BILL NUMBER: SB 368
AMENDED BILL TEXT

AMENDED IN SENATE DECEMBER 15, 2009
AMENDED IN SENATE APRIL 1, 2009

INTRODUCED BY Senator Maldonado

FEBRUARY 25, 2009

An act to amend Section 130203 of the Health and Safety Code, relating to confidential medical information. An act to add Section 15438.9 to the Government Code, relating to public health.

LEGISLATIVE COUNSEL'S DIGEST

SB 368, as amended, Maldonado. Confidential medical information: unlawful disclosure. Public health: health care technology systems: loans.

Existing law authorizes the California Health Facilities Financing Authority to, among other things, make secured and unsecured loans to any participating health institution in connection with the financing of a project or working capital in accordance with an agreement between the authority and the participating health institution.

This bill would require the authority to establish a low-interest loan program to provide any participating health institution eligible health provider organization, as defined, or eligible licensed physician and surgeon, as defined, with financing for the costs of purchasing a health care information technology system, as defined. It would also require the authority, by January 1, 2012, and on an annual basis thereafter, to provide a report on the status and utilization of this loan program to the Assembly Committee on Health and the Senate Committee on Health.

Existing law, the Confidentiality of Medical Information Act, generally prohibits the unlawful disclosure of confidential patient information, sets forth criminal and civil penalties for prescribed violations, and authorizes prescribed persons to bring enforcement actions.

Existing law requires a provider of health care, as defined, to establish and implement specified safeguards to protect the privacy of a patient's medical information. Existing law requires a provider of health care to reasonably safeguard confidential medical information from unauthorized or unlawful access, use, or disclosure. Existing law establishes within the California Health and Human Services Agency the Office of Health Information Integrity to assess and impose administrative fines for a violation of these provisions.

This bill would authorize the office to audit the procedures and records of a provider of health care at any time to determine the provider's compliance with the Confidentiality of Medical Information Act.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1. Section 15438.9 is added to the Government Code, to read:

15438.9. (a) The authority shall establish a low-interest loan program to provide any participating health institution, eligible health provider organization, such as a medical group or independent practice association, or eligible licensed physician and surgeon, whose primary business is health care, with financing for the costs of purchasing a health care information technology system. Subject to the California Constitution, the State General Obligation Bond Law (Chapter 4 (commencing with Section 16720) of Part 3 of Division 4), and this part, moneys from the Health Facilities Financing Fund may be used, upon appropriation by the Legislature, for purposes of this program.

(b) For purposes of this section:

(1) "Eligible health provider organization" means a health care provider organization that is established and operates on a nonprofit basis.

(2) "Eligible licensed physician and surgeon" means a physician and surgeon whose office or practice is established and operates on a nonprofit basis.

(3) "Health care information system" means information technology purchased by a qualified taxpayer that will aid in the provision of health care in a health care setting, including, but not limited to, health care information technology that deals with the storage, retrieval, sharing, and use of health care information, including electronic health records, electronic prescription drug administration, and computerized physician order entry that permits the electronic ordering of diagnostic and treatment services. For purposes of this paragraph, "health care information technology" does not include information technology whose sole use is for maintenance of inventory of basic supplies or appointment scheduling.

(c) On or before January 1, 2012, and on an annual basis thereafter, the authority shall provide a report on the status and utilization of the loan program, described in subdivision (a), to the respective chairs and vice chairs of the Assembly Committee on Health and the Senate Committee on Health.

SECTION 1. Section 130203 of the Health and Safety Code is amended to read:

130203. (a) Every provider of health care shall establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of a patient's medical information. Every provider of health care shall reasonably safeguard confidential medical information from any unauthorized access or unlawful access, use, or disclosure.

(b) The office may audit the procedures and records of a provider of health care at any time in order to determine the provider's compliance with the requirements of subdivision (a).

(c) In exercising its duties pursuant to this division, the office shall consider the provider's capability, complexity, size, and history of compliance with this section and other related state and federal statutes and regulations, the extent to which the provider detected violations and took steps to immediately correct and prevent past violations from reoccurring, and factors beyond the provider's immediate control that restricted the facility's ability to comply with this section.