BILL ANALYSIS
AB 658
Page 1

CONCURRENCE IN SENATE AMENDMENTS

AB 658 (Ian Calderon)
As Amended June 24, 2013
Majority vote

-----------------------------------------------------------------
| ASSEMBLY: | 76-0 | (May 9, 2013)    | SENATE: | 37-0 | (August 19, 2013) |
-----------------------------------------------------------------

Original Committee Reference: JUD.

SUMMARY: Provides that any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information, as defined, for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual, shall be deemed to be a provider of health care subject to the state Confidentiality of Medical Information Act (CMIA). The Senate amendments add minor clarifying language.

EXISTING LAW:

1) Specifies, under the federal Health Insurance Portability and Accountability Act (HIPAA), privacy protections for patients' protected health information and generally provides that a covered entity, as defined, may not use or disclose protected health information except as specified or as authorized by the patient in writing.

2) Prohibits a health care provider, health care service plan, or contractor from disclosing medical information, as defined, regarding a patient, enrollee, or subscriber without first obtaining an authorization, except as specified. Provides that a valid authorization must comply with HIPAA and the CMIA.
3) Provides that any business organized for the purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or the provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis or treatment of the individual, shall be deemed to be a provider of health care subject to the requirements of the CMIA.

4) Provides that any provider of health care, health care service plan, pharmaceutical company, or contractor who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of written or electronic medical records shall be subject to damages in a civil action or an administrative fine, as specified.

5) Requires a health care provider, health care service plan, pharmaceutical company, or contractor who creates, maintains, preserves, stores, abandons, destroys, or disposes of written or electronic medical records to do so in a manner that preserves the confidentiality, accuracy, and integrity of the information contained therein.

6) Defines "medical information" to mean any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, condition, or treatment. Existing law defines "individually identifiable" to mean that the medical information includes or contains an element of personal information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity.

FISCAL EFFECT: According to the Senate Appropriations Committee, pursuant to Senate Rule 28.8, negligible state costs.
COMMENTS: The Confidentiality of Medical Information Act (CMIA) prohibits a health care provider, health care service plan, or medical contractor from sharing or disclosing a person's medical information without that person's consent. Existing law creates a number of mandatory and permissive exceptions to this general rule of no disclosure without consent. For example, mandatory exceptions include, among other things, disclosures in emergency situations or by order of a court, while permissive disclosures include those necessary for billing or administrative purposes, or for purposes of diagnosis or treatment of the patient. "Medical information" for purposes of the CMIA is defined to include "any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment." A person whose medical information has been disclosed or used in violation of the CMIA, and who has sustained economic loss or personal injury as a result, may recover compensatory and punitive damages, as prescribed.

This bill seeks to clarify that personal health records (PHRs), including those offered as an application, are subject to CMIA prohibitions. PHRs, according to the California Office of Privacy Protection, "are Internet-based applications that allow you to gather, store, manage, and in some cases share, information about your health or the health of someone in your care." Sometimes a PHR is offered as a service by a health care provider or health care plan, which would clearly be covered by the CMIA, but PHRs are also increasingly offered by private companies that provide this service for a fee. The company maintains the medical information in one place so the individual may access it or have it disclosed to the appropriate health care provider.
The main benefit of a PHR is that it allows an individual to manage his or her own medical information. This bill would clarify that a business that offers a PHR is covered by the CMIA. The bill would also clarify that a business that maintains medical information, as defined, is subject to the CMIA, regardless of whether the business was organized for that purpose.

Analysis Prepared by: Thomas Clark / JUD. / (916) 319-2334

FN: 0001421