BILL ANALYSIS




           ----------------------------------------------------------------- 
          |SENATE RULES COMMITTEE            |                       AB 2688|
          |Office of Senate Floor Analyses   |                              |
          |(916) 651-1520    Fax: (916)      |                              |
          |327-4478                          |                              |
           ----------------------------------------------------------------- 


                                   THIRD READING 


          Bill No:  AB 2688
          Author:   Gordon (D) 
          Amended:  8/19/16 in Senate
          Vote:     21 

           SENATE JUDICIARY COMMITTEE:  5-2, 6/28/16
           AYES:  Jackson, Hertzberg, Leno, Monning, Wieckowski
           NOES:  Moorlach, Anderson

           ASSEMBLY FLOOR:  54-14, 5/12/16 - See last page for vote

           SUBJECT:   Privacy:  commercial health monitoring programs


          SOURCE:    Author


          DIGEST:  This bill prohibits the operator of a commercial health  
          monitoring program, such as a wearable fitness device connected  
          to the Internet, from sharing or using a consumer's health  
          monitoring information without explicit authorization, and  
          prohibits employers from using health monitoring information  
          collected through a commercial health monitoring program to  
          discriminate against employees.  


          Senate Floor Amendments of 8/19/16 make various changes  
          throughout the bill.  Specifically, the amendments (1) define  
          "service provider" and prohibit a service provider from using or  
          further disclosing a consumer's information; (2) prohibit a  
          third party from further disclosing a consumer's information;  
          (3) allow a consumer to access or delete his or her information,  
          as specified; and (4) require an operator of a commercial health  
          monitoring program to make available and provide notice of a  
          process whereby a consumer may withdraw consent to share his or  
          her information, as specified. 


          ANALYSIS:  


          Existing law: 


           1) Provides that all people have inalienable rights, including  
             the right to pursue and obtain privacy.  (Cal. Const. art. I,  
             Sec. 1.)


           2) Specifies, pursuant to the Health Insurance Portability and  
             Accountability Act, privacy protections for patients'  
             protected health information and generally provides that a  
             covered entity, as defined (health plan, health care  
             provider, and health care clearing house), may not use or  
             disclose protected health information except as specified or  
             as authorized by the patient in writing.  (45 C.F.R. Sec.  
             164.500 et seq.)  


           3) Prohibits, under the State Confidentiality of Medical  
             Information Act (CMIA), providers of health care, health care  
             service plans, or contractors, as defined, from sharing  
             medical information without the patient's written  
             authorization, subject to certain exceptions.  (Civ. Code  
             Sec. 56 et seq.) 


           4) Defines "medical information" to mean any individually  
             identifiable information, in electronic or physical form, in  
             possession of or derived from a provider of health care,  
             health care service plan, pharmaceutical company, or  
             contractor regarding a patient's medical history, mental or  
             physical condition, or treatment, and defines "individually  
             identifiable" to mean that the medical information includes  
             or contains any element of personal identifying information  
             sufficient to allow identification of the individual, as  
             specified.  (Civ. Code Sec. 56.05(g).)

           5) Provides that any business organized for the purpose of  
             maintaining medical information in order to make the  
             information available to an individual or to a provider of  
             health care at the request of the individual or the provider  
             of health care, for purposes of allowing the individual to  
             manage his or her information, or for the diagnosis and  
             treatment of the individual, shall be deemed to be a provider  
             of health care subject to the requirements of the CMIA.   
             (Civ. Code Sec. 56.06(a).) 


           6) Provides that any provider of health care, health care  
             service plan, pharmaceutical company, or contractor who  
             negligently creates, maintains, preserves, stores, abandons,  
             destroys, or disposes of written or electronic medical  
             records shall be subject to damages in a civil action or an  
             administrative fine, as specified.  (Civ. Code Sec. 56.36.)


          This bill:


           1) Defines "commercial health monitoring program" to mean a  
             commercial Internet Web site, online service, or product used  
             by consumers whose primary purpose is to collect the  
             consumer's individually identifiable health monitoring  
             information.

           2) Defines "health monitoring information" to mean any  
             information, in electronic or physical form, about a  
             consumer's mental or physical condition that is collected by  
             a commercial health monitoring program, either through a  
             direct measurement of the consumer's mental or physical  
             condition or through user input regarding the consumer's  
             mental or physical condition into the program.

           3) Defines "individually identifiable" to mean information that  
             includes or contains an element of personal identifying  
             information sufficient to allow identification of the  
             consumer, including the consumer's name, address, electronic  
             mail address, telephone number, social security number, or  
             unique electronic identifier, or other information that,  
             alone or in combination with other publicly available  
             information, reveals the consumer's identity.

           4) Defines "third party" to mean an entity with whom the  
             consumer does not have a direct relationship, as specified,  
             and whose processing of individually identifiable health  
             monitoring information is not otherwise necessary for the  
             functionality of the commercial health monitoring program. 

           5) Defines "service provider" to mean an entity that does not  
             further use or disclose individually identifiable health  
             information except at the direction of the commercial health  
             monitoring program to other service providers of the  
             commercial health monitoring program, and that either:

                a) provides services to the operator that support the  
                functionality or operation of the commercial health  
                monitoring program; or
                b) controls, or is under common control with, the provider  
                of the commercial health monitoring program, as specified.  


           1) Prohibits an operator of a commercial health monitoring  
             program from disclosing individually identifiable health  
             monitoring information without first obtaining consent from  
             the consumer, as specified. 

           2) Provides that the consent shall be separate from all other  
             authorizations or agreements, and shall include the name or  
             nature of the third party and the purpose of the request.

           3) Provides that a consumer's refusal to consent shall not  
             limit the consumer's ability to use the commercial health  
             monitoring program, as specified. 

           4) Requires that the operator of a commercial health monitoring  
             program make available and provide notice of a process  
             whereby a consumer may withdraw his or her consent to share  
             information with a third party, as specified. 

           5) Requires that, upon request by the consumer, the commercial  
             health monitoring program delete or provide to the consumer  
             his or her information, as specified. 

           6) Requires that an operator of a commercial health monitoring  
             program that creates, maintains, preserves, stores, abandons,  
             destroys, deletes, or disposes of health monitoring  
             information do so in a manner that preserves the security  
             and confidentiality of the information.

           7) Authorizes the disclosure of individually identifiable  
             health monitoring information to a healthcare provider or  
             government official in specified circumstances without first  
             obtaining the consent of the consumer. 

           8) Requires that an employer who receives health monitoring  
             information do the following: 

                a) establish appropriate procedures to preserve the  
                security and confidentiality of the information, as  
                specified;
                b) not discriminate against an employee in any terms or  
                conditions of employment due to that employee's refusal to  
                provide consent; and
                c) not use, disclose, or knowingly permit its employees or  
                agents to use, sell, or disclose individually identifiable  
                health monitoring information that the employer possesses  
                pertaining to its employees without first obtaining that  
                employee's consent to do so.

           1) Provides that no employer that has complied with the  
             provisions of the bill shall be liable for any unauthorized  
             use or disclosure of individually identifiable health  
             monitoring information.

           2) Prohibits an entity which is not a commercial health  
             monitoring program from further disclosing that health  
             monitoring information, and assigns responsibility for a  
             violation to the disclosing entity.


          Background

          In July 2013, the Privacy Rights Clearinghouse released a report  
          entitled "Mobile Health and Fitness Applications and Information  
          Privacy." The report examined a total of 43 free and paid mobile  
          phone applications (apps) on more than 150 separate data points  
          related to privacy and security.  


          The report stated "our research brought us to the conclusion  
          that, from a privacy perspective, mobile health and fitness  
          applications are not particularly safe when it comes to  
          protecting users' privacy.  Consumers who have no hesitation  
          about sharing personal information will probably find value in  
          sharing the details of their pregnancies by linking their app  
          with Facebook, participating in app-based chat groups and  
          posting photographs of themselves as their pregnancies progress.  
          Others will find that socializing their diet or exercise  
          regimes provides support or competition that helps motivate  
          them."  The report also found that, as of 2013, 39 percent of  
          free apps and 30 percent of paid apps sent data to someone not  
          disclosed by the developer either in the app or any privacy  
          policy.  Additionally, only 13 percent of free apps and 10  
          percent of paid apps used encryption for all data connections  
          and transmissions. 


          More recently, another study, excerpted in the Journal of the  
          American Medical Association (JAMA) (March 8, 2016), analyzed  
          the privacy practices of diabetes management applications on  
          Android smartphones and found widespread problems.  The study  
          examined 211 separate apps and found that 81 percent lacked  
          privacy policies; among those that did have one, 49 percent  
          included permissions to share data with partners and third  
          parties, and 39 percent authorized use of data for advertising  
          purposes.  

          The JAMA report noted, "this study demonstrated that diabetes  
          apps shared information with third parties, posing privacy risks  
          because there are no federal legal protections against the sale  
          or disclosure of data from medical apps to third parties.  The  
          sharing of sensitive health information by apps is generally not  
          prohibited by the Health Insurance Portability and  
          Accountability Act.  Patients might mistakenly believe that  
          health information entered into an app is private (particularly  
          if the app has a privacy policy), but that generally is not the  
          case.  Medical professionals should consider privacy  
          implications prior to encouraging patients to use health apps."

          Partially in response, the Legislature passed AB 658 (Calderon,  
          Chapter 296, Statutes of 2013), which applied the prohibitions  
          of the CMIA to any business that offers software or hardware to  
          consumers, including a mobile application or other related  
          device that is designed to maintain medical information to allow  
          an individual to manage his or her information, or for the  
          diagnosis, treatment, or management of a medical condition of  
          the individual.  This bill, seeking to protect the personal  
          health information of individuals and employees collected on  
          mobile applications, regulates how employers, operators, and  
          third parties use that information. 


          FISCAL EFFECT:   Appropriation:  No    Fiscal Com.:  No    Local:  No


          SUPPORT:   (Verified 8/19/16)


          None received


          OPPOSITION:   (Verified 8/31/16)


          American Civil Liberties Union of California
          California Alliance for Retired Americans
          California Chamber of Commerce
          California Public Interest Research Group
          Cellular Telephone Industries Association 
          Civil Justice Association of California
          CompTia
          Consumer Action
          Consumer Federation of California
          Consumer Watchdog 
          Direct Marketing Association
          Entertainment Software Association
          Internet Association
          TechNet
          Western States Council


          ARGUMENTS IN SUPPORT:  The author writes, "sensitive  
          health-related data from commercially obtained wearable health  
          monitoring devices or online applications are not currently  
          protected by any state or federal law. There are no restrictions  
          on how companies may use, share or sell this information, even  
          in personally identifiable form. ... Currently, wearable devices  
          can perform substantial monitoring, including everything from  
          heart rate to brain wave patterns. Simple measurements such as  
          walking pattern can indicate injury or disability and  
          measurement of body temperature can reveal ovulation cycles.  
          While this information is valuable and empowering to the  
          consumer, lack of a common agreement on how this information can  
          be shared leaves the consumer without adequate protections."  

          ARGUMENTS IN OPPOSITION: A number of privacy groups oppose this  
          bill unless amended to provide stronger consumer protections.   
          The Consumer Federation of California, in opposition, argues  
          that without precise language spelling out privacy rights,  
          commercial profit motives will always prevail over consumer  
          privacy rights.   Consumer Federation writes:

            Our experience over the years with enforcement of privacy laws  
            has shown us that without precise language, such as clearly  
            spelling out the steps required for obtaining information  
            sharing permission, along with strong sanctions for privacy  
            violations, commercial profit motives will always prevail over  
            consumer privacy rights. In recent years, state courts have  
            whittled away at the privacy provisions of the Song Beverly  
            Credit Card Act and the Confidentiality of Medical Information  
            Act. These courts interpreted words contained in these laws as  
            narrowly as possible, siding with business interests, and  
            inferring meanings that were at odds with the intent and  
            legislative histories of these laws.

            This hard-learned experience informs our objections to the  
            bill. AB 2688 does not safeguard the privacy of individually  
            identifiable health records.

          A coalition of technology companies also opposes the bill unless  
          amended to address "unintended consequences, logistical  
          difficulties, and consumer harm."  

          ASSEMBLY FLOOR:  54-14, 5/12/16
          AYES:  Achadjian, Alejo, Travis Allen, Arambula, Atkins, Bloom,  
            Bonilla, Bonta, Brown, Calderon, Campos, Chang, Chau, Chiu,  
            Chu, Cooley, Cooper, Dababneh, Daly, Dodd, Eggman, Cristina  
            Garcia, Eduardo Garcia, Gatto, Gipson, Gomez, Gonzalez,  
            Gordon, Hadley, Roger Hernández, Holden, Irwin, Jones, Levine,  
            Linder, Lopez, Low, McCarty, Medina, Mullin, Nazarian,  
            O'Donnell, Quirk, Ridley-Thomas, Rodriguez, Salas, Santiago,  
            Mark Stone, Thurmond, Ting, Weber, Williams, Wood, Rendon
          NOES:  Baker, Chávez, Dahle, Beth Gaines, Gray, Grove, Harper,  
            Lackey, Maienschein, Mayes, Olsen, Patterson, Wagner, Wilk
          NO VOTE RECORDED:  Bigelow, Brough, Burke, Frazier, Gallagher,  
            Jones-Sawyer, Kim, Mathis, Melendez, Obernolte, Steinorth,  
            Waldron

          Prepared by: Nichole Rapier / JUD. / (916) 651-4113
          8/31/16 11:49:53


                                   ****  END  ****