Compare Versions


Add To My Favorites | print page

SB-1250 Medical records: confidentiality.(2011-2012)



Current Version: 05/15/12 - Amended Senate

Compare Versions information image


SB1250:v98#DOCUMENT

Amended  IN  Senate  May 15, 2012

CALIFORNIA LEGISLATURE— 2011–2012 REGULAR SESSION

Senate Bill
No. 1250


Introduced  by  Senator Alquist

February 23, 2012


An act to amend Section 56.36 of add Section 56.08 to the Civil Code, relating to medical records.


LEGISLATIVE COUNSEL'S DIGEST


SB 1250, as amended, Alquist. Medical records: confidentiality.
The Confidentiality of Medical Information Act requires that every provider of health care, health care service plan, pharmaceutical company, and contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of medical records do so in a manner that preserves the confidentiality of the information contained in the records, and provides that negligence in conducting these activities may result in damages or an administrative fine or civil penalty, as specified. Existing law also makes a violation of these provision that results in economic loss or personal injury to a patient punishable as a misdemeanor.
This bill would provide that negligence in conducting these activities may result in the defendant being required to provide each person who is the subject of the medical records with access to a credit monitoring and reporting service for one year require a health care provider, health care service plan, or contractor, if there is a breach in the security of a patient’s social security number, driver’s license number, California identification card number, or financial information and that provider, plan, or contractor is required to issue a breach notification, to offer, in the breach notification, one year of free credit monitoring services to the patient. Because a violation of this requirement that results in economic loss or personal injury to a patient would be punishable as a crime, this bill would impose a state-mandated local program.
The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.
This bill would provide that no reimbursement is required by this act for a specified reason.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: NOYES   Local Program: NOYES  

The people of the State of California do enact as follows:


SECTION 1.

 Section 56.08 is added to the Civil Code, to read:

56.08.
 If there is a breach in the security of a patient’s social security number, driver’s license number, California identification card number, or financial information and a health care provider, health care service plan, or contractor is required to issue a breach notification pursuant to Section 1798.82 or any applicable federal law, the provider, plan, or contractor shall offer, in the breach notification, one year of free credit monitoring services to the patient. If the patient accepts that offer, the health care provider, health care service plan, or contractor shall provide the credit monitoring service to the patient. For purposes of this subdivision, “financial information” means credit card or debit card number.

SEC. 2.

 No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.
SECTION 1.Section 56.36 of the Civil Code is amended to read:
56.36.

(a)Any violation of this part that results in economic loss or personal injury to a patient is punishable as a misdemeanor.

(b)In addition to any other remedies available at law, any individual may bring an action against any person or entity that has negligently released confidential information or records concerning him or her in violation of this part, for access, at the defendant’s expense, to a nationally recognized credit monitoring and reporting service for one year from the date of release of any medical information and either or both of the following:

(1)Nominal damages of one thousand dollars ($1,000). In order to recover under this paragraph, it shall not be necessary that the plaintiff suffered or was threatened with actual damages.

(2)The amount of actual damages, if any, sustained by the patient.

(c)(1)In addition, any person or entity that negligently discloses medical information in violation of the provisions of this part shall also be liable, irrespective of the amount of damages suffered by the patient as a result of that violation, for an administrative fine or civil penalty not to exceed two thousand five hundred dollars ($2,500) per violation.

(2)(A)Any person or entity, other than a licensed health care professional, who knowingly and willfully obtains, discloses, or uses medical information in violation of this part shall be liable for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation.

(B)Any licensed health care professional, who knowingly and willfully obtains, discloses, or uses medical information in violation of this part shall be liable on a first violation, for an administrative fine or civil penalty not to exceed two thousand five hundred dollars ($2,500) per violation, or on a second violation for an administrative fine or civil penalty not to exceed ten thousand dollars ($10,000) per violation, or on a third and subsequent violation for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation. Nothing in this subdivision shall be construed to limit the liability of a health care service plan, a contractor, or a provider of health care that is not a licensed health care professional for any violation of this part.

(3)(A)Any person or entity, other than a licensed health care professional, who knowingly or willfully obtains or uses medical information in violation of this part for the purpose of financial gain shall be liable for an administrative fine or civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation and shall also be subject to disgorgement of any proceeds or other consideration obtained as a result of the violation.

(B)Any licensed health care professional, who knowingly and willfully obtains, discloses, or uses medical information in violation of this part for financial gain shall be liable on a first violation, for an administrative fine or civil penalty not to exceed five thousand dollars ($5,000) per violation, or on a second violation for an administrative fine or civil penalty not to exceed twenty-five thousand dollars ($25,000) per violation, or on a third and subsequent violation for an administrative fine or civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation and shall also be subject to disgorgement of any proceeds or other consideration obtained as a result of the violation. Nothing in this subdivision shall be construed to limit the liability of a health care service plan, a contractor, or a provider of health care that is not a licensed health care professional for any violation of this part.

(4)Nothing in this subdivision shall be construed as authorizing an administrative fine or civil penalty under both paragraphs (2) and (3) for the same violation.

(5)Any person or entity that is not permitted to receive medical information pursuant to this part and who knowingly and willfully obtains, discloses, or uses medical information without written authorization from the patient shall be liable for a civil penalty not to exceed two hundred fifty thousand dollars ($250,000) per violation.

(d)In assessing the amount of an administrative fine or civil penalty pursuant to subdivision (c), the Office of Health Information Integrity, licensing agency, or certifying board or court shall consider any one or more of the relevant circumstances presented by any of the parties to the case including, but not limited to, the following:

(1)Whether the defendant has made a reasonable, good faith attempt to comply with this part.

(2)The nature and seriousness of the misconduct.

(3)The harm to the patient, enrollee, or subscriber.

(4)The number of violations.

(5)The persistence of the misconduct.

(6)The length of time over which the misconduct occurred.

(7)The willfulness of the defendant’s misconduct.

(8)The defendant’s assets, liabilities, and net worth.

(e)(1)The civil penalty pursuant to subdivision (c) shall be assessed and recovered in a civil action brought in the name of the people of the State of California in any court of competent jurisdiction by any of the following:

(A)The Attorney General.

(B)Any district attorney.

(C)Any county counsel authorized by agreement with the district attorney in actions involving violation of a county ordinance.

(D)Any city attorney of a city.

(E)Any city attorney of a city and county having a population in excess of 750,000, with the consent of the district attorney.

(F)A city prosecutor in any city having a full-time city prosecutor or, with the consent of the district attorney, by a city attorney in any city and county.

(G)The Director of the Office of Health Information Integrity may recommend that any person described in subparagraphs (A) to (F), inclusive, bring a civil action under this section.

(2)If the action is brought by the Attorney General, one-half of the penalty collected shall be paid to the treasurer of the county in which the judgment was entered, and one-half to the General Fund. If the action is brought by a district attorney or county counsel, the penalty collected shall be paid to the treasurer of the county in which the judgment was entered. Except as provided in paragraph (3), if the action is brought by a city attorney or city prosecutor, one-half of the penalty collected shall be paid to the treasurer of the city in which the judgment was entered and one-half to the treasurer of the county in which the judgment was entered.

(3)If the action is brought by a city attorney of a city and county, the entire amount of the penalty collected shall be paid to the treasurer of the city and county in which the judgment was entered.

(4)Nothing in this section shall be construed as authorizing both an administrative fine and civil penalty for the same violation.

(5)Imposition of a fine or penalty provided for in this section shall not preclude imposition of any other sanctions or remedies authorized by law.

(6)Administrative fines or penalties issued pursuant to Section 1280.15 of the Health and Safety Code shall offset any other administrative fine or civil penalty imposed under this section for the same violation.

(f)For purposes of this section, “knowing” and “willful” shall have the same meanings as in Section 7 of the Penal Code.

(g)No person who discloses protected medical information in accordance with the provisions of this part shall be subject to the penalty provisions of this part.

(h)Paragraph (6) of subdivision (e) shall only become operative if Senate Bill 541 of the 2007–08 Regular Session is enacted and becomes effective on or before January 1, 2009.