BILL ANALYSIS
SENATE HEALTH
COMMITTEE ANALYSIS
Senator Elaine K. Alquist, Chair
BILL NO: SB 270
AUTHOR: Alquist
AMENDED: January 6, 2010
HEARING DATE: January 13, 2010
CONSULTANT: Chan-Sawin
SUBJECT
Health care providers: medical information
SUMMARY
Specifies that a provision in existing law requiring a delay in
compliance with reporting requirements, in the event of a
medical privacy breach, applies when notification of the breach
would impede a law enforcement agency's investigations, rather
than activities. Also requires the California Health and Human
Services Agency (CHHSA) or a non-profit entity designated by the
state, for the purposes of establishing health information
exchange (HIE), to facilitate and expand the use and disclosure
of health information electronically with no diminution of
individual rights under state law.
CHANGES TO EXISTING LAW
Existing federal law:
Prohibits, under federal regulations implementing the federal
Health Insurance Portability and Accountability Act (HIPAA), a
health plan, health care clearinghouse or a health care
provider, who transmits health information in electronic form
(covered entity), from using or disclosing protected health
information, for purposes other than medical treatment or
payment, or health care operations, as defined, without written
authorization of the patient, with exceptions.
Requires covered entities, and their business associates, to
provide notice of medical privacy breaches involving the
unauthorized acquisition, access, use, or disclosure of
protected health information to each individual whose
information has been subject to a breach within 60 days of the
discovery of the breach.
STAFF ANALYSIS OF SENATE BILL SB 270 (Alquist)Page 2
Provides that if a law enforcement official determines that
notice of a medical privacy breach would impede a criminal
investigation or cause damage to national security, the notice
shall be delayed, in a specified manner.
Allows, under the federal American Recovery and Reinvestment Act
of 2009 (ARRA), certain medical providers to receive incentive
payments for meaningful use of health information technology
(HIT), as specified, and provides other funding related to HIT
promotion and HIE.
Existing state law:
Medical Privacy Provisions
Prohibits, under the Confidentiality of Medical Information Act
(CMIA), licensed or certified health care professionals, clinics
and health facilities, health plans, and contracting entities,
as defined, from disclosing or using a patient's medical
information for any purpose not necessary to provide health care
services to the patient and related administrative functions,
without first obtaining authorization from the patient or the
patient's representative, as specified, with exceptions.
Provides for administrative fines and civil penalties for
persons and entities subject to the CMIA who negligently
disclose, or who knowingly and willfully obtain, disclose, or
use, medical information in violation of the CMIA, and
authorizes the Attorney General, any district attorney, any
county counsel acting pursuant to an agreement with the district
attorney, or a city attorney, to seek civil penalties for
violations.
Requires every provider of health care services to establish and
implement administrative, technical, and physical safeguards to
protect the privacy of patients' medical information, and
requires every provider to reasonably safeguard confidential
medical information from any unauthorized access or unlawful
access, use, or disclosure.
Defines unauthorized access as the inappropriate review or
viewing of patient medical information without a direct need for
diagnosis, treatment, or other lawful use of the information.
Requires a clinic, health facility, home health agency, or
hospice to report any unlawful or unauthorized access to, or use
or disclosure of, a patient's medical information to the
Department of Public Health (DPH) and to the affected patient or
patient's representative, no later than five days after the
unlawful or unauthorized access, use, or disclosure has been
detected by the entity.
Allows DPH to assess a penalty of $100 for each day the unlawful
or unauthorized access, use, or disclosure is not reported,
following the initial five-day period, not to exceed $250,000
per reported event.
Requires a clinic, health facility, home health agency, or
hospice to delay reporting any unlawful or unauthorized access,
use, or disclosure of a patient's medical information to DPH if
a law enforcement agency or official provides the entity with a
written or oral statement that compliance with the reporting
requirement would be likely to impede the law enforcement
agency's activities that relate to the unlawful or unauthorized
access to, and use or disclosure of, a patient's medical
information, and specifies a date upon which the delay shall
end, not to exceed 60 days after a written request was made, or
30 days after an oral request is made.
Allows a law enforcement agency or official to request an
extension of the 60-day delay based upon a written declaration
that there exists a bona fide, ongoing, significant criminal
investigation of serious wrongdoing, that notification of
patients will undermine the law enforcement agency's activities,
and that specifies a date upon which the delay shall end, not to
exceed 60 days after the end of the original 60-day period.
Health Information Technology and Exchange Provisions
Authorizes CHHSA, or one of its departments, to apply for
federal HIT and HIE grants, pursuant to requirements set forth
in ARRA. Requires the Governor to designate a nonprofit entity,
as specified, to apply for federal funds and establish HIE if no
application is made by the state.
Requires CHHSA or the state-designated entity (SDE) to develop a
plan to ensure that HIE capabilities are developed, adopted, and
utilized statewide while minimizing disparities in access to
HIT, as specified.
Specifies that the governing board of the SDE must contain, at a
minimum, the secretary of CHHSA, chairs of the Senate and
Assembly Committees on Health, and two consumer representatives,
as specified.
Requires CHHSA or the SDE to facilitate and expand the use of
electronic health information according to nationally recognized
standards and specifications, and execute tasks related to
accessing ARRA funds while, to the greatest extent possible,
protecting the privacy and confidentiality of medical records.
This bill:
Medical Privacy Provisions
Specifies that delays in reporting unlawful or unauthorized
access, use, or disclosure of a patient's medical information to
DPH by a clinic, health facility, home health agency, or hospice
can only occur if a law enforcement agency or official provides
the entity with a written or oral statement that compliance with
the reporting requirement would be likely to impede the law
enforcement agency's investigation that relates to the unlawful
or unauthorized access to, and use or disclosure of, a patient's
medical information, rather than the agency's activities in that
regard.
Allows a law enforcement agency or official to request an
extension of the 60-day delay based upon a written declaration
that there exists a bona fide, ongoing, significant criminal
investigation of serious wrongdoing, that notification of
patients will undermine the law enforcement agency's
investigation, as opposed to activities.
Health Information Technology and Exchange Provisions
Requires CHHSA or the SDE to facilitate and expand the use of
electronic health information according to nationally recognized
standards and specifications, and execute tasks related to
accessing ARRA funds while, to the greatest extent possible,
protecting the privacy and confidentiality of medical records,
and with no diminution of rights under state law.
Makes other minor, technical changes.
FISCAL IMPACT
This bill, as amended, has not been analyzed by a fiscal
committee.
BACKGROUND AND DISCUSSION
According to the author, SB 270 makes technical and clarifying
amendments to SB 337 (Alquist), Chapter 180, Statutes of 2009,
which addressed medical privacy breach notifications and authorized
CHHSA to apply for federal HIT and HIE grants. In particular,
this bill clarifies that expanding the use and disclosure of
electronic health information, as authorized in SB 337, shall
not diminish individual privacy rights under existing state law.
Notification of Breaches of Medical Privacy under Federal and
State Law
Under the medical privacy provisions of the recently enacted
federal legislation, ARRA, entities that transmit health
information in an electronic form are required to provide notice
of a medical privacy breach to an individual whose information
has been subject to a breach, within 60 days of the discovery of
the breach. The 60-day requirement is delayed in the case that
a law enforcement official determines that notice of a medical
privacy breach would impede a criminal investigation or cause
damage to national security. However, the ARRA provides that
state medical privacy breach notification laws that are more
protective of medical privacy (such as the notification
requirements in SB 541) are not preempted.
The CMIA provides statutory protection for confidentiality of
medical information of all persons and restricts the
dissemination and use of such information. It covers all
medical information, including electronic health information,
but does not directly address the sharing of electronic health
information. State law also differs from federal law by
requiring all medical privacy breaches to be reported to DPH and
the individual within five days of the discovery of the breach,
unless the notification would be likely to impede a law
enforcement agency's investigation of the breach. In the event
that an entity is requested to delay notification of a breach by
law enforcement, state law also specifies when that delay shall
end, depending on whether the request was submitted to the entity orally
or in writing.
Health Information Technology and Health Information Exchange
The potential for HIT to improve health care safety, cost and
quality is now nationally recognized, as both governments and
the private sector confront spiraling health care costs and
inefficiencies in delivering care. To fully realize the
benefits of HIT requires a pervasive underlying infrastructure
that supports the use of patient-focused electronic health
information. This infrastructure must go beyond the limitations
of HIT systems used by individual providers, health plans or
even delivery systems. It requires wide-scale systemic, state
and nationwide infrastructure that incorporates protections for
patient privacy and confidentiality.
The building blocks for this infrastructure include electronic
medical records (EMRs) used by providers to manage patient
information, personal health records (PHRs) for individual
access to their own records, and HIE to facilitate the
electronic exchange of EMRs and PHRs. HIE is the capability to
electronically move health information among disparate health
care information systems while maintaining the meaning of the
information being exchanged. In many instances, HIE is used to
describe both the process of moving health information
electronically, and the entity overseeing and governing the
exchange. The goal of HIE is to facilitate access to, and
retrieval of, clinical data to provide safer, more timely,
efficient, effective, equitable, patient-centered care.
The American Recovery and Reinvestment Act of 2009
Last January, President Barack Obama challenged states and
health care providers to computerize the nation's health
records. To assist states in their efforts, Congress passed the
ARRA in February 2009, which includes roughly $41 billion for
national HIT and HIE investments over the next four years.
The majority of these funds ($34 billion) are incentive payments
that will go to Medicaid and Medicare providers who are able to
demonstrate "meaningful use" of HIT. In addition, ARRA provides
$2 billion for HIT promotion, including $564 million in planning
and implementation grants for HIE. These funds can be used, at
the discretion of the federal Secretary of Health and Human
Services, to fund a number of initiatives, including
grants to states to develop HIEs, HIT workforce training grants,
and grants to states to develop loan funds, to name a few.
Out of the $2 billion, $564 million in federal grant funds are
available to states to develop state and local/regional HIEs,
which are intended to ultimately connect to a national health
information network. These funds are to create an exchange
mechanism within California that allows health information to
move across disparate health care systems.
These federal actions have served as a catalyst for California
and the rest of the nation to build HIT infrastructure that will
allow pervasive sharing of electronic health information.
California is expected to receive roughly $4 billion of the
available ARRA HIT stimulus funds.
State Implementation of Health Information Technology and
Exchange
In the past year, under the leadership of CHHSA, the state has
developed an HIT and HIE strategic plan aimed towards maximizing
the opportunities provided under ARRA as part of a more
comprehensive vision of the state's HIT infrastructure. In
addition to coordinating activities across various state
departments and stakeholders, who are planning and implementing
various HIT elements in ARRA, CHHSA is the state entity
responsible for establishing HIE for California. CHHSA has
submitted an application on behalf of the state and is estimated
to receive $38.8 million in early 2010.
The strategic plan calls for the Governor to designate a
separate nonprofit entity, commonly referred to in federal
guidance as the "state-designated entity," or within CHHSA, as
the "HIE governance board," to implement the requirements of the
federal HIE grant.
Privacy and Security of Medical Information
Continued progress toward widespread HIE will depend on
successfully addressing a number of major privacy and security
concerns. The California Office of HIPAA Implementation
(CalOHI), under the supervision of CHHSA, is currently working
with a wide spectrum of health care stakeholders, including
representatives from the health care industry, consumers, and
privacy and security advocates, to develop new privacy and
security standards to enable the adoption and application of HIE
in California.
CalOHI has convened the California Privacy and Security Advisory
Board (CalPSAB) to develop and recommend these new standards.
Adoption of privacy and security standards for HIE will ensure
that a person's critical health information can move safely and
securely to the point of care. An individual could benefit from
improved treatment outcomes and the opportunity to better manage
their health. Electronic HIE could also lead to more transparent
care and contribute to a more effective and efficient health
care system.
Over the last two years, CalPSAB has been working towards
developing recommendations for creation of a privacy and
security framework for sharing of electronic health information.
Recommendations are expected early in 2010.
Support
The American Civil Liberties Union (ACLU) writes in strong
support of the privacy clarification language in this bill to
ensure that there is no diminution of individual privacy rights
under California law while the state or state-designated
entities are accessing federal stimulus funds. ACLU further
states that most people would agree that there is little
information that they hold more private than medical and health
information, and that the state has a strong interest in
encouraging people to seek prompt treatment for health
conditions.
Prior Legislation
SB 337 (Alquist) Chapter 180, Statutes of 2009, revises the
timelines for reporting of unauthorized access to, or use or
disclosure of, patients' medical information, and provides
limited exemptions to the reporting timelines in cases where law
enforcement agencies are investigating such privacy breaches.
This bill also authorizes the California Health and Human
Services Agency to apply for federal health information
technology and health information exchange grants, and requires
the Governor to designate a qualified non-profit entity to apply
for federal health information exchange grants on behalf of the
state if no application is made by the state.
AB 211 (Jones) Chapter 602, Statutes of 2008, establishes OHII
to ensure the enforcement of state confidentiality of medical
information, to impose administrative fines for the unauthorized
use of medical information upon referral from DPH, and require
providers of health care to establish and implement appropriate
administrative, technical, and physical safeguards to protect
the privacy of patients' medical information.
SB 541 (Alquist) Chapter 605, Statutes of 2008, requires
licensed clinics, health facilities, hospices, and home health
agencies to prevent unlawful access to, use, or disclosure of
patients' medical information, establishes administrative
penalties for violations, and requires the patient and the DPH
be notified of any unlawful access to, use, or disclosure of a
patient's medical information.
SB 320 (Alquist) of 2007 would have required the California
Office of HIPAA Implementation, in consultation with the others,
to develop a plan for implementation of the California Health
Care Information Infrastructure Program no later than March 1,
2009, that would seek to provide the opportunity for every
resident of the state to have an electronic health record.
Vetoed.
SB 1338 (Alquist) of 2006 would have required CHHSA, in
conjunction with certain other state departments, to develop a
strategic plan to foster the adoption of HIT. This plan would
have included, among other provisions, HIT standards and
identified incentives to promote the use of electronic health
records (EHRs) and personal health records. Held in the Assembly
Appropriations Committee.
AB 1672 (Nation, Richman) of 2005, in an early version, would
have established deadlines for various health care entities to
adopt EHRs, provided enhanced Medi-Cal reimbursement for EHR
adoption, and provided state funding to promote HIT development.
These provisions were amended out of the bill.
POSITIONS
Support: American Civil Liberties Union
Oppose: None.
-- END --