to be a provider of health care subject
to the requirements of the CMIA. The CMIA empowers adult
patients in California to keep
PHI confidential and decide whether and when to share that
information with others.
This bill would direct certain health care entities to provide
medical claims, cost, and quality information to the Secretary
of California Health and Human Services solely for the purpose
of developing information for inclusion in a health care cost
and quality database. This bill states that, through this
database, the Legislature intends to establish a system to
provide valid, timely, and comprehensive health care performance
information that is publicly available and can be used to
improve the safety, appropriateness, and medical effectiveness
of health care, and to provide care that is patient-centered,
timely, affordable, and equitable.
This bill was approved by the Senate Health Committee on April
6, 2016, by a vote of 8-0.
CHANGES TO EXISTING LAW
Existing law, the California Constitution, provides that all
people have inalienable rights, including the right to pursue
and obtain privacy. (Cal. Const., art. I, Sec. 1.)
Existing federal law, the Health Insurance Portability and
Accountability Act (HIPAA), specifies privacy protections for
patients' protected health information and generally provides
that a covered entity, as defined (health plan, health care
provider, and health care clearing house), may not use or
disclose protected health information except as specified or as
authorized by the patient in writing. (45 C.F.R. Sec. 164.500
et seq.)
Existing law prohibits, under the State Confidentiality of
Medical Information Act (CMIA), providers of health care, health
care service plans, or contractors, as defined, from sharing
medical information without a patient's written authorization,
subject to certain exceptions. (Civ. Code Sec. 56 et seq.)
Existing law defines "medical information" to mean any
individually identifiable information, in electronic or physical
form, in possession of or derived from a provider of health
care, health care service plan, pharmaceutical company, or
contractor regarding a patient's medical history, mental or
physical condition, or treatment. Existing law defines
"individually identifiable" to mean medical information that
includes or contains any element of personal identifying
information sufficient to allow identification of the
individual, such as the patient's name, address, electronic mail
address, telephone number, or social security number, or other
information that, alone or in combination with other publicly
available information, reveals the individual's identity. (Civ.
Code Sec. 56.05(g).)
Existing law provides that a provider of health care, health
care service plan, pharmaceutical company, or contractor who
negligently creates, maintains, preserves, stores, abandons,
destroys, or disposes of written or electronic medical records
shall be subject to damages in a civil action or an
administrative fine, as specified. (Civ. Code Sec. 56.101.)
Existing law provides that a plaintiff may bring an action
against any person or entity that negligently releases his or
her confidential information or records in violation of the
CMIA. Existing law provides, in addition to any other available
remedies, a plaintiff may receive as damages for a violation of
the CMIA both nominal damages of $1,000 and the amount of actual
damages. Existing law provides that any violation of the CMIA
that results in economic loss or personal injury to a patient is
punishable as a misdemeanor. (Civ. Code Sec. 56.36.)
This bill would, for the sole purpose of developing information
for inclusion in a health care cost and quality database,
require health care service plans and providers, as specified,
to provide the following information to the Secretary of the
California Health and Human Services Agency (Secretary):
- utilization data from the health care service plans' and
  insurers' medical, dental, and pharmacy claims or encounters,
  as specified;
- pricing information for health care items, services, and
  medical and surgical episodes of care gathered from allowed
  charges for covered health care items and services, or, in the
  case of entities that do not use or produce individual claims,
  price information that is the best possible proxy, so as to
  allow for meaningful comparisons of provider prices and
  treatment costs; and
- information sufficient to determine the impacts of social
  determinants of health, including age, gender, race,
  ethnicity, limited English proficiency, sexual orientation,
  gender identity, ZIP Code, and any other factors for which
  there is peer-reviewed evidence.
This bill would specify that all uses and disclosures of data
shall comply with all applicable state and federal laws for the
protection of the privacy and security of data, including, but
not limited to, the federal Health Insurance Portability and
Accountability Act of 1996 (Public Law 104-191), the federal
Health Information Technology for Economic and Clinical Health
Act, Title XIII of the federal American Recovery and
Reinvestment Act of 2009 (Public Law 111-5), and implementing
regulations, the State Confidentiality of Medical Information
Act (Civ. Code Sec. 56 et seq.), the Information Practices Act
of 1977 (Civ. Code Sec. 1798 et seq.), and the data breach
notification law (Civ. Code Sec. 1798.80 et seq.).
This bill would specify that all policies and protocols created
in the development of the database shall ensure that the
privacy, security, and confidentiality of individually
identifiable health information is protected.
This bill would specify that the Secretary shall not publicly
disclose any unaggregated, individually identifiable health
information and shall develop a protocol for assessing the risk
of reidentification stemming from public disclosure of any
health information that is aggregated, individually identifiable
health information.
This bill would direct the Secretary of California Health and
Human Services to convene an advisory committee composed of a
broad spectrum of health care stakeholders and experts to
develop the parameters for the establishment, implementation,
and ongoing administration of a health care cost and quality
database.
This bill would make related legislative findings and
declarations.
COMMENT
1. Stated need for the bill
According to the author:
While reports indicate that health care costs are increasing
at a slower pace in recent years, health care still accounts
for over 17 percent of the U.S. Gross Domestic Product and
health care costs continue to consume significantly large
percentages of federal, state and personal budgets. Whereas
most sectors keep pace with the overall economy, health care
continues to grow at higher rates than inflation. According to
a 2013 Health Care Almanac report on health care costs
published by the California Health Care Foundation (CHCF), the
average annual growth rate has declined since 1981 and has
remained flat over the last three years at a historic low of
3.9 percent. Health spending in 2011 was only slightly higher
than inflation. Annual average health care spending has been
in the single digits (as compared to double digits) for the
last two decades, influenced recently by the recession.
However, some provisions of the [Affordable Care Act] are
expected to cause a one-time spike in growth. According to a
May 2012 Primer published by the Kaiser Family Foundation, the
U.S. spends substantially more on health care than other
developed countries. In 2009, U.S. spending was 90 percent
higher than many other industrialized countries. Some
researchers believe the U.S. pays more for health care because
prices are higher, technology is more readily available, and
Americans have greater rates of chronic disease.
This bill will help make available valid performance
information to encourage health care providers and facilities
to provide care that is safe, medically effective,
patient-centered, timely, efficient, affordable and equitable.
Additionally, it will put provider cost and performance
information into the hands of consumers and purchasers so that
they can understand their financial liability and realize the
best quality and value available to them.
2. Improving Healthcare Cost Transparency
According to the Western Center on Law and Poverty:
Today it is incredibly difficult for health care consumers to
access clear, reliable information about the cost of a given
health care service or product, or the level of quality of
providers offering that care, and there is broad variation in
both cost and quality. While the Affordable [C]are Act has
been transformative in providing coverage to millions of
additional Californians who were previously uninsured,
consumers with commercial coverage still have grave concerns
with the affordability of health care. Many plans have
deductibles of more than $6,000 for individuals so health care
consumers are paying for a significant portion of their care
out-of-pocket. They need to be able to access trustworthy
cost information. In addition to allowing consumers to make
more informed decisions about both the cost and quality of the
care they are receiving, transparency of cost and quality data
also encourages improved quality of care and applies market
pressures on cost.
This bill is intended to increase cost and quality transparency
in California's healthcare marketplace. By requiring plans and
providers to submit cost, usage, and outcome data to the
Secretary of California Health and Human Services, this bill
would enable the Secretary to construct a statewide cost and
quality database that could equip consumers with comparative
cost and outcome data when choosing health care plans and
providers.
3. Ensuring Confidentiality of Personal Information
California's Confidentiality of Medical Information Act (CMIA)
generally restricts the sharing or disclosure of a person's
medical information without first obtaining their written
consent. The act states that "a provider of health care, health
care service plan, or contractor shall not disclose medical
information regarding a patient of the provider of health care
or an enrollee or subscriber of a health care service plan
without first obtaining an authorization," unless a particular
exception allows the disclosure. (Civ. Code Sec. 56.10.) Some
exceptions that do not require prior authorization include when
information disclosure is "otherwise specifically required by
law" (Civ. Code Sec. 56.10(b)(9)), or when information is
"disclosed to a third party for purposes of encoding,
encrypting, or otherwise anonymizing data" (Civ. Code Sec.
56.10(c)(16)).
Without such an exception, any person or entity that wishes to
obtain medical information must first obtain a valid
authorization, which must be either handwritten by the person
who signs it or in a typeface no smaller than 14-point type; be
clearly separate from any other language present on the same
page and executed by a signature which serves no other purpose
than to execute the authorization; and be signed and dated by an
authorized person. Additionally, in order to be valid, an
authorization must also:
- state the specific uses and limitations on the types of
  medical information to be disclosed;
- state the name or functions of the provider of health care,
  health care service plan, pharmaceutical company, or
  contractor that may disclose the medical information;
- state the name or functions of the persons or entities
  authorized to receive the medical information;
- state the specific uses and limitations on the use of the
  medical information by the persons or entities authorized to
  receive the medical information;
- state a specific date after which the provider of health care,
  health care service plan, pharmaceutical company, or
  contractor is no longer authorized to disclose the medical
  information; and
- advise the person signing the authorization of the right to
  receive a copy of the authorization. (Civ. Code Sec. 56.11.)
This bill explicitly states that the CMIA, in addition to other
privacy and data security laws, shall govern all uses and
disclosures of data made pursuant to the bill.
The American Civil Liberties Union, writing in opposition,
opines that the CMIA would not provide "privacy protections for
the medical data being analyzed because [the] Secretary of
California Health and Human Services and the database itself are
not covered entities under CMIA." Whether or not this statement
about the scope of entities covered by the CMIA is accurate, the
Secretary, as well as any data collected by him or her pursuant
to this bill, would be subject to restrictions in the
Information Practices Act of 1977, which, like the CMIA, limits
the disclosure of personal information held by governmental
agencies in order to protect the privacy of affected
individuals.
In general, the Information Practices Act prohibits the
disclosure of personal information to another party without
first obtaining the permission of the affected individual. In
certain circumstances, disclosure may be authorized without such
permission when, as here, the information may be necessary for
an agency "to perform its constitutional or statutory duties."
(Civ. Code Sec. 1798.24.) Even when permission from an affected
individual is not obtained, the Information Practices Act
requires governmental agencies to "establish appropriate and
reasonable administrative, technical, and physical safeguards to
ensure compliance with the [act], to ensure the security and
confidentiality of records, and to protect against anticipated
threats or hazards to their security or integrity which could
result in any injury." (Civ. Code Sec. 1798.21.) Consequently,
whether or not the CMIA applies to information obtained by the
Secretary pursuant to this bill, he or she would nonetheless be
duty bound to protect the confidentiality of that information
under the Information Practices Act, and would be legally
required to limit any disclosure of those records as required by
the act, whether to the public in the form of a healthcare cost
and quality database, or privately within the Health and Human
Services Agency.
4. Data Security
The American Civil Liberties Union (ACLU), in opposition,
states, "[i]f the state wishes to compile a database containing
such sensitive [health] information, it should adopt the most
rigorous standards of security protection to ensure as nearly as
possible that this information is not compromised," and requests
that the bill require information collected for, or contained
within, a health care cost and quality database to be encrypted.
As noted above, the Information Practices Act already requires
state agencies to protect personal information, including health
information, in their possession with "reasonable
administrative, technical, and physical safeguards." (Civ. Code
Sec. 1798.21.) To date, the Legislature has not explicitly
required data encryption to be one of those safeguards. When
the Legislature amended the Information Practices Act in 2002 to
create California's data breach notification law (SB 1386,
Peace, Ch. 915, Stats. 2002), it included a safe harbor that
generally exempted the exposure of encrypted personal
information from the law's notification provisions. The
inclusion of an encryption safe harbor was meant to incentivize
organizations to encrypt personal information under their
control.
However, recent data breaches have revealed instances where
encrypted information was breached along with the encryption
key. For example, the ride-hailing company Uber reported in
late 2014 that "[t]housands of Uber driver names and driver's
license numbers may be in the hands of an unauthorized third
party due to a data breach," and that "one of its many databases
could have potentially been accessed because one of the
encryption keys required to unlock it had been compromised."
(Tracey Lien, Uber Security Breach May Have Affected up to
50,000 Drivers, Los Angeles Times (Feb. 27, 2015)
[as of Apr. 10, 2016].) In breaches
such as this where an encryption key is taken along with
encrypted information, the compromised information has lost the
effectiveness of its encryption protection.
While it may be beyond the scope of this bill, the Committee may
wish to consider the data breach notification law's encryption
safe harbor and how best to address the problem of compromised
encryption keys in future legislation.
5. Other Stakeholder Concerns
A number of stakeholders not officially supporting or opposing
this bill have raised concerns about the advisory committee this
bill would establish to help develop parameters for the
creation, implementation, and ongoing administration of a health
care cost and quality database. Representative of these
concerns, the Service Employees International Union, California
State Council (SEIU), writes:
[This bill] as currently drafted would grant the Secretary of
the California Health and Human Services Agency with the sole
discretion to act unilaterally in the formation of the
database with guidance from a multi-stakeholder review
committee which would include plans, providers, purchasers . .
. and consumers. Past health care transparency efforts in
California have shown that influence by the industry groups
over the analysis and use of provider-specific performance
information results in far more limited data analysis and
reporting than is needed or desired, and could greatly limit
the value of the state's investment in a cost and quality
database. . . . SEIU would like to see SB 1159 amended to
include a more robust public governance structure which brings
consumers, labor, and purchasers together with the state to
oversee the rules and administration of the database informed
by recommendations and input from a separate group of those
entities required to submit data to the database.
Stakeholders also raise concerns with a provision of the bill
excluding confidentially negotiated contract terms and
proprietary contract information from disclosure. Also
representative of these concerns, SEIU writes:
As currently drafted, SB 1159 would protect confidentially
negotiated contract terms, which includes prices, between
commercial health plans and providers. SEIU believes that
this protection of prices is unnecessary and should be removed
to ensure that health care purchasers and consumers can access
information on the prices paid for health care services.
Support: AARP California; California Association of Physician
Groups; California Pan-Ethnic Health Network; League of
California Cities; National Multiple Sclerosis Society; Western
Center on Law and Poverty
Opposition: American Civil Liberties Union of California;
Consumer Federation of California
HISTORY
Source: Author
Related Pending Legislation: None Known
Prior Legislation:
SB 26 (Hernandez, 2015) would have required the Secretary of
Health and Human Services to enter into a contract with one or
more independent, nonprofit organizations to develop and
administer the California Health Care Cost and Quality Database.
This bill would have required certain health care entities,
including health care service plans, to provide medical claims,
cost, and quality information to the California Health Care Cost
and Quality Database in order to create a publicly available
web-based, searchable database. This bill would have required
all data disclosures involving the database to comply with
applicable state and federal laws for the protection of the
privacy and security of data, and would have prohibited public
disclosure of any unaggregated, individually identifiable health
information. This bill was held on suspense in the Senate
Appropriations Committee.
SB 1322 (Hernandez, 2014) was substantially similar to SB 26
(Hernandez, 2015). This bill was held on suspense in the
Assembly Appropriations Committee.
AB 1558 (Hernandez, 2014) would have requested the University of
California to establish the California Health Data Organization
to collect data from payers and establish an all-payer claims
database. This bill would have required certain private payers
to submit claims data to the organization on utilization,
payment, and cost sharing for services delivered to
beneficiaries, and would have requested the organization to
design and maintain an Internet Web site that allowed consumers
to compare the prices paid by payers for procedures. This bill
was held on suspense in the Senate Appropriations Committee.
SB 746 (Leno, 2013) would have required health care service
plans and insurers to disclose specified aggregate data for
products and for rate filings, as specified, in the large group
market on an annual basis. The bill also would have required a
health plan or health insurer that exclusively contracts with no
more than two medical groups in the state to provide claims or
other data to large group purchasers that request the data and
demonstrate the ability to comply with privacy laws, as
specified, and would have required the health care service plan
or health insurer to use only deidentified data in that
disclosure to protect the privacy rights of individuals. This
bill was vetoed by Governor Brown.
Prior Vote: Senate Health Committee (Ayes 8, Noes 0)