BILL NUMBER: SB 368	INTRODUCED
	BILL TEXT


INTRODUCED BY   Senator Maldonado

                        FEBRUARY 25, 2009

   An act to amend Section 56.36 of the Civil Code, and to amend
Sections 1280.15 and 130202 of the Health and Safety Code, relating
to confidential medical information.


	LEGISLATIVE COUNSEL'S DIGEST


   SB 368, as introduced, Maldonado. Confidential medical
information: unlawful disclosure.
   (1) Existing law, the Confidentiality of Medical Information Act,
generally prohibits the unlawful disclosure of confidential patient
information, sets forth criminal and civil penalties for prescribed
violations, and authorizes prescribed persons to bring enforcement
actions.
   This bill would authorize a person who brings an action against a
licensed health care provider pursuant to those provisions to send a
recommendation for further investigation of, or discipline for, a
potential violation of those provisions to the licensee's relevant
licensing authority.
   (2) Existing law establishes provisions for the licensing and
certification of clinics, health facilities, home health agencies,
and hospices under the jurisdiction of the State Department of Public
Health, prohibits the unlawful release of medical records by those
entities, and authorizes the department to assess administrative
penalties for violations.
   This bill would, if the director finds that the violation was due
to unlawful conduct of a licensed health care professional, authorize
the director to send a recommendation for further investigation of,
or discipline for, a potential violation to the licensed health care
professional's relevant licensing authority.
   (3) Existing law requires every provider of health care to
reasonably safeguard confidential medical information from
unauthorized or unlawful access, use, or disclosure. Existing law
establishes within the California Health and Human Services Agency
the Office of Health Information Integrity to assess and impose
administrative fines for a violation of these provisions. Existing
law authorizes the director to send a recommendation for further
investigation of, or discipline for, a potential violation to the
licensee's relevant licensing authority.
   The law does not permit the office to assess prescribed
administrative penalties that are authorized to be assessed against
licensed health care providers by the State Department of Public
Health.
   This bill would authorize the office to assess those
administrative penalties for unlawful disclosure of confidential
medical records if the Director of Public Health has delegated that
authority to the office.
   Vote: majority. Appropriation: no. Fiscal committee: yes.
State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  SECTION 1.  Section 56.36 of the Civil Code is amended to read:
   56.36.  (a) Any violation of the provisions of this part that
results in economic loss or personal injury to a patient is
punishable as a misdemeanor.
   (b) In addition to any other remedies available at law, any
individual may bring an action against any person or entity who has
negligently released confidential information or records concerning
him or her in violation of this part, for either or both of the
following:
   (1) Nominal damages of one thousand dollars ($1,000). In order to
recover under this paragraph, it shall not be necessary that the
plaintiff suffered or was threatened with actual damages.
   (2) The amount of actual damages, if any, sustained by the
patient.
   (c) (1) In addition, any person or entity that negligently
discloses medical information in violation of the provisions of this
part shall also be liable, irrespective of the amount of damages
suffered by the patient as a result of that violation, for an
administrative fine or civil penalty not to exceed two thousand five
hundred dollars ($2,500) per violation.
   (2) (A) Any person or entity, other than a licensed health care
professional, who knowingly and willfully obtains, discloses, or uses
medical information in violation of this part shall be liable for an
administrative fine or civil penalty not to exceed twenty-five
thousand dollars ($25,000) per violation.
   (B) Any licensed health care professional, who knowingly and
willfully obtains, discloses, or uses medical information in
violation of this part shall be liable on a first violation, for an
administrative fine or civil penalty not to exceed two thousand five
hundred dollars ($2,500) per violation, or on a second violation for
an administrative fine or civil penalty not to exceed ten thousand
dollars ($10,000) per violation, or on a third and subsequent
violation for an administrative fine or civil penalty not to exceed
twenty-five thousand dollars ($25,000) per violation. Nothing in this
subdivision shall be construed to limit the liability of a health
care service plan, a contractor, or a provider of health care that is
not a licensed health care professional for any violation of this
part.
   (3) (A) Any person or entity, other than a licensed health care
professional, who knowingly or willfully obtains or uses medical
information in violation of this part for the purpose of financial
gain shall be liable for an administrative fine or civil penalty not
to exceed two hundred fifty thousand dollars ($250,000) per violation
and shall also be subject to disgorgement of any proceeds or other
consideration obtained as a result of the violation.
   (B) Any licensed health care professional, who knowingly and
willfully obtains, discloses, or uses medical information in
violation of this part for financial gain shall be liable on a first
violation, for an administrative fine or civil penalty not to exceed
five thousand dollars ($5,000) per violation, or on a second
violation for an administrative fine or civil penalty not to exceed
twenty-five thousand dollars ($25,000) per violation, or on a third
and subsequent violation for an administrative fine or civil penalty
not to exceed two hundred fifty thousand dollars ($250,000) per
violation and shall also be subject to disgorgement of any proceeds
or other consideration obtained as a result of the violation. Nothing
in this subdivision shall be construed to limit the liability of a
health care service plan, a contractor, or a provider of health care
that is not a licensed health care professional for any violation of
this part.
   (4) Nothing in this subdivision shall be construed as authorizing
an administrative fine or civil penalty under both paragraphs (2) and
(3) for the same violation.
   (5) Any person or entity who is not permitted to receive medical
information pursuant to this part and who knowingly and willfully
obtains, discloses, or uses medical information without written
authorization from the patient shall be liable for a civil penalty
not to exceed two hundred fifty thousand dollars ($250,000) per
violation.
   (d) In assessing the amount of an administrative fine or civil
penalty pursuant to subdivision (c), the Office of Health Information
Integrity, licensing agency, or certifying board or court shall
consider any one or more of the relevant circumstances presented by
any of the parties to the case including, but not limited to, the
following:
   (1) Whether the defendant has made a reasonable, good faith
attempt to comply with this part.
   (2) The nature and seriousness of the misconduct.
   (3) The harm to the patient, enrollee, or subscriber.
   (4) The number of violations.
   (5) The persistence of the misconduct.
   (6) The length of time over which the misconduct occurred.
   (7) The willfulness of the defendant's misconduct.
   (8) The defendant's assets, liabilities, and net worth.
   (e) (1) The civil penalty pursuant to subdivision (c) shall be
assessed and recovered in a civil action brought in the name of the
people of the State of California in any court of competent
jurisdiction by any of the following:
   (A) The Attorney General.
   (B) Any district attorney.
   (C) Any county counsel authorized by agreement with the district
attorney in actions involving violation of a county ordinance.
   (D) Any city attorney of a city.
   (E) Any city attorney of a city and county having a population in
excess of 750,000, with the consent of the district attorney.
   (F) A city prosecutor in any city having a full-time city
prosecutor or, with the consent of the district attorney, by a city
attorney in any city and county.
   (G) The Director of the Office of Health Information Integrity may
recommend that any person described in subparagraphs (A) to (F),
inclusive, bring a civil action under this section.
   (2) If the action is brought by the Attorney General, one-half of
the penalty collected shall be paid to the treasurer of the county in
which the judgment was entered, and one-half to the General Fund. If
the action is brought by a district attorney or county counsel, the
penalty collected shall be paid to the treasurer of the county in
which the judgment was entered. Except as provided in paragraph (3),
if the action is brought by a city attorney or city prosecutor,
one-half of the penalty collected shall be paid to the treasurer of
the city in which the judgment was entered and one-half to the
treasurer of the county in which the judgment was entered.
   (3) If the action is brought by a city attorney of a city and
county, the entire amount of the penalty collected shall be paid to
the treasurer of the city and county in which the judgment was
entered.
   (4) Nothing in this section shall be construed as authorizing both
an administrative fine and civil penalty for the same violation.
   (5) Imposition of a fine or penalty provided for in this section
shall not preclude imposition of any other sanctions or remedies
authorized by law.
   (6) Administrative fines or penalties issued pursuant to Section
1280.15 of the Health and Safety Code shall offset any other
administrative fine or civil penalty imposed under this section for
the same violation.
   (f) For purposes of this section, "knowing" and "willful" shall
have the same meanings as in Section 7 of the Penal Code.
   (g) No person who discloses protected medical information in
accordance with the provisions of this part shall be subject to the
penalty provisions of this part.
   (h) Paragraph (6) of subdivision (e) shall only become operative
if Senate Bill 541 of the 2007-08 Regular Session is enacted and
becomes effective on or before January 1, 2009. 
   (i) Notwithstanding any other provision of law, a person who
brings an action pursuant to this section against a licensed health
care provider may send a recommendation for further investigation of,
or discipline for, a potential violation of this part to the
licensee's relevant licensing authority. The recommendation shall
include all documentary evidence collected by the person in
evaluating whether or not to make that recommendation. The
recommendation and accompanying evidence shall be deemed in the
nature of an investigative communication and be protected by Section
6254 of the Government Code. The licensing authority of the licensed
health care provider shall review all evidence submitted and may take
action for further investigation or discipline of the licensee.

  SEC. 2.  Section 1280.15 of the Health and Safety Code is amended
to read:
   1280.15.  (a) A clinic, health facility, home health agency, or
hospice licensed pursuant to Section 1204, 1250, 1725, or 1745 shall
prevent unlawful or unauthorized access to, and use or disclosure of,
patients' medical information, as defined in subdivision (g) of
Section 56.05 of the Civil Code and consistent with Section 130203.
The department, after investigation, may assess an administrative
penalty for a violation of this section of up to twenty-five thousand
dollars ($25,000) per patient whose medical information was
unlawfully or without authorization accessed, used, or disclosed, and
up to seventeen thousand five hundred dollars ($17,500) per
subsequent occurrence of unlawful or unauthorized access, use, or
disclosure of that patients' medical information. For purposes of the
investigation, the department shall consider the clinic's, health
facility's, agency's, or hospice's history of compliance with this
section and other related state and federal statutes and regulations,
the extent to which the facility detected violations and took
preventative action to immediately correct and prevent past
violations from recurring, and factors outside its control that
restricted the facility's ability to comply with this section. The
department shall have full discretion to consider all factors when
determining the amount of an administrative penalty pursuant to this
section.
   (b) (1) A clinic, health facility, agency, or hospice to which
subdivision (a) applies shall report any unlawful or unauthorized
access to, or use or disclosure of, a patient's medical information
to the department no later than five days after the unlawful or
unauthorized access, use, or disclosure has been detected by the
clinic, health facility, agency, or hospice.
   (2) A clinic, health facility, agency, or hospice shall also
report any unlawful or unauthorized access to, or use or disclosure
of, a patient's medical information to the affected patient or the
patient's representative at the last known address, no later than
five days after the unlawful or unauthorized access, use, or
disclosure has been detected by the clinic, health facility, agency,
or hospice.
   (c) If a clinic, health facility, agency, or hospice to which
subdivision (a) applies violates subdivision (b), the department may
assess the licensee a penalty in the amount of one hundred dollars
($100) for each day that the unlawful or unauthorized access, use, or
disclosure is not reported, following the initial five-day period
specified in subdivision (b). However, the total combined penalty
assessed by the department under subdivision (a) and this subdivision
shall not exceed two hundred fifty thousand dollars ($250,000) per
reported event.
   (d) In enforcing subdivisions (a) and (c), the department shall
take into consideration the special circumstances of small and rural
hospitals, as defined in Section 124840, and primary care clinics, as
defined in subdivision (a) of Section 1204, in order to protect
access to quality care in those hospitals and clinics. When assessing
a penalty on a skilled nursing facility or other facility subject to
Section 1423, 1424, 1424.1, or 1424.5, the department shall issue
only the higher of either a penalty for the violation of this section
or a penalty for violation of Section 1423, 1424, 1424.1, or 1424.5,
not both.
   (e) All penalties collected by the department pursuant to this
section, Sections 1280.1, 1280.3, and 1280.4, shall be deposited into
the Internal Departmental Quality Improvement Account, which is
hereby created within the Special Deposit Fund under Section 16370 of
the Government Code. Upon appropriation by the Legislature, moneys
in the account shall be expended for internal quality improvement
activities in the Licensing and Certification Program.
   (f) If the licensee disputes a determination by the department
regarding a failure to prevent or failure to timely report unlawful
or unauthorized access to, or use or disclosure of, patients' medical
information, or the imposition of a penalty under this section, the
licensee may, within 10 days of receipt of the penalty assessment,
request a hearing pursuant to Section 131071. Penalties shall be paid
when appeals have been exhausted and the penalty has been upheld.
   (g) In lieu of disputing the determination of the department
regarding a failure to prevent or failure to timely report unlawful
or unauthorized access to, or use or disclosure of, patients' medical
information, transmit to the department 75 percent of the total
amount of the administrative penalty, for each violation, within 30
business days of receipt of the administrative penalty.
   (h) Notwithstanding any other provision of law, the department may
refer violations of this section to the office of Health Information
Integrity for enforcement pursuant to Section 130303, except that if
Assembly Bill 211 of the 2007-08 Regular Session is not enacted, the
department may refer violations to the Office of HIPAA
Implementation.
   (i) For purposes of this section, the following definitions shall
apply:
   (1) "Reported event" means all breaches included in any single
report that is made pursuant to subdivision (b), regardless of the
number of breach events contained in the report.
   (2) "Unauthorized" means the inappropriate access, review, or
viewing of patient medical information without a direct need for
medical diagnosis, treatment, or other lawful use as permitted by the
Confidentiality of Medical Information Act (Part 2.6 (commencing
with Section 56) of Division 1 of the Civil Code) or any other
statute or regulation governing the lawful access, use, or disclosure
of medical information. 
   (j) Notwithstanding any other provision of law, if the director
finds that a violation of this section was due to the unlawful action
of a licensed health care professional, the director may send a
recommendation for further investigation of, or discipline for, a
potential violation of this section to the licensee's relevant
licensing authority. The recommendation shall include all documentary
evidence collected by the director in evaluating whether or not to
make that recommendation. The recommendation and accompanying
evidence shall be deemed in the nature of an investigative
communication and be protected by Section 6254 of the Government
Code. The licensing authority of the licensed health care
professional shall review all evidence submitted by the director and
may take action for further investigation or discipline of the
licensee. 
  SEC. 3.  Section 130202 of the Health and Safety Code is amended to
read:
   130202.  (a) (1) Upon receipt of a referral from the State
Department of Public Health, the office may assess an administrative
fine against any person or any provider of health care, whether
licensed or unlicensed, for any violation of this division in an
amount as provided in Section 56.36 of the Civil Code. Proceedings
against any person or entity for a violation of this section shall be
held in accordance with administrative adjudication provisions of
Chapter 4.5 (commencing with Section 11400) and Chapter 5 (commencing
with Section 11500) of Part 1 of Division 3 of Title 2 of the
Government Code.
   (2) Paragraph (1) shall not apply to a clinic, health facility,
agency, or hospice licensed pursuant to Section 1204, 1250, 1725, or
1745 if Senate Bill 541 of the 2007-08 Regular Session is enacted and
becomes effective on or before January 1, 2009.
   (3) Nothing in paragraph (1) shall be construed as authorizing the
office to assess the administrative penalties described in Section
1280.15 of the Health and Safety Code, unless the Director of
Public Health has delegated that authority to the office.
   (b) The office shall adopt, amend, or repeal, in accordance with
the provisions of Chapter 3.5 (commencing with Section 11340) of Part
1 of Division 3 of Title 2 of the Government Code, such rules and
regulations as may be reasonable and proper to carry out the purposes
and intent of this division, and to enable the authority to exercise
the powers and perform the duties conferred upon it by this division
not inconsistent with any other provision of law.
   (c) Paragraph (3) of subdivision (a) shall only become operative
if Senate Bill 541 of the 2007-08 Regular Session is enacted and
becomes effective on or before January 1, 2009.