56.05.

 For purposes of this part:

(a) “Authorization” means permission granted in accordance with Section 56.11 or 56.21 for the disclosure of medical information.

(b) “Authorized recipient” means a person who is authorized to receive medical information pursuant to Section 56.10 or 56.20.

(c) “Confidential communications request” means a request by a subscriber or enrollee that health care service plan communications containing medical information be communicated to them at a specific mail or email address or specific telephone number, as designated by the subscriber or enrollee.

(d) “Contractor” means a person or entity that is a medical group, independent practice association, pharmaceutical benefits manager, or a medical service organization and is not a health care service plan or provider of health care. “Contractor” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code or pharmaceutical benefits managers licensed pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).

(e) “Enrollee” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.

(f) “Expiration date or event” means a specified date or an occurrence relating to the individual to whom the medical information pertains or the purpose of the use or disclosure, after which the provider of health care, health care service plan, pharmaceutical company, or contractor is no longer authorized to disclose the medical information.

(g) “Health care service plan” means an entity regulated pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).

(h) “Licensed health care professional” means a person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code, the Osteopathic Initiative Act or the Chiropractic Initiative Act, or Division 2.5 (commencing with Section 1797) of the Health and Safety Code.

(i) “Marketing” means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.

“Marketing” does not include any of the following:

(1) Communications made orally or in writing for which the communicator does not receive direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication.

(2) Communications made to current enrollees solely for the purpose of describing a provider’s participation in an existing health care provider network or health plan network of a Knox-Keene licensed health plan to which the enrollees already subscribe; communications made to current enrollees solely for the purpose of describing if, and the extent to which, a product or service, or payment for a product or service, is provided by a provider, contractor, or plan or included in a plan of benefits of a Knox-Keene licensed health plan to which the enrollees already subscribe; or communications made to plan enrollees describing the availability of more cost-effective pharmaceuticals.

(3) Communications that are tailored to the circumstances of a particular individual to educate or advise the individual about treatment options, and otherwise maintain the individual’s adherence to a prescribed course of medical treatment, as provided in Section 1399.901 of the Health and Safety Code, for a chronic and seriously debilitating or life-threatening condition as defined in subdivisions (d) and (e) of Section 1367.21 of the Health and Safety Code, if the health care provider, contractor, or health plan receives direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication, if all of the following apply:

(A) The individual receiving the communication is notified in the communication in typeface no smaller than 14-point type of the fact that the provider, contractor, or health plan has been remunerated and the source of the remuneration.

(B) The individual is provided the opportunity to opt out of receiving future remunerated communications.

(C) The communication contains instructions in typeface no smaller than 14-point type describing how the individual can opt out of receiving further communications by calling a toll-free number of the health care provider, contractor, or health plan making the remunerated communications. Further communication shall not be made to an individual who has opted out after 30 calendar days from the date the individual makes the opt-out request.

(j) “Medical information” means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental health application information, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the identity of the individual.

(k) “Mental health application information” means information related to a consumer’s inferred or diagnosed mental health or substance use disorder, as defined in Section 1374.72 of the Health and Safety Code, collected by a mental health digital service.

(l) “Mental health digital service” means a mobile-based application or internet website that collects mental health application information from a consumer, markets itself as facilitating mental health services to a consumer, and uses the information to facilitate mental health services to a consumer.

(m) “Patient” means a natural person, whether or not still living, who received health care services from a provider of health care and to whom medical information pertains.

(n) “Pharmaceutical company” means a company or business, or an agent or representative thereof, that manufactures, sells, or distributes pharmaceuticals, medications, or prescription drugs. “Pharmaceutical company” does not include a pharmaceutical benefits manager, as included in subdivision (c), or a provider of health care.

(o) “Protected individual” means any adult covered by the subscriber’s health care service plan or a minor who can consent to a health care service without the consent of a parent or legal guardian, pursuant to state or federal law. “Protected individual” does not include an individual that lacks the capacity to give informed consent for health care pursuant to Section 813 of the Probate Code.

(p) “Provider of health care” means a person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code; a person licensed pursuant to the Osteopathic Initiative Act or the Chiropractic Initiative Act; a person certified pursuant to Division 2.5 (commencing with Section 1797) of the Health and Safety Code; or a clinic, health dispensary, or health facility licensed pursuant to Division 2 (commencing with Section 1200) of the Health and Safety Code. “Provider of health care” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code.

(q) “Sensitive services” means all health care services related to mental or behavioral health, sexual and reproductive health, sexually transmitted infections, substance use disorder, gender affirming care, and intimate partner violence, and includes services described in Sections 6924, 6925, 6926, 6927, 6928, 6929, and 6930 of the Family Code, and Sections 121020 and 124260 of the Health and Safety Code, obtained by a patient at or above the minimum age specified for consenting to the service specified in the section.

(r) “Subscriber” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.

56.05.

 For purposes of this part:

(a) “Authorization” means permission granted in accordance with Section 56.11 or 56.21 for the disclosure of medical information.

(b) “Authorized recipient” means a person who is authorized to receive medical information pursuant to Section 56.10 or 56.20.

(c) “Confidential communications request” means a request by a subscriber or enrollee that health care service plan communications containing medical information be communicated to them at a specific mail or email address or specific telephone number, as designated by the subscriber or enrollee.

(d) “Contractor” means a person or entity that is a medical group, independent practice association, pharmaceutical benefits manager, or a medical service organization and is not a health care service plan or provider of health care. “Contractor” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code or pharmaceutical benefits managers licensed pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).

(e) “Enrollee” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.

(f) “Expiration date or event” means a specified date or an occurrence relating to the individual to whom the medical information pertains or the purpose of the use or disclosure, after which the provider of health care, health care service plan, pharmaceutical company, or contractor is no longer authorized to disclose the medical information.

(g) “Health care service plan” means an entity regulated pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).

(h) “Licensed health care professional” means a person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code, the Osteopathic Initiative Act or the Chiropractic Initiative Act, or Division 2.5 (commencing with Section 1797) of the Health and Safety Code.

(i) “Marketing” means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.

“Marketing” does not include any of the following:

(1) Communications made orally or in writing for which the communicator does not receive direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication.

(2) Communications made to current enrollees solely for the purpose of describing a provider’s participation in an existing health care provider network or health plan network of a Knox-Keene licensed health plan to which the enrollees already subscribe; communications made to current enrollees solely for the purpose of describing if, and the extent to which, a product or service, or payment for a product or service, is provided by a provider, contractor, or plan or included in a plan of benefits of a Knox-Keene licensed health plan to which the enrollees already subscribe; or communications made to plan enrollees describing the availability of more cost-effective pharmaceuticals.

(3) Communications that are tailored to the circumstances of a particular individual to educate or advise the individual about treatment options, and otherwise maintain the individual’s adherence to a prescribed course of medical treatment, as provided in Section 1399.901 of the Health and Safety Code, for a chronic and seriously debilitating or life-threatening condition as defined in subdivisions (d) and (e) of Section 1367.21 of the Health and Safety Code, if the health care provider, contractor, or health plan receives direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication, if all of the following apply:

(A) The individual receiving the communication is notified in the communication in typeface no smaller than 14-point type of the fact that the provider, contractor, or health plan has been remunerated and the source of the remuneration.

(B) The individual is provided the opportunity to opt out of receiving future remunerated communications.

(C) The communication contains instructions in typeface no smaller than 14-point type describing how the individual can opt out of receiving further communications by calling a toll-free number of the health care provider, contractor, or health plan making the remunerated communications. Further communication shall not be made to an individual who has opted out after 30 calendar days from the date the individual makes the opt-out request.

(j) “Medical information” means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental health application information, reproductive or sexual health application information, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the identity of the individual.

(k) “Mental health application information” means information related to a consumer’s inferred or diagnosed mental health or substance use disorder, as defined in Section 1374.72 of the Health and Safety Code, collected by a mental health digital service.

(l) “Mental health digital service” means a mobile-based application or internet website that collects mental health application information from a consumer, markets itself as facilitating mental health services to a consumer, and uses the information to facilitate mental health services to a consumer.

(m) “Patient” means a natural person, whether or not still living, who received health care services from a provider of health care and to whom medical information pertains.

(n) “Pharmaceutical company” means a company or business, or an agent or representative thereof, that manufactures, sells, or distributes pharmaceuticals, medications, or prescription drugs. “Pharmaceutical company” does not include a pharmaceutical benefits manager, as included in subdivision (c), or a provider of health care.

(o) “Protected individual” means any adult covered by the subscriber’s health care service plan or a minor who can consent to a health care service without the consent of a parent or legal guardian, pursuant to state or federal law. “Protected individual” does not include an individual that lacks the capacity to give informed consent for health care pursuant to Section 813 of the Probate Code.

(p) “Provider of health care” means a person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code; a person licensed pursuant to the Osteopathic Initiative Act or the Chiropractic Initiative Act; a person certified pursuant to Division 2.5 (commencing with Section 1797) of the Health and Safety Code; or a clinic, health dispensary, or health facility licensed pursuant to Division 2 (commencing with Section 1200) of the Health and Safety Code. “Provider of health care” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code.

(q) “Reproductive or sexual health application information” means information about a consumer’s reproductive health, menstrual cycle, fertility, pregnancy, pregnancy outcome, plans to conceive, or type of sexual activity collected by a reproductive or sexual health digital service, including, but not limited to, information from which one can infer someone’s pregnancy status, menstrual cycle, fertility, hormone levels, birth control use, sexual activity, or gender identity.

(r) “Reproductive or sexual health digital service” means a mobile-based application or internet website that collects reproductive or sexual health application information from a consumer, markets itself as facilitating reproductive or sexual health services to a consumer, and uses the information to facilitate reproductive or sexual health services to a consumer.

(s) “Sensitive services” means all health care services related to mental or behavioral health, sexual and reproductive health, sexually transmitted infections, substance use disorder, gender affirming care, and intimate partner violence, and includes services described in Sections 6924, 6925, 6926, 6927, 6928, 6929, and 6930 of the Family Code, and Sections 121020 and 124260 of the Health and Safety Code, obtained by a patient at or above the minimum age specified for consenting to the service specified in the section.

(t) “Subscriber” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.

56.11.

 (a) Any person or entity that wishes to obtain medical information pursuant to subdivision (a) of Section 56.10, other than a person or entity authorized to receive medical information pursuant to subdivision (b) or (c) of Section 56.10, except as provided in paragraph (21) of subdivision (c) of Section 56.10, shall obtain a valid authorization for the release of this information.

(b) An authorization for the release of medical information by a provider of health care, health care service plan, pharmaceutical company, or contractor shall be valid if it meets the following conditions:

(1) Is handwritten or is in a typeface no smaller than 14-point type.

(2) Is clearly separate from any other language present on the same page and is executed by a signature that serves no other purpose than to execute the authorization.

(3) Is signed, including with an electronic or handwritten signature, and dated by one of the following:

(A) The patient. A patient who is a minor may only sign an authorization for the release of medical information obtained by a provider of health care, health care service plan, pharmaceutical company, or contractor in the course of furnishing services to which the minor could lawfully have consented under Part 4 (commencing with Section 6900) of Division 11 of the Family Code.

(B) The legal representative of the patient, if the patient is a minor or lacks the capacity to make the decision to authorize the release of medical information. However, authorization may not be given under this subdivision for the disclosure of medical information obtained by the provider of health care, health care service plan, pharmaceutical company, or contractor in the course of furnishing services to which a minor patient could lawfully have consented under Part 4 (commencing with Section 6900) of Division 11 of the Family Code.

(C) The spouse of the patient or the person financially responsible for the patient, where the medical information is being sought for the sole purpose of processing an application for health insurance or for enrollment in a nonprofit hospital plan, a health care service plan, or an employee benefit plan, and where the patient is to be an enrolled spouse or dependent under the policy or plan.

(D) The beneficiary, as defined in Section 24 of the Probate Code, or personal representative, as defined in Section 58 of the Probate Code, of a deceased patient.

(4) States the specific uses and limitations on the types of medical information to be disclosed.

(5) States the name or functions of the provider of health care, health care service plan, pharmaceutical company, or contractor that may disclose the medical information.

(6) States the name or functions of the persons or entities authorized to receive the medical information.

(7) States the specific uses and limitations on the use of the medical information by the persons or entities authorized to receive the medical information.

(8) States an expiration date or event. The expiration date or event shall limit the duration of the authorization to one year or less, unless the person signing the authorization requests a specific date beyond a year or unless the authorization is related to an approved clinical trial, as defined in Section 1370.6 of the Health and Safety Code, or medical research study, in which case the authorization may extend beyond one year if the expiration date or event extends no longer than the completion of the relevant clinical trial or research study.

(9) Advises the person signing the authorization of the right to receive a copy of the authorization.

(c) If a provider of health care, health care service plan, pharmaceutical company, contractor, or any other entity seeks an authorization from an individual for a use or disclosure of protected health information, the provider of health care, health care service plan, pharmaceutical company, contractor, or other entity shall provide the individual with a copy of the signed authorization, and instructions on how to access additional copies or a digital version of the signed authorization.

56.17.

 (a) This section shall apply to the disclosure of genetic test results by a health care service plan that are contained in an applicant’s or enrollee’s medical records.

(b) Any person who negligently discloses results of a test for a genetic characteristic to any third party in a manner that identifies or provides identifying characteristics of the person to whom the test results apply, except pursuant to a written authorization as described in subdivision (g), shall be assessed a civil penalty in an amount not to exceed one thousand dollars ($1,000) plus court costs, as determined by the court, which penalty and costs shall be paid to the subject of the test.

(c) Any person who willfully discloses the results of a test for a genetic characteristic to any third party in a manner that identifies or provides identifying characteristics of the person to whom the test results apply, except pursuant to a written authorization as described in subdivision (g), shall be assessed a civil penalty in an amount not less than one thousand dollars ($1,000) and no more than five thousand dollars ($5,000) plus court costs, as determined by the court, which penalty and costs shall be paid to the subject of the test.

(d) Any person who willfully or negligently discloses the results of a test for a genetic characteristic to a third party in a manner that identifies or provides identifying characteristics of the person to whom the test results apply, except pursuant to a written authorization as described in subdivision (g), that results in economic, bodily, or emotional harm to the subject of the test, is guilty of a misdemeanor punishable by a fine not to exceed ten thousand dollars ($10,000).

(e) In addition to the penalties listed in subdivisions (b) and (c), any person who commits any act described in subdivision (b) or (c) shall be liable to the subject for all actual damages, including damages for economic, bodily, or emotional harm which is proximately caused by the act.

(f) Each disclosure made in violation of this section is a separate and actionable offense.

(g) The applicant’s “written authorization,” as used in this section, shall satisfy the following requirements:

(1) Is written in plain language and is in a typeface no smaller than 14-point type.

(2) Is dated and signed, including with an electronic or handwritten signature, by the individual or a person authorized to act on behalf of the individual.

(3) Specifies the types of persons authorized to disclose information about the individual.

(4) Specifies the nature of the information authorized to be disclosed.

(5) States the name or functions of the persons or entities authorized to receive the information.

(6) Specifies the purposes for which the information is collected.

(7) Specifies the length of time the authorization shall remain valid or states an expiration date or event. The expiration date or event shall limit the duration of the authorization to one year or less, unless the person signing the authorization requests a specific date beyond a year or unless the authorization is related to an approved clinical trial, as defined in Section 1370.6 of the Health and Safety Code, or medical research study, in which case the authorization may extend beyond one year if the expiration date or event extends no longer than the completion of the relevant clinical trial or research study.

(8) Advises the person signing the authorization of the right to receive a copy of the authorization. Written authorization is required for each separate disclosure of the test results.

(h) If a provider of health care, health care service plan, pharmaceutical company, contractor, or any other entity seeks an authorization from an individual for a use or disclosure of protected health information, the provider of health care, health care service plan, pharmaceutical company, contractor, or other entity shall provide the individual with a copy of the signed authorization and instructions on how to access additional copies or a digital version of the signed authorization.

(i) This section shall not apply to disclosures required by the State Department of Health Care Services necessary to monitor compliance with Chapter 1 (commencing with Section 124975) of Part 5 of Division 106 of the Health and Safety Code, nor to disclosures required by the Department of Managed Health Care necessary to administer and enforce compliance with Section 1374.7 of the Health and Safety Code.

(j) For purposes of this section, “genetic characteristic” has the same meaning as that set forth in subdivision (d) of Section 1374.7 of the Health and Safety Code.

56.21.

 An authorization for an employer to disclose medical information shall be valid if the authorization complies with all of the following:

(a) Is handwritten or is in a typeface no smaller than 14-point type.

(b) Is clearly separate from any other language present on the same page and is executed by a signature that serves no purpose other than to execute the authorization.

(c) Is signed, including with an electronic or handwritten signature, and dated by one of the following:

(1) The patient, except that a patient who is a minor may only sign an authorization for the disclosure of medical information obtained by a provider of health care in the course of furnishing services to which the minor could lawfully have consented under Part 4 (commencing with Section 6900) of Division 11 of the Family Code.

(2) The legal representative of the patient, if the patient is a minor or lacks the capacity to make the decision to authorize the release of medical information. However, authorization may not be given under this subdivision for the disclosure of medical information that pertains to a competent minor and that was created by a provider of health care in the course of furnishing services to which a minor patient could lawfully have consented under Part 4 (commencing with Section 6900) of Division 11 of the Family Code.

(3) The beneficiary, as defined in Section 24 of the Probate Code, or personal representative, as defined in Section 58 of the Probate Code, of a deceased patient.

(d) States the limitations, if any, on the types of medical information to be disclosed.

(e) States the name or functions of the employer or person authorized to disclose the medical information.

(f) States the names or functions of the persons or entities authorized to receive the medical information.

(g) States the limitations, if any, on the use of the medical information by the persons or entities authorized to receive the medical information.

(h) States an expiration date or event. The expiration date or event shall limit the duration of the authorization to one year or less, unless the person signing the authorization requests a specific date beyond a year or unless the authorization is related to an approved clinical trial, as defined in Section 1370.6 of the Health and Safety Code, or medical research study, in which case the authorization may extend beyond one year if the expiration date or event extends no longer than the completion of the relevant clinical trial or research study.

(i) Advises the person who signed the authorization of the right to receive a copy of the authorization.

(j) If an employer or any other entity seeks an authorization from an individual for a use or disclosure of protected health information, the employer or other entity shall provide the individual with a copy of the signed authorization and instructions on how to access additional copies or a digital version of the signed authorization.

1633.3.

 (a) Except as otherwise provided in subdivisions (b) and (c), this title applies to electronic records and electronic signatures relating to a transaction.

(b) This title does not apply to transactions subject to any of the following laws:

(1) A law governing the creation and execution of wills, codicils, or testamentary trusts.

(2) Division 1 (commencing with Section 1101) of the Uniform Commercial Code, except Sections 1206 and 1306.

(3) Divisions 3 (commencing with Section 3101), 4 (commencing with Section 4101), 5 (commencing with Section 5101), 8 (commencing with Section 8101), 9 (commencing with Section 9101), and 11 (commencing with Section 11101) of the Uniform Commercial Code.

(4) A law that requires that specifically identifiable text or disclosures in a record or a portion of a record be separately signed, including initialed, from the record. However, this paragraph does not apply to Section 1677 or 1678 of this code or Section 1298 of the Code of Civil Procedure.

(c) This title does not apply to any specific transaction described in Section 17511.5 of the Business and Professions Code, Section 798.14, 1133, or 1134 of, Section 1689.6, 1689.7, or 1689.13 of, Chapter 2.5 (commencing with Section 1695) of Title 5 of Part 2 of Division 3 of, Section 1720, 1785.15, 1789.14, 1789.16, or 1793.23 of, Chapter 1 (commencing with Section 1801) of Title 2 of Part 4 of Division 3 of, Section 1861.24, 1862.5, 1917.712, 1917.713, 1950.6, 1983, 2924b, 2924c, 2924f, 2924i, 2924j, 2924.3, or 2937 of, Article 1.5 (commencing with Section 2945) of Chapter 2 of Title 14 of Part 4 of Division 3 of, Section 2954.5 or 2963 of, Chapter 2b (commencing with Section 2981) or 2d (commencing with Section 2985.7) of Title 14 of Part 4 of Division 3 of, Section 3071.5 of, Part 5 (commencing with Section 4000) of Division 4 of, or Part 5.3 (commencing with Section 6500) of Division 4 of, this code, subdivision (b) of Section 18608 or Section 22328 of the Financial Code, Section 1358.15, 1365, 1368.01, 1368.1, 1371, or 18035.5 of the Health and Safety Code, Section 786 as it applies to individual and group disability policies, 10199.44, 10199.46, 10235.16, 10235.40, 11624.09, or 11624.1 of the Insurance Code, Section 779.1, 10010.1, or 16482 of the Public Utilities Code, or Section 9975 or 11738 of the Vehicle Code. An electronic record may not be substituted for any notice that is required to be sent pursuant to Section 1162 of the Code of Civil Procedure. This subdivision does not prohibit the recordation of any document with a county recorder by electronic means.

(d) This title applies to an electronic record or electronic signature otherwise excluded from the application of this title under subdivision (b) when used for a transaction subject to a law other than those specified in subdivision (b).

(e) A transaction subject to this title is also subject to other applicable substantive law.

(f) The exclusion of a transaction from the application of this title under subdivision (b) or (c) shall be construed only to exclude the transaction from the application of this title, but shall not be construed to prohibit the transaction from being conducted by electronic means if the transaction may be conducted by electronic means under any other applicable law.

(g) Notwithstanding subdivisions (b) and (c), this title shall apply to electronic records and electronic signatures relating to transactions conducted by a person licensed, certified, or registered pursuant to the Alarm Company Act (Chapter 11.6 (commencing with Section 7590) of Division 3 of the Business and Professions Code) for purposes of activities authorized by Section 7599.54 of the Business and Professions Code.