BILL ANALYSIS



                                                                  AB 658
                                                                  Page  1


          ASSEMBLY THIRD READING
          AB 658 (Ian Calderon)
          As Amended April 22, 2013
          Majority vote 

           JUDICIARY           10-0        APPROPRIATIONS      17-0        
           
           ----------------------------------------------------------------- 
          |Ayes:|Wieckowski, Wagner,       |Ayes:|Gatto, Harkey, Bigelow,   |
          |     |Alejo, Chau, Dickinson,   |     |Bocanegra, Bradford, Ian  |
          |     |Garcia, Gorell,           |     |Calderon, Campos,         |
          |     |Maienschein, Muratsuchi,  |     |Donnelly, Eggman, Gomez,  |
          |     |Stone                     |     |Hall, Holden, Linder,     |
          |     |                          |     |Pan, Quirk, Wagner, Weber |
          |-----+--------------------------+-----+--------------------------|
          |     |                          |     |                          |
           ----------------------------------------------------------------- 
           SUMMARY  :  Provides that any business that offers any software,  
          hardware, application, or related device that is designed to  
          maintain medical information, as defined, in order to make the  
          information available to an individual or a provider of health  
          care, for purposes of allowing the individual to manage his or  
          her information, or for the diagnosis, treatment, or management  
          of a medical condition of the individual, shall be deemed to be  
          a provider of health care subject to the requirements of the  
          California Confidentiality of Medical Information Act (CMIA).
                
           EXISTING LAW  :

          1)Specifies, under the federal Health Insurance Portability and  
            Accountability Act (HIPAA), privacy protections for patients'  
            protected health information and generally provides that a  
            covered entity, as defined, may not use or disclose protected  
            health information except as specified or as authorized by the  
            patient in writing.  

          2)Prohibits a health care provider, health care service plan, or  
            contractor from disclosing medical information, as defined,  
            regarding a patient, enrollee, or subscriber without first  
            obtaining an authorization, except as specified.  Provides  
            that a valid authorization must comply with HIPAA and the  
            CMIA.  

          3)Provides that any business organized for the purpose of  
            maintaining medical information in order to make the  
            information available to an individual or to a provider of  
            health care at the request of the individual or the provider  
            of health care, for purposes of allowing the individual to  
            manage his or her information, or for the diagnosis of  
            treatment of the individual, shall be deemed to be a provider  
            of health care subject to the requirements of the CMIA.  

          4)Provides that any provider of health care, health care service  
            plan, pharmaceutical company, or contractor who negligently  
            creates, maintains, preserves, stores, abandons, destroys, or  
            disposes of written or electronic medical records shall be  
            subject to damages in a civil action or an administrative  
            fine, as specified.  

          5)Requires a health care provider, health care service plan,  
            pharmaceutical company, or contractor who creates, maintains,  
            preserves, stores, abandons, destroys, or disposes of written  
            or electronic medical records to do so in a manner that  
            preserves the confidentiality, accuracy, and integrity of the  
            information contained therein.  

          6)Defines "medical information" to mean any individually  
            identifiable information, in electronic or physical form, in  
            possession of or derived from a provider of health care,  
            health care service plan, pharmaceutical company, or  
            contractor regarding a patient's medical history, condition,  
            or treatment.  Existing law defines "individually  
            identifiable" to mean that the medical information includes or  
            contains an element of personal information sufficient to  
            allow identification of the individual, such as the patient's  
            name, address, electronic mail address, telephone number, or  
            social security number, or other information that, alone or in  
            combination with other publicly available information, reveals  
            the individual's identity.  

           FISCAL EFFECT  :  According to the Assembly Appropriations  
          Committee, since violations of the CMIA that result in economic  
          loss or personal injury to the patient are punishable as  
          misdemeanors, there could be minor non-reimbursable costs to  
          local governments for enforcement, offset to some extent by fine  
          revenues. 

           COMMENTS  :  The Confidentiality of Medical Information Act (CMIA)  
          prohibits a health care provider, health care service plan, or  
          medical contractor from sharing or disclosing a person's medical  
          information without that person's consent.  Existing law creates  
          a number of mandatory and permissive exceptions to this general  
          rule of no disclosure without consent.  For example, mandatory  
          exemptions include, among other things, emergency situations or  
          by order of a court, while permissive disclosures include those  
          necessary for billing or administrative purposes, or for  
          purposes of diagnosis or treatment of the patient.  "Medical  
          information" for purposes of the CMIA is defined to include "any  
          individually identifiable information, in electronic or physical  
          form, in possession of or derived from a provider of health  
          care, health care service plan, pharmaceutical company, or  
          contractor regarding a patient's medical history, mental or  
          physical condition, or treatment."  A person whose medical  
          information has been disclosed or used in violation of the CMIA,  
          and who has sustained economic loss or personal injury as a  
          result, may recover compensatory and punitive damages, as  
          prescribed.  
           
           According to the background information provided by the author's  
          office, this bill seeks to clarify that a personal health record  
          (PHR), including those offered as an application, is subject to  
          CMIA prohibitions.  PHRs, according to the California Office of  
          Privacy Protection, "are Internet-based applications that allow  
          you to gather, store, manage, and in some cases share,  
          information about your health or the health of someone in your  
          care."  The information, which would typically be provided by  
          your various health care providers, is stored and accessible on  
          an Internet Web site.  Sometimes a PHR would be offered as a  
          service by a health care provider or health care plan, but PHRs  
          are also increasingly offered by private companies that provide  
          this service for a fee.  The company maintains the medical  
          information in one place so the individual may access it or have  
          it disclosed to the appropriate health care provider.  The main  
          benefit of a PHR is that it allows an individual to manage his  
          or her own medical information.  

          However, according to the Privacy Rights Clearinghouse (PRC),  
          there are questions about whether or not a private business that  
          offers a PHR is covered by the CMIA.  Understanding this problem  
          requires tracking the legislative history of Civil Code Section  
          56.06.  As enacted in 1993, Section 56.06 stated that any  
          business "organized for the primary purpose of" maintaining  
          medical information so that an individual could manage his or  
          her own medical information was deemed a "provider of health  
          care" and therefore subject to the requirements of the CMIA.   
          However, as the number of companies offering PHRs proliferated -  
          and more significantly as these services were increasingly  
          offered through the Internet - it was not entirely clear if  
          these companies were covered by CMIA.  In particular, if a PHR  
          was only one of many services provided by a company, it was not  
          clear that the company was "organized for the primary purpose"  
          of maintaining medical information in a PHR.  AB 1298 (Jones),  
          Chapter 699, Statutes of 2007, attempted to address this problem  
          by removing the word "primary" from Section 56.06, but that  
          legislation still left in place the requirement that the  
          business was "organized for the purpose of" maintaining medical  
          information.  However, many of the companies that provide these  
          services - such as WebMD - provide many other services as well  
          and began offering those other services prior to offering PHRs,  
          so those companies were not organized for that purpose and thus  
          arguably not subject to CMIA.  This bill, as amended, would not  
          only ensure that the CMIA applies to businesses that offer PHRs  
          through the Internet, mobile applications, or similar devices;  
          it would also apply to any business that maintains medical  
          information, as defined, regardless of whether the business was  
          organized for that purpose or not. 

           
          Analysis Prepared by  :   Thomas Clark / JUD. / (916) 319-2334 


                                                                FN: 0000353