Bill Text: CA AB1755 | 2013-2014 | Regular Session | Amended

Bill Title: Medical information.

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Passed) 2014-09-18 - Chaptered by Secretary of State - Chapter 412, Statutes of 2014. [AB1755 Detail]

BILL NUMBER: AB 1755	AMENDED
	BILL TEXT

	AMENDED IN SENATE  AUGUST 4, 2014
	AMENDED IN SENATE  JULY 1, 2014
	AMENDED IN ASSEMBLY  MARCH 28, 2014

INTRODUCED BY   Assembly Member Gomez

                        FEBRUARY 14, 2014

   An act to amend Section 1280.15 of the Health and Safety Code,
relating to public health.


	LEGISLATIVE COUNSEL'S DIGEST


   AB 1755, as amended, Gomez. Medical information.
   Existing law requires a clinic, health facility, home health
agency, or hospice to prevent unlawful or unauthorized access to, and
use or disclosure of, patients' medical information, as defined.
Existing law requires the clinic, health facility, home health
agency, or hospice to report any unlawful or unauthorized access to,
or use or disclosure of, a patient's medical information to the State
Department of Public Health and to the affected patient or the
patient's representative no later than 5 business days after the
unlawful or unauthorized access, use, or disclosure has been
detected. Existing law requires that the report to the patient or the
patient's representative be made to that person's last known
address. Existing law requires these entities to delay the report for
specified law enforcement purposes and requires that the delayed
report be submitted within 5 days of the end of the delay. Existing
law authorizes the State Department of Public Health to assess
administrative penalties for violation of these provisions and gives
the department discretion to consider all factors when determining
the amount of a penalty.
   This bill would instead require those entities to make those
reports no later than 15 business days after the unlawful or
unauthorized access, use, or disclosure has been detected and would
authorize the report made to the patient or the patient's
representative to be made by alternative means, including email, as
specified. The bill would also require a delayed report for law
enforcement purposes to be made within 15 business days of the end of
the delay. The bill would give the department full discretion to
consider all factors when determining whether to investigate under
these provisions.
   Vote: majority. Appropriation: no. Fiscal committee: no.
State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

   SECTION 1.    Section 1280.15 of the  
Health and Safety Code   is amended to read: 
   1280.15.  (a) A clinic, health facility, home health agency, or
hospice licensed pursuant to Section 1204, 1250, 1725, or 1745 shall
prevent unlawful or unauthorized access to, and use or disclosure of,
patients' medical information, as defined in Section 56.05 of the
Civil Code and consistent with Section 1280.18. For purposes of this
section, internal paper records, electronic mail, or facsimile
transmissions inadvertently misdirected within the same facility or
health care system within the course of coordinating care or
delivering services shall not constitute unauthorized access to, or
use or disclosure of, a patient's medical information. The
department, after investigation, may assess an administrative penalty
for a violation of this section of up to twenty-five thousand
dollars ($25,000) per patient whose medical information was
unlawfully or without authorization accessed, used, or disclosed, and
up to seventeen thousand five hundred dollars ($17,500) per
subsequent occurrence of unlawful or unauthorized access, use, or
disclosure of that patient's medical information. For purposes of the
investigation, the department shall consider the clinic's, health
facility's, agency's, or hospice's history of compliance with this
section and other related state and federal statutes and regulations,
the extent to which the facility detected violations and took
preventative action to immediately correct and prevent past
violations from recurring, and factors outside its control that
restricted the facility's ability to comply with this section. The
department shall have full discretion to consider all factors when
determining  whether to investigate and  the amount of an
administrative penalty  ,   if any,  pursuant to
this section.
   (b) (1) A clinic, health facility, home health agency, or hospice
to which subdivision (a) applies shall report any unlawful or
unauthorized access to, or use or disclosure of, a patient's medical
information to the department no later than  five 
 15  business days after the unlawful or unauthorized
access, use, or disclosure has been detected by the clinic, health
facility, home health agency, or hospice.
   (2) Subject to subdivision (c), a clinic, health facility, home
health agency, or hospice shall also report any unlawful or
unauthorized access to, or use or disclosure of, a patient's medical
information to the affected patient or the patient's representative
at the last known address,  or by an alternative means or at an
alternative location as specified by the patient or the patient's
representative in writing pursuant to Section 164.522(b) of Title 45
of the Code of Federal Regulations,  no later than  five
  15  business days after the unlawful or
unauthorized access, use, or disclosure has been detected by the
clinic, health facility, home health agency, or hospice.  Notice
may be provided by email only if the patient has previously agreed in
writing to electronic notice by email. 
   (c) (1) A clinic, health facility, home health agency, or hospice
shall delay the reporting, as required pursuant to paragraph (2) of
subdivision (b), of any unlawful or unauthorized access to, or use or
disclosure of, a patient's medical information beyond  five
  15  business days if a law enforcement agency or
official provides the clinic, health facility, home health agency, or
hospice with a written or oral statement that compliance with the
reporting requirements of paragraph (2) of subdivision (b) would
likely impede the law enforcement agency's investigation that relates
to the unlawful or unauthorized access to, and use or disclosure of,
a patient's medical information and specifies a date upon which the
delay shall end, not to exceed 60 days after a written request is
made, or 30 days after an oral request is made. A law enforcement
agency or official may request an extension of a delay based upon a
written declaration that there exists a bona fide, ongoing,
significant criminal investigation of serious wrongdoing relating to
the unlawful or unauthorized access to, and use or disclosure of, a
patient's medical information, that notification of patients will
undermine the law enforcement agency's investigation, and that
specifies a date upon which the delay shall end, not to exceed 60
days after the end of the original delay period.
   (2) If the statement of the law enforcement agency or official is
made orally, then the clinic, health facility, home health agency, or
hospice shall do both of the following:
   (A) Document the oral statement, including, but not limited to,
the identity of the law enforcement agency or official making the
oral statement and the date upon which the oral statement was made.
   (B) Limit the delay in reporting the unlawful or unauthorized
access to, or use or disclosure of, the patient's medical information
to the date specified in the oral statement, not to exceed 30
calendar days from the date that the oral statement is made, unless a
written statement that complies with the requirements of this
subdivision is received during that time.
   (3) A clinic, health facility, home health agency, or hospice
shall submit a report that is delayed pursuant to this subdivision
not later than  five   15  business days
after the date designated as the end of the delay.
   (d) If a clinic, health facility, home health agency, or hospice
to which subdivision (a) applies violates subdivision (b), the
department may assess the licensee a penalty in the amount of one
hundred dollars ($100) for each day that the unlawful or unauthorized
access, use, or disclosure is not reported to the department or the
affected patient, following the initial  five-day 
 15-day  period specified in subdivision (b). However, the
total combined penalty assessed by the department under subdivision
(a) and this subdivision shall not exceed two hundred fifty thousand
dollars ($250,000) per reported event. For enforcement purposes, it
shall be presumed that the facility did not notify the affected
patient if the notification was not documented. This presumption may
be rebutted by a licensee only if the licensee demonstrates, by a
preponderance of the evidence, that the notification was made.
   (e) In enforcing subdivisions (a) and (d), the department shall
take into consideration the special circumstances of small and rural
hospitals, as defined in Section 124840, and primary care clinics, as
defined in subdivision (a) of Section 1204, in order to protect
access to quality care in those hospitals and clinics. When assessing
a penalty on a skilled nursing facility or other facility subject to
Section 1423, 1424, 1424.1, or 1424.5, the department shall issue
only the higher of either a penalty for the violation of this section
or a penalty for violation of Section 1423, 1424, 1424.1, or 1424.5,
not both.
   (f) All penalties collected by the department pursuant to this
section, Sections 1280.1, 1280.3, and 1280.4, shall be deposited into
the Internal Departmental Quality Improvement Account, which is
hereby created within the Special Deposit Fund under Section 16370 of
the Government Code. Upon appropriation by the Legislature, moneys
in the account shall be expended for internal quality improvement
activities in the Licensing and Certification Program.
   (g) If the licensee disputes a determination by the department
regarding a failure to prevent or failure to timely report unlawful
or unauthorized access to, or use or disclosure of, patients' medical
information, or the imposition of a penalty under this section, the
licensee may, within 10 days of receipt of the penalty assessment,
request a hearing pursuant to Section 131071. Penalties shall be paid
when appeals have been exhausted and the penalty has been upheld.
   (h) In lieu of disputing the determination of the department
regarding a failure to prevent or failure to timely report unlawful
or unauthorized access to, or use or disclosure of, patients' medical
information, transmit to the department 75 percent of the total
amount of the administrative penalty, for each violation, within 30
business days of receipt of the administrative penalty.
   (i) For purposes of this section, the following definitions shall
apply:
   (1) "Reported event" means all breaches included in any single
report that is made pursuant to subdivision (b), regardless of the
number of breach events contained in the report.
   (2) "Unauthorized" means the inappropriate access, review, or
viewing of patient medical information without a direct need for
medical diagnosis, treatment, or other lawful use as permitted by the
Confidentiality of Medical Information Act (Part 2.6 (commencing
with Section 56) of Division 1 of the Civil Code) or any other
statute or regulation governing the lawful access, use, or disclosure
of medical information. 
  SECTION 1.    Section 1280.15 of the Health and
Safety Code is amended to read:
   1280.15.  (a) A clinic, health facility, home health agency, or
hospice licensed pursuant to Section 1204, 1250, 1725, or 1745 shall
prevent unlawful or unauthorized access to, and use or disclosure of,
patients' medical information, as defined in Section 56.05 of the
Civil Code and consistent with Section 130203. For purposes of this
section, internal paper records, electronic mail, or facsimile
transmissions inadvertently misdirected within the same facility or
health care system within the course of coordinating care or
delivering services shall not constitute unauthorized access to, or
use or disclosure of, a patient's medical information. The
department, after investigation, may assess an administrative penalty
for a violation of this section of up to twenty-five thousand
dollars ($25,000) per patient whose medical information was
unlawfully or without authorization accessed, used, or disclosed, and
up to seventeen thousand five hundred dollars ($17,500) per
subsequent occurrence of unlawful or unauthorized access, use, or
disclosure of that patient's medical information. For purposes of the
investigation, the department shall consider the clinic's, health
facility's, agency's, or hospice's history of compliance with this
section and other related state and federal statutes and regulations,
the extent to which the facility detected violations and took
preventative action to immediately correct and prevent past
violations from recurring, and factors outside its control that
restricted the facility's ability to comply with this section. The
department shall have full discretion to consider all factors when
determining whether to investigate and the amount of an
administrative penalty, if any, pursuant to this section.
   (b) (1) A clinic, health facility, home health agency, or hospice
to which subdivision (a) applies shall report any unlawful or
unauthorized access to, or use or disclosure of, a patient's medical
information to the department no later than 15 business days after
the unlawful or unauthorized access, use, or disclosure has been
detected by the clinic, health facility, home health agency, or
hospice.
   (2) Subject to subdivision (c), a clinic, health facility, home
health agency, or hospice shall also report any unlawful or
unauthorized access to, or use or disclosure of, a patient's medical
information to the affected patient or the patient's representative
at the last known address, or by an alternative means or at an
alternative location as specified by the patient or the patient's
representative in writing pursuant to Section 164.522(b) of Title 45
of the Code of Federal Regulations, no later than 15 business days
after the unlawful or unauthorized access, use, or disclosure has
been detected by the clinic, health facility, home health agency, or
hospice. Notice may be provided by email only if the patient has
previously agreed in writing to electronic notice by email.
   (c) (1) A clinic, health facility, home health agency, or hospice
shall delay the reporting, as required pursuant to paragraph (2) of
subdivision (b), of any unlawful or unauthorized access to, or use or
disclosure of, a patient's medical information beyond 15 business
days if a law enforcement agency or official provides the clinic,
health facility, home health agency, or hospice with a written or
oral statement that compliance with the reporting requirements of
paragraph (2) of subdivision (b) would likely impede the law
enforcement agency's investigation that relates to the unlawful or
unauthorized access to, and use or disclosure of, a patient's medical
information and specifies a date upon which the delay shall end, not
to exceed 60 days after a written request is made, or 30 days after
an oral request is made. A law enforcement agency or official may
request an extension of a delay based upon a written declaration that
there exists a bona fide, ongoing, significant criminal
investigation of serious wrongdoing relating to the unlawful or
unauthorized access to, and use or disclosure of, a patient's medical
information, that notification of patients will undermine the law
enforcement agency's investigation, and that specifies a date upon
which the delay shall end, not to exceed 60 days after the end of the
original delay period.
   (2) If the statement of the law enforcement agency or official is
made orally, then the clinic, health facility, home health agency, or
hospice shall do both of the following:
   (A) Document the oral statement, including, but not limited to,
the identity of the law enforcement agency or official making the
oral statement and the date upon which the oral statement was made.
   (B) Limit the delay in reporting the unlawful or unauthorized
access to, or use or disclosure of, the patient's medical information
to the date specified in the oral statement, not to exceed 30
calendar days from the date that the oral statement is made, unless a
written statement that complies with the requirements of this
subdivision is received during that time.
   (3) A clinic, health facility, home health agency, or hospice
shall submit a report that is delayed pursuant to this subdivision
not later than 15 business days after the date designated as the end
of the delay.
   (d) If a clinic, health facility, home health agency, or hospice
to which subdivision (a) applies violates subdivision (b), the
department may assess the licensee a penalty in the amount of one
hundred dollars ($100) for each day that the unlawful or unauthorized
access, use, or disclosure is not reported to the department or the
affected patient, following the initial 15-day period specified in
subdivision (b). However, the total combined penalty assessed by the
department under subdivision (a) and this subdivision shall not
exceed two hundred fifty thousand dollars ($250,000) per reported
event. For enforcement purposes, it shall be presumed that the
facility did not notify the affected patient if the notification was
not documented. This presumption may be rebutted by a licensee only
if the licensee demonstrates, by a preponderance of the evidence,
that the notification was made.
   (e) In enforcing subdivisions (a) and (d), the department shall
take into consideration the special circumstances of small and rural
hospitals, as defined in Section 124840, and primary care clinics, as
defined in subdivision (a) of Section 1204, in order to protect
access to quality care in those hospitals and clinics. When assessing
a penalty on a skilled nursing facility or other facility subject to
Section 1423, 1424, 1424.1, or 1424.5, the department shall issue
only the higher of either a penalty for the violation of this section
or a penalty for violation of Section 1423, 1424, 1424.1, or 1424.5,
not both.
   (f) All penalties collected by the department pursuant to this
section, Sections 1280.1, 1280.3, and 1280.4, shall be deposited into
the Internal Departmental Quality Improvement Account, which is
hereby created within the Special Deposit Fund under Section 16370 of
the Government Code. Upon appropriation by the Legislature, moneys
in the account shall be expended for internal quality improvement
activities in the Licensing and Certification Program.
   (g) If the licensee disputes a determination by the department
regarding a failure to prevent or failure to timely report unlawful
or unauthorized access to, or use or disclosure of, patients' medical
information, or the imposition of a penalty under this section, the
licensee may, within 10 days of receipt of the penalty assessment,
request a hearing pursuant to Section 131071. Penalties shall be paid
when appeals have been exhausted and the penalty has been upheld.
   (h) In lieu of disputing the determination of the department
regarding a failure to prevent or failure to timely report unlawful
or unauthorized access to, or use or disclosure of, patients' medical
information, transmit to the department 75 percent of the total
amount of the administrative penalty, for each violation, within 30
business days of receipt of the administrative penalty.
   (i) Notwithstanding any other law, the department may refer
violations of this section to the Office of Health Information
Integrity for enforcement pursuant to Section 130303.
   (j) For purposes of this section, the following definitions shall
apply:
   (1) "Reported event" means all breaches included in any single
report that is made pursuant to subdivision (b), regardless of the
number of breach events contained in the report.
   (2) "Unauthorized" means the inappropriate access, review, or
viewing of patient medical information without a direct need for
medical diagnosis, treatment, or other lawful use as permitted by the
Confidentiality of Medical Information Act (Part 2.6 (commencing
with Section 56) of Division 1 of the Civil Code) or any other
statute or regulation governing the lawful access, use, or disclosure
of medical information. 