BILL NUMBER: AB 2688	INTRODUCED
	BILL TEXT


INTRODUCED BY   Assembly Member Gordon

                        FEBRUARY 19, 2016

   An act to amend Section 56.05 of the Civil Code, relating to
privacy.



	LEGISLATIVE COUNSEL'S DIGEST


   AB 2688, as introduced, Gordon. Medical information privacy:
commercial health monitoring device.
   Existing federal law, the Health Insurance Portability and
Accountability Act of 1996 (HIPAA), establishes certain requirements
relating to the provision of health insurance, including provisions
relating to the confidentiality of health records. HIPAA prohibits a
covered entity that uses electronic means to perform HIPAA-covered
transactions, from using or disclosing personal health information
except pursuant to a written authorization signed by the patient or
for treatment, payment, or health care operations. Notwithstanding
those provisions, HIPAA allows a covered entity to maintain a
directory of patients in its facility for specified purposes, and to
disclose the protected health information of a patient to family
members, relatives, or other persons identified by the patient, if
certain conditions are met. Covered entities include health plans,
health care clearinghouses, such as billing services and community
health information systems, and health care providers that transmit
health care data in a way that is regulated by HIPAA. HIPAA further
provides that if its provisions conflict with a provision of state
law, the provision that is most protective of patient privacy
prevails.
   Existing law, the Confidentiality of Medical Information Act,
prohibits a provider of health care, a health care service plan, a
contractor, a corporation and its subsidiaries and affiliates, or any
business that offers software or hardware to consumers, including a
mobile application or other related device, as defined, from
intentionally sharing, selling, using for marketing, or otherwise
using any medical information, as defined, for any purpose not
necessary to provide health care services to a patient, except as
expressly authorized by the patient, enrollee, or subscriber, as
specified, or as otherwise required or authorized by law. A violation
of the provisions of this act that results in economic loss or
personal injury to a patient is a crime.
   The bill would include in the definition of "medical information"
for these purposes any individually identifiable information in
possession of or derived from a consumer health monitoring device, as
defined.
   By expanding the definition of an existing crime, this bill would
impose a state-mandated local program by creating new crimes.
   The California Constitution requires the state to reimburse local
agencies and school districts for certain costs mandated by the
state. Statutory provisions establish procedures for making that
reimbursement.
   This bill would provide that no reimbursement is required by this
act for a specified reason.
   Vote: majority. Appropriation: no. Fiscal committee: yes.
State-mandated local program: yes.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

  SECTION 1.  Section 56.05 of the Civil Code is amended to read:
   56.05.  For purposes of this part:
   (a) "Authorization" means permission granted in accordance with
Section 56.11 or 56.21 for the disclosure of medical information.
   (b) "Authorized recipient" means any person who is authorized to
receive medical information pursuant to Section 56.10 or 56.20.
   (c) "Confidential communications request" means a request by a
subscriber or enrollee that health care service plan communications
containing medical information be communicated to him or her at a
specific mail or email address or specific telephone number, as
designated by the subscriber or enrollee.
   (d) "Contractor" means any person or entity that is a medical
group, independent practice association, pharmaceutical benefits
manager, or a medical service organization and is not a health care
service plan or provider of health care. "Contractor" does not
include insurance institutions as defined in subdivision (k) of
Section 791.02 of the Insurance Code or pharmaceutical benefits
managers licensed pursuant to the Knox-Keene Health Care Service Plan
Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division
2 of the Health and Safety Code).
   (e) "Endanger" means that the subscriber or enrollee fears that
disclosure of his or her medical information could subject the
subscriber or enrollee to harassment or abuse.
   (f) "Enrollee" has the same meaning as that term is defined in
Section 1345 of the Health and Safety Code.
   (g) "Health care service plan" means any entity regulated pursuant
to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2
(commencing with Section 1340) of Division 2 of the Health and Safety
Code).
   (h) "Licensed health care professional" means any person licensed
or certified pursuant to Division 2 (commencing with Section 500) of
the Business and Professions Code, the Osteopathic Initiative Act or
the Chiropractic Initiative Act, or Division 2.5 (commencing with
Section 1797) of the Health and Safety Code.
   (i) "Marketing" means to make a communication about a product or
service that encourages recipients of the communication to purchase
or use the product or service.
   "Marketing" does not include any of the following:
   (1) Communications made orally or in writing for which the
communicator does not receive direct or indirect remuneration,
including, but not limited to, gifts, fees, payments, subsidies, or
other economic benefits, from a third party for making the
communication.
   (2) Communications made to current enrollees solely for the
purpose of describing a provider's participation in an existing
health care provider network or health plan network of a Knox-Keene
licensed health plan to which the enrollees already subscribe;
communications made to current enrollees solely for the purpose of
describing if, and the extent to which, a product or service, or
payment for a product or service, is provided by a provider,
contractor, or plan or included in a plan of benefits of a Knox-Keene
licensed health plan to which the enrollees already subscribe; or
communications made to plan enrollees describing the availability of
more cost-effective pharmaceuticals.
   (3) Communications that are tailored to the circumstances of a
particular individual to educate or advise the individual about
treatment options, and otherwise maintain the individual's adherence
to a prescribed course of medical treatment, as provided in Section
1399.901 of the Health and Safety Code, for a chronic and seriously
debilitating or life-threatening condition as defined in subdivisions
(d) and (e) of Section 1367.21 of the Health and Safety Code, if the
health care provider, contractor, or health plan receives direct or
indirect remuneration, including, but not limited to, gifts, fees,
payments, subsidies, or other economic benefits, from a third party
for making the communication, if all of the following apply:
   (A) The individual receiving the communication is notified in the
communication in typeface no smaller than 14-point type of the fact
that the provider, contractor, or health plan has been remunerated
and the source of the remuneration.
   (B) The individual is provided the opportunity to opt out of
receiving future remunerated communications.
   (C) The communication contains instructions in typeface no smaller
than 14-point type describing how the individual can opt out of
receiving further communications by calling a toll-free number of the
health care provider, contractor, or health plan making the
remunerated communications. No further communication may be made to
an individual who has opted out after 30 calendar days from the date
the individual makes the opt out request.
   (j) "Medical information" means any individually identifiable
information, in electronic or physical form, in possession of or
derived from a provider of health care, health care service plan,
commercial health monitoring device, pharmaceutical
company, or contractor regarding a patient's medical history, mental
or physical condition, or treatment. "Individually identifiable"
means that the medical information includes or contains any element
of personal identifying information sufficient to allow
identification of the individual, such as the patient's name,
address, electronic mail address, telephone number, or social
security number, or other information that, alone or in combination
with other publicly available information, reveals the individual's
identity.
   (k) "Patient" means any natural person, whether or not still
living, who received health care services from a provider of health
care and to whom medical information pertains.
   (l) "Pharmaceutical company" means any company or
business, or an agent or representative thereof, that manufactures,
sells, or distributes pharmaceuticals, medications, or prescription
drugs. "Pharmaceutical company" does not include a pharmaceutical
benefits manager, as included in subdivision (c), or a provider of
health care.
   (m) "Provider of health care" means any person licensed or
certified pursuant to Division 2 (commencing with Section 500) of the
Business and Professions Code; any person licensed pursuant to the
Osteopathic Initiative Act or the Chiropractic Initiative Act; any
person certified pursuant to Division 2.5 (commencing with Section
1797) of the Health and Safety Code; any clinic, health dispensary,
or health facility licensed pursuant to Division 2 (commencing with
Section 1200) of the Health and Safety Code. "Provider of health care"
does not include insurance institutions as defined in subdivision
(k) of Section 791.02 of the Insurance Code.
   (n) "Sensitive services" means all health care services described
in Sections 6924, 6925, 6926, 6927, 6928, and 6929 of the Family
Code, and Sections 121020 and 124260 of the Health and Safety Code,
obtained by a patient at or above the minimum age specified for
consenting to the service specified in the section.
   (o) "Subscriber" has the same meaning as that term is defined in
Section 1345 of the Health and Safety Code. 
   (p) "commercial health monitoring device" means a device capable
of connecting to the Internet that uses sensors to collect biometric
or physiologic data while in contact with the individual. 
  SEC. 2.  No reimbursement is required by this act pursuant to
Section 6 of Article XIII B of the California Constitution because
the only costs that may be incurred by a local agency or school
district will be incurred because this act creates a new crime or
infraction, eliminates a crime or infraction, or changes the penalty
for a crime or infraction, within the meaning of Section 17556 of the
Government Code, or changes the definition of a crime within the
meaning of Section 6 of Article XIII B of the California
Constitution.