BILL ANALYSIS AB 658 Page 1

ASSEMBLY THIRD READING
AB 658 (Ian Calderon)
As Amended April 22, 2013
Majority vote

JUDICIARY 10-0
Ayes: Wieckowski, Wagner, Alejo, Chau, Dickinson, Garcia, Gorell, Maienschein, Muratsuchi, Stone

APPROPRIATIONS 17-0
Ayes: Gatto, Harkey, Bigelow, Bocanegra, Bradford, Ian Calderon, Campos, Donnelly, Eggman, Gomez, Hall, Holden, Linder, Pan, Quirk, Wagner, Weber

SUMMARY : Provides that any business that offers any software, hardware, application, or related device that is designed to maintain medical information, as defined, in order to make the information available to an individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual, shall be deemed to be a provider of health care subject to the requirements of the California Confidentiality of Medical Information Act (CMIA).

EXISTING LAW :

1)Specifies, under the federal Health Insurance Portability and Accountability Act (HIPAA), privacy protections for patients' protected health information and generally provides that a covered entity, as defined, may not use or disclose protected health information except as specified or as authorized by the patient in writing.

2)Prohibits a health care provider, health care service plan, or contractor from disclosing medical information, as defined, regarding a patient, enrollee, or subscriber without first obtaining an authorization, except as specified. Provides that a valid authorization must comply with HIPAA and the CMIA.
3)Provides that any business organized for the purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or the provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis and treatment of the individual, shall be deemed to be a provider of health care subject to the requirements of the CMIA.

4)Provides that any provider of health care, health care service plan, pharmaceutical company, or contractor who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of written or electronic medical records shall be subject to damages in a civil action or an administrative fine, as specified.

5)Requires a health care provider, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of written or electronic medical records to do so in a manner that preserves the confidentiality, accuracy, and integrity of the information contained therein.

6)Defines "medical information" to mean any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, condition, or treatment. Existing law defines "individually identifiable" to mean that the medical information includes or contains an element of personal information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity.
FISCAL EFFECT : According to the Assembly Appropriations Committee, since violations of the CMIA that result in economic loss or personal injury to the patient are punishable as misdemeanors, there could be minor non-reimbursable costs to local governments for enforcement, offset to some extent by fine revenues.

COMMENTS : The Confidentiality of Medical Information Act (CMIA) prohibits a health care provider, health care service plan, or medical contractor from sharing or disclosing a person's medical information without that person's consent. Existing law creates a number of mandatory and permissive exceptions to this general rule of no disclosure without consent. For example, mandatory exceptions include, among other things, disclosures in emergency situations or by order of a court, while permissive disclosures include those necessary for billing or administrative purposes, or for purposes of diagnosis or treatment of the patient.

"Medical information" for purposes of the CMIA is defined to include "any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment." A person whose medical information has been disclosed or used in violation of the CMIA, and who has sustained economic loss or personal injury as a result, may recover compensatory and punitive damages, as prescribed.

According to the background information provided by the author's office, this bill seeks to clarify that a personal health record (PHR), including those offered as an application, is subject to CMIA prohibitions. PHRs, according to the California Office of Privacy Protection, "are Internet-based applications that allow you to gather, store, manage, and in some cases share, information about your health or the health of someone in your care."
The information, which would typically be provided by your various health care providers, is stored and accessible on an Internet Web site. Sometimes a PHR would be offered as a service by a health care provider or health care plan, but PHRs are also increasingly offered by private companies that provide this service for a fee. The company maintains the medical information in one place so the individual may access it or have it disclosed to the appropriate health care provider. The main benefit of a PHR is that it allows an individual to manage his or her own medical information. However, according to the Privacy Rights Clearinghouse (PRC), there are questions about whether or not a private business that offers a PHR is covered by the CMIA.

Understanding this problem requires tracking the legislative history of Civil Code Section 56.06. As enacted in 1993, Section 56.06 stated that any business "organized for the primary purpose of" maintaining medical information so that an individual could manage his or her own medical information was deemed a "provider of health care" and therefore subject to the requirements of the CMIA. However, as the number of companies offering PHRs proliferated - and more significantly as these services were increasingly offered through the Internet - it was not entirely clear whether these companies were covered by the CMIA. In particular, if a PHR was only one of many services provided by a company, it was not clear that the company was "organized for the primary purpose" of maintaining medical information in a PHR. AB 1298 (Jones), Chapter 699, Statutes of 2007, attempted to address this problem by removing the word "primary" from Section 56.06, but that legislation still left in place the requirement that the business was "organized for the purpose of" maintaining medical information.
However, many of the companies that provide these services - such as WebMD - provide many other services as well and began offering those other services prior to offering PHRs, so those companies were not organized for that purpose and thus arguably not subject to the CMIA. This bill, as amended, would not only ensure that the CMIA applies to businesses that offer PHRs through the Internet, mobile applications, or similar devices; it would also apply to any business that maintains medical information, as defined, regardless of whether the business was organized for that purpose or not.

Analysis Prepared by : Thomas Clark / JUD. / (916) 319-2334

FN: 0000353