Division 110. The Health Insurance Portability And Accountability Implementation Act Of 2001 of California Health And Safety Code >> Division 110.
This division shall be known and may be cited as the Health
Insurance Portability and Accountability Implementation Act of 2001.
The Legislature finds and declares the following:
(a) The federal Health Insurance Portability and Accountability
Act (Public Law 104-191), known as HIPAA, was enacted on August 21,
1996.
(b) HIPAA extends health coverage benefits to workers after they
terminate or change employment by allowing the worker to participate
in existing group coverage plans, thereby avoiding the additional
expense associated with obtaining individual coverage as well as the
potential loss of coverage because of a preexisting health condition.
(c) Administrative simplification is a key feature of HIPAA,
requiring standard national identifiers for providers, employers, and
health plans and the development of uniform standards for the coding
and transmission of claims and health care information.
Administration simplification is intended to promote the use of
information technology, thereby reducing costs and increasing
efficiency in the health care industry.
(d) HIPAA also contains new standards for safeguarding the privacy
and security of health information. Therefore, the development of
policies for safeguarding the privacy and security of health records
is a fundamental and indispensable part of HIPAA implementation that
must accompany or precede the expansion or standardization of
technology for recording or transmitting health information.
(e) The federal Department of Health and Human Services has
published, and continues to publish, rules pertaining to the
implementation of HIPAA. Following a 60-day congressional concurrence
period, health providers and insurers have 24 months in which to
implement these rules.
(f) These federal rules directly apply to state and county
departments that provide health coverage, health care, mental health
services, and alcohol and drug treatment programs. Other state and
county departments are subject to these rules to the extent they use
or exchange information with the departments to which the federal
rules directly apply.
(g) In view of the substantial changes that HIPAA will require in
the practices of both private and public health entities and their
business associates, the ability of California government to continue
the delivery of vital health services will depend upon the
implementation of HIPAA in a manner that is coordinated among state
departments as well as our partners in county government and the
private health sector.
(h) The implementation of HIPAA shall be accomplished as required
by federal law and regulations and shall be a priority for state
departments.
For the purposes of this division, the following
definitions apply:
(a) "Director" means the Director of the Office of Health
Information Integrity.
(b) "HIPAA" means the federal Health Insurance Portability and
Accountability Act.
(c) "Office" means the Office of Health Information Integrity
established by the office of the Governor in the Health and Human
Services Agency.
(d) "State entities" means all state departments, boards,
commissions, programs, and other organizational units of the
executive branch of state government.
The office shall assume statewide leadership, coordination,
policy formulation, direction, and oversight responsibilities for
HIPAA implementation. The office shall exercise full authority
relative to state entities to establish policy, provide direction to
state entities, monitor progress, and report on implementation
efforts.
The office shall be under the supervision and control of a
director, known as the Director of the Office of Health Information
Integrity, who shall be appointed by, and serve at the pleasure of,
the Secretary of the Health and Human Services Agency.
The office shall be staffed, at a minimum, with the
following personnel:
(a) Legal counsel to perform activities that may include, but are
not limited to, determining the application of federal law pertaining
to HIPAA.
(b) Staff with expertise in the rules promulgated by HIPAA.
(c) Staff to oversee the development of training curricula and
tools and to modify the curricula and tools as required by the state'
s ongoing HIPAA compliance effort.
(d) Information technology staff.
(e) Staff, as necessary, to coordinate and monitor the progress
made by all state entities in HIPAA implementation.
(f) Administrative staff, as necessary.
(a) The office shall perform the following functions:
(1) Standardizing the HIPAA implementation process used in all
state entities, which includes the following:
(A) Developing a master plan and overall state strategy for HIPAA
implementation that includes timeframes within which specified
activities will be completed.
(B) Specifying tools, such as protocols for assessment and
reporting, and any other tools as determined by the director for
HIPAA implementation.
(C) Developing uniform policies on privacy, security, and other
matters related to HIPAA that shall be adopted and implemented by all
state entities. In developing these policies, the office shall
consult with representatives from the private sector, state
government, and other public entities affected by HIPAA.
(D) Providing an ongoing evaluation of HIPAA implementation in
California and refining the plans, tools, and policies as required to
effect implementation.
(E) Developing standards for the office to use in determining the
extent of HIPAA compliance.
(2) Representing the State of California in HIPAA discussions with
the federal Department of Health and Human Services and at the
Workgroup for Electronic Data Interchange and other national and
regional groups developing standards for HIPAA implementation,
including those authorized by the federal Department of Health and
Human Services to receive comments related to HIPAA. In preparing
comments for submission to these entities, the office shall work in
coordination with private and public entities to which the comments
relate. The office may review and approve all comments related to
HIPAA that state entities or representatives from the University of
California, to the extent authorized by its Regents, propose for
submission to the federal Department of Health and Human Services or
any other body or organization.
(3) Monitoring the HIPAA implementation activities of state
entities and requiring these entities to report on their
implementation activities at times specified by the director using a
format prescribed by the director. The office shall seek the
cooperation of counties in monitoring HIPAA implementation in
programs that are administered by county government.
(4) Providing state entities with technical assistance as the
director deems necessary and appropriate to advance the state's
implementation of HIPAA as required by the schedule adopted by the
federal Department of Health and Human Services. This assistance
shall also include sharing information obtained by the office
relating to HIPAA.
(5) Providing the Department of Finance with recommendations on
HIPAA implementation expenditures, including proposals submitted by
state entities and a recommendation on the amount to be appropriated
for allocation by the Department of Finance to entities implementing
HIPAA.
(6) Conducting a periodic assessment at least once every three
years to determine whether staff positions established in the office
and in other state entities to perform HIPAA compliance activities
continue to be necessary or whether additional staff positions are
required to complete these activities.
(7) Reviewing and approving contracts relating to HIPAA to which a
state entity is a party prior to the contract's effective date.
(8) Reviewing and approving all HIPAA legislation proposed by
state entities, other than state control agencies, prior to the
proposal's review by any other entity and reviewing all analyses and
positions, other than those prepared by state control agencies, on
HIPAA related legislation being considered by either Congress or the
Legislature.
(9) Ensuring state departments claim federal funding for those
activities that qualify under federal funding criteria.
(10) Establishing a Web site that is accessible to the public to
provide information in a consistent and accessible format concerning
state HIPAA implementation activities, timeframes for completing
those activities, HIPAA implementation requirements that have been
met, and the promulgation of federal regulations pertaining to HIPAA
implementation. The office shall update this Web site quarterly.
(b) In performing these functions, the office shall coordinate its
activities with the State Office of Privacy Protection.
The director shall establish an advisory committee to
obtain information on statewide HIPAA implementation activities,
which shall meet at a minimum of two times per year. It is the intent
of the Legislature that the committee's membership include
representatives from county government, from consumers, and from a
broad range of provider groups, such as physicians and surgeons,
clinics, hospitals, pharmaceutical companies, health care service
plans, disability insurers, long-term care facilities, facilities for
the developmentally disabled, and mental health providers. The
director shall invite key stakeholders from the federal government,
the Judicial Council, health care advocates, nonprofit health care
organizations, public health systems, and the private sector to
provide information to the committee.
The office may contract for the provision of services
required to implement this division. The Legislature finds that these
contracts are for a new state function and authorizes the
performance of this work by independent contractors, pursuant to
paragraph (2) of subdivision (b) of Section 19130 of the Government
Code.
(a) All state entities subject to HIPAA shall complete an
assessment, in a form specified by the office, prior to January 1,
2002, to determine the impact of HIPAA on their operations. The
office shall report the statewide results of the assessment to the
appropriate policy and fiscal committees of the Legislature on or
before May 15, 2002.
(b) Other state entities shall cooperate with the office to
determine whether they are subject to HIPAA, including, but not
limited to, providing a completed assessment as prescribed by the
office.
All state entities shall cooperate with the efforts of the
office to monitor HIPAA implementation activities and to obtain
information on those activities.
All state entities affected by HIPAA shall comply with the
decisions of the director in achieving compliance with HIPAA.
(a) The office shall assume statewide leadership,
coordination, direction, and oversight responsibilities for
determining which provisions of state law concerning personal medical
information are preempted by HIPAA pursuant to Section 160.203 of
Title 45 of the Code of Federal Regulations. State entities impacted
by HIPAA shall, at the direction of the office, do the following:
(1) Assist in determining which state laws concerning personal
medical information are preempted by HIPAA.
(2) Conform to all determinations made by the office concerning
HIPAA preemption issues.
(b) Any provision of state law concerning personal medical
information that is determined by the office to be preempted by HIPAA
pursuant to Section 160.203 of Title 45 of the Code of Federal
Regulations, shall not be applicable to the extent of that
preemption. The remainder of the provisions of state law concerning
personal medical information shall remain in full force and effect.
(a) The Department of Finance shall provide a complete
accounting of HIPAA expenditures made by all state entities.
(b) The Department of Finance, in consultation with the office,
shall develop and annually publish prior to August 1, guidelines for
state entities to obtain additional HIPAA funding. All funding
requests from state entities for HIPAA implementation, including, but
not limited to, requests for appropriations through the Budget Act
or other legislation and requests for allocation of lump-sum funds
from the Department of Finance, shall be reviewed and approved by the
office prior to being submitted to the Department of Finance.
Funding requests pertaining to information technology activities
shall also be reviewed and approved by the Department of Information
Technology.
(c) The Department of Finance shall notify the office and the
Chairperson of the Senate Committee on Budget and Fiscal Review and
the Chairperson of the Assembly Budget Committee of each allocation
it approves within 10 working days of the approval. The Department of
Finance shall also report to the Legislature quarterly on HIPAA
allocations, redirections, and expenditures, categorized by state
entity and by project.
To the extent that funds are appropriated in the annual
Budget Act, the office shall perform the following functions in order
to comply with HIPAA requirements:
(a) The establishment and ongoing support of departmental HIPAA
project management offices.
(b) The development, revision, and issuance of HIPAA compliance
policies.
(c) Modifications of programs in accordance with any revised
policies.
(d) Staff training on HIPAA compliance policies and programs.
(e) Coordination and communication with other affected entities.
(f) Modifications to, or replacement of, information technology
systems.
(g) Consultation with appropriate stakeholders.
The office shall report to the Legislature, upon its
request, any services or programs that were temporarily reduced or
suspended due to the redirection of funds for HIPAA compliance
activities.
State entities may adopt emergency regulations in
accordance with the Administrative Procedure Act (Chapter 3.5
(commencing with Section 11340) of Part 1 of Division 3 of Title 2 of
the Government Code) to implement HIPAA requirements set forth in
final federal regulations. This authority shall terminate one year
after the last final rule for HIPAA is issued by the federal
government. The adoption of emergency regulations described in this
section shall be deemed to be an emergency and necessary for the
immediate preservation of the public peace, health and safety, or
general welfare. An emergency regulation adopted under this section
shall remain in effect for not more than two years.