BILL ANALYSIS



                                                                            



           ----------------------------------------------------------------- 
          |SENATE RULES COMMITTEE            |                        AB 658|
          |Office of Senate Floor Analyses   |                              |
          |1020 N Street, Suite 524          |                              |
          |(916) 651-1520 Fax: (916) 327-4478|                              |
           ----------------------------------------------------------------- 
           
                                           
                                    THIRD READING


          Bill No:  AB 658
          Author:   Ian Calderon (D)
          Amended:  6/24/13 in Senate
          Vote:     21

           
           SENATE JUDICIARY COMMITTEE  :  6-0, 6/4/13
          AYES:  Evans, Anderson, Corbett, Jackson, Leno, Monning
          NO VOTE RECORDED:  Walters

           SENATE APPROPRIATIONS COMMITTEE  :  Senate Rule 28.8

           ASSEMBLY FLOOR  :  76-0, 5/9/13 - See last page for vote


           SUBJECT  :    Personal information:  disclosure

           SOURCE  :     Author


           DIGEST  :    This bill applies the prohibitions of the  
          Confidentiality of Medical Information Act (CMIA) to any  
          business that offers software or hardware to consumers,  
          including a mobile application or other related device that is  
          designed to maintain medical information to allow an individual  
          to manage his/her information, or for the diagnosis, treatment,  
          or management of a medical condition of the individual.

           ANALYSIS  :    Existing federal law, the Health Insurance  
          Portability and Accountability Act (HIPAA), specifies privacy  
          protections for patients' protected health information and  
          generally provides that a covered entity, as defined (health  
          plan, health care provider, and health care clearinghouse), may  
          not use or disclose protected health information except as  
          specified or as authorized by the patient in writing.  

          Existing state law:

          1.The California Constitution provides that all people have  
            inalienable rights, including the right to pursue and obtain  
            privacy.

          2.Prohibits, under the CMIA, providers of health care, health  
            care service plans, or contractors, as defined, from sharing  
            medical information without the patient's written  
            authorization, subject to certain exceptions.

          3.Defines "medical information" to mean any individually  
            identifiable information, in electronic or physical form, in  
            possession of or derived from a provider of health care,  
            health care service plan, pharmaceutical company, or  
            contractor regarding a patient's medical history, mental or  
            physical condition, or treatment.  Existing law defines  
            "individually identifiable" to mean that the medical  
            information includes or contains any element of personal  
            identifying information sufficient to allow identification of  
            the individual, such as the patient's name, address,  
            electronic mail address, telephone number, or social security  
            number, or other information that, alone or in combination  
            with other publicly available information, reveals the  
            individual's identity.  

          4.Provides that any business organized for the purpose of  
            maintaining medical information in order to make the  
            information available to an individual or to a provider of  
            health care at the request of the individual or the provider  
            of health care, for purposes of allowing the individual to  
            manage his/her information, or for the diagnosis or treatment  
            of the individual, shall be deemed to be a provider of health  
            care subject to the requirements of the CMIA.

          5.Provides that any provider of health care, health care service  
            plan, pharmaceutical company, or contractor who negligently  
            creates, maintains, preserves, stores, abandons, destroys, or  
            disposes of written or electronic medical records shall be  
            subject to damages in a civil action or an administrative  
            fine, as specified.

           
           This bill:

           1.Provides that any business that offers any software, hardware,  
            application, or related device to consumers that is designed  
            to maintain medical information, as defined, in order to make  
            the information available to an individual or a provider of  
            health care, for purposes of allowing the individual to manage  
            his/her information, or for the diagnosis, treatment, or  
            management of a medical condition of the individual, is deemed  
            to be a provider of health care subject to the requirements of  
            the CMIA.

          2.Specifies that, notwithstanding the above, nothing in this  
            bill shall be construed to make a business specified in this bill a  
            provider of health care for purposes of any other law,  
            including laws that specifically incorporate by reference the  
            definitions of the CMIA. 

           Background
           
          HIPAA, enacted in 1996, guarantees privacy protection for  
          individuals with regard to specific health information.   
          Generally, protected health information (PHI) is any information  
          held by a covered entity which concerns health status, provision  
          of health care, or payment for health care that can be connected  
          to an individual.  HIPAA privacy regulations require health care  
          providers and organizations to develop and follow procedures  
          that ensure the confidentiality and security of PHI when it is  
          transferred, received, handled, or shared.  HIPAA further  
          requires reasonable efforts when using, disclosing, or  
          requesting PHI, to limit disclosure of that information to the  
          minimum amount necessary to accomplish the intended purpose.  

          CMIA also protects PHI and restricts the disclosure of medical  
          information by health care providers, and health care service  
          plans, as specified. Under existing law, a corporation organized  
          for the purpose of maintaining medical information in order to  
          make that information available to the patient, or a provider at  
          the request of the patient for purposes of diagnosis or  
          treatment, is deemed to be a provider of health care subject to  
          the requirements of the CMIA.  

          Personal health records (PHRs) are Internet-based applications  
          that allow individuals to gather, store, manage, and in some  
          cases share, personal health information.  Some insurers, health  
          maintenance organizations (HMOs), or medical provider groups  
          offer PHRs for their members, and certain Internet companies  
          sell PHRs for anyone to use.  In large part, the privacy  
          protections that apply to PHRs depend on where the PHR  
          originates.  For example, the Privacy Rights Clearinghouse noted  
          in a recent report that "a PHR that a doctor or a health plan  
          provides would fall under the laws that protect medical privacy  
          and set standards for maintaining the security of your medical  
          information.  This would include both HIPAA and the CMIA."  
          (Privacy Rights Clearinghouse, California Medical Privacy Fact  
          Sheet C7: Personal Health Records and Privacy  
           [as of May 28, 2013].)  However, as  
          these services are increasingly offered through mobile  
          applications, created and maintained by companies who provide  
          many services and products beyond PHRs, new privacy concerns  
          arise.

          Accordingly, this bill clarifies that businesses which offer  
          PHRs, whether online or through a mobile application, are  
          subject to CMIA requirements if they maintain medical  
          information that is derived from a health care provider, health  
          service plan, or other medical service contractor.

           Prior Legislation

           AB 1298 (Snyder, Chapter 699, Statutes of 2007) subjected any  
          business organized to maintain medical information for purposes  
          of making that information available to an individual or to a  
          health care provider, as specified, to the provisions of the  
          CMIA.

          AB 336 (Snyder, Chapter 1004, Statutes of 1993) deemed certain  
          corporations to be providers of health care under the CMIA.

           FISCAL EFFECT  :    Appropriation:  No   Fiscal Com.:  Yes    
          Local:  Yes

           SUPPORT  :   (Verified  7/1/13)

          California Chiropractic Association
          Consumer Federation of California
          Privacy Rights Clearinghouse

           ARGUMENTS IN SUPPORT  :    According to the author:

               Currently, the privacy protections that apply to medical  
               application software such as PHRs depend on where the  
               application originates.  A PHR that a doctor or a health  
               plan provides as part of one's medical coverage would fall  
               under the laws that protect medical privacy.  However, PHRs  
               from commercial vendors, including mobile medical  
               application vendors, are not covered.  In other words,  
               independent commercial vendors of personal health service  
               software are not subject to the requirement to keep medical  
               information collected and used in the operation of the  
               application confidential.  AB 658 would correct this  
               oversight by bringing commercial vendors' mobile devices  
               under the similar covered entities of the CMIA. 


           ASSEMBLY FLOOR  :  76-0, 5/9/13
          AYES:  Achadjian, Alejo, Allen, Ammiano, Atkins, Bigelow, Bloom,  
            Blumenfield, Bocanegra, Bonilla, Bonta, Bradford, Brown,  
            Buchanan, Ian Calderon, Campos, Chau, Chávez, Chesbro, Conway,  
            Cooley, Dahle, Daly, Dickinson, Donnelly, Eggman, Fong, Fox,  
            Frazier, Beth Gaines, Garcia, Gatto, Gomez, Gordon, Gorell,  
            Gray, Grove, Hagman, Hall, Harkey, Roger Hernández, Jones,  
            Jones-Sawyer, Levine, Linder, Lowenthal, Maienschein, Mansoor,  
            Medina, Melendez, Mitchell, Morrell, Mullin, Muratsuchi,  
            Nazarian, Nestande, Olsen, Pan, Patterson, Perea, V. Manuel  
            Pérez, Quirk, Quirk-Silva, Rendon, Salas, Skinner, Stone,  
            Ting, Torres, Wagner, Weber, Wieckowski, Wilk, Williams,  
            Yamada, John A. Pérez
          NO VOTE RECORDED:  Holden, Logue, Waldron, Vacancy


          AL:nl  7/2/13   Senate Floor Analyses 

                           SUPPORT/OPPOSITION:  SEE ABOVE

                                   ****  END  ****




