BILL ANALYSIS





                             SENATE JUDICIARY COMMITTEE
                         Senator Hannah-Beth Jackson, Chair
                             2015-2016  Regular  Session


          SB 1159 (Hernandez)
          Version: March 28, 2016
          Hearing Date: April 19, 2016
          Fiscal: Yes
          Urgency: No
          TH   


                                        SUBJECT
                                           
                  California Health Care Cost and Quality Database

                                      DESCRIPTION  

          This bill would require certain health care entities, including  
          health care service plans, to provide medical claims, cost, and  
          quality information to the Secretary of the California Health  
          and Human Services Agency solely for the purpose of developing  
          information for inclusion in a health care cost and quality  
          database.  The bill would require all use and disclosure of data  
          obtained to comply with applicable state and federal laws for  
          the protection of the privacy and security of data, and would  
          prohibit the public disclosure of any unaggregated, individually  
          identifiable health information.  This bill would also require  
          the Secretary to convene an advisory committee to, among other  
          things, develop parameters for implementing and administering a  
          health care cost and quality database.

                                      BACKGROUND  

          The Health Insurance Portability and Accountability Act (HIPAA),  
          enacted in 1996, guarantees privacy protection for individuals  
          with regard to specific health information in the possession of  
          covered entities.  (See Pub. L. 104-191, 110 Stat. 1936.)   
          Generally, protected health information (PHI) is any information  
          held by a covered entity that concerns health status, provision  
          of health care, or payment for health care that can be connected  
          to an individual.  HIPAA privacy regulations require health care  
          providers and organizations to develop and follow procedures  
          that ensure the confidentiality and security of PHI when it is  
          transferred, received, handled, or shared. HIPAA further  
          requires reasonable efforts when using, disclosing, or  
          requesting PHI, to limit disclosure of that information to the  
          minimum amount necessary to accomplish the intended purpose.

          The California Confidentiality of Medical Information Act (CMIA)  
          also protects PHI and restricts the disclosure of medical  
          information by health care providers and health care service  
          plans, as specified.  Under existing law, a corporation  
          organized for the purpose of maintaining medical information in  
          order to make that information available to the patient, or a  
          provider at the request of the patient for purposes of diagnosis  
          or treatment, is deemed to be a provider of health care subject  
          to the requirements of the CMIA.  The CMIA empowers adult  
          patients in California to keep PHI confidential and decide  
          whether and when to share that  
          information with others.

          This bill would direct certain health care entities to provide  
          medical claims, cost, and quality information to the Secretary  
          of California Health and Human Services solely for the purpose  
          of developing information for inclusion in a health care cost  
          and quality database.  This bill states that, through this  
          database, the Legislature intends to establish a system to  
          provide valid, timely, and comprehensive health care performance  
          information that is publicly available and can be used to  
          improve the safety, appropriateness, and medical effectiveness  
          of health care, and to provide care that is patient-centered,  
          timely, affordable, and equitable.

          This bill was approved by the Senate Health Committee on April  
          6, 2016, by a vote of 8-0.

                                CHANGES TO EXISTING LAW
           
           Existing law  , the California Constitution, provides that all  
          people have inalienable rights, including the right to pursue  
          and obtain privacy.  (Cal. Const., art. I, Sec. 1.)
          
           Existing federal law  , the Health Insurance Portability and  
          Accountability Act (HIPAA), specifies privacy protections for  
          patients' protected health information and generally provides  
          that a covered entity, as defined (health plan, health care  
          provider, and health care clearing house), may not use or  
          disclose protected health information except as specified or as  
          authorized by the patient in writing.  (45 C.F.R. Sec. 164.500  
          et seq.)

           Existing law  prohibits, under the State Confidentiality of  
          Medical Information Act (CMIA), providers of health care, health  
          care service plans, or contractors, as defined, from sharing  
          medical information without a patient's written authorization,  
          subject to certain exceptions.  (Civ. Code Sec. 56 et seq.)

           Existing law  defines "medical information" to mean any  
          individually identifiable information, in electronic or physical  
          form, in possession of or derived from a provider of health  
          care, health care service plan, pharmaceutical company, or  
          contractor regarding a patient's medical history, mental or  
          physical condition, or treatment. Existing law defines  
          "individually identifiable" to mean medical information that  
          includes or contains any element of personal identifying  
          information sufficient to allow identification of the  
          individual, such as the patient's name, address, electronic mail  
          address, telephone number, or social security number, or other  
          information that, alone or in combination with other publicly  
          available information, reveals the individual's identity.  (Civ.  
          Code Sec. 56.05(g).)

           Existing law  provides that a provider of health care, health  
          care service plan, pharmaceutical company, or contractor who  
          negligently creates, maintains, preserves, stores, abandons,  
          destroys, or disposes of written or electronic medical records  
          shall be subject to damages in a civil action or an  
          administrative fine, as specified.  (Civ. Code Sec. 56.101.)

           Existing law  provides that a plaintiff may bring an action  
          against any person or entity that negligently releases his or  
          her confidential information or records in violation of the  
          CMIA.  Existing law provides, in addition to any other available  
          remedies, a plaintiff may receive as damages for a violation of  
          the CMIA both nominal damages of $1,000 and the amount of actual  
          damages.  Existing law provides that any violation of the CMIA  
          that results in economic loss or personal injury to a patient is  
          punishable as a misdemeanor. (Civ. Code Sec. 56.36.)

           This bill  would, for the sole purpose of developing information  
          for inclusion in a health care cost and quality database,  
          require health care service plans and providers, as specified,  
          to provide the following information to the Secretary of the  
          California Health and Human Services Agency (Secretary): 
           - utilization data from the health care service plans' and  
             insurers' medical, dental, and pharmacy claims or encounters,  
             as specified; 
           - pricing information for health care items, services, and  
             medical and surgical episodes of care gathered from allowed  
             charges for covered health care items and services, or, in the  
             case of entities that do not use or produce individual claims,  
             price information that is the best possible proxy, so as to  
             allow for meaningful comparisons of provider prices and  
             treatment costs; and
           - information sufficient to determine the impacts of social  
             determinants of health, including age, gender, race,  
             ethnicity, limited English proficiency, sexual orientation,  
             gender identity, ZIP Code, and any other factors for which  
             there is peer-reviewed evidence.

           This bill  would specify that all uses and disclosures of data  
          shall comply with all applicable state and federal laws for the  
          protection of the privacy and security of data, including, but  
          not limited to, the federal Health Insurance Portability and  
          Accountability Act of 1996 (Public Law 104-191), the federal  
          Health Information Technology for Economic and Clinical Health  
          Act, Title XIII of the federal American Recovery and  
          Reinvestment Act of 2009 (Public Law 111-5), and implementing  
          regulations, the State Confidentiality of Medical Information  
          Act (Civ. Code Sec. 56 et seq.), the Information Practices Act  
          of 1977 (Civ. Code Sec. 1798 et seq.), and the data breach  
          notification law (Civ. Code Sec. 1798.80 et seq.).

           This bill would specify that all policies and protocols created  
          in the development of the database shall ensure that the  
          privacy, security, and confidentiality of individually  
          identifiable health information is protected.

           This bill  would specify that the Secretary shall not publicly  
          disclose any unaggregated, individually identifiable health  
          information and shall develop a protocol for assessing the risk  
          of reidentification stemming from public disclosure of any  
          health information that is aggregated, individually identifiable  
          health information.

           This bill  would direct the Secretary of California Health and  
          Human Services to convene an advisory committee composed of a  
          broad spectrum of health care stakeholders and experts to  
          develop the parameters for the establishment, implementation,  
          and ongoing administration of a health care cost and quality  
          database.

           This bill  would make related legislative findings and  
          declarations.

                                        COMMENT
           
           1. Stated need for the bill
           
          According to the author:

            While reports indicate that health care costs are increasing  
            at a slower pace in recent years, health care still accounts  
            for over 17 percent of the U.S. Gross Domestic Product and  
            health care costs continue to consume significantly large  
            percentages of federal, state and personal budgets.  Whereas  
            most sectors keep pace with the overall economy, health care  
            continues to grow at higher rates than inflation. According to  
            a 2013 Health Care Almanac report on health care costs  
            published by the California Health Care Foundation (CHCF), the  
            average annual growth rate has declined since 1981 and has  
            remained flat over the last three years at a historic low of  
            3.9 percent.  Health spending in 2011 was only slightly higher  
            than inflation. Annual average health care spending has been  
            in the single digits (as compared to double digits) for the  
            last two decades, influenced recently by the recession.  
            However, some provisions of the [Affordable Care Act] are  
            expected to cause a one-time spike in growth.  According to a  
            May 2012 Primer published by the Kaiser Family Foundation, the  
            U.S. spends substantially more on health care than other  
            developed countries.  In 2009, U.S. spending was 90 percent  
            higher than many other industrialized countries.  Some  
            researchers believe the U.S. pays more for health care because  
            prices are higher, technology is more readily available, and  
            Americans have greater rates of chronic disease.

            This bill will help make available valid performance  
            information to encourage health care providers and facilities  
            to provide care that is safe, medically effective,  
            patient-centered, timely, efficient, affordable and equitable.  
             Additionally, it will put provider cost and performance  
            information into the hands of consumers and purchasers so that  
            they can understand their financial liability and realize the  
            best quality and value available to them.

           2. Improving Healthcare Cost Transparency
             
          According to the Western Center on Law and Poverty:

            Today it is incredibly difficult for health care consumers to  
            access clear, reliable information about the cost of a given  
            health care service or product, or the level of quality of  
            providers offering that care, and there is broad variation in  
            both cost and quality.  While the Affordable [C]are Act has  
            been transformative in providing coverage to millions of  
            additional Californians who were previously uninsured,  
            consumers with commercial coverage still have grave concerns  
            with the affordability of health care.  Many plans have  
            deductibles of more than $6,000 for individuals so health care  
            consumers are paying for a significant portion of their care  
            out-of-pocket.  They need to be able to access trustworthy  
            cost information.  In addition to allowing consumers to make  
            more informed decisions about both the cost and quality of the  
            care they are receiving, transparency of cost and quality data  
            also encourages improved quality of care and applies market  
            pressures on cost.

          This bill is intended to increase cost and quality transparency  
          in California's healthcare marketplace.  By requiring plans and  
          providers to submit cost, usage, and outcome data to the  
          Secretary of California Health and Human Services, this bill  
          would enable the Secretary to construct a statewide cost and  
          quality database that could equip consumers with comparative  
          cost and outcome data when choosing health care plans and  
          providers.

           3. Ensuring Confidentiality of Personal Information 
           
          California's Confidentiality of Medical Information Act (CMIA)  
          generally restricts the sharing or disclosure of a person's  
          medical information without first obtaining their written  
          consent.  The act states that "a provider of health care, health  
          care service plan, or contractor shall not disclose medical  
          information regarding a patient of the provider of health care  
          or an enrollee or subscriber of a health care service plan  
          without first obtaining an authorization," unless a particular  
          exception allows the disclosure.  (Civ. Code Sec. 56.10.)  Some  
          exceptions that do not require prior authorization include when  
          information disclosure is "otherwise specifically required by  
          law" (Civ. Code Sec. 56.10(b)(9).), or when information is  
          "disclosed to a third party for purposes of encoding,  
          encrypting, or otherwise anonymizing data" (Civ. Code Sec.  
          56.10(c)(16).).

          Without such an exception, any person or entity that wishes to  
          obtain medical information must first obtain a valid  
          authorization, which must be either handwritten by the person  
          who signs it or in a typeface no smaller than 14-point type; be  
          clearly separate from any other language present on the same  
          page and executed by a signature which serves no other purpose  
          than to execute the authorization; and be signed and dated by an  
          authorized person.  Additionally, in order to be valid, an  
          authorization must also:
           - state the specific uses and limitations on the types of  
             medical information to be disclosed;
           - state the name or functions of the provider of health care,  
             health care service plan, pharmaceutical company, or  
             contractor that may disclose the medical information;
           - state the name or functions of the persons or entities  
             authorized to receive the medical information;
           - state the specific uses and limitations on the use of the  
             medical information by the persons or entities authorized to  
             receive the medical information;
           - state a specific date after which the provider of health care,  
             health care service plan, pharmaceutical company, or  
             contractor is no longer authorized to disclose the medical  
             information; and
           - advise the person signing the authorization of the right to  
             receive a copy of the authorization.  (Civ. Code Sec. 56.11.)   


          This bill explicitly states that the CMIA, in addition to other  
          privacy and data security laws, shall govern all uses and  
          disclosures of data made pursuant to the bill.

          The American Civil Liberties Union, writing in opposition,  
          opines that the CMIA would not provide "privacy protections for  
          the medical data being analyzed because [the] Secretary of  
          California Health and Human Services and the database itself are  
          not covered entities under CMIA."  Whether or not this statement  
          about the scope of entities covered by the CMIA is accurate, the  
          Secretary, as well as any data collected by him or her pursuant  
          to this bill, would be subject to restrictions in the  
          Information Practices Act of 1977, which, like the CMIA, limits  
          the disclosure of personal information held by governmental  
          agencies in order to protect the privacy of affected  
          individuals.

          In general, the Information Practices Act prohibits the  
          disclosure of personal information to another party without  
          first obtaining the permission of the affected individual.  In  
          certain circumstances, disclosure may be authorized without such  
          permission when, as here, the information may be necessary for  
          an agency "to perform its constitutional or statutory duties."   
          (Civ. Code Sec. 1798.24.)  Even when permission from an affected  
          individual is not obtained, the Information Practices Act  
          requires governmental agencies to "establish appropriate and  
          reasonable administrative, technical, and physical safeguards to  
          ensure compliance with the [act], to ensure the security and  
          confidentiality of records, and to protect against anticipated  
          threats or hazards to their security or integrity which could  
          result in any injury."  (Civ. Code Sec. 1798.21.)  Consequently,  
          whether or not the CMIA applies to information obtained by the  
          Secretary pursuant to this bill, he or she would nonetheless be  
          duty bound to protect the confidentiality of that information  
          under the Information Practices Act, and would be legally  
          required to limit any disclosure of those records as required by  
          the act, whether to the public in the form of a healthcare cost  
          and quality database, or privately within the Health and Human  
          Services Agency.

           4. Data Security 
           
          The American Civil Liberties Union (ACLU), in opposition,  
          states, "[i]f the state wishes to compile a database containing  
          such sensitive [health] information, it should adopt the most  
          rigorous standards of security protection to ensure as nearly as  
          possible that this information is not compromised," and requests  
          that the bill require information collected for, or contained  
          within, a health care cost and quality database to be encrypted.  
           As noted above, the Information Practices Act already requires  
          state agencies to protect personal information, including health  
          information, in their possession with "reasonable  
          administrative, technical, and physical safeguards."  (Civ. Code  
          Sec. 1798.21.)  To date, the Legislature has not explicitly  
          required data encryption to be one of those safeguards.  When  
          the Legislature amended the Information Practices Act in 2002 to  
          create California's data breach notification law (SB 1386,  
          Peace, Ch. 915, Stats. 2002), it included a safe harbor that  
          generally exempted the exposure of encrypted personal  
          information from the law's notification provisions.  The  
          inclusion of an encryption safe harbor was meant to incentivize  
          organizations to encrypt personal information under their  
          control.

          However, recent data breaches have revealed instances where  
          encrypted information was breached along with the encryption  
          key.  For example, the ride-hailing company Uber reported in  
          late 2014 that "[t]housands of Uber driver names and driver's  
          license numbers may be in the hands of an unauthorized third  
          party due to a data breach," and that "one of its many databases  
          could have potentially been accessed because one of the  
          encryption keys required to unlock it had been compromised."   
          (Tracey Lien, Uber Security Breach May Have Affected up to  
          50,000 Drivers, Los Angeles Times (Feb. 27, 2015)  
           [as of Apr. 10, 2016].)  In breaches  
          such as this where an encryption key is taken along with  
          encrypted information, the compromised information has lost the  
          effectiveness of its encryption protection.

          While it may be beyond the scope of this bill, the Committee may  
          wish to consider the data breach notification law's encryption  
          safe harbor and how best to address the problem of compromised  
          encryption keys in future legislation.

           5. Other Stakeholder Concerns
           
          A number of stakeholders not officially supporting or opposing  
          this bill have raised concerns about the advisory committee this  
          bill would establish to help develop parameters for the  
          creation, implementation, and ongoing administration of a health  
          care cost and quality database.  Representative of these  
          concerns, the Service Employees International Union, California  
          State Council (SEIU), writes:

            [This bill] as currently drafted would grant the Secretary of  
            the California Health and Human Services Agency with the sole  
            discretion to act unilaterally in the formation of the  
            database with guidance from a multi-stakeholder review  
            committee which would include plans, providers, purchasers . .  
            . and consumers.  Past health care transparency efforts in  
            California have shown that influence by the industry groups  
            over the analysis and use of provider-specific performance  
            information results in far more limited data analysis and  
            reporting than is needed or desired, and could greatly limit  
            the value of the state's investment in a cost and quality  
            database. . . . SEIU would like to see SB 1159 amended to  
            include a more robust public governance structure which brings  
            consumers, labor, and purchasers together with the state to  
            oversee the rules and administration of the database informed  
            by recommendations and input from a separate group of those  
            entities required to submit data to the database.

          Stakeholders also raise concerns with a provision of the bill  
          excluding confidentially negotiated contract terms and  
          proprietary contract information from disclosure. Also  
          representative of these concerns, SEIU writes:

            As currently drafted, SB 1159 would protect confidentially  
            negotiated contract terms, which includes prices, between  
            commercial health plans and providers.  SEIU believes that  
            this protection of prices is unnecessary and should be removed  
            to ensure that health care purchasers and consumers can access  
            information on the prices paid for health care services.


           Support  : AARP California; California Association of Physician  
          Groups; California Pan-Ethnic Health Network; League of  
          California Cities; National Multiple Sclerosis Society; Western  
          Center on Law and Poverty
                                                                       
           Opposition  :  American Civil Liberties Union of California;  
          Consumer Federation of California

                                       HISTORY
           
           Source  :  Author

           Related Pending Legislation  :  None Known




           Prior Legislation  :

          SB 26 (Hernandez, 2015) would have required the Secretary of  
          Health and Human Services to enter into a contract with one or  
          more independent, nonprofit organizations to develop and  
          administer the California Health Care Cost and Quality Database.  
           This bill would have required certain health care entities,  
          including health care service plans, to provide medical claims,  
          cost, and quality information to the California Health Care Cost  
          and Quality Database in order to create a publicly available  
          web-based, searchable database.  This bill would have required  
          all data disclosures involving the database to comply with  
          applicable state and federal laws for the protection of the  
          privacy and security of data, and would have prohibited public  
          disclosure of any unaggregated, individually identifiable health  
          information.  This bill was held on suspense in the Senate  
          Appropriations Committee.

          SB 1322 (Hernandez, 2014) was substantially similar to SB 26  
          (Hernandez, 2015).  This bill was held on suspense in the  
          Assembly Appropriations Committee.

          AB 1558 (Hernandez, 2014) would have requested the University of  
          California to establish the California Health Data Organization  
          to collect data from payers and establish an all-payer claims  
          database.  This bill would have required certain private payers  
          to submit claims data to the organization on utilization,  
          payment, and cost sharing for services delivered to  
          beneficiaries, and would have requested the organization to  
          design and maintain an Internet Web site that allowed consumers  
          to compare the prices paid by payers for procedures.  This bill  
          was held on suspense in the Senate Appropriations Committee.

          SB 746 (Leno, 2013) would have required health care service  
          plans and insurers to disclose specified aggregate data for  
          products and for rate filings, as specified, in the large group  
          market on an annual basis.  The bill also would have required a  
          health plan or health insurer that exclusively contracts with no  
          more than two medical groups in the state to provide claims or  
          other data to large group purchasers that request the data and  
          demonstrate the ability to comply with privacy laws, as  
          specified, and would have required the health care service plan  
          or health insurer to use only deidentified data in that  
          disclosure to protect the privacy rights of individuals.  This  
          bill was vetoed by Governor Brown.

           Prior Vote  :  Senate Health Committee (Ayes 8, Noes 0)

                                   **************