BILL NUMBER: SB 19	ENROLLED
	BILL TEXT

	PASSED THE SENATE   SEPTEMBER 8, 1999
	PASSED THE ASSEMBLY   SEPTEMBER 7, 1999
	AMENDED IN ASSEMBLY   SEPTEMBER 7, 1999
	AMENDED IN ASSEMBLY   SEPTEMBER 3, 1999
	AMENDED IN ASSEMBLY   AUGUST 16, 1999
	AMENDED IN ASSEMBLY   JULY 7, 1999
	AMENDED IN ASSEMBLY   JULY 2, 1999
	AMENDED IN SENATE   APRIL 20, 1999

INTRODUCED BY   Senator Figueroa and Assembly Member Davis
   (Coauthors:  Assembly Members Gallegos, Kuehl, and Machado)

                        DECEMBER 7, 1998

   An act to amend Sections 56.05, 56.10, 56.11, 56.12, 56.14, 56.30,
56.36, and 56.37 of, and to add Section 56.101 to, the Civil Code,
to amend Section 1386 of, and to add Section 1364.5 to, the Health
and Safety Code, and to amend Section 791.02 of the Insurance Code,
relating to medical records.



	LEGISLATIVE COUNSEL'S DIGEST


   SB 19, Figueroa.  Medical records:  confidentiality.
   Existing law, known as the Confidentiality of Medical Information
Act, prohibits the disclosure of medical information, as defined, by
providers of health care, as defined, including certain health care
service plans, except in specified circumstances.  Unauthorized
disclosure that results in economic loss or personal injury to a
patient is a misdemeanor.  Existing law provides for licensure and
regulation of health care service plans by the Commissioner of
Corporations.
   This bill would revise the definition of providers of health care,
and make the prohibitions on disclosure of medical information
applicable also to all health care service plans, and contractors, as
defined.  The bill would expressly prohibit (1) negligent disposal
or destruction of medical information and (2) the intentional
sharing, sale, or use of medical information for any purpose not
necessary to provide health care services to the patient, except as
otherwise authorized.  The bill would permit disclosure of medical
information for purposes of encoding or encrypting data, governmental
reporting and chronic disease management programs, as specified.
   The bill would provide that violation of the act would be grounds
for suspension of revocation of a health care service plan's license
and would create a right of action to recover damages, as specified,
for any individual whose confidential information or records are
negligently released and would additionally provide for specified
administrative and civil penalties.  The bill would also prohibit a
provider of health care or a health care service plan and its
contractors from requiring a patient, as a condition to receiving
health care services, to sign an authorization, release, or consent,
or waiver permitting the disclosure of any medical information
subject to confidentiality protections provided by law.  The bill
would authorize a health care service plan or disability insurer to
require disclosure of the medical information as a condition of the
medical underwriting process.
   The bill would require every health care service plan to have
policies and procedures in place to protect the security of medical
information, as specified.  The bill would additionally require every
health care service plan, on and after July 1, 2001, to provide
enrollees, upon request, with a written statement describing how the
plan maintains the confidentiality of medical information, as
specified.
   Existing provisions of the Insurance Information and Privacy
Protection Act regulate certain practices by insurers and, for that
purpose, include health care service plans, within the definition of
insurance.
   This bill would delete this provision, and would make related
changes.
   By changing the definition of a crime, the bill would impose a
state-mandated local program.
  The California Constitution requires the state to reimburse local
agencies and school districts for certain costs mandated by the
state.  Statutory provisions establish procedures for making that
reimbursement.
   This bill would provide that no reimbursement is required by this
act for a specified reason.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:


  SECTION 1.  Section 56.05 of the Civil Code is amended to read:
   56.05.  For purposes of this part:
   (a) "Authorization" means permission granted in accordance with
Section 56.11 or 56.21 for the disclosure of medical information.
   (b) "Authorized recipient" means any person who is authorized to
receive medical information pursuant to Section 56.10 or 56.20.
   (c) "Contractor" means any person or entity that is  a medical
group, independent practice association, pharmaceutical benefits
manager, or a medical service organization and is not a health care
service plan or provider of health care.  "Contractor" shall not
include insurance institutions as defined in subdivision (k) of
Section 791.02 of the Insurance Code or pharmaceutical benefits
managers licensed pursuant to the Knox-Keene Health Care Service Plan
Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division
2 of the Health and Safety Code).
   (d) "Health care service plan" means any entity regulated pursuant
to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2
(commencing with Section 1340) of Division 2 of the Health and Safety
Code).
   (e) "Licensed health care professional" means any person licensed
or certified pursuant to Division 2 (commencing with Section 500) of
the Business and Professions Code, the Osteopathic Initiative Act or
the Chiropractic Initiative Act, or Division 2.5 (commencing with
Section 1797) of the Health and Safety Code.
   (f) "Medical information" means any individually identifiable
information, in electronic or physical form, in possession of or
derived from a provider of health care or health care service plan
regarding a patient's medical history, mental or physical condition,
or treatment.  "Individually identifiable" means that the medical
information includes or contains any element of personal identifying
information sufficient to allow identification of the individual,
such as the patient's name, address, electronic mail address,
telephone number, or social security number, or other information
that, alone or in combination with other publicly available
information, reveals the individual's identity.
   (g) "Patient" means any natural person, whether or not still
living, who received health care services from a provider of health
care and to whom medical information pertains.
   (h) "Provider of health care" means any person licensed or
certified pursuant to Division 2 (commencing with Section 500) of the
Business and Professions Code; any person licensed pursuant to the
Osteopathic Initiative Act or the Chiropractic Initiative Act; any
person certified pursuant to Division 2.5 (commencing with Section
1797) of the Health and Safety Code; any clinic, health dispensary,
or health facility licensed pursuant to Division 2 (commencing with
Section 1200) of the Health and Safety Code.  "Provider of health
care" shall not include insurance institutions as defined in
subdivision (k) of Section 791.02 of the Insurance Code.
  SEC. 2.  Section 56.10 of the Civil Code is amended to read:
   56.10.  (a) No provider of health care, or health care service
plan, or contractor shall disclose medical information regarding a
patient of the provider of health care or an enrollee or subscriber
of a health care service plan without first obtaining an
authorization, except as provided in subdivision (b) or (c).
   (b) A provider of health care, a health care service plan, or a
contractor shall disclose medical information if the disclosure is
compelled by any of the following:
   (1) By a court pursuant to an order of that court.
   (2) By a board, commission, or administrative agency for purposes
of adjudication pursuant to its lawful authority.
   (3) By a party to a proceeding before a court or administrative
agency pursuant to a subpoena, subpoena duces tecum, notice to appear
served pursuant to Section 1987 of the Code of Civil Procedure, or
any provision authorizing discovery in a proceeding before a court or
administrative agency.
   (4) By a board, commission, or administrative agency pursuant to
an investigative subpoena issued under Article 2 (commencing with
Section 11180) of Chapter 2 of Part 1 of Division 3 of Title 2 of the
Government Code.
   (5) By an arbitrator or arbitration panel, when arbitration is
lawfully requested by either party, pursuant to a subpoena duces
tecum issued under Section 1282.6 of the Code of Civil Procedure, or
any other provision authorizing discovery in a proceeding before an
arbitrator or arbitration panel.
   (6) By a search warrant lawfully issued to a governmental law
enforcement agency.
   (7) By the patient or the patient's representative pursuant to
Chapter 1 (commencing with Section 123100) of Part 1 of Division 106
of the Health and Safety Code.
   (8) When otherwise specifically required by law.
   (c) A provider of health care, or a health care service plan may
disclose medical information as follows:
   (1) The information may be disclosed to providers of health care,
health care service plans, or other health care professionals or
facilities for purposes of diagnosis or treatment of the patient.
This includes, in an emergency situation, the communication of
patient information by radio transmission between emergency medical
personnel at the scene of an emergency, or in an emergency medical
transport vehicle, and emergency medical personnel at a health
facility licensed pursuant to Chapter 2 (commencing with Section
1200) of Division 2 of the Health and Safety Code.
   (2) The information may be disclosed to an insurer, employer,
health care service plan, hospital service plan, employee benefit
plan, governmental authority, or any other person or entity
responsible for paying for health care services rendered to the
patient, to the extent necessary to allow responsibility for payment
to be determined and payment to be made.  If (A) the patient is, by
reason of a comatose or other disabling medical condition, unable to
consent to the disclosure of medical information and (B) no other
arrangements have been made to pay for the health care services being
rendered to the patient, the information may be disclosed to a
governmental authority to the extent necessary to determine the
patient's eligibility for, and to obtain, payment under a
governmental program for health care services provided to the
patient.  The information may also be disclosed to another provider
of health care or health care service plan as necessary to assist the
other provider or health care service plan in obtaining payment for
health care services rendered by that provider of health care or
health care service plan to the patient.
   (3) The information may be disclosed to any person or entity that
provides billing, claims management, medical data processing, or
other administrative services for providers of health care or health
care service plans or for any of the persons or entities specified in
paragraph (2).  However, no information so disclosed shall be
further disclosed by the recipient in any way  that would be
violative of this part.
   (4) The information may be disclosed to organized committees and
agents of professional societies or of medical staffs of licensed
hospitals, licensed health care service plans, professional standards
review organizations, utilization and quality control peer review
organizations as established by Congress in Public Law 97-248 in
1982, or persons or organizations insuring, responsible for, or
defending professional liability that a provider may incur, if the
committees, agents, plans, organizations, or persons are engaged in
reviewing the competence or qualifications of health care
professionals or in reviewing health care services with respect to
medical necessity, level of care, quality of care, or justification
of charges.
   (5) The information in the possession of any provider of health
care or health care service plan may be reviewed by any private or
public body responsible for licensing or accrediting the provider of
health care or health care service plan.  However, no patient
identifying medical information may be removed from the premises
except as expressly permitted or required elsewhere by law.
   (6) The information may be disclosed to the county coroner in the
course of an investigation by the coroner's office.
   (7) The information may be disclosed to public agencies, clinical
investigators, including investigators conducting epidemiologic
studies, health care research organizations, and accredited public or
private nonprofit educational or health care institutions for bona
fide research purposes.  However, no information so disclosed shall
be further disclosed by the recipient in any way that would disclose
the identity of any patient or be violative of this part.
   (8) A provider of health care or health care service plan that has
created medical information as a result of employment-related health
care services to an employee conducted at the specific prior written
request and expense of the employer may disclose to the employee's
employer that part of the information  that:
   (A) Is relevant in a law suit, arbitration, grievance, or other
claim or challenge to which the employer and the employee are parties
and in which the patient has placed in issue his or her medical
history, mental or physical condition, or treatment, provided  that
information may only be used or disclosed in connection with that
proceeding.
   (B) Describes functional limitations of the patient that may
entitle the patient to leave from work for medical reasons or limit
the patient's fitness to perform his or her present employment,
provided that no statement of medical cause is included in the
information disclosed.
   (9) Unless the provider of health care or health care service plan
is notified in writing of an agreement by the sponsor, insurer, or
administrator to the contrary, the information may be disclosed to a
sponsor, insurer, or administrator of a group or individual insured
or uninsured plan or policy that the patient seeks coverage by or
benefits from, if the information was created by the provider of
health care or health care service plan as the result of services
conducted at the specific prior written request and expense of the
sponsor, insurer, or administrator for the purpose of evaluating the
application for coverage or benefits.
   (10) The information may be disclosed to a health care service
plan by providers  of health care that contract with the health care
service plan and may be transferred among providers of health care
that contract with the health care service plan, for the purpose of
administering the health care service plan.  Medical information may
not otherwise be disclosed by a health care service plan except in
accordance with the provisions of this part.
   (11) Nothing in this part shall prevent the disclosure by a
provider of health care or a health care service plan to an insurance
institution, agent, or support organization, subject to Article 6.6
(commencing with Section 791) of Part 2 of Division 1 of the
Insurance Code, of medical information if the insurance institution,
agent, or support organization has complied with all requirements for
obtaining the information pursuant to Article 6.6 (commencing with
Section 791) of Part 2 of Division 1 of the Insurance Code.
   (12) The information relevant to the patient's condition and care
and treatment provided may be disclosed to a probate court
investigator engaged in determining the need for an initial
conservatorship or continuation of an existent conservatorship, if
the patient is unable to give informed consent, or to a probate court
investigator, probation officer, or domestic relations investigator
engaged in determining the need for an initial guardianship or
continuation of an existent guardianship.
   (13) The information may be disclosed to an organ procurement
organization or a tissue bank processing the tissue of a decedent for
transplantation into the body of another person, but only with
respect to the donating decedent, for the purpose of aiding the
transplant.  For the purpose of this paragraph, the terms "tissue
bank" and "tissue" have the same meaning as defined in Section 1635
of the Health and Safety Code.
   (14) The information may be disclosed when the disclosure is
otherwise specifically authorized by law, such as the voluntary
reporting, either directly or indirectly, to the federal Food and
Drug Administration of adverse events related to drug products or
medical device problems.
   (15) Basic information including the patient's name, city of
residence, age, sex, and general condition may be  disclosed to a
state or federally recognized disaster relief organization for the
purpose of responding to disaster welfare inquiries.
   (16) The information may be disclosed to a third party for
purposes of encoding, encrypting, or otherwise anonymizing data.
However, no information so disclosed shall be further disclosed by
the recipient in any way that would be violative of this part,
including the unauthorized manipulation of coded or encrypted medical
information that reveals individually identifiable medical
information.
   (17) For purposes of chronic disease management programs,
information may be disclosed to any entity contracting with a health
care service plan to monitor or administer care of enrollees for a
covered benefit, provided that the disease management services and
care are authorized by a treating physician.
   (d) Except to the extent expressly authorized by the patient or
enrollee or subscriber or as provided by subdivisions (b) and (c), no
provider of health care, health care service plan, or contractor
shall intentionally share, sell, or otherwise use any medical
information for any purpose not necessary to provide health care
services to the patient.
   (e) Except to the extent expressly authorized by the patient or
enrollee or subscriber or as provided by subdivisions (b) and (c), no
contractor shall further disclose medical information regarding a
patient of the provider of health care or an enrollee or subscriber
of a health care service plan or insurer or self-insured employer
received under this section to any person or entity that is not
engaged in providing direct health care services to the patient or
his or her provider of health care or health care service plan or
insurer or self-insured employer.
  SEC. 3.  Section 56.101 is added to the Civil Code, to read:
   56.101.  Every provider of health care, health care service plan,
or contractor who creates, maintains, preserves, stores, abandons, or
destroys medical records shall do so in a manner that preserves the
confidentiality of the information contained therein.  Any provider
of health care, health care service plan, or contractor who
negligently disposes, abandons, or destroys medical records shall be
subject to the provisions of this part.
  SEC. 4.  Section 56.11 of the Civil Code is amended to read:
   56.11.  An authorization for the release of medical information by
a provider of health care, a health care service plan, or contractor
shall be valid if it:
   (a) Is handwritten by the person who signs it or is in typeface no
smaller than 8-point type.
   (b) Is clearly separate from any other language present on the
same page and is executed by a signature which serves no other
purpose than to execute the authorization.
   (c) Is signed and dated by one of the following:
   (1) The patient.  A patient who is a minor may only sign an
authorization for the release of medical information obtained by a
provider of health care, health care service plan, or contractor in
the course of furnishing services to which the minor could lawfully
have consented under Part 1 (commencing with Section 25) or Part 2.7
(commencing with Section 60).
   (2) The legal representative of the patient,  if the patient is a
minor or an incompetent.  However, authorization may not be given
under this subdivision for the disclosure of medical information
obtained by the provider of health care, a health care service plan,
or a contractor in the course of furnishing services to which a minor
patient could lawfully have consented under Part 1 (commencing with
Section 25) or Part 2.7 (commencing with Section 60).
   (3) The spouse of the patient or the person financially
responsible for the patient, where the medical information is being
sought for the sole purpose of processing an application for health
insurance or for enrollment in a nonprofit hospital plan, a health
care service plan, or an employee benefit plan, and where the patient
is to be an enrolled spouse or dependent under the policy or plan.
   (4) The beneficiary or personal representative of a deceased
patient.
   (d) States the specific uses and limitations on the types of
medical information to be disclosed.
   (e) States the name or functions of the provider of health care,
health care service plan, or contractor that may disclose the medical
information.
   (f) States the name or functions of the persons or entities
authorized to receive the medical information.
   (g) States the specific uses and limitations on the use of the
medical information by the persons or entities authorized to receive
the medical information.
   (h) States a specific date after which the provider of health
care, health care service plan, or contractor is no longer authorized
to disclose the medical information.
   (i) Advises the person signing the authorization of the right to
receive a copy of the authorization.
  SEC. 5.  Section 56.12 of the Civil Code is amended to read:
   56.12.  Upon demand by the patient or the person who signed an
authorization, a provider of health care, a health care service plan,
or contractor possessing the authorization shall furnish a true copy
thereof.
  SEC. 6.  Section 56.14 of the Civil Code is amended to read:
   56.14.  A provider of health care, health care service plan, or
contractor that discloses medical information pursuant to the
authorizations required by this chapter shall communicate to the
person or entity to which it discloses the medical information any
limitations in the authorization regarding the use of the medical
information.  No provider of health care, health care service plan,
or contractor that has attempted in good faith to comply with this
provision shall be liable for any unauthorized use of the medical
information by the person or entity to which the provider, plan, or
contractor disclosed the medical information.
  SEC. 7.  Section 56.30 of the Civil Code is amended to read:
   56.30.  The disclosure and use of the following medical
information shall not be subject to the limitations of this part:
   (a) (Mental health and developmental disabilities) Information and
records obtained in the course of providing services under Division
4 (commencing with Section 4001), Division 4.1 (commencing with
Section 4400), Division 4.5 (commencing with Section 4500), Division
5 (commencing with Section 5000), Division 6 (commencing with Section
6000), or Division 7 (commencing with Section 7100) of the Welfare
and Institutions Code.
   (b) (Public social services) Information and records that are
subject to Sections 10850, 14124.1, and 14124.2 of the Welfare and
Institutions Code.
   (c) (State health services, communicable diseases, developmental
disabilities) Information and records maintained pursuant to former
Chapter 2 (commencing with Section 200) of Part 1 of Division 1 of
the Health and Safety Code and pursuant to the Communicable Disease
Prevention and Control Act (subdivision (a) of Section 27 of the
Health and Safety Code).
   (d) (Licensing and statistics) Information and records maintained
pursuant to Division 2 (commencing with Section 1200) and Part 1
(commencing with Section 102100) of the Health and Safety Code;
pursuant to Chapter 3 (commencing with Section 1200) of Division 2 of
the Business and Professions Code; and pursuant to Section 8608,
8817, or 8909 of the Family Code.
   (e) (Medical survey, workers' safety) Information and records
acquired and maintained or disclosed pursuant to Sections 1380 and
1382 of the Health and Safety Code and pursuant to Division 5
(commencing with Section 6300) of the Labor Code.
   (f) (Industrial accidents) Information and records acquired,
maintained, or disclosed pursuant to Division 1 (commencing with
Section 50), Division 4 (commencing with Section 3201), Division 4.5
(commencing with Section 6100), and Division 4.7 (commencing with
Section 6200) of the Labor Code.
   (g) (Law enforcement) Information and records maintained by a
health facility which are sought by a law enforcement agency under
Chapter 3.5 (commencing with Section 1543) of Title 12 of Part 2 of
the Penal Code.
   (h) (Investigations of employment accident or illness) Information
and records sought as part of an investigation of an on-the-job
accident or illness pursuant to Division 5 (commencing with Section
6300) of the Labor Code or pursuant to Section 105200 of the Health
and Safety Code.
   (i) (Alcohol or drug abuse) Information and records subject to the
federal alcohol and drug abuse regulations (Part 2 (commencing with
Section 2.1) of subchapter A of Chapter 1 of Title 42 of the Code of
Federal Regulations) or to Section 11977 of the Health and Safety
Code dealing with narcotic and drug abuse.
   (j) (Patient discharge data) Nothing in this part shall be
construed to limit, expand, or otherwise affect the authority of the
California Health Facilities Commission to collect patient discharge
information from health facilities pursuant to Section 441.18 of the
Health and Safety Code.
   (k) Medical information and records disclosed to, and their use
by, the Insurance Commissioner, the Director of the Department of
Managed Care, the Division of Industrial Accidents, the Workers'
Compensation Appeals Board, the Department of Insurance, or the
Department of Managed Care.
  SEC. 8.  Section 56.36 of the Civil Code is amended to read:
   56.36.  (a) Any violation of the provisions of this part that
results in economic loss or personal injury to a patient is
punishable as a misdemeanor.
   (b) In addition to any other remedies available at law, any
individual may bring an action against any person or entity who has
negligently released confidential information or records concerning
him or her in violation of this part, for either or both of the
following:
   (1) Nominal damages of one thousand dollars ($1,000).  In order to
recover under this paragraph, it shall not be necessary that the
plaintiff suffered or was threatened with actual damages.
   (2) The amount of actual damages, if any, sustained by the
patient.
   (c) (1) In addition, any person or entity that negligently
discloses medical information in violation of the provisions of this
part shall also be liable, irrespective of the amount of damages
suffered by the patient as a result of that violation, for an
administrative fine or civil penalty not to exceed two thousand five
hundred dollars ($2,500) per violation.
   (2) (A) Any person or entity, other than a licensed health care
professional, who knowingly and willfully obtains, discloses, or uses
medical information in violation of this part shall be liable for an
administrative fine or civil penalty not to exceed twenty-five
thousand dollars ($25,000) per violation.
   (B) Any licensed health care professional, who knowingly and
willfully obtains, discloses, or uses medical information in
violation of this part shall be liable on a first violation, for an
administrative fine or civil penalty not to exceed two thousand five
hundred dollars ($2,500) per violation, or on a second violation for
an administrative fine or civil penalty not to exceed ten thousand
dollars ($10,000) per violation, or on a third and subsequent
violation for an administrative fine or civil penalty not to exceed
twenty-five thousand dollars ($25,000) per violation.  Nothing in
this subdivision shall be construed to limit the liability of a
health care service plan, a contractor, or a provider of health care
that is not a licensed health care professional for any violation of
this part.
   (3) (A) Any person or entity, other than a licensed health care
professional, who knowingly or willfully obtains or uses medical
information in violation of this part for the purpose of financial
gain shall be liable for an administrative fine or civil penalty not
to exceed two hundred fifty thousand dollars ($250,000) per violation
and shall also be subject to disgorgement of any proceeds or other
consideration obtained as a result of the violation.
   (B) Any licensed health care professional, who knowingly and
willfully obtains, discloses, or uses medical information in
violation of this part for financial gain shall be liable on a first
violation, for an administrative fine or civil penalty not to exceed
five thousand dollars ($5,000) per violation, or on a second
violation for an administrative fine or civil penalty not to exceed
twenty-five thousand dollars ($25,000) per violation, or on a third
and subsequent violation for an administrative fine or civil penalty
not to exceed two hundred fifty thousand dollars ($250,000) per
violation and shall also be subject to disgorgement of any proceeds
or other consideration obtained as a result of the violation.
Nothing in this subdivision shall be construed to limit the liability
of a health care service plan, a contractor, or a provider of health
care that is not a licensed health care professional for any
violation of this part.
   (4) Nothing in this subdivision shall be construed as authorizing
an administrative fine or civil penalty under both paragraphs (2) and
(3) for the same violation.
   (5) Any person or entity who is not permitted to receive medical
information pursuant to this part and who knowingly and willfully
obtains, discloses, or uses medical information without written
authorization from the patient shall be liable for a civil penalty
not to exceed two hundred fifty thousand dollars ($250,000) per
violation.
   (d) In assessing the amount of an administrative fine or civil
penalty pursuant to subdivision (c), the licensing agency or
certifying board or court shall consider any one or more of the
relevant circumstances presented by any of the parties to the case
including, but not limited to, the following:
   (1) Whether the defendant has made a reasonable, good faith
attempt to comply with this part.
   (2) The nature and seriousness of the misconduct.
              (3) The harm to the patient, enrollee, or subscriber.
   (4) The number of violations.
   (5) The persistence of the misconduct.
   (6) The length of time over which the misconduct occurred.
   (7) The willfulness of the defendant's misconduct.
   (8) The defendant's assets, liabilities, and net worth.
   (e) (1) The civil penalty pursuant to subdivision (c) shall be
assessed and recovered in a civil action brought in the name of the
people of the State of California in any court of competent
jurisdiction by any of the following:
   (A) The Attorney General.
   (B) Any district attorney.
   (C) Any county counsel authorized by agreement with the district
attorney in actions involving violation of a county ordinance.
   (D) Any city attorney of a city.
   (E) Any city attorney of a city and county having a population in
excess of 750,000, with the consent of the district attorney.
   (F) A city prosecutor in any city having a full-time city
prosecutor or, with the consent of the district attorney, by a city
attorney in any city and county.
   (2) If the action is brought by the Attorney General, one-half of
the penalty collected shall be paid to the treasurer of the county in
which the judgment was entered, and one-half to the General Fund.
If the action is brought by a district attorney or county counsel,
the penalty collected shall be paid to the treasurer of the county in
which the judgment was entered.  Except as provided in paragraph
(3), if the action is brought by a city attorney or city prosecutor,
one-half of the penalty collected shall be paid to the treasurer of
the city in which the judgment was entered and one-half to the
treasurer of the county in which the judgment was entered.
   (3) If the action is brought by a city attorney of a city and
county, the entire amount of the penalty collected shall be paid to
the treasurer of the city and county in which the judgment was
entered.
   (4) Nothing in this section shall be construed as authorizing both
an administrative fine and civil penalty for the same violation.
   (5) Imposition of a fine or penalty provided for in this section
shall not preclude imposition of any other sanctions or remedies
authorized by law.
   (f) For purposes of this section, "knowing" and "willful" shall
have the same meanings as in Section 7 of the Penal Code.
   (g) No person who discloses protected medical information in
accordance with the provisions of this part shall be subject to the
penalty provisions of this part.
  SEC. 9.  Section 56.37 of the Civil Code is amended to read:
   56.37.  (a) No provider of health care, health care service plan,
or contractor may require a patient, as a condition of receiving
health care services, to sign an authorization, release, consent, or
waiver that would permit the disclosure of medical information that
otherwise may not be disclosed under Section 56.10 or any other
provision of law.   However, a health care service plan or disability
insurer may require relevant enrollee or subscriber medical
information as a condition of the medical underwriting process,
provided that Sections 1374.7 and 1389.1 of the Health and Safety
Code are strictly observed.
   (b) Any waiver by a patient of the provisions of this part, except
as authorized by Section 56.11 or 56.21 or subdivision (b) of
Section 56.26, shall be deemed contrary to public policy and shall be
unenforceable.
  SEC. 10.  Section 1364.5 is added to the Health and Safety Code, to
read:
   1364.5.  (a) On or before July 1, 2001, every health care service
plan shall file with the director a copy of their policies and
procedures to protect the security of patient medical information to
ensure compliance with the Confidentiality of Information Act (Part
2.6 (commencing with Section 56) of Division 1 of the Civil Code).
Any amendment to the policies and procedures shall be filed in
accordance with Section 1352.
   (b) On and after July 1, 2001, every health care service plan
shall, upon request, provide to enrollees and subscribers a written
statement that describes how the contracting organization or health
care service plan maintains the confidentiality of medical
information obtained by and in the possession of the contracting
organization or the health care service plan.
   (c) The statement required by subdivision (b) shall be in at least
12-point type and meet the following requirements:
   (1) The statement shall describe how the contracting organization
or health care service plan protects the confidentiality of medical
information pursuant to this article and inform patients or enrollees
and subscribers that any disclosure of medical information beyond
the provisions of the law is prohibited.
   (2) The statement shall describe the types of personal information
that may be collected and the type of sources that may be used to
collect the information, the purposes for which the contracting
organization or plan will obtain medical information from other
health care providers.
   (3) The statement shall describe the circumstances under which
medical information may be disclosed without prior authorization,
pursuant to Section 56.10 of the Civil Code.
   (4) The statement shall describe how patients or enrollees and
subscribers may obtain access to medical information created by and
in the possession of the contracting organization or health care
service plan, including copies of medical information.
   (d) On and after July 1, 2001, every health care service plan
shall include in its evidence of coverage or disclosure form the
following notice, in 12-point type:
A STATEMENT DESCRIBING (NAME OR PLAN OR "OUR") POLICIES AND
PROCEDURES FOR PRESERVING THE CONFIDENTIALITY OF MEDICAL RECORDS IS
AVAILABLE AND WILL BE FURNISHED TO YOU UPON REQUEST.
  SEC. 11.  Section 1386 of the Health and Safety Code is amended to
read:
   1386.  (a) The director may, after appropriate notice and
opportunity for a hearing by order, suspend, or revoke any license
issued under this chapter to a health care service plan or assess
administrative penalties if the director determines that the licensee
has committed any of the acts or omissions constituting grounds for
disciplinary action.
   (b) The following acts or omissions constitute grounds for
disciplinary action by the director:
   (1) The plan is operating at variance with the basic
organizational documents as filed pursuant to Section 1351 or 1352,
or with its published plan, or in any manner contrary to that
described in, and reasonably inferred from, the plan as contained in
its application for licensure and annual report, or any modification
thereof, unless amendments allowing the variation have been submitted
to, and approved by, the director.
   (2) The plan has issued, or permits others to use, evidence of
coverage or uses a schedule of charges for health care services which
do not comply with those published in the latest evidence of
coverage found unobjectionable by the director.
   (3) The plan does not provide basic health care services to its
enrollees and subscribers as set forth in the evidence of coverage.
This subdivision shall not apply to specialized health care service
plan contracts.
   (4) The plan is no longer able to meet the standards set forth in
Article 5 (commencing with Section 1367).
   (5) The continued operation of the plan will constitute a
substantial risk to its subscribers and enrollees.
   (6) The plan has violated or attempted to violate, or conspired to
violate, directly or indirectly, or assisted in or abetted a
violation or conspiracy to violate any provision of this chapter, any
rule or regulation adopted by the director pursuant to this chapter,
or any order issued by the director.
   (7) The plan has engaged in any conduct that constitutes fraud or
dishonest dealing or unfair competition, as defined by Section 17200
of the Business and Professions Code.
   (8) The plan has permitted, or aided or abetted any violation by
an employee or contractor who is a holder of any certificate,
license, permit, registration or exemption issued pursuant to the
Business and Professions Code, or this code which would constitute
grounds for discipline against the certificate, license, permit,
registration, or exemption.
   (9) The plan has aided or abetted or permitted the commission of
any illegal act.
   (10) The engagement of a person as an officer, director, employee,
associate, or provider of the plan contrary to the provisions of an
order issued by the director pursuant to subdivision (c) of this
section or subdivision (d) of Section 1388.
   (11) The engagement of a person as a solicitor or supervisor of
solicitation contrary to the provisions of an order issued by the
director pursuant to Section 1388.
   (12) The plan, its management company, or any other affiliate of
the plan, or any controlling person, officer, director, or other
person occupying a principal management or supervisory position in
the plan, management company or affiliate, has been convicted of or
pleaded nolo contendere to a crime, or committed any act involving
dishonesty, fraud, or deceit, which crime or act is substantially
related to the qualifications, functions, or duties of a person
engaged in business in accordance with this chapter.  The director
may revoke or deny a license hereunder irrespective of a subsequent
order under the provisions of Section 1203.4 of the Penal Code.
   (13) The plan violates Section 510, 2056, or 2056.1 of the
Business and Professions Code.
   (14) The plan has been subject to a final disciplinary action
taken by this state, another state, an agency of the federal
government, or another country, for any act or omission that would
constitute a violation of this chapter.
   (15) The plan violates the Confidentiality of Medical Information
Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil
Code).
   (c) (1) The director may prohibit any person from serving as an
officer, director, employee, associate, or provider of any plan or
solicitor firm, or of any management company of any plan, or as a
solicitor, if either of the following applies:
   (A) The prohibition is in the public interest and the person has
committed, caused, participated in, or had knowledge of a violation
of this chapter by a plan, management company, or solicitor firm.
   (B) The person was an officer, director, employee, associate, or
provider of a plan or of a management company or solicitor firm of
any plan whose license has been suspended or revoked pursuant to this
section and the person had knowledge of, or participated in, any of
the prohibited acts for which the license was suspended or revoked.
   (2) A proceeding for the issuance of an order under this
subdivision may be included with a proceeding against a plan under
this section or may constitute a separate proceeding, subject in
either case to subdivision (d).
   (d) A proceeding under this section shall be subject to
appropriate notice to, and the opportunity for a hearing with regard
to, the person affected in accordance with subdivision (a) of Section
1397.
  SEC. 12.  Section 791.02 of the Insurance Code is amended to read:

   791.02.  As used in this act:
   (a) (1) "Adverse underwriting decision" means any of the following
actions with respect to insurance transactions involving insurance
coverage that is individually underwritten:
   (A) A declination of insurance coverage.
   (B) A termination of insurance coverage.
   (C) Failure of an agent to apply for insurance coverage with a
specific insurance institution that the agent represents and that is
requested by an applicant.
   (D) In the case of a property or casualty insurance coverage:
   (i) Placement by an insurance institution or agent of a risk with
a residual market mechanism, with an unauthorized insurer, or with an
insurance institution that provides insurance to other than
preferred or standard risks, if in fact the placement is at other
than a preferred or standard rate.  An adverse underwriting decision,
in case of placement with an insurance institution which provides
insurance to other than preferred or standard risks, shall not
include such placement where the applicant or insured did not specify
or apply for placement as a preferred or standard risk or placement
with a particular company insuring preferred or standard risks, or
   (ii) The charging of a higher rate on the basis of information
which differs from that which the applicant or policyholder
furnished.
   (E) In the case of a life, health, or disability insurance
coverage, an offer to insure at higher than standard rates.
   (2) Notwithstanding paragraph (1), any of the following actions
shall not be considered adverse underwriting decisions but the
insurance institution or agent responsible for their occurrence shall
nevertheless provide the applicant or policyholder with the specific
reason or reasons for their occurrence:
   (A) The termination of an individual policy form on a class or
statewide basis.
   (B) A declination of insurance coverage solely because such
coverage is not available on a class or statewide basis.
   (C) The rescission of a policy.
   (b) "Affiliate" or "affiliated" means a person that directly, or
indirectly through one or more intermediaries, controls, is
controlled by or is under common control with another person.
   (c) "Agent" means any person licensed pursuant to Chapter 5
(commencing with Section 1621), Chapter 5A (commencing with Section
1759), Chapter 6 (commencing with Section 1760), Chapter 7
(commencing with Section 1800), or Chapter 8 (commencing with Section
1831).
   (d) "Applicant" means any person who seeks to contract for
insurance coverage other than a person seeking group insurance that
is not individually underwritten.
   (e) "Consumer report" means any written, oral, or other
communication of information bearing on a natural person's
creditworthiness, credit standing, credit capacity, character,
general reputation, personal characteristics, or mode of living that
is used or expected to be used in connection with an insurance
transaction.
   (f) "Consumer reporting agency" means any person who:
   (1) Regularly engages, in whole or in part, in the practice of
assembling or preparing consumer reports for a monetary fee.
   (2) Obtains information primarily from sources other than
insurance institutions.
   (3) Furnishes consumer reports to other persons.
   (g) "Control," including the terms "controlled by" or "under
common control with," means the possession, direct or indirect, of
the power to direct or cause the direction of the management and
policies of a person, whether through the ownership of voting
securities, by contract other than a commercial contract for goods or
nonmanagement services, or otherwise, unless the power is the result
of an official position with or corporate office held by the person.

   (h) "Declination of insurance coverage" means a denial, in whole
or in part, by an insurance institution or agent of requested
insurance coverage.
   (i) "Individual" means any natural person who:
   (1) In the case of property or casualty insurance, is a past,
present or proposed named insured or certificate holder;
   (2) In the case of life or disability insurance, is a past,
present or proposed principal insured or certificate holder;
   (3) Is a past, present or proposed policyowner;
   (4) Is a past or present applicant;
   (5) Is a past or present claimant; or
   (6) Derived, derives, or is proposed to derive insurance coverage
under an insurance policy or certificate subject to this act.
   (j) "Institutional source" means any person or governmental entity
that provides information about an individual to an agent, insurance
institution, or insurance-support organization, other than:
   (1) An agent,
   (2) The individual who is the subject of the information, or
   (3) A natural person acting in a personal capacity rather than in
a business or professional capacity.
   (k) "Insurance institution" means any corporation, association,
partnership, reciprocal exchange, interinsurer, Lloyd's insurer,
fraternal benefit society, or other person engaged in the business of
insurance.  "Insurance institution" shall not include agents,
insurance-support organizations, or health care  service plans
regulated pursuant to the Knox-Keene Health Care Service Plan Act,
Chapter 2.2 (commencing with Section 1340) of Division 2 of the
Health and Safety Code.
   (l) "Insurance-support organization" means:
   (1) Any person who regularly engages, in whole or in part, in the
business of assembling or collecting information about natural
persons for the primary purpose of providing the information to an
insurance institution or agent for insurance transactions, including:

   (A) The furnishing of consumer reports or investigative consumer
reports to an insurance institution or agent for use in connection
with an insurance transaction, or
   (B) The collection of personal information from insurance
institutions, agents, or other insurance-support organizations for
the purpose of detecting or preventing fraud, material
misrepresentation or material nondisclosure in connection with
insurance underwriting or insurance claim activity.
   (2) Notwithstanding paragraph (1), the following persons shall not
be considered "insurance-support organizations":  agents,
governmental institutions, insurance institutions, medical care
institutions, medical professionals, and peer review committees.
   (m) "Insurance transaction" means any transaction involving
insurance primarily for personal, family, or household needs rather
than business or professional needs that entails:
   (1) The determination of an individual's eligibility for an
insurance coverage, benefit, or payment, or
   (2) The servicing of an insurance application, policy, contract,
or certificate.
   (n) "Investigative consumer report" means a consumer report or
portion thereof in which information about a natural person's
character, general reputation, personal characteristics, or mode of
living is obtained through personal interviews with the person's
neighbors, friends, associates, acquaintances, or others who may have
knowledge concerning those items of information.
   (o) "Medical care institution" means any facility or institution
that is licensed to provide health care services to natural persons,
including but not limited to, hospitals, skilled nursing facilities,
home health agencies, medical clinics, rehabilitation agencies, and
public health agencies.
   (p) "Medical professional" means any person licensed or certified
to provide health care services to natural persons, including but not
limited to, a physician, dentist, nurse, optometrist, physical or
occupational therapist, psychiatric social worker, clinical
dietitian, clinical psychologist, chiropractor, pharmacist, or speech
therapist.
   (q) "Medical record information" means personal information that:

   (1) Relates to an individual's physical or mental condition,
medical history or medical treatment, and
   (2) Is obtained from a medical professional or medical care
institution, from the individual, or from the individual's spouse,
parent, or legal guardian.
   (r) "Person" means any natural person, corporation, association,
partnership, limited liability company, or other legal entity.
   (s) "Personal information" means any individually identifiable
information gathered in connection with an insurance transaction from
which judgments can be  made about an individual's character,
habits, avocations, finances, occupation, general reputation, credit,
health, or any other personal characteristics.  "Personal
information" includes an individual's name and address and "medical
record information" but does not include "privileged information."
   (t) "Policyholder" means any person who:
   (1) In the case of individual property or casualty insurance, is a
present named insured;
   (2) In the case of individual life or disability insurance, is a
present policyowner; or
   (3) In the case of group insurance, which is individually
underwritten, is a present group certificate holder.
   (u) "Pretext interview" means an interview whereby a person, in an
attempt to obtain information about a natural person, performs one
or more of the following acts:
   (1) Pretends to be someone he or she is not,
   (2) Pretends to represent a person he or she is not in fact
representing,
   (3) Misrepresents the true purpose of the interview, or
   (4) Refuses to identify himself or herself upon request.
   (v) "Privileged information" means any individually identifiable
information that both:
   (1) Relates to a claim for insurance benefits or a civil or
criminal proceeding involving an individual.
   (2) Is collected in connection with or in reasonable anticipation
of a claim for insurance benefits or civil or criminal proceeding
involving an individual.  However, information otherwise meeting the
requirements of this division shall nevertheless be considered
"personal information" under this act if it is disclosed in violation
of Section 791.13.
   (w) "Residual market mechanism" means the California FAIR Plan
Association, Chapter 10 (commencing with Section 10101) of Part 1 of
Division 2, and the assigned risk plan, Chapter 1 (commencing with
Section 11550) of Part 3 of Division 2.
   (x) "Termination of insurance coverage" or "termination of an
insurance policy" means either a cancellation or nonrenewal of an
insurance policy, in whole or in part, for any reason other than the
failure to pay a premium as required by the policy.
   (y) "Unauthorized insurer" means an insurance institution that has
not been granted a certificate of authority by the director to
transact the business of insurance in this state.
   (z) "Commissioner" means the Insurance Commissioner.
  SEC. 13.  No reimbursement is required by this act pursuant to
Section 6 of Article XIIIB of the California Constitution because the
only costs that may be incurred by a local agency or school district
will be incurred because this act creates a new crime or infraction,
eliminates a crime or infraction, or changes the penalty for a crime
or infraction, within the meaning of Section 17556 of the Government
Code, or changes the definition of a crime within the meaning of
Section 6 of Article XIIIB of the California Constitution.