BILL NUMBER: SB 1633 CHAPTERED 09/29/04

CHAPTER 861
FILED WITH SECRETARY OF STATE SEPTEMBER 29, 2004
APPROVED BY GOVERNOR SEPTEMBER 29, 2004
PASSED THE SENATE AUGUST 23, 2004
PASSED THE ASSEMBLY AUGUST 18, 2004
AMENDED IN ASSEMBLY AUGUST 16, 2004
AMENDED IN ASSEMBLY JUNE 22, 2004
AMENDED IN ASSEMBLY JUNE 7, 2004
AMENDED IN SENATE MAY 11, 2004
AMENDED IN SENATE APRIL 29, 2004

INTRODUCED BY Senator Figueroa

FEBRUARY 20, 2004

An act to add Title 1.81.25 (commencing with Section 1798.91) to Part 4 of Division 3 of the Civil Code, relating to privacy.

LEGISLATIVE COUNSEL'S DIGEST

SB 1633, Figueroa. Medical information privacy.

Existing law provides for the confidentiality of medical information regarding a patient. These provisions prohibit certain health care providers and business entities from disclosing medical information regarding a patient without the express authorization of the patient or legal representative, except as specified.

This bill would prohibit a business from seeking to obtain medical information directly from an individual for direct marketing purposes without providing specified disclosures and obtaining the individual's consent. The bill would exempt businesses that are already subject to the Confidentiality of Medical Information Act, certain telephone corporations, and insurance institutions, agents, and support organizations, as specified, from the provisions of the bill.

THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

SECTION 1. Title 1.81.25 (commencing with Section 1798.91) is added to Part 4 of Division 3 of the Civil Code, to read:

TITLE 1.81.25. CONSUMER PRIVACY PROTECTION

1798.91. (a) For purposes of this title, the following definitions shall apply:

(1) "Direct marketing purposes" means the use of personal information for marketing or advertising products, goods, or services directly to individuals.
"Direct marketing purposes" does not include the use of personal information (A) by bona fide tax exempt charitable or religious organizations to solicit charitable contributions or (B) to raise funds from and communicate with individuals regarding politics and government.

(2) "Medical information" means any individually identifiable information, in electronic or physical form, regarding the individual's medical history, or medical treatment or diagnosis by a health care professional. "Individually identifiable" means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the individual's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity. For purposes of this section, "medical information" does not mean a subscription to, purchase of, or request for a periodical, book, pamphlet, video, audio, or other multimedia product or nonprofit association information.

(3) "Clear and conspicuous" means in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.

(4) For purposes of this section, the collection of medical information online constitutes "in writing." For purposes of this section, "written consent" includes consent obtained online.

(b) A business may not orally request medical information directly from an individual regardless of whether the information pertains to the individual or not, and use, share, or otherwise disclose that information for direct marketing purposes, without doing both of the following prior to obtaining that information:

(1) Orally disclosing to the individual in the same conversation during which the business seeks to obtain the information, that it is obtaining the information to market or advertise products, goods, or services to the individual.

(2) Obtaining the consent of either the individual to whom the information pertains or a person legally authorized to consent for the individual, to permit his or her medical information to be used or shared to market or advertise products, goods, or services to the individual, and making and maintaining for two years after the date of the conversation, an audio recording of the entire conversation.

(c) A business may not request in writing medical information directly from an individual regardless of whether the information pertains to the individual or not, and use, share, or otherwise disclose that information for direct marketing purposes, without doing both of the following prior to obtaining that information:

(1) Disclosing in a clear and conspicuous manner that it is obtaining the information to market or advertise products, goods, or services to the individual.

(2) Obtaining the written consent of either the individual to whom the information pertains or a person legally authorized to consent for the individual, to permit his or her medical information to be used or shared to market or advertise products, goods, or services to the individual.

(d) This section does not apply to a provider of health care, health care service plan, or contractor, as defined in Section 56.05.

(e) This section shall not apply to an insurance institution, agent, or support organization, as defined in Section 791.02 of the Insurance Code, when engaged in an insurance transaction, as defined in subdivision (m) of Section 791.02 of the Insurance Code, pursuant to all the requirements of Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code, and the regulations promulgated thereunder.

(f) This section does not apply to a telephone corporation, as defined in Section 234 of the Public Utilities Code, when that corporation is engaged in providing telephone services and products pursuant to Sections 2881, 2881.1, and 2881.2 of the Public Utilities Code, if the corporation does not share or disclose medical information obtained as a consequence of complying with those sections of the Public Utilities Code, to third parties for direct marketing purposes.