BILL ANALYSIS






                             SENATE JUDICIARY COMMITTEE
                             Senator Noreen Evans, Chair
                              2011-2012 Regular Session


          SB 1250 (Alquist)
          As Introduced 
          Hearing Date: May 8, 2012
          Fiscal: No
          Urgency: No
          SK:rm
               

                                        SUBJECT
                                           
                          Medical Records: Confidentiality

                                      DESCRIPTION  

          This bill would amend the Confidentiality of Medical Information 
          Act (CMIA) to provide that any individual may bring an action 
          against any person or entity that has negligently released 
          confidential information or records concerning him or her in 
          violation of the CMIA for access to a nationally recognized 
          credit monitoring and reporting service for one year from the 
          date of release of any medical information.  The defendant would 
          bear the expense of the credit monitoring service.

                                      BACKGROUND  

          According to Privacy Rights Clearinghouse, 684 data breaches 
          involving medical and healthcare providers have been made public 
          since 2005.  Those breaches involved nearly 23 million records. 
          (See http://www.privacyrights.org.)  Recent press described the 
          problem:

            . . . data breaches have taken a wide array of forms.  In one 
            case, a custodian traded more than 30,000 patient records for 
            $40 at a recycling center.  In another, a hospital mistakenly 
            faxed medical records to an automobile repair shop, mistakenly 
            thinking it was a pharmacy.  And there have been several 
            incidents of hospital employees posting information about 
            patients on Facebook or sharing pictures of patients via text 
            messages.  ("Data leaks go beyond celebrities," Daily Journal, 
            November 16, 2010.)

          Electronic health record systems are increasingly being used in 
          healthcare settings.  In fact, under the recently enacted Health 
          Information Technology for Economic and Clinical Health Act 
          (HITECH Act), Public Law 111-5, the Obama Administration 
          provides a reimbursement incentive for health care providers who 
          become "meaningful users" of an electronic health record.  As a 
          result, the trend is for health care providers to increasingly 
          and actively use electronic health records.  At the same time, 
          more and more people will have easy, quick access to a patient's 
          electronic medical record.  The Los Angeles Times reported that 
          "[a]lready, roughly 150 people, including nursing staff, X-ray 
          technicians and billing clerks, have access to at least part of 
          a patient's records during a hospitalization, according to the 
          U.S. Department of Health and Human Services."  (Foreman, At 
          risk of exposure: in the push for electronic medical records, 
          concern is growing about how well privacy can be safeguarded, 
          Los Angeles Times (June 26, 2006).)  

          In 1999, the Legislature passed and the Governor signed SB 19 
          (Figueroa, Ch. 526, Stats. 1999) which, among other things, 
          prohibited disclosure of confidential medical information.  This 
          bill would permit an individual to bring an action for access to 
          a nationally recognized credit monitoring and reporting service 
          for one year from the date of release of any medical 
          information, to be paid by the defendant. 

                                CHANGES TO EXISTING LAW
           
          Existing law prohibits a health care provider, health care 
          service plan, or contractor from disclosing medical information 
          regarding a patient, enrollee, or subscriber without first 
          obtaining an authorization, except as specified.  (Civ. Code 
          Sec. 56.10(a).)  

          Existing law requires a health care provider, health care 
          service plan, or contractor to disclose medical information if 
          the disclosure is compelled as specified (Civ. Code Sec. 
          56.10(b)) and permits a health care provider or service plan to 
          disclose medical information in specified circumstances.  (Civ. 
          Code Sec. 56.10(c).)

          Existing law defines "medical information" to mean any 
          individually identifiable information, in electronic or physical 
          form, in possession of or derived from a provider of health 
          care, health care service plan, pharmaceutical company, or 
          contractor regarding a patient's medical history, mental or 
          physical condition, or treatment.  Existing law defines 
          "individually identifiable" to mean that the medical information 
          includes or contains any element of personal identifying 
          information sufficient to allow identification of the 
          individual, such as the patient's name, address, electronic mail 
          address, telephone number, or social security number, or other 
          information that, alone or in combination with other publicly 
          available information, reveals the individual's identity.  (Civ. 
          Code Sec. 56.05(g).)
          
          Existing federal law, the Health Insurance Portability and 
          Accountability Act (HIPAA), specifies privacy protections for 
          patients' protected health information and generally provides 
          that a covered entity, as defined (health plan, health care 
          provider, and health care clearing house), may not use or 
          disclose protected health information except as specified or as 
          authorized by the patient in writing.  (45 C.F.R. Sec. 164.500 
          et seq.)  

          Existing law requires a health care provider, health care 
          service plan, pharmaceutical company, or contractor who creates, 
          maintains, preserves, stores, abandons, destroys, or disposes of 
          medical records to do so in a manner that preserves the 
          confidentiality of the information contained within those 
          records.  Existing law provides that any health care provider of 
          health care, health care service plan, pharmaceutical company, 
          or contractor who negligently creates, maintains, preserves, 
          stores, abandons, destroys, or disposes of medical records shall 
          be subject to existing remedies and penalties, as specified.  
          (Civ. Code Sec. 56.101.)
           
          This bill would amend the CMIA to provide that any individual 
          may bring an action against any person or entity that has 
          negligently released confidential information or records 
          concerning him or her in violation of the CMIA for access to a 
          nationally recognized credit monitoring and reporting service 
          for one year from the date of release of any medical 
          information.  The defendant would bear the expense of the credit 
          monitoring service.

                                        COMMENT
          
          1.  Stated need for the bill  
          
          The author writes:
          
                                                                      
            By January 2014, all medical records in the U.S. should be 
            converted into an electronic format, as mandated by the 
            American Recovery and Reinvestment Act (ARRA).  Experts agree 
            that the availability of electronic health records offers 
            convenience and decreases costs to health care providers, 
            businesses, and government entities.  However, with the 
            inevitable explosion of electronic medical records that the 
            ARRA mandate will create, many agree that patient privacy will 
            be at a greater risk if proactive approaches are not 
            implemented.  . . . 
            
            Data from the U.S. Health and Human Services Agency shows that 
            since 2009, information on 18 million patients has been 
            compromised on a total of 364 reported incidents related to 
            the theft or loss of information.  Patients' information in 
            these incidents involved "sensitive information" such as 
            medical diagnoses, Social Security numbers, names and 
            addresses.  This reporting criterion applies to incidents 
            involving 500 or more patients.  

            In early 2011, nearly 2,400 Medi-Cal recipients' identifying 
            information was breached as part of an employee dispute at the 
            Human Services Agency of San Francisco, CA.  The records 
            contained names, Social Security numbers and other identifying 
            information.  In September 2011, medical information 
            (including names and diagnosis codes) of emergency room 
            patients at Stanford Hospital in Palo Alto, CA was compromised 
            when it was posted on a commercial Web site for over a year.  
            This medical privacy data breach affected nearly 20,000 
            patients.
          


          2.  Bill would permit individuals to seek one year of free credit 
            monitoring and reporting when medical information is 
            negligently disclosed  

          This bill would provide an additional remedy under the CMIA when 
          an individual's confidential information or records were 
          negligently released.  Under the bill, the individual may bring 
          an action, against the person or entity responsible for the 
          release, for access to a nationally recognized credit monitoring 
          and reporting service for one year from the date of release of 
          any medical information.  The defendant would be responsible for 
          the cost of the service.  Providing individuals with free credit 
          monitoring and reporting services after their information has 
          been disclosed raises several policy issues, as described below. 
                                                                      
              a.   Whether information contained in a medical record may 
               later turn up in a credit report

             This bill would permit an individual to bring an action 
            seeking access to a nationally recognized credit monitoring 
            and reporting service in the case where the individual's 
            confidential information and records have been negligently 
            disclosed.  According to the author's office, data breaches 
            and thefts have compromised patient information including 
            sensitive information such as medical diagnoses, social 
            security numbers, and names and addresses.   
             
            The California Health Information Association (CHIA) has a 
            "support if amended" position and writes:

               CHIA believes that when there is a negligent release of 
               confidential health information, that includes the 
               patient's social security number and/or credit card number, 
               an affected individual should have a right to request a one 
               year credit monitoring.  CHIA believes that an exception 
               should be made for those breaches where the patient's 
               social security number or credit card number(s) were not 
               breached, and that, in those instances, one year credit 
               monitoring should not be required.  (Emphasis in original.)

            The California Hospital Association opposes the bill unless it 
            is amended and writes that "most medical privacy breaches do 
            not, and cannot, result in identity theft.  For example, if a 
            doctor's office were to fax a prescription using an incorrect 
            fax number, and the prescription was received by someone other 
            than the pharmacy, this would constitute a violation of CMIA.  
            However, there would be no Social Security number or other 
            financial information released about the patient, so there 
            would be no risk of identity theft.  Requiring the doctor to 
            provide free credit monitoring may not be beneficial."

            In order to address these concerns and ensure that the bill 
            provides appropriate protection against potential identity 
            theft as a result of an unauthorized disclosure, the author 
            has agreed to amend the bill to delete its current contents 
            and instead require a health care provider, health care 
            service plan, or contractor, when there is a breach in the 
            security of a patient's Social Security number, driver's 
            license number or California identification card number, or 
            financial information and the provider is required to issue a 
            breach notification pursuant to Civil Code Section 1798.82 or 
            any applicable federal law, to offer, in the breach 
            notification, one year of free credit monitoring services to 
            the patient.  That language would read:

                Amendment
                
                     Strike the current contents of the bill and insert a 
                 new Civil Code Section 56.08 to read:

               56.08.  When there is a breach in the security of a 
               patient's Social Security number, driver's license number, 
               California identification card number, or financial 
               information and a health care provider, health care service 
               plan, or contractor is required to issue a breach 
               notification pursuant to Section 1798.82 or any applicable 
               federal law, the provider, plan, or contractor must offer, 
               in the breach notification, one year of free credit 
               monitoring services to the patient.  If the patient accepts 
               that offer, the health care provider, health care service 
               plan, or contractor shall provide the credit monitoring 
               service to the patient.  For purposes of this subdivision, 
               "financial information" means credit card or debit card 
               number.  
           
               b.   Perceived benefits of credit monitoring and reporting 
               services
             
            Over the last few years, as personal information has more 
            frequently been disclosed, credit monitoring and reporting 
            services have increased in availability.  On April 18, 2012, 
            the Consumer Federation of America (CFA) released a report on 
            credit monitoring services entitled "Best Practices for 
            Identity Theft Services: How Are Services Measuring Up?"  (See 
            www.consumerfed.org/pdfs/Studies.Best Practices 
            MeasuringUpReport.4.17.12.pdf.)  This report was a follow up 
            to the group's March 2009 report, "To Catch a Thief: Are 
            Identity Theft Services Worth the Cost?" and was based on 
            CFA's "Best Practices for Identity Theft Services" (See 
            www.consumerfed.org/pdfs/CFA-Best-Practices-Id-Theft-Services.pdf.)

            The CFA's 2012 report noted that there is "a wide range of 
            services in the marketplace, from those that mainly monitor 
            consumers' credit reports to services that monitor more 
            broadly, looking for consumers' information in commercial and 
            public databases and sometimes on the Internet where it may be 
            fraudulently offered for sale."  The report found that some 
            identity theft services overpromise what the service can 
            deliver, for example by stating "stop identity theft in its 
            tracks" or "prevent identity theft."  Although services may 
            alert consumers to identity theft, they cannot prevent the 
            theft before it happens, especially, as the CFA report points 
            out, if someone's Social Security number has been compromised.  
            (Consumer Federation of America, Best Practices for Identity 
            Theft Services: How Are Services Measuring Up? (Apr. 2012) p. 
            5.)

            The CFA report also found the following: "There is some sloppy 
            use of statistics;" "Information about the features that 
            services offer and how they work could be improved;" "Refund 
            and cancellation policies aren't always adequately disclosed; 
            on disclosing the cost, services did better;" "In many cases, 
            the assistance provided to identity theft victims isn't 
            clearly described;" "Details about insurance are much easier 
            to find;" and "The most frequent complaint about identity 
            theft services is not covered in the best practices: Free 
            trial offers." (Id., pp. 5-8.)

            What is clear from the CFA reports is that credit monitoring 
            services vary widely and not all services are alike.  The 
            Privacy Rights Clearinghouse notes "these services vary 
            tremendously.  We use the term 'identity theft monitoring 
            services' in the broadest sense.  Many of these services only 
            provide credit report monitoring. Some provide other 
            monitoring services in addition to checking your credit 
            report.  For example, they may monitor information in 
            commercial and public databases, and in online chat rooms.  
            Some may also monitor 'underground' Web sites that identity 
            thieves use to trade in stolen information."  (See Fact Sheet 
            33: Identity Theft Monitoring Services, Privacy Rights 
            Clearinghouse [as of May 4, 2012].)

            In addition, the services do not prevent identity theft 
            although they can be helpful in alerting a consumer to 
            fraudulent activity, perhaps earlier than the consumer may 
            otherwise discover it.  According to the Privacy Rights 
            Clearinghouse, these services do not, however, protect against 
            the following types of fraud: (1) existing account fraud; (2) 
            debit or check card fraud; (3) Social Security number fraud; 
            (4) criminal identity theft; and (5) medical identity theft.  
            (Id.)  In any event, credit monitoring services do not appear 
            to be a panacea if a consumer's personal information is 
            inappropriately disclosed and used for fraudulent activities.

          3.  Bill should be sent back to Senate Rules Committee for 
            consideration of request from Senate Appropriations Committee  

          The Senate Appropriations Committee has indicated that this bill 
          may have a fiscal impact.  As a result, should the Committee 
          approve the bill, the motion should be to send the bill back to 
          the Senate Rules Committee for consideration of the re-referral 
          request from the Appropriations Committee.
          

          Support:  California Health Information Association (if amended) 


          Opposition:  California Healthcare Institute; California 
          Hospital Association (unless amended)

                                        HISTORY
           
          Source:  Author

          Related Pending Legislation:  AB 439 (Skinner) would provide an 
          affirmative defense for an action brought by a plaintiff 
          alleging a violation of the CMIA and nominal damages of $1,000.  
          If the defendant establishes that defense, as specified, the 
          plaintiff may not be awarded nominal damages.  This bill is 
          pending in this Committee.

          Prior Legislation:  None Known

                                   **************