BILL ANALYSIS

                   Senate Appropriations Committee Fiscal Summary
                           Senator Christine Kehoe, Chair


          SB 1250 (Alquist) - Medical records: confidentiality.
          
          Amended: May 15, 2012           Policy Vote: Judiciary 3-2
          Urgency: No                     Mandate: Yes
          Hearing Date: May 21, 2012      Consultant: Jolie Onodera
          
          This bill meets the criteria for referral to the Suspense File.


          Bill Summary: SB 1250 would amend the Confidentiality of Medical 
          Information Act (CMIA) to require a health care provider, health 
          care service plan, or contractor, if there is a breach in the 
          security of a patient's personal or financial information, as 
          specified, and that provider, plan, or contractor is required to 
          issue a breach notification, to offer in the breach notification 
          one year of free credit monitoring services to the patient.

          Fiscal Impact: 
             Potentially major costs in the millions of dollars (General 
             Fund) across various state agencies and the University of 
             California (UC) hospitals and health centers for the 
             provision of credit monitoring services, as specified. 
             Estimated potential costs of $1.2 million to $3.6 million 
             (General Fund) for every 10,000 individuals provided credit 
             monitoring services.
             Potential ongoing significant costs to impacted agencies 
             related to the implementation of the provisions of this bill 
             including development of an implementation plan, policy, and 
             guidelines, as well as likely ongoing workload to respond to 
             inquiries.
             Non-reimbursable local costs for enforcement offset in part 
             by fine revenue for violations resulting from the 
             requirements set forth in this bill.

          Background: Under existing law, any person or business that 
          conducts business in the state, and that owns, licenses, or 
          maintains computerized data that includes personal information, 
          is required to disclose any breach of the security of the system 
          following discovery or notification of the breach in the 
          security to any resident of California whose unencrypted 
          personal information was, or is reasonably believed to have 
          been, acquired by an unauthorized person. Existing law specifies 
          SB 1250 (Alquist)
          Page 1
          the timing and manner in which the disclosure is required to be 
          made, as well as the specific information to be included in the 
          security breach notification. 

          In addition to the general description of the breach incident, 
          notices are required to include the toll-free telephone numbers 
          and addresses of the major credit reporting agencies if the 
          breach exposed a social security number or a driver's license or 
          California identification card number. Additionally, the 
          security breach notification may also include information about 
          what the person or business has done to protect individuals 
          whose information has been breached and advice on steps that the 
          person whose information has been breached may take to protect 
          him or herself.

          Proposed Law: This bill would provide that when there is a 
          breach in the security of a patient's social security number, 
          driver's license number, California identification number, or 
          financial information, and a health care provider, health care 
          service plan, or contractor is required to issue a breach 
          notification under any applicable state or federal law, the 
          provider, plan, or contractor must offer in the breach 
          notification one year of free credit monitoring services to the 
          patient. If the patient accepts the offer, the provider, plan, 
          or contractor would be required to provide the service to the 
          patient. This bill defines "financial information" for purposes 
          of this bill to mean credit card or debit card numbers.

          Staff Comments: The provisions of this bill could result in 
          substantial costs to various state agencies and the University 
          of California hospitals and health centers that provide direct 
          health care services to clients and would be considered a 
          "health care provider" under the provisions of this bill. 
          Further, to the extent other state agencies are determined to be 
          covered under the requirements of this bill as a "contractor," 
          costs could be significantly higher. 

          Based on information surveyed from credit monitoring services, 
          bulk enrollment costs for credit monitoring services in which 
          the vendor is provided with a complete list of individuals at 
          once from the breached entity generally range from $10 to $30 
          per month per person ($120 to $360 per year per person), 
          depending on the type of monitoring package offered by the 
          vendor. 
          The California Correctional Health Care Services (CCHCS) has 
          indicated the provisions of this bill could result in additional 
          costs to provide credit monitoring services to inmates who have 
          had their personal information compromised. Based on historical 
          information on the number of breach notification letters issued 
          of approximately 850 per year, annual costs could range from 
          $100,000 up to $300,000 (General Fund) if all affected inmates 
          accepted the services. Given that the statewide prison population 
          exceeds 100,000 inmates, should a much larger breach of 
          information occur, costs to the CCHCS could reach the tens of 
          millions of dollars. Moreover, coordinating the administration of 
          the provisions of this bill would likely require additional 
          resources for development of an implementation plan and 
          guidelines, as well as ongoing workload to respond to inquiries.

          The Department of Veterans Affairs (DVA) will potentially serve 
          approximately 2,000 patients in any one day as a health care 
          provider, and likewise could incur significant costs in the 
          event of a security breach. Estimated annual credit monitoring 
          costs for 2,000 individuals would be $240,000 to $720,000 for 
          any one incident. Other state 
          departments providing direct health care services to clients 
          include the Department of Mental Health and the Department of 
          Developmental Services. To the extent a security breach occurs, 
          costs would likely be incurred by these agencies as well, the 
          magnitude of which would be dependent on the number of clients 
          impacted.

          The University of California operates hospitals as well as 
          health centers on each of the ten campuses serving tens of 
          thousands of patients. Any single security breach of patient 
          information could also result in major costs in the millions of 
          dollars depending on the number of patients impacted. 

          It is unclear at this time if other state departments may be 
          impacted by this bill pursuant to the provision designating 
          "contractors" as responsible parties. The Department of Social 
          Services (DSS) recently issued notification of a breach of 
          personal information of approximately 700,000 recipients and 
          providers of the In-Home Supportive Services program. To the 
          extent the DSS were found to be a "contractor" under the 
          provisions of this bill, costs to provide credit monitoring 
          services for one year to the impacted individuals could range 
          from $84 million to $250 million.

          Existing law makes any violation of the provisions of the CMIA 
          resulting in economic loss or personal injury to a patient 
          punishable as a misdemeanor. Accordingly, any violation of the 
          provisions of this bill would be punishable as a misdemeanor 
          subject to jail time, a fine, or both. The establishment of a 
          new crime will result in non-reimbursable local costs for 
          enforcement, offset in part by fine revenue. To the extent any 
          state agencies are found in violation of offering and providing 
          credit monitoring services related to security breaches as 
          specified, potential costs (General Fund) for civil penalties 
          could also be incurred.