BILL ANALYSIS
AB 658 Page 1
Date of Hearing: April 16, 2013

ASSEMBLY COMMITTEE ON JUDICIARY
Bob Wieckowski, Chair
AB 658 (Calderon) - As Introduced: February 21, 2013
As Proposed to be Amended

SUBJECT : Personal Information: Disclosure

KEY ISSUE : SHOULD entities covered by the Confidentiality of Medical Information Act be expanded to include a business that maintains personal health records?

FISCAL EFFECT : As currently in print this bill is keyed fiscal.

SYNOPSIS

The Confidentiality of Medical Information Act (CMIA) generally prohibits any health care provider, health insurer, or medical service contractor from disclosing a patient's medical information without the patient's consent, subject to certain mandatory and voluntary exceptions. Originally, the "covered entities" that were subject to CMIA were health care providers or health insurers, or such entities that might contract with the provider or insurer for billing or administrative purposes. Since 1993, the CMIA has also covered a business that maintained medical information for the purpose of permitting individuals to manage their health information by having ready access to this information and authorizing its release. Beginning in 2008, AB 1298 (Chapter 699, Stats. of 2007) attempted to clarify that this provision applied to an array of new companies, many Internet-based, that began offering so-called "personal health records" - that is, typically electronic or digital databases, maintained by the business, that permitted patients to self-manage their medical information by bringing it together in a single place, where it could be disclosed to the individual or any health care provider according to the individual's wishes. As one might expect, these services are increasingly offered through mobile applications, potentially raising a new set of privacy concerns.
Arguably, existing law already imposes CMIA requirements on any "business" that maintains medical information and allows customers to manage that information - whether the service is offered on the Internet, as a mobile app, or out of cardboard boxes in a brick-and-mortar warehouse. However, this bill seeks to clarify that businesses that offer personal health care records, whether online or through a mobile application, are subject to CMIA requirements if they maintain medical information that is derived from a health care provider, health service plan, or other medical service contractor. The author has agreed to take clarifying amendments in this Committee, amendments that appear likely to remove the opposition of the California Chamber of Commerce and the Civil Justice Association of California. The bill summary and analysis reflect these amendments. The bill is supported by the California Chiropractic Association.

SUMMARY : Applies the requirements of the Confidentiality of Medical Information Act (CMIA) to any business that maintains medical information, as defined, in order to allow an individual to manage his or her medical information, as specified. Specifically, this bill :

1) Provides that any business that offers any software, hardware, application, or related device that is designed to maintain medical information, as defined, in order to make the information available to an individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual, shall be deemed to be a provider of health care subject to the requirements of the CMIA.

2) Specifies that, notwithstanding the above, nothing in this bill shall be construed to make a business specified in this bill a provider of health care for purposes of any other law, including laws that specifically incorporate by reference the definitions of the CMIA.
EXISTING LAW :

1) Specifies, under the federal Health Insurance Portability and Accountability Act (HIPAA), privacy protections for patients' protected health information and generally provides that a covered entity, as defined, may not use or disclose protected health information except as specified or as authorized by the patient in writing. (45 C.F.R. Section 164.500 et seq.)

2) Prohibits a health care provider, health care service plan, or contractor from disclosing medical information, as defined, regarding a patient, enrollee, or subscriber without first obtaining an authorization, except as specified. Provides that a valid authorization must comply with HIPAA and the California Confidentiality of Medical Information Act (CMIA). (Civil Code Sections 56.10(a) and 56.11.)

3) Provides that any business organized for the purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or the provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis or treatment of the individual, shall be deemed to be a provider of health care subject to the requirements of the CMIA. (Civil Code Section 56.06(a).)

4) Provides that any provider of health care, health care service plan, pharmaceutical company, or contractor who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of written or electronic medical records shall be subject to damages in a civil action or an administrative fine, as specified. (Civil Code Section 56.36.)

5) Requires a health care provider, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of written or electronic medical records to do so in a manner that preserves the confidentiality, accuracy, and integrity of the information contained therein. (Civil Code Section 56.101.)

6) Defines "medical information" to mean any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, condition, or treatment. Existing law defines "individually identifiable" to mean that the medical information includes or contains an element of personal information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity. (Civil Code Section 56.05(g).)

COMMENTS :

The Confidentiality of Medical Information Act (CMIA) prohibits a health care provider, health care service plan, or medical contractor from sharing or disclosing a person's medical information without that person's consent. Existing law creates a number of mandatory and permissive exceptions to this general rule of no disclosure without consent. For example, mandatory exemptions include, among other things, emergency situations or by order of a court, while permissive disclosures include those necessary for billing or administrative purposes, or for purposes of diagnosis or treatment of the patient. "Medical information" for purposes of the CMIA is defined to include "any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment."
A person whose medical information has been disclosed or used in violation of the CMIA, and who has sustained economic loss or personal injury as a result, may recover compensatory and punitive damages, as prescribed.

Background: Personal Health Records under the CMIA :

According to the background information provided by the author's office, this bill seeks to clarify that a personal health record (PHR), including those offered as an application, is subject to CMIA prohibitions. PHRs, according to the California Office of Privacy Protection, "are Internet-based applications that allow you to gather, store, manage, and in some cases share, information about your health or the health of someone in your care." The information, which would typically be provided by your various health care providers, is stored and accessible on an Internet website. Sometimes a PHR would be offered as a service by a health care provider or health care plan, but PHRs are also increasingly offered by private companies that provide this service for a fee. The company maintains the medical information in one place so the individual may access it or have it disclosed to the appropriate health care provider. The main benefit of a PHR is that it allows an individual to manage his or her own medical information. However, according to the Privacy Rights Clearinghouse (PRC), there are questions about whether or not a private business that offers a PHR is covered by the CMIA. Understanding this problem requires tracking the legislative history of Civil Code Section 56.06. As enacted in 1993, Section 56.06 stated that any business "organized for the primary purpose of" maintaining medical information so that an individual could manage his or her own medical information was deemed a "provider of health care" and therefore subject to the requirements of the CMIA.
However, as the number of companies offering PHRs proliferated - and more significantly as these services were increasingly offered through the Internet - it was not entirely clear if these companies were covered by CMIA. In particular, if a PHR was only one of many services provided by a company, it was not clear that the company was "organized for the primary purpose" of maintaining medical information in a PHR. AB 1298 (Chapter 699, Stats. of 2007) attempted to address this problem by removing the "primary" from Section 56.06, but that legislation still left in place the requirement that the business was "organized for the purpose of" maintaining medical information. However, many of the companies that provide these services - such as WebMD - provide many other services as well and began offering those other services prior to offering PHRs, so those companies were not organized for that purpose and thus arguably not subject to CMIA. This bill, as proposed to be amended, would not only ensure that the CMIA applies to businesses that offer PHRs through the Internet, mobile applications, or similar devices; it would also apply to any business that maintains medical information, as defined, regardless of whether the business was organized for that purpose or not.

The Meaning of "Medical Information" under CMIA :

Some industry representatives have expressed a concern that the legislation might be construed to apply to types of medical information that are not currently covered by CMIA, and that should not be covered. For example, smartphones like the iPhone 3G are capable of acting as a high-tech pedometer that counts the number of steps that the user takes, estimates the number of calories burned, and monitors the heart rate while walking. Because these smartphones are linked to the Internet, this information could potentially be collected or disclosed, or perhaps intentionally sent by a user to his or her PHR if the PHR were set up to accept it.
However, the intent of the CMIA was to protect medical information that originated with medical professionals, whether providers, insurers, administrators, or other contractors who held a person's medical information. This is why CMIA defines "medical information" to only include information "in the possession of or derived from" health care service providers, health care service plans, or related contractors. (See Civil Code Section 56.05(g).) CMIA was not intended to protect all medical information, broadly construed, that is created by the individual - such as the data on the pedometer. In order to address this concern, the author has agreed to take an amendment in this Committee that will clarify that the provisions added by this bill only apply to medical information that originates with a health care provider, health care service plan, or medical contractor. Arguably, such an amendment is redundant, given that the existing definition of "medical information" restricts that term to information "in the possession of or derived from" entities covered by CMIA, and that general definition would seemingly apply to the provision added by this bill. However, in order to make this perfectly clear and assuage the concerns that have been raised, the author wishes to amend the bill in Committee so as to expressly state that "medical information" in the provision added by this bill has the same meaning as that term is defined in subdivision (g) of Civil Code Section 56.05.

ARGUMENTS IN SUPPORT :

According to the author:

AB 658 is a common sense extension that closes a loophole in existing law by applying the existing provisions of the Confidentiality of Medical Information Act (CMIA) to the newest platform for commercial vendors who offer storage, maintenance and sharing of sensitive medical information, which are mobile application software services.
AB 658 would expand the group of entities covered by the CMIA to include commercial vendors of mobile applications that provide Personal Health Record (PHR) services to disclose or share confidential medical information. Currently, the privacy protections that apply to PHRs depend on where the PHR originates. A PHR that a doctor or a health plan provides would fall under the laws that protect medical privacy. However, PHRs from commercial vendors, including mobile medical application vendors, are not covered. Commercial vendors of PHRs are therefore not subject to the requirement to keep medical information confidential. AB 658 would correct this oversight by bringing commercial vendors of PHRs on mobile devices under the covered entities of the CMIA.

The California Chiropractic Association (CCA) believes that this bill will protect patient confidentiality by "extending the [CMIA] to include businesses offering software to patients and health care providers to monitor and manage medical information." CCA argues that this measure will "bring added security and potentially increase the likelihood that patients will engage in managing their health information."

ARGUMENTS IN OPPOSITION :

The Chamber of Commerce opposes this bill because it is "unclear which mobile application software providers will be included. There are many small companies offering a variety of mobile apps that may be captured in the bill. For instance, it is difficult to determine if an app used for health fitness would be captured."

Proposed Author Amendments Appear to Address Opposition Concerns :

It appears that the amendments that the author will take will likely address opposition concerns, at least insofar as the opposition is concerned with the bill's application to fitness applications or other kinds of information that do not originate with a covered entity.
As noted above, this bill expressly confirms the existing CMIA definition of "medical information," which would only apply to information that is derived from a covered entity - that is, a health care provider, insurer, or contractor. The data that is generated by a fitness application would not be derived from one of these covered entities, so it would not be captured by this bill.

Proposed Author Amendments :

For the reasons stated above, to clarify that the provisions of this bill apply to any business that maintains medical information, as currently defined by the CMIA, and regardless of how the business offers its PHR service - whether online or offline, by mobile application or otherwise - the author will take the following amendments in this Committee:

- On page 2 line 15 after "information" insert: , as defined in subdivision (g) of Section 56.05,

- On page 2 line 14 delete "application software" and insert: any software, hardware, application, or other related device

REGISTERED SUPPORT / OPPOSITION :

Support
California Chiropractic Association

Opposition
Chamber of Commerce
Civil Justice Association of California

Analysis Prepared by : Thomas Clark / JUD. / (916) 319-2334