BILL NUMBER: SB 138 AMENDED BILL TEXT AMENDED IN SENATE APRIL 8, 2013 AMENDED IN SENATE MARCH 13, 2013 INTRODUCED BY Senator Hernandez (Coauthors: Senators DeSaulnier and Leno) JANUARY 28, 2013 An act to amend Sections 56.05, 56.104, and 56.16 of, and to add Section 56.107 to, the Civil Code, to amend Sections 1280.15, 1627, 117928, 120985, 121010, and 130201 of the Health and Safety Code, to add Section 791.29 to the Insurance Code, and to amend Section 3208.05 of the Labor Code, relating to medical information. LEGISLATIVE COUNSEL'S DIGEST SB 138, as amended, Hernandez. Confidentiality of medical information. Existing federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes certain requirements relating to the provision of health insurance, and the protection of privacy of individually identifiable health information. Existing state law, the Confidentiality of Medical Information Act, provides that medical information, as defined, may not be disclosed by providers of health care, health care service plans, or contractors, as defined, without the patient's written authorization, subject to certain exceptions, including disclosure to a probate court investigator, as specified. A violation of the act resulting in economic loss or personal injury to a patient is a misdemeanor and subjects the violating party to liability for specified damages and administrative fines and penalties. The act defines various terms relevant to its implementation. This bill would declare the intent of the Legislature to incorporate HIPAA standards into state law and to clarify standards for protecting the confidentiality of medical information in insurance transactions. 
The bill would define additional terms in connection with maintaining the confidentiality of this information, including an "authorization for insurance communications," which an insured individual may submit for the purpose of specifying disclosable medical information and insurance transactions, and permissible recipients. This bill would specify the manner in which a health care service plan or health insurer would be required to maintain confidentiality of information regarding the treatment of insured individuals less than 26 years of age who are insured as dependents on another person's policy, the treatment of an insured individual involving sensitive services, as defined, or situations in which disclosure would endanger the insured individual, as defined. This bill would specifically authorize a provider of health care to communicate information regarding benefit cost-sharing arrangements to the health care service plan or health insurer, as specified. This bill would also prohibit the health care service plan or health insurer from conditioning enrollment in the plan or eligibility for benefits on the provision of an authorization for insurance communications. The bill also would make conforming technical changes. By expanding the scope of a crime, the bill would create a state-mandated local program. Existing state law, the Insurance Information and Privacy Protection Act, generally regulates how insurers collect, use, and disclose information gathered in connection with insurance transactions. This bill would specify that a health insurer, as defined, shall comply with the requirements of the Confidentiality of Medical Information Act, if that act conflicts with the Insurance Information and Privacy Protection Act. The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement. 
This bill would provide that no reimbursement is required by this act for a specified reason. Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: yes. THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS: SECTION 1. The Legislature finds and declares all of the following: (a) Privacy is a fundamental right of all Californians, protected by the California Constitution, the federal Health Insurance Portability and Accountability Act (HIPAA; Public Law 104-191), and the Confidentiality of Medical Information Act, Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code. (b) Implementation of the recently enacted federal Patient Protection and Affordable Care Act (Public Law 111-148) will expand the number of individuals insured as dependents on a health insurance policy held in another person's name, including adult children under 26 years of age insured on a parent's insurance policy. (c) HIPAA explicitly protects the confidentiality of medical care obtained by dependents insured under a health insurance policy held by another person. (d) Therefore, it is the intent of the Legislature in enacting this act to incorporate HIPAA standards into state law and to clarify the standards for protecting the confidentiality of medical information in insurance transactions. SEC. 2. Section 56.05 of the Civil Code is amended to read: 56.05. For purposes of this part: (a) "Authorization" means permission granted in accordance with Section 56.11 or 56.21 for the disclosure of medical information. (b) "Authorization for insurance communications" means permission from the individual, that meets the requirements of subdivisions (a) to (c), inclusive, of Section 56.11, specifying the medical information and insurance transactions that may be disclosed and the identity of the people to whom disclosures are permitted as part of an insurance communication. 
(c) "Authorized recipient" means any person who is authorized to receive medical information pursuant to Section 56.10 or 56.20. (d) "Confidential communications request" means a request by an insured individual that insurance communications be communicated by a specific method, such as by telephone, email, or in a covered envelope rather than postcard, or to a specific mail or email address or specific telephone number, as designated by the insured individual. (e) "Contractor" means any person or entity that is a medical group, independent practice association, pharmaceutical benefits manager, or a medical service organization and is not a health care service plan or provider of health care. "Contractor" does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code or pharmaceutical benefits managers licensed pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code). (f) "Endanger" means that the insured individual fears harassment or abuse resulting from an insurance communication sufficient to deter the patient from obtaining health care absent confidentiality. (g) "Health care service plan" means any entity regulated pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code). (h) "Health insurer" means an entity that issues health insurance, as defined in subdivision (b) of Section 106 of the Insurance Code. (i) "Insured individual" means a person entitled to coverage under a health care service plan or health insurer, including the policyholder and dependents. (j) "Insurance communication" means any communication from the health care service plan or health insurer to policyholders or insured individuals that discloses individually identifiable medical information. 
Insurance communication includes, but is not limited to, explanation of benefits forms, scheduling information, notices of denial, and notices of contested claims. (k) "Licensed health care professional" means any person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code, the Osteopathic Initiative Act or the Chiropractic Initiative Act, or Division 2.5 (commencing with Section 1797) of the Health and Safety Code. (l) "Marketing" means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. "Marketing" does not include any of the following: (1) Communications made orally or in writing for which the communicator does not receive direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication. (2) Communications made to current enrollees solely for the purpose of describing a provider's participation in an existing health care provider network or health plan network of a Knox-Keene licensed health plan to which the enrollees already subscribe; communications made to current enrollees solely for the purpose of describing if, and the extent to which, a product or service, or payment for a product or service, is provided by a provider, contractor, or plan or included in a plan of benefits of a Knox-Keene licensed health plan to which the enrollees already subscribe; or communications made to plan enrollees describing the availability of more cost-effective pharmaceuticals. 
(3) Communications that are tailored to the circumstances of a particular individual to educate or advise the individual about treatment options, and otherwise maintain the individual's adherence to a prescribed course of medical treatment, as provided in Section 1399.901 of the Health and Safety Code, for a chronic and seriously debilitating or life-threatening condition as defined in subdivisions (d) and (e) of Section 1367.21 of the Health and Safety Code, if the health care provider, contractor, or health plan receives direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication, if all of the following apply: (A) The individual receiving the communication is notified in the communication in typeface no smaller than 14-point type of the fact that the provider, contractor, or health plan has been remunerated and the source of the remuneration. (B) The individual is provided the opportunity to opt out of receiving future remunerated communications. (C) The communication contains instructions in typeface no smaller than 14-point type describing how the individual can opt out of receiving further communications by calling a toll-free number of the health care provider, contractor, or health plan making the remunerated communications. No further communication may be made to an individual who has opted out after 30 calendar days from the date the individual makes the opt out request. (m) "Medical information" means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment. 
"Individually identifiable" means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity. (n) "Nondisclosure request" means a written request to withhold insurance communications that includes the insured individual's name and address, description of the medical or other information that should not be disclosed, identity of the persons from whom information shall be withheld, and contact information for the individual for additional information or clarification necessary to satisfy the request. (o) "Patient" means any natural person, whether or not still living, who received health care services from a provider of health care and to whom medical information pertains. (p) "Pharmaceutical company" means any company or business, or an agent or representative thereof, that manufactures, sells, or distributes pharmaceuticals, medications, or prescription drugs. "Pharmaceutical company" does not include a pharmaceutical benefits manager, as included in subdivision (c), or a provider of health care. (q) "Provider of health care" means any person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code; any person licensed pursuant to the Osteopathic Initiative Act or the Chiropractic Initiative Act; any person certified pursuant to Division 2.5 (commencing with Section 1797) of the Health and Safety Code; any clinic, health dispensary, or health facility licensed pursuant to Division 2 (commencing with Section 1200) of the Health and Safety Code. "Provider of health care" does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code. 
(r) "Sensitive services" means all health care services described in Sections 6924, 6925, 6926, 6927, 6928, and 6929 of the Family Code, and Sections 121020 and 124260 of the Health and Safety Code, obtained by any patient who has reached the minimum age specified for consenting to the service specified in the section, including patients 18 years of age and older. SEC. 3. Section 56.104 of the Civil Code is amended to read: 56.104. (a) Notwithstanding subdivision (c) of Section 56.10, except as provided in subdivision (e), no provider of health care, health care service plan, or contractor may release medical information to persons or entities who have requested that information and who are authorized by law to receive that information pursuant to subdivision (c) of Section 56.10, if the requested information specifically relates to the patient's participation in outpatient treatment with a psychotherapist, unless the person or entity requesting that information submits to the patient pursuant to subdivision (b) and to the provider of health care, health care service plan, or contractor a written request, signed by the person requesting the information or an authorized agent of the entity requesting the information, that includes all of the following: (1) The specific information relating to a patient's participation in outpatient treatment with a psychotherapist being requested and its specific intended use or uses. (2) The length of time during which the information will be kept before being destroyed or disposed of. A person or entity may extend that timeframe, provided that the person or entity notifies the provider, plan, or contractor of the extension. Any notification of an extension shall include the specific reason for the extension, the intended use or uses of the information during the extended time, and the expected date of the destruction of the information. 
(3) A statement that the information will not be used for any purpose other than its intended use. (4) A statement that the person or entity requesting the information will destroy the information and all copies in the person's or entity's possession or control, will cause it to be destroyed, or will return the information and all copies of it before or immediately after the length of time specified in paragraph (2) has expired. (b) The person or entity requesting the information shall submit a copy of the written request required by this section to the patient within 30 days of receipt of the information requested, unless the patient has signed a written waiver in the form of a letter signed and submitted by the patient to the provider of health care or health care service plan waiving notification. (c) For purposes of this section, "psychotherapist" means a person who is both a "psychotherapist" as defined in Section 1010 of the Evidence Code and a "provider of health care" as defined in Section 56.05. (d) This section does not apply to the disclosure or use of medical information by a law enforcement agency or a regulatory agency when required for an investigation of unlawful activity or for licensing, certification, or regulatory purposes, unless the disclosure is otherwise prohibited by law. (e) This section shall not apply to any of the following: (1) Information authorized to be disclosed pursuant to paragraph (1) of subdivision (c) of Section 56.10. (2) Information requested from a psychotherapist by law enforcement or by the target of the threat subsequent to a disclosure by that psychotherapist authorized by paragraph (19) of subdivision (c) of Section 56.10, in which the additional information is clearly necessary to prevent the serious and imminent threat disclosed under that paragraph. 
(3) Information disclosed by a psychotherapist pursuant to paragraphs (14) and (22) of subdivision (c) of Section 56.10 and requested by an agency investigating the abuse reported pursuant to those paragraphs. (f) Nothing in this section shall be construed to grant any additional authority to a provider of health care, health care service plan, or contractor to disclose information to a person or entity without the patient's consent. SEC. 4. Section 56.107 is added to the Civil Code, to read: 56.107. (a) Notwithstanding any other law, and to the extent permitted by federal law, a health care service plan or health insurer shall take the following steps to protect the confidentiality of an insured individual's medical information as follows: (1) A health care service plan or health insurer shall not send insurance communications relating to sensitive services: (A) Unless the health care service plan or health insurer has received an authorization for insurance communications from an insured individual who is under 26 years of age and insured as a dependent on another person's insurance policy. (B) For an insured individual to whom subparagraph (A) does not apply, if that insured individual has submitted a nondisclosure request. (2) A health care service plan or health insurer shall comply with a confidential communications request regarding sensitive services from an insured individual. (3) A health care service plan or health insurer shall comply with a nondisclosure request or a confidential communications request from an insured individual who states that disclosure of medical information will endanger the individual, and shall not require an explanation as to the basis for the insured individual's statement that disclosure will endanger the individual. 
(b) Notwithstanding subdivision (a), the provider of health care may make arrangements with the insured individual for the payment of benefit cost sharing and communicate that arrangement with the health care service plan or health insurer. (c) A health care service plan or health insurer shall not condition enrollment or coverage in the health plan or health insurance policy or eligibility for benefits on the provision of an authorization for insurance communications. SEC. 5. Section 56.16 of the Civil Code is amended to read: 56.16. For disclosures not addressed by Section 56.1007, unless there is a specific written request by the patient to the contrary, nothing in this part shall be construed to prevent a general acute care hospital, as defined in subdivision (a) of Section 1250 of the Health and Safety Code, upon an inquiry concerning a specific patient, from releasing at its discretion any of the following information: the patient's name, address, age, and sex; a general description of the reason for treatment (whether an injury, a burn, poisoning, or some unrelated condition); the general nature of the injury, burn, poisoning, or other condition; the general condition of the patient; and any information that is not medical information as defined in Section 56.05. SEC. 6. Section 1280.15 of the Health and Safety Code is amended to read: 1280.15. (a) A clinic, health facility, home health agency, or hospice licensed pursuant to Section 1204, 1250, 1725, or 1745 shall prevent unlawful or unauthorized access to, and use or disclosure of, patients' medical information, as defined in Section 56.05 of the Civil Code and consistent with Section 130203. 
For purposes of this section, internal paper records, electronic mail, or facsimile transmissions inadvertently misdirected within the same facility or health care system within the course of coordinating care or delivering services shall not constitute unauthorized access to, or use or disclosure of, a patient's medical information. The department, after investigation, may assess an administrative penalty for a violation of this section of up to twenty-five thousand dollars ($25,000) per patient whose medical information was unlawfully or without authorization accessed, used, or disclosed, and up to seventeen thousand five hundred dollars ($17,500) per subsequent occurrence of unlawful or unauthorized access, use, or disclosure of that patient's medical information. For purposes of the investigation, the department shall consider the clinic's, health facility's, agency's, or hospice's history of compliance with this section and other related state and federal statutes and regulations, the extent to which the facility detected violations and took preventative action to immediately correct and prevent past violations from recurring, and factors outside its control that restricted the facility's ability to comply with this section. The department shall have full discretion to consider all factors when determining the amount of an administrative penalty pursuant to this section. (b) (1) A clinic, health facility, home health agency, or hospice to which subdivision (a) applies shall report any unlawful or unauthorized access to, or use or disclosure of, a patient's medical information to the department no later than five business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice. 
(2) Subject to subdivision (c), a clinic, health facility, home health agency, or hospice shall also report any unlawful or unauthorized access to, or use or disclosure of, a patient's medical information to the affected patient or the patient's representative at the last known address, no later than five business days after the unlawful or unauthorized access, use, or disclosure has been detected by the clinic, health facility, home health agency, or hospice. (c) (1) A clinic, health facility, home health agency, or hospice shall delay the reporting, as required pursuant to paragraph (2) of subdivision (b), of any unlawful or unauthorized access to, or use or disclosure of, a patient's medical information beyond five business days if a law enforcement agency or official provides the clinic, health facility, home health agency, or hospice with a written or oral statement that compliance with the reporting requirements of paragraph (2) of subdivision (b) would likely impede the law enforcement agency's investigation that relates to the unlawful or unauthorized access to, and use or disclosure of, a patient's medical information and specifies a date upon which the delay shall end, not to exceed 60 days after a written request is made, or 30 days after an oral request is made. A law enforcement agency or official may request an extension of a delay based upon a written declaration that there exists a bona fide, ongoing, significant criminal investigation of serious wrongdoing relating to the unlawful or unauthorized access to, and use or disclosure of, a patient's medical information, that notification of patients will undermine the law enforcement agency's investigation, and that specifies a date upon which the delay shall end, not to exceed 60 days after the end of the original delay period. 
(2) If the statement of the law enforcement agency or official is made orally, then the clinic, health facility, home health agency, or hospice shall do both of the following: (A) Document the oral statement, including, but not limited to, the identity of the law enforcement agency or official making the oral statement and the date upon which the oral statement was made. (B) Limit the delay in reporting the unlawful or unauthorized access to, or use or disclosure of, the patient's medical information to the date specified in the oral statement, not to exceed 30 calendar days from the date that the oral statement is made, unless a written statement that complies with the requirements of this subdivision is received during that time. (3) A clinic, health facility, home health agency, or hospice shall submit a report that is delayed pursuant to this subdivision not later than five business days after the date designated as the end of the delay. (d) If a clinic, health facility, home health agency, or hospice to which subdivision (a) applies violates subdivision (b), the department may assess the licensee a penalty in the amount of one hundred dollars ($100) for each day that the unlawful or unauthorized access, use, or disclosure is not reported to the department or the affected patient, following the initial five-day period specified in subdivision (b). However, the total combined penalty assessed by the department under subdivision (a) and this subdivision shall not exceed two hundred fifty thousand dollars ($250,000) per reported event. For enforcement purposes, it shall be presumed that the facility did not notify the affected patient if the notification was not documented. This presumption may be rebutted by a licensee only if the licensee demonstrates, by a preponderance of the evidence, that the notification was made. 
(e) In enforcing subdivisions (a) and (d), the department shall take into consideration the special circumstances of small and rural hospitals, as defined in Section 124840, and primary care clinics, as defined in subdivision (a) of Section 1204, in order to protect access to quality care in those hospitals and clinics. When assessing a penalty on a skilled nursing facility or other facility subject to Section 1423, 1424, 1424.1, or 1424.5, the department shall issue only the higher of either a penalty for the violation of this section or a penalty for violation of Section 1423, 1424, 1424.1, or 1424.5, not both. (f) All penalties collected by the department pursuant to this section, Sections 1280.1, 1280.3, and 1280.4, shall be deposited into the Internal Departmental Quality Improvement Account, which is hereby created within the Special Deposit Fund under Section 16370 of the Government Code. Upon appropriation by the Legislature, moneys in the account shall be expended for internal quality improvement activities in the Licensing and Certification Program. (g) If the licensee disputes a determination by the department regarding a failure to prevent or failure to timely report unlawful or unauthorized access to, or use or disclosure of, patients' medical information, or the imposition of a penalty under this section, the licensee may, within 10 days of receipt of the penalty assessment, request a hearing pursuant to Section 131071. Penalties shall be paid when appeals have been exhausted and the penalty has been upheld. (h) In lieu of disputing the determination of the department regarding a failure to prevent or failure to timely report unlawful or unauthorized access to, or use or disclosure of, patients' medical information, transmit to the department 75 percent of the total amount of the administrative penalty, for each violation, within 30 business days of receipt of the administrative penalty. 
(i) Notwithstanding any other law, the department may refer violations of this section to the Office of Health Information Integrity for enforcement pursuant to Section 130303. (j) For purposes of this section, the following definitions shall apply: (1) "Reported event" means all breaches included in any single report that is made pursuant to subdivision (b), regardless of the number of breach events contained in the report. (2) "Unauthorized" means the inappropriate access, review, or viewing of patient medical information without a direct need for medical diagnosis, treatment, or other lawful use as permitted by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) or any other statute or regulation governing the lawful access, use, or disclosure of medical information. SEC. 7. Section 1627 of the Health and Safety Code is amended to read: 1627. (a) (1) On or before July 1, 2011, the University of California is requested to develop a plan to establish and administer the Umbilical Cord Blood Collection Program for the purpose of collecting units of umbilical cord blood for public use in transplantation and providing nonclinical units for research pertaining to biology and new clinical utilization of stem cells derived from the blood and tissue of the placenta and umbilical cord. The program shall conclude no later than January 1, 2018. (2) For purposes of this article, "public use" means both of the following: (A) The collection of umbilical cord blood units from genetically diverse donors that will be owned by the University of California. This inventory shall be accessible by the National Registry and by qualified California-based and other United States and international registries and transplant centers to increase the likelihood of providing suitably matched donor cord blood units to patients or research participants who are in need of a transplant. 
(B) Cord blood units with a lower number of cells than deemed necessary for clinical transplantation and units that meet clinical requirements, but for other reasons are unsuitable, unlikely to be transplanted, or otherwise unnecessary for clinical use, may be made available for research. (b) (1) In order to implement the collection goals of this program, the University of California may, commensurate with available funds appropriated to the University of California for this program, contract with one or more selected applicant entities that have demonstrated the competence to collect and ship cord blood units in compliance with federal guidelines and regulations. (2) It is the intent of the Legislature that, if the University of California contracts with another entity pursuant to this subdivision, the following shall apply: (A) The University of California may use a competitive process to identify the best proposals submitted by applicant entities to administer the collection and research objectives of the program, to the extent that the University of California chooses not to undertake these activities itself. (B) In order to qualify for selection under this section to receive, process, cryopreserve, or bank cord blood units, the entity shall, at a minimum, have obtained an investigational new drug (IND) exemption from the FDA or a biologic license from the FDA, as appropriate, to manufacture clinical grade cord blood stem cell units for clinical indications. (C) In order to qualify to receive appropriate cord blood units and placental tissue to advance the research goals of this program, an entity shall, at a minimum, be a laboratory recognized as having performed peer-reviewed research on stem and progenitor cells, including those derived from placental or umbilical cord blood and postnatal tissue. 
(3) A medical provider or research facility shall comply with, and shall be subject to, existing penalties for violations of all applicable state and federal laws with respect to the protection of any medical information, as defined in Section 56.05 of the Civil Code, and any personally identifiable information contained in the umbilical cord blood inventory. (c) The University of California is encouraged to make every effort to avoid duplication or conflicts with existing and ongoing programs and to leverage existing resources. (d) (1) All information collected pursuant to the program shall be confidential, and shall be used solely for the purposes of the program, including research. Access to confidential information shall be limited to authorized persons who are bound by appropriate institutional policies or who otherwise agree, in writing, to maintain the confidentiality of that information. (2) Any person who, in violation of applicable institutional policies or a written agreement to maintain confidentiality, discloses any information provided pursuant to this section, or who uses information provided pursuant to this section in a manner other than as approved pursuant to this section, may be denied further access to any confidential information maintained by the University of California, and shall be subject to a civil penalty not exceeding one thousand dollars ($1,000). The penalty provided for in this section shall not be construed to limit or otherwise restrict any remedy, provisional or otherwise, provided by law for the benefit of the University of California or any other person covered by this section. (3) Notwithstanding the restrictions of this section, an individual to whom the confidential information pertains shall have access to his or her own personal information. 
(e) It is the intent of the Legislature that the plan and implementation of the program provide for both of the following: (1) Limit fees for access to cord blood units to the reasonable and actual costs of storage, handling, and providing units, as well as for related services such as donor matching and testing of cord blood and other programs and services typically provided by cord blood banks and public use programs. (2) The submittal of the plan developed pursuant to subdivision (a) to the health and fiscal committees of the Legislature. (f) It is additionally the intent of the Legislature that the plan and implementation of the program attempt to provide for all of the following: (1) Development of a strategy to increase voluntary participation by hospitals in the collection and storage of umbilical cord blood and identify funding sources to offset the financial impact on hospitals. (2) Consideration of a medical contingency response program to prepare for and respond effectively to biological, chemical, or radiological attacks, accidents, and other public health emergencies where victims potentially benefit from treatment. (3) Exploration of the feasibility of operating the program as a self-funding program, including the potential for charging users a reimbursement fee. SEC. 8. Section 117928 of the Health and Safety Code is amended to read: 117928. (a) Any common storage facility for the collection of medical waste produced by small quantity generators operating independently, but sharing common storage facilities, shall have a permit issued by the enforcement agency. (b) A permit for any common storage facility specified in subdivision (a) may be obtained by any one of the following: (1) A provider of health care as defined in Section 56.05 of the Civil Code. (2) The registered hazardous waste transporter. (3) The property owner. (4) The property management firm responsible for providing tenant services to the medical waste generators. SEC. 9. 
Section 120985 of the Health and Safety Code is amended to read: 120985. (a) Notwithstanding Section 120980, the results of an HIV test that identifies or provides identifying characteristics of the person to whom the test results apply may be recorded by the physician who ordered the test in the test subject's medical record or otherwise disclosed without written authorization of the subject of the test, or the subject's representative as set forth in Section 121020, to the test subject's providers of health care, as defined in Section 56.05 of the Civil Code, for purposes of diagnosis, care, or treatment of the patient, except that for purposes of this section, "providers of health care" does not include a health care service plan regulated pursuant to Chapter 2.2 (commencing with Section 1340) of Division 2. (b) Recording or disclosure of HIV test results pursuant to subdivision (a) does not authorize further disclosure unless otherwise permitted by law. SEC. 10. Section 121010 of the Health and Safety Code is amended to read: 121010. Notwithstanding Section 120975 or 120980, the results of a blood test to detect antibodies to the probable causative agent of AIDS may be disclosed to any of the following persons without written authorization of the subject of the test: (a) To the subject of the test or the subject's legal representative, conservator, or to any person authorized to consent to the test pursuant to subdivision (b) of Section 120990. (b) To a test subject's provider of health care, as defined in Section 56.05 of the Civil Code, except that for purposes of this section, "provider of health care" does not include a health care service plan regulated pursuant to Chapter 2.2 (commencing with Section 1340) of Division 2. (c) To an agent or employee of the test subject's provider of health care who provides direct patient care and treatment. 
(d) To a provider of health care who procures, processes, distributes, or uses a human body part donated pursuant to the Uniform Anatomical Gift Act (Chapter 3.5 (commencing with Section 7150) of Part 1 of Division 7). (e) (1) To the designated officer of an emergency response employee, and from that designated officer to an emergency response employee regarding possible exposure to HIV or AIDS, but only to the extent necessary to comply with provisions of the Ryan White Comprehensive AIDS Resources Emergency Act of 1990 (Public Law 101-381; 42 U.S.C. Sec. 201). (2) For purposes of this subdivision, "designated officer" and "emergency response employee" have the same meaning as these terms are used in the Ryan White Comprehensive AIDS Resources Emergency Act of 1990 (Public Law 101-381; 42 U.S.C. Sec. 201). (3) The designated officer shall be subject to the confidentiality requirements specified in Section 120980, and may be personally liable for unauthorized release of any identifying information about the HIV results. Further, the designated officer shall inform the exposed emergency response employee that the employee is also subject to the confidentiality requirements specified in Section 120980, and may be personally liable for unauthorized release of any identifying information about the HIV test results. SEC. 11. Section 130201 of the Health and Safety Code is amended to read: 130201. For purposes of this division, the following definitions apply: (a) "Director" means the Director of the Office of Health Information Integrity. (b) "Medical information" means the term as defined in Section 56.05 of the Civil Code. (c) "Office" means the Office of Health Information Integrity. (d) "Provider of health care" means the term as defined in Sections 56.05 and 56.06 of the Civil Code. 
(e) "Unauthorized access" means the inappropriate review or viewing of patient medical information without a direct need for diagnosis, treatment, or other lawful use as permitted by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) or by other statutes or regulations governing the lawful access, use, or disclosure of medical information. SEC. 12. Section 791.29 is added to the Insurance Code, to read: 791.29. A health insurer, as defined in subdivision (h) of Section 56.05 of the Civil Code, shall comply with the provisions of Section 56.107 of the Civil Code to the extent required by that section. To the extent this article conflicts with Section 56.107 of the Civil Code, the provisions of Section 56.107 of the Civil Code shall control. SEC. 13. Section 3208.05 of the Labor Code is amended to read: 3208.05. (a) "Injury" includes a reaction to or a side effect arising from health care provided by an employer to a health care worker, which health care is intended to prevent the development or manifestation of any bloodborne disease, illness, syndrome, or condition recognized as occupationally incurred by Cal-OSHA, the federal Centers for Disease Control and Prevention, or other appropriate governmental entities. This section shall apply only to preventive health care that the employer provided to a health care worker under the following circumstances: (1) prior to an exposure because of risk of occupational exposure to such a disease, illness, syndrome, or condition, or (2) where the preventive care is provided as a consequence of a documented exposure to blood or bodily fluid containing blood that arose out of and in the course of employment. Such a disease, illness, syndrome, or condition includes, but is not limited to, hepatitis, and the human immunodeficiency virus. 
Such preventive health care, and any disability indemnity or other benefits required as a result of the preventive health care provided by the employer, shall be compensable under the workers' compensation system. The employer may require the health care worker to document that the employer provided the preventive health care and that the reaction or side effects arising from the preventive health care resulted in lost work time, health care costs, or other costs normally compensable under workers' compensation. (b) The benefits of this section shall not be provided to a health care worker for a reaction to or side effect from health care intended to prevent the development of the human immunodeficiency virus if the worker claims a work-related exposure and if the worker tests positive within 48 hours of that exposure to a test to determine the presence of the human immunodeficiency virus. (c) For purposes of this section, "health care worker" includes any person who is an employee of a provider of health care as defined in Section 56.05 of the Civil Code, and who is exposed to human blood or other bodily fluids contaminated with blood in the course of employment, including, but not limited to, a registered nurse, a licensed vocational nurse, a certified nurse aide, clinical laboratory technologist, dental hygienist, physician, janitor, and housekeeping worker. "Health care worker" does not include an employee who provides employee health services for an employer primarily engaged in a business other than providing health care. SEC. 14. 
No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.