California Legislature—2015–16 Regular Session

Assembly Bill No. 2688


Introduced by Assembly Member Gordon

February 19, 2016


An act to amend Section 56.05 of the Civil Code, relating to privacy.

LEGISLATIVE COUNSEL’S DIGEST

AB 2688, as introduced, Gordon. Medical information privacy: commercial health monitoring device.

Existing federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes certain requirements relating to the provision of health insurance, including provisions relating to the confidentiality of health records. HIPAA prohibits a covered entity that uses electronic means to perform HIPAA-covered transactions, from using or disclosing personal health information except pursuant to a written authorization signed by the patient or for treatment, payment, or health care operations. Notwithstanding those provisions, HIPAA allows a covered entity to maintain a directory of patients in its facility for specified purposes, and to disclose the protected health information of a patient to family members, relatives, or other persons identified by the patient, if certain conditions are met. Covered entities include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit health care data in a way that is regulated by HIPAA. HIPAA further provides that if its provisions conflict with a provision of state law, the provision that is most protective of patient privacy prevails.

Existing law, the Confidentiality of Medical Information Act, prohibits a provider of health care, a health care service plan, a contractor, a corporation and its subsidiaries and affiliates, or any business that offers software or hardware to consumers, including a mobile application or other related device, as defined, from intentionally sharing, selling, using for marketing, or otherwise using any medical information, as defined, for any purpose not necessary to provide health care services to a patient, except as expressly authorized by the patient, enrollee, or subscriber, as specified, or as otherwise required or authorized by law. A violation of the provisions of this act that results in economic loss or personal injury to a patient is a crime.

The bill would include in the definition of “medical information” for these purposes any individually identifiable information in possession of or derived from a consumer health monitoring device, as defined.

By expanding the definition of an existing crime, this bill would impose a state-mandated local program by creating new crimes.

The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.

This bill would provide that no reimbursement is required by this act for a specified reason.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: yes.

The people of the State of California do enact as follows:

SECTION 1. Section 56.05 of the Civil Code is amended to read:

56.05. For purposes of this part:

(a) “Authorization” means permission granted in accordance with Section 56.11 or 56.21 for the disclosure of medical information.

(b) “Authorized recipient” means any person who is authorized to receive medical information pursuant to Section 56.10 or 56.20.

(c) “Confidential communications request” means a request by a subscriber or enrollee that health care service plan communications containing medical information be communicated to him or her at a specific mail or email address or specific telephone number, as designated by the subscriber or enrollee.

(d) “Contractor” means any person or entity that is a medical group, independent practice association, pharmaceutical benefits manager, or a medical service organization and is not a health care service plan or provider of health care. “Contractor” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code or pharmaceutical benefits managers licensed pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).

(e) “Endanger” means that the subscriber or enrollee fears that disclosure of his or her medical information could subject the subscriber or enrollee to harassment or abuse.

(f) “Enrollee” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.

(g) “Health care service plan” means any entity regulated pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).

(h) “Licensed health care professional” means any person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code, the Osteopathic Initiative Act or the Chiropractic Initiative Act, or Division 2.5 (commencing with Section 1797) of the Health and Safety Code.

(i) “Marketing” means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.

“Marketing” does not include any of the following:

(1) Communications made orally or in writing for which the communicator does not receive direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication.

(2) Communications made to current enrollees solely for the purpose of describing a provider’s participation in an existing health care provider network or health plan network of a Knox-Keene licensed health plan to which the enrollees already subscribe; communications made to current enrollees solely for the purpose of describing if, and the extent to which, a product or service, or payment for a product or service, is provided by a provider, contractor, or plan or included in a plan of benefits of a Knox-Keene licensed health plan to which the enrollees already subscribe; or communications made to plan enrollees describing the availability of more cost-effective pharmaceuticals.

(3) Communications that are tailored to the circumstances of a particular individual to educate or advise the individual about treatment options, and otherwise maintain the individual’s adherence to a prescribed course of medical treatment, as provided in Section 1399.901 of the Health and Safety Code, for a chronic and seriously debilitating or life-threatening condition as defined in subdivisions (d) and (e) of Section 1367.21 of the Health and Safety Code, if the health care provider, contractor, or health plan receives direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication, if all of the following apply:

(A) The individual receiving the communication is notified in the communication in typeface no smaller than 14-point type of the fact that the provider, contractor, or health plan has been remunerated and the source of the remuneration.

(B) The individual is provided the opportunity to opt out of receiving future remunerated communications.

(C) The communication contains instructions in typeface no smaller than 14-point type describing how the individual can opt out of receiving further communications by calling a toll-free number of the health care provider, contractor, or health plan making the remunerated communications. No further communication may be made to an individual who has opted out after 30 calendar days from the date the individual makes the opt out request.

(j) “Medical information” means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, begin insert commercial health monitoring device, end insert pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.

(k) “Patient” means any natural person, whether or not still living, who received health care services from a provider of health care and to whom medical information pertains.

(l) “Pharmaceutical company” means any company or business, or an agent or representative thereof, that manufactures, sells, or distributes pharmaceuticals, medications, or prescription drugs. “Pharmaceutical company” does not include a pharmaceutical benefits manager, as included in subdivision (c), or a provider of health care.

(m) “Provider of health care” means any person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code; any person licensed pursuant to the Osteopathic Initiative Act or the Chiropractic Initiative Act; any person certified pursuant to Division 2.5 (commencing with Section 1797) of the Health and Safety Code; any clinic, health dispensary, or health facility licensed pursuant to Division 2 (commencing with Section 1200) of the Health and Safety Code. “Provider of health care” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code.

(n) “Sensitive services” means all health care services described in Sections 6924, 6925, 6926, 6927, 6928, and 6929 of the Family Code, and Sections 121020 and 124260 of the Health and Safety Code, obtained by a patient at or above the minimum age specified for consenting to the service specified in the section.

(o) “Subscriber” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.

begin insert

(p) “commercial health monitoring device” means a device capable of connecting to the Internet that uses sensors to collect biometric or physiologic data while in contact with the individual.

end insert

SEC. 2. No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.


