AB 2688, as amended, Gordon. Privacy: commercial health monitoring programs.
Existing federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes certain requirements relating to the provision of health insurance, including provisions relating to the confidentiality of health records. HIPAA prohibits a covered entity that uses electronic means to perform HIPAA-covered transactions, from using or disclosing personal health information except pursuant to a written authorization signed by the patient or for treatment, payment, or health care operations. Notwithstanding those provisions, HIPAA allows a covered entity to maintain a directory of patients in its facility for specified purposes, and to disclose the protected health information of a patient to family members, relatives, or other persons identified by the patient, if certain conditions are met. Covered entities include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit health care data in a way that is regulated by HIPAA. HIPAA further provides that if its provisions conflict with a provision of state law, the provision that is most protective of patient privacy prevails.
Existing law, the Confidentiality of Medical Information Act, prohibits a provider of health care, a health care service plan, a contractor, a corporation and its subsidiaries and affiliates, or any business that offers software or hardware to consumers, including a mobile application or other related device, as defined, from intentionally sharing, selling, using for marketing, or otherwise using any medical information, as defined, for any purpose not necessary to provide health care services to a patient, except as expressly authorized by the patient, enrollee, or subscriber, as specified, or as otherwise required or authorized by law.
This bill would prohibit an operator of a commercial health monitoring program from intentionally sharing, selling, disclosing, using for marketing, or otherwise using health information in possession of or derived from a commercial health monitoring program to a 3rd party, as defined, without first obtaining explicit authorization, as provided, and would extend this prohibition to a 3rd party that solely provides a service to the program. The bill would also require an employer that receives health information in possession of or derived from a commercial health monitoring program to establish procedures to ensure the confidentiality of, and protection from unauthorized use and disclosure of, that information, as provided. The bill would further prohibit an employer from discriminating against an employee based on an employee’s health information or if that employee does not authorize the use of his or her health information.begin insert The bill would exempt a covered entity, provider of health care, business entity, health care service plan, contractor, employer, or any other person subject to and compliant with the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Confidentiality of Medical Information Act from these requirements.end insert
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Chapter 22.4 (commencing with Section 22596)
2is added to Division 8 of the Business and Professions Code, to
3read:
For purposes of this chapter:
5(a) “Commercial health monitoring program” means a
6commercial Internet Web site or online service used by consumers
7that collects health information regarding an individual’s mental
8or physical condition from sources including, but not limited to,
9manual entry, sensors, or both.
10(b) “Health information” mean any individually identifiable
11information, in electronic or physical form, in possession of, or
12derived from, a commercial health monitoring program regarding
13a consumer’s mental or physical condition.
14(c) “Individually
identifiable” means that the health information
15includes or contains an element of personal identifying information
16sufficient to allow identification of the individual, including, but
17not limited to, the individual’s name, address, electronic mail
18address, telephone number, social security number, or unique
19electronic identifier, or other information that, alone or in
20combination with other publicly available information, reveals the
21individual’s identity.
22(d) “Third party” means an advertising network, consumer data
23reseller, data analytics provider, provider of health care, health
24care service plan, pharmaceutical company, government entity,
25operating system or platform, social network, or other commercial
26Internet Web site or online service.
(a) An operator of a commercial health monitoring
28program shall not intentionally share, sell, disclose, use for
29marketing, or otherwise use health information to or with a third
30party without first obtaining explicit authorization from the
31individual. The request for authorization shall include the nature
32of the third party and the reason for the request.
33(b) (1) An authorization is not required where the third party
34solely provides services to the operator of the commercial health
35monitoring program.
36(2) A third party that solely provides services to the operator of
37the
commercial health monitoring program shall not further
38disclose health information, subject to the authorization
39requirements of subdivision (a).
P4 1(c) An operator of a commercial health monitoring program
2that creates, maintains, preserves, stores, abandons, destroys, or
3disposes of health information shall do so in a manner that
4preserves the confidentiality of the health information contained
5therein.
6(d) Thisbegin delete sectionend deletebegin insert chapterend insert is not intended to limit the required
7disclosure of health information pursuant to another provision of
8law.
9(e) Nothing in thisbegin delete sectionend deletebegin insert
chapterend insert shall be construed to limit
10or otherwise affect existing privacy protections provided for in
11state or federal law.
(a) An employer that receives health information
13shall establish appropriate procedures to ensure the confidentiality
14and protection from unauthorized use and disclosure of
15information. These procedures may include, but are not limited
16to, instruction regarding confidentiality of employees and agents
17handling files containing health information and security systems
18restricting access to files containing health information.
19(b) An employer shall not discriminate against an employee in
20any terms or conditions of employment due to that employee’s
21refusal to provide an authorization pursuant to Section 22596.1.
22(c) An employer shall not discriminate against an employee in
23any terms or conditions of employment due to the findings of that
24employee’s health information.
25(d) An employer shall not use, disclose, or knowingly permit
26its employees or agents to use or disclose health information which
27the employer possesses pertaining to its employees without first
28obtaining authorization to do so.
29(e) An employer that has attempted in good faith to comply with
30this section shall not be liable for any unauthorized use of the
31health information by the person or entity to which the employer
32disclosed the health information.
33(f) A recipient of health information pursuant to an authorization
34as provided by this chapter
shall not further disclose that health
35information unless in accordance with a new authorization.
(a) A covered entity, provider of health care, business
37entity, health care service plan, contractor, employer, or any other
38person subject to and compliant with the federal Health Insurance
39Portability and Accountability Act of 1996 (HIPAA) (P.L. 104-191)
40and the Confidentiality of Medical Information Act (Part 2.6
P5 1(commencing with Section 56) of Division 1 of the Civil Code)
2shall not be subject to this chapter.
3
(b) The definitions in those acts, in effect on January 1, 2016,
4shall apply to this section.
O
97