BILL ANALYSIS �
------------------------------------------------------------
|SENATE RULES COMMITTEE | SB 270|
|Office of Senate Floor Analyses | |
|1020 N Street, Suite 524 | |
|(916) 651-1520 Fax: (916) | |
|327-4478 | |
------------------------------------------------------------
THIRD READING
Bill No: SB 270
Author: Alquist (D)
Amended: 1/20/10
Vote: 21
SENATE HEALTH COMMITTEE : 7-0, 1/13/10
AYES: Strickland, Cedillo, Cox, Leno, Negrete McLeod,
Pavley, Romero
SENATE APPROPRIATIONS : Senate Rule 28.8
SUBJECT : Health care providers: medical information
SOURCE : Author
DIGEST : This bill specifies that a provision in existing
law requiring a delay in compliance with reporting
requirements, in the event of a medical privacy breach,
applies when notification of the breach impedes a law
enforcement agency's investigations, rather than
activities, and requires the California Health and Human
Services Agency or a non-profit entity designated by the
state, for the purposes of establishing health information
exchange, to facilitate and expand the use and disclosure
of health information electronically, in accordance with
applicable state and federal law.
ANALYSIS :
Existing Law
CONTINUED
�
SB 270
Page
2
1.Provides for the licensing and regulation of clinics,
health facilities, home health agencies, and hospices by
the Department of Public Health (DPH).
2.Requires these entities to prevent unlawful or
unauthorized access to, and use or disclosure of, a
patient's medical information. A violation of these
provisions is a crime.
3.Requires these entities to report an instance of unlawful
or unauthorized access top, and use or disclosure of, a
patient's medical information to DPH and to the affected
patient or patient's representative, as prescribed,
within five business days of its detection, except that
an entity is required to delay compliance with this
reporting requirement beyond this five business day
period if a law enforcement agency or official provides
the entity with a written or oral statement that
compliance with the reporting requirement would impede
the law enforcement agency's activities that relate to
the unlawful or unauthorized access to, and use or
disclosure of, a patient's medical information and
specifies the date upon which the delay shall end, as
prescribed.
4.Establishes the Office of Health Information Integrity
within the California Health and Human Services Agency
(CHHSA) to ensure the enforcement of state law mandating
confidentiality of medical information and to impose
administrative fines for the unauthorized use of medical
information.
5.Authorizes CHHSA, or one of the departments under its
jurisdiction, to apply for federal funds made available
through the federal American Recovery and Reinvestment
Act (ARRA) for health information technology and exchange
and, if no application is made, requires the Governor to
designate a nonprofit entity to be the state-designated
entity for purposes of health information exchange.
6.Requires the agency or state-designated entity to
facilitate and expand the use and disclosure of health
information electronically among organizations, as
CONTINUED
�
SB 270
Page
3
prescribed, while protecting individual privacy and the
confidentiality of electronic medical records.
This bill:
1.Specifies that delays in reporting unlawful or
unauthorized access, use, or disclosure of a patient's
medical information to DPH by a clinic, health facility,
home health agency, or hospice can only occur if a law
enforcement agency or official provides the entity with a
written or oral statement that compliance with the
reporting requirement would be likely to impede the law
enforcement agency's investigation, that relates to the
unlawful or unauthorized access to, and use or disclosure
of, a patient's medical information, rather than the
agency's activities in that regard.
2.Allows a law enforcement agency or official to request an
extension of the 60-day delay based upon a written
declaration that there exists a bona fide, ongoing,
significant criminal investigation of serious wrongdoing,
that notification of patients will undermine the law
enforcement agency's investigation, as opposed to
activities.
3.Requires CHHSA or the state-designated agency to
facilitate and expand the use of electronic health
information according to nationally recognized standards
and specifications, and execute tasks related to
accessing ARRA funds while, to the greatest extent
possible, protecting the privacy and confidentiality of
medical records, and in accordance with applicable state
and federal law.
4.Makes other minor, technical changes.
Background
Under the medical privacy provisions of the recently
enacted federal legislation, ARRA, entities that transmit
health information in an electronic form are required to
provide notice of a medical privacy breach to an individual
whose information has been subject to a breach, within 60
days of the discovery of the breach. The 60-day
CONTINUED
�
SB 270
Page
4
requirement is delayed in the case that a law enforcement
official determines that notice of a medical privacy breach
would impede a criminal investigation or cause damage to
national security. However, the ARRA provides that state
medical privacy breach notification laws that are more
protective of medical privacy are not preempted.
The Confidentiality of Medical Information Act (CMIA)
provides statutory protection for confidentiality of
medical information of all persons and restricts the
dissemination and use of such information. It covers all
medical information, including electronic health
information. State law also differs from federal law by
requiring all medical privacy breaches to be reported to
DPH and the individual within five days of the discovery of
the breach, unless the notification would be likely to
impede a law enforcement agency's investigation of that
breach. In the event that an entity is requested to delay
notification of a breach by law enforcement, state law also
specifies when that delay shall end, depending if the
request was submitted to the entity orally or in writing.
Note: For more extensive background information, please
refer to the
Senate Health Committee analysis.
FISCAL EFFECT : Appropriation: No Fiscal Com.: Yes
Local: Yes
SUPPORT : (Verified 1/20/10)
American Civil Liberties Union
ARGUMENTS IN SUPPORT : The American Civil Liberties Union
(ACLU) writes in strong support of the privacy
clarification language in this bill to ensure that there is
no diminution of individual privacy rights under California
law while the state or state-designated entities are
accessing federal stimulus funds. The ACLU further states
that most people would agree that there is little
information that they hold more private that medical and
health information, and that the state has a strong
interest in encouraging people to seek prompt treatment for
health conditions.
CONTINUED
�
SB 270
Page
5
CTW:cm 1/20/10 Senate Floor Analyses
SUPPORT/OPPOSITION: SEE ABOVE
**** END ****
CONTINUED