BILL ANALYSIS
AB 1298
Page 1
CONCURRENCE IN SENATE AMENDMENTS
AB 1298 (Jones)
As Amended August 23, 2007
Majority vote
-------------------------------------------------------------------------
| ASSEMBLY: | 76-0  | (May 24, 2007)      | SENATE: | 25-11 | (September 5, 2007) |
-------------------------------------------------------------------------
Original Committee Reference: JUD.
SUMMARY: Changes existing law relating to the disclosure of
personal information, including medical information, maintained
by a business or state agency or contained in a credit report.
Specifically, this bill:
1) Expands the application of the Confidentiality of Medical
Information Act (CMIA) to include any business organized for
the purpose of maintaining medical information in order to
make the information available to an individual or a provider
of health care for purposes of managing health care
information or for treatment or diagnosis, even if the
business is not organized for the primary purpose of
maintaining medical information for treatment or diagnosis.
2) Clarifies that the state's existing security freeze law, which
permits a person to place a hold or "freeze" on his or her
credit report, does not apply to any information in the report
that the credit reporting agency lawfully obtained from public
records.
3) Expands the definition of "personal information," as that term
is used in California's data breach notification laws, to
include medical and health insurance information, as defined.
The Senate amendments make minor clarifying changes, remove
provisions that are duplicative of existing law, and provide
that this bill would incorporate changes made by AB 779 that
would become operative if both bills are enacted and this bill
is enacted after AB 779.
EXISTING FEDERAL LAW requires, under the federal Health
Insurance Portability and Accountability Act (HIPAA), a health
plan, health care clearinghouse, or health care provider that
transmits a person's medical information in electronic form to
comply with national privacy standards. Imposes certain
restrictions on the disclosure of medical information and
provides further that any entity covered under HIPAA must
provide patients or subscribers with certain information about
its privacy policies, including a description of how the entity
uses and discloses patient information.
EXISTING LAW:
1) Prohibits a provider of health care, health care service plan,
or health care contractor from disclosing a person's medical
information without first obtaining that person's
authorization, except as specified. Defines "provider of
health care" as any corporation organized for the primary
purpose of maintaining medical information for treatment or
diagnosis.
2) Provides, notwithstanding 1) above, that a health care
provider, health care service plan, or health care contractor
shall disclose medical information if required by a subpoena,
search warrant, or other court order. Permits a provider,
plan, or contractor to disclose information in other specified
circumstances, including for purposes of diagnosis or
treatment or as necessary to provide billing or other
administrative services to the provider or plan. Specifies
that a provider, plan, or contractor shall not disclose a
person's medical information for marketing purposes, or any
other purpose not necessary to provide health care services to
the patient, without express authorization from that person.
3) Permits a person to place a "security freeze" on his/her
credit report by making a written request to a credit
reporting agency. Prohibits the credit reporting agency, once
a security freeze is in place, from releasing the person's
credit report or any information within it without the express
authorization of the person who requested the freeze.
4) Requires any person, business, or government agency that owns
or licenses computerized data that includes personal
information to disclose any breach in the security of that
data to any California resident whose unencrypted personal
information was compromised. Provides further that notice of
breach shall be made in the most expedient time possible,
unless a law enforcement agency determines that notification
will impede or compromise a criminal investigation.
5) Defines "personal information," for purposes of the breach
notification law, to include the person's first and last name,
or first initial and last name, in combination with any of the
following: a social security number (SSN), driver's license
number, and certain account numbers if disclosed in
combination with corresponding access codes. Specifies that
personal information does not include information that is
publicly available in federal, state, or local government
records.
AS PASSED BY THE ASSEMBLY, this bill was substantially similar
to the version approved by the Senate.
FISCAL EFFECT: According to the Senate Appropriations
Committee, pursuant to Senate Rule 28.8, negligible state costs.
COMMENTS: This bill addresses two distinct issues relating to
the disclosure of personal information in two different
contexts: electronically stored medical information and public
records information in credit reports.
This bill contains two provisions aimed at the problem of
medical identity theft and, more generally, a patient's right to
keep medical information private. First, this bill will ensure
that all companies that maintain personal health records are
covered by California's existing medical privacy law. Under
CMIA, companies are generally prohibited from disclosing medical
information about a patient without the patient's prior
authorization, subject to certain exceptions. However, the CMIA
presently defines as a "covered entity" any business that
maintains medical information for the "primary purpose" of
making the information available for purposes of diagnosis or
treatment. The author points out that not all
businesses that maintain personal medical information are
organized for the primary purpose of making that information
available for purposes of diagnosis or treatment. The author's
rather straightforward solution to this problem is to eliminate
the word "primary" from the relevant section of the CMIA so that
the law will apply to any company that makes medical information
available for purposes of diagnosis or treatment, whether that
be its primary purpose or not. The author reasons that any
business that stores and potentially disseminates medical
information poses a threat whether it is the only service
provided or whether it is just one of many services provided.
This bill's second provision relating to medical privacy would
expand the definition of "personal information" to include
medical and health insurance information for purposes of the
state's data breach notification laws. Existing law requires
businesses and state agencies that maintain personal information
to notify affected persons in the event that a breach in
security may have compromised the security of that personal
information. Existing law, however, defines "personal
information" to include the person's first and last name, or
first initial and last name, in combination with any of the
following: a SSN, driver's license number, and certain account
numbers if disclosed in combination with corresponding access
codes. In light of recent reports about the growing problem of
"medical identity theft," this bill would expand that definition
of "personal information" to include medical and health
insurance information.
In addition to changes in medical information, this bill makes
clarifying changes to California's "security freeze" law, which
permits an individual to place a hold, or freeze, on his or her
credit reports under certain circumstances. For example, if a
person has reason to believe that some sensitive piece of
personal information, such as a SSN, has been obtained by an
identity thief, that person may request that the credit
reporting agency stop selling his or her credit report.
However, provisions of California's security freeze law recently
came under scrutiny by a California appellate court in UD
Registry v. California (2006) 144 Cal.App.4th 405. In that
case, a credit reporting agency claimed that the law
unconstitutionally allowed consumers to block the dissemination
of public records, and thereby interfered with the reporting
agency's commercial free speech rights under both the United
States and California constitutions. Although the court refused
to strike down the law entirely, it nonetheless concluded that,
as applied in that particular case, the law could not prevent
the reporting of information that the agency had obtained from
public records. In short, a person may demand that a credit
reporting agency not sell his or her credit report, but he or
she cannot prevent the agency from reporting information within
the credit report that the agency has lawfully obtained from
public records.
This bill will amend existing law to conform to the UD Registry
opinion. It does so by specifying that, notwithstanding the
existence of a security freeze, the credit reporting agency may
disclose any public record information lawfully obtained by the
agency from an open public record. According to the author,
this measure is necessary not only to bring the law into
conformity with the court ruling, but to protect the law from
any future challenge that could lead to the invalidation of the
law in its entirety. For while the court in UD Registry held
that the provision was only unconstitutional as applied, it left
open the possibility that a future challenge could find that the
law was unconstitutional on its face. This bill will ensure
that the law passes constitutional muster by creating an express
exemption for lawfully obtained public record information.
Analysis Prepared by: Thomas Clark / JUD. / (916) 319-2334
FN: 0002521