BILL NUMBER: SB 270
AMENDED BILL TEXT

AMENDED IN SENATE JANUARY 6, 2010
AMENDED IN SENATE MAY 5, 2009
AMENDED IN SENATE APRIL 23, 2009

INTRODUCED BY Senator Alquist

FEBRUARY 24, 2009

An act to add Division 109.5 (commencing with Section 130250) to An act to amend Sections 1280.15 and 130251 of the Health and Safety Code, relating to public health.

LEGISLATIVE COUNSEL'S DIGEST

SB 270, as amended, Alquist. Health Information Technology Advisory Panel. Health care providers: medical information.

(1) Existing law provides for the licensing and regulation of clinics, health facilities, home health agencies, and hospices by the State Department of Public Health. Existing law requires these entities to prevent unlawful or unauthorized access to, and use or disclosure of, a patient's medical information. A violation of these provisions is a crime. Existing law requires these entities to report an instance of unlawful or unauthorized access to, and use or disclosure of, a patient's medical information to the department and to the affected patient or patient's representative, as prescribed, within 5 business days of its detection, except that an entity is required to delay compliance with this reporting requirement beyond this 5 business day period if a law enforcement agency or official provides the entity with a written or oral statement that compliance with the reporting requirement would impede the law enforcement agency's activities that relate to the unlawful or unauthorized access to, and use or disclosure of, a patient's medical information and specifies the date upon which the delay shall end, as prescribed. This bill would, instead, apply the provision requiring a delay in compliance with the reporting requirement only to a statement that compliance with that requirement would impede the law enforcement agency's investigations, rather than activities. By expanding circumstances to which a crime would apply, the bill would create a state-mandated local program.
(2) Existing law establishes the Office of Health Information Integrity within the California Health and Human Services Agency to ensure the enforcement of state law mandating confidentiality of medical information and to impose administrative fines for the unauthorized use of medical information. Existing law authorizes the California Health and Human Services Agency, or one of the departments under its jurisdiction, to apply for federal funds made available through the federal American Recovery and Reinvestment Act (ARRA) for health information technology and exchange and, if no application is made, requires the Governor to designate a nonprofit entity to be the state-designated entity for purposes of health information exchange. Existing law requires the agency or state-designated entity to facilitate and expand the use and disclosure of health information electronically among organizations, as prescribed, while protecting individual privacy and the confidentiality of electronic medical records. This bill would, in addition, require the agency or state-designated entity to facilitate and expand the use and disclosure of health information electronically among organizations with no diminution of rights under state law. The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement. This bill would provide that no reimbursement is required by this act for a specified reason. Existing law establishes the Office of Health Information Integrity within the California Health and Human Services Agency to ensure the enforcement of state law mandating confidentiality of medical information and to impose administrative fines for the unauthorized use of medical information. 
This bill would, in addition, establish the Health Information Technology Advisory Panel to advise the Governor and the Legislature on health information technology implementation. This bill would provide for the appointment of panel members, establish the qualifications of members, and set forth the duties of the panel.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no yes.

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1. Section 1280.15 of the Health and Safety Code is amended to read:

1280.15. (a) A clinic, health facility, home health agency, or hospice licensed pursuant to Section 1204, 1250, 1725, or 1745 shall prevent unlawful or unauthorized access to, and use or disclosure of, patients' medical information, as defined in subdivision (g) of Section 56.05 of the Civil Code and consistent with Section 130203. The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed, and up to seventeen thousand five hundred dollars ($17,500) per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patients' medical information. For purposes of the investigation, the department shall consider the clinic's, health facility's, agency's, or hospice's history of compliance with this section and other related state and federal statutes and regulations, the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring, and factors outside its control that restricted the facility's ability to comply with this section. The department shall have full discretion to consider all factors when determining the amount of an administrative penalty pursuant to this section.
(b) (1) A clinic, health facility, home health agency, or hospice to which subdivision (a) applies shall report any unlawful or unauthorized access to, or use or disclosure of, a patient's medical information to the department no later than five business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice. (2) Subject to subdivision (c), a clinic, health facility, home health agency, or hospice shall also report any unlawful or unauthorized access to, or use or disclosure of, a patient's medical information to the affected patient or the patient's representative at the last known address, no later than five business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice. (c) (1) A clinic, health facility, home health agency, or hospice shall delay the reporting, as required pursuant to paragraph (2) of subdivision (b), of any unlawful or unauthorized access to, or use or disclosure of, a patient's medical information beyond five business days if a law enforcement agency or official provides the clinic, health facility, home health agency, or hospice with a written or oral statement that compliance with the reporting requirements of paragraph (2) of subdivision (b) would be likely to impede the law enforcement agency's activities investigation that relate relates to the unlawful or unauthorized access to, and use or disclosure of, a patient's medical information and specifies a date upon which the delay shall end, not to exceed 60 days after a written request is made, or 30 days after an oral request is made. 
A law enforcement agency or official may request an extension of a delay based upon a written declaration that there exists a bona fide, ongoing, significant criminal investigation of serious wrongdoing relating to the unlawful or unauthorized access to, and use or disclosure of, a patient's medical information, that notification of patients will undermine the law enforcement agency's activities investigation, and that specifies a date upon which the delay shall end, not to exceed 60 days after the end of the original delay period. (2) If the statement of the law enforcement agency or official is made orally, then the clinic, health facility, home health agency, or hospice shall do the following: (A) Document the oral statement, including, but not limited to, the identity of the law enforcement agency or official making the oral statement and the date upon which the oral statement was made. (B) Limit the delay in reporting the unlawful or unauthorized access to, or use or disclosure of, the patient's medical information to the date specified in the oral statement, not to exceed 30 calendar days from the date that the oral statement is made, unless a written statement that complies with the requirements of this subdivision is received during that time. (3) A clinic, health facility, home health agency, or hospice shall submit a report that is delayed pursuant to this subdivision not later than five business days after the date designated as the end of the delay. (d) If a clinic, health facility, home health agency, or hospice to which subdivision (a) applies violates subdivision (b), the department may assess the licensee a penalty in the amount of one hundred dollars ($100) for each day that the unlawful or unauthorized access, use, or disclosure is not reported, following the initial five-day period specified in subdivision (b).
However, the total combined penalty assessed by the department under subdivision (a) and this subdivision shall not exceed two hundred fifty thousand dollars ($250,000) per reported event. (e) In enforcing subdivisions (a) and (d), the department shall take into consideration the special circumstances of small and rural hospitals, as defined in Section 124840, and primary care clinics, as defined in subdivision (a) of Section 1204, in order to protect access to quality care in those hospitals and clinics. When assessing a penalty on a skilled nursing facility or other facility subject to Section 1423, 1424, 1424.1, or 1424.5, the department shall issue only the higher of either a penalty for the violation of this section or a penalty for violation of Section 1423, 1424, 1424.1, or 1424.5, not both. (f) All penalties collected by the department pursuant to this section, Sections 1280.1, 1280.3, and 1280.4, shall be deposited into the Internal Departmental Quality Improvement Account, which is hereby created within the Special Deposit Fund under Section 16370 of the Government Code. Upon appropriation by the Legislature, moneys in the account shall be expended for internal quality improvement activities in the Licensing and Certification Program. (g) If the licensee disputes a determination by the department regarding a failure to prevent or failure to timely report unlawful or unauthorized access to, or use or disclosure of, patients' medical information, or the imposition of a penalty under this section, the licensee may, within 10 days of receipt of the penalty assessment, request a hearing pursuant to Section 131071. Penalties shall be paid when appeals have been exhausted and the penalty has been upheld. 
(h) In lieu of disputing the determination of the department regarding a failure to prevent or failure to timely report unlawful or unauthorized access to, or use or disclosure of, patients' medical information, transmit to the department 75 percent of the total amount of the administrative penalty, for each violation, within 30 business days of receipt of the administrative penalty. (i) Notwithstanding any other law, the department may refer violations of this section to the Office of Health Information Integrity for enforcement pursuant to Section 130303. (j) For purposes of this section, the following definitions shall apply: (1) "Reported event" means all breaches included in any single report that is made pursuant to subdivision (b), regardless of the number of breach events contained in the report. (2) "Unauthorized" means the inappropriate access, review, or viewing of patient medical information without a direct need for medical diagnosis, treatment, or other lawful use as permitted by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) or any other statute or regulation governing the lawful access, use, or disclosure of medical information.

SEC. 2. Section 130251 of the Health and Safety Code is amended to read:

130251. (a) The California Health and Human Services Agency or one of the departments under its jurisdiction may apply for federal funds made available through the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5) for health information technology and exchange. (b) In the event that the California Health and Human Services Agency or one of the departments under its jurisdiction elects not to submit an application described in subdivision (a), the Governor shall designate a qualified nonprofit entity to be the state-designated entity for the purposes of health information exchange, pursuant to the requirements set forth in ARRA.
(c) The agency or state-designated entity shall execute tasks related to accessing federal stimulus funds made available through ARRA, and facilitate and expand the use and disclosure of health information electronically among organizations according to nationally recognized standards and implementation specifications while protecting, to the greatest extent possible, individual privacy and the confidentiality of electronic medical records, and with no diminution of rights under state law. (d) The agency or state-designated entity shall develop a plan to ensure that health information exchange capabilities are available, adopted, and utilized statewide so that patients do not experience disparities in access to the benefits of this technology by age, race, ethnicity, language, income, insurance status, geography, or otherwise. (e) The agency or state-designated entity shall create a plan for a self-sustaining funding mechanism that does not include use of General Fund moneys that shall cover all reasonable costs of the administration of health information exchange when federal ARRA funds expire or are exhausted. (f) The state-designated entity shall continually meet any conditions for being so designated as determined by the Secretary of California Health and Human Services. Failure to comply with this subdivision may result in the entity losing its designation. (g) As a condition of receiving the state designation, the state-designated entity shall comply with all of the following requirements: (1) It shall be subject to oversight by the California Health and Human Services Agency. (2) (A) It shall be governed by a board with a diverse composition from multiple types of organizations from multiple regions throughout the state. The governing board shall include, at a minimum, all of the following: (i) The Secretary of California Health and Human Services on or his or her designee. (ii) The Chair of the Senate Committee on Health or his or her designee.
(iii) The Chair of the Assembly Committee on Health on or his or her designee. (iv) At least two consumer representatives, one of whom shall have expertise in privacy and security of health information. (B) The majority of the board shall be comprised of nongovernmental employees. (3) If the board convenes workgroups or subcommittees, the workgroups or subcommittees shall be comprised of representatives from multiple types of organizations from multiple regions throughout the state, and meetings of any workgroup or subcommittee shall be held in an open, public, and transparent way. (4) It shall have nondiscrimination and conflict-of-interest policies that demonstrate a commitment to open, fair, and nondiscriminatory participation by stakeholders. (h) The state-designated entity shall report to the California Health and Human Services Agency and the Legislature on its progress and activities at least annually.

SEC. 3. No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.

SECTION 1. Division 109.5 (commencing with Section 130250) is added to the Health and Safety Code, to read:

DIVISION 109.5. Health Information Technology Advisory Panel

130250. (a) There is hereby created a health information technology advisory panel to advise the Governor and the Legislature on health information technology implementation in California. The panel shall be composed of the following voting members: (1) Two representatives of consumers, one of whom shall have expertise in privacy and security of health information.
(2) One representative from a hospital. (3) One representative from a primary care clinic. (4) One representative from a health plan or health insurer. (5) Two representatives from a medical group, one of whom shall represent a group of specialists. (6) Two representatives from health care professions who are not physicians. (7) One representative who is a solo or small group physician. For purposes of this section, "small group physician" means a physician who is part of a group of five or fewer physicians. (8) One representative who is a solo or small group physician representing specialty care. (9) One representative who has expertise in telemedicine or telehealth. (10) Two representatives from institutions of higher education that offer medical or clinical education or health informatics, one of whom represents a public institution. (11) One representative from the California Council on Science and Technology. (12) One representative from a nonprofit entity who has demonstrated expertise in health information technology. (13) One representative with expertise in the use of health information technology to manage chronic disease. (b) Of the panel members as provided for in subdivision (a) the Governor shall appoint __ members, the Senate Committee on Rules shall appoint __ members, and the Speaker of the Assembly shall appoint __ members. (c) The following shall also participate in the panel as ex officio, nonvoting members: (1) The Secretary of Business, Transportation and Housing, or his or her designee. (2) The Secretary of Health and Human Services, or his or her designee. (3) The chair of the Senate Committee on Health, or his or her designee. (4) The chair of the Assembly Committee on Health, or his or her designee. (5) The State Chief Information Officer, or his or her designee. 130251. 
(a) Voting members shall have demonstrated expertise in the provision, use, or deployment of health information technologies to providers, provider groups, provider facilities, consumers, patients, or communities. (b) The initial term of voting members shall be staggered, with eight members being appointed for a two-year term and nine members being appointed for a four-year term. Upon the expiration of the initial term, all voting members shall be appointed for a four-year term. (c) The panel shall elect, from among its members, a chair who shall regularly report to the Governor and the Legislature on behalf of the panel. 130252. (a) The panel shall do all of the following: (1) Make recommendations to maximize the state's eligibility and award of federal stimulus funds, authorized by the American Recovery and Reinvestment Act of 2009 (ARRA) (Public Law 111-5), related to the use of health information technology. (2) Advise the Governor and the Legislature on a mechanism for designating a nonstate entity, and whether such a nonstate entity is desirable, for executing tasks related to accessing federal stimulus funds made available through ARRA. (3) Make recommendations to ensure that safety net providers have access to federal stimulus funds for which they are eligible. (4) Make recommendations for sources necessary to match federal dollars in the award of funds made available through ARRA. (5) Make recommendations for working with higher education entities to incorporate medical informatics and health care information enterprise integration into the higher education curriculum, and information technology into clinical education. (6) Make recommendations for standards and certification to federal policy makers and the Office of the National Coordinator for Health Information Technology in the federal Department of Health and Human Services. 
(7) Make recommendations on qualifications for centers in the state that may provide technical assistance and best practices related to health information technology and meaningful assistance on its implementation. (8) Make recommendations to ensure that providers have access to information on federal incentive payments available under ARRA that will help them maximize their eligibility under ARRA, including understanding of "meaningful use" as defined in federal law. (9) Meet at least monthly in the first year, and, thereafter, as deemed necessary by the chair. (b) The panel shall make a recommendation in 2014 whether continued need for the advisory panel exists beyond 2016. (c) All members of the advisory panel shall serve without compensation. Members of the panel shall be reimbursed for all necessary travel expenses associated with the activities of the panel. Consumer representatives on the panel may receive per diem compensation if they are otherwise economically unable to attend and participate in panel activities.