Amended in Assembly April 28, 2016

Amended in Assembly April 11, 2016

Amended in Assembly March 28, 2016

California Legislature—2015–16 Regular Session

Assembly Bill No. 2688


Introduced by Assembly Member Gordon

February 19, 2016


An act to add Chapter 22.4 (commencing with Section 22596) to Division 8 of the Business and Professions Code, relating to privacy.

LEGISLATIVE COUNSEL’S DIGEST

AB 2688, as amended, Gordon. Privacy: commercial health monitoring programs.

Existing federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes certain requirements relating to the provision of health insurance, including provisions relating to the confidentiality of health records. HIPAA prohibits a covered entity that uses electronic means to perform HIPAA-covered transactions, from using or disclosing personal health information except pursuant to a written authorization signed by the patient or for treatment, payment, or health care operations. Notwithstanding those provisions, HIPAA allows a covered entity to maintain a directory of patients in its facility for specified purposes, and to disclose the protected health information of a patient to family members, relatives, or other persons identified by the patient, if certain conditions are met. Covered entities include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit health care data in a way that is regulated by HIPAA. HIPAA further provides that if its provisions conflict with a provision of state law, the provision that is most protective of patient privacy prevails.

Existing law, the Confidentiality of Medical Information Act, prohibits a provider of health care, a health care service plan, a contractor, a corporation and its subsidiaries and affiliates, or any business that offers software or hardware to consumers, including a mobile application or other related device, as defined, from intentionally sharing, selling, using for marketing, or otherwise using any medical information, as defined, for any purpose not necessary to provide health care services to a patient, except as expressly authorized by the patient, enrollee, or subscriber, as specified, or as otherwise required or authorized by law.

This bill would prohibit an operator of a commercial health monitoring program from intentionally sharing, selling, [deleted: disclosing, using for marketing,] or [deleted: otherwise using] [inserted: disclosing] health [inserted: monitoring] information in possession of or derived from a commercial health monitoring program to a 3rd party, as defined, without first obtaining explicit authorization, as provided, and would [deleted: extend this prohibition to] [inserted: specify that an authorization is not required where monitoring] a 3rd party [deleted: that] solely provides a service to the [deleted: program.] [inserted: program and does not further use or disclose health monitoring information.] The bill would also require an employer that receives health [inserted: monitoring] information in possession of or derived from a commercial health monitoring program to establish procedures to ensure the confidentiality [deleted: of, and protection from unauthorized use and disclosure of,] [inserted: and security of] that information, as provided. The bill would further prohibit an employer from discriminating against an employee based on an employee’s health [inserted: monitoring] information or if that employee does not authorize the use of his or her health [inserted: monitoring] information. The bill would exempt a covered entity, provider of health care, business [deleted: entity,] [inserted: associate,] health care service plan, contractor, employer, or any other person subject to [deleted: and compliant with] the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) [deleted: and] [inserted: or] the Confidentiality of Medical Information Act from these requirements.

Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Chapter 22.4 (commencing with Section 22596) is added to Division 8 of the Business and Professions Code, to read:

Chapter 22.4. Digital Commercial Health Monitoring Programs

22596. For purposes of this chapter:

(a) “Commercial health monitoring program” means a commercial Internet Web site or online service used by consumers that collects health [inserted: monitoring] information regarding [deleted: an individual’s] [inserted: the consumer’s] mental or physical condition from sources including, but not limited to, manual entry, sensors, or both.

(b) “Health [inserted: monitoring] information” [deleted: mean] [inserted: means] any individually identifiable information, in electronic or physical form, in possession of, or derived from, a commercial health monitoring program regarding a consumer’s mental or physical condition.

(c) “Individually identifiable” means that the health [inserted: monitoring] information includes or contains an element of personal identifying information sufficient to allow identification of the [deleted: individual,] [inserted: consumer,] including, but not limited to, the [deleted: individual’s] [inserted: consumer’s] name, address, electronic mail address, telephone number, social security number, or unique electronic identifier, or other information that, alone or in combination with other publicly available information, reveals the [deleted: individual’s] [inserted: consumer’s] identity.

(d) “Third party” [deleted: means] [inserted: includes, but is not limited to,] an advertising network, consumer data reseller, data analytics provider, [deleted: provider of health care,] health care service plan, pharmaceutical company, government entity, operating system or platform, social network, or other commercial Internet Web site or online service.

[inserted: (e) “Consumer” includes employees of employers subject to the provisions of Section 22596.2.]

[inserted: (f) “Business associate” means a person or entity who provides, other than in the capacity of a member of the workforce of an operator of a commercial health monitoring program, legal, actuarial, accounting, consulting, data aggregation (as defined in the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191)), management, administrative, accreditation, or financial services to or for a consumer health monitoring program where the provision of the service involves the disclosure of health monitoring information from a commercial health monitoring program or from another business associate of a commercial health monitoring program.]

22596.1. (a) An operator of a commercial health monitoring program shall not intentionally share, sell, [deleted: disclose, use for marketing,] or [deleted: otherwise use] [inserted: disclose] health [inserted: monitoring] information to or with a third party without first obtaining [inserted: from the consumer] explicit [inserted: opt-in] authorization [deleted: from the individual. The] [inserted: which fulfills the following requirements:]

[inserted: (1) The request for authorization shall be clear, conspicuous, and separate from all other authorizations or agreements.]

[inserted: (2) The] request for authorization shall include the [inserted: name and] nature of the third party and the reason for the request.

[inserted: (3) Each request for authorization shall be limited to a single third-party entity.]

[inserted: (4) A consumer’s refusal to authorize third-party disclosure of health monitoring information shall not limit the consumer’s ability to use the commercial health monitoring program even if features and services provided by the specific third party are inoperable.]

[inserted: (5) A waiver of any legal right, penalty, remedy, forum, or enforcement procedure imposed as a condition of use is unconscionable and unenforceable. Any person who seeks to enforce such a waiver shall have the burden of proving that the waiver was knowing and voluntary and was not made as a condition of use.]

[inserted: (6) Each request for authorization shall state that a consumer has the right to revoke the authorization at any time without cost or penalty by a readily accessible method.]

(b) [deleted: (1) An] [inserted: Notwithstanding subdivision (a), an] authorization is not required where the third party solely provides services to the operator of the commercial health monitoring [deleted: program.] [inserted: program and does not further use or disclose health monitoring information.]

[deleted: (2) A third party that solely provides services to the operator of the commercial health monitoring program shall not further disclose health information, subject to the authorization requirements of subdivision (a).]

(c) An operator of a commercial health monitoring program that creates, maintains, preserves, stores, abandons, destroys, or disposes of health [inserted: monitoring] information shall do so in a manner that preserves the [inserted: security and] confidentiality of the health [inserted: monitoring] information contained therein.

(d) This chapter is not intended to limit the required disclosure of health [inserted: monitoring] information pursuant to another provision of law.

(e) Nothing in this chapter shall be construed to limit or otherwise [deleted: affect] [inserted: reduce] existing privacy protections provided for in state or federal law.

[inserted: (f) Health monitoring information may be disclosed to a provider of health care or other health care professional or facility to aid the diagnosis or treatment of the consumer, where the consumer is unable to authorize the disclosure due to an emergent medical condition.]

22596.2. (a) An employer that receives health [inserted: monitoring] information shall establish appropriate procedures to ensure the [inserted: security and] confidentiality [deleted: and protection from unauthorized use and disclosure] of information. These procedures may include, but are not limited to, instruction regarding confidentiality of employees and agents handling files containing health [inserted: monitoring] information and security systems restricting access to files containing health [inserted: monitoring] information.

(b) An employer shall not discriminate against an employee in any terms or conditions of employment due to that employee’s refusal to provide an authorization pursuant to Section 22596.1.

(c) An employer shall not discriminate against an employee in any terms or conditions of employment due to the findings of that employee’s health [inserted: monitoring] information.

(d) An employer shall not use, disclose, or knowingly permit its employees or agents to use or disclose health [inserted: monitoring] information which the employer possesses pertaining to its employees without first obtaining authorization to do so.

(e) An employer that has attempted in good faith to comply with this section shall not be liable for any unauthorized use [inserted: or disclosure] of the health [inserted: monitoring] information by the person or entity to which the employer disclosed the health [inserted: monitoring] information.

(f) A recipient of health [inserted: monitoring] information pursuant to an authorization as provided by this chapter shall not further disclose that health [inserted: monitoring] information unless in accordance with a new authorization.

22596.3. (a) A covered entity, provider of health care, business [deleted: entity,] [inserted: associate,] health care service plan, contractor, employer, or any other person subject to [deleted: and compliant with] the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) [deleted: (P.L.] [inserted: (Public Law] 104-191) [deleted: and] [inserted: or] the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) shall not be subject to this [deleted: chapter.] [inserted: chapter with respect to any activity regulated by those acts.]

(b) The definitions in those acts, in effect on January 1, 2016, shall apply to this section.


