Welcome to the California Department of Health Care Services 

Privacy Legislative Update

The following privacy related legislation was presented by the State Legislature in the 2009 Legislative Session. Also included are privacy bills deliberated in the State 2007-08 and 2005-06 Legislative Sessions.

 

The Privacy Office monitors and analyzes privacy legislation for DHCS, but does not officially support or endorse legislation. The following list of bills is for informational purposes only.  To obtain a copy of the proposed legislation, amendments, bill analyses, bill status and history as well as voting record, scroll down to the bottom of this page to visit the Office of Legislative Counsel website.

Privacy bills signed into law:

AB 1298 (Jones; Chapter 699, Statutes of 2007)

An important privacy measure was signed into law by the Governor on 10/14/07 - Assembly Bill 1298, by Assemblyman Dave Jones, chairman of the Assembly Judiciary Committee, amending the State Information Practices Act effective January 1, 2008. AB 1298 expands state law requirements governing the privacy of confidential computerized information maintained by state agencies and businesses by adding the data elements of medical and health insurance information to the State Breach Notification law.  State government and businesses engaged in health care can no longer avoid the obligation of notifying residents of security breaches of unencrypted data by removing social security numbers from computerized files.

When a person’s name plus medical information or health insurance information in unencrypted computerized form is acquired, or believed to be acquired, by an unauthorized person, the law requires individual notification of the breach, regardless of whether social security numbers are involved. By adding medical and health insurance data to the law, the State Breach Notification law is amended from a financial identity theft law to a far broader law triggering breach notifications whenever medical or health insurance policy information is breached. The intent is to prevent the growing crime of medical identity theft and to protect confidential medical information by encouraging encryption.

Whenever there is a breach of computerized unencrypted data containing a person’s name, the Department of Health Care Services (DHCS) must determine whether data that has become lost or stolen or transmitted to an unauthorized party would trigger a security breach notification. AB 1298 adds two new breach-triggering data categories to the law: “health insurance information,” defined as a health insurance policy or subscriber number(s) and any information in an individual’s application and claims history, including any appeals records; and “medical information,” including any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.

According to the author, adding “medical information” and “health insurance information” to the data elements that will trigger a breach notice will enable persons whose private medical or health insurance information has been compromised to become aware of potential problems and take any necessary corrective measures.  In 2003, California was the first state in the nation to enact a breach notification law relating to financial information (SB 1386; Chapter 915, statutes of 2002). Other states are following our lead and now Congress is considering a proposal to legislate a uniform national breach notification process.
 


SB 13 (Bowen; Chapter 241, Statutes of 2005)

An important privacy measure was signed into law in 2005 - Senate Bill 13, which amends the State Information Practices Act, effective January 1, 2006. SB 13 is intended to ensure that state agency data is not disclosed to researchers at the University of California or another nonprofit educational institution in a manner that would create a risk for privacy breaches and identity theft.

SB 13 requires that before state agencies may release personal information (PI) for research projects, the requests for data must be reviewed and approved by the Committee for the Protection of Human Subjects in the Health and Human Services Agency (CPHS), using new data protection requirements. The researcher has to provide a plan to protect the PI with sufficient administrative, physical, and technical safeguards from reasonable anticipated threats to the security or confidentiality of the information, and must provide a plan to destroy or return all PI as soon as it is no longer needed, along with sufficient written assurances that the researcher will not reuse or disclose the PI to any other person or entity except as approved in the research protocol, authorized by law, or for oversight of the research.

The bill amends section 1798.24 of the Civil Code, Information Practices Act, and requires the CPHS to determine whether the PI is needed for the research and permit the disclosure of only the minimum necessary amount of PI needed for the research project.

In addition, the state agency must assign a unique subject code in lieu of the SSN, if the research can be conducted without SSNs, and conduct a portion of the data processing "if feasible and if cost, time and technical expertise permit," with reasonable costs to be billed to the researcher.

CPHS may enter into written agreements with other institutional review boards to approve projects using state agency data, provided the data security requirements in this section of the IPA are met.

SB 13 was introduced in response to a high profile computer hacking incident that occurred the previous year, in which the Department of Social Services (DSS) disclosed the names and SSNs of In-Home Supportive Services (IHSS) providers and recipients to a researcher at UC Berkeley who was conducting research on IHSS provider wages and benefits. Only a random sample of IHSS data from four counties was needed for the project, but the entire IHSS database was downloaded to the researcher in lieu of a partial county sample of the data. A computer hacker took advantage of a known system vulnerability to compromise the system that housed the database. Although there was no evidence that personal information was actually released, a recently adopted statute, SB 1386 (Chapter 915, Statutes of 2002), codified at Civil Code sections 1798.29 (state agencies) and 1798.80 (contractors/private sector), triggered the requirement for notification of the breach to all potentially affected individuals.


PRIVACY RELATED BILLS OF THE 2009 LEGISLATIVE SESSION:

SB 20 (Simitian) Personal Information: privacy
SB 20 would amend California's security breach notification law to require that any notification issued by an agency, person or business be written in plain language and include certain specified information, including contact information regarding the breach, the types of information breached, and the date. The bill would also provide that a security breach notification may include other specified information at the discretion of the entity issuing the notification.
Status:  Vetoed by the Governor on 10/11/09

SB 40 (Correa) Personal Information:  Social Security Numbers (SSNs)
SB 40 establishes a number of restrictions on the use of SSNs in public records.
Status:  Signed into law by the Governor on 10/11/09; now Chapter 552, Statutes of 2009

SB 238 (Calderon) Medical Information
SB 238 amends provisions of the state Confidentiality of Medical Information Act (CMIA) relating to prescription refill requirements.
Status:  Double referral to Senate Health and Judiciary Committees

SB 437 (Pavley) Unlisted Telephone Numbers
This bill would prohibit all telephone corporations, including cellphone companies, from charging customers for having an unlisted telephone number.
Status:  Set for hearing on 1/6/2010 in the Senate Energy, Utilities and Communications Committee

AB 524 (Bass) Privacy
AB 524 amends California's existing "invasion of privacy" law by making liable any person who sells, publishes, or broadcasts the image or recording, if that person has actual knowledge the images or recordings were obtained illegally and provided compensation, consideration, or remuneration, monetary or otherwise, for the use of, or rights to, the unlawfully obtained images or recordings.
Status:  Signed into law by the Governor on 10/11/09; now Chapter 449, Statutes of 2009

AB 1094 (Conway) Disposal of Personal Information
AB 1094 sponsored by the Governor's Office of Information Security and Privacy Protection would require broader protections for personal information disposal as specified.
Status:  Signed into law by the Governor on 8/5/09; now Chapter 134, Statutes of 2009

Privacy related bills of the 2007-08 Legislative Session:

SB 30 (Simitian) Identity Information Protection Act of 2007
SB 30 would establish protections for remotely readable identification documents created/maintained by state government entities. 
Status: Placed on Assembly Inactive File on 8/29/08; Died on Assembly floor
 
SB 31 (Simitian) Identification Documents
SB 31 would provide that a person who intentionally remotely reads another person's ID, without their consent, will be subject to a $5,00 fine, up to one year in jail, or both.
Status:  Signed into law by the Governor on 9/30/08; now Chapter 746, Statutes of 2008 
 
SB 328  (Corbett) Personal Information: prohibited practices
SB 328 amends the state Civil Code definition of business records, and adds language to include a telephone calling pattern record or list in the definition of "personal information," to prohibit any person from disclosing information about a customer or employee contained in the records of a business. Provides for civil money penalties. Relates to "pretexting" and the HP case, in which the company obtained personal information on HP employees.
Status:  Died in Assembly policy committee 

SB 364 (Simitian) Personal information: privacy
SB 364 amends the State Breach Notification Law to require that notifications be written in plain language and include at a minimum certain standardized information regarding the circumstances of the breach, including local and/or toll-free telephone numbers. SB 364 is double-jointed with AB 1656 (Jones).
Status:  Senate concurs in Assembly amendments on 8/30/08 by a vote of 38-2; Vetoed by the Governor on 9/30/08

SB 541 (Alquist) Health facilities: administrative penalties
SB 541 is part of a two-bill package to prevent unlawful or unauthorized access to, and use or disclosure of, patients' medical information, consistent with the requirements of AB 211. SB 541 would permit the California Department of Public Health (CDPH) to assess an administrative penalty for a violation of the bill's medical privacy provisions. The bill would require health facilities to report any unauthorized disclosure of a patient's medical information to the affected patient or his or her representative, and to CDPH, no later than five days after the unauthorized disclosure was detected by the facility. The bill would permit CDPH to assess health facilities that violate these provisions a penalty of $100 for each day during which the unauthorized disclosure is not reported.
Status:  Signed into law by the Governor on 9/30/08; now Chapter 605, Statutes of 2008

SB 1096 (Calderon) Medical information
SB 1096 would allow a pharmacy to mail specified communications to a patient without the patient's authorization under specified circumstances.
Status:  Failed passage in Assembly Health Committee 6/17/08

SB 1415 (Kuehl) Patient records
SB 1415 would require health care providers that create a medical record to provide a statement, to be signed by the patient or the patient's representative, that sets forth the patient's rights, including access to records as well as the length of time records will be retained. Requires providers to notify patients by certified mail at least 60 days prior to destruction of medical records, and applies only to records created on or after January 1, 2009.
Status:  Senate concurs in Assembly amendments on 8/19/08 by a vote of 31-7; Vetoed by the Governor on 9/30/08  

AB 211 (Jones) Public Health
AB 211 establishes an Office of Health Information Integrity (OHII) to ensure enforcement of state confidentiality of medical information to impose administrative fines for the unauthorized use of medical information upon referral from the California Department of Public Health (CDPH) and requires providers of health care to establish and implement appropriate administrative, technical, and physical safeguards to protect the privacy of patients' medical information.
Status:  Signed into law by the Governor on 9/30/08; now Chapter 602, Statutes of 2008

AB 372  (Salas) Consumer Credit Freeze Reports
AB 372 amends state law on credit freezes to change the fee from $10 to $5 for persons 65 years of age or older to place or remove a security credit "freeze," with certain exceptions.
Status:  Signed into law by the Governor on 7/21/08; now Chapter 151, Statutes of 2008

AB 703  (Ruskin) Social Security Numbers
AB 703 amends state Civil Code section 1798.85 to prohibit a person or entity from using SSNs except as otherwise specified by state or federal law. It would require records using SSNs to be discarded or destroyed in a specified manner (cross shredding) and would require encryption or locked storage of records containing SSNs.
Status:  Died in Assembly Judiciary Committee

AB 779 (Jones) Personal Information: state agencies and businesses   
AB 779 would amend the State breach notification law to entitle the owner or licensee of personal information to recover notification costs from the person or business that actually maintained and compromised the data, clarifies that retail sellers are subject to the notification law, and requires that notices be more consumer friendly. Requires a business or agency to provide notice to the Office of Privacy Protection.
Status:  Vetoed by the Governor on 10/13/07

AB 1168 (Jones) Social Security Numbers   
AB 1168 requires certain public agencies to truncate SSNs to the last 4 digits in electronic records at California colleges & universities, and would prohibit the Secretary of State from releasing any public records that contain social security numbers.  AB 1168 would also prohibit local governments from releasing records that display more than the last four digits. Requires the Franchise Tax Board (FTB) to redact first five digits of SSN on liens or other public records created by FTB.
Status:  Signed into law by the Governor on 10/13/07; now Chapter 627, Statutes of 2007

AB 1298  (Jones) Personal Information
AB 1298 would apply the prohibitions of the CMIA to any corporation organized for the purpose of maintaining medical information for treatment or diagnosis. AB 1298 would permit a credit bureau to disclose public record information lawfully obtained from an open public record, even if a security freeze is in place, to the extent permitted by law, and allows a credit bureau to apply a security freeze to the entire contents of a credit report. Adds medical information to the personal information data elements that could invoke breach notification.
Status:  Signed into law by the Governor on 10/14/07; now Chapter 699, Statutes of 2007

AB 1302  (Horton) Health Insurance Portability and Accountability Act (HIPAA)
AB 1302, sponsored by the Administration, would allow CalOHI to continue work such as the adoption of standard unique identifiers for providers and health plans per HIPAA. These identifiers will improve the efficiency and effectiveness of the electronic transmission of health information.
Status:  Signed by the Governor 10/14/07; now Chapter 700, Statutes of 2007

AB 1587  (De La Torre) Personal Information: pharmacy
AB 1587 exempts from the definition of marketing in the State Confidentiality of Medical Information Act (CMIA) written communications to a pharmacy patient by a pharmacist or pharmacy personnel when dispensing drugs as specified.
Status:  Died in Senate Judiciary Committee

AB 1656 (Jones) Personal information:  security breaches
AB 1656 is double-jointed with SB 364 to establish breach notification standards; adding a provision that any person, business or state agency that is subject to requirements to give notice shall be liable to the owner or licensee for the actual costs of any consumer notification required by the State Breach Notification Act.
Status:  Passed the State Assembly on 8/31/08 by a vote of 74-1; Vetoed by the Governor on 9/30/08

AB 1779 (Jones) Personal information: security breaches
AB 1779 would require notice to the Office of Privacy Protection in the event of a security breach, if substitute notice is required. 
Status:  Died in Senate Judiciary Committee 

AB 2362 (Keene) State records: personal information: security breaches
AB 2362 would require an agency to provide notice to residents that their information is being handled in a secure manner and that timely and appropriate notice will be provided in the event of a breach.
Status:  Died in Senate Judiciary Committee


Privacy related bills of the 2005-06 Legislative Session:

SB 7 (Figueroa) Internet Privacy
SB 7 would declare the Legislature's intent that a provider of e-mail services may not use the contents of e-mail messages to develop personally identifiable profiles of individuals and may not extract e-mail addresses or other personally identifiable information for the provider's own purposes. 
Status: Returned to the Secretary of the Senate (introduced but not heard in policy committee).

SB 13 (Bowen) Personal Information: State Agencies
This bill would amend the Information Practices Act, the privacy law that applies to state agencies, to revise the provision authorizing a state agency to disclose personal information for certain research purposes to the University of California or a non-profit educational institution by permitting that disclosure only if the request is approved by the Committee for the Protection of Human Subjects in the California Health and Human Services Agency.  The bill would also establish criteria for the review and approval of the request.
Status:  Signed into law by the Governor on 9/22/05; now Chapter 241, Statutes of 2005

SB 158 (Machado) Power of Attorney: Social Security Numbers
Existing law provides for a Statutory Form Power of Attorney that a person may use to appoint another person as his/her attorney-in-fact.  The form provides a space and line for the person executing the power of attorney to place his/her social security number.  This bill deletes the social security number from the statutory power of attorney form.  This bill notifies a person on the statutory power of attorney form that a third party may require additional identification.
Status:  Signed into law by the Governor on 9/22/05; now Chapter 251, Statutes of 2005

SB 222 (Runner) Social Security Numbers
SB 222 imposes misdemeanor penalties for violations of state law with respect to privacy of Social Security numbers.
Status:  Died in Senate Public Safety Committee

SB 346 (Battin) Child Identity Theft
This bill amends the Welfare and Institutions Code relating to dependent children to provide that a parent can be guilty of identity theft for unlawfully using the identifying information of his or her child.
Status:  Died in Senate Judiciary Committee

SB 433 (Simitian) Personal Information: Drivers' Licenses
This bill amends Civil Code §1798.90 to preclude a business from using or retaining information that was obtained by electronically reading information stored on a driver's license card.
Status:  Assembly Inactive File (died on the Assembly floor)

SB 550 (Speier) Data Brokers
This bill enacts the California Data Brokers Access Accuracy Act of 2005 to regulate the disclosure of personally identifiable information by data brokers.
Status:  7/6/05 failed passage in Assembly Banking and Finance (died in committee)

SB 580 (Escutia) PUC Low Income Oversight Board and California Alternate Rates for Energy
Increases membership of the board and enrollment of qualified applicants, including Medi-Cal recipients, into a discount rate utility program.
Status:  Signed into law by the Governor 10/7/05; now Chapter 662, Statutes of 2005


SB 682 (Simitian) Identity Information Protection Act
SB 682 allows the use of Radio Frequency Identification (RFID) in government issued ID as well as in driver's licenses, student ID, government medical benefit cards, and library cards only if certain safeguards are in place, unless the RFID was in use prior to January 1, 2006.
Status:  Held on Assembly Appropriations Committee Suspense File

SB 768 (Simitian) Information Protection Act of 2005 (formerly SB 682)
Continues SB 682, which died on the Assembly Suspense File.
Status:  Vetoed by the Governor on 9/30/06

SB 852 (Bowen) Identity Theft
This bill would require a state agency, or a person or business conducting business in California, to notify California residents of any breach of security of their personal information, expanding current law that applies to breaches of computerized data, to files in paper or other medium.
Status:  6/28/05 failed passage in Assembly Business and Professions Committee (died in committee)

SB 1307 (Poochigian) Medical Information: Confidentiality
This bill would permit a covered entity to refuse to disclose information to an agent of the personal representative in certain circumstances.
Status: Signed into law by the Governor on September 14, 2006; now Chapter 249, Statutes of 2006

SB 1371 (Machado) Medi-Cal SMART Cards
Requires the CDHS to develop a pilot for the development of Smart Cards for Medi-Cal beneficiaries as used in other states, e.g., Mt. Sinai Hospital in New York.
Status:  Held on Senate Appropriations Committee Suspense File

SB 1512 (Machado) Privacy: Personal Information Security
SB 1512 changes the threshold from $250,000 to $500,000 for substitute notice in the event of a security breach.
Status:  Died in Senate Judiciary Committee

SB 1744 (Bowen) Information Privacy
SB 1744 would expedite a security freeze lift for a specified time period.  The bill would require credit reporting agencies, by September 1, 2008, to have in place a system to allow the freeze to be lifted within 15 minutes of a request if certain conditions are met. This provision would mirror current law in Utah.
Status:  Failed passage in the Assembly Business and Professions Committee (died in committee)

AB 421 (Spitzer) Identity Theft: Minors
This bill would make the knowing distribution of a minor's personal information for criminal purposes a misdemeanor, or if great bodily injury or death results, a felony.
Status:  Held on Senate Appropriations Committee Suspense File

AB 424 (Calderon) Identity Theft
This bill would provide that "person" as used in the Penal Code provisions on identity theft includes a firm, association, organization, partnership, business trust, company, corporation, limited liability company, or other public entity.  It would also expand the definition of "personal identifying information" to include a logo or graphic representation.
Status:  Signed into law by the Governor on 2/24/06; now Chapter 10, Statutes of 2006

AB 576 (Wolk) Immunizations
AB 576 permits CDHS to share specified immunization information and identifying personal information by entering into agreements to exchange immunization information with other states.
Status:  Signed into law by the Governor on 9/19/06; now Chapter 329, Statutes of 2006

AB 779 (De La Torre) Medi-Cal: Maintaining Eligibility
Requires DHS to extend to providers automated access to data concerning when a patient must reapply for Medi-Cal eligibility.
Status:  Vetoed by the Governor on 10/6/05

AB 916 (Canciamilla) Elder Abuse
This bill would impose sentence enhancements for any person who commits financial abuse, including identity theft, of an elder, and specifies that these enhancements shall apply to theft, embezzlement, forgery, fraud, or identity theft involving large sums from an elder or dependent adult.
Status:  Held on the Senate Appropriations Committee Suspense File

AB 946 (Wyland) Identity Theft
This bill would increase the maximum financial penalties for both misdemeanor and felony identity theft fines.  Maximum misdemeanor penalties would be increased from $1,000 to $2,000 and maximum felony penalties from $10,000 to $20,000.
Status:  4/5/05 failed passage in the Assembly Public Safety Committee (died in committee)

AB 988 (Bogh) Criminal Profiteering
This bill adds identity theft to the list of crimes for which profits and goods obtained through criminal activity must be forfeited.
Status:  7/18/05 signed into law by the Governor; Chapter 53, Statutes of 2005

AB 1994 (Leslie) Health Records Access: Minors
AB 1994 exempts a health care provider from liability when making a determination that the representative of a minor patient is not entitled to inspect or copy the minor patient's records.
Status:  Signed into law by the Governor 7/21/06; Chapter 100, Statutes of 2006

AB 3013 (Koretz) Medical Information Disclosures
AB 3013 amends the Confidentiality of Medical Information Act regarding discretionary releases of patient information as part of a facility directory or to family members, close personal friends and others.  Specifically, allows general acute care hospitals to release medical information upon an inquiry concerning a specific patient.
Status:  Signed into law by the Governor 9/30/06; Chapter 833, Statutes of 2006


For more information on the latest amendments, bill analyses and members' voting records on the above legislation, visit the Legislative Counsel web site at: www.leginfo.ca.gov.
