BILL ANALYSIS AB 2688 Page 1

Date of Hearing: May 3, 2016

ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Ed Chau, Chair

AB 2688 (Gordon) - As Amended April 28, 2016

SUBJECT: Privacy: commercial health monitoring programs

SUMMARY: Prohibits the operator of a commercial health monitoring program, such as a wearable fitness device connected to the Internet, from sharing or using a consumer's health monitoring information without explicit authorization, and prohibits employers from using health monitoring information collected through a commercial health monitoring program to discriminate against employees. Specifically, this bill:

1) Prohibits an operator of a commercial health monitoring program from intentionally sharing, selling or disclosing health monitoring information to or with a third party without first obtaining from the consumer explicit opt-in authorization, as specified.

2) Requires that the opt-in authorization request fulfill the following requirements:

a) Be clear, conspicuous and separate from all other authorizations or agreements;

b) Include the name and nature of the third party and the reason for the request;

c) Be limited to a single third-party entity;

d) Provide that a consumer's refusal to authorize third-party disclosure of health monitoring information shall not limit the consumer's ability to use the commercial health monitoring program even if features and services provided by the specific third party are inoperable;

e) Provide that the waiver of any legal right, penalty, remedy, forum, or enforcement procedure imposed as a condition of use is unconscionable and unenforceable, and that any person who seeks to enforce such a waiver shall have the burden of proving that the waiver was knowing and voluntary and was not made as a condition of use; and

f) State that a consumer has the right to revoke the authorization at any time without cost or penalty by a readily accessible method.
3) Specifies that an authorization is not required where the third party solely provides services to the operator of the commercial health monitoring program and does not further use or disclose health monitoring information.

4) Requires an operator of a commercial health monitoring program that creates, maintains, preserves, stores, abandons, destroys, or disposes of health monitoring information to do so in a manner that preserves the security and confidentiality of the health monitoring information contained therein.

5) Provides that the provisions of this bill are not intended to limit the required disclosure of health monitoring information pursuant to another provision of law.

6) Provides that the provisions of this bill shall not be construed to limit or otherwise reduce existing privacy protections provided for in state or federal law.

7) Permits health monitoring information to be disclosed to a provider of health care or other health care professional or facility to aid the diagnosis or treatment of the consumer, where the consumer is unable to authorize the disclosure due to an emergent medical condition.

8) Requires an employer that receives health monitoring information to establish appropriate procedures to ensure the security and confidentiality of the information, which may include instruction regarding confidentiality for employees and agents handling files containing health monitoring information, and security systems restricting access to files containing health monitoring information.

9) Prohibits an employer from discriminating against an employee in any terms or conditions of employment due to that employee's refusal to provide an authorization to share, sell, disclose or use an individual's health monitoring information.

10) Prohibits an employer from discriminating against an employee in any terms or conditions of employment due to the findings of that employee's health monitoring information.
11) Prohibits an employer from using, disclosing, or knowingly permitting its employees or agents to use or disclose health monitoring information which the employer possesses pertaining to its employees without first obtaining authorization to do so.

12) Exempts an employer that has attempted in good faith to comply with the requirements and prohibitions of this bill from liability for any unauthorized use or disclosure of the health monitoring information by the person or entity to which the employer disclosed the health monitoring information.

13) Prohibits a recipient of health monitoring information pursuant to an authorization from further disclosing that health monitoring information unless in accordance with a new authorization.

14) Exempts from the provisions of this bill any covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA).

15) Applies the definitions contained in HIPAA and CMIA as of January 1, 2016, to the provisions of this bill.

16) Defines "commercial health monitoring program" to mean "a commercial Internet Web site or online service used by consumers that collects health monitoring information regarding the consumer's mental or physical condition from sources including, but not limited to, manual entry, sensors, or both."

17) Defines "health monitoring information" to mean "any individually identifiable information, in electronic or physical form, in possession of, or derived from, a commercial health monitoring program regarding a consumer's mental or physical condition."
18) Defines "individually identifiable" to mean "that the health monitoring information includes or contains an element of personal identifying information sufficient to allow identification of the consumer, including, but not limited to, the consumer's name, address, electronic mail address, telephone number, social security number, or unique electronic identifier, or other information that, alone or in combination with other publicly available information, reveals the consumer's identity."

19) Defines "third party" to include, but is not limited to, "an advertising network, consumer data reseller, data analytics provider, health care service plan, pharmaceutical company, government entity, operating system or platform, social network, or other commercial Internet Web site or online service."

20) Defines "consumer" as including employees of employers subject to the employer provisions of this bill.

21) Defines "business associate" to mean "a person or entity who provides, other than in the capacity of a member of the workforce of an operator of a commercial health monitoring program, legal, actuarial, accounting, consulting, data aggregation [as defined], management, administrative, accreditation, or financial services to or for a consumer health monitoring program where the provision of the service involves the disclosure of health monitoring information from a commercial health monitoring program or from another business associate of a commercial health monitoring program."

EXISTING LAW:

1) Establishes, pursuant to HIPAA, certain requirements relating to the provision of health insurance, including provisions relating to the confidentiality of health records. HIPAA prohibits a covered entity that uses electronic means to perform HIPAA-covered transactions from using or disclosing personal health information except pursuant to a written authorization signed by the patient or for treatment, payment, or health care operations.
Notwithstanding those provisions, HIPAA allows a covered entity to maintain a directory of patients in its facility for specified purposes, and to disclose the protected health information (PHI) of a patient to family members, relatives, or other persons identified by the patient, if certain conditions are met. Covered entities include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit health care data in a way that is regulated by HIPAA. HIPAA further provides that if its provisions conflict with a provision of state law, the provision that is most protective of patient privacy prevails. (Public Law 104-191, 104th Congress)

2) Prohibits, pursuant to the state CMIA, a provider of health care, a health care service plan, a contractor, a corporation and its subsidiaries and affiliates, or any business that offers software or hardware to consumers, including a mobile application or other related device, as defined, from intentionally sharing, selling, using for marketing, or otherwise using any medical information, as defined, for any purpose not necessary to provide health care services to a patient, except as expressly authorized by the patient, enrollee, or subscriber, as specified, or as otherwise required or authorized by law. A violation of the provisions of this act that results in economic loss or personal injury to a patient is a crime. (Civil Code Section (CC) 56, et seq.)

3) Defines, for purposes of the CMIA, "medical information" to mean "any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment.
"Individually identifiable" means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity." (CC 56.05(g))

FISCAL EFFECT: None. This bill is keyed nonfiscal by the Legislative Counsel.

COMMENTS:

1) Purpose of this bill. This bill is intended to apply a limited set of protections against unauthorized disclosure and employment discrimination for personal health monitoring information collected through a commercial health monitoring device that falls outside of existing federal and state protections for medical and health information. This bill is author-sponsored.

2) Author's statement. According to the author, "[c]ommercial health monitoring devices, such as wearables or health maintenance apps, are an innovative and empowering way to put healthcare awareness in the hands of the consumer. The information gathered by these applications and devices, which can range from heart rate to menstrual cycle to brain wave patterns, would be considered sensitive to most. But such data currently have no privacy protections. This bill updates current law to contend with this emerging technology by laying down reasonable basic standards for the sharing of personally identifiable information that can be applied to any future development of this technology that comes along. This will ensure that information used for health maintenance by consumers is not widely shared without that consumer's very explicit and intentional permission, and that those employers using such technologies to improve the health of their employees do not use the information against them."

3) The "Internet of Things" and health devices.
The term "Internet of Things" (or IoT) was created to describe a network of physical objects embedded with sensors and network connectivity that enables the objects to collect and transmit data remotely, as well as be controlled. As a result, massive amounts of data can be collected and analyzed, much of it in real time or near to it, allowing these systems to be monitored and operated with greater efficiency, accuracy and economic benefit, which has led to the use of the term "smart" in relation to these technologies.

In an August 2014 article, Forbes.com describes IoT and its scope this way: "Simply put, this is the concept of basically connecting any device with an on and off switch to the Internet (and/or to each other). This includes everything from cellphones, coffee makers, washing machines, headphones, lamps, wearable devices and almost anything else you can think of. This also applies to components of machines, for example a jet engine of an airplane or the drill of an oil rig ... [I]f it has an on and off switch then chances are it can be a part of the IoT. The analyst firm Gartner says that by 2020 there will be over 26 billion connected devices ... That's a lot of connections (some even estimate this number to be much higher, over 100 billion). The IoT is a giant network of connected 'things' (which also includes people). The relationship will be between people-people, people-things, and things-things."

The same article goes on to mention the potential challenges raised by IoT, security and privacy chief among them: "The reality is that the IoT allows for virtually endless opportunities and connections to take place, many of which we can't even think of or fully understand the impact of today ... With billions of devices being connected together, what can people do to make sure that their information stays secure? Will someone be able to hack into your toaster and thereby get access to your entire network?
The IoT also opens up companies all over the world to more security threats. Then we have the issue of privacy and data sharing. This is a hot-button topic even today, so one can only imagine how the conversation and concerns will escalate when we are talking about many billions of devices being connected. Another issue that many companies specifically are going to be faced with is around the massive amounts of data that all of these devices are going to produce. Companies need to figure out a way to store, track, analyze and make sense of the vast amounts of data that will be generated."

IoT is also expected to have a major impact in the health care industry. Wired.com writes: "Quite a lot of inventions are occurring in the healthcare industry which is part of Internet of Things adoption ... Wearable devices and home health monitoring devices assisting patients is a common thing now ... The devices are capable enough to transmit vital sign data from a patient's home to the hospital staff. It allows them to have real-time monitoring of a patient's health. These devices use wirelessly connected glucometers, scales, heart rate and blood pressure monitors. Devices helping in monitoring real-time ICU procedures are indeed a big part of IoT. There are devices for wireless ultrasound monitoring and remote vital sign monitoring from a hospital environment."

The same article also notes that there are major commercial applications for health-related IoT products: "Fitness bands are another addition in the medical devices and IoT [fields]. These connected bands take vital data from the body throughout the day and transmit wirelessly to user devices such as computers, smartphones and tablets. As they are indeed a great tool to reduce medical expenses, even the health insurance companies are taking interest in promoting them." Well-known examples of such technology are the Fitbit fitness band, the Apple Watch, and the Google Smart Contact Lens.
One March 2014 law review article entitled "Regulating the Internet of Things" addressed what a significant business IoT devices have already become: "Sales of fitness trackers such as Fitbit and Nike+ FuelBand topped $300 million last year, and consumer sensor devices dominated the January 2014 International Consumer Electronics Show. The hype is real: such devices are revolutionizing personal health, home security and automation, business analytics, and many other fields of human activity."

The use of such devices to monitor and collect health information, whether by sensor or manual entry, along with any online interface, is termed a "commercial health monitoring program" for purposes of this bill.

4) Previous privacy concerns over mobile phone health apps. Questions about the privacy and security implications of consumer health technology are not new. In July 2013, the Privacy Rights Clearinghouse (PRC) released a report entitled "Mobile Health and Fitness Applications and Information Privacy," funded by the California Consumer Protection Foundation. The report examined a total of 43 free and paid mobile phone applications on more than 150 separate data points related to privacy and security. The report found: "Our research brought us to the conclusion that, from a privacy perspective, mobile health and fitness applications are not particularly safe when it comes to protecting users' privacy. Consumers who have no hesitation about sharing personal information will probably find value in sharing the details of their pregnancies by linking their app with Facebook, participating in app-based chat groups and posting photographs of themselves as their pregnancies progress. Others will find that socializing their diet or exercise regimes provides support or competition that helps motivate them."
However, PRC did recommend efforts to increase consumer education about data collection and use practices so that consumers can "assess for themselves the overall privacy risks that mobile health and fitness apps pose." The report also found that, as of 2013, 39% of free apps and 30% of paid apps sent data to someone not disclosed by the developer either in the app or in any privacy policy. Additionally, only 13% of free apps and 10% of paid apps used encryption for all data connections and transmissions.

More recently, another study published in the Journal of the American Medical Association (JAMA) (March 8, 2016) analyzed the privacy practices of diabetes management applications on Android smartphones and found widespread problems. The study examined 211 separate apps and found that 81% lacked privacy policies, and among those that did have one, 49% included permissions to share data with partners and third parties and 39% authorized use of data for advertising purposes. The JAMA report opined: "This study demonstrated that diabetes apps shared information with third parties, posing privacy risks because there are no federal legal protections against the sale or disclosure of data from medical apps to third parties. The sharing of sensitive health information by apps is generally not prohibited by the Health Insurance Portability and Accountability Act. Patients might mistakenly believe that health information entered into an app is private (particularly if the app has a privacy policy), but that generally is not the case. Medical professionals should consider privacy implications prior to encouraging patients to use health apps."
Partially in response, the Legislature passed AB 658 (Calderon), Chapter 296, Statutes of 2013, which applied the prohibitions of California's CMIA to any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information to allow an individual to manage his/her information, or for the diagnosis, treatment, or management of a medical condition of the individual.

5) HIPAA, CMIA and beyond. The privacy of medical information is protected under both federal and state law. The federal statute, HIPAA, protects the confidentiality of medical records in the health care field by generally restricting "covered entities" (such as health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers) from using or disclosing PHI without written authorization. California's own CMIA restricts a provider of health care, a health care service plan, a contractor, a corporation and its subsidiaries and affiliates, or any business that offers software or hardware to consumers, including a mobile application or other related device, from intentionally sharing, selling, using for marketing, or otherwise using any medical information for any purpose not necessary to provide health care services to a patient, except as expressly authorized by the patient, enrollee, or subscriber, or as otherwise required or authorized by law. A violation of the provisions of CMIA that results in economic loss or personal injury to a patient is a crime and grounds for nominal or punitive damages, court costs and civil liability up to $250,000 per violation, depending on the circumstances.
It should be noted that the introduced version of this bill would have expanded CMIA to cover commercial health information devices, but was amended on March 28, 2016, to separate its provisions from CMIA and shift those requirements to a separate chapter in the Business and Professions Code.

6) This bill in practice. In its current form, this bill has two primary aims: it prohibits operators from intentionally sharing, selling or disclosing health monitoring information to a third party without explicit authorization; and it requires employers with health monitoring programs not to discriminate against employees based on their results or their refusal to participate.

The requirement that operators get the explicit opt-in authorization of the consumer before sharing, using or disclosing information has a number of additional provisions intended to ensure that the consumer is adequately informed about the decision: the request must be clear, conspicuous and separate; the request must specify the name and nature of the third party and the reason for the request; the request must be limited to a single third party; and refusal cannot limit the consumer's ability to use the program. These protections are not waivable, and a consumer has the right to revoke an authorization without penalty at any time.

The provisions for employer-provided programs are more varied, but generally require employers not to discriminate against program participants because of the information collected or the consumer's refusal to authorize third party sharing. Employers are prohibited from using or disclosing health monitoring information without authorization, and are required to have procedures in place for securing the collected information. Employers are also granted immunity for unauthorized use or disclosure by a third party to which health monitoring information was disclosed if the employer shows a good faith effort to comply with restrictions.
This bill also clarifies that activities by a company or employer that are covered under HIPAA and CMIA are not subject to the provisions of this bill.

7) Arguments in opposition. According to the Consumer Federation of California (CFC), the primary objection to the bill is that it lacks the breadth and tough remedies of the CMIA: "Our experience over the years with enforcement of privacy laws has shown us that without precise language, such as clearly spelling out the steps required for obtaining information sharing permission, along with strong sanctions for privacy violations, commercial profit motives will always prevail over consumer privacy rights. In recent years, state courts have whittled away at the privacy provisions of the Song Beverly Credit Card Act and the Confidentiality of Medical Information Act. These courts interpreted words contained in these laws as narrowly as possible, siding with business interests, and inferring meanings that were at odds with the intent and legislative histories of these laws. This hard-learned experience informs our objections to the bill in its current and proposed versions. AB 2688 does not safeguard the privacy of individually identifiable health records."

"Because the bill identifies by name, and thereby shields information sharing with specific industries that are notorious privacy abusers, it is essential that it establish strict consumer controls over the private data these businesses would be entitled to receive, and it must contain strong, enforceable deterrents against privacy violations by commercial health monitoring programs ... CMIA and HIPAA-covered entities are imposing ever more rigorous internal privacy and security protocols, in part because of their potential exposure to substantial penalties for privacy violations and damages for negligent record exposure."
According to a coalition of opponents, this bill compares unfavorably to CMIA's "strict rules", protection against negligent disclosure, and right of private action: "AB 2688 only establishes minimal, industry controlled rules regarding the intentional sharing or selling of this same data by an online commercial entity. It does not address the negligent release of health information by a commercial entity. It does not have the deterrent of strict penalties and damages for a privacy violation."

The coalition also expresses concern that a consumer could take CMIA-protected data and manually enter it into a commercial health monitoring program and cause that data to lose its protection under CMIA. They also contend that the bill "gives employers an additional way out of legal liability for unauthorized information sharing by allowing it to show its 'good faith' attempt to comply ..."

8) Recent amendments. Amendments taken by the author on April 28th made a wide variety of changes and clarifications in response to questions raised by opponents, including an expansion of the authorization request requirements to make it explicitly "opt-in," clear and conspicuous, separate from other requests, limited to a single third party, specifying the name and nature of the third party, requiring that refusal to authorize third party sharing shall not limit use of the program, and disclosing that consumers have the right to revoke the authorization at any time. As a result of these amendments and others, the California Hospital Association and the California Life Sciences Association have removed their previous opposition.

9) Previous legislation.
AB 658 (Calderon), Chapter 296, Statutes of 2013, applied the prohibitions of CMIA to any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information to allow an individual to manage his/her information, or for the diagnosis, treatment, or management of a medical condition of the individual.

SB 138 (Hernandez), Chapter 444, Statutes of 2013, required health care service plans and health insurers to take specified steps to protect the confidentiality of an insured individual's medical information for purposes of sensitive services or if disclosure will endanger an individual.

AB 1298 (Jones), Chapter 699, Statutes of 2007, subjected any business organized to maintain medical information for purposes of making that information available to an individual or to a health care provider, as specified, to the provisions of the CMIA.

AB 2747 (Committee on Judiciary), Chapter 913, Statutes of 2014, extended CMIA provisions to any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care.

REGISTERED SUPPORT / OPPOSITION:

Support

None on file.

Opposition

ACLU of California
California Alliance for Retired Americans
CALPIRG
Consumer Action
Consumer Attorneys of California (concerns)
Consumer Federation of California
Consumer Watchdog
UFCW Western States Council
World Privacy Forum

Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200