BILL ANALYSIS
AB 658
Page 1
Date of Hearing: April 16, 2013
ASSEMBLY COMMITTEE ON JUDICIARY
Bob Wieckowski, Chair
AB 658 (Calderon) - As Introduced: February 21, 2013
As Proposed to be Amended
SUBJECT : Personal Information: Disclosure
KEY ISSUE : SHOULD entities covered by the Confidentiality of
Medical Information Act be expanded to include a business that
maintains personal health records?
FISCAL EFFECT : As currently in print this bill is keyed fiscal.
SYNOPSIS
The Confidentiality of Medical Information Act (CMIA) generally
prohibits any health care provider, health insurer, or medical
service contractor from disclosing a patient's medical
information without the patient's consent, subject to certain
mandatory and voluntary exceptions. Originally, the "covered
entities" that were subject to CMIA were health care providers
or health insurers, or such entities that might contract with
the provider or insurer for billing or administrative purposes.
Since 1993, the CMIA has also covered a business that maintained
medical information for the purpose of permitting individuals to
manage their health information by having ready access to this
information and authorizing its release. Beginning in 2008, AB
1298 (Chapter 699, Stats. of 2007) attempted to clarify that
this provision applied to an array of new companies, many
Internet-based, that began offering so-called "personal health
records" - that is, typically electronic or digital databases,
maintained by the business, that permitted patients to
self-manage their medical information by bringing it together in
a single place, where it could be disclosed to the individual or
any health care provider according to the individual's wishes.
As one might expect, these services are increasingly offered
through mobile applications, potentially raising a new set of
privacy concerns. Arguably, existing law already imposes CMIA
requirements on any "business" that maintains medical
information and allows customers to manage that information -
whether the service is offered on the Internet, as a mobile app,
or out of cardboard boxes in a brick-and-mortar warehouse.
However, this bill seeks to clarify that businesses that offer
personal health care records, whether online or through a mobile
application, are subject to CMIA requirements if they maintain
medical information that is derived from a health care provider,
health service plan, or other medical service contractor. The
author has agreed to take clarifying amendments in this
Committee, amendments that would appear to likely remove the
opposition of the California Chamber of Commerce and the Civil
Justice Association of California. The bill summary and
analysis reflect these amendments. The bill is supported by the
California Chiropractic Association.
SUMMARY : Applies the requirements of the Confidentiality of
Medical Information Act (CMIA) to any business that maintains
medical information, as defined, in order to allow an individual
to manage his or her medical information, as specified.
Specifically, this bill:
1) Provides that any business that offers any software, hardware,
application, or related device that is designed to maintain
medical information, as defined, in order to make the
information available to an individual or a provider of health
care, for purposes of allowing the individual to manage his or
her information, or for the diagnosis, treatment, or
management of a medical condition of the individual, shall be
deemed to be a provider of health care subject to the
requirements of the CMIA.
2) Specifies that, notwithstanding the above, nothing in this
bill shall be construed to make a business specified in this
bill a provider of health care for purposes of any other law,
including laws that specifically incorporate by reference the
definitions of the CMIA.
EXISTING LAW :
1) Specifies, under the federal Health Insurance Portability and
Accountability Act (HIPAA), privacy protections for patients'
protected health information and generally provides that a
covered entity, as defined, may not use or disclose protected
health information except as specified or as authorized by the
patient in writing. (45 C.F.R. Section 164.500 et seq.)
2) Prohibits a health care provider, health care service plan, or
contractor from disclosing medical information, as defined,
regarding a patient, enrollee, or subscriber without first
obtaining an authorization, except as specified. Provides
that a valid authorization must comply with HIPAA and the
California Confidentiality of Medical Information Act (CMIA).
(Civil Code Sections 56.10(a) and 56.11.)
3) Provides that any business organized for the purpose of
maintaining medical information in order to make the
information available to an individual or to a provider of
health care at the request of the individual or the provider
of health care, for purposes of allowing the individual to
manage his or her information, or for the diagnosis or
treatment of the individual, shall be deemed to be a provider
of health care subject to the requirements of the CMIA.
(Civil Code Section 56.06(a).)
4) Provides that any provider of health care, health care service
plan, pharmaceutical company, or contractor who negligently
creates, maintains, preserves, stores, abandons, destroys, or
disposes of written or electronic medical records shall be
subject to damages in a civil action or an administrative
fine, as specified. (Civil Code Section 56.36.)
5) Requires a health care provider, health care service plan,
pharmaceutical company, or contractor who creates, maintains,
preserves, stores, abandons, destroys, or disposes of written
or electronic medical records to do so in a manner that
preserves the confidentiality, accuracy, and integrity of the
information contained therein. (Civil Code Section 56.101.)
6) Defines "medical information" to mean any individually
identifiable information, in electronic or physical form, in
possession of or derived from a provider of health care,
health care service plan, pharmaceutical company, or
contractor regarding a patient's medical history, condition,
or treatment. Existing law defines "individually
identifiable" to mean that the medical information includes or
contains an element of personal information sufficient to
allow identification of the individual, such as the patient's
name, address, electronic mail address, telephone number, or
social security number, or other information that, alone or in
combination with other publicly available information, reveals
the individual's identity. (Civil Code Section 56.05 (g).)
COMMENTS : The Confidentiality of Medical Information Act (CMIA)
prohibits a health care provider, health care service plan, or
medical contractor from sharing or disclosing a person's medical
information without that person's consent. Existing law creates
a number of mandatory and permissive exceptions to this general
rule of no disclosure without consent. For example, mandatory
exemptions include, among other things, emergency situations or
by order of a court, while permissive disclosures include those
necessary for billing or administrative purposes, or for
purposes of diagnosis or treatment of the patient. "Medical
information" for purposes of the CMIA is defined to include "any
individually identifiable information, in electronic or physical
form, in possession of or derived from a provider of health
care, health care service plan, pharmaceutical company, or
contractor regarding a patient's medical history, mental or
physical condition, or treatment." A person whose medical
information has been disclosed or used in violation of the CMIA,
and who has sustained economic loss or personal injury as a
result, may recover compensatory and punitive damages, as
prescribed.
Background: Personal Health Records under the CMIA : According
to the background information provided by the author's office,
this bill seeks to clarify that a personal health record (PHR),
including those offered as an application, is subject to CMIA
prohibitions. PHRs, according to the California Office of Privacy
Protection, "are Internet-based applications that allow you to
gather, store, manage, and in some cases share, information
about your health or the health of someone in your care." The
information, which would typically be provided by your various
health care providers, is stored and accessible on an Internet
website. Sometimes a PHR would be offered as a service by a
health care provider or health care plan, but PHRs are also
increasingly offered by private companies that provide this
service for a fee. The company maintains the medical
information in one place so the individual may access it or have
it disclosed to the appropriate health care provider. The main
benefit of a PHR is that it allows an individual to manage his
or her own medical information.
However, according to the Privacy Rights Clearinghouse (PRC),
there are questions about whether or not a private business that
offers a PHR is covered by the CMIA. Understanding this problem
requires tracking the legislative history of Civil Code Section
56.06. As enacted in 1993, Section 56.06 stated that any
business "organized for the primary purpose of" maintaining
medical information so that an individual could manage his or
her own medical information was deemed a "provider of health
care" and therefore subject to the requirements of the CMIA.
However, as the number of companies offering PHRs proliferated -
and more significantly as these services were increasingly
offered through the Internet - it was not entirely clear if
these companies were covered by CMIA. In particular, if a PHR
was only one of many services provided by a company, it was not
clear that the company was "organized for the primary purpose"
of maintaining medical information in a PHR. AB 1298 (Chapter
699, Stats. of 2007) attempted to address this problem by
removing the "primary" from Section 56.06, but that legislation
still left in place the requirement that the business was
"organized for the purpose of" maintaining medical information.
However, many of the companies that provide these services -
such as WebMD - provide many other services as well and began
offering those other services prior to offering PHRs, so those
companies were not organized for that purpose and thus arguably
not subject to CMIA. This bill, as proposed to be amended,
would not only ensure that the CMIA applies to businesses that
offer PHRs through the Internet, mobile applications, or similar
devices; it would also apply to any business that maintains
medical information, as defined, regardless of whether the
business was organized for that purpose or not.
The Meaning of "Medical Information" under CMIA : Some industry
representatives have expressed a concern that the legislation
might be construed to apply to types of medical information that
are not currently covered by CMIA, and that should not be
covered. For example, smartphones like the iPhone 3G are
capable of acting as a high-tech pedometer that counts the
number of steps the user takes, estimates the number of
calories burned, and monitors the heart rate while walking.
Because these smartphones are linked to the Internet, this
information could potentially be collected or disclosed, or
perhaps intentionally sent by a user to his or her PHR if the
PHR were set up to accept it. However, the intent of the CMIA
was to protect medical information that originated with medical
professionals, whether providers, insurers, administrators, or
other contractors who held a person's medical information. This
is why CMIA defines "medical information" to only include
information "in the possession of or derived from" health care
service providers, health care service plans, or related
contractors. (See Civil Code Section 56.05 (g).) CMIA was not
intended to protect all medical information, broadly construed,
that is created by the individual - such as the data on the
pedometer. In order to address this concern, the author has
agreed to take an amendment in this Committee that will clarify
that the provisions added by this bill only apply to medical
information that originates with a health care provider, health
care service plan, or medical contractor. Arguably, such an
amendment is redundant, given that the existing definition of
"medical information" restricts that term to information "in the
possession of or derived from" entities covered by CMIA, and
then the general definition would seemingly apply to the
provision added by this bill. However, in order to make this
perfectly clear and assuage the concerns that have been raised,
the author wishes to amend the bill in Committee so as to
expressly state that "medical information" in the provision
added by this bill has the same meaning as that term is defined
in subdivision (g) of Civil Code Section 56.05.
ARGUMENTS IN SUPPORT : According to the author:
AB 658 is a common sense extension that closes a loophole
in existing law by applying the existing provisions of the
Confidentiality of Medical Information Act (CMIA) to the
newest platform for commercial vendors who offer storage,
maintenance and sharing of sensitive medical information,
which are mobile application software services.
AB 658 would expand the group of entities covered by the
CMIA to include commercial vendors of mobile applications
that provide Personal Health Record (PHR) services to
disclose or share confidential medical information.
Currently, the privacy protections that apply to PHRs
depend on where the PHR originates. A PHR that a doctor or
a health plan provides would fall under the laws that
protect medical privacy. However, PHRs from commercial
vendors, including mobile medical application vendors, are
not covered. Commercial vendors of PHRs are therefore not
subject to the requirement to keep medical information
confidential. AB 658 would correct this oversight by
bringing commercial vendors of PHRs on mobile devices
under the covered entities of the CMIA.
The California Chiropractic Association (CCA) believes that
this bill will protect patient confidentiality by "extending
the [CMIA] to include businesses offering software to
patients and health care providers to monitor and manage
medical information." CCA argues that this measure will
"bring added security and potentially increase the likelihood
that patients will engage in managing their health
information."
ARGUMENTS IN OPPOSITION : The Chamber of Commerce opposes
this bill because it is "unclear which mobile application
software providers will be included. There are many small
companies offering a variety of mobile apps that may be
captured in the bill. For instance, it is difficult to
determine if an app used for health fitness would be
captured."
Proposed Author Amendments Appear to Address Opposition
Concerns : It appears that the amendments that the author
will take will likely address opposition concerns, at least
insofar as that opposition concerns the bill's application to
fitness applications or other kinds of information that do
not originate with a covered entity. As noted above, this
bill expressly confirms the existing CMIA definition of
"medical information," which would only apply to information
that is derived from a covered entity - that is, a health
care provider, insurer, or contractor. The data that is
generated by a fitness application would not be derived from
one of these covered entities, so it would not be captured by
this bill.
Proposed Author Amendments : For the reasons stated above, to
clarify that the provisions of this bill apply to any
business that maintains medical information, as currently
defined by the CMIA, and regardless of how the business
offers its PHR service - whether online or offline, by mobile
application or otherwise - the author will take the following
amendments in this Committee:
- On page 2 line 15 after "information" insert:
, as defined in subdivision (g) of Section 56.05,
- On page 2 line 14 delete "application software" and
insert:
any software, hardware, application, or other related device
REGISTERED SUPPORT / OPPOSITION :
Support
California Chiropractic Association
Opposition
Chamber of Commerce
Civil Justice Association of California
Analysis Prepared by : Thomas Clark / JUD. / (916) 319-2334