BILL ANALYSIS


                             SENATE JUDICIARY COMMITTEE
                             Senator Noreen Evans, Chair
                              2013-2014 Regular Session


          AB 658 (Calderon)
          As Amended April 22, 2013
          Hearing Date: June 4, 2013
          Fiscal: Yes
          Urgency: No
          NR


                                        SUBJECT
                                           
                          Personal information: disclosure

                                      DESCRIPTION  

          The Confidentiality of Medical Information Act (CMIA) generally  
          prohibits any health care provider, health insurer, or medical  
          service contractor from disclosing a patient's medical  
          information without the patient's consent, subject to certain  
          mandatory and voluntary exceptions.  

          This bill would clarify that businesses which offer personal  
          health records (PHR), whether online or through a mobile  
          application, are subject to CMIA requirements if they maintain  
          medical information that is derived from a health care provider,  
          health service plan, or other medical service contractor.

                                      BACKGROUND  

          The Health Insurance Portability and Accountability Act (HIPAA),  
          enacted in 1996, guarantees privacy protection for individuals  
          with regards to specific health information (Pub.L. 104-191, 110  
          Stat. 1936).  Generally, protected health information (PHI) is  
          any information held by a covered entity which concerns health  
          status, provision of health care, or payment for health care  
          that can be connected to an individual. HIPAA privacy  
          regulations require health care providers and organizations to  
          develop and follow procedures that ensure the confidentiality  
          and security of PHI when it is transferred, received, handled,  
          or shared.  HIPAA further requires reasonable efforts when  
          using, disclosing, or requesting PHI, to limit disclosure of  
          that information to the minimum amount necessary to accomplish  
          the intended purpose.  

          The Confidentiality of Medical Information Act (CMIA) also  
          protects PHI and restricts the disclosure of medical information  
          by health care providers, and health care service plans, as  
          specified. Under existing law, a corporation organized for the  
          purpose of maintaining medical information in order to make that  
          information available to the patient, or a provider at the  
          request of the patient for purposes of diagnosis or treatment,  
          is deemed to be a provider of health care subject to the  
          requirements of the CMIA.  

          Personal health records (PHRs) are Internet-based applications  
          that allow individuals to gather, store, manage, and in some  
          cases share, personal health information.  Some insurers, health  
          maintenance organizations (HMOs), or medical provider groups  
          offer PHRs for their members, and certain Internet companies  
          sell PHRs for anyone to use.  In large part, the privacy  
          protections that apply to PHRs depend on where the PHR  
          originates.  For example, the Privacy Rights Clearinghouse noted  
          in a recent report that "a PHR that a doctor or a health plan  
          provides would fall under the laws that protect medical privacy  
          and set standards for maintaining the security of your medical  
          information.  This would include both HIPAA and the CMIA."  
          (Privacy Rights Clearinghouse, California Medical Privacy Fact  
          Sheet C7: Personal Health Records and Privacy  
           [as of May 28, 2013].) However, as these  
          services are increasingly offered through mobile applications,  
          created and maintained by companies who provide many services  
          and products beyond PHRs, new privacy concerns arise.

          Accordingly, this bill would clarify that businesses which offer  
          PHRs, whether online or through a mobile application, are  
          subject to CMIA requirements if they maintain medical  
          information that is derived from a health care provider, health  
          service plan, or other medical service contractor.

                                CHANGES TO EXISTING LAW
           
          Existing law, the California Constitution, provides that all  
          people have inalienable rights, including the right to pursue  
          and obtain privacy.  (Cal. Const. art. I, Sec. 1.)
           
          Existing federal law, the Health Insurance Portability and  
          Accountability Act (HIPAA), specifies privacy protections for  
          patients' protected health information and generally provides  
          that a covered entity, as defined (health plan, health care  
          provider, and health care clearing house), may not use or  
          disclose protected health information except as specified or as  
          authorized by the patient in writing.  (45 C.F.R. Sec. 164.500  
          et seq.)  

          Existing law prohibits, under the State Confidentiality of  
          Medical Information Act (CMIA), providers of health care, health  
          care service plans, or contractors, as defined, from sharing  
          medical information without the patient's written authorization,  
          subject to certain exceptions.  (Civ. Code Sec. 56 et seq.) 
          
          Existing law defines "medical information" to mean any  
          individually identifiable information, in electronic or physical  
          form, in possession of or derived from a provider of health  
          care, health care service plan, pharmaceutical company, or  
          contractor regarding a patient's medical history, mental or  
          physical condition, or treatment.  Existing law defines  
          "individually identifiable" to mean that the medical information  
          includes or contains any element of personal identifying  
          information sufficient to allow identification of the  
          individual, such as the patient's name, address, electronic mail  
          address, telephone number, or social security number, or other  
          information that, alone or in combination with other publicly  
          available information, reveals the individual's identity.  (Civ.  
          Code Sec. 56.05(g).)
          
          Existing law provides that any business organized for the  
          purpose of maintaining medical information in order to make the  
          information available to an individual or to a provider of  
          health care at the request of the individual or the provider of  
          health care, for purposes of allowing the individual to manage  
          his or her information, or for the diagnosis or treatment of the  
          individual, shall be deemed to be a provider of health care  
          subject to the requirements of the CMIA.  (Civ. Code Sec.  
          56.06(a).) 

          Existing law provides that any provider of health care, health  
          care service plan, pharmaceutical company, or contractor who  
          negligently creates, maintains, preserves, stores, abandons,  
          destroys, or disposes of written or electronic medical records  
          shall be subject to damages in a civil action or an  
          administrative fine, as specified.  (Civ. Code Sec. 56.36.)

          This bill would provide that any business that offers any  
          software, hardware, application, or related device that is  
          designed to maintain medical information, as defined, in order  
          to make the information available to an individual or a provider  
          of health care, for purposes of allowing the individual to  
          manage his or her information, or for the diagnosis, treatment,  
          or management of a medical condition of the individual, shall be  
          deemed to be a provider of health care subject to the  
          requirements of the CMIA.
                
          This bill would specify that, notwithstanding the above, nothing  
          in this bill shall be construed to make a business specified in  
          this bill a provider of health care for purposes of any other  
          law, including laws that specifically incorporate by reference  
          the definitions of the CMIA. 
           
                                        COMMENT
           
          1. Stated need for the bill
           
          According to the author:

            Currently, the privacy protections that apply to medical  
            application software such as personal health records (PHR)  
            depend on where the application originates.  A PHR that a  
            doctor or a health plan provides as part of one's medical  
            coverage would fall under the laws that protect medical  
            privacy.  However, PHRs from commercial vendors, including  
            mobile medical application vendors, are not covered.  In other  
            words, independent commercial vendors of personal health  
            service software are not subject to the requirement to keep  
            medical information collected and used in the operation of the  
            application confidential.  AB 658 would correct this oversight  
            by bringing commercial vendor's mobile devices under the  
            similar covered entities of the CMIA. 

          2. Explicitly expands existing law to mobile applications and  
          devices

          This bill would require any business which offers any software,  
          hardware, application, or related device designed to maintain  
          medical information, as specified, to be deemed a provider of  
          health care, and thus subject to the requirements of the CMIA.

          The author argues that this bill is necessary because the  
          privacy agreements by companies who offer PHR applications for  
          mobile devices often do not include important privacy  
          protections.  The author writes, "many applications directly or  
          indirectly state the applications and the medical information  
          they collect are not covered by HIPAA. Some applications do not  
          have visible privacy policies at all. … The general failure of  
          privacy policies of PHR applications to state they will not  
          disclose sensitive medical information shows that these  
          applications may be disclosing medical information in ways that  
          would not be allowed were they covered under CMIA."

          Privacy Rights Clearinghouse argued in a recent article that AB  
          1298 (Snyder, Chapter 699, Statutes of 2007) may not be  
          functioning in practice as intended.  Prior to the enactment of  
          that bill, only businesses organized for the primary purpose of  
          maintaining medical information were deemed to be a provider of  
          health care subject to the requirements of the CMIA. AB 1298  
          deleted the word "primary" from relevant parts of the CMIA,  
          thus requiring businesses only to have a purpose, not a primary  
          purpose, of maintaining medical information.  Similar to this  
          bill, AB 1298 was intended to expand the number and type of  
          businesses which were subject to the CMIA.  Privacy Rights  
          Clearinghouse further notes that: 

            It is not clear whether this revision accomplished its goal.  
            Vendors that collect medical information may not strictly be  
            defined as "organized for the purpose of maintaining medical  
            information." In the case of whether the CMIA applies to PHR  
            applications, this uncertainty would be resolved by  
            specifically including mobile applications that collect  
            medical information under the statute. (Privacy Rights  
            Clearinghouse, California Medical Privacy Fact Sheet C7:  
            Personal Health Records and Privacy  
             [as of May 28, 2013].)

          Accordingly, by imposing CMIA confidentiality requirements on  
          businesses that offer ways to manage PHRs, regardless of whether  
          the business was organized for that specific purpose, this bill  
          would specifically include mobile applications under the state's  
          medical privacy laws.  

          3. Previous arguments in opposition
           
          The Chamber of Commerce opposed an earlier version of this bill  
          because it was "unclear which mobile application software  
          providers [would] be included.  There are many small companies  
          offering a variety of mobile apps that may be captured in the  
          bill.  For instance, it is difficult to determine if an app used  
          for health fitness would be captured." 

          To address these concerns, the author accepted amendments in the  
          Assembly Judiciary Committee which clarified that the provisions  
          of this bill would apply only to medical information, as defined  
          by the CMIA, which originates with a covered entity. 

          Support:  California Chiropractic Association; Consumer  
          Federation of California; Privacy Rights Clearinghouse

          Opposition:  None Known
           

                                       HISTORY
           
          Source:  Author

          Related Pending Legislation:  None Known 

          Prior Legislation:

          AB 1298 (Snyder, Chapter 699, Statutes of 2007), subjected any  
          business organized to maintain medical information for purposes  
          of making that information available to an individual or to a  
          health care provider, as specified, to the provisions of the  
          Confidentiality of Medical Information Act (CMIA).

          AB 336 (Snyder, Chapter 1004, Statutes of 1993), deemed certain  
          corporations to be providers of health care under the CMIA.

          Prior Vote:

          Assembly Floor (Ayes 76, Noes 0)
          Assembly Appropriations Committee (Ayes 17, Noes 0)
          Assembly Judiciary Committee (Ayes 10, Noes 0)

                                   **************