During 2008, the California legislature passed numerous bills impacting health care providers and debated several high-profile bills touting universal health insurance. In this memorandum, we bring to your attention four new laws (each becoming effective Jan. 1, 2009) impacting hospitals and other licensed health care facilities. These laws address patient privacy, diagnostic imaging services, infection control and health care reporting.  

First, the California legislature passed provisions to protect the privacy of patients’ confidential medical information from unauthorized disclosure by licensed health care professionals and third parties. Second, the legislature enacted provisions governing penalties and reporting requirements for licensed facilities permitting unauthorized use of, or access to, patient medical information. Third, the legislature passed a law regulating the manner in which facilities bill for the performance of certain diagnostic imaging services. Lastly, the legislature approved provisions requiring hospitals to monitor the incidence of infections associated with pathogens, take steps to minimize infection rates, and publicly disclose the incidence of infection.  

Together, these new laws impact the management of California hospitals and other licensed health care facilities by imposing fines for health care professionals’ unauthorized disclosure and use of patients’ medical information, creating penalties for facilities permitting unauthorized use of patient’s information, regulating charges for diagnostic imaging services, and expanding obligations related to certain infections.  

This memorandum analyzes in detail the requirements of the new California laws, identifies the responsibilities of the entities subject to the laws, and evaluates their relationship to another recently enacted California reporting statute regarding certain “adverse events.”  


A. Patient Privacy Laws

In a response to the highly publicized breach of confidential medical records at the UCLA Medical Center, the California legislature passed two laws imposing fines and penalties on individuals and health care providers for unauthorized or unlawful access to confidential patient medical information.  

1. Protection of Patients’ Confidential Medical Information

Effective Jan. 1, 2009, Assembly Bill 211 expressly authorizes private individuals to take legal action against any person or entity who negligently discloses confidential medical information or records. Through private action, a patient may recover either $1,000 in nominal damages without proving actual injury, or the total amount of actual damages sustained by the patient. Further, any person or entity that negligently discloses medical information is liable for an administrative fine not to exceed $2,500 per violation. A person or entity that knowingly and willfully obtains, discloses, or uses medical information in violation of California law is liable for an administrative fine not to exceed $25,000 per violation. Additional fines and penalties ranging between $5,000 and $250,000 may be applied to persons or entities that use confidential medical information for financial gain.  

In assessing the amount of an administrative fine or civil penalty, several factors are considered. Specifically, the following relevant circumstances are evaluated: (1) whether the defendant has made a reasonable, good faith attempt to comply with the requirements of Assembly Bill 211; (2) the nature and seriousness of the misconduct; (3) the harm to the patient, enrollee, or subscriber; (4) the number of violations; (5) the persistence of the misconduct; (6) the length of time over which the misconduct occurred; (7) the willfulness of the defendant’s misconduct; and (8) the defendant’s assets, liabilities, and net worth.  

Assembly Bill 211 establishes the Office of Health Information Integrity (the “Office”) within the California Health and Human Services Agency for the express purpose of ensuring the enforcement of the state law and imposition of administrative fines for the unauthorized use of medical information. The Office also is charged with promulgating regulations and referring violations to appropriate authorities. In addition to establishing the Office, Assembly Bill 211 creates the Internal Health Information Integrity Fund (the “Fund”). Any administrative fines collected as a result of violations of the statute will be deposited into the Fund and used to support quality improvement activities of the Office.  

2. Increased Penalties for Unlawful or Unauthorized Access to, Use or Disclosure of, Patient Medical Information

Senate Bill 541 authorizes fines for failure to prevent unlawful or unauthorized access to patient medical information. Effective Jan. 1, 2009, the Department of Public Health (“Department”) may impose, after investigation, an initial administrative penalty of up to $25,000 per patient whose medical information is accessed, used, or disclosed unlawfully or without authorization. The Department may fine licensed facilities up to $17,500 for each subsequent violation.  

Additionally, Senate Bill 541 imposes reporting requirements on health facilities with respect to unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information. Clinics, hospitals, home health agencies, and hospices are required to report any unlawful or unauthorized access to, or use or disclosure of, a patient’s medical information to the Department no later than five days after access, use, or disclosure has been detected. Senate Bill 541 authorizes the Department to assess a penalty for a health facility’s failure to report in the amount of $100 for each day that the unlawful or unauthorized access, use, or disclosure is not reported, up to a maximum penalty of $250,000.  

To dispute the Department’s determination that a facility failed to prevent or timely report an unlawful or unauthorized access, use, or disclosure of medical information, the health care provider must request a hearing within 10 days of the date that the notice of the penalty was received. If a provider chooses not to dispute the Department’s determination, the health care provider may close the matter by remitting 75 percent of the total amount of the administrative penalty within 30 days. All penalties collected pursuant to Senate Bill 541 are required to be deposited into the Internal Department Improvement Account to be used exclusively for internal quality improvement activities within the Department’s Licensing & Certification Program.  

For an additional discussion of Assembly Bill 211 and Senate Bill 541, please refer to the Reed Smith website. Our colleagues, Janet H. Kwuon and Rachel A. Rubin, have written an article entitled, “California’s New Patient Health Privacy Laws Heighten Need for HIPAA Compliance,” which provides additional details for these two laws. The article is available for your review at www.lifescienceslegalupdate.com/uploads/file/alert08192.pdf.  

B. Payment for Diagnostic Imaging Services

Assembly Bill 2794 regulates billing requirements for physicians and facilities performing the technical aspects of diagnostic imaging services. Effective Jan. 1, 2009, physicians may not charge for performance of the technical aspects of particular diagnostic imaging services if the licensed practitioner (or someone under his or her direct supervision) does not render the services. By reference, the new law adopts existing Medicare requirements for the level of supervision required for a diagnostic test.  

The three types of services affected are Computerized Tomography (“CT”), Positron Emission Tomography (“PET”), and Magnetic Resonance Imaging (“MRI”) services. While the law prohibits a physician from billing for a diagnostic test purchased from the performing or supervising physician, the law also requires facilities performing the technical components1 of CT, PET, or MRI services to directly bill the patient or third party paying for the services. A radiological facility or imaging center may not bill the referring physician.  

Although Assembly Bill 2794 dictates how practitioners and facilities may bill for diagnostic imaging services, a few categories of physicians, facilities, and programs are exempt from its provisions. Physicians and facilities are exempt from these provisions if they:  

(1) Contract directly with a licensed health care service plan (Knox-Keane plans)

(2) Provide free diagnostic imaging services, or charge based upon patients’ ability to pay  

(3) Contract with an employer to provide its employees with medical services that include diagnostic imaging services  

(4) Perform the diagnostic imaging services in a physician and surgeon’s office,2 or the office of a group practice3  

In addition to the listed exemptions, a physician or physician entity4 may bill globally for the professional and technical components of CT, PET, or MRI services if the practitioner or entity meets both of the following two conditions: (1) neither the physician nor any member of his medical group or the physician entity ordered the service; and (2) the physician or a member of his medical group or the physician entity provides the professional interpretation of the services.  

Certain health care programs also are exempt from these provisions. All health care programs operated by public entities such as colleges and universities qualify for exemption. Exemption also is available for health care programs operated by private educational institutions when those programs are meant to fulfill students’ health care needs.  

C. Monitoring, Preventing, and Reporting Hospital-Related Infections

Senate Bill 1058 establishes the Medical Facility Infection Control and Prevention Act, or Nile’s law. The purpose of the legislation is to protect patients and the public from exposure to pathogens present in general acute care hospitals. The law protects patients and the public by requiring hospitals to screen patients, maintain procedures for ensuring that hospital facilities are sanitary, and make public reports of incidences of infection resulting from pathogens present in the facility.  

1. Screening and Testing Requirements

Effective Jan. 1, 2009, hospitals must screen specified patients for methicillin-resistant staphylococcus aureus (“MRSA”) within 24 hours of admission. Specifically, the MRSA test is required for patients who:  

(1) Are scheduled for inpatient surgery and have a documented medical condition making him or her susceptible to infection  

(2) Were discharged from a general acute care hospital within 30 days prior to their current hospital admission  

(3) Will be admitted to an intensive care or burn unit  

(4) Receive inpatient dialysis  

(5) Are being transferred from a skilled nursing facility  

If a patient tests positive for MRSA during this initial screening, the attending physician must inform the patient of the results as soon as possible. The physician also must give all patients testing positive for MRSA oral and written instructions regarding aftercare and ways to prevent the infection from spreading.  

Beginning Jan. 1, 2011, a patient who does not test positive, but shows evidence of increased risk of contracting MRSA must be re-tested for MRSA immediately prior to discharge from the hospital. Re-testing is not required, however, for patients who tested positive for MRSA upon entering the facility. If an outgoing patient tests positive for MRSA, the hospital must give the patient oral and written instructions regarding after care and preventing the spread of infection.  

2. Infection Control Policy and Officer Requirements

Beyond screening and testing patients, the hospital also must have an infection control policy5 in place to ensure that health facilities remain sanitary. The policy must include the following:  

(1) Procedures to reduce health-care-associated infections6  

(2) Regular disinfection of certain areas and surfaces such as restrooms, countertops, furniture, televisions, telephones, bedding, office equipment, and surfaces in patient rooms, nursing stations, and storage units  

(3) Regular cleaning and disinfection of all surfaces in the hospital’s common areas (e.g., elevators, meeting rooms, and lounges) and all moveable medical equipment  

(4) Regular removal of accumulated bodily fluids and intravenous substances

As an extension of the infection control policy requirements, each hospital also must designate an infection control officer. The officer will work with the hospital’s infection control committee to ensure implementation of Nile’s law mandatory testing and reporting requirements. Upon request, the hospital must make public the name of the designated infection control officer.  

3. Reporting Requirements

Nile’s law also requires that hospitals publicly report information regarding certain infections. Specifically, hospitals must make extensive quarterly reports documenting infection rates. On a quarterly basis, hospitals must report all cases of health-care-associated MRSA bloodstream, clostridium difficile, and Vancomycin-resistant enterococcal bloodstream infection. Additionally, hospitals must make quarterly reports identifying all health-care-acquired central-line-associated bloodstream infections and the accompanying number of total central line days. Hospitals also must report the number of inpatient days associated with each case of infection.  

Similarly, the Department must post information regarding the incidence rates for these infections at all California general acute care hospitals. Based upon the hospitals’ reported cases of infection and by Jan. 1, 2011, the Department must post information regarding incidence rates for these infections and the associated number of inpatient days.  

Finally, hospitals must make quarterly reports regarding all cases of:  

(1) Health-care-associated surgical site infections of deep or organ space surgical sites and the total number of such surgeries  

(2) Health-care-associated infections of orthopedic, cardiac, and gastrointestinal surgical sites designated as clean and clean-contaminated, and the total number of such surgeries  

The Department must post incidence rates for these types of infections and the associated number of inpatient days on its website beginning Jan. 1, 2012  

Any information contained in the public reports of the hospitals or the Department must also meet particular requirements. First, the Department must follow a risk adjustment process consistent with the federal Centers for Disease Control and Prevention’s (“CDC”) National Healthcare Safety Network (“NHSN”). Second, in instances where the CDC does not use a public reporting model for a specific infection on which the Department must report, the Department must follow particular reporting guidelines provided by Nile’s law. Third, the hospitals and the Department must report infection incidence and rates using the NHSN definition of the term “infection.” Fourth, hospitals reporting infection information also must report to the NHSN and the Department when appropriate.  

4. Relationship Between California Health and Safety Code Section 1279.1 and Nile’s Law

The California legislature has previously enacted California Health and Safety Code Section 1279.1, which requires hospitals to report the occurrence of any one of 27 specific “adverse events.” Shortly after passage of Section 1279.1, Nile’s law was enacted, which expands hospitals’ reporting obligations. Importantly, the list of “adverse events” under Section 1279.1 does not include the health-care-associated infections that are the subject of Nile’s law reporting requirements. Furthermore, Nile’s law does not mention Section 1279.1.  

If, however, a health-care-associated infection covered under Nile’s law causes an adverse event covered under Section 1279.1, both sets of reporting laws potentially would be implicated. For example, if a maternal death associated with labor in a low-risk pregnancy occurs in a hospital as a result of a health-care-associated infection, the incident would qualify as both an “adverse event” and a “health-care-associated infection.” As noted above, Nile’s law does not mention Section 1279.1 and no further guidance has been issued regarding the relationship between Section 1279.1 and Nile’s law. As such, it is currently unclear whether a hospital would be required to report a “health-care-associated infection” that caused an “adverse event” twice: once pursuant to its Nile’s law obligations and once pursuant to the Section 1279.1 provisions.  


We encourage California health care providers impacted by the new laws to take steps to ensure that their policies and procedures safeguard patients’ confidential information from unlawful and unauthorized access, use, or disclosure, and to report all instances of such unauthorized access, use, or disclosure. In the event these safeguards prove insufficient, California providers risk being assessed significant penalties. California health care providers also should establish policies to facilitate proper billing for diagnostic imaging services. Lastly, California hospitals should implement appropriate policies and procedures to ensure screening of patients for health-care-associated infections, maintenance of sanitary facilities, and compliance with the Nile’s law reporting requirements.