BILL ANALYSIS

AB 2688 Page 1

ASSEMBLY THIRD READING
AB 2688 (Gordon)
As Amended April 28, 2016
Majority vote

|Committee |Votes|Ayes                                     |Noes|
|----------+-----+-----------------------------------------+----|
|Privacy   |8-0  |Chau, Calderon, Chang, Cooper, Dababneh, |    |
|          |     |Gatto, Gordon, Low                       |    |

SUMMARY: Prohibits the operator of a commercial health monitoring program, such as a wearable fitness device connected to the Internet, from sharing or using a consumer's health monitoring information without explicit authorization, and prohibits employers from using health monitoring information collected through a commercial health monitoring program to discriminate against employees. Specifically, this bill:

1) Prohibits an operator of a commercial health monitoring program from intentionally sharing, selling or disclosing health monitoring information to or with a third party without first obtaining from the consumer explicit opt-in authorization, as specified.

2) Requires the opt-in authorization request to fulfill the following requirements:
   a) Be clear, conspicuous and separate from all other authorizations or agreements;
   b) Include the name and nature of the third party and the reason for the request;
   c) Be limited to a single third-party entity;
   d) Provide that a consumer's refusal to authorize third-party disclosure of health monitoring information shall not limit the consumer's ability to use the commercial health monitoring program, even if features and services provided by the specific third party are inoperable;
   e) State that a consumer has the right to revoke the authorization at any time, without cost or penalty, by a readily accessible method.
3) Specifies that an authorization is not required where the third party solely provides services to the operator of the commercial health monitoring program and does not further use or disclose health monitoring information.

4) Requires an operator of a commercial health monitoring program that creates, maintains, preserves, stores, abandons, destroys, or disposes of health monitoring information to do so in a manner that preserves the security and confidentiality of the health monitoring information.

5) Prohibits an employer from:
   a) discriminating against an employee in any terms or conditions of employment due to that employee's refusal to provide an authorization to share, sell, disclose or use an individual's health monitoring information;
   b) discriminating against an employee in any terms or conditions of employment due to the findings of that employee's health monitoring information; and
   c) using, disclosing, or knowingly permitting its employees or agents to use or disclose health monitoring information which the employer possesses pertaining to its employees without first obtaining authorization to do so.

6) Exempts an employer that has attempted in good faith to comply with the requirements and prohibitions of this bill from liability for any unauthorized use or disclosure of the health monitoring information by the person or entity to which the employer disclosed it.

7) Prohibits a recipient of health monitoring information pursuant to an authorization from further disclosing that information except in accordance with a new authorization.

FISCAL EFFECT: None. This bill is keyed non-fiscal by the Legislative Counsel.

COMMENTS:

1) Purpose of this bill.
This bill is intended to apply a limited set of protections against unauthorized disclosure and employment discrimination to personal health monitoring information collected through a commercial health monitoring device that falls outside existing federal and state protections for medical and health information. This bill is author-sponsored.

2) The "Internet of Things" and health devices.

The term "Internet of Things" (or IoT) was coined to describe a network of physical objects embedded with sensors and network connectivity that enables the objects to collect and transmit data remotely, and to be controlled remotely. As a result, massive amounts of data can be collected and analyzed, much of it in real time or near to it, allowing these systems to be monitored and operated with greater efficiency, accuracy and economic benefit, which has led to the use of the term "smart" in relation to these technologies. IoT is expected to have a major impact on the health care industry. Well-known examples of IoT health devices are the Fitbit fitness band, the Apple Watch, and the Google Smart Contact Lens.

This bill has two primary aims:
   a) It prohibits operators from intentionally sharing, selling or disclosing health monitoring information to a third party without explicit authorization; and
   b) It requires employers with health monitoring programs not to discriminate against employees based on their results or their refusal to participate.

This bill also clarifies that activities by a company or employer that are covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Confidentiality of Medical Information Act are not subject to the provisions of this bill.

Analysis Prepared by: Hank Dempsey / P. & C.P. / (916) 319-2200

FN: 0002877