AB 2688, as amended, Gordon. Privacy: commercial health monitoring programs.
Existing federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes certain requirements relating to the provision of health insurance, including provisions relating to the confidentiality of health records. HIPAA prohibits a covered entity that uses electronic means to perform HIPAA-covered transactions from using or disclosing personal health information except pursuant to a written authorization signed by the patient or for treatment, payment, or health care operations. Notwithstanding those provisions, HIPAA allows a covered entity to maintain a directory of patients in its facility for specified purposes, and to disclose the protected health information of a patient to family members, relatives, or other persons identified by the patient, if certain conditions are met. Covered entities include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit health care data in a way that is regulated by HIPAA. HIPAA further provides that if its provisions conflict with a provision of state law, the provision that is most protective of patient privacy prevails.
Existing law, the Confidentiality of Medical Information Act, prohibits a provider of health care, a health care service plan, a contractor, a corporation and its subsidiaries and affiliates, or any business that offers software or hardware to consumers, including a mobile application or other related device, as defined, from intentionally sharing, selling, using for marketing, or otherwise using any medical information, as defined, for any purpose not necessary to provide health care services to a patient, except as expressly authorized by the patient, enrollee, or subscriber, as specified, or as otherwise required or authorized by law.
This bill would prohibit an operator of a commercial health monitoring program from intentionally sharing, selling, or disclosing begin insert individually identifiable end insert health monitoring information in possession of or derived from a commercial health monitoring program to a 3rd party, as defined, without first begin delete obtaining explicit authorization, as provided, and would specify that an authorization is not required where monitoring a 3rd party solely provides a service to the program and does not further use or disclose health monitoring information. end delete begin insert providing clear and conspicuous notice and obtaining the consumer’s affirmative consent, as provided, and would provide that individually identifiable information may be disclosed to specified entities without consent under specified circumstances, including to a government official if necessary to prevent an emergency involving the danger of death or serious physical injury to a person, if the disclosing entity provides notice of the disclosure as soon as practicable. end insert The bill would also require an employer that receives health monitoring information in possession of or derived from a commercial health monitoring program to establish procedures to begin delete ensure end delete begin insert preserve end insert the confidentiality and security of that information, as provided. The bill would further prohibit an employer from discriminating against an employee based on an employee’s health monitoring information or if that employee does not begin delete authorize end delete begin insert consent to end insert the use of his or her health monitoring information. The bill would exempt a covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Confidentiality of Medical Information Act from these requirements.
Vote: majority. Appropriation: no. Fiscal committee: no. State-mandated local program: no.
The people of the State of California do enact as follows:
Chapter 22.4 (commencing with Section 22596) is added to Division 8 of the Business and Professions Code, to read:

For purposes of this chapter:
(a) “Commercial health monitoring program” means a commercial Internet Web begin delete site or online service used by consumers that collects health monitoring information regarding the consumer’s mental or physical condition from sources including, but not limited to, manual entry, sensors, or both. end delete begin insert site, online service, or product used by consumers whose primary purpose is to collect the consumer’s individually identifiable health monitoring information. end insert

begin insert (b) “Consumer” includes, but is not limited to, employees of employers subject to the provisions of Section 22596.2. end insert

begin insert (c) “Health care provider” has the meaning given that term in the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191). end insert

begin delete (b) end delete begin insert (d) end insert “Health monitoring information” means begin delete any individually identifiable end delete information, in electronic or physical form, begin delete in possession of, or derived from, a commercial health monitoring program regarding a consumer’s mental or physical condition. end delete begin insert about a consumer’s mental or physical condition that is collected by a commercial health monitoring program through a direct measurement of a consumer’s mental or physical condition or through user input regarding a consumer’s mental or physical condition into a commercial health monitoring program. end insert

begin delete (c) end delete begin insert (e) end insert “Individually identifiable” means begin delete that the health monitoring end delete information begin insert that end insert includes or contains an element of personal identifying information sufficient to allow identification of the consumer, including, but not limited to, the consumer’s name, address, electronic mail address, telephone number, social security number, or unique electronic identifier, or other information that, alone or in combination with other publicly available information, reveals the consumer’s identity.

begin delete (d) “Third party” includes, but is not limited to, an advertising network, consumer data reseller, data analytics provider, health care service plan, pharmaceutical company, government entity, operating system or platform, social network, or other commercial Internet Web site or online service. end delete

begin delete (e) “Consumer” includes employees of employers subject to the provisions of Section 22596.2. end delete

begin delete (f) “Business associate” means a person or entity who provides, other than in the capacity of a member of the workforce of an operator of a commercial health monitoring program, legal, actuarial, accounting, consulting, data aggregation (as defined in the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191)), management, administrative, accreditation, or financial services to or for a consumer health monitoring program where the provision of the service involves the disclosure of health monitoring information from a commercial health monitoring program or from another business associate of a commercial health monitoring program. end delete

begin insert (f) “Service provider” means an entity that does not further use or disclose individually identifiable health information except at the direction of the commercial health monitoring program to other service providers of the commercial health monitoring programs and does either of the following:

(1) Provides services to the operator, or on behalf of the operator, of the commercial health monitoring program that solely support the functionality or operation of the commercial health monitoring program.

(2) Controls, is controlled by, or is under common control with the provider of the commercial health monitoring program where both of the following apply:

(A) The entity maintains third-party data sharing practices, with respect to individually identifiable health monitoring information, that are at least as protective of privacy as those of the commercial health monitoring program.

(B) The operator of the commercial health monitoring program disclosing the individually identifiable health monitoring information and the entity receiving the individually identifiable health monitoring information are both principally engaged in the same line of business. end insert

begin insert (g) “Third party” means an entity that is not a service provider, with whom the consumer does not have a direct relationship with respect to the consumer’s use of the commercial health monitoring program, and whose processing of individually identifiable health monitoring information is not otherwise necessary for the functionality of the commercial health monitoring program. end insert
(a) An operator of a commercial health monitoring program shall not intentionally share, sell, or disclose begin insert individually identifiable end insert health monitoring information to or with a third party without first begin delete obtaining from the consumer explicit opt-in authorization which end delete begin insert obtaining the consumer’s affirmative consent that end insert fulfills the following requirements:

(1) The request for begin delete authorization shall be clear, conspicuous, and end delete begin insert consent shall be end insert separate from all other authorizations or agreements.

(2) The request for begin delete authorization end delete begin insert consent end insert shall include the name begin delete and end delete begin insert or end insert nature of the third party and the begin delete reason end delete begin insert purpose end insert for the request.

begin delete (3) Each request for authorization shall be limited to a single third-party entity. end delete

begin delete (4) end delete begin insert (3) end insert begin insert (A) end insert A consumer’s refusal to begin delete authorize third-party end delete begin insert consent to third-party sharing, sale, or end insert disclosure of begin insert individually identifiable end insert health monitoring information shall not limit the consumer’s ability to use the commercial health monitoring program even if features and services provided by the specific third party are inoperable.

begin delete (5) A waiver of any legal right, penalty, remedy, forum, or enforcement procedure imposed as a condition of use is unconscionable and unenforceable. Any person who seeks to enforce such a waiver shall have the burden of proving that the waiver was knowing and voluntary and was not made as a condition of use. end delete

begin delete (6) Each request for authorization shall state that a consumer has the right to revoke the authorization at any time without cost or penalty by a readily accessible method. end delete

begin delete (b) Notwithstanding subdivision (a), an authorization is not required where the third party solely provides services to the operator of the commercial health monitoring program and does not further use or disclose health monitoring information. end delete

begin insert (B) This paragraph does not apply if the primary function of the commercial health monitoring program is the sharing, sale, or disclosure of individually identifiable health monitoring information to third parties and the consumer is notified of this function at the time of the request for consent. end insert

begin insert (4) A waiver of any legal right, penalty, remedy, forum, or enforcement procedure presented to the consumer in the consent described by this section is unenforceable and void as a matter of law. end insert

begin insert (b) An operator of a commercial health monitoring program shall make available and provide notice of a process whereby a consumer may withdraw the consent granted in subdivision (a), though the notice does not expressly need to be included in the consent described in subdivision (a). Any withdrawal of consent shall apply prospectively and shall not impact valid disclosures and consent prior to the operative date of withdrawal. end insert

begin insert (c) Where health monitoring information is stored in an individually identifiable manner, upon request by the consumer, the operator of the commercial health monitoring program shall delete or provide to the consumer his or her individually identifiable health monitoring information. A commercial health monitoring program may assess a reasonable administrative charge for the cost of accessing, copying, or deleting individually identifiable health monitoring information under this chapter. end insert

begin delete (c) end delete begin insert (d) end insert An operator of a commercial health monitoring program that creates, maintains, preserves, stores, abandons, begin insert deletes, end insert destroys, or disposes of health monitoring information shall do so in a manner begin delete that preserves end delete begin insert to preserve end insert the security and confidentiality of the begin insert individually identifiable end insert health monitoring information contained therein.

begin delete (d) end delete begin insert (e) end insert This chapter is not intended to limit the required disclosure of begin insert individually identifiable end insert health monitoring information pursuant to another provision of law.

begin delete (e) end delete begin insert (f) end insert Nothing in this chapter shall be construed to limit or otherwise reduce existing privacy protections provided for in state or federal law.

begin delete (f) Health monitoring information may be disclosed to a provider of health care or other health care professional or facility to aid the diagnosis or treatment of the consumer, where the consumer is unable to authorize the disclosure due to an emergent medical condition. end delete

begin insert (g) Individually identifiable health monitoring information may be disclosed to the following persons without satisfying the consent requirements of this chapter if the disclosing entity provides notice of the disclosure to the consumer whose individually identifiable health monitoring information was disclosed as soon as practicable:

(1) To a health care provider to aid in the diagnosis or treatment of the consumer, where the consumer is unable to consent to the disclosure due to an emergent medical condition.

(2) To a government official if necessary to prevent an emergency involving danger of death or serious physical injury to a person, that requires access to the individually identifiable commercial health information. end insert

begin insert (h) A recipient of individually identifiable health monitoring information that is not a commercial health monitoring program shall not further disclose that health monitoring information. Responsibility for a violation of this paragraph shall not rest with the commercial health monitoring agency but with the disclosing entity. end insert
(a) An employer that receives health monitoring information shall establish appropriate procedures to begin delete ensure end delete begin insert preserve end insert the security and confidentiality of information. These procedures may include, but are not limited to, instruction regarding confidentiality of employees and agents handling files containing health monitoring information and security systems restricting access to files containing begin delete health monitoring end delete begin insert that end insert information.

(b) An employer shall not discriminate against an employee in any terms or conditions of employment due to that employee’s refusal to provide begin delete an authorization end delete begin insert consent end insert pursuant to Section 22596.1.

(c) An employer shall not discriminate against an employee in any terms or conditions of employment due to the findings of that employee’s health monitoring information.

(d) An employer shall not use, disclose, or knowingly permit its employees or agents to use or disclose begin insert individually identifiable end insert health monitoring information begin delete which end delete begin insert that end insert the employer possesses pertaining to its employees without first obtaining begin delete authorization to do so. end delete begin insert that employee’s consent to do so pursuant to Section 22596. end insert

(e) An employer that has begin delete attempted in good faith to comply end delete begin insert complied end insert with this section shall not be liable for any unauthorized use or disclosure of begin delete the end delete begin insert individually identifiable end insert health monitoring begin delete information by the person or entity to which the employer disclosed the health monitoring end delete information.

begin delete (f) A recipient of health monitoring information pursuant to an authorization as provided by this chapter shall not further disclose that health monitoring information unless in accordance with a new authorization. end delete

begin insert (f) An entity that is not a commercial health monitoring program that receives individually identifiable health monitoring information from an employer shall not further disclose that health monitoring information. Responsibility for a violation of this paragraph shall not rest with the commercial health monitoring program or with the employer but with the disclosing entity. end insert
(a) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law begin delete 104-191) end delete begin insert 104-191) end insert or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) shall not be subject to this chapter with respect to any activity begin insert or exemption end insert regulated by those acts.

(b) The definitions in those acts, in effect on January 1, 2016, shall apply to this section.