BILL NUMBER: SB 19 CHAPTERED 09/28/99 CHAPTER 526 FILED WITH SECRETARY OF STATE SEPTEMBER 28, 1999 APPROVED BY GOVERNOR SEPTEMBER 27, 1999 PASSED THE SENATE SEPTEMBER 8, 1999 PASSED THE ASSEMBLY SEPTEMBER 7, 1999 AMENDED IN ASSEMBLY SEPTEMBER 7, 1999 AMENDED IN ASSEMBLY SEPTEMBER 3, 1999 AMENDED IN ASSEMBLY AUGUST 16, 1999 AMENDED IN ASSEMBLY JULY 7, 1999 AMENDED IN ASSEMBLY JULY 2, 1999 AMENDED IN SENATE APRIL 20, 1999 INTRODUCED BY Senator Figueroa and Assembly Member Davis (Coauthors: Assembly Members Gallegos, Kuehl, and Machado) DECEMBER 7, 1998 An act to amend Sections 56.05, 56.10, 56.11, 56.12, 56.14, 56.30, 56.36, and 56.37 of, and to add Section 56.101 to, the Civil Code, to amend Section 1386 of, and to add Section 1364.5 to, the Health and Safety Code, and to amend Section 791.02 of the Insurance Code, relating to medical records. LEGISLATIVE COUNSEL'S DIGEST SB 19, Figueroa. Medical records: confidentiality. Existing law, known as the Confidentiality of Medical Information Act, prohibits the disclosure of medical information, as defined, by providers of health care, as defined, including certain health care service plans, except in specified circumstances. Unauthorized disclosure that results in economic loss or personal injury to a patient is a misdemeanor. Existing law provides for licensure and regulation of health care service plans by the Commissioner of Corporations. This bill would revise the definition of providers of health care, and make the prohibitions on disclosure of medical information applicable also to all health care service plans, and contractors, as defined. The bill would expressly prohibit (1) negligent disposal or destruction of medical information and (2) the intentional sharing, sale, or use of medical information for any purpose not necessary to provide health care services to the patient, except as otherwise authorized. The bill would permit disclosure of medical information for purposes of encoding or encrypting data, governmental reporting and chronic disease management programs, as specified. The bill would provide that violation of the act would be grounds for suspension of revocation of a health care service plan's license and would create a right of action to recover damages, as specified, for any individual whose confidential information or records are negligently released and would additionally provide for specified administrative and civil penalties. The bill would also prohibit a provider of health care or a health care service plan and its contractors from requiring a patient, as a condition to receiving health care services, to sign an authorization, release, or consent, or waiver permitting the disclosure of any medical information subject to confidentiality protections provided by law. The bill would authorize a health care service plan or disability insurer to require disclosure of the medical information as a condition of the medical underwriting process. The bill would require every health care service plan to have policies and procedures in place to protect the security of medical information, as specified. The bill would additionally require every health care service plan, on and after July 1, 2001, to provide enrollees, upon request, with a written statement describing how the plan maintains the confidentiality of medical information, as specified. Existing provisions of the Insurance Information and Privacy Protection Act regulate certain practices by insurers and, for that purpose, include health care service plans, within the definition of insurance. This bill would delete this provision, and would make related changes. By changing the definition of a crime, the bill would impose a state-mandated local program. The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement. This bill would provide that no reimbursement is required by this act for a specified reason. THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS: SECTION 1. Section 56.05 of the Civil Code is amended to read: 56.05. For purposes of this part: (a) "Authorization" means permission granted in accordance with Section 56.11 or 56.21 for the disclosure of medical information. (b) "Authorized recipient" means any person who is authorized to receive medical information pursuant to Section 56.10 or 56.20. (c) "Contractor" means any person or entity that is a medical group, independent practice association, pharmaceutical benefits manager, or a medical service organization and is not a health care service plan or provider of health care. "Contractor" shall not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code or pharmaceutical benefits managers licensed pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code). (d) "Health care service plan" means any entity regulated pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code). (e) "Licensed health care professional" means any person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code, the Osteopathic Initiative Act or the Chiropractic Initiative Act, or Division 2.5 (commencing with Section 1797) of the Health and Safety Code. (f) "Medical information" means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care or health care service plan regarding a patient's medical history, mental or physical condition, or treatment. "Individually identifiable" means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity. (g) "Patient" means any natural person, whether or not still living, who received health care services from a provider of health care and to whom medical information pertains. (h) "Provider of health care" means any person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code; any person licensed pursuant to the Osteopathic Initiative Act or the Chiropractic Initiative Act; any person certified pursuant to Division 2.5 (commencing with Section 1797) of the Health and Safety Code; any clinic, health dispensary, or health facility licensed pursuant to Division 2 (commencing with Section 1200) of the Health and Safety Code. "Provider of health care" shall not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code. SEC. 2. Section 56.10 of the Civil Code is amended to read: 56.10. (a) No provider of health care, or health care service plan, or contractor shall disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan without first obtaining an authorization, except as provided in subdivision (b) or (c). (b) A provider of health care, a health care service plan, or a contractor shall disclose medical information if the disclosure is compelled by any of the following: (1) By a court pursuant to an order of that court. (2) By a board, commission, or administrative agency for purposes of adjudication pursuant to its lawful authority. (3) By a party to a proceeding before a court or administrative agency pursuant to a subpoena, subpoena duces tecum, notice to appear served pursuant to Section 1987 of the Code of Civil Procedure, or any provision authorizing discovery in a proceeding before a court or administrative agency. (4) By a board, commission, or administrative agency pursuant to an investigative subpoena issued under Article 2 (commencing with Section 11180) of Chapter 2 of Part 1 of Division 3 of Title 2 of the Government Code. (5) By an arbitrator or arbitration panel, when arbitration is lawfully requested by either party, pursuant to a subpoena duces tecum issued under Section 1282.6 of the Code of Civil Procedure, or any other provision authorizing discovery in a proceeding before an arbitrator or arbitration panel. (6) By a search warrant lawfully issued to a governmental law enforcement agency. (7) By the patient or the patient's representative pursuant to Chapter 1 (commencing with Section 123100) of Part 1 of Division 106 of the Health and Safety Code. (8) When otherwise specifically required by law. (c) A provider of health care, or a health care service plan may disclose medical information as follows: (1) The information may be disclosed to providers of health care, health care service plans, or other health care professionals or facilities for purposes of diagnosis or treatment of the patient. This includes, in an emergency situation, the communication of patient information by radio transmission between emergency medical personnel at the scene of an emergency, or in an emergency medical transport vehicle, and emergency medical personnel at a health facility licensed pursuant to Chapter 2 (commencing with Section 1200) of Division 2 of the Health and Safety Code. (2) The information may be disclosed to an insurer, employer, health care service plan, hospital service plan, employee benefit plan, governmental authority, or any other person or entity responsible for paying for health care services rendered to the patient, to the extent necessary to allow responsibility for payment to be determined and payment to be made. If (A) the patient is, by reason of a comatose or other disabling medical condition, unable to consent to the disclosure of medical information and (B) no other arrangements have been made to pay for the health care services being rendered to the patient, the information may be disclosed to a governmental authority to the extent necessary to determine the patient's eligibility for, and to obtain, payment under a governmental program for health care services provided to the patient. The information may also be disclosed to another provider of health care or health care service plan as necessary to assist the other provider or health care service plan in obtaining payment for health care services rendered by that provider of health care or health care service plan to the patient. (3) The information may be disclosed to any person or entity that provides billing, claims management, medical data processing, or other administrative services for providers of health care or health care service plans or for any of the persons or entities specified in paragraph (2). However, no information so disclosed shall be further disclosed by the recipient in any way that would be violative of this part. (4) The information may be disclosed to organized committees and agents of professional societies or of medical staffs of licensed hospitals, licensed health care service plans, professional standards review organizations, utilization and quality control peer review organizations as established by Congress in Public Law 97-248 in 1982, or persons or organizations insuring, responsible for, or defending professional liability that a provider may incur, if the committees, agents, plans, organizations, or persons are engaged in reviewing the competence or qualifications of health care professionals or in reviewing health care services with respect to medical necessity, level of care, quality of care, or justification of charges. (5) The information in the possession of any provider of health care or health care service plan may be reviewed by any private or public body responsible for licensing or accrediting the provider of health care or health care service plan. However, no patient identifying medical information may be removed from the premises except as expressly permitted or required elsewhere by law. (6) The information may be disclosed to the county coroner in the course of an investigation by the coroner's office. (7) The information may be disclosed to public agencies, clinical investigators, including investigators conducting epidemiologic studies, health care research organizations, and accredited public or private nonprofit educational or health care institutions for bona fide research purposes. However, no information so disclosed shall be further disclosed by the recipient in any way that would disclose the identity of any patient or be violative of this part. (8) A provider of health care or health care service plan that has created medical information as a result of employment-related health care services to an employee conducted at the specific prior written request and expense of the employer may disclose to the employee's employer that part of the information that: (A) Is relevant in a law suit, arbitration, grievance, or other claim or challenge to which the employer and the employee are parties and in which the patient has placed in issue his or her medical history, mental or physical condition, or treatment, provided that information may only be used or disclosed in connection with that proceeding. (B) Describes functional limitations of the patient that may entitle the patient to leave from work for medical reasons or limit the patient's fitness to perform his or her present employment, provided that no statement of medical cause is included in the information disclosed. (9) Unless the provider of health care or health care service plan is notified in writing of an agreement by the sponsor, insurer, or administrator to the contrary, the information may be disclosed to a sponsor, insurer, or administrator of a group or individual insured or uninsured plan or policy that the patient seeks coverage by or benefits from, if the information was created by the provider of health care or health care service plan as the result of services conducted at the specific prior written request and expense of the sponsor, insurer, or administrator for the purpose of evaluating the application for coverage or benefits. (10) The information may be disclosed to a health care service plan by providers of health care that contract with the health care service plan and may be transferred among providers of health care that contract with the health care service plan, for the purpose of administering the health care service plan. Medical information may not otherwise be disclosed by a health care service plan except in accordance with the provisions of this part. (11) Nothing in this part shall prevent the disclosure by a provider of health care or a health care service plan to an insurance institution, agent, or support organization, subject to Article 6.6 (commencing with Section 791) of Part 2 of Division 1 of the Insurance Code, of medical information if the insurance institution, agent, or support organization has complied with all requirements for obtaining the information pursuant to Article 6.6 (commencing with Section 791) of Part 2 of Division 1 of the Insurance Code. (12) The information relevant to the patient's condition and care and treatment provided may be disclosed to a probate court investigator engaged in determining the need for an initial conservatorship or continuation of an existent conservatorship, if the patient is unable to give informed consent, or to a probate court investigator, probation officer, or domestic relations investigator engaged in determining the need for an initial guardianship or continuation of an existent guardianship. (13) The information may be disclosed to an organ procurement organization or a tissue bank processing the tissue of a decedent for transplantation into the body of another person, but only with respect to the donating decedent, for the purpose of aiding the transplant. For the purpose of this paragraph, the terms "tissue bank" and "tissue" have the same meaning as defined in Section 1635 of the Health and Safety Code. (14) The information may be disclosed when the disclosure is otherwise specifically authorized by law, such as the voluntary reporting, either directly or indirectly, to the federal Food and Drug Administration of adverse events related to drug products or medical device problems. (15) Basic information including the patient's name, city of residence, age, sex, and general condition may be disclosed to a state or federally recognized disaster relief organization for the purpose of responding to disaster welfare inquiries. (16) The information may be disclosed to a third party for purposes of encoding, encrypting, or otherwise anonymizing data. However, no information so disclosed shall be further disclosed by the recipient in any way that would be violative of this part, including the unauthorized manipulation of coded or encrypted medical information that reveals individually identifiable medical information. (17) For purposes of chronic disease management programs, information may be disclosed to any entity contracting with a health care service plan to monitor or administer care of enrollees for a covered benefit, provided that the disease management services and care are authorized by a treating physician. (d) Except to the extent expressly authorized by the patient or enrollee or subscriber or as provided by subdivisions (b) and (c), no provider of health care, health care service plan, or contractor shall intentionally share, sell, or otherwise use any medical information for any purpose not necessary to provide health care services to the patient. (e) Except to the extent expressly authorized by the patient or enrollee or subscriber or as provided by subdivisions (b) and (c), no contractor shall further disclose medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan or insurer or self-insured employer received under this section to any person or entity that is not engaged in providing direct health care services to the patient or his or her provider of health care or health care service plan or insurer or self-insured employer. SEC. 3. Section 56.101 is added to the Civil Code, to read: 56.101. Every provider of health care, health care service plan, or contractor who creates, maintains, preserves, stores, abandons, or destroys medical records shall do so in a manner that preserves the confidentiality of the information contained therein. Any provider of health care, health care service plan, or contractor who negligently disposes, abandons, or destroys medical records shall be subject to the provisions of this part. SEC. 4. Section 56.11 of the Civil Code is amended to read: 56.11. An authorization for the release of medical information by a provider of health care, a health care service plan, or contractor shall be valid if it: (a) Is handwritten by the person who signs it or is in typeface no smaller than 8-point type. (b) Is clearly separate from any other language present on the same page and is executed by a signature which serves no other purpose than to execute the authorization. (c) Is signed and dated by one of the following: (1) The patient. A patient who is a minor may only sign an authorization for the release of medical information obtained by a provider of health care, health care service plan, or contractor in the course of furnishing services to which the minor could lawfully have consented under Part 1 (commencing with Section 25) or Part 2.7 (commencing with Section 60). (2) The legal representative of the patient, if the patient is a minor or an incompetent. However, authorization may not be given under this subdivision for the disclosure of medical information obtained by the provider of health care, a health care service plan, or a contractor in the course of furnishing services to which a minor patient could lawfully have consented under Part 1 (commencing with Section 25) or Part 2.7 (commencing with Section 60). (3) The spouse of the patient or the person financially responsible for the patient, where the medical information is being sought for the sole purpose of processing an application for health insurance or for enrollment in a nonprofit hospital plan, a health care service plan, or an employee benefit plan, and where the patient is to be an enrolled spouse or dependent under the policy or plan. (4) The beneficiary or personal representative of a deceased patient. (d) States the specific uses and limitations on the types of medical information to be disclosed. (e) States the name or functions of the provider of health care, health care service plan, or contractor that may disclose the medical information. (f) States the name or functions of the persons or entities authorized to receive the medical information. (g) States the specific uses and limitations on the use of the medical information by the persons or entities authorized to receive the medical information. (h) States a specific date after which the provider of health care, health care service plan, or contractor is no longer authorized to disclose the medical information. (i) Advises the person signing the authorization of the right to receive a copy of the authorization. SEC. 5. Section 56.12 of the Civil Code is amended to read: 56.12. Upon demand by the patient or the person who signed an authorization, a provider of health care, a health care service plan, or contractor possessing the authorization shall furnish a true copy thereof. SEC. 6. Section 56.14 of the Civil Code is amended to read: 56.14. A provider of health care, health care service plan, or contractor that discloses medical information pursuant to the authorizations required by this chapter shall communicate to the person or entity to which it discloses the medical information any limitations in the authorization regarding the use of the medical information. No provider of health care, health care service plan, or contractor that has attempted in good faith to comply with this provision shall be liable for any unauthorized use of the medical information by the person or entity to which the provider, plan, or contractor disclosed the medical information. SEC. 7. Section 56.30 of the Civil Code is amended to read: 56.30. The disclosure and use of the following medical information shall not be subject to the limitations of this part: (a) (Mental health and developmental disabilities) Information and records obtained in the course of providing services under Division 4 (commencing with Section 4001), Division 4.1 (commencing with Section 4400), Division 4.5 (commencing with Section 4500), Division 5 (commencing with Section 5000), Division 6 (commencing with Section 6000), or Division 7 (commencing with Section 7100) of the Welfare and Institutions Code. (b) (Public social services) Information and records that are subject to Sections 10850, 14124.1, and 14124.2 of the Welfare and Institutions Code. (c) (State health services, communicable diseases, developmental disabilities) Information and records maintained pursuant to former Chapter 2 (commencing with Section 200) of Part 1 of Division 1 of the Health and Safety Code and pursuant to the Communicable Disease Prevention and Control Act (subdivision (a) of Section 27 of the Health and Safety Code). (d) (Licensing and statistics) Information and records maintained pursuant to Division 2 (commencing with Section 1200) and Part 1 (commencing with Section 102100) of the Health and Safety Code; pursuant to Chapter 3 (commencing with Section 1200) of Division 2 of the Business and Professions Code; and pursuant to Section 8608, 8817, or 8909 of the Family Code. (e) (Medical survey, workers' safety) Information and records acquired and maintained or disclosed pursuant to Sections 1380 and 1382 of the Health and Safety Code and pursuant to Division 5 (commencing with Section 6300) of the Labor Code. (f) (Industrial accidents) Information and records acquired, maintained, or disclosed pursuant to Division 1 (commencing with Section 50), Division 4 (commencing with Section 3201), Division 4.5 (commencing with Section 6100), and Division 4.7 (commencing with Section 6200) of the Labor Code. (g) (Law enforcement) Information and records maintained by a health facility which are sought by a law enforcement agency under Chapter 3.5 (commencing with Section 1543) of Title 12 of Part 2 of the Penal Code. (h) (Investigations of employment accident or illness) Information and records sought as part of an investigation of an on-the-job accident or illness pursuant to Division 5 (commencing with Section 6300) of the Labor Code or pursuant to Section 105200 of the Health and Safety Code. (i) (Alcohol or drug abuse) Information and records subject to the federal alcohol and drug abuse regulations (Part 2 (commencing with Section 2.1) of subchapter A of Chapter 1 of Title 42 of the Code of Federal Regulations) or to Section 11977 of the Health and Safety Code dealing with narcotic and drug abuse. (j) (Patient discharge data) Nothing in this part shall be construed to limit, expand, or otherwise affect the authority of the California Health Facilities Commission to collect patient discharge information from health facilities pursuant to Section 441.18 of the Health and Safety Code. (k) Medical information and records disclosed to, and their use by, the Insurance Commissioner, the Director of the Department of Managed Care, the Division of Industrial Accidents, the Workers' Compensation Appeals Board, the Department of Insurance, or the Department of Managed Care. SEC. 8. Section 56.36 of the Civil Code is amended to read: 56.36. (a) Any violation of the provisions of this part that results in economic loss or personal injury to a patient is punishable as a misdemeanor. (b) In addition to any other remedies available at law, any individual may bring an action against any person or entity who has negligently released confidential information or records concerning him or her in violation of this part, for either or both of the following: (1) Nominal damages of one thousand dollars ($1,000). In order to recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual damages. (2) The amount of actual damages, if any, sustained by the patient. (c) (1) In addition, any person or entity that negligently discloses medical information in violation of the provisions of this part shall also be liable, irrespective of the amount of damages suffered by the patient as a result of that violation, for an administrative fine or civil penalty not to exceed two thousand five hundred dollars ($2,500) per violation. (2) (A) Any person or entity, other than a licensed health care professional, who knowingly and willfully obtains, discloses, or uses medical information in violation of this part shall be liable for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation. (B) Any licensed health care professional, who knowingly and willfully obtains, discloses, or uses medical information in violation of this part shall be liable on a first violation, for an administrative fine or civil penalty not to exceed two thousand five hundred dollars ($2,500) per violation, or on a second violation for an administrative fine or civil penalty not to exceed ten thousand dollars ($10,000) per violation, or on a third and subsequent violation for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation. Nothing in this subdivision shall be construed to limit the liability of a health care service plan, a contractor, or a provider of health care that is not a licensed health care professional for any violation of this part. (3) (A) Any person or entity, other than a licensed health care professional, who knowingly or willfully obtains or uses medical information in violation of this part for the purpose of financial gain shall be liable for an administrative fine or civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation and shall also be subject to disgorgement of any proceeds or other consideration obtained as a result of the violation. (B) Any licensed health care professional, who knowingly and willfully obtains, discloses, or uses medical information in violation of this part for financial gain shall be liable on a first violation, for an administrative fine or civil penalty not to exceed five thousand dollars ($5,000) per violation, or on a second violation for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation, or on a third and subsequent violation for an administrative fine or civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation and shall also be subject to disgorgement of any proceeds or other consideration obtained as a result of the violation. Nothing in this subdivision shall be construed to limit the liability of a health care service plan, a contractor, or a provider of health care that is not a licensed health care professional for any violation of this part. (4) Nothing in this subdivision shall be construed as authorizing an administrative fine or civil penalty under both paragraphs (2) and (3) for the same violation. (5) Any person or entity who is not permitted to receive medical information pursuant to this part and who knowingly and willfully obtains, discloses, or uses medical information without written authorization from the patient shall be liable for a civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation. (d) In assessing the amount of an administrative fine or civil penalty pursuant to subdivision (c), the licensing agency or certifying board or court shall consider any one or more of the relevant circumstances presented by any of the parties to the case including, but not limited to, the following: (1) Whether the defendant has made a reasonable, good faith attempt to comply with this part. (2) The nature and seriousness of the misconduct. (3) The harm to the patient, enrollee, or subscriber. (4) The number of violations. (5) The persistence of the misconduct. (6) The length of time over which the misconduct occurred. (7) The willfulness of the defendant's misconduct. (8) The defendant's assets, liabilities, and net worth. (e) (1) The civil penalty pursuant to subdivision (c) shall be assessed and recovered in a civil action brought in the name of the people of the State of California in any court of competent jurisdiction by any of the following: (A) The Attorney General. (B) Any district attorney. (C) Any county counsel authorized by agreement with the district attorney in actions involving violation of a county ordinance. (D) Any city attorney of a city. (E) Any city attorney of a city and county having a population in excess of 750,000, with the consent of the district attorney. (F) A city prosecutor in any city having a full-time city prosecutor or, with the consent of the district attorney, by a city attorney in any city and county. (2) If the action is brought by the Attorney General, one-half of the penalty collected shall be paid to the treasurer of the county in which the judgment was entered, and one-half to the General Fund. If the action is brought by a district attorney or county counsel, the penalty collected shall be paid to the treasurer of the county in which the judgment was entered. Except as provided in paragraph (3), if the action is brought by a city attorney or city prosecutor, one-half of the penalty collected shall be paid to the treasurer of the city in which the judgment was entered and one-half to the treasurer of the county in which the judgment was entered. (3) If the action is brought by a city attorney of a city and county, the entire amount of the penalty collected shall be paid to the treasurer of the city and county in which the judgment was entered. (4) Nothing in this section shall be construed as authorizing both an administrative fine and civil penalty for the same violation. (5) Imposition of a fine or penalty provided for in this section shall not preclude imposition of any other sanctions or remedies authorized by law. (f) For purposes of this section, "knowing" and "willful" shall have the same meanings as in Section 7 of the Penal Code. (g) No person who discloses protected medical information in accordance with the provisions of this part shall be subject to the penalty provisions of this part. SEC. 9. Section 56.37 of the Civil Code is amended to read: 56.37. (a) No provider of health care, health care service plan, or contractor may require a patient, as a condition of receiving health care services, to sign an authorization, release, consent, or waiver that would permit the disclosure of medical information that otherwise may not be disclosed under Section 56.10 or any other provision of law. However, a health care service plan or disability insurer may require relevant enrollee or subscriber medical information as a condition of the medical underwriting process, provided that Sections 1374.7 and 1389.1 of the Health and Safety Code are strictly observed. (b) Any waiver by a patient of the provisions of this part, except as authorized by Section 56.11 or 56.21 or subdivision (b) of Section 56.26, shall be deemed contrary to public policy and shall be unenforceable. SEC. 10. Section 1364.5 is added to the Health and Safety Code, to read: 1364.5. (a) On or before July 1, 2001, every health care service plan shall file with the director a copy of their policies and procedures to protect the security of patient medical information to ensure compliance with the Confidentiality of Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code). Any amendment to the policies and procedures shall be filed in accordance with Section 1352. (b) On and after July 1, 2001, every health care service plan shall, upon request, provide to enrollees and subscribers a written statement that describes how the contracting organization or health care service plan maintains the confidentiality of medical information obtained by and in the possession of the contracting organization or the health care service plan. (c) The statement required by subdivision (b) shall be in at least 12-point type and meet the following requirements: (1) The statement shall describe how the contracting organization or health care service plan protects the confidentiality of medical information pursuant to this article and inform patients or enrollees and subscribers that any disclosure of medical information beyond the provisions of the law is prohibited. (2) The statement shall describe the types of personal information that may be collected and the type of sources that may be used to collect the information, the purposes for which the contracting organization or plan will obtain medical information from other health care providers. (3) The statement shall describe the circumstances under which medical information may be disclosed without prior authorization, pursuant to Section 56.10 of the Civil Code. (4) The statement shall describe how patients or enrollees and subscribers may obtain access to medical information created by and in the possession of the contracting organization or health care service plan, including copies of medical information. (d) On and after July 1, 2001, every health care service plan shall include in its evidence of coverage or disclosure form the following notice, in 12-point type: A STATEMENT DESCRIBING (NAME OR PLAN OR "OUR") POLICIES AND PROCEDURES FOR PRESERVING THE CONFIDENTIALITY OF MEDICAL RECORDS IS AVAILABLE AND WILL BE FURNISHED TO YOU UPON REQUEST. SEC. 11. Section 1386 of the Health and Safety Code is amended to read: 1386. (a) The director may, after appropriate notice and opportunity for a hearing by order, suspend, or revoke any license issued under this chapter to a health care service plan or assess administrative penalties if the director determines that the licensee has committed any of the acts or omissions constituting grounds for disciplinary action. (b) The following acts or omissions constitute grounds for disciplinary action by the director: (1) The plan is operating at variance with the basic organizational documents as filed pursuant to Section 1351 or 1352, or with its published plan, or in any manner contrary to that described in, and reasonably inferred from, the plan as contained in its application for licensure and annual report, or any modification thereof, unless amendments allowing the variation have been submitted to, and approved by, the director. (2) The plan has issued, or permits others to use, evidence of coverage or uses a schedule of charges for health care services which do not comply with those published in the latest evidence of coverage found unobjectionable by the director. (3) The plan does not provide basic health care services to its enrollees and subscribers as set forth in the evidence of coverage. This subdivision shall not apply to specialized health care service plan contracts. (4) The plan is no longer able to meet the standards set forth in Article 5 (commencing with Section 1367). (5) The continued operation of the plan will constitute a substantial risk to its subscribers and enrollees. (6) The plan has violated or attempted to violate, or conspired to violate, directly or indirectly, or assisted in or abetted a violation or conspiracy to violate any provision of this chapter, any rule or regulation adopted by the director pursuant to this chapter, or any order issued by the director. (7) The plan has engaged in any conduct that constitutes fraud or dishonest dealing or unfair competition, as defined by Section 17200 of the Business and Professions Code. (8) The plan has permitted, or aided or abetted any violation by an employee or contractor who is a holder of any certificate, license, permit, registration or exemption issued pursuant to the Business and Professions Code, or this code which would constitute grounds for discipline against the certificate, license, permit, registration, or exemption. (9) The plan has aided or abetted or permitted the commission of any illegal act. (10) The engagement of a person as an officer, director, employee, associate, or provider of the plan contrary to the provisions of an order issued by the director pursuant to subdivision (c) of this section or subdivision (d) of Section 1388. (11) The engagement of a person as a solicitor or supervisor of solicitation contrary to the provisions of an order issued by the director pursuant to Section 1388. (12) The plan, its management company, or any other affiliate of the plan, or any controlling person, officer, director, or other person occupying a principal management or supervisory position in the plan, management company or affiliate, has been convicted of or pleaded nolo contendere to a crime, or committed any act involving dishonesty, fraud, or deceit, which crime or act is substantially related to the qualifications, functions, or duties of a person engaged in business in accordance with this chapter. The director may revoke or deny a license hereunder irrespective of a subsequent order under the provisions of Section 1203.4 of the Penal Code. (13) The plan violates Section 510, 2056, or 2056.1 of the Business and Professions Code. (14) The plan has been subject to a final disciplinary action taken by this state, another state, an agency of the federal government, or another country, for any act or omission that would constitute a violation of this chapter. (15) The plan violates the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code). (c) (1) The director may prohibit any person from serving as an officer, director, employee, associate, or provider of any plan or solicitor firm, or of any management company of any plan, or as a solicitor, if either of the following applies: (A) The prohibition is in the public interest and the person has committed, caused, participated in, or had knowledge of a violation of this chapter by a plan, management company, or solicitor firm. (B) The person was an officer, director, employee, associate, or provider of a plan or of a management company or solicitor firm of any plan whose license has been suspended or revoked pursuant to this section and the person had knowledge of, or participated in, any of the prohibited acts for which the license was suspended or revoked. (2) A proceeding for the issuance of an order under this subdivision may be included with a proceeding against a plan under this section or may constitute a separate proceeding, subject in either case to subdivision (d). (d) A proceeding under this section shall be subject to appropriate notice to, and the opportunity for a hearing with regard to, the person affected in accordance with subdivision (a) of Section 1397. SEC. 12. Section 791.02 of the Insurance Code is amended to read: 791.02. As used in this act: (a) (1) "Adverse underwriting decision" means any of the following actions with respect to insurance transactions involving insurance coverage that is individually underwritten: (A) A declination of insurance coverage. (B) A termination of insurance coverage. (C) Failure of an agent to apply for insurance coverage with a specific insurance institution that the agent represents and that is requested by an applicant. (D) In the case of a property or casualty insurance coverage: (i) Placement by an insurance institution or agent of a risk with a residual market mechanism, with an unauthorized insurer, or with an insurance institution that provides insurance to other than preferred or standard risks, if in fact the placement is at other than a preferred or standard rate. An adverse underwriting decision, in case of placement with an insurance institution which provides insurance to other than preferred or standard risks, shall not include such placement where the applicant or insured did not specify or apply for placement as a preferred or standard risk or placement with a particular company insuring preferred or standard risks, or (ii) The charging of a higher rate on the basis of information which differs from that which the applicant or policyholder furnished. (E) In the case of a life, health, or disability insurance coverage, an offer to insure at higher than standard rates. (2) Notwithstanding paragraph (1), any of the following actions shall not be considered adverse underwriting decisions but the insurance institution or agent responsible for their occurrence shall nevertheless provide the applicant or policyholder with the specific reason or reasons for their occurrence: (A) The termination of an individual policy form on a class or statewide basis. (B) A declination of insurance coverage solely because such coverage is not available on a class or statewide basis. (C) The rescission of a policy. (b) "Affiliate" or "affiliated" means a person that directly, or indirectly through one or more intermediaries, controls, is controlled by or is under common control with another person. (c) "Agent" means any person licensed pursuant to Chapter 5 (commencing with Section 1621), Chapter 5A (commencing with Section 1759), Chapter 6 (commencing with Section 1760), Chapter 7 (commencing with Section 1800), or Chapter 8 (commencing with Section 1831). (d) "Applicant" means any person who seeks to contract for insurance coverage other than a person seeking group insurance that is not individually underwritten. (e) "Consumer report" means any written, oral, or other communication of information bearing on a natural person's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used or expected to be used in connection with an insurance transaction. (f) "Consumer reporting agency" means any person who: (1) Regularly engages, in whole or in part, in the practice of assembling or preparing consumer reports for a monetary fee. (2) Obtains information primarily from sources other than insurance institutions. (3) Furnishes consumer reports to other persons. (g) "Control," including the terms "controlled by" or "under common control with," means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of voting securities, by contract other than a commercial contract for goods or nonmanagement services, or otherwise, unless the power is the result of an official position with or corporate office held by the person. (h) "Declination of insurance coverage" means a denial, in whole or in part, by an insurance institution or agent of requested insurance coverage. (i) "Individual" means any natural person who: (1) In the case of property or casualty insurance, is a past, present or proposed named insured or certificate holder; (2) In the case of life or disability insurance, is a past, present or proposed principal insured or certificate holder; (3) Is a past, present or proposed policyowner; (4) Is a past or present applicant; (5) Is a past or present claimant; or (6) Derived, derives, or is proposed to derive insurance coverage under an insurance policy or certificate subject to this act. (j) "Institutional source" means any person or governmental entity that provides information about an individual to an agent, insurance institution, or insurance-support organization, other than: (1) An agent, (2) The individual who is the subject of the information, or (3) A natural person acting in a personal capacity rather than in a business or professional capacity. (k) "Insurance institution" means any corporation, association, partnership, reciprocal exchange, interinsurer, Lloyd's insurer, fraternal benefit society, or other person engaged in the business of insurance. "Insurance institution" shall not include agents, insurance-support organizations, or health care service plans regulated pursuant to the Knox-Keene Health Care Service Plan Act, Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code. (l) "Insurance-support organization" means: (1) Any person who regularly engages, in whole or in part, in the business of assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions, including: (A) The furnishing of consumer reports or investigative consumer reports to an insurance institution or agent for use in connection with an insurance transaction, or (B) The collection of personal information from insurance institutions, agents, or other insurance-support organizations for the purpose of detecting or preventing fraud, material misrepresentation or material nondisclosure in connection with insurance underwriting or insurance claim activity. (2) Notwithstanding paragraph (1), the following persons shall not be considered "insurance-support organizations": agents, governmental institutions, insurance institutions, medical care institutions, medical professionals, and peer review committees. (m) "Insurance transaction" means any transaction involving insurance primarily for personal, family, or household needs rather than business or professional needs that entails: (1) The determination of an individual's eligibility for an insurance coverage, benefit, or payment, or (2) The servicing of an insurance application, policy, contract, or certificate. (n) "Investigative consumer report" means a consumer report or portion thereof in which information about a natural person's character, general reputation, personal characteristics, or mode of living is obtained through personal interviews with the person's neighbors, friends, associates, acquaintances, or others who may have knowledge concerning those items of information. (o) "Medical care institution" means any facility or institution that is licensed to provide health care services to natural persons, including but not limited to, hospitals, skilled nursing facilities, home health agencies, medical clinics, rehabilitation agencies, and public health agencies. (p) "Medical professional" means any person licensed or certified to provide health care services to natural persons, including but not limited to, a physician, dentist, nurse, optometrist, physical or occupational therapist, psychiatric social worker, clinical dietitian, clinical psychologist, chiropractor, pharmacist, or speech therapist. (q) "Medical record information" means personal information that: (1) Relates to an individual's physical or mental condition, medical history or medical treatment, and (2) Is obtained from a medical professional or medical care institution, from the individual, or from the individual's spouse, parent, or legal guardian. (r) "Person" means any natural person, corporation, association, partnership, limited liability company, or other legal entity. (s) "Personal information" means any individually identifiable information gathered in connection with an insurance transaction from which judgments can be made about an individual's character, habits, avocations, finances, occupation, general reputation, credit, health, or any other personal characteristics. "Personal information" includes an individual's name and address and "medical record information" but does not include "privileged information." (t) "Policyholder" means any person who: (1) In the case of individual property or casualty insurance, is a present named insured; (2) In the case of individual life or disability insurance, is a present policyowner; or (3) In the case of group insurance, which is individually underwritten, is a present group certificate holder. (u) "Pretext interview" means an interview whereby a person, in an attempt to obtain information about a natural person, performs one or more of the following acts: (1) Pretends to be someone he or she is not, (2) Pretends to represent a person he or she is not in fact representing, (3) Misrepresents the true purpose of the interview, or (4) Refuses to identify himself or herself upon request. (v) "Privileged information" means any individually identifiable information that both: (1) Relates to a claim for insurance benefits or a civil or criminal proceeding involving an individual. (2) Is collected in connection with or in reasonable anticipation of a claim for insurance benefits or civil or criminal proceeding involving an individual. However, information otherwise meeting the requirements of this division shall nevertheless be considered "personal information" under this act if it is disclosed in violation of Section 791.13. (w) "Residual market mechanism" means the California FAIR Plan Association, Chapter 10 (commencing with Section 10101) of Part 1 of Division 2, and the assigned risk plan, Chapter 1 (commencing with Section 11550) of Part 3 of Division 2. (x) "Termination of insurance coverage" or "termination of an insurance policy" means either a cancellation or nonrenewal of an insurance policy, in whole or in part, for any reason other than the failure to pay a premium as required by the policy. (y) "Unauthorized insurer" means an insurance institution that has not been granted a certificate of authority by the director to transact the business of insurance in this state. (z) "Commissioner" means the Insurance Commissioner. SEC. 13. No reimbursement is required by this act pursuant to Section 6 of Article XIIIB of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIIIB of the California Constitution.