436.
(a) (1) An employer shall not require an employee to participate in a wellness program as a condition of employment.
(2) An employer shall not retaliate or take any adverse action against an employee if the employer’s action is in response to a matter related to a wellness program, such as an employee’s election to not participate in a wellness program or the data collected through the wellness program about the employee.
(3) An employer shall not share any personal information or data collected through a wellness program.
(b) An employer that collects the personal information of an employee as part of the administration and operation of a wellness program shall ensure compliance with state and federal privacy laws.
(c) (1) An employer shall provide an employee a written explanation, in clear and easily understandable language, post a written explanation that is reasonably likely to be understood by an employee on its internet website about the basis of the wellness program, a description about the data collection process and which data will be collected through the wellness program, policies and practices pertaining to the wellness program, and the employee’s rights concerning the wellness program under federal and state laws and regulations.
(2) Notwithstanding any other law, for purposes of administering and operating a wellness program, an employer shall limit its collection, dissemination, retention, and use of any personal information of an employee to only information that is reasonably necessary to operate the wellness program.
(3) If an employee terminates their participation in a wellness program, or upon the conclusion of a wellness program, the employer shall destroy any personal information received or collected through the wellness program, and shall order the destruction of this material.
(d) An employee has the right to do both of the following:
(1) Obtain a copy of the employee’s records, including personal information that has been collected by the employer, pertaining to a wellness program, in a format accessible to the employee.
(2) Challenge the completeness and accuracy of any records, including personal information or data, related to the employee that has been collected by the employer as part of a wellness program.
(e) Any person who believes that they have been discharged or otherwise discriminated against in violation of this section may file a complaint with the division within six months after the occurrence of the violation pursuant to Section 98.7.
(f) Any Notwithstanding Section 433, a person who violates this section is guilty of a misdemeanor pursuant to Section 433. an infraction.
(g) (1) The requirements described in this section shall apply, to the extent that they are applicable, to any entity that the employer contracts with for purposes of administering or operating a wellness program on the employer’s behalf.
(2) The entity specified in paragraph (1) shall not share any personal information about the employee that is collected through a wellness program with the employer.
(h) The provisions of this section are severable. If any provision of this section or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.
(i) Notwithstanding paragraphs (2) and (3) of subdivision (c), an employer may retain publicly available information or deidentified and aggregated information that is collected through a wellness program if this data would be used for the purpose of conducting bona fide research relating to health care utilization and outcomes.
(j) Notwithstanding paragraph (3) of subdivision (a), an employer may share data that is collected through a wellness program with a third party if the data is either publicly available information or deidentified and aggregated information, and the data would be used for the purpose of conducting bona fide research relating to health care utilization and outcomes.
(k) The provisions of this section do not apply to either of the following:
(1) Any wellness program for licensed health care professionals administered or operated by a professional association or its affiliates or subsidiaries.
(2) The personal information or data collected by a professional association or its affiliates or subsidiaries in relation to, or in support of, the administration or operation of a wellness program for licensed health care professionals.
(l) This section does not limit or restrict the disclosure of any personal information by an employer if otherwise required by law.
(i)
(m) For purposes of this section, the following definitions apply:
(1) “Administration and operation of a wellness program” means, but is not limited to, the use of personal information, including health information, when reasonably necessary and proportionate to achieve one of the following purposes:
(A) Detecting and responding to security incidents arising from a wellness program and protecting against malicious, deceptive, fraudulent, or illegal activity related to a wellness program.
(B) Executing functions of a wellness program for the benefit of the employee.
(C) Undertaking internal research for technological development and demonstration related to a wellness program.
(D) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned by, manufactured by, manufactured for, or controlled by the employer, or to improve, upgrade, or enhance the service or device that is owned by, manufactured by, manufactured for, or controlled by the employer, related to a wellness program.
(2) “Collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing, by any means, any personal information, including health information, pertaining to an employee. This includes information that the employer receives either directly or indirectly, such as through observation of the employee.
(3) “Employer” means either of the following:
(A) Any person who directly employs 50 or more persons to perform services for a wage or salary.
(B) The state and any political or civil subdivision of the state, a county, or a city.
(4) “Personal information” means information that identifies or could reasonably be linked, directly or indirectly, with either the employee or their household.
(A) “Personal information” includes, but is not limited to, an employee’s past, present, or future physical or mental health condition, and common identifiers, including a name, address, birth date, social security number, or any other identification number.
(B) (i) “Personal information” excludes any publicly available information, and excludes any deidentified or aggregate information about an employee.
(ii) For purposes of this section, the deidentification of personal information shall meet the requirements set forth in Section 164.514 of Title 45 of the Code of Federal Regulations.
(5) “Publicly available information” means information that is lawfully made available pursuant to federal and state law.
(4) “Personal information” shall have the same meaning as defined in subdivision (o) of Section 1798.140 of the Civil Code.
(6)
(5) “Retaliatory” or “adverse action” means, but is not limited to, an adverse employment action taken by an employer against an employee, including termination, fine, or suspension, if an employer’s action is in response to a matter related to a wellness program, such as an employee’s election to not participate in a wellness program or the data collected through the wellness program about an employee.
(6) “Wellness program” means an employer-based program aimed at promoting health-related behaviors and disease prevention. A wellness program excludes care coordination by or between health care providers in the practice of medicine.