BILL ANALYSIS



                                                                  AB 658
                                                                  Page  1

          CONCURRENCE IN SENATE AMENDMENTS
          AB 658 (Ian Calderon)
          As Amended June 24, 2013
          Majority vote 
           
           ----------------------------------------------------------------- 
          |ASSEMBLY:  |76-0 |(May 9, 2013)   |SENATE: |37-0 |(August 19,    |
          |           |     |                |        |     |2013)          |
           ----------------------------------------------------------------- 
            
           Original Committee Reference:    JUD.  

           SUMMARY  :  Provides that any business that offers software or hardware  
          to consumers, including a mobile application or other related  
          device that is designed to maintain medical information, as  
          defined, for purposes of allowing the individual to manage his  
          or her information, or for the diagnosis, treatment, or  
          management of a medical condition of the individual, shall be  
          deemed to be a provider of health care subject to the state  
          Confidentiality of Medical Information Act (CMIA). 
                
           The Senate amendments  add minor clarifying language. 
           
          EXISTING LAW  :

          1)Specifies, under the federal Health Insurance Portability and  
            Accountability Act (HIPAA), privacy protections for patients'  
            protected health information and generally provides that a  
            covered entity, as defined, may not use or disclose protected  
            health information except as specified or as authorized by the  
            patient in writing.  

          2)Prohibits a health care provider, health care service plan, or  
            contractor from disclosing medical information, as defined,  
            regarding a patient, enrollee, or subscriber without first  
            obtaining an authorization, except as specified.  Provides  
            that a valid authorization must comply with HIPAA and the  
            CMIA.  

          3)Provides that any business organized for the purpose of  
            maintaining medical information in order to make the  
            information available to an individual or to a provider of  
            health care at the request of the individual or the provider  
            of health care, for purposes of allowing the individual to  
            manage his or her information, or for the diagnosis of  
            treatment of the individual, shall be deemed to be a provider  
            of health care subject to the requirements of the CMIA.  

          4)Provides that any provider of health care, health care service  
            plan, pharmaceutical company, or contractor who negligently  
            creates, maintains, preserves, stores, abandons, destroys, or  
            disposes of written or electronic medical records shall be  
            subject to damages in a civil action or an administrative  
            fine, as specified.  

          5)Requires a health care provider, health care service plan,  
            pharmaceutical company, or contractor who creates, maintains,  
            preserves, stores, abandons, destroys, or disposes of written  
            or electronic medical records to do so in a manner that  
            preserves the confidentiality, accuracy, and integrity of the  
            information contained therein.  

          6)Defines "medical information" to mean any individually  
            identifiable information, in electronic or physical form, in  
            possession of or derived from a provider of health care,  
            health care service plan, pharmaceutical company, or  
            contractor regarding a patient's medical history, condition,  
            or treatment.  Existing law defines "individually  
            identifiable" to mean that the medical information includes or  
            contains an element of personal information sufficient to  
            allow identification of the individual, such as the patient's  
            name, address, electronic mail address, telephone number, or  
            social security number, or other information that, alone or in  
            combination with other publicly available information, reveals  
            the individual's identity.  

           FISCAL EFFECT  :  According to the Senate Appropriations  
          Committee, pursuant to Senate Rule 28.8, negligible state costs.

           COMMENTS  :  The Confidentiality of Medical Information Act (CMIA)  
          prohibits a health care provider, health care service plan, or  
          medical contractor from sharing or disclosing a person's medical  
          information without that person's consent.  Existing law creates  
          a number of mandatory and permissive exceptions to this general  
          rule of no disclosure without consent.  For example, mandatory  
          exemptions include, among other things, emergency situations or  
          by order of a court, while permissive disclosures include those  
          necessary for billing or administrative purposes, or for  
          purposes of diagnosis or treatment of the patient.  "Medical  
          information" for purposes of the CMIA is defined to include "any  
          individually identifiable information, in electronic or physical  
          form, in possession of or derived from a provider of health  
          care, health care service plan, pharmaceutical company, or  
          contractor regarding a patient's medical history, mental or  
          physical condition, or treatment."  A person whose medical  
          information has been disclosed or used in violation of the CMIA,  
          and who has sustained economic loss or personal injury as a  
          result, may recover compensatory and punitive damages, as  
          prescribed.  
          
           This bill seeks to clarify that personal health records (PHRs),  
          including those offered as an application, are subject to CMIA  
          prohibitions.  PHRs, according to the California Office of Privacy  
          Protection, "are Internet-based applications that allow you to  
          gather, store, manage, and in some cases share, information  
          about your health or the health of someone in your care."   
          Sometimes a PHR would be offered as a service by a health care  
          provider or health care plan - which would clearly be covered by  
          CMIA - but PHRs are also increasingly offered by private  
          companies that provide this service for a fee.  The company  
          maintains the medical information in one place so the individual  
          may access it or have it disclosed to the appropriate health  
          care provider.  The main benefit of a PHR is that it allows an  
          individual to manage his or her own medical information.  This  
          bill would clarify that a business that offers a PHR is covered  
          by the CMIA. The bill would also clarify that a business that maintains  
          medical information, as defined, is subject to CMIA, regardless  
          of whether the business was organized for that purpose or not. 

           
          Analysis Prepared by  :    Thomas Clark / JUD. / (916) 319-2334 


          FN:  
          0001421