          BILL ANALYSIS



                                                                  AB 658
                                                                  Page  1

          Date of Hearing:  April 16, 2013

                           ASSEMBLY COMMITTEE ON JUDICIARY
                                Bob Wieckowski, Chair
                AB 658 (Calderon) - As Introduced:  February 21, 2013

                              As Proposed to be Amended
           
          SUBJECT  :  Personal Information: Disclosure 

           KEY ISSUE  :  SHOULD entities covered by the Confidentiality of  
          Medical Information Act be expanded to include a business that  
          maintains personal health records?  

           FISCAL EFFECT  :  As currently in print this bill is keyed fiscal.  


                                      SYNOPSIS
          
          The Confidentiality of Medical Information Act (CMIA) generally  
          prohibits any health care provider, health insurer, or medical  
          service contractor from disclosing a patient's medical  
          information without the patient's consent, subject to certain  
          mandatory and voluntary exceptions.  Originally, the "covered  
          entities" that were subject to CMIA were health care providers  
          or health insurers, or such entities that might contract with  
          the provider or insurer for billing or administrative purposes.   
          Since 1993, the CMIA has also covered a business that maintained  
          medical information for the purpose of permitting individuals to  
          manage their health information by having ready access to this  
          information and authorizing its release.  Beginning in 2008, AB  
          1298 (Chapter 699, Stats. of 2007) attempted to clarify that  
          this provision applied to an array of new companies, many  
          Internet-based, that began offering so-called "personal health  
          records" - that is, typically electronic or digital databases,  
          maintained by the business, that permitted patients to  
          self-manage their medical information by bringing it together in  
          a single place, where it could be disclosed to the individual or  
          any health care provider according to the individual's wishes.   
          As one might expect, these services are increasingly offered  
          through mobile applications, potentially raising a new set of  
          privacy concerns.  Arguably, existing law already imposes CMIA  
          requirements on any "business" that maintains medical  
          information and allows customers to manage that information -  
          whether the service is offered on the Internet, as a mobile app,  
          or out of cardboard boxes in a brick-and-mortar warehouse.   
          However, this bill seeks to clarify that businesses that offer  
          personal health care records, whether online or through a mobile  
          application, are subject to CMIA requirements if they maintain  
          medical information that is derived from a health care provider,  
          health service plan, or other medical service contractor.  The  
          author has agreed to take clarifying amendments in this  
          Committee, amendments that would appear to likely remove the  
          opposition of the California Chamber of Commerce and the Civil  
          Justice Association of California.  The bill summary and  
          analysis reflect these amendments.  The bill is supported by the  
          California Chiropractic Association.
           
           SUMMARY  :  Applies the requirements of the Confidentiality of  
          Medical Information Act (CMIA) to any business that maintains  
          medical information, as defined, in order to allow an individual  
          to manage his or her medical information, as specified.   
          Specifically,  this bill  :  

          1)Provides that any business that offers any software, hardware,  
            application, or related device that is designed to maintain  
            medical information, as defined, in order to make the  
            information available to an individual or a provider of health  
            care, for purposes of allowing the individual to manage his or  
            her information, or for the diagnosis, treatment, or  
            management of a medical condition of the individual, shall be  
            deemed to be a provider of health care subject to the  
            requirements of the CMIA.
                
          2)Specifies that, notwithstanding the above, nothing in this  
            bill shall be construed to make a business specified in this  
            bill a provider of health care for purposes of any other law,  
            including laws that specifically incorporate by reference the  
            definitions of the CMIA. 

           EXISTING LAW  :

          1)Specifies, under the federal Health Insurance Portability and  
            Accountability Act (HIPAA), privacy protections for patients'  
            protected health information and generally provides that a  
            covered entity, as defined, may not use or disclose protected  
            health information except as specified or as authorized by the  
            patient in writing.  (45 C.F.R. Section 164.500 et seq.)  

          2)Prohibits a health care provider, health care service plan, or  
            contractor from disclosing medical information, as defined,  
            regarding a patient, enrollee, or subscriber without first  
            obtaining an authorization, except as specified.  Provides  
            that a valid authorization must comply with HIPAA and the  
            California Confidentiality of Medical Information Act (CMIA).   
            (Civil Code Sections 56.10(a) and 56.11.)

          3)Provides that any business organized for the purpose of  
            maintaining medical information in order to make the  
            information available to an individual or to a provider of  
            health care at the request of the individual or the provider  
            of health care, for purposes of allowing the individual to  
            manage his or her information, or for the diagnosis or  
            treatment of the individual, shall be deemed to be a provider  
            of health care subject to the requirements of the CMIA.   
            (Civil Code Section 56.06(a).) 

          4)Provides that any provider of health care, health care service  
            plan, pharmaceutical company, or contractor who negligently  
            creates, maintains, preserves, stores, abandons, destroys, or  
            disposes of written or electronic medical records shall be  
            subject to damages in a civil action or an administrative  
            fine, as specified.  (Civil Code Section 56.36.)

          5)Requires a health care provider, health care service plan,  
            pharmaceutical company, or contractor who creates, maintains,  
            preserves, stores, abandons, destroys, or disposes of written  
            or electronic medical records to do so in a manner that  
            preserves the confidentiality, accuracy, and integrity of the  
            information contained therein.  (Civil Code Section 56.101.) 

          6)Defines "medical information" to mean any individually  
            identifiable information, in electronic or physical form, in  
            possession of or derived from a provider of health care,  
            health care service plan, pharmaceutical company, or  
            contractor regarding a patient's medical history, condition,  
            or treatment.  Existing law defines "individually  
            identifiable" to mean that the medical information includes or  
            contains an element of personal information sufficient to  
            allow identification of the individual, such as the patient's  
            name, address, electronic mail address, telephone number, or  
            social security number, or other information that, alone or in  
            combination with other publicly available information, reveals  
            the individual's identity.  (Civil Code Section 56.05 (g).)

           COMMENTS  :  The Confidentiality of Medical Information Act (CMIA)  
          prohibits a health care provider, health care service plan, or  
          medical contractor from sharing or disclosing a person's medical  
          information without that person's consent.  Existing law creates  
          a number of mandatory and permissive exceptions to this general  
          rule of no disclosure without consent.  For example, mandatory  
          exemptions include, among other things, emergency situations or  
          by order of a court, while permissive disclosures include those  
          necessary for billing or administrative purposes, or for  
          purposes of diagnosis or treatment of the patient.  "Medical  
          information" for purposes of the CMIA is defined to include "any  
          individually identifiable information, in electronic or physical  
          form, in possession of or derived from a provider of health  
          care, health care service plan, pharmaceutical company, or  
          contractor regarding a patient's medical history, mental or  
          physical condition, or treatment."  A person whose medical  
          information has been disclosed or used in violation of the CMIA,  
          and who has sustained economic loss or personal injury as a  
          result, may recover compensatory and punitive damages, as  
          prescribed.  
           
          Background: Personal Health Records under the CMIA  :  According  
          to the background information provided by the author's office,  
          this bill seeks to clarify that a personal health record (PHR),  
          including those offered as an application, is subject to CMIA  
          prohibitions.  PHRs, according to the California Office of Privacy  
          Protection, "are Internet-based applications that allow you to  
          gather, store, manage, and in some cases share, information  
          about your health or the health of someone in your care."  The  
          information, which would typically be provided by your various  
          health care providers, is stored and accessible on an Internet  
          website.  Sometimes a PHR would be offered as a service by a  
          health care provider or health care plan, but PHRs are also  
          increasingly offered by private companies that provide this  
          service for a fee.  The company maintains the medical  
          information in one place so the individual may access it or have  
          it disclosed to the appropriate health care provider.  The main  
          benefit of a PHR is that it allows an individual to manage his  
          or her own medical information.  

          However, according to the Privacy Rights Clearinghouse (PRC),  
          there are questions about whether or not a private business that  
          offers a PHR is covered by the CMIA.  Understanding this problem  
          requires tracking the legislative history of Civil Code Section  
          56.06.  As enacted in 1993, Section 56.06 stated that any  
          business "organized for the primary purpose of" maintaining  
          medical information so that an individual could manage his or  
          her own medical information was deemed a "provider of health  
          care" and therefore subject to the requirements of the CMIA.   
          However, as the number of companies offering PHRs proliferated -  
          and more significantly as these services were increasingly  
          offered through the Internet - it was not entirely clear if  
          these companies were covered by CMIA.  In particular, if a PHR  
          was only one of many services provided by a company, it was not  
          clear that the company was "organized for the primary purpose"  
          of maintaining medical information in a PHR.  AB 1298 (Chapter  
          699, Stats. of 2007) attempted to address this problem by  
          removing the "primary" from Section 56.06, but that legislation  
          still left in place the requirement that the business was  
          "organized for the purpose of" maintaining medical information.   
          However, many of the companies that provide these services -  
          such as WebMD - provide many other services as well and began  
          offering those other services prior to offering PHRs, so those  
          companies were not organized for that purpose and thus arguably  
          not subject to CMIA.  This bill, as proposed to be amended,  
          would not only ensure that the CMIA applies to businesses that  
          offer PHRs through the Internet, mobile applications, or similar  
          devices; it would also apply to any business that maintains  
          medical information, as defined, regardless of whether the  
          business was organized for that purpose or not. 

           The Meaning of "Medical Information" under CMIA  :  Some industry  
          representatives have expressed a concern that the legislation  
          might be construed to apply to types of medical information that  
          are not currently covered by CMIA, and that should not be  
          covered.  For example, smartphones like the iPhone 3G are  
          capable of acting as a high-tech pedometer that counts the  
          number of steps that user takes, estimates the number of  
          calories burned, and monitors the heart rate while walking.   
          Because these smartphones are linked to the Internet, this  
          information could potentially be collected or disclosed, or  
          perhaps intentionally sent by a user to his or her PHR if the  
          PHR were set up to accept it.  However, the intent of the CMIA  
          was to protect medical information that originated with medical  
          professionals, whether providers, insurers, administrators, or  
          other contractors who held a person's medical information.  This  
          is why CMIA defines "medical information" to only include  
          information "in the possession of or derived from" health care  
          service providers, health care service plans, or related  
          contractors.  (See Civil Code Section 56.05 (g).)  CMIA was not  
          intended to protect all medical information, broadly construed,  
          that is created by the individual - such as the data on the  
          pedometer.  In order to address this concern, the author has  
          agreed to take an amendment in this Committee that will clarify  
          that the provisions added by this bill only apply to medical  
          information that originates with a health care provider, health  
          care service plan, or medical contractor.  Arguably, such an  
          amendment is redundant, given that the existing definition of  
          "medical information" restricts that term to information "in the  
          possession of or derived from" entities covered by CMIA, and  
          then the general definition would seemingly apply to the  
          provision added by this bill.  However, in order to make this  
          perfectly clear and assuage the concerns that have been raised,  
          the author wishes to amend the bill in Committee so as to  
          expressly state that "medical information" in the provision  
          added by this bill has the same meaning as that term is defined  
          in subdivision (g) of Civil Code Section 56.05.  

           ARGUMENTS IN SUPPORT  :  According to the author:

             AB 658 is a common sense extension that closes a loophole  
             in existing law by applying the existing provisions of the  
             Confidentiality of Medical Information Act (CMIA) to the  
             newest platform for commercial vendors who offer storage,  
             maintenance and sharing of sensitive medical information,  
             which are mobile application software services.

             AB 658 would expand the group of entities covered by the  
             CMIA to include commercial vendors of mobile applications  
             that provide Personal Health Record (PHR) services to  
             disclose or share confidential medical information.  
             Currently, the privacy protections that apply to PHRs  
             depend on where the PHR originates. A PHR that a doctor or  
             a health plan provides would fall under the laws that  
             protect medical privacy. However, PHRs from commercial  
             vendors, including mobile medical application vendors, are  
             not covered. Commercial vendors of PHRs are therefore not  
             subject to the requirement to keep medical information  
             confidential. AB 658 would correct this oversight by  
             bringing commercial vendors of PHRs on mobile devices  
             under the covered entities of the CMIA.

          The California Chiropractic Association (CCA) believes that  
          this bill will protect patient confidentiality by "extending  
          the [CMIA] to include businesses offering software to  
          patients and health care providers to monitor and manage  
          medical information."  CCA argues that this measure will  
          "bring added security and potentially increase the likelihood  
          that patients will engage in managing their health  
          information." 

           ARGUMENTS IN OPPOSITION  :  The Chamber of Commerce opposes  
          this bill because it is "unclear which mobile application  
          software providers will be included.  There are many small  
          companies offering a variety of mobile apps that may be  
          captured in the bill.  For instance, it is difficult to  
          determine if an app used for health fitness would be  
          captured."

           Proposed Author Amendments Appear to Address Opposition  
          Concerns  :  It appears that the amendments that the author  
          will take will likely address opposition concerns, at least  
          insofar as they concern the bill's application to  
          fitness applications or other kinds of information that do  
          not originate with a covered entity.  As noted above, this  
          bill expressly confirms the existing CMIA definition of  
          "medical information," which would only apply to information  
          that is derived from a covered entity - that is, a health  
          care provider, insurer, or contractor.  The data that is  
          generated by a fitness application would not be derived from  
          one of these covered entities, so it would not be captured by  
          this bill. 

           Proposed Author Amendments  :  For the reasons stated above, to  
          clarify that the provisions of this bill apply to any  
          business that maintains medical information, as currently  
          defined by the CMIA, and regardless of how the business  
          offers its PHR service - whether online or offline, by mobile  
          application or otherwise - the author will take the following  
          amendments in this Committee:

             -    On page 2 line 15 after "information" insert:

           , as defined in subdivision (g) of Section 56.05,

             -    On page 2 line 14 delete "application software" and insert:

           any software, hardware, application, or other related device

           REGISTERED SUPPORT / OPPOSITION  :   

           Support 
           
          California Chiropractic Association 

           Opposition 
           
          Chamber of Commerce 
          Civil Justice Association of California
           
          Analysis Prepared by :   Thomas Clark / JUD. / (916) 319-2334