Bill Text: CA AB254 | 2023-2024 | Regular Session | Chaptered


Bill Title: Confidentiality of Medical Information Act: reproductive or sexual health application information.

Spectrum: Partisan Bill (Democrat 12-0)

Status: (Passed) 2023-09-27 - Chaptered by Secretary of State - Chapter 254, Statutes of 2023. [AB254 Detail]

Download: California-2023-AB254-Chaptered.html

Assembly Bill No. 254
CHAPTER 254

An act to amend Sections 56.05 and 56.06 of the Civil Code, relating to privacy.

[ Approved by Governor  September 27, 2023. Filed with Secretary of State  September 27, 2023. ]

LEGISLATIVE COUNSEL'S DIGEST


AB 254, Bauer-Kahan. Confidentiality of Medical Information Act: reproductive or sexual health application information.
The Confidentiality of Medical Information Act (CMIA) prohibits a provider of health care, a health care service plan, a contractor, or a corporation and its subsidiaries and affiliates from intentionally sharing, selling, using for marketing, or otherwise using any medical information, as defined, for any purpose not necessary to provide health care services to a patient, except as provided. The CMIA makes a business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage the individual’s information or for the diagnosis, treatment, or management of a medical condition of the individual, a provider of health care subject to the requirements of the CMIA. Existing law makes a violation of these provisions that results in economic loss or personal injury to a patient punishable as a misdemeanor.
This bill would revise the definition of “medical information” to include reproductive or sexual health application information, which the bill would define to mean information about a consumer’s reproductive or sexual health collected by a reproductive or sexual health digital service, as specified. The bill would make a business that offers a reproductive or sexual health digital service to a consumer for the purpose of allowing the individual to manage the individual’s information, or for the diagnosis, treatment, or management of a medical condition of the individual, a provider of health care subject to the requirements of the CMIA. Because the bill would expand the scope of a crime, it would impose a state-mandated local program.
This bill would incorporate additional changes to Section 56.05 of the Civil Code proposed by AB 1697 to be operative only if this bill and AB 1697 are enacted and this bill is enacted last.
The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.
This bill would provide that no reimbursement is required by this act for a specified reason.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: YES  

The people of the State of California do enact as follows:


SECTION 1.

 Section 56.05 of the Civil Code is amended to read:

56.05.
 For purposes of this part:
(a) “Authorization” means permission granted in accordance with Section 56.11 or 56.21 for the disclosure of medical information.
(b) “Authorized recipient” means a person who is authorized to receive medical information pursuant to Section 56.10 or 56.20.
(c) “Confidential communications request” means a request by a subscriber or enrollee that health care service plan communications containing medical information be communicated to them at a specific mail or email address or specific telephone number, as designated by the subscriber or enrollee.
(d) “Contractor” means a person or entity that is a medical group, independent practice association, pharmaceutical benefits manager, or a medical service organization and is not a health care service plan or provider of health care. “Contractor” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code or pharmaceutical benefits managers licensed pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).
(e) “Enrollee” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.
(f) “Health care service plan” means an entity regulated pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).
(g) “Licensed health care professional” means a person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code, the Osteopathic Initiative Act or the Chiropractic Initiative Act, or Division 2.5 (commencing with Section 1797) of the Health and Safety Code.
(h) “Marketing” means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.
“Marketing” does not include any of the following:
(1) Communications made orally or in writing for which the communicator does not receive direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication.
(2) Communications made to current enrollees solely for the purpose of describing a provider’s participation in an existing health care provider network or health plan network of a Knox-Keene licensed health plan to which the enrollees already subscribe; communications made to current enrollees solely for the purpose of describing if, and the extent to which, a product or service, or payment for a product or service, is provided by a provider, contractor, or plan or included in a plan of benefits of a Knox-Keene licensed health plan to which the enrollees already subscribe; or communications made to plan enrollees describing the availability of more cost-effective pharmaceuticals.
(3) Communications that are tailored to the circumstances of a particular individual to educate or advise the individual about treatment options, and otherwise maintain the individual’s adherence to a prescribed course of medical treatment, as provided in Section 1399.901 of the Health and Safety Code, for a chronic and seriously debilitating or life-threatening condition as defined in subdivisions (d) and (e) of Section 1367.21 of the Health and Safety Code, if the health care provider, contractor, or health plan receives direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication, if all of the following apply:
(A) The individual receiving the communication is notified in the communication in typeface no smaller than 14-point type of the fact that the provider, contractor, or health plan has been remunerated and the source of the remuneration.
(B) The individual is provided the opportunity to opt out of receiving future remunerated communications.
(C) The communication contains instructions in typeface no smaller than 14-point type describing how the individual can opt out of receiving further communications by calling a toll-free number of the health care provider, contractor, or health plan making the remunerated communications. Further communication shall not be made to an individual who has opted out after 30 calendar days from the date the individual makes the opt-out request.
(i) “Medical information” means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental health application information, reproductive or sexual health application information, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the identity of the individual.
(j) “Mental health application information” means information related to a consumer’s inferred or diagnosed mental health or substance use disorder, as defined in Section 1374.72 of the Health and Safety Code, collected by a mental health digital service.
(k) “Mental health digital service” means a mobile-based application or internet website that collects mental health application information from a consumer, markets itself as facilitating mental health services to a consumer, and uses the information to facilitate mental health services to a consumer.
(l) “Patient” means a natural person, whether or not still living, who received health care services from a provider of health care and to whom medical information pertains.
(m) “Pharmaceutical company” means a company or business, or an agent or representative thereof, that manufactures, sells, or distributes pharmaceuticals, medications, or prescription drugs. “Pharmaceutical company” does not include a pharmaceutical benefits manager, as included in subdivision (c), or a provider of health care.
(n) “Protected individual” means any adult covered by the subscriber’s health care service plan or a minor who can consent to a health care service without the consent of a parent or legal guardian, pursuant to state or federal law. “Protected individual” does not include an individual that lacks the capacity to give informed consent for health care pursuant to Section 813 of the Probate Code.
(o) “Provider of health care” means a person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code; a person licensed pursuant to the Osteopathic Initiative Act or the Chiropractic Initiative Act; a person certified pursuant to Division 2.5 (commencing with Section 1797) of the Health and Safety Code; or a clinic, health dispensary, or health facility licensed pursuant to Division 2 (commencing with Section 1200) of the Health and Safety Code. “Provider of health care” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code.
(p) “Reproductive or sexual health application information” means information about a consumer’s reproductive health, menstrual cycle, fertility, pregnancy, pregnancy outcome, plans to conceive, or type of sexual activity collected by a reproductive or sexual health digital service, including, but not limited to, information from which one can infer someone’s pregnancy status, menstrual cycle, fertility, hormone levels, birth control use, sexual activity, or gender identity.
(q) “Reproductive or sexual health digital service” means a mobile-based application or internet website that collects reproductive or sexual health application information from a consumer, markets itself as facilitating reproductive or sexual health services to a consumer, and uses the information to facilitate reproductive or sexual health services to a consumer.
(r) “Sensitive services” means all health care services related to mental or behavioral health, sexual and reproductive health, sexually transmitted infections, substance use disorder, gender affirming care, and intimate partner violence, and includes services described in Sections 6924, 6925, 6926, 6927, 6928, 6929, and 6930 of the Family Code, and Sections 121020 and 124260 of the Health and Safety Code, obtained by a patient at or above the minimum age specified for consenting to the service specified in the section.
(s) “Subscriber” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.

SEC. 1.5.

 Section 56.05 of the Civil Code is amended to read:

56.05.
 For purposes of this part:
(a) “Authorization” means permission granted in accordance with Section 56.11 or 56.21 for the disclosure of medical information.
(b) “Authorized recipient” means a person who is authorized to receive medical information pursuant to Section 56.10 or 56.20.
(c) “Confidential communications request” means a request by a subscriber or enrollee that health care service plan communications containing medical information be communicated to them at a specific mail or email address or specific telephone number, as designated by the subscriber or enrollee.
(d) “Contractor” means a person or entity that is a medical group, independent practice association, pharmaceutical benefits manager, or a medical service organization and is not a health care service plan or provider of health care. “Contractor” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code or pharmaceutical benefits managers licensed pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).
(e) “Enrollee” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.
(f) “Expiration date or event” means a specified date or an occurrence relating to the individual to whom the medical information pertains or the purpose of the use or disclosure, after which the provider of health care, health care service plan, pharmaceutical company, or contractor is no longer authorized to disclose the medical information.
(g) “Health care service plan” means an entity regulated pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).
(h) “Licensed health care professional” means a person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code, the Osteopathic Initiative Act or the Chiropractic Initiative Act, or Division 2.5 (commencing with Section 1797) of the Health and Safety Code.
(i) “Marketing” means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.
“Marketing” does not include any of the following:
(1) Communications made orally or in writing for which the communicator does not receive direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication.
(2) Communications made to current enrollees solely for the purpose of describing a provider’s participation in an existing health care provider network or health plan network of a Knox-Keene licensed health plan to which the enrollees already subscribe; communications made to current enrollees solely for the purpose of describing if, and the extent to which, a product or service, or payment for a product or service, is provided by a provider, contractor, or plan or included in a plan of benefits of a Knox-Keene licensed health plan to which the enrollees already subscribe; or communications made to plan enrollees describing the availability of more cost-effective pharmaceuticals.
(3) Communications that are tailored to the circumstances of a particular individual to educate or advise the individual about treatment options, and otherwise maintain the individual’s adherence to a prescribed course of medical treatment, as provided in Section 1399.901 of the Health and Safety Code, for a chronic and seriously debilitating or life-threatening condition as defined in subdivisions (d) and (e) of Section 1367.21 of the Health and Safety Code, if the health care provider, contractor, or health plan receives direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication, if all of the following apply:
(A) The individual receiving the communication is notified in the communication in typeface no smaller than 14-point type of the fact that the provider, contractor, or health plan has been remunerated and the source of the remuneration.
(B) The individual is provided the opportunity to opt out of receiving future remunerated communications.
(C) The communication contains instructions in typeface no smaller than 14-point type describing how the individual can opt out of receiving further communications by calling a toll-free number of the health care provider, contractor, or health plan making the remunerated communications. Further communication shall not be made to an individual who has opted out after 30 calendar days from the date the individual makes the opt-out request.
(j) “Medical information” means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental health application information, reproductive or sexual health application information, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the identity of the individual.
(k) “Mental health application information” means information related to a consumer’s inferred or diagnosed mental health or substance use disorder, as defined in Section 1374.72 of the Health and Safety Code, collected by a mental health digital service.
(l) “Mental health digital service” means a mobile-based application or internet website that collects mental health application information from a consumer, markets itself as facilitating mental health services to a consumer, and uses the information to facilitate mental health services to a consumer.
(m) “Patient” means a natural person, whether or not still living, who received health care services from a provider of health care and to whom medical information pertains.
(n) “Pharmaceutical company” means a company or business, or an agent or representative thereof, that manufactures, sells, or distributes pharmaceuticals, medications, or prescription drugs. “Pharmaceutical company” does not include a pharmaceutical benefits manager, as included in subdivision (c), or a provider of health care.
(o) “Protected individual” means any adult covered by the subscriber’s health care service plan or a minor who can consent to a health care service without the consent of a parent or legal guardian, pursuant to state or federal law. “Protected individual” does not include an individual that lacks the capacity to give informed consent for health care pursuant to Section 813 of the Probate Code.
(p) “Provider of health care” means a person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code; a person licensed pursuant to the Osteopathic Initiative Act or the Chiropractic Initiative Act; a person certified pursuant to Division 2.5 (commencing with Section 1797) of the Health and Safety Code; or a clinic, health dispensary, or health facility licensed pursuant to Division 2 (commencing with Section 1200) of the Health and Safety Code. “Provider of health care” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code.
(q) “Reproductive or sexual health application information” means information about a consumer’s reproductive health, menstrual cycle, fertility, pregnancy, pregnancy outcome, plans to conceive, or type of sexual activity collected by a reproductive or sexual health digital service, including, but not limited to, information from which one can infer someone’s pregnancy status, menstrual cycle, fertility, hormone levels, birth control use, sexual activity, or gender identity.
(r) “Reproductive or sexual health digital service” means a mobile-based application or internet website that collects reproductive or sexual health application information from a consumer, markets itself as facilitating reproductive or sexual health services to a consumer, and uses the information to facilitate reproductive or sexual health services to a consumer.
(s) “Sensitive services” means all health care services related to mental or behavioral health, sexual and reproductive health, sexually transmitted infections, substance use disorder, gender affirming care, and intimate partner violence, and includes services described in Sections 6924, 6925, 6926, 6927, 6928, 6929, and 6930 of the Family Code, and Sections 121020 and 124260 of the Health and Safety Code, obtained by a patient at or above the minimum age specified for consenting to the service specified in the section.
(t) “Subscriber” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.

SEC. 2.

 Section 56.06 of the Civil Code is amended to read:

56.06.
 (a) Any business organized for the purpose of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage the individual’s information, or for the diagnosis and treatment of the individual, shall be deemed to be a provider of health care subject to the requirements of this part. However, this section shall not be construed to make a business specified in this subdivision a provider of health care for purposes of any law other than this part, including laws that specifically incorporate by reference the definitions of this part.
(b) Any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage the individual’s information, or for the diagnosis, treatment, or management of a medical condition of the individual, shall be deemed to be a provider of health care subject to the requirements of this part. However, this section shall not be construed to make a business specified in this subdivision a provider of health care for purposes of any law other than this part, including laws that specifically incorporate by reference the definitions of this part.
(c) Any business that is licensed pursuant to Division 10 (commencing with Section 26000) of the Business and Professions Code that is authorized to receive or receives identification cards issued pursuant to Section 11362.71 of the Health and Safety Code or information contained in a physician’s recommendation issued in accordance with Article 25 (commencing with Section 2525) of Chapter 5 of Division 2 of the Business and Professions Code shall be deemed to be a provider of health care subject to the requirements of this part. However, this section shall not be construed to make a business specified in this subdivision a provider of health care for purposes of any law other than this part, including laws that specifically incorporate by reference the definitions of this part.
(d) Any business that offers a mental health digital service to a consumer for the purpose of allowing the individual to manage the individual’s information, or for the diagnosis, treatment, or management of a medical condition of the individual, shall be deemed to be a provider of health care subject to the requirements of this part. However, this section shall not be construed to make a business specified in this subdivision a provider of health care for purposes of any law other than this part, including laws that specifically incorporate by reference the definitions of this part.
(e) Any business that offers a reproductive or sexual health digital service to a consumer for the purpose of allowing the individual to manage the individual’s information, or for the diagnosis, treatment, or management of a medical condition of the individual, shall be deemed to be a provider of health care subject to the requirements of this part. However, this section shall not be construed to make a business specified in this subdivision a provider of health care for purposes of any law other than this part, including, but not limited to, laws that specifically incorporate by reference the definitions of this part.
(f) Any business described in this section shall maintain the same standards of confidentiality required of a provider of health care with respect to medical information disclosed to the business.
(g) Any business described in this section is subject to the penalties for improper use and disclosure of medical information prescribed in this part.

SEC. 3.

 Section 1.5 of this bill incorporates amendments to Section 56.05 of the Civil Code proposed by both this bill and Assembly Bill 1697. That section of this bill shall only become operative if (1) both bills are enacted and become effective on or before January 1, 2024, (2) each bill amends Section 56.05 of the Civil Code, and (3) this bill is enacted after Assembly Bill 1697, in which case Section 1 of this bill shall not become operative.

SEC. 4.

 No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.
feedback