BILL ANALYSIS
SENATE JUDICIARY COMMITTEE
Senator Hannah-Beth Jackson, Chair
2015-2016 Regular Session

AB 2688 (Gordon)
Version: April 28, 2016
Hearing Date: June 28, 2016
Fiscal: No
Urgency: No
NR

SUBJECT

Privacy: commercial health monitoring programs

DESCRIPTION

This bill would prohibit the operator of a commercial health monitoring program, such as a wearable fitness device connected to the Internet, from sharing or using a consumer's health monitoring information without explicit authorization, and would prohibit employers from using health monitoring information collected through a commercial health monitoring program to discriminate against employees.

BACKGROUND

In July 2013, the Privacy Rights Clearinghouse (PRC) released a report entitled "Mobile Health and Fitness Applications and Information Privacy." The report examined a total of 43 free and paid mobile phone applications (apps) on more than 150 separate data points related to privacy and security. The report stated "our research brought us to the conclusion that, from a privacy perspective, mobile health and fitness applications are not particularly safe when it comes to protecting users' privacy. Consumers who have no hesitation about sharing personal information will probably find value in sharing the details of their pregnancies by linking their app with Facebook, participating in app-based chat groups and posting photographs of themselves as their pregnancies progress. Others will find that socializing their diet or exercise regimes provides support or competition that helps motivate them." The report also found that, as of 2013, 39 percent of free apps and 30 percent of paid apps sent data to someone not disclosed by the developer either in the app or any privacy policy. Additionally, only 13 percent of free apps and 10 percent of paid apps used encryption for all data connections and transmissions.
More recently, another study excerpted in the Journal of the American Medical Association (JAMA) (March 8, 2016) analyzed the privacy practices of diabetes management applications on Android smartphones and found widespread problems. The study examined 211 separate apps and found that 81 percent lacked privacy policies, and among those that did, 49 percent included permissions to share data with partners and third parties and 39 percent authorized use of data for advertising purposes. The JAMA report noted, "this study demonstrated that diabetes apps shared information with third parties, posing privacy risks because there are no federal legal protections against the sale or disclosure of data from medical apps to third parties. The sharing of sensitive health information by apps is generally not prohibited by the Health Insurance Portability and Accountability Act. Patients might mistakenly believe that health information entered into an app is private (particularly if the app has a privacy policy), but that generally is not the case. Medical professionals should consider privacy implications prior to encouraging patients to use health apps."

Partially in response, the Legislature passed AB 658 (Calderon, Ch. 296, Stats. 2013), which applied the prohibitions of the Confidentiality of Medical Information Act (CMIA) to any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information to allow an individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual.

This bill, seeking to protect the personal health information of individuals and employees collected on mobile applications, would regulate how employers, operators, and third parties use that information.

CHANGES TO EXISTING LAW

Existing law, the California Constitution, provides that all people have inalienable rights, including the right to pursue and obtain privacy. (Cal. Const. art. I, Sec. 1.)

Existing federal law, the Health Insurance Portability and Accountability Act (HIPAA), specifies privacy protections for patients' protected health information and generally provides that a covered entity, as defined (health plan, health care provider, and health care clearing house), may not use or disclose protected health information except as specified or as authorized by the patient in writing. (45 C.F.R. Sec. 164.500 et seq.)

Existing law prohibits, under the State Confidentiality of Medical Information Act (CMIA), providers of health care, health care service plans, or contractors, as defined, from sharing medical information without the patient's written authorization, subject to certain exceptions. (Civ. Code Sec. 56 et seq.)

Existing law defines "medical information" to mean any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment.

Existing law defines "individually identifiable" to mean that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity. (Civ. Code Sec. 56.05(g).)
Existing law provides that any business organized for the purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or the provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis or treatment of the individual, shall be deemed to be a provider of health care subject to the requirements of the CMIA. (Civ. Code Sec. 56.06(a).)

Existing law provides that any provider of health care, health care service plan, pharmaceutical company, or contractor who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of written or electronic medical records shall be subject to damages in a civil action or an administrative fine, as specified. (Civ. Code Sec. 56.36.)

This bill would prohibit an operator of a commercial health monitoring program from intentionally sharing, selling or disclosing health monitoring information to or with a third party without first obtaining from the consumer explicit opt-in authorization, which must fulfill the following requirements:
- be clear, conspicuous, and separate from all other authorizations or agreements;
- include the name and nature of the third party and the reason for the request;
- be limited to a single third-party entity;
- provide that a consumer's refusal to authorize third-party disclosure of health monitoring information shall not limit the consumer's ability to use the commercial health monitoring program even if features and services provided by the specific third party are inoperable;
- provide that the waiver of any legal right, penalty, remedy, forum, or enforcement procedure imposed as a condition of use is unconscionable and unenforceable, and that any person who seeks to enforce such a waiver shall have the burden of proving that the waiver was knowing and voluntary and was not made as a condition of use; and
- state that a consumer has the right to revoke the authorization at any time without cost or penalty by a readily accessible method.

This bill would specify that an authorization is not required where the third party solely provides services to the operator of the commercial health monitoring program and does not further use or disclose health monitoring information.

This bill would require that an operator of a commercial health monitoring program that creates, maintains, preserves, stores, abandons, destroys, or disposes of health monitoring information do so in a manner that preserves the security and confidentiality of that information.

This bill would permit health monitoring information to be disclosed to a provider of health care or other health care professional or facility to aid the diagnosis or treatment of the consumer, where the consumer is unable to authorize the disclosure due to an emergent medical condition.

This bill would require an employer that receives health monitoring information to establish appropriate procedures to ensure the security and confidentiality of the information, which may include instruction regarding confidentiality for employees and agents handling files containing health monitoring information, and security systems restricting access to files containing health monitoring information.

This bill would prohibit an employer from discriminating against an employee in any terms or conditions of employment due to that employee's refusal to provide an authorization to share, sell, disclose or use an individual's health monitoring information.

This bill would prohibit an employer from discriminating against an employee in any terms or conditions of employment due to the findings of that employee's health monitoring information.
This bill would prohibit an employer from using, disclosing, or knowingly permitting its employees or agents to use or disclose health monitoring information which the employer possesses pertaining to its employees without first obtaining authorization to do so.

This bill would protect an employer that has attempted in good faith to comply with the requirements and prohibitions of this bill from liability for any unauthorized use or disclosure of the health monitoring information by the person or entity to which the employer disclosed the health monitoring information.

COMMENT

1. Stated need for the bill

According to the author:

Sensitive health-related data from commercially obtained wearable health monitoring devices or online applications are not currently protected by any state or federal law. There are no restrictions on how companies may use, share or sell this information, even in personally identifiable form. Currently, wearable devices can perform substantial monitoring, including everything from heart rate to brain wave patterns. Simple measurements such as walking pattern can indicate injury or disability and measurement of body temperature can reveal ovulation cycles. While this information is valuable and empowering to the consumer, lack of a common agreement on how this information can be shared leaves the consumer without adequate protections.

There is also an increasing trend of employers providing these kinds of devices to their employees to promote wellness and bring down healthcare costs for the company. This is a win-win scenario for both employers and employees, but requires significant protections to ensure that health information (or a refusal to wear a health monitoring device) is not used against an employee.
2. Health information collected by mobile applications not expressly protected under existing law

In its current form, this bill has two primary aims: it prohibits operators from intentionally sharing, selling, or disclosing health monitoring information to a third party without explicit authorization; and it prohibits employers with health monitoring programs from discriminating against employees based on their results or on their refusal to participate in the health monitoring program.

The requirement that operators obtain the explicit opt-in authorization of the consumer before sharing, using, or disclosing information is accompanied by a number of additional provisions intended to ensure that the consumer is adequately informed about the decision. For example:
- the request must be clear, conspicuous and separate;
- the request must specify the name and nature of the third party and the reason for the request;
- the request must be limited to a single third party; and
- refusal cannot limit the consumer's ability to use the program.

These protections are not waivable, and a consumer has the right to revoke an authorization without penalty at any time.

The provisions for employer-provided programs are more varied, but generally require employers not to discriminate against program participants because of the information collected or the consumer's refusal to authorize third party sharing. Employers are prohibited from using or disclosing health monitoring information without authorization, and are required to have procedures in place for securing the collected information. Employers are also granted immunity for unauthorized use or disclosure by a third party to which health monitoring information was disclosed if the employer shows a good faith effort to comply with restrictions.
3. Privacy concerns related to mobile phone health applications

A number of privacy groups, expressing gratitude to the author for introducing a bill which seeks to protect the personal health information of consumers, nonetheless oppose this bill unless it is amended to provide stronger consumer protections. The Consumer Federation of California (CFC), in opposition, argues that without precise language spelling out privacy rights, commercial profit motives will always prevail over consumer privacy rights. The CFC writes:

Though recent amendments are an improvement, in that the sharing of health information from a commercial health monitoring program to advertising networks, data aggregators, social networks and others requires a consumer's "explicit authorization," the language of the bill does not clarify that the consumer controls this "authorization". The bill should further spell out the form of its "Opt-In" authorization, to make it certain that information sharing is prohibited, absent additional affirmative and voluntary steps by the consumer, which are separated in time from the procedures required to set up, register, or use the health monitoring program.

AB 2688 addresses the intentional sharing of individually identifiable health information. That is an essential topic but it falls short because it fails to address the many problems with the negligent sharing of sensitive information. The California Attorney General identified 103 separate medical record data breach incidents in our state between 2012 and 2015. These breaches exposed 19 million Californians' medical records. 54% of these breaches were "physical" breaches which the Attorney General's report described as "preventable". Many of these occurred because medical records were not encrypted and/or records were not physically secured. Another 10% were due to "misuse" by employees and 20% due to "errors" by medical entities. These are also categories of breaches that are preventable, provided the business establishes proper data security protocols.

The American Civil Liberties Union of California argues that stronger penalties are needed to prevent the unauthorized disclosure of health information obtained through mobile apps:

The Confidentiality of Medical Information Act (CMIA) provides a strong deterrent against the negligent or intentional exposure of individually identifiable health records. CMIA may be enforced by government agencies or private civil action. CMIA was modernized in 2013 to begin to address new health recording technologies when AB 658 (Ian Calderon) extended CMIA to cover businesses that offer software or hardware to consumers, including a mobile application or related device that maintains medical information for management, diagnosis, or treatment of a medical condition. [...] CMIA creates strict sanctions against the negligent release of this information. AB 2688 is silent on a device maker's negligence in establishing security safeguards, though both intentional and negligent data security are major concerns. [...] AB 2688 addresses only the sharing or selling of "individually identifiable" health information from these devices. The selling or sharing of anonymized health information from these devices is common and problematic.

AB 2688 also contains language that places health information obtained by an employer from a wearable device or other ill-defined methods under its weak privacy regulations. AB 2688 prohibits an employer from using, disclosing, or knowingly permitting its employees or agents to use or disclose worker health information without first obtaining the worker's authorization, [but] does not describe how this information sharing is "authorized" and the authorization may be buried in an app's privacy policy fine print that a user must accept as a condition for setting up the device.
Staff notes that the author has been in negotiations with the opposition in an attempt to resolve these concerns, but has not yet been able to reach an agreement. In light of these issues and ongoing efforts to achieve a consensus, if this Committee were to approve this bill, it should consider doing so with the commitment that the author continues to work with stakeholders to find an appropriate balance between information disclosure and consumer protection.

4. Concerns noted by technology companies

A coalition of technology companies opposes the bill unless it is amended to address "unintended consequences, logistical difficulties, and consumer harm." The coalition writes:

Our coalition has proposed language that included a very high standard of clear and conspicuous notice, plus affirmative consent, which would set the bar across the country. While it is impossible to force a consumer to consider these issues, this standard would make sure that a consumer would be clearly presented with the information and would need to agree to the rules before sharing occurs. Adding the requirement of separate consent immediately elevates the broadly defined category of health monitoring information above other types of information, and would likely create a race for each category of information to obtain its own separate consent. The clear and conspicuous standard is in line with reasonable privacy standards and allows an operator to present all of the privacy issues to the consumer together.

The bill also requires a process to allow a consumer to withdraw consent, but fails to make clear that this could impact the rights and/or ability of the consumer to make use of the product or service covered by the bill. Data sharing is frequently integral to the working of the product and, in other cases, the business model is based upon data sharing. These situations should be acknowledged in the bill.
In response, the author writes, "We thank the diligence and hard work of representatives from the tech industry to make this bill more robust and realistic, taking into consideration the advances that are likely to emerge in coming years. We have spent hours in productive meetings both here in the Capitol and on tech company campuses to ensure that this bill will safeguard consumers while not hindering innovation in Silicon Valley. With regard to the concerns listed by industry associations in their opposition letter, we think it important to share our thoughts.

"First is that a clear and conspicuous notice with affirmative consent can simply be included in the user's initial terms of service agreement -- which research has shown is rarely read by users. We firmly believe that the consent needs to be separate from those agreements in order to give a consumer truly informed control over their own identifiable health information.

"Second, the opposition states that the bill would elevate health monitoring information above other types of information. We do not disagree with this point: health information should be elevated above other types of data. The confidentiality of one's health information is a concept dating back to Hippocrates, and our society has always recognized the sensitive nature of our personal health information and sought to give it additional protections.

"Lastly, there is a concern raised that stopping this type of data sharing would be detrimental to companies that rely upon it for their business model. It's our opinion that the sale of health monitoring information in personally identifiable form without a user's consent is not an acceptable business model. Consent must be obtained. The top tech companies in California seem to agree, as their privacy policies uniformly state that they never share personally identifiable information with third parties."
Support: None Known

Opposition: American Civil Liberties Union of California; California Chamber of Commerce; Cellular Telephone Industries Association (CTIA); CompTIA; Consumer Federation of California; Direct Marketing Association; Entertainment Software Association; Internet Association; TechNet

HISTORY

Source: Author

Related Pending Legislation: None Known

Prior Legislation:

AB 2747 (Assembly Committee on Judiciary, Chapter 913, Statutes of 2014) extends CMIA provisions to any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care.

AB 658 (Calderon, Ch. 296, Stats. 2013) applies the prohibitions of CMIA to any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information to allow an individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual.

AB 1298 (Snyder, Chapter 699, Statutes of 2007) subjected any business organized to maintain medical information for purposes of making that information available to an individual or to a health care provider, as specified, to the provisions of the Confidentiality of Medical Information Act (CMIA).

AB 336 (Snyder, Chapter 1004, Statutes of 1993) deemed certain corporations to be providers of health care under the CMIA.

Prior Vote:
Assembly Floor (Ayes 54, Noes 14)
Assembly Privacy and Consumer Protection Committee (Ayes 8, Noes 0)