Bill Text


Bill PDF |Add To My Favorites | print page

AB-2935 Health information privacy: digital commercial health monitoring.(2017-2018)

SHARE THIS: share this bill in Facebook share this bill in Twitter
Date Published: 02/16/2018 09:00 PM
AB2935:v99#DOCUMENT


CALIFORNIA LEGISLATURE— 2017–2018 REGULAR SESSION

Assembly Bill
No. 2935

Introduced by Assembly Member Chau

February 16, 2018

An act to add Division 1.7 (commencing with Section 1181) to the Health and Safety Code, relating to privacy.


LEGISLATIVE COUNSEL'S DIGEST


AB 2935, as introduced, Chau. Health information privacy: digital commercial health monitoring.
Existing federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes certain requirements relating to the provision of health insurance, including provisions relating to the confidentiality of health records. Existing state law, the Confidentiality of Medical Information Act, prohibits a provider of health care, a health care service plan, a contractor, a corporation and its subsidiaries and affiliates, or any business that offers software or hardware to consumers, including a mobile application or other related device, as defined, from intentionally sharing, selling, using for marketing, or otherwise using any medical information, as defined, for any purpose not necessary to provide health care services to a patient, except as provided.
This bill would prohibit an operator of a commercial health monitoring program from intentionally sharing, selling, or disclosing individually identifiable health monitoring information in possession of or derived from a commercial health monitoring program to a 3rd party without first providing clear and conspicuous notice and obtaining the consumer’s affirmative consent, except as provided. The bill would require an operator of a commercial health monitoring program, upon request, to delete a consumer’s individually identifiable health monitoring information, and to maintain or delete individually identifiable health monitoring information in a manner that preserves security and confidentiality. The bill would define terms for its purposes and exempt entities and individuals subject to HIPAA or the Confidentiality of Medical Information Act from these requirements.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: NO   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Division 1.7 (commencing with Section 1181) is added to the Health and Safety Code, to read:

DIVISION 1.7. Health Information Privacy

CHAPTER  1. Digital Commercial health Monitoring

1181.
 For purposes of this chapter:
(a) “Commercial health monitoring program” means a commercial Internet Web site, online service, or product used by consumers whose primary purpose is to collect the consumer’s individually identifiable health monitoring information.
(b) “Health care provider” has the meaning given that term in the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191).
(c) “Health monitoring information” means information, in electronic or physical form, about a consumer’s mental or physical condition that is collected by a commercial health monitoring program through a direct measurement of a consumer’s mental or physical condition or though user-input regarding a consumer’s mental or physical condition into a commercial health monitoring program.
(d) “Individually identifiable” means information that includes or contains an element of personal identifying information sufficient to allow identification of the consumer, including, but not limited to, the consumer’s name, address, electronic mail address, telephone number, social security number, or unique electronic identifier, or other information that, alone or in combination with other publicly available information, reveals the consumer’s identity.
(e) “Service provider” means an entity that does not further use or disclose individually identifiable health information except at the direction of the commercial health monitoring program to other service providers of the commercial health monitoring programs and does either of the following:
(1) Provides services to the operator, or on behalf of the operator, of the commercial health monitoring program that solely support the functionality or operation of the commercial health monitoring program.
(2) Controls, is controlled by, or is under common control with the provider of the commercial health monitoring program when both of the following apply:
(A) The entity maintains third-party data sharing practices, with respect to individually identifiable health monitoring information, that are at least as protective of privacy as those of the commercial health monitoring program.
(B) The operator of the commercial health monitoring program disclosing the individually identifiable health monitoring information and the entity receiving the individually identifiable health monitoring information are both principally engaged in the same line of business.
(f) “Third party” means an entity that is not a service provider, with whom the consumer does not have a direct relationship with respect to the consumer’s use of the commercial health monitoring program, and whose processing of individually identifiable health monitoring information is not otherwise necessary for the functionality of the commercial health monitoring program.

1181.10.
 (a) An operator of a commercial health monitoring program shall not intentionally share, sell, or disclose individually identifiable health monitoring information to or with a third party without first providing clear and conspicuous notice and obtaining the consumer’s affirmative consent that fulfills all of the following requirements:
(1) The request for consent shall be separate from all other authorizations or agreements.
(2) The request for consent shall include the name or nature of the third party and the purpose for the request.
(3) (A) A consumer’s refusal to consent to third-party sharing, sale, or disclosure of individually identifiable health monitoring information shall not limit the consumer’s ability to use the commercial health monitoring program even if features and services provided by the specific third party are inoperable.
(B) This paragraph does not apply if the primary function of the commercial health monitoring program is the sharing, sale, or disclosure of individually identifiable health monitoring information to third parties and the consumer is notified of this function at the time of the request for consent.
(4) A waiver of any legal right, penalty, remedy, forum, or enforcement procedure presented to the consumer in the consent described by this section is unenforceable and void as a matter of law.
(b) An operator of a commercial health monitoring program shall make available and provide notice of a process whereby a consumer may withdraw the consent granted in subdivision (a), although the notice does not expressly need to be included in the consent described in subdivision (a). Any withdrawal of consent shall apply prospectively and shall not impact valid disclosures and consent prior to the operative date of withdrawal.
(c) When health monitoring information is stored in an individually identifiable manner, upon request by the consumer, the operator of the commercial health monitoring program shall delete or provide to the consumer his or her individually identifiable health monitoring information. A commercial health monitoring program may assess a reasonable administrative charge for the cost of accessing, copying, or deleting individually identifiable health monitoring information under this chapter.
(d) An operator of a commercial health monitoring program that creates, maintains, preserves, stores, abandons, deletes, destroys, or disposes of health monitoring information shall do so in a manner to preserve the security and confidentiality of the individually identifiable health monitoring information contained therein.
(e) This chapter is not intended to limit the required disclosure of individually identifiable health monitoring information pursuant to another law.
(f) This chapter shall not be construed to limit or otherwise reduce existing privacy protections provided for in state or federal law.
(g) Individually identifiable health monitoring information may be disclosed to the following persons without satisfying the consent requirements of this chapter if the disclosing entity provides notice of the disclosure to the consumer whose individually identifiable health monitoring information was disclosed as soon as practicable:
(1) To a health care provider to aid in the diagnosis or treatment of the consumer, when the consumer is unable to consent to the disclosure due to an emergent medical condition.
(2) To a government official if necessary to prevent an emergency involving danger of death or serious physical injury to a person that requires access to the individually identifiable commercial health information.
(h) A recipient of individually identifiable health monitoring information that is not a commercial health monitoring program shall not further disclose that health monitoring information. Responsibility for a violation of this paragraph shall not rest with the commercial health monitoring agency but with the disclosing entity.

1181.20.
 (a) A covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191) or the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code) shall not be subject to this chapter with respect to any activity or exemption regulated by those acts.
(b) The definitions in those acts, in effect on January 1, 2018, shall apply to this section.