1181.10.
(a) An operator of a commercial health monitoring program shall not intentionally share, sell, or disclose individually identifiable health monitoring information to or with a third party without first providing clear and conspicuous notice and obtaining the consumer’s affirmative consent that fulfills all of the following requirements:
(1) The request for consent shall be separate from all other authorizations or agreements.
(2) The request for consent shall include the name or nature of the third party and the purpose for the request.
(3) (A) A consumer’s refusal to consent to third-party sharing, sale, or disclosure of individually identifiable health monitoring information shall not limit the consumer’s ability to use the commercial health monitoring program even if features and services provided by the specific third party are inoperable.
(B) This paragraph does not apply if the primary function of the commercial health monitoring program is the sharing, sale, or disclosure of individually identifiable health monitoring information to third parties and the consumer is notified of this function at the time of the request for consent.
(4) A waiver of any legal right, penalty, remedy, forum, or enforcement procedure presented to the consumer in the consent described by this section is unenforceable and void as a matter of law.
(b) An operator of a commercial health monitoring program shall make available and provide notice of a process whereby a consumer may withdraw the consent granted in subdivision (a), although the notice does not expressly need to be included in the consent described in subdivision (a). Any withdrawal of consent shall apply prospectively and shall not impact valid disclosures and consent prior to the operative date of withdrawal.
(c) When health monitoring information is stored in an individually identifiable manner, upon request by the consumer, the operator of the commercial health monitoring program shall delete or provide to the consumer his or her individually identifiable health monitoring information. A commercial health monitoring program may assess a reasonable administrative charge for the cost of accessing, copying, or deleting individually identifiable health monitoring information under this chapter.
(d) An operator of a commercial health monitoring program that creates, maintains, preserves, stores, abandons, deletes, destroys, or disposes of health monitoring information shall do so in a manner to preserve the security and confidentiality of the individually identifiable health monitoring information contained therein.
(e) This chapter is not intended to limit the required disclosure of individually identifiable health monitoring information pursuant to another law.
(f) This chapter shall not be construed to limit or otherwise reduce existing privacy protections provided for in state or federal law.
(g) Individually identifiable health monitoring information may be disclosed to the following persons without satisfying the consent requirements of this chapter if the disclosing entity provides notice of the disclosure to the consumer whose individually identifiable health monitoring information was disclosed as soon as practicable:
(1) To a health care provider to aid in the diagnosis or treatment of the consumer, when the consumer is unable to consent to the disclosure due to an emergent medical condition.
(2) To a government official if necessary to prevent an emergency involving danger of death or serious physical injury to a person that requires access to the individually identifiable commercial health information.
(h) A recipient of individually identifiable health monitoring information that is not a commercial health monitoring program shall not further disclose that health monitoring information. Responsibility for a violation of this paragraph shall not rest with the commercial health monitoring agency but with the disclosing entity.