Bill Text

PDF |Add To My Favorites |Track Bill | print page

AB-1751 Controlled substances: CURES database.(2017-2018)

SHARE THIS:share this bill in Facebookshare this bill in Twitter
Date Published: 08/17/2018 01:19 PM
AB1751:v97#DOCUMENT

Amended  IN  Senate  August 17, 2018
Amended  IN  Senate  July 05, 2018

CALIFORNIA LEGISLATURE— 2017–2018 REGULAR SESSION

Assembly Bill No. 1751


Introduced by Assembly Member Low

January 03, 2018


An act to amend Section 1798.24 of the Civil Code, and to amend Sections Section 11165 and 11165.1 of the Health and Safety Code, relating to controlled substances.


LEGISLATIVE COUNSEL'S DIGEST


AB 1751, as amended, Low. Controlled substances: CURES database.
Existing law classifies certain controlled substances into designated schedules. Existing law requires the Department of Justice to maintain the Controlled Substance Utilization Review and Evaluation System (CURES) for the electronic monitoring of the prescribing and dispensing of Schedule II, Schedule III, and Schedule IV controlled substances by a health care practitioner authorized to prescribe, order, administer, furnish, or dispense a Schedule II, Schedule III, or Schedule IV controlled substance.
This bill would require the department, no later than July 1, 2020, to adopt regulations regarding the access and use of the information within CURES by consulting with specified stakeholders, and addressing certain processes, purposes, and conditions in the regulations. The bill would authorize the department, once those final regulations have been adopted, issued, to enter into an agreement with any entity operating an interstate data sharing hub, or any agency operating a prescription drug monitoring program in another state, for purposes of interstate data sharing of prescription drug monitoring program information, as specified. The bill would require any agreement entered into by the department for those purposes to ensure that all access to data obtained from CURES complies and the handling of data contained within CURES comply with California law and meets meet the same patient privacy, audit, and data security standards employed and required for direct access to CURES.
The bill would authorize a health care practitioner otherwise eligible for access to CURES, or a pharmacist who is employed by a health insurer or health care service plan and is involved in accepting, denying, or adjusting a claim for health insurance policy benefits or health care service plan contract benefits related to controlled substances, to access CURES for purposes of reviewing a claim. The bill would make conforming changes to related provisions concerning the department’s release of the electronic history of controlled substances corresponding to an individual, and to provisions concerning exceptions to the prohibition on a state agency from disclosing personal information.

Existing law requires specified health care practitioners and pharmacists to submit an application to obtain approval to electronically access information regarding the controlled substance history of a patient that is maintained by the department. Existing law authorizes the denial of an application, or the suspension of a subscriber, for specified reasons, including, among others, accessing information for a reason other than to diagnose or treat the patient, or to document compliance with the law.

This bill would additionally authorize the denial of an application, or the suspension of a subscriber, in that circumstance if the information is accessed for a reason other than to assess or ensure patient safety, or to make a determination regarding accepting, denying, or adjusting a benefits claim, as specified.

Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Section 1798.24 of the Civil Code is amended to read:

1798.24.
 An agency shall not disclose any personal information in a manner that would identify link the information disclosed to the individual to whom it pertains unless the information is disclosed, as follows:
(a) To the individual to whom the information pertains.
(b) With the prior written voluntary consent of the individual to whom the information pertains, but only if that consent has been obtained not more than 30 days before the disclosure, or in the time limit agreed to by the individual in the written consent.
(c) To the duly appointed guardian or conservator of the individual or a person representing the individual if it can be proven with reasonable certainty through the possession of agency forms, documents, or correspondence that this person is the authorized representative of the individual to whom the information pertains.
(d) To those officers, employees, attorneys, agents, or volunteers of the agency that has custody of the information if the disclosure is relevant and necessary in the ordinary course of the performance of their official duties and is related to the purpose for which the information was acquired.
(e) To a person, or to another agency if the transfer is necessary for the transferee agency to perform its constitutional or statutory duties, and the use is compatible with a purpose for which the information was collected and the use or transfer is in accordance with Section 1798.25. With respect to information transferred from a law enforcement or regulatory agency, or information transferred to another law enforcement or regulatory agency, a use is compatible if the use of the information requested is needed in an investigation of unlawful activity under the jurisdiction of the requesting agency or for licensing, certification, or regulatory purposes by that agency.
(f) To a governmental entity if required by state or federal law.
(g) Pursuant to the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1 of the Government Code).
(h) To a person who has provided the agency with advance, adequate written assurance that the information will be used solely for statistical research or reporting purposes, but only if the information to be disclosed is in a form that will not identify any individual.
(i) Pursuant to a determination by the agency that maintains information that compelling circumstances exist that affect the health or safety of an individual, if upon the disclosure notification is transmitted to the individual to whom the information pertains at his or her last known address. Disclosure shall not be made if it is in conflict with other state or federal laws.
(j) To the State Archives as a record that has sufficient historical or other value to warrant its continued preservation by the California state government, or for evaluation by the Director of General Services or his or her designee to determine whether the record has further administrative, legal, or fiscal value.
(k) To any person pursuant to a subpoena, court order, or other compulsory legal process if, before the disclosure, the agency reasonably attempts to notify the individual to whom the record pertains, and if the notification is not prohibited by law.
(l) To any person pursuant to a search warrant.
(m) Pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code.
(n) For the sole purpose of verifying and paying government health care service claims made pursuant to Division 9 (commencing with Section 10000) of the Welfare and Institutions Code.
(o) To a law enforcement or regulatory agency when required for an investigation of unlawful activity or for licensing, certification, or regulatory purposes, unless the disclosure is otherwise prohibited by law.
(p) To another person or governmental organization to the extent necessary to obtain information from the person or governmental organization for an investigation by the agency of a failure to comply with a specific state law that the agency is responsible for enforcing.
(q) To an adopted person and is limited to general background information pertaining to the adopted person’s biological parents, if the information does not include or reveal the identity of the biological parents.
(r) To a child or a grandchild of an adopted person and disclosure is limited to medically necessary information pertaining to the adopted person’s biological parents. However, the information, or the process for obtaining the information, shall not include or reveal the identity of the biological parents. The State Department of Social Services shall adopt regulations governing the release of information pursuant to this subdivision. The regulations shall require licensed adoption agencies to provide the same services provided by the department as established by this subdivision.
(s) To a committee of the Legislature or to a Member of the Legislature, or his or her staff if authorized in writing by the member, if the member has permission to obtain the information from the individual to whom it pertains or if the member provides reasonable assurance that he or she is acting on behalf of the individual.
(t) (1) To the University of California, a nonprofit educational institution, or, in the case of education-related data, another nonprofit entity, conducting scientific research, if the request for information is approved by the Committee for the Protection of Human Subjects (CPHS) for the California Health and Human Services Agency (CHHSA) or an institutional review board, as authorized in paragraphs (4) and (5). The approval shall include a review and determination that all the following criteria have been satisfied:
(A) The researcher has provided a plan sufficient to protect personal information from improper use and disclosures, including sufficient administrative, physical, and technical safeguards to protect personal information from reasonable anticipated threats to the security or confidentiality of the information.
(B) The researcher has provided a sufficient plan to destroy or return all personal information as soon as it is no longer needed for the research project, unless the researcher has demonstrated an ongoing need for the personal information for the research project and has provided a long-term plan sufficient to protect the confidentiality of that information.
(C) The researcher has provided sufficient written assurances that the personal information will not be reused or disclosed to any other person or entity, or used in any manner, not approved in the research protocol, except as required by law or for authorized oversight of the research project.
(2) The CPHS or institutional review board shall, at a minimum, accomplish all of the following as part of its review and approval of the research project for the purpose of protecting personal information held in agency databases:
(A) Determine whether the requested personal information is needed to conduct the research.
(B) Permit access to personal information only if it is needed for the research project.
(C) Permit access only to the minimum necessary personal information needed for the research project.
(D) Require the assignment of unique subject codes that are not derived from personal information in lieu of social security numbers if the research can still be conducted without social security numbers.
(E) If feasible, and if cost, time, and technical expertise permit, require the agency to conduct a portion of the data processing for the researcher to minimize the release of personal information.
(3) Reasonable costs to the agency associated with the agency’s process of protecting personal information under the conditions of CPHS approval may be billed to the researcher, including, but not limited to, the agency’s costs for conducting a portion of the data processing for the researcher, removing personal information, encrypting or otherwise securing personal information, or assigning subject codes.
(4) The CPHS may enter into written agreements to enable other institutional review boards to provide the data security approvals required by this subdivision, if the data security requirements set forth in this subdivision are satisfied.
(5) Pursuant to paragraph (4), the CPHS shall enter into a written agreement with the institutional review board established pursuant to former Section 49079.6 of the Education Code. The agreement shall authorize, commencing July 1, 2010, or the date upon which the written agreement is executed, whichever is later, that board to provide the data security approvals required by this subdivision, if the data security requirements set forth in this subdivision and the act specified in subdivision (a) of Section 49079.5 of the Education Code are satisfied.
(u) To an insurer if authorized by Chapter 5 (commencing with Section 10900) of Division 4 of the Vehicle Code.
(v) Pursuant to Section 450, 452, 8009, or 18396 of the Financial Code.
(w) For the sole purpose of participation in interstate data sharing of prescription drug monitoring program information pursuant to the California Uniform Controlled Substances Act (Division 10 (commencing with Section 11000) of the Health and Safety Code), if disclosure is limited to prescription drug monitoring program information.
This article does not require the disclosure of personal information to the individual to whom the information pertains if that information may otherwise be withheld as set forth in Section 1798.40.

SEC. 2.

 Section 11165 of the Health and Safety Code is amended to read:

11165.
 (a) To assist health care practitioners in their efforts to ensure appropriate prescribing, ordering, administering, furnishing, and dispensing of controlled substances, law enforcement and regulatory agencies in their efforts to control the diversion and resultant abuse of Schedule II, Schedule III, and Schedule IV controlled substances, and for statistical analysis, education, and research, the Department of Justice shall, contingent upon the availability of adequate funds in the CURES Fund, maintain the Controlled Substance Utilization Review and Evaluation System (CURES) for the electronic monitoring of, and Internet access to information regarding, the prescribing and dispensing of Schedule II, Schedule III, and Schedule IV controlled substances by all practitioners authorized to prescribe, order, administer, furnish, or dispense these controlled substances.
(b) The Department of Justice may seek and use grant funds to pay the costs incurred by the operation and maintenance of CURES. The department shall annually report to the Legislature and make available to the public the amount and source of funds it receives for support of CURES.
(c) (1) The operation of CURES shall comply with all applicable federal and state privacy and security laws and regulations.
(2) (A) CURES shall operate under existing provisions of law to safeguard the privacy and confidentiality of patients. Data obtained from CURES shall only be provided to appropriate state, local, and federal public agencies for disciplinary, civil, or criminal purposes and to other agencies or entities, as determined by the Department of Justice, for the purpose of educating practitioners and others in lieu of disciplinary, civil, or criminal actions. Data may be provided to public or private entities, as approved by the Department of Justice, for educational, peer review, statistical, or research purposes, if patient information, including any information that may identify the patient, is not compromised. Further, data disclosed to any individual or agency as described in this subdivision shall not be disclosed, sold, or transferred to any third party, unless authorized by, or pursuant to, state and federal privacy and security laws and regulations. The Department of Justice shall establish policies, procedures, and regulations regarding the use, access, evaluation, management, implementation, operation, storage, disclosure, and security of the information within CURES, consistent with this subdivision.
(B) Notwithstanding subparagraph (A), a regulatory board whose licensees do not prescribe, order, administer, furnish, or dispense controlled substances shall not be provided data obtained from CURES.
(3) The Department of Justice shall, no later than July 1, 2020, adopt regulations regarding the access and use of the information within CURES. The Department of Justice shall consult with all stakeholders representing law enforcement agencies, the licensed prescriber and dispenser communities, and any other stakeholders identified by the department during the rulemaking process. The regulations shall, at a minimum, address all of the following in a manner consistent with this chapter:
(A) The process for approving, denying, and disapproving individuals or entities seeking access to information in CURES.
(B) The purposes for which a health care practitioner may access information in CURES.
(C) The conditions under which a warrant, subpoena, or court order is required for a law enforcement agency to obtain information from CURES as part of a criminal investigation of a patient or health care practitioner, respectively. investigation.
(D) The process by which information in CURES may be provided for educational, peer review, statistical, or research purposes.

(4)Consistent with this subdivision, a health care practitioner otherwise eligible for access to CURES, or a pharmacist who is employed by a health insurer or health care service plan and is involved in accepting, denying, or adjusting a claim for health insurance policy benefits or health care service plan contract benefits related to controlled substances, may access CURES for purposes of reviewing a claim.

(5)

(4) In accordance with federal and state privacy laws and regulations, a health care practitioner may provide a patient with a copy of the patient’s CURES patient activity report as long as no additional CURES data are provided and keep a copy of the report in the patient’s medical record in compliance with subdivision (d) of Section 11165.1.
(d) For each prescription for a Schedule II, Schedule III, or Schedule IV controlled substance, as defined in the controlled substances schedules in federal law and regulations, specifically Sections 1308.12, 1308.13, and 1308.14, respectively, of Title 21 of the Code of Federal Regulations, the dispensing pharmacy, clinic, or other dispenser shall report the following information to the Department of Justice as soon as reasonably possible, but not more than seven days after the date a controlled substance is dispensed, in a format specified by the Department of Justice:
(1) Full name, address, and, if available, telephone number of the ultimate user or research subject, or contact information as determined by the Secretary of the United States Department of Health and Human Services, and the gender, and date of birth of the ultimate user.
(2) The prescriber’s category of licensure, license number, national provider identifier (NPI) number, if applicable, the federal controlled substance registration number, and the state medical license number of any prescriber using the federal controlled substance registration number of a government-exempt facility. facility, if provided.
(3) Pharmacy prescription number, license number, NPI number, and federal controlled substance registration number.
(4) National Drug Code (NDC) number of the controlled substance dispensed.
(5) Quantity of the controlled substance dispensed.
(6) International Statistical Classification of Diseases, 9th revision (ICD-9) or 10th revision (ICD-10) Code, if available.
(7) Number of refills ordered.
(8) Whether the drug was dispensed as a refill of a prescription or as a first-time request.
(9) Date of origin of the prescription.
(10) Date of dispensing of the prescription.
(e) The Department of Justice may invite stakeholders to assist, advise, and make recommendations on the establishment of rules and regulations necessary to ensure the proper administration and enforcement of the CURES database. All prescriber and dispenser invitees shall be licensed by one of the boards or committees identified in subdivision (d) of Section 208 of the Business and Professions Code, in active practice in California, and a regular user of CURES.
(f) The Department of Justice shall, prior to upgrading CURES, consult with prescribers licensed by one of the boards or committees identified in subdivision (d) of Section 208 of the Business and Professions Code, one or more of the boards or committees identified in subdivision (d) of Section 208 of the Business and Professions Code, and any other stakeholder identified by the department, for the purpose of identifying desirable capabilities and upgrades to the CURES Prescription Drug Monitoring Program (PDMP).
(g) The Department of Justice may establish a process to educate authorized subscribers of the CURES PDMP on how to access and use the CURES PDMP.
(h) (1) The Department of Justice may enter into an agreement with any entity operating an interstate data sharing hub, or any agency operating a prescription drug monitoring program in another state, for purposes of interstate data sharing of prescription drug monitoring program information.
(2) Data obtained from CURES may be provided to authorized users of another state’s prescription drug monitoring program, as determined by the Department of Justice pursuant to subdivision (c), if the entity operating the interstate data sharing hub, and the prescription drug monitoring program of that state, as applicable, have entered into an agreement with the Department of Justice for interstate data sharing of prescription drug monitoring program information.
(3) Any agreement entered into by the Department of Justice for purposes of interstate data sharing of prescription drug monitoring program information shall ensure that all access to data obtained from CURES complies and the handling of data contained within CURES comply with California law, including regulations, and meets meet the same patient privacy, audit, and data security standards employed and required for direct access to CURES.
(4) For purposes of interstate data sharing of CURES information pursuant to this subdivision, an authorized user of another state’s prescription drug monitoring program shall not be required to register with CURES, if he or she is registered and in good standing with that state’s prescription drug monitoring program.
(5) The Department of Justice shall not enter into an agreement pursuant to this subdivision until the department has issued final regulations regarding the access and use of the information within CURES as required by paragraph (3) of subdivision (c).

SEC. 3.Section 11165.1 of the Health and Safety Code is amended to read:
11165.1.

(a)(1)(A)(i)A health care practitioner authorized to prescribe, order, administer, furnish, or dispense Schedule II, Schedule III, or Schedule IV controlled substances pursuant to Section 11150 shall, before July 1, 2016, or upon receipt of a federal Drug Enforcement Administration (DEA) registration, whichever occurs later, submit an application developed by the department to obtain approval to electronically access information regarding the controlled substance history of a patient that is maintained by the department. Upon approval, the department shall release to that practitioner the electronic history of controlled substances dispensed to an individual under his or her care, or for whom the practitioner is involved in accepting, denying, or adjusting a claim for health insurance policy benefits or health care service plan contract benefits related to controlled substances, based on data contained in the CURES Prescription Drug Monitoring Program (PDMP).

(ii)A pharmacist shall, before July 1, 2016, or upon licensure, whichever occurs later, submit an application developed by the department to obtain approval to electronically access information regarding the controlled substance history of a patient that is maintained by the department. Upon approval, the department shall release to that pharmacist the electronic history of controlled substances dispensed to an individual under his or her care, or for whom the pharmacist is involved in accepting, denying, or adjusting a claim for health insurance policy benefits or health care service plan contract benefits related to controlled substances, based on data contained in the CURES PDMP.

(B)An application may be denied, or a subscriber may be suspended, for reasons that include, but are not limited to, the following:

(i)Materially falsifying an application to access information contained in the CURES database.

(ii)Failing to maintain effective controls for access to the patient activity report.

(iii)Having his or her federal DEA registration suspended or revoked.

(iv)Violating a law governing controlled substances or any other law for which the possession or use of a controlled substance is an element of the crime.

(v)Accessing information for a reason other than to diagnose or treat his or her patients, or to assess or ensure patient safety, or to make a determination regarding accepting, denying, or adjusting a claim for health insurance policy benefits or health care service plan contract benefits, or to document compliance with the law.

(C)An authorized subscriber shall notify the department within 30 days of any changes to the subscriber account.

(D)Commencing no later than October 1, 2018, an approved health care practitioner, pharmacist, and any person acting on behalf of a health care practitioner or pharmacist pursuant to subdivision (b) of Section 209 of the Business and Professions Code may use the department’s online portal or a health information technology system that meets the criteria required in subparagraph (E) to access information in the CURES database pursuant to this section. A subscriber who uses a health information technology system that meets the criteria required in subparagraph (E) to access the CURES database may submit automated queries to the CURES database that are triggered by predetermined criteria.

(E)Commencing no later than October 1, 2018, an approved health care practitioner or pharmacist may submit queries to the CURES database through a health information technology system if the entity that operates the health information technology system can certify all of the following:

(i)The entity will not use or disclose data received from the CURES database for any purpose other than delivering the data to an approved health care practitioner or pharmacist or performing data processing activities that may be necessary to enable the delivery unless authorized by, and pursuant to, state and federal privacy and security laws and regulations.

(ii)The health information technology system will authenticate the identity of an authorized health care practitioner or pharmacist initiating queries to the CURES database and, at the time of the query to the CURES database, the health information technology system submits the following data regarding the query to CURES:

(I)The date of the query.

(II)The time of the query.

(III)The first and last name of the patient queried.

(IV)The date of birth of the patient queried.

(V)The identification of the CURES user for whom the system is making the query.

(iii)The health information technology system meets applicable patient privacy and information security requirements of state and federal law.

(iv)The entity has entered into a memorandum of understanding with the department that solely addresses the technical specifications of the health information technology system to ensure the security of the data in the CURES database and the secure transfer of data from the CURES database. The technical specifications shall be universal for all health information technology systems that establish a method of system integration to retrieve information from the CURES database. The memorandum of understanding shall not govern, or in any way impact or restrict, the use of data received from the CURES database or impose any additional burdens on covered entities in compliance with the regulations promulgated pursuant to the federal Health Insurance Portability and Accountability Act of 1996 found in Parts 160 and 164 of Title 45 of the Code of Federal Regulations.

(F)No later than October 1, 2018, the department shall develop a programming interface or other method of system integration to allow health information technology systems that meet the requirements in subparagraph (E) to retrieve information in the CURES database on behalf of an authorized health care practitioner or pharmacist.

(G)The department shall not access patient-identifiable information in an entity’s health information technology system.

(H)An entity that operates a health information technology system that is requesting to establish an integration with the CURES database shall pay a reasonable fee to cover the cost of establishing and maintaining integration with the CURES database.

(I)The department may prohibit integration or terminate a health information technology system’s ability to retrieve information in the CURES database if the health information technology system fails to meet the requirements of subparagraph (E), or the entity operating the health information technology system does not fulfill its obligation under subparagraph (H).

(2)A health care practitioner authorized to prescribe, order, administer, furnish, or dispense Schedule II, Schedule III, or Schedule IV controlled substances pursuant to Section 11150 or a pharmacist shall be deemed to have complied with paragraph (1) if the licensed health care practitioner or pharmacist has been approved to access the CURES database through the process developed pursuant to subdivision (a) of Section 209 of the Business and Professions Code.

(b)A request for, or release of, a controlled substance history pursuant to this section shall be made in accordance with guidelines developed by the department.

(c)In order to prevent the inappropriate, improper, or illegal use of Schedule II, Schedule III, or Schedule IV controlled substances, the department may initiate the referral of the history of controlled substances dispensed to an individual based on data contained in CURES to licensed health care practitioners, pharmacists, or both, providing care or services to the individual, including services provided by a practitioner or pharmacist employed by a health insurer or health care service plan who reviews claims related to that individual.

(d)The history of controlled substances dispensed to an individual based on data contained in CURES that is received by a practitioner or pharmacist from the department pursuant to this section is medical information subject to the provisions of the Confidentiality of Medical Information Act contained in Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code.

(e)Information concerning a patient’s controlled substance history provided to a practitioner or pharmacist pursuant to this section shall include prescriptions for controlled substances listed in Sections 1308.12, 1308.13, and 1308.14 of Title 21 of the Code of Federal Regulations.

(f)A health care practitioner, pharmacist, and any person acting on behalf of a health care practitioner or pharmacist, when acting with reasonable care and in good faith, is not subject to civil or administrative liability arising from any false, incomplete, inaccurate, or misattributed information submitted to, reported by, or relied upon in the CURES database or for any resulting failure of the CURES database to accurately or timely report that information.

(g)For purposes of this section, the following terms have the following meanings:

(1)“Automated basis” means using predefined criteria to trigger an automated query to the CURES database, which can be attributed to a specific health care practitioner or pharmacist.

(2)“Department” means the Department of Justice.

(3)“Entity” means an organization that operates, or provides or makes available, a health information technology system to a health care practitioner or pharmacist.

(4)“Health information technology system” means an information processing application using hardware and software for the storage, retrieval, sharing of or use of patient data for communication, decisionmaking, coordination of care, or the quality, safety, or efficiency of the practice of medicine or delivery of health care services, including, but not limited to, electronic medical record applications, health information exchange systems, or other interoperable clinical or health care information system.

(5)“User-initiated basis” means an authorized health care practitioner or pharmacist has taken an action to initiate the query to the CURES database, such as clicking a button, issuing a voice command, or taking some other action that can be attributed to a specific health care practitioner or pharmacist.