Bill Text: CA SB138 | 2013-2014 | Regular Session | Chaptered


Bill Title: Confidentiality of medical information.

Spectrum: Partisan Bill (Democrat 3-0)

Status: (Passed) 2013-10-01 - Chaptered by Secretary of State. Chapter 444, Statutes of 2013.

BILL NUMBER: SB 138	CHAPTERED
	BILL TEXT

	CHAPTER  444
	FILED WITH SECRETARY OF STATE  OCTOBER 1, 2013
	APPROVED BY GOVERNOR  OCTOBER 1, 2013
	PASSED THE SENATE  SEPTEMBER 10, 2013
	PASSED THE ASSEMBLY  SEPTEMBER 9, 2013
	AMENDED IN ASSEMBLY  SEPTEMBER 3, 2013
	AMENDED IN ASSEMBLY  AUGUST 6, 2013
	AMENDED IN ASSEMBLY  JUNE 26, 2013
	AMENDED IN SENATE  MAY 28, 2013
	AMENDED IN SENATE  APRIL 8, 2013
	AMENDED IN SENATE  MARCH 13, 2013

INTRODUCED BY   Senator Hernandez
   (Coauthors: Senators DeSaulnier and Leno)

                        JANUARY 28, 2013

   An act to amend Sections 56.05, 56.104, 56.16, 1786.2, and 1798.91
of, and to add Section 56.107 to, the Civil Code, to amend Section
4053 of the Financial Code, to amend Sections 1280.15, 1627,
117705, 117928, 120985, 121010, and 130201 of, and to add Section
1348.5 to, the Health and Safety Code, to amend Section 791.02 of,
and to add Section 791.29 to, the Insurance Code, and to amend
Sections 3208.05, 3762, and 5406.6 of the Labor Code, relating to
medical information.


	LEGISLATIVE COUNSEL'S DIGEST


   SB 138, Hernandez. Confidentiality of medical information.
   Existing federal law, the Health Insurance Portability and
Accountability Act of 1996 (HIPAA), establishes certain requirements
relating to the provision of health insurance, and the protection of
privacy of individually identifiable health information.
   Existing law, the Knox-Keene Health Care Service Plan Act of 1975,
provides for the licensure and regulation of health care service
plans by the Department of Managed Health Care and makes a willful
violation of its provisions a crime. Existing law also provides for
the regulation of health insurers by the Department of Insurance.
   Existing law, the Confidentiality of Medical Information Act,
provides that medical information, as defined, may not be disclosed
by providers of health care, health care service plans, or
contractors, as defined, without the patient's written authorization,
subject to certain exceptions, including disclosure to a probate
court investigator, as specified. A violation of the act resulting in
economic loss or personal injury to a patient is a misdemeanor and
subjects the violating party to liability for specified damages and
administrative fines and penalties. The act defines various terms
relevant to its implementation.
   Existing law, the Insurance Information and Privacy Protection
Act, generally regulates how insurers collect, use, and disclose
information gathered in connection with insurance transactions.
   This bill would declare the intent of the Legislature to
incorporate HIPAA standards into state law and to clarify standards
for protecting the confidentiality of medical information in
insurance transactions. The bill would define additional terms in
connection with maintaining the confidentiality of this information,
including a "confidential communications request" which an insured,
or a subscriber or enrollee under a health care service plan, may
submit for the purpose of specifying the method for transmitting
medical information communications.
   This bill would specify the manner in which a health care service
plan or health insurer, on and after January 1, 2015, would be
required to maintain confidentiality of medical information regarding
the treatment of an insured, subscriber, or enrollee, including
requiring a health care service plan or health insurer to accommodate
requests by insureds, subscribers, and enrollees to receive requests
for confidential communication of medical information in situations
involving sensitive services or situations in which disclosure would
endanger the individual.
   This bill would specifically authorize a provider of health care
to communicate information regarding benefit cost-sharing
arrangements to the health care service plan or health insurer, as
specified.
   This bill would also prohibit the health care service plan or
health insurer from conditioning enrollment in the plan or
eligibility for benefits on the waiver of certain rights provided for
in the bill. The bill also would make conforming technical changes.
Because a willful violation of these provisions by a health care
service plan would be a crime, and because this bill would expand the
scope of a crime, the bill would create a state-mandated local
program.
   The California Constitution requires the state to reimburse local
agencies and school districts for certain costs mandated by the
state. Statutory provisions establish procedures for making that
reimbursement.
   This bill would provide that no reimbursement is required by this
act for a specified reason.



THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  SECTION 1.  The Legislature finds and declares all of the
following:
   (a) Privacy is a fundamental right of all Californians, protected
by the California Constitution, the federal Health Insurance
Portability and Accountability Act (HIPAA; Public Law 104-191), and
the Confidentiality of Medical Information Act, Part 2.6 (commencing
with Section 56) of Division 1 of the Civil Code.
   (b) Implementation of the recently enacted federal Patient
Protection and Affordable Care Act (Public Law 111-148) will expand
the number of individuals insured as dependents on a health insurance
policy held in another person's name, including adult children under
26 years of age insured on a parent's insurance policy.
   (c) HIPAA explicitly protects the confidentiality of medical care
obtained by dependents insured under a health insurance policy held
by another person.
   (d) Therefore, it is the intent of the Legislature in enacting
this act to incorporate HIPAA standards into state law and to clarify
the standards for protecting the confidentiality of medical
information in insurance transactions.
  SEC. 2.  Section 56.05 of the Civil Code is amended to read:
   56.05.  For purposes of this part:
   (a) "Authorization" means permission granted in accordance with
Section 56.11 or 56.21 for the disclosure of medical information.
   (b) "Authorized recipient" means any person who is authorized to
receive medical information pursuant to Section 56.10 or 56.20.
   (c) "Confidential communications request" means a request by a
subscriber or enrollee that health care service plan communications
containing medical information be communicated to him or her at a
specific mail or email address or specific telephone number, as
designated by the subscriber or enrollee.
   (d) "Contractor" means any person or entity that is a medical
group, independent practice association, pharmaceutical benefits
manager, or a medical service organization and is not a health care
service plan or provider of health care. "Contractor" does not
include insurance institutions as defined in subdivision (k) of
Section 791.02 of the Insurance Code or pharmaceutical benefits
managers licensed pursuant to the Knox-Keene Health Care Service Plan
Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division
2 of the Health and Safety Code).
   (e) "Endanger" means that the subscriber or enrollee fears that
disclosure of his or her medical information could subject the
subscriber or enrollee to harassment or abuse.
   (f) "Enrollee" has the same meaning as that term is defined in
Section 1345 of the Health and Safety Code.
   (g) "Health care service plan" means any entity regulated pursuant
to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2
(commencing with Section 1340) of Division 2 of the Health and Safety
Code).
   (h) "Licensed health care professional" means any person licensed
or certified pursuant to Division 2 (commencing with Section 500) of
the Business and Professions Code, the Osteopathic Initiative Act or
the Chiropractic Initiative Act, or Division 2.5 (commencing with
Section 1797) of the Health and Safety Code.
   (i) "Marketing" means to make a communication about a product or
service that encourages recipients of the communication to purchase
or use the product or service.
   "Marketing" does not include any of the following:
   (1) Communications made orally or in writing for which the
communicator does not receive direct or indirect remuneration,
including, but not limited to, gifts, fees, payments, subsidies, or
other economic benefits, from a third party for making the
communication.
   (2) Communications made to current enrollees solely for the
purpose of describing a provider's participation in an existing
health care provider network or health plan network of a Knox-Keene
licensed health plan to which the enrollees already subscribe;
communications made to current enrollees solely for the purpose of
describing if, and the extent to which, a product or service, or
payment for a product or service, is provided by a provider,
contractor, or plan or included in a plan of benefits of a Knox-Keene
licensed health plan to which the enrollees already subscribe; or
communications made to plan enrollees describing the availability of
more cost-effective pharmaceuticals.
   (3) Communications that are tailored to the circumstances of a
particular individual to educate or advise the individual about
treatment options, and otherwise maintain the individual's adherence
to a prescribed course of medical treatment, as provided in Section
1399.901 of the Health and Safety Code, for a chronic and seriously
debilitating or life-threatening condition as defined in subdivisions
(d) and (e) of Section 1367.21 of the Health and Safety Code, if the
health care provider, contractor, or health plan receives direct or
indirect remuneration, including, but not limited to, gifts, fees,
payments, subsidies, or other economic benefits, from a third party
for making the communication, if all of the following apply:
   (A) The individual receiving the communication is notified in the
communication in typeface no smaller than 14-point type of the fact
that the provider, contractor, or health plan has been remunerated
and the source of the remuneration.
   (B) The individual is provided the opportunity to opt out of
receiving future remunerated communications.
   (C) The communication contains instructions in typeface no smaller
than 14-point type describing how the individual can opt out of
receiving further communications by calling a toll-free number of the
health care provider, contractor, or health plan making the
remunerated communications. No further communication may be made to
an individual who has opted out after 30 calendar days from the date
the individual makes the opt out request.
   (j) "Medical information" means any individually identifiable
information, in electronic or physical form, in possession of or
derived from a provider of health care, health care service plan,
pharmaceutical company, or contractor regarding a patient's medical
history, mental or physical condition, or treatment. "Individually
identifiable" means that the medical information includes or contains
any element of personal identifying information sufficient to allow
identification of the individual, such as the patient's name,
address, electronic mail address, telephone number, or social
security number, or other information that, alone or in combination
with other publicly available information, reveals the individual's
identity.
   (k) "Patient" means any natural person, whether or not still
living, who received health care services from a provider of health
care and to whom medical information pertains.
   (l) "Pharmaceutical company" means any company or
business, or an agent or representative thereof, that manufactures,
sells, or distributes pharmaceuticals, medications, or prescription
drugs. "Pharmaceutical company" does not include a pharmaceutical
benefits manager, as included in subdivision (c), or a provider of
health care.
   (m) "Provider of health care" means any person licensed or
certified pursuant to Division 2 (commencing with Section 500) of the
Business and Professions Code; any person licensed pursuant to the
Osteopathic Initiative Act or the Chiropractic Initiative Act; any
person certified pursuant to Division 2.5 (commencing with Section
1797) of the Health and Safety Code; any clinic, health dispensary,
or health facility licensed pursuant to Division 2 (commencing with
Section 1200) of the Health and Safety Code. "Provider of health care"
does not include insurance institutions as defined in subdivision
(k) of Section 791.02 of the Insurance Code.
   (n) "Sensitive services" means all health care services described
in Sections 6924, 6925, 6926, 6927, 6928, and 6929 of the Family
Code, and Sections 121020 and 124260 of the Health and Safety Code,
obtained by a patient at or above the minimum age specified for
consenting to the service specified in the section.
   (o) "Subscriber" has the same meaning as that term is defined in
Section 1345 of the Health and Safety Code.
  SEC. 3.  Section 56.104 of the Civil Code is amended to read:
   56.104.  (a) Notwithstanding subdivision (c) of Section 56.10,
except as provided in subdivision (e), no provider of health care,
health care service plan, or contractor may release medical
information to persons or entities who have requested that
information and who are authorized by law to receive that information
pursuant to subdivision (c) of Section 56.10, if the requested
information specifically relates to the patient's participation in
outpatient treatment with a psychotherapist, unless the person or
entity requesting that information submits to the patient pursuant to
subdivision (b) and to the provider of health care, health care
service plan, or contractor a written request, signed by the person
requesting the information or an authorized agent of the entity
requesting the information, that includes all of the following:
   (1) The specific information relating to a patient's participation
in outpatient treatment with a psychotherapist being requested and
its specific intended use or uses.
   (2) The length of time during which the information will be kept
before being destroyed or disposed of. A person or entity may extend
that timeframe, provided that the person or entity notifies the
provider, plan, or contractor of the extension. Any notification of
an extension shall include the specific reason for the extension, the
intended use or uses of the information during the extended time,
and the expected date of the destruction of the information.
   (3) A statement that the information will not be used for any
purpose other than its intended use.
   (4) A statement that the person or entity requesting the
information will destroy the information and all copies in the
person's or entity's possession or control, will cause it to be destroyed,
or will return the information and all copies of it before or
immediately after the length of time specified in paragraph (2) has
expired.
   (b) The person or entity requesting the information shall submit a
copy of the written request required by this section to the patient
within 30 days of receipt of the information requested, unless the
patient has signed a written waiver in the form of a letter signed
and submitted by the patient to the provider of health care or health
care service plan waiving notification.
   (c) For purposes of this section, "psychotherapist" means a person
who is both a "psychotherapist" as defined in Section 1010 of the
Evidence Code and a "provider of health care" as defined in Section
56.05.
   (d) This section does not apply to the disclosure or use of
medical information by a law enforcement agency or a regulatory
agency when required for an investigation of unlawful activity or for
licensing, certification, or regulatory purposes, unless the
disclosure is otherwise prohibited by law.
   (e) This section shall not apply to any of the following:
   (1) Information authorized to be disclosed pursuant to paragraph
(1) of subdivision (c) of Section 56.10.
   (2) Information requested from a psychotherapist by law
enforcement or by the target of the threat subsequent to a disclosure
by that psychotherapist authorized by paragraph (19) of subdivision
(c) of Section 56.10, in which the additional information is clearly
necessary to prevent the serious and imminent threat disclosed under
that paragraph.
   (3) Information disclosed by a psychotherapist pursuant to
paragraphs (14) and (22) of subdivision (c) of Section 56.10 and
requested by an agency investigating the abuse reported pursuant to
those paragraphs.
   (f) Nothing in this section shall be construed to grant any
additional authority to a provider of health care, health care
service plan, or contractor to disclose information to a person or
entity without the patient's consent.
  SEC. 4.  Section 56.107 is added to the Civil Code, to read:
   56.107.  (a) Notwithstanding any other law, and to the extent
permitted by federal law, a health care service plan shall take the
following steps to protect the confidentiality of a subscriber's or
enrollee's medical information on and after January 1, 2015:
   (1) A health care service plan shall permit subscribers and
enrollees to request, and shall accommodate requests for,
communication in the form and format requested by the individual, if
it is readily producible in the requested form and format, or at
alternative locations, if the subscriber or enrollee clearly states
either that the communication discloses medical information or
provider name and address relating to receipt of sensitive services
or that disclosure of all or part of the medical information or
provider name and address could endanger the subscriber or enrollee.
   (2) A health care service plan may require the subscriber or
enrollee to make a request for a confidential communication described
in paragraph (1), in writing or by electronic transmission.
   (3) A health care service plan may require that a confidential
communications request contain a statement that the request pertains
to either medical information related to the receipt of sensitive
services or that disclosure of all or part of the medical information
could endanger the subscriber or enrollee. The health care service
plan shall not require an explanation as to the basis for a
subscriber's or enrollee's statement that disclosure could endanger
the subscriber or enrollee.
   (4) The confidential communication request shall be valid until
the subscriber or enrollee submits a revocation of the request or a
new confidential communication request is submitted.
   (5) For the purposes of this section, a confidential
communications request shall be implemented by the health care
service plan within seven calendar days of receipt of an electronic
transmission or telephonic request or within 14 calendar days of
receipt by first-class mail. The health care service plan shall
acknowledge receipt of the confidential communications request and
advise the subscriber or enrollee of the status of implementation of
the request if a subscriber or enrollee contacts the health care
service plan.
   (b) Notwithstanding subdivision (a), the provider of health care
may make arrangements with the subscriber or enrollee for the payment
of benefit cost sharing and communicate that arrangement with the
health care service plan.
   (c) A health care service plan shall not condition enrollment or
coverage on the waiver of rights provided in this section.
  SEC. 5.  Section 56.16 of the Civil Code is amended to read:
   56.16.  For disclosures not addressed by Section 56.1007, unless
there is a specific written request by the patient to the contrary,
nothing in this part shall be construed to prevent a general acute
care hospital, as defined in subdivision (a) of Section 1250 of the
Health and Safety Code, upon an inquiry concerning a specific
patient, from releasing at its discretion any of the following
information: the patient's name, address, age, and sex; a general
description of the reason for treatment (whether an injury, a burn,
poisoning, or some unrelated condition); the general nature of the
injury, burn, poisoning, or other condition; the general condition of
the patient; and any information that is not medical information as
defined in Section 56.05.
  SEC. 6.  Section 1786.2 of the Civil Code is amended to read:
   1786.2.  The following terms as used in this title have the
meaning expressed in this section:
   (a) The term "person" means any individual, partnership,
corporation, limited liability company, trust, estate, cooperative,
association, government or governmental subdivision or agency, or
other entity. The term "person" as used in this title shall not be
construed to require duplicative reporting by any individual,
corporation, trust, estate, cooperative, association, government, or
governmental subdivision or agency, or other entity involved in the
same transaction.
   (b) The term "consumer" means a natural individual who has made
application to a person for employment purposes, for insurance for
personal, family, or household purposes, or the hiring of a dwelling
unit, as defined in subdivision (c) of Section 1940.
   (c) The term "investigative consumer report" means a consumer
report in which information on a consumer's character, general
reputation, personal characteristics, or mode of living is obtained
through any means. The term does not include a consumer report or
other compilation of information that is limited to specific factual
information relating to a consumer's credit record or manner of
obtaining credit obtained directly from a creditor of the consumer or
from a consumer reporting agency when that information was obtained
directly from a potential or existing creditor of the consumer or
from the consumer. Notwithstanding the foregoing, for transactions
between investigative consumer reporting agencies and insurance
institutions, agents, or insurance-support organizations subject to
Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of
Division 1 of the Insurance Code, the term "investigative consumer
report" shall have the meaning set forth in Section 791.02 of the
Insurance Code.
   (d) The term "investigative consumer reporting agency" means any
person who, for monetary fees or dues, engages in whole or in part in
the practice of collecting, assembling, evaluating, compiling,
reporting, transmitting, transferring, or communicating information
concerning consumers for the purposes of furnishing investigative
consumer reports to third parties, but does not include any
governmental agency whose records are maintained primarily for
traffic safety, law enforcement, or licensing purposes, or any
licensed insurance agent, insurance broker, or solicitor, insurer, or
life insurance agent.
   (e) The term "file," when used in connection with information on
any consumer, means all of the information on that consumer recorded
and retained by an investigative consumer reporting agency regardless
of how the information is stored.
   (f) The term "employment purposes," when used in connection with
an investigative consumer report, means a report used for the purpose
of evaluating a consumer for employment, promotion, reassignment, or
retention as an employee.
   (g) The term "medical information" means information on a person's
medical history or condition obtained directly or indirectly from a
licensed physician, medical practitioner, hospital, clinic, or other
medical or medically related facility.
  SEC. 7.  Section 1798.91 of the Civil Code is amended to read:
   1798.91.  (a) For purposes of this title, the following
definitions shall apply:
   (1) "Direct marketing purposes" means the use of personal
information for marketing or advertising products, goods, or services
directly to individuals. "Direct marketing purposes" does not
include the use of personal information (A) by bona fide tax exempt
charitable or religious organizations to solicit charitable
contributions or (B) to raise funds from and communicate with
individuals regarding politics and government.
   (2) "Medical information" means any individually identifiable
information, in electronic or physical form, regarding the
individual's medical history, or medical treatment or diagnosis by a health care
professional. "Individually identifiable" means that the medical
information includes or contains any element of personal identifying
information sufficient to allow identification of the individual,
such as the individual's name, address, electronic mail address,
telephone number, or social security number, or other information
that, alone or in combination with other publicly available
information, reveals the individual's identity. For purposes of this
section, "medical information" does not mean a subscription to,
purchase of, or request for a periodical, book, pamphlet, video,
audio, or other multimedia product or nonprofit association
information.
   (3) "Clear and conspicuous" means in larger type than the
surrounding text, or in contrasting type, font, or color to the
surrounding text of the same size, or set off from the surrounding
text of the same size by symbols or other marks that call attention
to the language.
   (4) For purposes of this section, the collection of medical
information online constitutes "in writing." For purposes of this
section, "written consent" includes consent obtained online.
   (b) A business may not orally request medical information directly
from an individual regardless of whether the information pertains to
the individual or not, and use, share, or otherwise disclose that
information for direct marketing purposes, without doing both of the
following prior to obtaining that information:
   (1) Orally disclosing to the individual in the same conversation
during which the business seeks to obtain the information, that it is
obtaining the information to market or advertise products, goods, or
services to the individual.
   (2) Obtaining the consent of either the individual to whom the
information pertains or a person legally authorized to consent for
the individual, to permit his or her medical information to be used
or shared to market or advertise products, goods, or services to the
individual, and making and maintaining for two years after the date
of the conversation, an audio recording of the entire conversation.
   (c) A business may not request in writing medical information
directly from an individual regardless of whether the information
pertains to the individual or not, and use, share, or otherwise
disclose that information for direct marketing purposes, without
doing both of the following prior to obtaining that information:
   (1) Disclosing in a clear and conspicuous manner that it is
obtaining the information to market or advertise products, goods, or
services to the individual.
   (2) Obtaining the written consent of either the individual to whom
the information pertains or a person legally authorized to consent
for the individual, to permit his or her medical information to be
used or shared to market or advertise products, goods, or services to
the individual.
   (d) This section does not apply to a provider of health care,
health care service plan, or contractor, as defined in Section 56.05.
   (e) This section shall not apply to an insurance institution,
agent, or support organization, as defined in Section 791.02 of the
Insurance Code, when engaged in an insurance transaction, as defined
in Section 791.02 of the Insurance Code, pursuant to all the
requirements of Article 6.6 (commencing with Section 791) of Chapter
1 of Part 2 of Division 1 of the Insurance Code, and the regulations
promulgated thereunder.
   (f) This section does not apply to a telephone corporation, as
defined in Section 234 of the Public Utilities Code, when that
corporation is engaged in providing telephone services and products
pursuant to Sections 2881, 2881.1, and 2881.2 of the Public Utilities
Code, if the corporation does not share or disclose medical
information obtained as a consequence of complying with those
sections of the Public Utilities Code, to third parties for direct
marketing purposes.
  SEC. 8.  Section 4053 of the Financial Code is amended to read:
   4053.  (a) (1) A financial institution shall not disclose to, or
share a consumer's nonpublic personal information with, any
nonaffiliated third party as prohibited by Section 4052.5, unless the
financial institution has obtained a consent acknowledgment from the
consumer that complies with paragraph (2) that authorizes the
financial institution to disclose or share the nonpublic personal
information. Nothing in this section shall prohibit or otherwise
apply to the disclosure of nonpublic personal information as allowed
in Section 4056. A financial institution shall not discriminate
against or deny an otherwise qualified consumer a financial product
or a financial service because the consumer has not provided consent
pursuant to this subdivision and Section 4052.5 to authorize the
financial institution to disclose or share nonpublic personal
information pertaining to him or her with any nonaffiliated third
party. Nothing in this section shall prohibit a financial institution
from denying a consumer a financial product or service if the
financial institution could not provide the product or service to a
consumer without the consent to disclose the consumer's nonpublic
personal information required by this subdivision and Section 4052.5,
and the consumer has failed to provide consent. A financial
institution shall not be liable for failing to offer products and
services to a consumer solely because that consumer has failed to
provide consent pursuant to this subdivision and Section 4052.5 and
the financial institution could not offer the product or service
without the consent to disclose the consumer's nonpublic personal
information required by this subdivision and Section 4052.5, and the
consumer has failed to provide consent. Nothing in this section is
intended to prohibit a financial institution from offering incentives
or discounts to elicit a specific response to the notice.
   (2) A financial institution shall utilize a form, statement, or
writing to obtain consent to disclose nonpublic personal information
to nonaffiliated third parties as required by Section 4052.5 and this
subdivision. The form, statement, or writing shall meet all of the
following criteria:
   (A) The form, statement, or writing is a separate document, not
attached to any other document.
   (B) The form, statement, or writing is dated and signed by the
consumer.
   (C) The form, statement, or writing clearly and conspicuously
discloses that by signing, the consumer is consenting to the
disclosure to nonaffiliated third parties of nonpublic personal
information pertaining to the consumer.
   (D) The form, statement, or writing clearly and conspicuously
discloses (i) that the consent will remain in effect until revoked or
modified by the consumer; (ii) that the consumer may revoke the
consent at any time; and (iii) the procedure for the consumer to
revoke consent.
   (E) The form, statement, or writing clearly and conspicuously
informs the consumer that (i) the financial institution will maintain
the document or a true and correct copy; (ii) the consumer is
entitled to a copy of the document upon request; and (iii) the
consumer may want to make a copy of the document for the consumer's
records.
   (b) (1) A financial institution shall not disclose to, or share a
consumer's nonpublic personal information with, an affiliate unless the financial institution
has clearly and conspicuously notified the consumer annually in
writing pursuant to subdivision (d) that the nonpublic personal
information may be disclosed to an affiliate of the financial
institution and the consumer has not directed that the nonpublic
personal information not be disclosed. A financial institution does
not disclose information to, or share information with, its affiliate
merely because information is maintained in common information
systems or databases, and employees of the financial institution and
its affiliate have access to those common information systems or
databases, or a consumer accesses a Web site jointly operated or
maintained under a common name by or on behalf of the financial
institution and its affiliate, provided that where a consumer has
exercised his or her right to prohibit disclosure pursuant to this
division, nonpublic personal information is not further disclosed or
used by an affiliate except as permitted by this division.
   (2) Subdivision (a) shall not prohibit the release of nonpublic
personal information by a financial institution with whom the
consumer has a relationship to a nonaffiliated financial institution
for purposes of jointly offering a financial product or financial
service pursuant to a written agreement with the financial
institution that receives the nonpublic personal information provided
that all of the following requirements are met:
   (A) The financial product or service offered is a product or
service of, and is provided by, at least one of the financial
institutions that is a party to the written agreement.
   (B) The financial product or service is jointly offered, endorsed,
or sponsored, and clearly and conspicuously identifies for the
consumer the financial institutions that disclose and receive the
disclosed nonpublic personal information.
   (C) The written agreement provides that the financial institution
that receives that nonpublic personal information is required to
maintain the confidentiality of the information and is prohibited
from disclosing or using the information other than to carry out the
joint offering or servicing of a financial product or financial
service that is the subject of the written agreement.
   (D) The financial institution that releases the nonpublic personal
information has complied with subdivision (d) and the consumer has
not directed that the nonpublic personal information not be
disclosed.
   (E) Notwithstanding this section, until January 1, 2005, a
financial institution may disclose nonpublic personal information to
a nonaffiliated financial institution pursuant to a preexisting
contract with the nonaffiliated financial institution, for purposes
of offering a financial product or financial service, if that
contract was entered into on or before January 1, 2004. Beginning on
January 1, 2005, no nonpublic personal information may be disclosed
pursuant to that contract unless all the requirements of this
subdivision are met.
   (3) Nothing in this subdivision shall prohibit a financial
institution from disclosing or sharing nonpublic personal information
as otherwise specifically permitted by this division.
   (4) A financial institution shall not discriminate against or deny
an otherwise qualified consumer a financial product or a financial
service because the consumer has directed pursuant to this
subdivision that nonpublic personal information pertaining to him or
her not be disclosed. A financial institution shall not be required
to offer or provide products or services offered through affiliated
entities or jointly with nonaffiliated financial institutions
pursuant to paragraph (2) where the consumer has directed that
nonpublic personal information not be disclosed pursuant to this
subdivision and the financial institution could not offer or provide
the products or services to the consumer without disclosure of the
consumer's nonpublic personal information that the consumer has
directed not be disclosed pursuant to this subdivision. A financial
institution shall not be liable for failing to offer or provide
products or services offered through affiliated entities or jointly
with nonaffiliated financial institutions pursuant to paragraph (2)
solely because the consumer has directed that nonpublic personal
information not be disclosed pursuant to this subdivision and the
financial institution could not offer or provide the products or
services to the consumer without disclosure of the consumer's
nonpublic personal information that the consumer has directed not be
disclosed to affiliates pursuant to this subdivision. Nothing in this
section is intended to prohibit a financial institution from
offering incentives or discounts to elicit a specific response to the
notice set forth in this division. Nothing in this section shall
prohibit the disclosure of nonpublic personal information allowed by
Section 4056.
   (5) The financial institution may, at its option, choose instead
to comply with the requirements of subdivision (a).
   (c) Nothing in this division shall restrict or prohibit the
sharing of nonpublic personal information between a financial
institution and its wholly owned financial institution subsidiaries;
among financial institutions that are each wholly owned by the same
financial institution; among financial institutions that are wholly
owned by the same holding company; or among the insurance and
management entities of a single insurance holding company system
consisting of one or more reciprocal insurance exchanges which has a
single corporation or its wholly owned subsidiaries providing
management services to the reciprocal insurance exchanges, provided
that in each case all of the following requirements are met:
   (1) The financial institution disclosing the nonpublic personal
information and the financial institution receiving it are regulated
by the same functional regulator; provided, however, that for
purposes of this subdivision, financial institutions regulated by the
Office of the Comptroller of the Currency, Office of Thrift
Supervision, National Credit Union Administration, or a state
regulator of depository institutions shall be deemed to be regulated
by the same functional regulator; financial institutions regulated by
the Securities and Exchange Commission, the United States Department
of Labor, or a state securities regulator shall be deemed to be
regulated by the same functional regulator; and insurers admitted in
this state to transact insurance and licensed to write insurance
policies shall be deemed to be in compliance with this paragraph.
   (2) The financial institution disclosing the nonpublic personal
information and the financial institution receiving it are both
principally engaged in the same line of business. For purposes of
this subdivision, "same line of business" shall be one and only one
of the following:
   (A) Insurance.
   (B) Banking.
   (C) Securities.
   (3) The financial institution disclosing the nonpublic personal
information and the financial institution receiving it share a common
brand, excluding a brand consisting solely of a graphic element or
symbol, within their trademark, service mark, or trade name, which is
used to identify the source of the products and services provided.
   A wholly owned subsidiary shall include a subsidiary wholly owned
directly or wholly owned indirectly in a chain of wholly owned
subsidiaries.
   Nothing in this subdivision shall permit the disclosure by a
financial institution of medical record information, as defined in
Section 791.02 of the Insurance Code, except in compliance with the
requirements of this division, including the requirements set forth
in subdivisions (a) and (b).
   (d) (1) A financial institution shall be conclusively presumed to
have satisfied the notice requirements of subdivision (b) if it uses
the form set forth in this subdivision. The form set forth in this
subdivision or a form that complies with subparagraphs (A) to (L),
inclusive, of this paragraph shall be sent by the financial
institution to the consumer so that the consumer may make a decision
and provide direction to the financial institution regarding the
sharing of his or her nonpublic personal information. If a financial
institution does not use the form set forth in this subdivision, the
financial institution shall use a form that meets all of the
following requirements:
   (A) The form uses the same title ("IMPORTANT PRIVACY CHOICES FOR
CONSUMERS") and the headers, if applicable, as follows: "Restrict
Information Sharing With Companies We Own Or Control (Affiliates)"
and "Restrict Information Sharing With Other Companies We Do Business
With To Provide Financial Products And Services."
   (B) The titles and headers in the form are clearly and
conspicuously displayed, and no text in the form is smaller than
10-point type.
   (C) The form is a separate document, except as provided by
subparagraph (D) of paragraph (2), and Sections 4054 and 4058.7.
   (D) The choice or choices pursuant to subdivision (b) and Section
4054.6, if applicable, provided in the form are stated separately and
may be selected by checking a box.
   (E) The form is designed to call attention to the nature and
significance of the information in the document.
   (F) The form presents information in clear and concise sentences,
paragraphs, and sections.
   (G) The form uses short explanatory sentences (an average of 15-20
words) or bullet lists whenever possible.
   (H) The form avoids multiple negatives, legal terminology, and
highly technical terminology whenever possible.
   (I) The form avoids explanations that are imprecise and readily
subject to different interpretations.
   (J) The form achieves a minimum Flesch reading ease score of 50,
as defined in Section 2689.4(a)(7) of Title 10 of the California Code
of Regulations, in effect on March 24, 2003, except that the
information in the form included to comply with subparagraph (A)
shall not be included in the calculation of the Flesch reading ease
score, and the information used to describe the choice or choices
pursuant to subparagraph (D) shall score no lower than the
information describing the comparable choice or choices set forth in
the form in this subdivision.
   (K) The form provides wide margins, ample line spacing and uses
boldface or italics for key words.
   (L) The form is not more than one page.
   (2) (A) None of the instructional items appearing in brackets in
the form set forth in this subdivision shall appear in the form
provided to the consumer, as those items are for explanation purposes
only. If a financial institution does not disclose or share
nonpublic personal information as described in a header of the form,
the financial institution may omit the applicable header or headers,
and the accompanying information and box, in the form it provides
pursuant to this subdivision. The form with those omissions shall be
conclusively presumed to satisfy the notice requirements of this
subdivision.
   [GRAPHIC INSERT HERE: SEE PRINTED VERSION OF THE BILL]
   (B) If a financial institution uses a form other than that set
forth in this subdivision, the financial institution may submit that
form to its functional regulator for approval, and for forms filed
with the Office of Privacy Protection prior to July 1, 2007, that
approval shall constitute a rebuttable presumption that the form
complies with this section.
   (C) A financial institution shall not be in violation of this
subdivision solely because it includes in the form one or more brief
examples or explanations of the purpose or purposes, or context,
within which information will be shared, as long as those examples
meet the clarity and readability standards set forth in paragraph
(1).
   (D) The outside of the envelope in which the form is sent to the
consumer shall clearly state in 16-point boldface type "IMPORTANT
PRIVACY CHOICES," except that a financial institution sending the
form to a consumer in the same envelope as a bill, account statement,
or application requested by the consumer does not have to include
the wording "IMPORTANT PRIVACY CHOICES" on that envelope. The form
shall be sent in any of the following ways:
   (i) With a bill, other statement of account, or application
requested by the consumer, in which case the information required by
Title V of the Gramm-Leach-Bliley Act may also be included in the
same envelope.
   (ii) As a separate notice or with the information required by
Title V of the Gramm-Leach-Bliley Act, and including only information
related to privacy.
   (iii) With any other mailing, in which case it shall be the first
page of the mailing.
   (E) If a financial institution uses a form other than that set
forth in this subdivision, that form shall be filed with the Office
of Privacy Protection within 30 days after it is first used.
   (3) The consumer shall be provided a reasonable opportunity prior
to disclosure of nonpublic personal information to direct that
nonpublic personal information not be disclosed. A consumer may
direct at any time that his or her nonpublic personal information not
be disclosed. A financial institution shall comply with a consumer's
directions concerning the sharing of his or her nonpublic personal
information within 45 days of receipt by the financial institution.
When a consumer directs that nonpublic personal information not be
disclosed, that direction is in effect until otherwise stated by the
consumer. A financial institution that has not provided a consumer
with annual notice pursuant to subdivision (b) shall provide the
consumer with a form that meets the requirements of this subdivision,
and shall allow 45 days to lapse from the date of providing the form
in person or the postmark or other postal verification of mailing
before disclosing nonpublic personal information pertaining to the
consumer.
   Nothing in this subdivision shall prohibit the disclosure of
nonpublic personal information as allowed by subdivision (c) or
Section 4056.
   (4) A financial institution may elect to comply with the
requirements of subdivision (a) with respect to disclosure of
nonpublic personal information to an affiliate or with respect to
nonpublic personal information disclosed pursuant to paragraph (2) of
subdivision (b), or subdivision (c) of Section 4054.6.
   (5) If a financial institution does not have a continuing
relationship with a consumer other than the initial transaction in
which the product or service is provided, no annual disclosure
requirement exists pursuant to this section as long as the financial
institution provides the consumer with the form required by this
section at the time of the initial transaction. As used in this
section, "annually" means at least once in any period of 12
consecutive months during which that relationship exists. The
financial institution may define the 12-consecutive-month period, but
shall apply it to the consumer on a consistent basis. If, for
example, a financial institution defines the 12-consecutive-month
period as a calendar year and provides the annual notice to the
consumer once in each calendar year, it complies with the requirement
to send the notice annually.
   (6) A financial institution with assets in excess of twenty-five
million dollars ($25,000,000) shall include a self-addressed first
class business reply return envelope with the notice. A financial
institution with assets of up to and including twenty-five million
dollars ($25,000,000) shall include a self-addressed return envelope
with the notice. In lieu of the first class business reply return
envelope required by this paragraph, a financial institution may
offer a self-addressed return envelope with the notice and at least
two alternative cost-free means for consumers to communicate their
privacy choices, such as calling a toll-free number, sending a
facsimile to a toll-free telephone number, or using electronic means.
A financial institution shall clearly and conspicuously disclose in
the form required by this subdivision the information necessary to
direct the consumer on how to communicate his or her choices,
including the toll-free or facsimile number or Web site address that
may be used, if those means of communication are offered by the
financial institution.
   (7) A financial institution may provide a joint notice from it and
one or more of its affiliates or other financial institutions, as
identified in the notice, so long as the notice is accurate with
respect to the financial institution and the affiliates and other
financial institutions.
   (e) Nothing in this division shall prohibit a financial
institution from marketing its own products and services or the
products and services of affiliates or nonaffiliated third parties to
customers of the financial institution as long as (1) nonpublic
personal information is not disclosed in connection with the delivery
of the applicable marketing materials to those customers except as
permitted by Section 4056 and (2) in cases in which the applicable
nonaffiliated third party may extrapolate nonpublic personal
information about the consumer responding to those marketing
materials, the applicable nonaffiliated third party has signed a
contract with the financial institution under the terms of which (A)
the nonaffiliated third party is prohibited from using that
information for any purpose other than the purpose for which it was
provided, as set forth in the contract, and (B) the financial
institution has the right by audit, inspections, or other means to
verify the nonaffiliated third party's compliance with that contract.

  SEC. 9.  Section 1280.15 of the Health and Safety Code is amended
to read:
   1280.15.  (a) A clinic, health facility, home health agency, or
hospice licensed pursuant to Section 1204, 1250, 1725, or 1745 shall
prevent unlawful or unauthorized access to, and use or disclosure of,
patients' medical information, as defined in Section 56.05 of the
Civil Code and consistent with Section 130203. For purposes of this
section, internal paper records, electronic mail, or facsimile
transmissions inadvertently misdirected within the same facility or
health care system within the course of coordinating care or
delivering services shall not constitute unauthorized access to, or
use or disclosure of, a patient's medical information. The
department, after investigation, may assess an administrative penalty
for a violation of this section of up to twenty-five thousand
dollars ($25,000) per patient whose medical information was
unlawfully or without authorization accessed, used, or disclosed, and
up to seventeen thousand five hundred dollars ($17,500) per
subsequent occurrence of unlawful or unauthorized access, use, or
disclosure of that patient's medical information. For purposes of the
investigation, the department shall consider the clinic's, health
facility's, agency's, or hospice's history of compliance with this
section and other related state and federal statutes and regulations,
the extent to which the facility detected violations and took
preventative action to immediately correct and prevent past
violations from recurring, and factors outside its control that
restricted the facility's ability to comply with this section. The
department shall have full discretion to consider all factors when
determining the amount of an administrative penalty pursuant to this
section.
   (b) (1) A clinic, health facility, home health agency, or hospice
to which subdivision (a) applies shall report any unlawful or
unauthorized access to, or use or disclosure of, a patient's medical
information to the department no later than five business days after
the unlawful or unauthorized access, use, or disclosure has been
detected by the clinic, health facility, home health agency, or
hospice.
   (2) Subject to subdivision (c), a clinic, health facility, home
health agency, or hospice shall also report any unlawful or
unauthorized access to, or use or disclosure of, a patient's medical
information to the affected patient or the patient's representative
at the last known address, no later than five business days after the
unlawful or unauthorized access, use, or disclosure has been
detected by the clinic, health facility, home health agency, or
hospice.
   (c) (1) A clinic, health facility, home health agency, or hospice
shall delay the reporting, as required pursuant to paragraph (2) of
subdivision (b), of any unlawful or unauthorized access to, or use or
disclosure of, a patient's medical information beyond five business
days if a law enforcement agency or official provides the clinic,
health facility, home health agency, or hospice with a written or
oral statement that compliance with the reporting requirements of
paragraph (2) of subdivision (b) would likely impede the law
enforcement agency's investigation that relates to the unlawful or
unauthorized access to, and use or disclosure of, a patient's medical
information and specifies a date upon which the delay shall end, not
to exceed 60 days after a written request is made, or 30 days after
an oral request is made. A law enforcement agency or official may
request an extension of a delay based upon a written declaration that
there exists a bona fide, ongoing, significant criminal
investigation of serious wrongdoing relating to the unlawful or
unauthorized access to, and use or disclosure of, a patient's medical
information, that notification of patients will undermine the law
enforcement agency's investigation, and that specifies a date upon
which the delay shall end, not to exceed 60 days after the end of the
original delay period.
   (2) If the statement of the law enforcement agency or official is
made orally, then the clinic, health facility, home health agency, or
hospice shall do both of the following:
   (A) Document the oral statement, including, but not limited to,
the identity of the law enforcement agency or official making the
oral statement and the date upon which the oral statement was made.
   (B) Limit the delay in reporting the unlawful or unauthorized
access to, or use or disclosure of, the patient's medical information
to the date specified in the oral statement, not to exceed 30
calendar days from the date that the oral statement is made, unless a
written statement that complies with the requirements of this
subdivision is received during that time.
   (3) A clinic, health facility, home health agency, or hospice
shall submit a report that is delayed pursuant to this subdivision
not later than five business days after the date designated as the
end of the delay.
   (d) If a clinic, health facility, home health agency, or hospice
to which subdivision (a) applies violates subdivision (b), the
department may assess the licensee a penalty in the amount of one
hundred dollars ($100) for each day that the unlawful or unauthorized
access, use, or disclosure is not reported to the department or the
affected patient, following the initial five-day period specified in
subdivision (b). However, the total combined penalty assessed by the
department under subdivision (a) and this subdivision shall not
exceed two hundred fifty thousand dollars ($250,000) per reported
event. For enforcement purposes, it shall be presumed that the
facility did not notify the affected patient if the notification was
not documented. This presumption may be rebutted by a licensee only
if the licensee demonstrates, by a preponderance of the evidence,
that the notification was made.
   (e) In enforcing subdivisions (a) and (d), the department shall
take into consideration the special circumstances of small and rural
hospitals, as defined in Section 124840, and primary care clinics, as
defined in subdivision (a) of Section 1204, in order to protect
access to quality care in those hospitals and clinics. When assessing
a penalty on a skilled nursing facility or other facility subject to
Section 1423, 1424, 1424.1, or 1424.5, the department shall issue
only the higher of either a penalty for the violation of this section
or a penalty for violation of Section 1423, 1424, 1424.1, or 1424.5,
not both.
   (f) All penalties collected by the department pursuant to this
section, Sections 1280.1, 1280.3, and 1280.4, shall be deposited into
the Internal Departmental Quality Improvement Account, which is
hereby created within the Special Deposit Fund under Section 16370 of
the Government Code. Upon appropriation by the Legislature, moneys
in the account shall be expended for internal quality improvement
activities in the Licensing and Certification Program.
   (g) If the licensee disputes a determination by the department
regarding a failure to prevent or failure to timely report unlawful
or unauthorized access to, or use or disclosure of, patients' medical
information, or the imposition of a penalty under this section, the
licensee may, within 10 days of receipt of the penalty assessment,
request a hearing pursuant to Section 131071. Penalties shall be paid
when appeals have been exhausted and the penalty has been upheld.
   (h) In lieu of disputing the determination of the department
regarding a failure to prevent or failure to timely report unlawful
or unauthorized access to, or use or disclosure of, patients' medical
information, transmit to the department 75 percent of the total
amount of the administrative penalty, for each violation, within 30
business days of receipt of the administrative penalty.
   (i) Notwithstanding any other law, the department may refer
violations of this section to the Office of Health Information
Integrity for enforcement pursuant to Section 130303.
   (j) For purposes of this section, the following definitions shall
apply:
   (1) "Reported event" means all breaches included in any single
report that is made pursuant to subdivision (b), regardless of the
number of breach events contained in the report.
   (2) "Unauthorized" means the inappropriate access, review, or
viewing of patient medical information without a direct need for
medical diagnosis, treatment, or other lawful use as permitted by the
Confidentiality of Medical Information Act (Part 2.6 (commencing
with Section 56) of Division 1 of the Civil Code) or any other
statute or regulation governing the lawful access, use, or disclosure
of medical information.
  SEC. 10.  Section 1348.5 is added to the Health and Safety Code, to
read:
   1348.5.  A health care service plan shall comply with the
provisions of Section 56.107 of the Civil Code to the extent required
by that section. To the extent this chapter conflicts with Section
56.107 of the Civil Code, the provisions of Section 56.107 of the
Civil Code shall control.
  SEC. 11.  Section 1627 of the Health and Safety Code is amended to
read:
   1627.  (a) (1) On or before July 1, 2011, the University of
California is requested to develop a plan to establish and administer
the Umbilical Cord Blood Collection Program for the purpose of
collecting units of umbilical cord blood for public use in
transplantation and providing nonclinical units for research
pertaining to biology and new clinical utilization of stem cells
derived from the blood and tissue of the placenta and umbilical cord.
The program shall conclude no later than January 1, 2018.
   (2) For purposes of this article, "public use" means both of the
following:
   (A) The collection of umbilical cord blood units from genetically
diverse donors that will be owned by the University of California.
This inventory shall be accessible by the National Registry and by
qualified California-based and other United States and international
registries and transplant centers to increase the likelihood of
providing suitably matched donor cord blood units to patients or
research participants who are in need of a transplant.
   (B) Cord blood units with a lower number of cells than deemed
necessary for clinical transplantation and units that meet clinical
requirements, but for other reasons are unsuitable, unlikely to be
transplanted, or otherwise unnecessary for clinical use, may be made
available for research.
   (b) (1) In order to implement the collection goals of this
program, the University of California may, commensurate with
available funds appropriated to the University of California for this
program, contract with one or more selected applicant entities that
have demonstrated the competence to collect and ship cord blood units
in compliance with federal guidelines and regulations.
   (2) It is the intent of the Legislature that, if the University of
California contracts with another entity pursuant to this
subdivision, the following shall apply:
   (A) The University of California may use a competitive process to
identify the best proposals submitted by applicant entities to
administer the collection and research objectives of the program, to
the extent that the University of California chooses not to undertake
these activities itself.
   (B) In order to qualify for selection under this section to
receive, process, cryopreserve, or bank cord blood units, the entity
shall, at a minimum, have obtained an investigational new drug (IND)
exemption from the FDA or a biologic license from the FDA, as
appropriate, to manufacture clinical grade cord blood stem cell units
for clinical indications.
   (C) In order to qualify to receive appropriate cord blood units
and placental tissue to advance the research goals of this program,
an entity shall, at a minimum, be a laboratory recognized as having
performed peer-reviewed research on stem and progenitor cells,
including those derived from placental or umbilical cord blood and
postnatal tissue.
   (3) A medical provider or research facility shall comply with, and
shall be subject to, existing penalties for violations of all
applicable state and federal laws with respect to the protection of
any medical information, as defined in Section 56.05 of the Civil
Code, and any personally identifiable information contained in the
umbilical cord blood inventory.
   (c) The University of California is encouraged to make every
effort to avoid duplication or conflicts with existing and ongoing
programs and to leverage existing resources.
   (d) (1) All information collected pursuant to the program shall be
confidential, and shall be used solely for the purposes of the
program, including research. Access to confidential information shall
be limited to authorized persons who are bound by appropriate
institutional policies or who otherwise agree, in writing, to
maintain the confidentiality of that information.
   (2) Any person who, in violation of applicable institutional
policies or a written agreement to maintain confidentiality,
discloses any information provided pursuant to this section, or who
uses information provided pursuant to this section in a manner other
than as approved pursuant to this section, may be denied further
access to any confidential information maintained by the University
of California, and shall be subject to a civil penalty not exceeding
one thousand dollars ($1,000). The penalty provided for in this
section shall not be construed to limit or otherwise restrict any
remedy, provisional or otherwise, provided by law for the benefit of
the University of California or any other person covered by this
section.
   (3) Notwithstanding the restrictions of this section, an
individual to whom the confidential information pertains shall have
access to his or her own personal information.
   (e) It is the intent of the Legislature that the plan and
implementation of the program provide for both of the following:
   (1) Limit fees for access to cord blood units to the reasonable
and actual costs of storage, handling, and providing units, as well
as for related services such as donor matching and testing of cord
blood and other programs and services typically provided by cord
blood banks and public use programs.
   (2) The submittal of the plan developed pursuant to subdivision
(a) to the health and fiscal committees of the Legislature.
   (f) It is additionally the intent of the Legislature that the plan
and implementation of the program attempt to provide for all of the
following:
   (1) Development of a strategy to increase voluntary participation
by hospitals in the collection and storage of umbilical cord blood
and identify funding sources to offset the financial impact on
hospitals.
   (2) Consideration of a medical contingency response program to
prepare for and respond effectively to biological, chemical, or
radiological attacks, accidents, and other public health emergencies
where victims potentially benefit from treatment.
   (3) Exploration of the feasibility of operating the program as a
self-funding program, including the potential for charging users a
reimbursement fee.
  SEC. 12.  Section 117705 of the Health and Safety Code is amended
to read:
   117705.  "Medical waste generator" means any person whose act or
process produces medical waste and includes, but is not limited to, a
provider of health care, as defined in Section 56.05 of the Civil
Code. All of the following are examples of businesses that generate
medical waste:
   (a)  Medical and dental offices, clinics, hospitals, surgery
centers, laboratories, research laboratories, unlicensed health
facilities, those facilities required to be licensed pursuant to
Division 2 (commencing with Section 1200), chronic dialysis clinics,
as regulated pursuant to Division 2 (commencing with Section 1200),
and education and research facilities.
   (b)  Veterinary offices, veterinary clinics, and veterinary
hospitals.
   (c)  Pet shops.
   (d)  Trauma scene waste management practitioners.
  SEC. 13.  Section 117928 of the Health and Safety Code is amended
to read:
   117928.  (a)  Any common storage facility for the collection of
medical waste produced by small quantity generators operating
independently, but sharing common storage facilities, shall have a
permit issued by the enforcement agency.
   (b)  A permit for any common storage facility specified in
subdivision (a) may be obtained by any one of the following:
   (1)  A provider of health care as defined in Section 56.05 of the
Civil Code.
   (2)  The registered hazardous waste transporter.
   (3)  The property owner.
   (4)  The property management firm responsible for providing tenant
services to the medical waste generators.
  SEC. 14.  Section 120985 of the Health and Safety Code is amended
to read:
   120985.  (a)  Notwithstanding Section 120980, the results of an
HIV test that identifies or provides identifying characteristics of
the person to whom the test results apply may be recorded by the
physician who ordered the test in the test subject's medical record
or otherwise disclosed without written authorization of the subject
of the test, or the subject's representative as set forth in Section
121020, to the test subject's providers of health care, as defined in
Section 56.05 of the Civil Code, for purposes of diagnosis, care, or
treatment of the patient, except that for purposes of this section,
"providers of health care" does not include a health care service
plan regulated pursuant to Chapter 2.2 (commencing with Section 1340)
of Division 2.
   (b)  Recording or disclosure of HIV test results pursuant to
subdivision (a) does not authorize further disclosure unless
otherwise permitted by law.
  SEC. 15.  Section 121010 of the Health and Safety Code is amended
to read:
   121010.  Notwithstanding Section 120975 or 120980, the results of
a blood test to detect antibodies to the probable causative agent of
AIDS may be disclosed to any of the following persons without written
authorization of the subject of the test:
   (a) To the subject of the test or the subject's legal
representative, conservator, or to any person authorized to consent
to the test pursuant to subdivision (b) of Section 120990.
   (b) To a test subject's provider of health care, as defined in
Section 56.05 of the Civil Code, except that for purposes of this
section, "provider of health care" does not include a health care
service plan regulated pursuant to Chapter 2.2 (commencing with
Section 1340) of Division 2.
   (c) To an agent or employee of the test subject's provider of
health care who provides direct patient care and treatment.
   (d) To a provider of health care who procures, processes,
distributes, or uses a human body part donated pursuant to the
Uniform Anatomical Gift Act (Chapter 3.5 (commencing with Section
7150) of Part 1 of Division 7).
   (e) (1) To the designated officer of an emergency response
employee, and from that designated officer to an emergency response
employee regarding possible exposure to HIV or AIDS, but only to the
extent necessary to comply with provisions of the Ryan White
Comprehensive AIDS Resources Emergency Act of 1990 (Public Law
101-381; 42 U.S.C. Sec. 201).
   (2) For purposes of this subdivision, "designated officer" and
"emergency response employee" have the same meaning as these terms
are used in the Ryan White Comprehensive AIDS Resources Emergency Act
of 1990 (Public Law 101-381; 42 U.S.C. Sec. 201).
   (3) The designated officer shall be subject to the confidentiality
requirements specified in Section 120980, and may be personally
liable for unauthorized release of any identifying information about
the HIV results. Further, the designated officer shall inform the
exposed emergency response employee that the employee is also subject
to the confidentiality requirements specified in Section 120980, and
may be personally liable for unauthorized release of any identifying
information about the HIV test results.
  SEC. 16.  Section 130201 of the Health and Safety Code is amended
to read:
   130201.  For purposes of this division, the following definitions
apply:
   (a) "Director" means the Director of the Office of Health
Information Integrity.
   (b) "Medical information" means the term as defined in Section
56.05 of the Civil Code.
   (c) "Office" means the Office of Health Information Integrity.
   (d) "Provider of health care" means the term as defined in
Sections 56.05 and 56.06 of the Civil Code.
   (e) "Unauthorized access" means the inappropriate review or
viewing of patient medical information without a direct need for
diagnosis, treatment, or other lawful use as permitted by the
Confidentiality of Medical Information Act (Part 2.6 (commencing with
Section 56) of Division 1 of the Civil Code) or by other statutes or
regulations governing the lawful access, use, or disclosure of
medical information.
  SEC. 17.  Section 791.02 of the Insurance Code is amended to read:
   791.02.  As used in this act:
   (a) (1) "Adverse underwriting decision" means any of the following
actions with respect to insurance transactions involving insurance
coverage that is individually underwritten:
   (A) A declination of insurance coverage.
   (B) A termination of insurance coverage.
   (C) Failure of an agent to apply for insurance coverage with a
specific insurance institution that the agent represents and that is
requested by an applicant.
   (D) In the case of a property or casualty insurance coverage:
   (i) Placement by an insurance institution or agent of a risk with
a residual market mechanism, with an unauthorized insurer, or with an
insurance institution that provides insurance to other than
preferred or standard risks, if in fact the placement is at other
than a preferred or standard rate. An adverse underwriting decision,
in case of placement with an insurance institution that provides
insurance to other than preferred or standard risks, shall not
include placement if the applicant or insured did not specify or
apply for placement as a preferred or standard risk or placement with
a particular company insuring preferred or standard risks, or
   (ii) The charging of a higher rate on the basis of information
which differs from that which the applicant or policyholder
furnished.
   (E) In the case of a life, health, or disability insurance
coverage, an offer to insure at higher than standard rates.
   (2) Notwithstanding paragraph (1), any of the following actions
shall not be considered adverse underwriting decisions but the
insurance institution or agent responsible for their occurrence shall
nevertheless provide the applicant or policyholder with the specific
reason or reasons for their occurrence:
   (A) The termination of an individual policy form on a class or
statewide basis.
   (B) A declination of insurance coverage solely because coverage is
not available on a class or statewide basis.
   (C) The rescission of a policy.
   (b) "Affiliate" or "affiliated" means a person that directly, or
indirectly through one or more intermediaries, controls, is
controlled by or is under common control with another person.
   (c) "Agent" means any person licensed pursuant to Chapter 5
(commencing with Section 1621), Chapter 5A (commencing with Section
1759), Chapter 6 (commencing with Section 1760), Chapter 7
(commencing with Section 1800), or Chapter 8 (commencing with Section
1831).
   (d) "Applicant" means any person who seeks to contract for
insurance coverage other than a person seeking group insurance that
is not individually underwritten.
   (e) "Consumer report" means any written, oral, or other
communication of information bearing on a natural person's
creditworthiness, credit standing, credit capacity, character,
general reputation, personal characteristics, or mode of living that
is used or expected to be used in connection with an insurance
transaction.
   (f) "Consumer reporting agency" means any person who:
   (1) Regularly engages, in whole or in part, in the practice of
assembling or preparing consumer reports for a monetary fee.
   (2) Obtains information primarily from sources other than
insurance institutions.
   (3) Furnishes consumer reports to other persons.
   (g) "Control," including the terms "controlled by" or "under
common control with," means the possession, direct or indirect, of
the power to direct or cause the direction of the management and
policies of a person, whether through the ownership of voting
securities, by contract other than a commercial contract for goods or
nonmanagement services, or otherwise, unless the power is the result
of an official position with or corporate office held by the person.
   (h) "Declination of insurance coverage" means a denial, in whole
or in part, by an insurance institution or agent of requested
insurance coverage.
   (i) "Individual" means any natural person who is any of the
following:
   (1) In the case of property or casualty insurance, is a past,
present, or proposed named insured or certificate holder.
   (2) In the case of life or disability insurance, is a past,
present, or proposed principal insured or certificate holder.
   (3) Is a past, present, or proposed policyowner.
   (4) Is a past or present applicant.
   (5) Is a past or present claimant.
   (6) Derived, derives, or is proposed to derive insurance coverage
under an insurance policy or certificate subject to this act.
   (j) "Institutional source" means any person or governmental entity
that provides information about an individual to an agent, insurance
institution, or insurance-support organization, other than any of
the following:
   (1) An agent.
   (2) The individual who is the subject of the information.
   (3) A natural person acting in a personal capacity rather than in
a business or professional capacity.
   (k) "Insurance institution" means any corporation, association,
partnership, reciprocal exchange, interinsurer, Lloyd's insurer,
fraternal benefit society, or other person engaged in the business of
insurance. "Insurance institution" shall not include agents,
insurance-support organizations, or health care service plans
regulated pursuant to the Knox-Keene Health Care Service Plan Act,
Chapter 2.2 (commencing with Section 1340) of Division 2 of the
Health and Safety Code.
   (  l  ) "Insurance-support organization" means:
   (1) Any person who regularly engages, in whole or in part, in the
business of assembling or collecting information about natural
persons for the primary purpose of providing the information to an
insurance institution or agent for insurance transactions, including
either of the following:
   (A) The furnishing of consumer reports or investigative consumer
reports to an insurance institution or agent for use in connection
with an insurance transaction.
   (B) The collection of personal information from insurance
institutions, agents, or other insurance-support organizations for
the purpose of detecting or preventing fraud, material
misrepresentation or material nondisclosure in connection with
insurance underwriting or insurance claim activity.
   (2) Notwithstanding paragraph (1), the following persons shall not
be considered "insurance-support organizations": agents,
governmental institutions, insurance institutions, medical care
institutions, medical professionals, and peer review committees.
   (m) "Insurance transaction" means any transaction involving
insurance primarily for personal, family, or household needs rather
than business or professional needs that entails either of the
following:
   (1) The determination of an individual's eligibility for an
insurance coverage, benefit, or payment.
   (2) The servicing of an insurance application, policy, contract,
or certificate.
   (n) "Investigative consumer report" means a consumer report or
portion thereof in which information about a natural person's
character, general reputation, personal characteristics, or mode of
living is obtained through personal interviews with the person's
neighbors, friends, associates, acquaintances, or others who may have
knowledge concerning those items of information.
   (o) "Medical care institution" means any facility or institution
that is licensed to provide health care services to natural persons,
including but not limited to, hospitals, skilled nursing facilities,
home health agencies, medical clinics, rehabilitation agencies, and
public health agencies.
   (p) "Medical professional" means any person licensed or certified
to provide health care services to natural persons, including but not
limited to, a physician, dentist, nurse, optometrist, physical or
occupational therapist, psychiatric social worker, clinical
dietitian, clinical psychologist, chiropractor, pharmacist, or speech
therapist.
   (q) "Medical record information" means personal information that
is both of the following:
   (1) Relates to an individual's physical or mental condition,
medical history or medical treatment.
   (2) Is obtained from a medical professional or medical care
institution, from the individual, or from the individual's spouse,
parent, or legal guardian.
   (r) "Person" means any natural person, corporation, association,
partnership, limited liability company, or other legal entity.
   (s) "Personal information" means any individually identifiable
information gathered in connection with an insurance transaction from
which judgments can be made about an individual's character, habits,
avocations, finances, occupation, general reputation, credit,
health, or any other personal characteristics. "Personal information"
includes an individual's name and address and "medical record
information" but does not include "privileged information."
   (t) "Policyholder" means any person who is any of the following:
   (1) In the case of individual property or casualty insurance, is a
present named insured.
   (2) In the case of individual life or disability insurance, is a
present policyowner.
   (3) In the case of group insurance, which is individually
underwritten, is a present group certificate holder.
   (u) "Pretext interview" means an interview whereby a person, in an
attempt to obtain information about a natural person, performs one
or more of the following acts:
   (1) Pretends to be someone he or she is not.
   (2) Pretends to represent a person he or she is not in fact
representing.
   (3) Misrepresents the true purpose of the interview.
   (4) Refuses to identify himself or herself upon request.
   (v) "Privileged information" means any individually identifiable
information that both:
   (1) Relates to a claim for insurance benefits or a civil or
criminal proceeding involving an individual.
   (2) Is collected in connection with or in reasonable anticipation
of a claim for insurance benefits or civil or criminal proceeding
involving an individual. However, information otherwise meeting the
requirements of this division shall nevertheless be considered
"personal information" under this act if it is disclosed in violation
of Section 791.13.
   (w) "Residual market mechanism" means the California FAIR Plan
Association, Chapter 10 (commencing with Section 10101) of Part 1 of
Division 2, and the assigned risk plan, Chapter 1 (commencing with
Section 11550) of Part 3 of Division 2.
   (x) "Termination of insurance coverage" or "termination of an
insurance policy" means either a cancellation or nonrenewal of an
insurance policy, in whole or in part, for any reason other than the
failure to pay a premium as required by the policy.
   (y) "Unauthorized insurer" means an insurance institution that has
not been granted a certificate of authority by the director to
transact the business of insurance in this state.
   (z) "Commissioner" means the Insurance Commissioner.
   (aa) "Confidential communications request" means a request by an
insured covered under a health insurance policy that insurance
communications containing medical information be communicated to him
or her at a specific mail or email address or specific telephone
number, as designated by the insured.
   (ab) "Endanger" means that the insured covered under a health
insurance policy fears that the disclosure of his or her medical
information could subject the insured covered under a health
insurance policy to harassment or abuse.
   (ac) "Sensitive services" means all health care services described
in Sections 6924, 6925, 6926, 6927, 6928, and 6929 of the Family
Code, and Sections 121020 and 124260 of the Health and Safety Code,
obtained by a patient of any age at or above the minimum age
specified for consenting to the service specified in the section.
   (ad) "Medical information" means any individually identifiable
information, in electronic or physical form, in possession of or
derived from a provider of health care, health insurer,
pharmaceutical company, or contractor regarding a patient's medical
history, mental or physical condition, or treatment. "Individually
identifiable" means that the medical information includes or contains
any element of personal identifying information sufficient to allow
identification of the individual, such as the patient's name,
address, electronic mail address, telephone number, or social
security number, or other information that, alone or in combination
with other publicly available information, reveals the individual's
identity.
  SEC. 18.  Section 791.29 is added to the Insurance Code, to read:
   791.29.  (a) Notwithstanding any other law, and to the extent
permitted by federal law, a health insurer shall take the following
steps to protect the confidentiality of an insured's medical
information on and after January 1, 2015:
   (1) A health insurer shall permit an insured to request, and shall
accommodate requests for, communication in the form and format
requested by the individual, if it is readily producible in the
requested form and format, or at alternative locations, if the
insured clearly states either that the communication discloses
medical information or provider name and address relating to receipt
of sensitive services or that disclosure of all or part of the
medical information or provider name and address could endanger him
or her.
   (2) A health insurer may require the insured to make a request for
a confidential communication described in paragraph (1) in writing
or by electronic transmission.
   (3) A health insurer may require that a confidential
communications request contain a statement that the request pertains
to either medical information related to the receipt of sensitive
services or that disclosure of all or part of the medical information
could endanger the insured. The health insurer shall not require an
explanation as to the basis for an insured's statement that disclosure
could endanger the insured.
   (4) The confidential communication request shall be valid until
the insured submits a revocation of the request, or a new
confidential communication request is submitted.
   (5) For the purposes of this section, a confidential
communications request must be implemented by the health insurer
within seven calendar days of the receipt of an electronic
transmission or telephonic request or within 14 calendar days of
receipt by first-class mail. The health insurer shall acknowledge
receipt of the confidential communications request and advise the
insured of the status of implementation of the request if an insured
contacts the insurer.
   (b) Notwithstanding subdivision (a), a provider of health care may
make arrangements with the insured for the payment of benefit cost
sharing and communicate that arrangement with the insurer.
   (c) A health insurer shall not condition coverage on the waiver of
rights provided in this section.
  SEC. 19.  Section 3208.05 of the Labor Code is amended to read:
   3208.05.  (a) "Injury" includes a reaction to or a side
effect arising from health care provided by an employer to a health
care worker, which health care is intended to prevent the development
or manifestation of any bloodborne disease, illness, syndrome, or
condition recognized as occupationally incurred by Cal-OSHA, the
federal Centers for Disease Control and Prevention, or other
appropriate governmental entities. This section shall apply only to
preventive health care that the employer provided to a health care
worker under the following circumstances: (1) prior to an exposure
because of risk of occupational exposure to such a disease, illness,
syndrome, or condition, or (2) where the preventive care is provided
as a consequence of a documented exposure to blood or bodily fluid
containing blood that arose out of and in the course of employment.
Such a disease, illness, syndrome, or condition includes, but is not
limited to, hepatitis, and the human immunodeficiency virus. Such
preventive health care, and any disability indemnity or other
benefits required as a result of the preventive health care provided
by the employer, shall be compensable under the workers' compensation
system. The employer may require the health care worker to document
that the employer provided the preventive health care and that the
reaction or side effects arising from the preventive health care
resulted in lost work time, health care costs, or other costs
normally compensable under workers' compensation.
   (b) The benefits of this section shall not be provided to a health
care worker for a reaction to or side effect from health care
intended to prevent the development of the human immunodeficiency
virus if the worker claims a work-related exposure and if the worker
tests positive within 48 hours of that exposure to a test to
determine the presence of the human immunodeficiency virus.
   (c) For purposes of this section, "health care worker" includes
any person who is an employee of a provider of health care as defined
in Section 56.05 of the Civil Code, and who is exposed to human
blood or other bodily fluids contaminated with blood in the course of
employment, including, but not limited to, a registered nurse, a
licensed vocational nurse, a certified nurse aide, clinical
laboratory technologist, dental hygienist, physician, janitor, and
housekeeping worker. "Health care worker" does not include an
employee who provides employee health services for an employer
primarily engaged in a business other than providing health care.
  SEC. 20.  Section 3762 of the Labor Code is amended to read:
   3762.  (a) Except as provided in subdivisions (b) and (c), the
insurer shall discuss all elements of the claim file that affect the
employer's premium with the employer, and shall supply copies of the
documents that affect the premium at the employer's expense during
reasonable business hours.
   (b) The right provided by this section shall not extend to any
document that the insurer is prohibited from disclosing to the
employer under the attorney-client privilege, any other applicable
privilege, or statutory prohibition upon disclosure, or under Section
1877.4 of the Insurance Code.
   (c) An insurer, third-party administrator retained by a
self-insured employer pursuant to Section 3702.1 to administer the
employer's workers' compensation claims, and those employees and
agents specified by a self-insured employer to administer the
employer's workers' compensation claims, are prohibited from
disclosing or causing to be disclosed to an employer, any medical
information, as defined in Section 56.05 of the Civil Code, about an
employee who has filed a workers' compensation claim, except as
follows:
   (1) Medical information limited to the diagnosis of the mental or
physical condition for which workers' compensation is claimed and the
treatment provided for this condition.
   (2) Medical information regarding the injury for which workers'
compensation is claimed that is necessary for the employer to have in
order for the employer to modify the employee's work duties.
  SEC. 21.  Section 5406.6 of the Labor Code is amended to read:
   5406.6.  (a) In the case of the death of a health care worker, a
worker described in Section 3212, or a worker described in Section
830.5 of the Penal Code from an HIV-related disease, the period
within which proceedings may be commenced for the collection of
benefits provided by Article 4 (commencing with Section 4700) of
Chapter 2 of Part 2 is one year from the date of death, providing
that one or more of the following events has occurred:
   (1) A report of the injury or exposure was made to the employer or
to a governmental agency authorized to administer industrial injury
claims, within one year of the date of the injury.
   (2) The worker has complied with the notice provisions of this
chapter and the claim has not been finally determined to be
noncompensable.
   (3) The employer provided, or was ordered to provide, workers'
compensation benefits for the injury prior to the date of death.
   (b) For the purposes of this section, "health care worker" means
an employee who has direct contact, in the course of his or her
employment, with blood or other bodily fluids contaminated with
blood, or with other bodily fluids identified by the Division of
Occupational Safety and Health as capable of transmitting HIV, who is
either (1) any person who is an employee of a provider of health
care, as defined in Section 56.05 of the Civil Code, including, but
not limited to, a registered nurse, licensed vocational nurse,
certified nurse aide, clinical laboratory technologist, dental
hygienist, physician, janitor, or housekeeping worker, or (2) an
employee who provides direct patient care.
  SEC. 22.  No reimbursement is required by this act pursuant to
Section 6 of Article XIII B of the California Constitution because
the only costs that may be incurred by a local agency or school
district will be incurred because this act creates a new crime or
infraction, eliminates a crime or infraction, or changes the penalty
for a crime or infraction, within the meaning of Section 17556 of the
Government Code, or changes the definition of a crime within the
meaning of Section 6 of Article XIII B of the California
Constitution.