BILL ANALYSIS

SENATE RULES COMMITTEE                                      AB 2688
Office of Senate Floor Analyses
(916) 651-1520 Fax: (916) 327-4478

THIRD READING

Bill No: AB 2688
Author: Gordon (D)
Amended: 4/28/16 in Assembly
Vote: 21

SENATE JUDICIARY COMMITTEE: 5-2, 6/28/16
AYES: Jackson, Hertzberg, Leno, Monning, Wieckowski
NOES: Moorlach, Anderson

ASSEMBLY FLOOR: 54-14, 5/12/16 - See last page for vote

SUBJECT: Privacy: commercial health monitoring programs

SOURCE: Author

DIGEST: This bill prohibits the operator of a commercial health monitoring program, such as a wearable fitness device connected to the Internet, from sharing or using a consumer's health monitoring information without explicit authorization, and prohibits employers from using health monitoring information collected through a commercial health monitoring program to discriminate against employees.

ANALYSIS:

Existing law:

1) Provides that all people have inalienable rights, including the right to pursue and obtain privacy. (Cal. Const. art. I, Sec. 1.)

2) Specifies, pursuant to the federal Health Insurance Portability and Accountability Act (HIPAA), privacy protections for patients' protected health information and generally provides that a covered entity may not use or disclose protected health information except as specified or as authorized by the patient in writing. (45 C.F.R. Sec. 164.500 et seq.)

3) Prohibits, under the State Confidentiality of Medical Information Act (CMIA), providers of health care, health care service plans, or contractors from sharing medical information without the patient's written authorization, subject to certain exceptions. (Civ. Code Sec. 56 et seq.)
4) Defines "medical information" to mean any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient's medical history, mental or physical condition, or treatment. (Civ. Code Sec. 56.05(g).)

5) Provides that any business organized for the purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or the provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis or treatment of the individual, shall be deemed to be a provider of health care subject to the requirements of the CMIA. (Civ. Code Sec. 56.06(a).)

6) Provides that any provider of health care, health care service plan, pharmaceutical company, or contractor who negligently creates, maintains, preserves, stores, abandons, destroys, or disposes of written or electronic medical records shall be subject to damages in a civil action or an administrative fine, as specified. (Civ. Code Sec. 56.36.)
This bill:

1) Prohibits an operator of a commercial health monitoring program from intentionally sharing, selling or disclosing health monitoring information to or with a third party without first obtaining from the consumer explicit opt-in authorization, which must fulfill the following requirements:

   a) be clear, conspicuous, and separate from all other authorizations or agreements;

   b) include the name and nature of the third party and the reason for the request;

   c) be limited to a single third-party entity;

   d) provide that a consumer's refusal to authorize third-party disclosure of health monitoring information shall not limit the consumer's ability to use the commercial health monitoring program even if features and services provided by the specific third party are inoperable;

   e) provide that the waiver of any legal right, penalty, remedy, forum, or enforcement procedure imposed as a condition of use is unconscionable and unenforceable, and that any person who seeks to enforce such a waiver shall have the burden of proving that the waiver was knowing and voluntary and was not made as a condition of use; and

   f) state that a consumer has the right to revoke the authorization at any time without cost or penalty by a readily accessible method.

2) Specifies that an authorization is not required where the third party solely provides services to the operator of the commercial health monitoring program and does not further use or disclose health monitoring information.

3) Requires an operator of a commercial health monitoring program that creates, maintains, preserves, stores, abandons, destroys, or disposes of health monitoring information to do so in a manner that preserves the security and confidentiality of the health monitoring information contained therein.
4) Permits health monitoring information to be disclosed to a provider of health care or other health care professional or facility to aid the diagnosis or treatment of the consumer, where the consumer is unable to authorize the disclosure due to an emergent medical condition.

5) Requires an employer that receives health monitoring information to establish appropriate procedures to ensure the security and confidentiality of the information, which may include instruction regarding confidentiality of employees and agents handling files containing health monitoring information, and security systems restricting access to files containing health monitoring information.

6) Prohibits an employer from discriminating against an employee in any terms or conditions of employment due to that employee's refusal to provide an authorization to share, sell, disclose or use an individual's health monitoring information.

7) Prohibits an employer from discriminating against an employee in any terms or conditions of employment due to the findings of that employee's health monitoring information.

8) Prohibits an employer from using, disclosing, or knowingly permitting its employees or agents to use or disclose health monitoring information which the employer possesses pertaining to its employees without first obtaining authorization to do so.

9) Protects an employer that has attempted in good faith to comply with the requirements and prohibitions of this bill from liability for any unauthorized use or disclosure of the health monitoring information by the person or entity to which the employer disclosed the health monitoring information.

Background

In July 2013, the Privacy Rights Clearinghouse (PRC) released a report entitled "Mobile Health and Fitness Applications and Information Privacy." The report examined a total of 43 free and paid mobile phone applications (apps) on more than 150 separate data points related to privacy and security.
The report stated "our research brought us to the conclusion that, from a privacy perspective, mobile health and fitness applications are not particularly safe when it comes to protecting users' privacy. Consumers who have no hesitation about sharing personal information will probably find value in sharing the details of their pregnancies by linking their app with Facebook, participating in app-based chat groups and posting photographs of themselves as their pregnancies progress. Others will find that socializing their diet or exercise regimes provides support or competition that helps motivate them."

The report also found that, as of 2013, 39 percent of free apps and 30 percent of paid apps sent data to someone not disclosed by the developer either in the app or any privacy policy. Additionally, only 13 percent of free apps and 10 percent of paid apps used encryption for all data connections and transmissions.

More recently, another study excerpted in the Journal of the American Medical Association (JAMA) (March 8, 2016) did an analysis of privacy practices of diabetes management applications on Android smartphones and found widespread problems. The study examined 211 separate apps and found that 81 percent lacked privacy policies, and among those that did, 49 percent included permissions to share data with partners and third parties and 39 percent authorized use of data for advertising purposes.

The JAMA report noted, "this study demonstrated that diabetes apps shared information with third parties, posing privacy risks because there are no federal legal protections against the sale or disclosure of data from medical apps to third parties. The sharing of sensitive health information by apps is generally not prohibited by the Health Insurance Portability and Accountability Act. Patients might mistakenly believe that health information entered into an app is private (particularly if the app has a privacy policy), but that generally is not the case.
Medical professionals should consider privacy implications prior to encouraging patients to use health apps."

Partially in response, the Legislature passed AB 658 (Calderon, Chapter 296, Statutes of 2013), which applied the prohibitions of the Confidentiality of Medical Information Act to any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information to allow an individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual.

This bill, seeking to protect the personal health information of individuals and employees collected on mobile applications, regulates how employers, operators, and third parties use that information.

FISCAL EFFECT: Appropriation: No   Fiscal Com.: No   Local: No

SUPPORT: (Verified 7/6/16)

None received

OPPOSITION: (Verified 7/6/16)

American Civil Liberties Union of California
California Alliance for Retired Americans
California Chamber of Commerce
California Public Interest Research Group
Cellular Telephone Industries Association
CompTIA
Consumer Action
Consumer Federation of California
Consumer Watchdog
Direct Marketing Association
Entertainment Software Association
Internet Association
TechNet
Western States Council

ARGUMENTS IN SUPPORT: The author writes:

Sensitive health-related data from commercially obtained wearable health monitoring devices or online applications are not currently protected by any state or federal law. There are no restrictions on how companies may use, share or sell this information, even in personally identifiable form.

Currently, wearable devices can perform substantial monitoring, including everything from heart rate to brain wave patterns. Simple measurements such as walking pattern can indicate injury or disability and measurement of body temperature can reveal ovulation cycles.
While this information is valuable and empowering to the consumer, lack of a common agreement on how this information can be shared leaves the consumer without adequate protections.

There is also an increasing trend of employers providing these kinds of devices to their employees to promote wellness and bring down healthcare costs for the company. This is a win-win scenario for both employers and employees, but requires significant protections to ensure that health information (or a refusal to wear a health monitoring device) is not used against an employee.

ARGUMENTS IN OPPOSITION: A number of privacy groups, expressing gratitude to the author for introducing a bill which seeks to protect personal health information of consumers, nonetheless oppose this bill unless amended to provide stronger consumer protections. The Consumer Federation of California, in opposition, argues that without precise language spelling out privacy rights, commercial profit motives will always prevail over consumer privacy rights.

The bill should further spell out the form of its "Opt-In" authorization, to make it certain that information sharing is prohibited, absent additional affirmative and voluntary steps by the consumer, which are separated in time from the procedures required to set up, register, or use the health monitoring program.

AB 2688 addresses the intentional sharing of individually identifiable health information. That is an essential topic but it falls short because it fails to address the many problems with the negligent sharing of sensitive information. The California Attorney General identified 103 separate medical record data breach incidents in our state between 2012 and 2015. These breaches exposed 19 million Californians' medical records. 54% of these breaches were "physical" breaches which the Attorney General's report described as "preventable". Many of these occurred because medical records were not encrypted and/or records were not physically secured.
Another 10% were due to "misuse" by employees and 20% due to "errors" by medical entities. These are also categories of breaches that are preventable, provided the business establishes proper data security protocols.

A coalition of technology companies also oppose the bill unless amended to address "unintended consequences, logistical difficulties, and consumer harm."

Our coalition has proposed language that included a very high standard of clear and conspicuous notice, plus affirmative consent, which would set the bar across the country. While it is impossible to force a consumer to consider these issues, this standard would make sure that a consumer would be clearly presented with the information and would need to agree to the rules before sharing occurs. Adding the requirement of separate consent immediately elevates the broadly defined category of health monitoring information above other types of information, and would likely create a race for each category of information to obtain its own separate consent. The clear and conspicuous standard is in line with reasonable privacy standards and allows an operator to present all of the privacy issues to the consumer together.

The bill also requires a process to allow a consumer to withdraw consent, but fails to make clear that this could impact the rights and/or ability of the consumer to make use of the product or service covered by the bill. Data sharing is frequently integral to the working of the product and in other cases, the business model is based upon data sharing. These situations should be acknowledged in the bill.
ASSEMBLY FLOOR: 54-14, 5/12/16

AYES: Achadjian, Alejo, Travis Allen, Arambula, Atkins, Bloom, Bonilla, Bonta, Brown, Calderon, Campos, Chang, Chau, Chiu, Chu, Cooley, Cooper, Dababneh, Daly, Dodd, Eggman, Cristina Garcia, Eduardo Garcia, Gatto, Gipson, Gomez, Gonzalez, Gordon, Hadley, Roger Hernández, Holden, Irwin, Jones, Levine, Linder, Lopez, Low, McCarty, Medina, Mullin, Nazarian, O'Donnell, Quirk, Ridley-Thomas, Rodriguez, Salas, Santiago, Mark Stone, Thurmond, Ting, Weber, Williams, Wood, Rendon

NOES: Baker, Chávez, Dahle, Beth Gaines, Gray, Grove, Harper, Lackey, Maienschein, Mayes, Olsen, Patterson, Wagner, Wilk

NO VOTE RECORDED: Bigelow, Brough, Burke, Frazier, Gallagher, Jones-Sawyer, Kim, Mathis, Melendez, Obernolte, Steinorth, Waldron

Prepared by: Nichole Rapier / JUD. / (916) 651-4113
7/29/16 12:31:19

**** END ****