BILL ANALYSIS
AB 1011
Page 1
ASSEMBLY THIRD READING
AB 1011 (Jones)
As Amended June 1, 2009
Majority vote
HEALTH 18-0 APPROPRIATIONS 13-3
 -----------------------------------------------------------------
|Ayes:|Jones, Fletcher, Adams,   |Ayes:|De Leon, Ammiano,         |
|     |Ammiano, Block, Carter,   |     |Charles Calderon, Davis,  |
|     |Conway, De La Torre, De   |     |Fuentes, Hall, Miller,    |
|     |Leon, Emmerson, Hall,     |     |John A. Perez, Price,     |
|     |Hayashi, Hernandez,       |     |Skinner, Solorio,         |
|     |Bonnie Lowenthal, Nava,   |     |Torlakson, Krekorian      |
|     |V. Manuel Perez, Salas,   |     |                          |
|     |Audra Strickland          |     |                          |
|-----+--------------------------+-----+--------------------------|
|     |                          |Nays:|Nielsen, Duvall, Harkey   |
|     |                          |     |                          |
 -----------------------------------------------------------------
SUMMARY : Requires the Office of Health Information Integrity
(OHII) within the California Health and Human Services Agency
(CHHSA) to report, by April 1, 2010, to the appropriate policy
and fiscal committees of the Legislature on the impact of
federal law changes related to health care technology and the
privacy of health and medical information.
EXISTING FEDERAL LAW :
1)Prohibits, under the federal Health Insurance Portability and
Accountability Act of 1996 (HIPAA), with specified exceptions,
covered entities (generally health care providers, health
plans, and health care clearinghouses, such as billing
services) from using or disclosing protected health
information (PHI), and generally requires a covered entity to
make reasonable efforts to limit the use or disclosure of PHI
to the minimum necessary to accomplish the intended purpose of
the disclosure. Defines PHI as individually identifiable
health information which identifies, or can be used to
identify, an individual.
2)Requires, under the federal Health Information Technology for
Economic and Clinical Health (HITECH) Act, enacted as part of
the federal American Recovery and Reinvestment Act of 2009
(ARRA), the Secretary of the federal Department of Health and
Human Services (DHHS) to adopt an initial set of standards for
health information technology (HIT) and health information
exchange (HIE), as specified, by December 31, 2009. In
addition, among other changes, requires business associates of
covered entities subject to HIPAA to notify the covered entity
following the discovery of a breach of PHI and requires DHHS
to issue interim final regulations for privacy breach
notification by entities subject to HIPAA.
EXISTING LAW :
3)Establishes OHII within CHHSA to ensure the enforcement of
confidentiality of medical information and to impose
administrative fines for the unauthorized use of medical
information upon referral from the Department of Public
Health.
4)Requires a health facility to prevent unlawful or unauthorized
access to, and use or disclosure of, patients' medical
information, and requires every provider of health care to
prevent unauthorized access to, or unlawful access to or use of,
patients' medical information, and to take specific actions to
ensure the privacy, confidentiality, security, and integrity
of medical information, as specified.
5)Prohibits, under the California Confidentiality of Medical
Information Act, a provider of health care, health care
service plan, or health care contractor from disclosing a
person's medical information without first obtaining that
person's authorization, except as specified.
FISCAL EFFECT : According to the Assembly Appropriations
Committee, one-time cost of $50,000 General Fund for OHII to
prepare the report for the Legislature.
COMMENTS : According to the author, this bill is needed to
prepare California for enhanced and more widespread adoption of
HIT and HIE. The author points out that the federal HITECH Act,
enacted as one component of the ARRA economic stimulus plan
signed by President Obama on February 17, 2009, establishes a
framework for federal policy, standards setting and investment
in the development and dissemination of HIT and HIE. In
addition, the author notes, the HITECH Act includes numerous
changes to the federal privacy and security provisions of HIPAA,
which will have a direct impact on organizations participating
in HIE projects in California. The author also notes that
California already has stronger and more robust state law
provisions affecting the disclosure and the protection of
individual, private patient information, such as the state
breach notification provisions enacted during the 2008
legislative session in AB 211 (Jones), Chapter 602, Statutes of
2008, and SB 541 (Alquist), Chapter 650, Statutes of 2008. The
author contends that in order to continue to protect private
patient information, but to also ensure that California can move
forward toward wider adoption of HIT, this bill requires OHII to
do the legal and policy analysis necessary to clarify the
statutory changes to better synchronize state and federal
medical privacy laws.
The federal HITECH Act provides more than $36 billion to promote
HIT/HIE, including grants and incentive payments for adoption of
electronic health records, chronic disease management systems,
and other health-related technologies. The HITECH Act sets
forth a framework for development of federal policy and the
expenditure of federal stimulus money to advance the design,
development, and operation of a nationwide HIT infrastructure
that allows for the electronic use and exchange of information.
The goal of HITECH is to ensure that every person in the United
States has an electronic health record by 2014.
According to a February 2009 policy brief prepared by the
California HealthCare Foundation (CHCF), "An Unprecedented
Opportunity: Using Federal Stimulus Funds to advance Health IT
in California," the HITECH Act strengthens the privacy and
security provisions of HIPAA in five key areas: 1) extension of
HIPAA to business associates; 2) establishment of a federal
security breach notification mandate; 3) new restrictions on the
use and disclosure of PHI; 4) creation of additional patient
rights to allow patients to more fully protect and to obtain
their PHI and medical records;
and, 5) increased HIPAA enforcement. CHCF recommends that OHII
disseminate technical guidance to all parties that engage in
electronic information exchange to clarify the interplay between
California and federal privacy laws and to recommend best
practices for facilitating legal compliance.
Analysis Prepared by : Allegra Kim / HEALTH / (916) 319-2097
FN: 0001259