130300-130317
HEALTH AND SAFETY CODE
SECTION 130300-130317
130300. This division shall be known and may be cited as the Health Insurance Portability and Accountability Implementation Act of 2001.

130301. The Legislature finds and declares the following:
(a) The federal Health Insurance Portability and Accountability Act (42 U.S.C. Sec. 300gg), known as HIPAA, was enacted on August 21, 1996.
(b) HIPAA extends health coverage benefits to workers after they terminate or change employment by allowing the worker to participate in existing group coverage plans, thereby avoiding the additional expense associated with obtaining individual coverage as well as the potential loss of coverage because of a preexisting health condition.
(c) Administrative simplification is a key feature of HIPAA, requiring standard national identifiers for providers, employers, and health plans and the development of uniform standards for the coding and transmission of claims and health care information. Administration simplification is intended to promote the use of information technology, thereby reducing costs and increasing efficiency in the health care industry.
(d) HIPAA also contains new standards for safeguarding the privacy and security of health information. Therefore, the development of policies for safeguarding the privacy and security of health records is a fundamental and indispensable part of HIPAA implementation that must accompany or precede the expansion or standardization of technology for recording or transmitting health information.
(e) The federal Health and Human Services Agency has published, and continues to publish, rules pertaining to the implementation of HIPAA. Following a 60-day congressional concurrence period, health providers and insurers have 24 months in which to implement these rules.
(f) These federal rules directly apply to state and county departments that provide health coverage, health care, mental health services, and alcohol and drug treatment programs. Other state and county departments are subject to these rules to the extent they use or exchange information with the departments to which the federal rules directly apply.
(g) In view of the substantial changes that HIPAA will require in the practices of both private and public health entities and their business associates, the ability of California government to continue the delivery of vital health services will depend upon the implementation of HIPAA in a manner that is coordinated among state departments as well as our partners in county government and the private health sector.
(h) The implementation of HIPAA shall be accomplished as required by federal law and regulations and shall be a priority for state departments.

130302. For the purposes of this division, the following definitions apply:
(a) "Director" means the Director of the Office of HIPAA Implementation.
(b) "HIPAA" means the federal Health Insurance Portability and Accountability Act.
(c) "Office" means the Office of HIPAA Implementation established by the office of the Governor in the Health and Human Services Agency.
(d) "State entities" means all state departments, boards, commissions, programs, and other organizational units of the executive branch of state government.

130303. The office shall assume statewide leadership, coordination, policy formulation, direction, and oversight responsibilities for HIPAA implementation. The office shall exercise full authority relative to state entities to establish policy, provide direction to state entities, monitor progress, and report on implementation efforts.

130304. The office shall be under the supervision and control of a director, known as the Director of the Office of HIPAA Implementation, who shall be appointed by, and serve at the pleasure of, the Secretary of the Health and Human Services Agency.

130305. The office shall be staffed, at a minimum, with the following personnel:
(a) Legal counsel to perform activities that may include, but are not limited to, determining the application of federal law pertaining to HIPAA.
(b) Staff with expertise in the rules promulgated by HIPAA.
(c) Staff to oversee the development of training curricula and tools and to modify the curricula and tools as required by the state's ongoing HIPAA compliance effort.
(d) Information technology staff.
(e) Staff, as necessary, to coordinate and monitor the progress made by all state entities in HIPAA implementation.
(f) Administrative staff, as necessary.

130306. (a) The office shall perform the following functions:
(1) Standardizing the HIPAA implementation process used in all state entities, which includes the following:
(A) Developing a master plan and overall state strategy for HIPAA implementation that includes timeframes within which specified activities will be completed.
(B) Specifying tools, such as protocols for assessment and reporting, and any other tools as determined by the director for HIPAA implementation.
(C) Developing uniform policies on privacy, security, and other matters related to HIPAA that shall be adopted and implemented by all state entities. In developing these policies, the office shall consult with representatives from the private sector, state government, and other public entities affected by HIPAA.
(D) Providing an ongoing evaluation of HIPAA implementation in California and refining the plans, tools, and policies as required to effect implementation.
(E) Developing standards for the office to use in determining the extent of HIPAA compliance.
(2) Representing the State of California in HIPAA discussions with the federal Department of Health and Human Services and at the Workgroup for Electronic Data Interchange and other national and regional groups developing standards for HIPAA implementation, including those authorized by the federal Department of Health and Human Services to receive comments related to HIPAA. In preparing comments for submission to these entities, the office shall work in coordination with private and public entities to which the comments relate. The office may review and approve all comments related to HIPAA that state entities or representatives from the University of California, to the extent authorized by its Regents, propose for submission to the federal Department of Health and Human Services or any other body or organization.
(3) Monitoring the HIPAA implementation activities of state entities and requiring these entities to report on their implementation activities at times specified by the director using a format prescribed by the director. The office shall seek the cooperation of counties in monitoring HIPAA implementation in programs that are administered by county government.
(4) Providing state entities with technical assistance as the director deems necessary and appropriate to advance the state's implementation of HIPAA as required by the schedule adopted by the federal Department of Health and Human Services. This assistance shall also include sharing information obtained by the office relating to HIPAA.
(5) Providing the Department of Finance with recommendations on HIPAA implementation expenditures, including proposals submitted by state entities and a recommendation on the amount to be appropriated for allocation by the Department of Finance to entities implementing HIPAA.
(6) Conducting a periodic assessment at least once every three years to determine whether staff positions established in the office and in other state entities to perform HIPAA compliance activities continue to be necessary or whether additional staff positions are required to complete these activities.
(7) Reviewing and approving contracts relating to HIPAA to which a state entity is a party prior to the contract's effective date.
(8) Reviewing and approving all HIPAA legislation proposed by state entities, other than state control agencies, prior to the proposal's review by any other entity and reviewing all analyses and positions, other than those prepared by state control agencies, on HIPAA related legislation being considered by either Congress or the Legislature.
(9) Ensuring state departments claim federal funding for those activities that qualify under federal funding criteria.
(10) Establishing a Web site that is accessible to the public to provide information in a consistent and accessible format concerning state HIPAA implementation activities, timeframes for completing those activities, HIPAA implementation requirements that have been met, and the promulgation of federal regulations pertaining to HIPAA implementation. The office shall update this Web site quarterly.
(b) In performing these functions, the office shall coordinate its activities with the State Office of Privacy Protection.

130307. The director shall establish an advisory committee to obtain information on statewide HIPAA implementation activities, which shall meet at a minimum of two times per year. It is the intent of the Legislature that the committee's membership include representatives from county government, from consumers, and from a broad range of provider groups, such as physicians and surgeons, clinics, hospitals, pharmaceutical companies, health care service plans, disability insurers, long-term care facilities, facilities for the developmentally disabled, and mental health providers. The director shall invite key stakeholders from the federal government, the Judicial Council, health care advocates, nonprofit health care organizations, public health systems, and the private sector to provide information to the committee.

130308. The office may contract for the provision of services required to implement this division. The Legislature finds that these contracts are for a new state function and authorizes the performance of this work by independent contractors, pursuant to paragraph (2) of subdivision (b) of Section 19130 of the Government Code.

130309. (a) All state entities subject to HIPAA shall complete an assessment, in a form specified by the office, prior to January 1, 2002, to determine the impact of HIPAA on their operations. The office shall report the statewide results of the assessment to the appropriate policy and fiscal committees of the Legislature on or before May 15, 2002.
(b) Other state entities shall cooperate with the office to determine whether they are subject to HIPAA, including, but not limited to, providing a completed assessment as prescribed by the office.

130310. All state entities shall cooperate with the efforts of the office to monitor HIPAA implementation activities and to obtain information on those activities.

130311. All state entities affected by HIPAA shall comply with the decisions of the director in achieving compliance with HIPAA.

130311.5. (a) The office shall assume statewide leadership, coordination, direction, and oversight responsibilities for determining which provisions of state law concerning personal medical information are preempted by HIPAA pursuant to Section 160.203 of Title 45 of the Code of Federal Regulations. State entities impacted by HIPAA shall, at the direction of the office, do the following:
(1) Assist in determining which state laws concerning personal medical information are preempted by HIPAA.
(2) Conform to all determinations made by the office concerning HIPAA preemption issues.
(b) Any provision of state law concerning personal medical information that is determined by the office to be preempted by HIPAA pursuant to Section 160.203 of Title 45 of the Code of Federal Regulations, shall not be applicable to the extent of that preemption. The remainder of the provisions of state law concerning personal medical information shall remain in full force and effect.

130312. (a) The Department of Finance shall provide a complete accounting of HIPAA expenditures made by all state entities.
(b) The Department of Finance, in consultation with the office, shall develop and annually publish prior to August 1, guidelines for state entities to obtain additional HIPAA funding. All funding requests from state entities for HIPAA implementation, including, but not limited to, requests for appropriations through the Budget Act or other legislation and requests for allocation of lump-sum funds from the Department of Finance, shall be reviewed and approved by the office prior to being submitted to the Department of Finance. Funding requests pertaining to information technology activities shall also be reviewed and approved by the Department of Information Technology.
(c) The Department of Finance shall notify the office and the Chairperson of the Senate Committee on Budget and Fiscal Review and the Chairperson of the Assembly Budget Committee of each allocation it approves within 10 working days of the approval. The Department of Finance shall also report to the Legislature quarterly on HIPAA allocations, redirections, and expenditures, categorized by state entity and by project.

130313. To the extent that funds are appropriated in the annual Budget Act, the office shall perform the following functions in order to comply with HIPAA requirements:
(a) The establishment and ongoing support of departmental HIPAA project management offices.
(b) The development, revision, and issuance of HIPAA compliance policies.
(c) Modifications of programs in accordance with any revised policies.
(d) Staff training on HIPAA compliance policies and programs.
(e) Coordination and communication with other affected entities.
(f) Modifications to, or replacement of, information technology systems.
(g) Consultation with appropriate stakeholders.

130314. The office shall report to the Legislature, upon its request, any services or programs that were temporarily reduced or suspended due to the redirection of funds for HIPAA compliance activities.

130315. State entities may adopt emergency regulations in accordance with the Administrative Procedure Act (Chapter 3.5 (commencing with Section 11340) of Part 1 of Division 3 of Title 2 of the Government Code) to implement HIPAA requirements set forth in final federal regulations. This authority shall terminate one year after the last final rule for HIPAA is issued by the federal government. The adoption of emergency regulations described in this section shall be deemed to be an emergency and necessary for the immediate preservation of the public peace, health and safety, or general welfare. An emergency regulation adopted under this section shall remain in effect for not more than two years.

130316. Any funds appropriated for the purpose of this division that remain unexpended or unencumbered on January 1, 2013, shall revert to the General Fund on that date unless a statute that is enacted before January 1, 2013, extends the provisions of this division.

130317. This division shall become inoperative on January 1, 2013, and as of that date is repealed, unless a later enacted statute, that is enacted before January 1, 2013, deletes or extends the dates on which it becomes inoperative and is repealed.