Bill Text: CA SB138 | 2013-2014 | Regular Session | Amended

NOTE: There are more recent revisions of this legislation.
Bill Title: Confidentiality of medical information.

Spectrum: Partisan Bill (Democrat 3-0)

Status: (Passed) 2013-10-01 - Chaptered by Secretary of State. Chapter 444, Statutes of 2013.

BILL NUMBER: SB 138	AMENDED
	BILL TEXT

	AMENDED IN SENATE  APRIL 8, 2013
	AMENDED IN SENATE  MARCH 13, 2013

INTRODUCED BY   Senator Hernandez
   (Coauthors: Senators DeSaulnier and Leno)

                        JANUARY 28, 2013

   An act to amend Sections 56.05, 56.104, and 56.16 of, and to add
Section 56.107 to, the Civil Code, to amend Sections 1280.15, 1627,
117928, 120985, 121010, and 130201 of the Health and Safety Code,
to add Section 791.29 to the Insurance Code, and to
amend Section 3208.05 of the Labor Code, relating to medical
information.


	LEGISLATIVE COUNSEL'S DIGEST


   SB 138, as amended, Hernandez. Confidentiality of medical
information.
   Existing federal law, the Health Insurance Portability and
Accountability Act of 1996 (HIPAA), establishes certain requirements
relating to the provision of health insurance, and the protection of
privacy of individually identifiable health information.
   Existing state law, the Confidentiality of Medical Information
Act, provides that medical information, as defined, may not be
disclosed by providers of health care, health care service plans, or
contractors, as defined, without the patient's written authorization,
subject to certain exceptions, including disclosure to a probate
court investigator, as specified. A violation of the act resulting in
economic loss or personal injury to a patient is a misdemeanor and
subjects the violating party to liability for specified damages and
administrative fines and penalties. The act defines various terms
relevant to its implementation.
   This bill would declare the intent of the Legislature to
incorporate HIPAA standards into state law and to clarify standards
for protecting the confidentiality of medical information in
insurance transactions. The bill would define additional terms in
connection with maintaining the confidentiality of this information,
including an "authorization for insurance communications," which an
insured individual may submit for the purpose of specifying
disclosable medical information and insurance transactions, and
permissible recipients.
   This bill would specify the manner in which a health care service
plan or health insurer would be required to maintain confidentiality
of information regarding the treatment of insured individuals less
than 26 years of age who are insured as dependents on another person's
policy, the treatment of an insured individual involving sensitive
services, as defined, or situations in which disclosure would
endanger the insured individual, as defined.
   This bill would specifically authorize a provider of health care
to communicate information regarding benefit cost-sharing
arrangements to the health care service plan or health insurer, as
specified.
   This bill would also prohibit the health care service plan or
health insurer from conditioning enrollment in the plan or
eligibility for benefits on the provision of an authorization for
insurance communications. The bill also would make conforming
technical changes. By expanding the scope of a crime, the bill would
create a state-mandated local program. 
   Existing state law, the Insurance Information and Privacy
Protection Act, generally regulates how insurers collect, use, and
disclose information gathered in connection with insurance
transactions.  
   This bill would specify that a health insurer, as defined, shall
comply with the requirements of the Confidentiality of Medical
Information Act, if that act conflicts with the Insurance Information
and Privacy Protection Act. 
   The California Constitution requires the state to reimburse local
agencies and school districts for certain costs mandated by the
state. Statutory provisions establish procedures for making that
reimbursement.
   This bill would provide that no reimbursement is required by this
act for a specified reason.
   Vote: majority. Appropriation: no. Fiscal committee: yes.
State-mandated local program: yes.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  SECTION 1.  The Legislature finds and declares all of the
following:
   (a) Privacy is a fundamental right of all Californians, protected
by the California Constitution, the federal Health Insurance
Portability and Accountability Act (HIPAA; Public Law 104-191), and
the Confidentiality of Medical Information Act, Part 2.6 (commencing
with Section 56) of Division 1 of the Civil Code.
   (b) Implementation of the recently enacted federal Patient
Protection and Affordable Care Act (Public Law 111-148) will expand
the number of individuals insured as dependents on a health insurance
policy held in another person's name, including adult children under
26 years of age insured on a parent's insurance policy.
   (c) HIPAA explicitly protects the confidentiality of medical care
obtained by dependents insured under a health insurance policy held
by another person.
   (d) Therefore, it is the intent of the Legislature in enacting
this act to incorporate HIPAA standards into state law and to clarify
the standards for protecting the confidentiality of medical
information in insurance transactions.
  SEC. 2.  Section 56.05 of the Civil Code is amended to read:
   56.05.  For purposes of this part:
   (a) "Authorization" means permission granted in accordance with
Section 56.11 or 56.21 for the disclosure of medical information.
   (b) "Authorization for insurance communications" means permission
from the individual, that meets the requirements of subdivisions (a)
to (c), inclusive, of Section 56.11, specifying the medical
information and insurance transactions that may be disclosed and the
identity of the people to whom disclosures are permitted as part of
an insurance communication.
   (c) "Authorized recipient" means any person who is authorized to
receive medical information pursuant to Section 56.10 or 56.20.
   (d) "Confidential communications request" means a request by an
insured individual that insurance communications be communicated by a
specific method, such as by telephone, email, or in a covered
envelope rather than postcard, or to a specific mail or email address
or specific telephone number, as designated by the insured
individual.
   (e) "Contractor" means any person or entity that is a medical
group, independent practice association, pharmaceutical benefits
manager, or a medical service organization and is not a health care
service plan or provider of health care. "Contractor" does not
include insurance institutions as defined in subdivision (k) of
Section 791.02 of the Insurance Code or pharmaceutical benefits
managers licensed pursuant to the Knox-Keene Health Care Service Plan
Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division
2 of the Health and Safety Code).
   (f) "Endanger" means that the insured individual fears harassment
or abuse resulting from an insurance communication sufficient to
deter the patient from obtaining health care absent confidentiality.
   (g) "Health care service plan" means any entity regulated pursuant
to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2
(commencing with Section 1340) of Division 2 of the Health and Safety
Code).
   (h) "Health insurer" means an entity that issues health insurance,
as defined in subdivision (b) of Section 106 of the Insurance Code.
   (i) "Insured individual" means a person entitled to coverage under
a health care service plan or health insurer, including the
policyholder and dependents.
   (j) "Insurance communication" means any communication from the
health care service plan or health insurer to policyholders or
insured individuals that discloses individually identifiable medical
information. Insurance communication includes, but is not limited to,
explanation of benefits forms, scheduling information, notices of
denial, and notices of contested claims.
   (k) "Licensed health care professional" means any person licensed
or certified pursuant to Division 2 (commencing with Section 500) of
the Business and Professions Code, the Osteopathic Initiative Act or
the Chiropractic Initiative Act, or Division 2.5 (commencing with
Section 1797) of the Health and Safety Code.
   (l) "Marketing" means to make a communication about a product or
service that encourages recipients of the communication to purchase
or use the product or service.
   "Marketing" does not include any of the following:
   (1) Communications made orally or in writing for which the
communicator does not receive direct or indirect remuneration,
including, but not limited to, gifts, fees, payments, subsidies, or
other economic benefits, from a third party for making the
communication.
   (2) Communications made to current enrollees solely for the
purpose of describing a provider's participation in an existing
health care provider network or health plan network of a Knox-Keene
licensed health plan to which the enrollees already subscribe;
communications made to current enrollees solely for the purpose of
describing if, and the extent to which, a product or service, or
payment for a product or service, is provided by a provider,
contractor, or plan or included in a plan of benefits of a Knox-Keene
licensed health plan to which the enrollees already subscribe; or
communications made to plan enrollees describing the availability of
more cost-effective pharmaceuticals.
   (3) Communications that are tailored to the circumstances of a
particular individual to educate or advise the individual about
treatment options, and otherwise maintain the individual's adherence
to a prescribed course of medical treatment, as provided in Section
1399.901 of the Health and Safety Code, for a chronic and seriously
debilitating or life-threatening condition as defined in subdivisions
(d) and (e) of Section 1367.21 of the Health and Safety Code, if the
health care provider, contractor, or health plan receives direct or
indirect remuneration, including, but not limited to, gifts, fees,
payments, subsidies, or other economic benefits, from a third party
for making the communication, if all of the following apply:
   (A) The individual receiving the communication is notified in the
communication in typeface no smaller than 14-point type of the fact
that the provider, contractor, or health plan has been remunerated
and the source of the remuneration.
   (B) The individual is provided the opportunity to opt out of
receiving future remunerated communications.
   (C) The communication contains instructions in typeface no smaller
than 14-point type describing how the individual can opt out of
receiving further communications by calling a toll-free number of the
health care provider, contractor, or health plan making the
remunerated communications. No further communication may be made to
an individual who has opted out after 30 calendar days from the date
the individual makes the opt out request.
   (m) "Medical information" means any individually identifiable
information, in electronic or physical form, in possession of or
derived from a provider of health care, health care service plan,
pharmaceutical company, or contractor regarding a patient's medical
history, mental or physical condition, or treatment. "Individually
identifiable" means that the medical information includes or contains
any element of personal identifying information sufficient to allow
identification of the individual, such as the patient's name,
address, electronic mail address, telephone number, or social
security number, or other information that, alone or in combination
with other publicly available information, reveals the individual's
identity.
   (n) "Nondisclosure request" means a written request to withhold
insurance communications that includes the insured individual's name
and address, description of the medical or other information that
should not be disclosed, identity of the persons from whom
information shall be withheld, and contact information for the
individual for additional information or clarification necessary to
satisfy the request.
   (o) "Patient" means any natural person, whether or not still
living, who received health care services from a provider of health
care and to whom medical information pertains.
   (p) "Pharmaceutical company" means any company or business, or an
agent or representative thereof, that manufactures, sells, or
distributes pharmaceuticals, medications, or prescription drugs.
"Pharmaceutical company" does not include a pharmaceutical benefits
manager, as included in subdivision (c), or a provider of health
care.
   (q) "Provider of health care" means any person licensed or
certified pursuant to Division 2 (commencing with Section 500) of the
Business and Professions Code; any person licensed pursuant to the
Osteopathic Initiative Act or the Chiropractic Initiative Act; any
person certified pursuant to Division 2.5 (commencing with Section
1797) of the Health and Safety Code; any clinic, health dispensary,
or health facility licensed pursuant to Division 2 (commencing with
Section 1200) of the Health and Safety Code. "Provider of health care"
does not include insurance institutions as defined in subdivision
(k) of Section 791.02 of the Insurance Code.
   (r) "Sensitive services" means all health care services described
in Sections 6924, 6925, 6926, 6927, 6928, and 6929 of the Family
Code, and Sections 121020 and 124260 of the Health and Safety Code,
obtained by any patient who has reached the minimum age specified for
consenting to the service specified in the section, including
patients 18 years of age and older.
  SEC. 3.  Section 56.104 of the Civil Code is amended to read:
   56.104.  (a) Notwithstanding subdivision (c) of Section 56.10,
except as provided in subdivision (e), no provider of health care,
health care service plan, or contractor may release medical
information to persons or entities who have requested that
information and who are authorized by law to receive that information
pursuant to subdivision (c) of Section 56.10, if the requested
information specifically relates to the patient's participation in
outpatient treatment with a psychotherapist, unless the person or
entity requesting that information submits to the patient pursuant to
subdivision (b) and to the provider of health care, health care
service plan, or contractor a written request, signed by the person
requesting the information or an authorized agent of the entity
requesting the information, that includes all of the following:
   (1) The specific information relating to a patient's participation
in outpatient treatment with a psychotherapist being requested and
its specific intended use or uses.
   (2) The length of time during which the information will be kept
before being destroyed or disposed of. A person or entity may extend
that timeframe, provided that the person or entity notifies the
provider, plan, or contractor of the extension. Any notification of
an extension shall include the specific reason for the extension, the
intended use or uses of the information during the extended time,
and the expected date of the destruction of the information.
   (3) A statement that the information will not be used for any
purpose other than its intended use.
   (4) A statement that the person or entity requesting the
information will destroy the information and all copies in the person's
or entity's possession or control, will cause it to be destroyed,
or will return the information and all copies of it before or
immediately after the length of time specified in paragraph (2) has
expired.
   (b) The person or entity requesting the information shall submit a
copy of the written request required by this section to the patient
within 30 days of receipt of the information requested, unless the
patient has signed a written waiver in the form of a letter signed
and submitted by the patient to the provider of health care or health
care service plan waiving notification.
   (c) For purposes of this section, "psychotherapist" means a person
who is both a "psychotherapist" as defined in Section 1010 of the
Evidence Code and a "provider of health care" as defined in Section
56.05.
   (d) This section does not apply to the disclosure or use of
medical information by a law enforcement agency or a regulatory
agency when required for an investigation of unlawful activity or for
licensing, certification, or regulatory purposes, unless the
disclosure is otherwise prohibited by law.
   (e) This section shall not apply to any of the following:
   (1) Information authorized to be disclosed pursuant to paragraph
(1) of subdivision (c) of Section 56.10.
   (2) Information requested from a psychotherapist by law
enforcement or by the target of the threat subsequent to a disclosure
by that psychotherapist authorized by paragraph (19) of subdivision
(c) of Section 56.10, in which the additional information is clearly
necessary to prevent the serious and imminent threat disclosed under
that paragraph.
   (3) Information disclosed by a psychotherapist pursuant to
paragraphs (14) and (22) of subdivision (c) of Section 56.10 and
requested by an agency investigating the abuse reported pursuant to
those paragraphs.
   (f) Nothing in this section shall be construed to grant any
additional authority to a provider of health care, health care
service plan, or contractor to disclose information to a person or
entity without the patient's consent.
  SEC. 4.  Section 56.107 is added to the Civil Code, to read:
   56.107.  (a) Notwithstanding any other law, and to the extent
permitted by federal law, a health care service plan or health
insurer shall take the following steps to protect the confidentiality
of an insured individual's medical information as follows:
   (1) A health care service plan or health insurer shall not send
insurance communications relating to sensitive services:
   (A) Unless the health care service plan or health insurer has
received an authorization for insurance communications from an
insured individual who is under 26 years of age and insured as a
dependent on another person's insurance policy.
   (B) For an insured individual to whom subparagraph (A) does not
apply, if that insured individual has submitted a nondisclosure
request.
   (2) A health care service plan or health insurer shall comply with
a confidential communications request regarding sensitive services
from an insured individual.
   (3) A health care service plan or health insurer shall comply with
a nondisclosure request or a confidential communications request
from an insured individual who states that disclosure of medical
information will endanger the
individual, and shall not require an explanation as to the basis for
the insured individual's statement that disclosure will endanger the
individual.
   (b) Notwithstanding subdivision (a), the provider of health care
may make arrangements with the insured individual for the payment of
benefit cost sharing and communicate that arrangement with the health
care service plan or health insurer.
   (c) A health care service plan or health insurer shall not
condition enrollment or coverage in the health plan or health
insurance policy or eligibility for benefits on the provision of an
authorization for insurance communications.
  SEC. 5.  Section 56.16 of the Civil Code is amended to read:
   56.16.  For disclosures not addressed by Section 56.1007, unless
there is a specific written request by the patient to the contrary,
nothing in this part shall be construed to prevent a general acute
care hospital, as defined in subdivision (a) of Section 1250 of the
Health and Safety Code, upon an inquiry concerning a specific
patient, from releasing at its discretion any of the following
information: the patient's name, address, age, and sex; a general
description of the reason for treatment (whether an injury, a burn,
poisoning, or some unrelated condition); the general nature of the
injury, burn, poisoning, or other condition; the general condition of
the patient; and any information that is not medical information as
defined in Section 56.05.
  SEC. 6.  Section 1280.15 of the Health and Safety Code is amended
to read:
   1280.15.  (a) A clinic, health facility, home health agency, or
hospice licensed pursuant to Section 1204, 1250, 1725, or 1745 shall
prevent unlawful or unauthorized access to, and use or disclosure of,
patients' medical information, as defined in Section 56.05 of the
Civil Code and consistent with Section 130203. For purposes of this
section, internal paper records, electronic mail, or facsimile
transmissions inadvertently misdirected within the same facility or
health care system within the course of coordinating care or
delivering services shall not constitute unauthorized access to, or
use or disclosure of, a patient's medical information. The
department, after investigation, may assess an administrative penalty
for a violation of this section of up to twenty-five thousand
dollars ($25,000) per patient whose medical information was
unlawfully or without authorization accessed, used, or disclosed, and
up to seventeen thousand five hundred dollars ($17,500) per
subsequent occurrence of unlawful or unauthorized access, use, or
disclosure of that patient's
medical information. For purposes of the investigation, the
department shall consider the clinic's, health facility's, agency's,
or hospice's history of compliance with this section and other
related state and federal statutes and regulations, the extent to
which the facility detected violations and took preventative action
to immediately correct and prevent past violations from recurring,
and factors outside its control that restricted the facility's
ability to comply with this section. The department shall have full
discretion to consider all factors when determining the amount of an
administrative penalty pursuant to this section.
   (b) (1) A clinic, health facility, home health agency, or hospice
to which subdivision (a) applies shall report any unlawful or
unauthorized access to, or use or disclosure of, a patient's medical
information to the department no later than five business days after
the unlawful or unauthorized access, use, or disclosure has been
detected by the clinic, health facility, home health agency, or
hospice.
   (2) Subject to subdivision (c), a clinic, health facility, home
health agency, or hospice shall also report any unlawful or
unauthorized access to, or use or disclosure of, a patient's medical
information to the affected patient or the patient's representative
at the last known address, no later than five business days after the
unlawful or unauthorized access, use, or disclosure has been
detected by the clinic, health facility, home health agency, or
hospice.
   (c) (1) A clinic, health facility, home health agency, or hospice
shall delay the reporting, as required pursuant to paragraph (2) of
subdivision (b), of any unlawful or unauthorized access to, or use or
disclosure of, a patient's medical information beyond five business
days if a law enforcement agency or official provides the clinic,
health facility, home health agency, or hospice with a written or
oral statement that compliance with the reporting requirements of
paragraph (2) of subdivision (b) would likely impede the law
enforcement agency's investigation that relates to the unlawful or
unauthorized access to, and use or disclosure of, a patient's medical
information and specifies a date upon which the delay shall end, not
to exceed 60 days after a written request is made, or 30 days after
an oral request is made. A law enforcement agency or official may
request an extension of a delay based upon a written declaration that
there exists a bona fide, ongoing, significant criminal
investigation of serious wrongdoing relating to the unlawful or
unauthorized access to, and use or disclosure of, a patient's medical
information, that notification of patients will undermine the law
enforcement agency's investigation, and that specifies a date upon
which the delay shall end, not to exceed 60 days after the end of the
original delay period.
   (2) If the statement of the law enforcement agency or official is
made orally, then the clinic, health facility, home health agency, or
hospice shall do both of the following:
   (A) Document the oral statement, including, but not limited to,
the identity of the law enforcement agency or official making the
oral statement and the date upon which the oral statement was made.
   (B) Limit the delay in reporting the unlawful or unauthorized
access to, or use or disclosure of, the patient's medical information
to the date specified in the oral statement, not to exceed 30
calendar days from the date that the oral statement is made, unless a
written statement that complies with the requirements of this
subdivision is received during that time.
   (3) A clinic, health facility, home health agency, or hospice
shall submit a report that is delayed pursuant to this subdivision
not later than five business days after the date designated as the
end of the delay.
   (d) If a clinic, health facility, home health agency, or hospice
to which subdivision (a) applies violates subdivision (b), the
department may assess the licensee a penalty in the amount of one
hundred dollars ($100) for each day that the unlawful or unauthorized
access, use, or disclosure is not reported to the department or the
affected patient, following the initial five-day period specified in
subdivision (b). However, the total combined penalty assessed by the
department under subdivision (a) and this subdivision shall not
exceed two hundred fifty thousand dollars ($250,000) per reported
event. For enforcement purposes, it shall be presumed that the
facility did not notify the affected patient if the notification was
not documented. This presumption may be rebutted by a licensee only
if the licensee demonstrates, by a preponderance of the evidence,
that the notification was made.
   (e) In enforcing subdivisions (a) and (d), the department shall
take into consideration the special circumstances of small and rural
hospitals, as defined in Section 124840, and primary care clinics, as
defined in subdivision (a) of Section 1204, in order to protect
access to quality care in those hospitals and clinics. When assessing
a penalty on a skilled nursing facility or other facility subject to
Section 1423, 1424, 1424.1, or 1424.5, the department shall issue
only the higher of either a penalty for the violation of this section
or a penalty for violation of Section 1423, 1424, 1424.1, or 1424.5,
not both.
   (f) All penalties collected by the department pursuant to this
section, Sections 1280.1, 1280.3, and 1280.4, shall be deposited into
the Internal Departmental Quality Improvement Account, which is
hereby created within the Special Deposit Fund under Section 16370 of
the Government Code. Upon appropriation by the Legislature, moneys
in the account shall be expended for internal quality improvement
activities in the Licensing and Certification Program.
   (g) If the licensee disputes a determination by the department
regarding a failure to prevent or failure to timely report unlawful
or unauthorized access to, or use or disclosure of, patients' medical
information, or the imposition of a penalty under this section, the
licensee may, within 10 days of receipt of the penalty assessment,
request a hearing pursuant to Section 131071. Penalties shall be paid
when appeals have been exhausted and the penalty has been upheld.
   (h) In lieu of disputing the determination of the department
regarding a failure to prevent or failure to timely report unlawful
or unauthorized access to, or use or disclosure of, patients' medical
information, transmit to the department 75 percent of the total
amount of the administrative penalty, for each violation, within 30
business days of receipt of the administrative penalty.
   (i) Notwithstanding any other law, the department may refer
violations of this section to the Office of Health Information
Integrity for enforcement pursuant to Section 130303.
   (j) For purposes of this section, the following definitions shall
apply:
   (1) "Reported event" means all breaches included in any single
report that is made pursuant to subdivision (b), regardless of the
number of breach events contained in the report.
   (2) "Unauthorized" means the inappropriate access, review, or
viewing of patient medical information without a direct need for
medical diagnosis, treatment, or other lawful use as permitted by the
Confidentiality of Medical Information Act (Part 2.6 (commencing
with Section 56) of Division 1 of the Civil Code) or any other
statute or regulation governing the lawful access, use, or disclosure
of medical information.
  SEC. 7.  Section 1627 of the Health and Safety Code is amended to
read:
   1627.  (a) (1) On or before July 1, 2011, the University of
California is requested to develop a plan to establish and administer
the Umbilical Cord Blood Collection Program for the purpose of
collecting units of umbilical cord blood for public use in
transplantation and providing nonclinical units for research
pertaining to biology and new clinical utilization of stem cells
derived from the blood and tissue of the placenta and umbilical cord.
The program shall conclude no later than January 1, 2018.
   (2) For purposes of this article, "public use" means both of the
following:
   (A) The collection of umbilical cord blood units from genetically
diverse donors that will be owned by the University of California.
This inventory shall be accessible by the National Registry and by
qualified California-based and other United States and international
registries and transplant centers to increase the likelihood of
providing suitably matched donor cord blood units to patients or
research participants who are in need of a transplant.
   (B) Cord blood units with a lower number of cells than deemed
necessary for clinical transplantation and units that meet clinical
requirements, but for other reasons are unsuitable, unlikely to be
transplanted, or otherwise unnecessary for clinical use, may be made
available for research.
   (b) (1) In order to implement the collection goals of this
program, the University of California may, commensurate with
available funds appropriated to the University of California for this
program, contract with one or more selected applicant entities that
have demonstrated the competence to collect and ship cord blood units
in compliance with federal guidelines and regulations.
   (2) It is the intent of the Legislature that, if the University of
California contracts with another entity pursuant to this
subdivision, the following shall apply:
   (A) The University of California may use a competitive process to
identify the best proposals submitted by applicant entities to
administer the collection and research objectives of the program, to
the extent that the
University of California chooses not to undertake these activities
itself.
   (B) In order to qualify for selection under this section to
receive, process, cryopreserve, or bank cord blood units, the entity
shall, at a minimum, have obtained an investigational new drug (IND)
exemption from the FDA or a biologic license from the FDA, as
appropriate, to manufacture clinical grade cord blood stem cell units
for clinical indications.
   (C) In order to qualify to receive appropriate cord blood units
and placental tissue to advance the research goals of this program,
an entity shall, at a minimum, be a laboratory recognized as having
performed peer-reviewed research on stem and progenitor cells,
including those derived from placental or umbilical cord blood and
postnatal tissue.
   (3) A medical provider or research facility shall comply with, and
shall be subject to, existing penalties for violations of all
applicable state and federal laws with respect to the protection of
any medical information, as defined in Section 56.05 of the Civil
Code, and any personally identifiable information contained in the
umbilical cord blood inventory.
   (c) The University of California is encouraged to make every
effort to avoid duplication or conflicts with existing and ongoing
programs and to leverage existing resources.
   (d) (1) All information collected pursuant to the program shall be
confidential, and shall be used solely for the purposes of the
program, including research. Access to confidential information shall
be limited to authorized persons who are bound by appropriate
institutional policies or who otherwise agree, in writing, to
maintain the confidentiality of that information.
   (2) Any person who, in violation of applicable institutional
policies or a written agreement to maintain confidentiality,
discloses any information provided pursuant to this section, or who
uses information provided pursuant to this section in a manner other
than as approved pursuant to this section, may be denied further
access to any confidential information maintained by the University
of California, and shall be subject to a civil penalty not exceeding
one thousand dollars ($1,000). The penalty provided for in this
section shall not be construed to limit or otherwise restrict any
remedy, provisional or otherwise, provided by law for the benefit of
the University of California or any other person covered by this
section.
   (3) Notwithstanding the restrictions of this section, an
individual to whom the confidential information pertains shall have
access to his or her own personal information.
   (e) It is the intent of the Legislature that the plan and
implementation of the program provide for both of the following:
   (1) Limit fees for access to cord blood units to the reasonable
and actual costs of storage, handling, and providing units, as well
as for related services such as donor matching and testing of cord
blood and other programs and services typically provided by cord
blood banks and public use programs.
   (2) The submittal of the plan developed pursuant to subdivision
(a) to the health and fiscal committees of the Legislature.
   (f) It is additionally the intent of the Legislature that the plan
and implementation of the program attempt to provide for all of the
following:
   (1) Development of a strategy to increase voluntary participation
by hospitals in the collection and storage of umbilical cord blood
and identify funding sources to offset the financial impact on
hospitals.
   (2) Consideration of a medical contingency response program to
prepare for and respond effectively to biological, chemical, or
radiological attacks, accidents, and other public health emergencies
where victims potentially benefit from treatment.
   (3) Exploration of the feasibility of operating the program as a
self-funding program, including the potential for charging users a
reimbursement fee.
  SEC. 8.  Section 117928 of the Health and Safety Code is amended to
read:
   117928.  (a)  Any common storage facility for the collection of
medical waste produced by small quantity generators operating
independently, but sharing common storage facilities, shall have a
permit issued by the enforcement agency.
   (b)  A permit for any common storage facility specified in
subdivision (a) may be obtained by any one of the following:
   (1)  A provider of health care as defined in Section 56.05 of the
Civil Code.
   (2)  The registered hazardous waste transporter.
   (3)  The property owner.
   (4)  The property management firm responsible for providing tenant
services to the medical waste generators.
  SEC. 9.  Section 120985 of the Health and Safety Code is amended to
read:
   120985.  (a)  Notwithstanding Section 120980, the results of an
HIV test that identifies or provides identifying characteristics of
the person to whom the test results apply may be recorded by the
physician who ordered the test in the test subject's medical record
or otherwise disclosed without written authorization of the subject
of the test, or the subject's representative as set forth in Section
121020, to the test subject's providers of health care, as defined in
Section 56.05 of the Civil Code, for purposes of diagnosis, care, or
treatment of the patient, except that for purposes of this section,
"providers of health care" does not include a health
care service plan regulated pursuant to Chapter 2.2 (commencing with
Section 1340) of Division 2.
   (b)  Recording or disclosure of HIV test results pursuant to
subdivision (a) does not authorize further disclosure unless
otherwise permitted by law.
  SEC. 10.  Section 121010 of the Health and Safety Code is amended
to read:
   121010.  Notwithstanding Section 120975 or 120980, the results of
a blood test to detect antibodies to the probable causative agent of
AIDS may be disclosed to any of the following persons without written
authorization of the subject of the test:
   (a) To the subject of the test or the subject's legal
representative, conservator, or to any person authorized to consent
to the test pursuant to subdivision (b) of Section 120990.
   (b) To a test subject's provider of health care, as defined in
Section 56.05 of the Civil Code, except that for purposes of this
section, "provider of health care" does not include a health care
service plan regulated pursuant to Chapter 2.2 (commencing with
Section 1340) of Division 2.
   (c) To an agent or employee of the test subject's provider of
health care who provides direct patient care and treatment.
   (d) To a provider of health care who procures, processes,
distributes, or uses a human body part donated pursuant to the
Uniform Anatomical Gift Act (Chapter 3.5 (commencing with Section
7150) of Part 1 of Division 7).
   (e) (1) To the designated officer of an emergency response
employee, and from that designated officer to an emergency response
employee regarding possible exposure to HIV or AIDS, but only to the
extent necessary to comply with provisions of the Ryan White
Comprehensive AIDS Resources Emergency Act of 1990 (Public Law
101-381; 42 U.S.C. Sec. 201).
   (2) For purposes of this subdivision, "designated officer" and
"emergency response employee" have the same meaning as these terms
are used in the Ryan White Comprehensive AIDS Resources Emergency Act
of 1990 (Public Law 101-381; 42 U.S.C. Sec. 201).
   (3) The designated officer shall be subject to the confidentiality
requirements specified in Section 120980, and may be personally
liable for unauthorized release of any identifying information about
the HIV results. Further, the designated officer shall inform the
exposed emergency response employee that the employee is also subject
to the confidentiality requirements specified in Section 120980, and
may be personally liable for unauthorized release of any identifying
information about the HIV test results.
  SEC. 11.  Section 130201 of the Health and Safety Code is amended
to read:
   130201.  For purposes of this division, the following definitions
apply:
   (a) "Director" means the Director of the Office of Health
Information Integrity.
   (b) "Medical information" means the term as defined in Section
56.05 of the Civil Code.
   (c) "Office" means the Office of Health Information Integrity.
   (d) "Provider of health care" means the term as defined in
Sections 56.05 and 56.06 of the Civil Code.
   (e) "Unauthorized access" means the inappropriate review or
viewing of patient medical information without a direct need for
diagnosis, treatment, or other lawful use as permitted by the
Confidentiality of Medical Information Act (Part 2.6 (commencing with
Section 56) of Division 1 of the Civil Code) or by other statutes or
regulations governing the lawful access, use, or disclosure of
medical information.
  SEC. 12.  Section 791.29 is added to the Insurance Code, to read:
   791.29.  A health insurer, as defined in subdivision (h) of
Section 56.05 of the Civil Code, shall comply with the provisions of
Section 56.107 of the Civil Code to the extent required by that
section. To the extent this article conflicts with Section 56.107 of
the Civil Code, the provisions of Section 56.107 of the Civil Code
shall control. 
  SEC. 13.  Section 3208.05 of the Labor Code is amended to read:
   3208.05.  (a) "Injury" includes a reaction to or a side effect
arising from health care provided by an employer to a health care
worker, which health care is intended to prevent the development or
manifestation of any bloodborne disease, illness, syndrome, or
condition recognized as occupationally incurred by Cal-OSHA, the
federal Centers for Disease Control and Prevention, or other
appropriate governmental entities. This section shall apply only to
preventive health care that the employer provided to a health care
worker under the following circumstances: (1) prior to an exposure
because of risk of occupational exposure to such a disease, illness,
syndrome, or condition, or (2) where the preventive care is provided
as a consequence of a documented exposure to blood or bodily fluid
containing blood that arose out of and in the course of employment.
Such a disease, illness, syndrome, or condition includes, but is not
limited to, hepatitis, and the human immunodeficiency virus. Such
preventive health care, and any disability indemnity or other
benefits required as a result of the preventive health care provided
by the employer, shall be compensable under the workers' compensation
system. The employer may require the health care worker to document
that the employer provided the preventive health care and that the
reaction or side effects arising from the preventive health care
resulted in lost work time, health care costs, or other costs
normally compensable under workers' compensation.
   (b) The benefits of this section shall not be provided to a health
care worker for a reaction to or side effect from health care
intended to prevent the development of the human immunodeficiency
virus if the worker claims a work-related exposure and if the worker
tests positive within 48 hours of that exposure to a test to
determine the presence of the human immunodeficiency virus.
   (c) For purposes of this section, "health care worker" includes
any person who is an employee of a provider of health care as defined
in Section 56.05 of the Civil Code, and who is exposed to human
blood or other bodily fluids contaminated with blood in the course of
employment, including, but not limited to, a registered nurse, a
licensed vocational nurse, a certified nurse aide, clinical
laboratory technologist, dental hygienist, physician, janitor, and
housekeeping worker. "Health care worker" does not include an
employee who provides employee health services for an employer
primarily engaged in a business other than providing health care.
  SEC. 14.  No reimbursement is required by this act pursuant to
Section 6 of Article XIII B of
the California Constitution because the only costs that may be
incurred by a local agency or school district will be incurred
because this act creates a new crime or infraction, eliminates a
crime or infraction, or changes the penalty for a crime or
infraction, within the meaning of Section 17556 of the Government
Code, or changes the definition of a crime within the meaning of
Section 6 of Article XIII B of the California Constitution.