AB-648 Wellness programs. (2019-2020)




SECTION 1.
 This act shall be known, and may be cited, as the Wellness Program Protection Act.

SEC. 2.

 Section 1367.13 is added to the Health and Safety Code, to read:

1367.13.
 (a) A health care service plan shall not do either of the following:
(1) Retaliate or take any adverse action against an enrollee or member if the health care service plan’s action is in response to an individual’s election to not participate in a wellness program or the data collected through the wellness program about the enrollee or member.
(2) Share any personal information or data collected through a wellness program.
(b) (1) (A) A health care service plan that collects personal information of an enrollee or member as part of its administration and operation of a wellness program shall ensure compliance with state and federal privacy laws, including, but not limited to, the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code), and the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).
(B) A health care service plan shall post a written explanation that is reasonably likely to be understood by an enrollee or member on its internet website about the basis of the wellness program, a description about the data collection process and which data will be collected through the wellness program, policies and practices pertaining to the wellness program, and the rights of the enrollee or member concerning the wellness program under federal and state laws and regulations.
(2) (A) Notwithstanding any other law, for purposes of administering and operating a wellness program, a health care service plan shall limit its collection, dissemination, retention, and use of any personal information of an enrollee or member to only information that is reasonably necessary to operate the wellness program.
(B) If an enrollee or member terminates their participation in a wellness program, or upon the conclusion of a wellness program, the health care service plan shall destroy any personal information received or collected through the wellness program, and shall order the destruction of this material.
(c) With respect to a wellness program, an enrollee or member has the right to do both of the following:
(1) Obtain a copy of their records, including personal information that has been collected by the health care service plan, in a format accessible to the individual.
(2) Challenge the completeness and accuracy of any records, including personal information or data, related to the enrollee or member that has been collected by a health care service plan.
(d) A person who willfully violates any provision of this section shall be subject to the enforcement procedures set forth under Article 8 (commencing with Section 1390), and any other sanctions and penalties permitted by law.
(e) The provisions of this section are severable. If any provision of this section or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.
(f) The requirements described in this section shall apply, to the extent that they are applicable, to any entity that the health care service plan contracts with for purposes of administering or operating a wellness program on the health care service plan’s behalf.
(g) A health care service plan shall not share any personal information about the enrollee or member that is collected through a wellness program with the enrollee’s or member’s employer.
(h) Notwithstanding paragraph (2) of subdivision (b), a health care service plan may retain publicly available information or deidentified and aggregated information that is collected through a wellness program if this data would be used for the purpose of conducting bona fide research relating to health care utilization and outcomes.
(i) Notwithstanding paragraph (2) of subdivision (a), a health care service plan may share data that is collected through a wellness program with a third party if the data is either publicly available information or deidentified and aggregated information, and the data would be used for the purpose of conducting bona fide research relating to health care utilization and outcomes.
(j) The provisions of this section do not apply to either of the following:
(1) Any wellness program for licensed health care professionals administered or operated by a professional association or its affiliates or subsidiaries.
(2) The personal information or data collected by a professional association or its affiliates or subsidiaries in relation to, or in support of, the administration or operation of a wellness program for licensed health care professionals.
(k) This section does not limit or restrict the disclosure of any personal information by a health care service plan if otherwise required by law.
(l) For purposes of this section, the following definitions apply:
(1) “Administration and operation of a wellness program” means, but is not limited to, the use of personal information when reasonably necessary and proportionate to achieve one of the following purposes:
(A) Detecting and responding to security incidents arising from a wellness program and protecting against malicious, deceptive, fraudulent, or illegal activity related to a wellness program.
(B) Executing functions of a wellness program for the benefit of the enrollee or member.
(C) Undertaking internal research for technological development and demonstration related to a wellness program.
(D) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned by, manufactured by, manufactured for, or controlled by the health care service plan, or to improve, upgrade, or enhance the service or device that is owned by, manufactured by, manufactured for, or controlled by the health care service plan related to a wellness program.
(2) “Collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing, by any means, any personal information pertaining to an enrollee or member. This includes information that the health care service plan receives from an enrollee or member either directly or indirectly, such as through observation of the enrollee or member.
(3) “Personal information” shall have the same meaning as defined in subdivision (o) of Section 1798.140 of the Civil Code.
(4) “Retaliatory” or “adverse action” means, but is not limited to, an adverse action taken by a health care service plan against an enrollee or member, including increasing a premium, if the health care service plan’s action is in response to an enrollee or member’s election to not participate in a wellness program or the data collected through the wellness program about an enrollee or member.
(5) “Wellness program” means a health care service plan-based program aimed at promoting health-related behaviors and disease prevention. A wellness program excludes care coordination by or between health care providers in the practice of medicine.

SEC. 3.

 Section 10127.6 is added to the Insurance Code, to read:

10127.6.
 (a) An insurer shall not do either of the following:
(1) Retaliate or take any adverse action against an insured if the insurer’s action is in response to an insured’s election to not participate in a wellness program or the data collected through the wellness program about the insured.
(2) Share any personal information or data collected through a wellness program.
(b) (1) (A) An insurer that collects personal information of an insured as part of its administration and operation of a wellness program shall ensure compliance with state and federal privacy laws.
(B) An insurer shall post a written explanation that is reasonably likely to be understood by an insured on its internet website about the basis of the wellness program, a description about the data collection process and which data will be collected through the wellness program, policies and practices pertaining to the wellness program, and the insured’s rights concerning the wellness program under federal and state laws and regulations.
(2) (A) Notwithstanding any other law, for purposes of administering and operating a wellness program, an insurer shall limit its collection, dissemination, retention, and use of any personal information of an employee to only information that is reasonably necessary to operate the wellness program.
(B) If an insured terminates their participation in a wellness program, or upon the conclusion of a wellness program, the insurer shall destroy any personal information received or collected through the wellness program, and shall order the destruction of this material.
(c) With respect to a wellness program, an insured has the right to do both of the following:
(1) Obtain a copy of the insured’s records, including personal information that has been collected by the insurer, in a format accessible to the insured.
(2) Challenge the completeness and accuracy of any records, including personal information or data, related to the insured that has been collected by the insurer.
(d) (1) In addition to any other remedy permitted by law, the commissioner may assess the administrative penalties specified in this section against an insurer for a violation of this section.
(2) An insurer that violates this section is liable for an administrative penalty of not more than two thousand five hundred dollars ($2,500) for the first violation and not more than five thousand dollars ($5,000) for each subsequent violation.
(3) An insurer that violates this section with a frequency that indicates a general business practice or commits a knowing violation of that section is liable for an administrative penalty of not less than fifteen thousand dollars ($15,000) and not more than one hundred thousand dollars ($100,000) for each violation.
(e) The provisions of this section are severable. If any provision of this section or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.
(f) The requirements described in this section shall apply, to the extent that they are applicable, to any entity that the insurer contracts with for purposes of administering or operating a wellness program on the insurer’s behalf.
(g) An insurer shall not share any personal information about the insured that is collected through a wellness program with the insured’s employer.
(h) Notwithstanding paragraph (2) of subdivision (b), an insurer may retain publicly available information or deidentified and aggregated information that is collected through a wellness program if this data would be used for the purpose of conducting bona fide research relating to health care utilization and outcomes.
(i) Notwithstanding paragraph (2) of subdivision (a), an insurer may share data that is collected through a wellness program with a third party if the data is either publicly available information or deidentified and aggregated information, and the data would be used for the purpose of conducting bona fide research relating to health care utilization and outcomes.
(j) The provisions of this section do not apply to either of the following:
(1) Any wellness program for licensed health care professionals administered or operated by a professional association or its affiliates or subsidiaries.
(2) The personal information or data collected by a professional association or its affiliates or subsidiaries in relation to, or in support of, the administration or operation of a wellness program for licensed health care professionals.
(k) This section does not limit or restrict the disclosure of any personal information by an insurer if otherwise required by law.
(l) For purposes of this section, the following definitions apply:
(1) “Administration and operation of a wellness program” means, but is not limited to, the use of personal information when reasonably necessary and proportionate to achieve one of the following purposes:
(A) Detecting and responding to security incidents arising from a wellness program and protecting against malicious, deceptive, fraudulent, or illegal activity related to a wellness program.
(B) Executing functions of a wellness program for the benefit of the insured.
(C) Undertaking internal research for technological development and demonstration related to a wellness program.
(D) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned by, manufactured by, manufactured for, or controlled by the insurer, or to improve, upgrade, or enhance the service or device that is owned by, manufactured by, manufactured for, or controlled by the insurer related to a wellness program.
(2) “Collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing, by any means, any personal information pertaining to an insured. This includes information that the insurer receives from an insured either directly or indirectly, such as through the observation of an insured’s behavior.
(3) “Personal information” shall have the same meaning as defined in subdivision (o) of Section 1798.140 of the Civil Code.
(4) “Retaliatory” or “adverse action” means, but is not limited to, an adverse action taken by an insurer against an insured, including increasing a premium on a policy, if the insurer’s action is in response to an insured’s election to not participate in a wellness program or the data collected through the wellness program about an insured.
(5) “Wellness program” means an insurer-based program aimed at promoting health-related behaviors and disease prevention. A wellness program excludes care coordination by or between health care providers in the practice of medicine.

SEC. 4.

 Section 436 is added to the Labor Code, to read:

436.
 (a) (1) An employer shall not require an employee to participate in a wellness program as a condition of employment.
(2) An employer shall not retaliate or take any adverse action against an employee if the employer’s action is in response to an employee’s election to not participate in a wellness program or the data collected through the wellness program about the employee.
(3) An employer shall not share any personal information or data collected through a wellness program.
(b) An employer that collects the personal information of an employee as part of the administration and operation of a wellness program shall ensure compliance with state and federal privacy laws.
(c) (1) An employer shall post a written explanation that is reasonably likely to be understood by an employee on its internet website about the basis of the wellness program, a description about the data collection process and which data will be collected through the wellness program, policies and practices pertaining to the wellness program, and the employee’s rights concerning the wellness program under federal and state laws and regulations.
(2) Notwithstanding any other law, for purposes of administering and operating a wellness program, an employer shall limit its collection, dissemination, retention, and use of any personal information of an employee to only information that is reasonably necessary to operate the wellness program.
(3) If an employee terminates their participation in a wellness program, or upon the conclusion of a wellness program, the employer shall destroy any personal information received or collected through the wellness program, and shall order the destruction of this material.
(d) An employee has the right to do both of the following:
(1) Obtain a copy of the employee’s records, including personal information that has been collected by the employer, pertaining to a wellness program, in a format accessible to the employee.
(2) Challenge the completeness and accuracy of any records, including personal information or data, related to the employee that has been collected by the employer as part of a wellness program.
(e) Any person who believes that they have been discharged or otherwise discriminated against in violation of this section may file a complaint with the division within six months after the occurrence of the violation pursuant to Section 98.7.
(f) Notwithstanding Section 433, a person who violates this section is guilty of an infraction.
(g) (1) The requirements described in this section shall apply, to the extent that they are applicable, to any entity that the employer contracts with for purposes of administering or operating a wellness program on the employer’s behalf.
(2) The entity specified in paragraph (1) shall not share any personal information about the employee that is collected through a wellness program with the employer.
(h) The provisions of this section are severable. If any provision of this section or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.
(i) Notwithstanding paragraphs (2) and (3) of subdivision (c), an employer may retain publicly available information or deidentified and aggregated information that is collected through a wellness program if this data would be used for the purpose of conducting bona fide research relating to health care utilization and outcomes.
(j) Notwithstanding paragraph (3) of subdivision (a), an employer may share data that is collected through a wellness program with a third party if the data is either publicly available information or deidentified and aggregated information, and the data would be used for the purpose of conducting bona fide research relating to health care utilization and outcomes.
(k) The provisions of this section do not apply to either of the following:
(1) Any wellness program for licensed health care professionals administered or operated by a professional association or its affiliates or subsidiaries.
(2) The personal information or data collected by a professional association or its affiliates or subsidiaries in relation to, or in support of, the administration or operation of a wellness program for licensed health care professionals.
(l) This section does not limit or restrict the disclosure of any personal information by an employer if otherwise required by law.
(m) For purposes of this section, the following definitions apply:
(1) “Administration and operation of a wellness program” means, but is not limited to, the use of personal information, including health information, when reasonably necessary and proportionate to achieve one of the following purposes:
(A) Detecting and responding to security incidents arising from a wellness program and protecting against malicious, deceptive, fraudulent, or illegal activity related to a wellness program.
(B) Executing functions of a wellness program for the benefit of the employee.
(C) Undertaking internal research for technological development and demonstration related to a wellness program.
(D) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned by, manufactured by, manufactured for, or controlled by the employer, or to improve, upgrade, or enhance the service or device that is owned by, manufactured by, manufactured for, or controlled by the employer, related to a wellness program.
(2) “Collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing, by any means, any personal information, including health information, pertaining to an employee. This includes information that the employer receives either directly or indirectly, such as through observation of the employee.
(3) “Employer” means either of the following:
(A) Any person who directly employs 50 or more persons to perform services for a wage or salary.
(B) The state and any political or civil subdivision of the state, a county, or a city.
(4) “Personal information” shall have the same meaning as defined in subdivision (o) of Section 1798.140 of the Civil Code.
(5) “Retaliatory” or “adverse action” means, but is not limited to, an adverse employment action taken by an employer against an employee, including termination, fine, or suspension, if an employer’s action is in response to an employee’s election to not participate in a wellness program or the data collected through the wellness program about an employee.
(6) “Wellness program” means an employer-based program aimed at promoting health-related behaviors and disease prevention. A wellness program excludes care coordination by or between health care providers in the practice of medicine.

SEC. 5.
 No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.