BILL ANALYSIS
SENATE HEALTH COMMITTEE ANALYSIS
Senator Elaine K. Alquist, Chair
BILL NO: SB 368
AUTHOR: Maldonado
AMENDED: April 1, 2009
HEARING DATE: April 15, 2009
REFERRAL: Judiciary
CONSULTANT: Hansel/cjt
SUBJECT
Confidential medical information: unlawful disclosure
SUMMARY
Allows the Office of Health Information Integrity (OHII) to
audit the procedures and records of a health care provider
at any time in order to determine the provider's compliance
with requirements to establish and implement appropriate
administrative, technical, and physical safeguards to
protect the privacy of patient's medical information, and
to reasonably safeguard confidential medical information
from any unauthorized access or unlawful access, use, or
disclosure.
CHANGES TO EXISTING LAW
Existing federal law:
Prohibits, under federal regulations implementing the
federal Health Insurance Portability and Accountability Act
(HIPAA), a health plan, health care clearinghouse, and a
health care provider who transmits health information in
electronic form from using or disclosing protected health
information for purposes other than medical treatment,
payment, or health care operations, as defined, without
STAFF ANALYSIS OF SENATE BILL SB 368 (Maldonado) Page 2
written authorization of the patient, with exceptions.
Existing state law:
Prohibits, under the Confidentiality of Medical Information
Act (CMIA), licensed or certified health care
professionals, clinics and health facilities, health plans,
and contracting entities, as defined, from disclosing or
using a patient's medical information for any purpose not
necessary to provide health care services to the patient
and related administrative functions, without first
obtaining authorization from the patient or the patient's
representative, as specified, with exceptions.
Provides for administrative fines and civil penalties for
persons and entities subject to the CMIA who negligently
disclose, or who knowingly and willfully obtain, disclose,
or use, medical information in violation of the CMIA, and
authorizes the Attorney General, any district attorney, any
county counsel acting pursuant to an agreement with the
district attorney, or a city attorney, to seek civil
penalties for violations.
Requires every provider of health care to establish and
implement appropriate administrative, technical, and
physical safeguards to protect the privacy of patient's
medical information, and requires every provider to
reasonably safeguard confidential medical information from
any unauthorized access or unlawful access, use, or
disclosure. Existing law defines unauthorized access as
the inappropriate review or viewing of patient medical
information without a direct need for diagnosis, treatment,
or other lawful use of the information.
Establishes the Office of Health Information Integrity
(OHII) within the California Health and Human Services
Agency (CHHSA) to ensure the enforcement of state law
mandating the confidentiality of medical information and to
impose administrative fines for the unauthorized use of
medical information.
Permits OHII, upon receipt of a referral from the
Department of Public Health (DPH), to assess an
administrative fine against any person or any licensed or
unlicensed provider, other than a licensed clinic, health
facility, agency, or hospice, for any medical privacy
violation in an amount consistent with the penalties under
the CMIA, which provides penalties ranging from $1,000 to
$250,000, as specified.
Requires OHII, in exercising its duties, to consider
several factors, including the provider's capability,
complexity, size, and history of compliance with medical
privacy requirements, the extent to which the provider
detected violations and took steps to immediately correct
and prevent past violations from reoccurring, and factors
beyond the provider's immediate control that restricted the
facility's ability to comply with medical privacy
requirements.
Permits OHII to send a recommendation for further
investigation or discipline for a potential violation of
this bill to the licensee's relevant licensing authority.
Requires the licensing authority of the provider of health
care to review all evidence submitted by the OHII director,
and permits the licensing authority to take action for
further investigation or discipline of the licensee.
This bill:
This bill would allow OHII to audit the procedures and
records of a health care provider at any time in order to
determine the provider's compliance with requirements to
establish and implement appropriate administrative,
technical, and physical safeguards to protect the privacy
of patient's medical information, and to reasonably
safeguard confidential medical information from any
unauthorized access or unlawful access, use, or disclosure.
FISCAL IMPACT
Unknown. Existing law requires any costs that OHII incurs
related to enforcing medical privacy provisions to be
funded through non-General Fund sources.
BACKGROUND AND DISCUSSION
The author states that the Legislature passed important
bills last session requiring health care providers to
establish and implement safeguards to protect the privacy
of patients' medical information, beefing up DPH's authority
to sanction providers for medical confidentiality breaches,
and designating a new state entity, the OHII, to
investigate and levy penalties against individual providers
for unauthorized use, disclosure, and access to patients'
medical information (SB 541 - Alquist, Chapter 605,
Statutes of 2008 and AB 211 - Jones, Chapter 602, Statutes
of 2008). However, the bills did not provide OHII with
authority to audit the procedures and records of providers
in order to determine whether they are complying with these
requirements, as SB 368 would provide. The author argues
that without this authority, OHII is limited to dealing with
medical privacy breaches after the fact, rather than
proactively.
The author argues that, given current federal efforts to
reform and expand use of health information technology, it
is important to consider preemptive efforts to ensure that
health care providers honor patients' basic right to the
privacy of their medical information. The author questions
whether the bills the Legislature enacted last year,
without the additional authority of OHII to audit providers
for their compliance, as this bill would provide, will be
sufficient to discourage providers and other employees from
unlawfully accessing patients' medical files. The author
specifically notes that in March 2009, after SB 541 and AB
211 were in place, Kaiser Permanente fired several staffers
who looked at the medical files of the so-called "Octo-Mom"
without authorization.
2007-08 Legislation
In response to several high profile incidents involving
unauthorized access to, and misuse of, patients'
confidential medical information, the Legislature enacted
two bills in the 2007 - 2008 Session, SB 541 (Alquist -
Chapter 605, Statutes of 2008) and AB 211 (Jones - Chapter
602, Statutes of 2008). In support of the bills, DPH
released data indicating that 349 medical information
confidentiality violations, involving 5,235 patients, had
occurred in general acute care hospitals in the prior
two-year period. Prior to the enactment of these bills,
the only remedy DPH had, if a health facility failed to
safeguard patients' medical records, was to issue a notice
of deficiency and require the facility to implement a plan
of correction, which is cumbersome and less effective than
imposing an administrative penalty. Among the violations
cited by DPH were those that occurred at the UCLA Medical
Center.
DPH also indicated that while it could refer individual
providers within a health facility to the relevant
licensing board or to law enforcement, the then-existing
provisions of the CMIA did not adequately address
unauthorized access to medical records, as opposed to
negligent or willful disclosure of the records.
Another factor precipitating passage of the two bills was
press coverage indicating that hospitals and other health
care organizations commonly use patients' information for
fundraising efforts without their express permission.
DPH reports that since January 1, 2009, when SB 541 took
effect, it has substantiated 18 cases of breaches of
medical confidentiality involving health facilities.
Specifically, SB 541 requires health care facilities to
prevent unlawful or unauthorized access to, use, or
disclosure of, patients' medical information and to
establish safeguards to protect the privacy of patients'
medical information. The bill authorizes DPH to assess an
administrative penalty of up to $25,000 per patient for
failure to prevent unlawful or unauthorized access, use, or
disclosure of medical information, and up to $17,500 for
each subsequent violation. The bill authorizes DPH to
assess a penalty of $100 for each day that an unlawful or
unauthorized access, use, or disclosure of medical
information is not reported, beyond five days after it has
been detected, up to a maximum of $250,000. The bill
additionally increases the level of administrative
penalties DPH may assess against hospitals for deficiencies
that constitute immediate jeopardy to the health or safety
of patients from up to $25,000, to up to $100,000, for
incidents occurring on and after January 1, 2009.
AB 211 requires health care providers to establish
appropriate safeguards to protect patients' medical
information from unauthorized or unlawful access, use, or
disclosure. The bill also establishes OHII and gives it
authority, upon a referral from DPH, to assess
administrative fines against any person or health care
provider for unauthorized use of patients' medical
information. AB 211 also allows the Office to recommend
that a licensing board further investigate and discipline a
health care provider for violations of the bill's
provisions.
Other prior legislation
AB 1301 (Alquist), Chapter 647, Statutes of 2006 requires
general acute care hospitals, acute psychiatric hospitals,
and special hospitals to report adverse events to the
Department of Health Services (now DPH) no later than five
days after the event has been detected, or in the case of
an urgent or emergent threat, not later than 24 hours after
the adverse event has been detected. Requires DPH, by
January 1, 2013, to provide information regarding reports
of substantiated adverse events and the outcomes of
inspections on its web site.
SB 1312 (Alquist), Chapter 895, Statutes of 2006 authorizes
DPH to assess administrative penalties on hospitals based
on deficiencies constituting immediate jeopardy to the
health and safety of a patient. Requires inspections and
investigations of long-term care facilities certified by
the Medicare or Medicaid program to determine compliance
with federal standards and California statutes and
regulations. Eliminates existing law that provides an
exemption for specified health care facilities from
periodic inspections by DPH.
Arguments in opposition
Taking an oppose unless amended position, the California
Hospital Association (CHA) states that hospitals must
comply with a variety of state and federal laws governing
the privacy and security of patients' medical information.
These include federal HIPAA privacy rules and the
provisions of SB 541 (Alquist), which, among other things,
require hospitals to report any violations of medical
confidentiality laws to DPH and subject hospitals to fines
of up to $25,000 per patient for these violations. CHA
notes that DPH verifies compliance with medical
confidentiality laws during regular surveys and
inspections, and also investigates complaints related to
unlawful use, disclosure, or access to patients' medical
information. CHA argues that there are already strong
incentives in place to encourage hospitals to adopt
policies and procedures to ensure compliance with state and
federal privacy laws, and opposes giving another
governmental entity authority to audit a hospital's
policies and procedures. CHA requests an amendment to
provide that the auditing authority given to OHII under the
bill does not apply to health care facilities, clinics,
home health agencies, and hospices, which are subject to
the requirements of SB 541.
Also taking an oppose unless amended position, the
California Association of Health Facilities (CAHF)
states that compliance with state and federal laws
regarding unlawful use and disclosure of, and unauthorized
access to, patients' medical information by long-term care
facilities is verified by DPH during annual federal
certification surveys and annual state licensing surveys,
and in response to breaches of confidentiality that are the
subject of complaints. CAHF argues that additionally
allowing OHII to audit a facility's procedures and records
at any time would duplicate current enforcement efforts and
divert facility staff time and resources away from patient
care. CAHF requests an amendment to provide that the
auditing authority given to OHII under the bill does not
apply to providers who are subject to annual inspections by
their licensing agency, where the licensing agency is
required to inspect for compliance with state laws and
regulations.
The California Medical Association (CMA) argues that the
bill would allow an enforcement entity to walk in and
"snoop" around a provider's office at any time without
cause or reason, which conflicts with the enforcement
process that was contained in SB 541 and AB 211 last year.
CMA states that this represents a significant departure
from existing enforcement policy, and one that could
disrupt medical offices and jeopardize the medical
confidentiality of patients.
COMMENTS
1. Application of bill to health care facilities. Under
existing law, enforcement of protections against
unauthorized use of patients' medical information in health
care facilities, clinics, home health agencies, and
hospices is carried out by DPH under SB 541 (Alquist),
although DPH is authorized to refer violations involving
these entities to OHII for enforcement. As drafted, this
bill would additionally provide OHII with authority to
audit these entities. Health care facilities are generally
subject to regular licensing surveys and inspections in
response to complaints that can include looking at the
facilities' compliance with state laws dealing with
unlawful use and disclosure of, and unauthorized access to,
patients' medical information. They are also required to
self-report breaches of medical confidentiality. A
suggested amendment that is consistent with the wording of
AB 211 (Jones), which established OHII, would be to clarify
that the bill does not apply to clinics, health facilities,
agencies, or hospices.
a. Suggested amendment:
On page 3, lines 1 - 3, amend as follows:
(b) The office may audit the procedures and records of a
provider of health care, other than a clinic, health
facility, agency, or hospice licensed pursuant to Section
1204, 1250, 1725, or 1745, or any other entity that is
subject to the requirements of Section 1280.15 at any time
in order to determine the provider's compliance with the
requirements of subdivision (a).
2. Unclear whether OHII has the resources to conduct
auditing. As currently constructed, OHII is set up to
receive referrals from DPH involving a health care
provider's unlawful use or disclosure of, or unauthorized
access to, patients' medical information, and to levy
administrative penalties for violations. OHII operates
with a small staff within the office of the Secretary for
Health and Human Services and is supported by non-General
Fund revenues. These factors would likely significantly
limit the ability of OHII to audit health care providers,
outside of its investigation of providers who have been
referred to it.
POSITIONS
Support: None received
Oppose: California Association of Health Facilities
        California Association of Marriage and Family Therapists
        California Hospital Association
        California Medical Association