CMIA Amendments Increase Health Care Providers’ Responsibility for Protecting Enrollees’ Privacy
Newly enacted Assembly Bill 1184 (AB 1184) will effectuate revisions to the Confidentiality of Medical Information Act that will require significant changes to the operational practices and risk management assessments of health care providers and insurers. AB 1184's changes to the Confidentiality of Medical Information Act reflect a shift toward compartmentalizing the medical information of a patient, enrollee or insured individual (Enrollees) away from the policyholder – whether that policyholder is the spouse, guardian or parent of the Enrollee. The new law’s changes drastically transfer from the Enrollee to the health care providers and insurers (“HPIs”) the burden of maintaining the confidentiality and privacy of an Enrollee’s information.
The Confidentiality of Medical Information Act (CMIA) is a California state law that aims to protect the confidentiality of individually identifiable medical information of patients gathered by health care providers and insurers, and includes provisions more stringent than federal HIPAA regulations. CMIA was last revised by Senate Bill 138 (SB 138) in 2013, and SB 138 sets forth the current standard for allowing patients to make requests that certain sensitive services be kept confidential – even from parents, guardians and the primary subscriber to the insurance plan.
SB 138 was the subject of much scrutiny over the practical challenges it posed for Enrollees. As a result, AB 1184, signed into law by Governor Gavin Newsom on September 22, 2021, overhauls and clarifies many of the burdens and requirements posed by CMIA and SB 138 with respect to “confidential communication requests” and the disclosure of sensitive patient information. To do so, AB 1184 shifts the burden of ensuring the confidentiality of an Enrollee’s information to the health care providers and insurers (HPIs). While AB 1184 creates new channels of access for Enrollees, when it goes into effect on July 1, 2022, it will pose many practical and operational challenges to HPIs if not prepared for in advance.
Under the previous law, SB 138, an Enrollee who received health care services but did not want those services to be disclosed to a parent or the primary subscriber of the plan, could have made a “confidential communication request” (CCR). SB 138 required HPIs to accommodate the Enrollees’ CCR so long as the CCR was in a “readily producible” format, and the Enrollee openly stated that the medical information was related to a “sensitive service,” or could “endanger” the Enrollee. While an HPI cannot require the Enrollee to explain why the Enrollee feared that the disclosure could subject the Enrollee to harassment or abuse, and thus “endanger” the Enrollee, the HPI could request a definitive statement that the disclosure could endanger the Enrollee.
However, Enrollees regularly complained that SB 138 created a labyrinth of administrative challenges that Enrollees found too difficult to navigate in order to effectuate a CCR. For example, the instructions established by HPIs for submitting a CCR were inconsistent and confusing, and HPIs were known to have systematically failed to implement the CCR regime on a timely basis, including retroactively to address sensitive services rendered before the submission of the CCR.
The California legislature drafted AB 1184 to address those concerns and simplify the process of maintaining the confidentiality of an Enrollee’s medical information, and generally broaden the scope of protection afforded to Enrollees. AB 1184 expanded the term “sensitive services” (which encompasses those services entitled to confidentiality protection) to include mental and behavioral health, sexual and reproductive health, sexually transmitted infections, substance use disorders, gender affirming care and intimate partner violence services. AB 1184 also prohibits HPIs from requiring the consent of the policyholder or primary subscriber for the Enrollee to receive any sensitive services, so long as the Enrollee has the right or capacity to consent to the service. Further separating the policyholder from the Enrollee’s medical information, AB 1184 prohibits the disclosure of medical information related to sensitive services to anyone other than the Enrollee – including the policyholder or parent of a minor patient – without the Enrollee’s express written authorization.
Another important aspect of AB 1184 is the requirement that HPIs automaticallydirect to the Enrollees themselves all communications regarding sensitive services (as opposed to the policyholder or parent) at the current address on file, unless the Enrollee has otherwise designated an alternative address. HPIs should note the breadth of communications covered here: The bill encompasses explanation of benefits (EOBs), bills, payment collection attempts, adverse benefits determinations, notices of contested claims, the name and address of the healthcare provider, the description of services and any other communications that contain protected health information. Under AB 1184, the Enrollee is still able to make a CCR, but the responsibility for initiating the CCR has largely shifted to the HPIs. In particular, the HPI must make the process for enrollment and renewal “conspicuously visible” in the evidence of coverage, and accessible through hyperlink on the HPI’s website in a manner that will allow the Enrollee to “easily locate” the information.
With the greatly expanded scope of services that are subject to the new obligations under AB 1184, HPIs must carefully review and categorize the services they provide that may fall under the umbrella of “sensitive services.” It may be necessary for HPIs to update or overhaul their internal processes and operating systems to account for the large responsibility shift regarding what consents are required prior to authorization of services, who is entitled to receive protected information, where that information may be delivered and to whom that information may be disclosed. An HPI may also need to update its website and plan coverage information documents in order to make the submission or renewal of CCRs a more easily accessible and streamlined process. HPIs should begin this process as soon as possible, because the most time-consuming part of this process could be the retraining of staff to comply with the new rules. While the practical changes required of the HPIs may vary among companies, the overriding concept is the legislature’s goal of removing accessibility barriers and reducing the instances of disclosures of Enrollees’ sensitive information.