Bill Text: CA AB384 | 2019-2020 | Regular Session | Amended


Bill Title: Information privacy: digital health feedback systems.

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Engrossed - Dead) 2019-08-30 - In committee: Held under submission.


Amended  IN  Senate  June 25, 2019

CALIFORNIA LEGISLATURE— 2019–2020 REGULAR SESSION

Assembly Bill No. 384


Introduced by Assembly Member Chau

February 05, 2019


An act to amend Sections 56.05 and 56.06 of, and to add Chapter 2.6 (commencing with Section 56.18) to Part 2.6 of Division 1 of, the Civil Code, to amend Section 121010 of the Health and Safety Code, and to amend Section 4903.6 of the Labor Code, relating to privacy.


LEGISLATIVE COUNSEL'S DIGEST


AB 384, as amended, Chau. Information privacy: digital health feedback systems.
Existing law, the Confidentiality of Medical Information Act, generally prohibits a provider of health care, a health care service plan, or a contractor from disclosing medical information regarding a patient of the provider of health care or an enrollee or subscriber of a health care service plan without first obtaining an authorization, except as otherwise specified. Existing law defines “medical information” for purposes of these provisions to mean certain individually identifiable health information in possession of or derived from a provider of health care, among others. Existing law makes a violation of these provisions that results in economic loss or personal injury to a patient punishable as a misdemeanor.

This bill would expand the definition of “medical information” for purposes of the act to include any information in possession of, or derived from, a digital health feedback system, which the bill would define. The bill would also require a manufacturer or operator that sells or offers to sell a device or software application that may be used with a digital health feedback system to a consumer in California to equip the device or software application, and the system, with reasonable security features that meet certain requirements, including that the measures be appropriate to the nature of the device, software application, or system. Because this bill would expand the definition of a crime, it would impose a state-mandated local program. The bill would make other related conforming changes.

This bill would define “personal health record information” for purposes of the act to mean individually identifiable information, in electronic or physical form, about an individual’s mental or physical condition that is collected by an FDA-approved commercial internet website, online service, or product that is used by an individual at the direction of a provider of health care with the primary purpose of collecting the individual’s individually identifiable personal health record information through a direct measurement of an individual’s mental or physical condition or through user input regarding an individual’s mental or physical condition. The bill would provide that a business that offers personal health record software or hardware to a consumer, in order to make information available to an individual or provider of health care at the request of the individual or provider of health care, for purposes of allowing the individual to manage their information, or for the diagnosis, treatment, or management of a medical condition of the individual, shall be deemed to be a provider of health care subject to the requirements of the Confidentiality of Medical Information Act. Because the bill would expand the definition of a crime, it would impose a state-mandated local program.
The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.
This bill would provide that no reimbursement is required by this act for a specified reason.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: YES  

The people of the State of California do enact as follows:


SECTION 1. Section 56.05 of the Civil Code is amended to read:

56.05. For purposes of this part:
(a) “Authorization” means permission granted in accordance with Section 56.11 or 56.21 for the disclosure of medical information.
(b) “Authorized recipient” means any person who is authorized to receive medical information pursuant to Section 56.10 or 56.20.
(c) “Confidential communications request” means a request by a subscriber or enrollee that health care service plan communications containing medical information be communicated to the subscriber or enrollee at a specific mail or email address or specific telephone number, as designated by the subscriber or enrollee.
(d) “Contractor” means any person or entity that is a medical group, independent practice association, pharmaceutical benefits manager, or a medical service organization and is not a health care service plan or provider of health care. “Contractor” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code or pharmaceutical benefits managers licensed pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).
(e) “Endanger” means that the subscriber or enrollee fears that disclosure of their medical information could subject the subscriber or enrollee to harassment or abuse.
(f) “Enrollee” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.
(g) “Health care service plan” means any entity regulated pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).
(h) “Licensed health care professional” means any person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code, the Osteopathic Initiative Act or the Chiropractic Initiative Act, or Division 2.5 (commencing with Section 1797) of the Health and Safety Code.
(i) “Marketing” means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.
“Marketing” does not include any of the following:
(1) Communications made orally or in writing for which the communicator does not receive direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication.
(2) Communications made to current enrollees solely for the purpose of describing a provider’s participation in an existing health care provider network or health plan network of a Knox-Keene licensed health plan to which the enrollees already subscribe; communications made to current enrollees solely for the purpose of describing if, and the extent to which, a product or service, or payment for a product or service, is provided by a provider, contractor, or plan or included in a plan of benefits of a Knox-Keene licensed health plan to which the enrollees already subscribe; or communications made to plan enrollees describing the availability of more cost-effective pharmaceuticals.
(3) Communications that are tailored to the circumstances of a particular individual to educate or advise the individual about treatment options, and otherwise maintain the individual’s adherence to a prescribed course of medical treatment, as provided in Section 1399.901 of the Health and Safety Code, for a chronic and seriously debilitating or life-threatening condition as defined in subdivisions (d) and (e) of Section 1367.21 of the Health and Safety Code, if the health care provider, contractor, or health plan receives direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication, if all of the following apply:
(A) The individual receiving the communication is notified in the communication in typeface no smaller than 14-point type of the fact that the provider, contractor, or health plan has been remunerated and the source of the remuneration.
(B) The individual is provided the opportunity to opt out of receiving future remunerated communications.
(C) The communication contains instructions in typeface no smaller than 14-point type describing how the individual can opt out of receiving further communications by calling a toll-free number of the health care provider, contractor, or health plan making the remunerated communications. No further communication may be made to an individual who has opted out after 30 calendar days from the date the individual makes the opt out request.
(j) “Medical information” means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.
(k) “Patient” means any natural person, whether or not still living, who received health care services from a provider of health care and to whom medical information pertains.
(l) “Personal health record” means an FDA-approved commercial internet website, online service, or product that is used by an individual at the direction of a provider of health care with the primary purpose of collecting the individual’s individually identifiable personal health record information.
(m) “Personal health record information” means individually identifiable information, in electronic or physical form, about an individual’s mental or physical condition that is collected by a personal health record through a direct measurement of an individual’s mental or physical condition or through user input regarding an individual’s mental or physical condition into a personal health record.

(l)

(n) “Pharmaceutical company” means any company or business, or an agent or representative thereof, that manufactures, sells, or distributes pharmaceuticals, medications, or prescription drugs. “Pharmaceutical company” does not include a pharmaceutical benefits manager, as included in subdivision (c), or a provider of health care.

(m)

(o) “Provider of health care” means any person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code; any person licensed pursuant to the Osteopathic Initiative Act or the Chiropractic Initiative Act; any person certified pursuant to Division 2.5 (commencing with Section 1797) of the Health and Safety Code; any clinic, health dispensary, or health facility licensed pursuant to Division 2 (commencing with Section 1200) of the Health and Safety Code. “Provider of health care” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code.

(n)

(p) “Sensitive services” means all health care services described in Sections 6924, 6925, 6926, 6927, 6928, and 6929 of the Family Code, and Sections 121020 and 124260 of the Health and Safety Code, obtained by a patient at or above the minimum age specified for consenting to the service specified in the section.

(o)

(q) “Subscriber” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.

SEC. 2. Section 56.06 of the Civil Code is amended to read:

56.06. (a) Any business organized for the purpose of maintaining medical information, as defined in subdivision (j) of Section 56.05, in order to make the information available to an individual or to a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage their information, or for the diagnosis and treatment of the individual, shall be deemed to be a provider of health care subject to the requirements of this part. However, this section shall not be construed to make a business specified in this subdivision a provider of health care for purposes of any law other than this part, including laws that specifically incorporate by reference the definitions of this part.
(b) Any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information, as defined in subdivision (j) of Section 56.05, in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage their information, or for the diagnosis, treatment, or management of a medical condition of the individual, shall be deemed to be a provider of health care subject to the requirements of this part. However, this section shall not be construed to make a business specified in this subdivision a provider of health care for purposes of any law other than this part, including laws that specifically incorporate by reference the definitions of this part.
(c) Any business that offers personal health record software or hardware to a consumer, including a mobile application or other related device that is designed to maintain personal health record information, as defined in subdivision (m) of Section 56.05, in order to make information available to an individual or to a provider of health care at the request of the individual or provider of health care, for purposes of allowing the individual to manage their information, or for the diagnosis, treatment, or management of a medical condition of the individual, shall be deemed to be a provider of health care subject to the requirements of this part.

(c)

(d) Any business that is licensed pursuant to Division 10 (commencing with Section 26000) of the Business and Professions Code that is authorized to receive or receives identification cards issued pursuant to Section 11362.71 of the Health and Safety Code or information contained in a physician’s recommendation issued in accordance with Article 25 (commencing with Section 2525) of Chapter 5 of Division 2 of the Business and Professions Code shall be deemed to be a provider of health care subject to the requirements of this part. However, this section shall not be construed to make a business specified in this subdivision a provider of health care for purposes of any law other than this part, including laws that specifically incorporate by reference the definitions of this part.

(d)

(e) Any business described in this section shall maintain the same standards of confidentiality required of a provider of health care with respect to medical information disclosed to the business.

(e)

(f) Any business described in this section is subject to the penalties for improper use and disclosure of medical information prescribed in this part.

SECTION 1. Section 56.05 of the Civil Code is amended to read:

56.05. For purposes of this part:

(a) “Authorization” means permission granted in accordance with Section 56.11 or 56.21 for the disclosure of medical information.

(b) “Authorized recipient” means any person who is authorized to receive medical information pursuant to Section 56.10 or 56.20.

(c) “Confidential communications request” means a request by a subscriber or enrollee that health care service plan communications containing medical information be communicated to him or her at a specific mail or email address or specific telephone number, as designated by the subscriber or enrollee.

(d) “Contractor” means any person or entity that is a medical group, independent practice association, pharmaceutical benefits manager, or a medical service organization and is not a health care service plan or provider of health care. “Contractor” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code or pharmaceutical benefits managers licensed pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).

(e) “Digital health feedback system” means an ingestible sensor that collects or sends information about an individual, and is used in conjunction with either, or both, of the following:

(1) A sensor or device placed inside or worn on the body that collects or sends information about an individual.

(2) A software platform that is connected to the Internet, directly or indirectly, or to another device that receives and displays information collected or sent from a sensor or device as described in paragraph (1).

(f) “Endanger” means that the subscriber or enrollee fears that disclosure of his or her medical information could subject the subscriber or enrollee to harassment or abuse.

(g) “Enrollee” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.

(h) “Health care service plan” means any entity regulated pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).

(i) “Licensed health care professional” means any person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code, the Osteopathic Initiative Act or the Chiropractic Initiative Act, or Division 2.5 (commencing with Section 1797) of the Health and Safety Code.

(j) “Marketing” means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.

“Marketing” does not include any of the following:

(1) Communications made orally or in writing for which the communicator does not receive direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication.

(2) Communications made to current enrollees solely for the purpose of describing a provider’s participation in an existing health care provider network or health plan network of a Knox-Keene licensed health plan to which the enrollees already subscribe; communications made to current enrollees solely for the purpose of describing if, and the extent to which, a product or service, or payment for a product or service, is provided by a provider, contractor, or plan or included in a plan of benefits of a Knox-Keene licensed health plan to which the enrollees already subscribe; or communications made to plan enrollees describing the availability of more cost-effective pharmaceuticals.

(3) Communications that are tailored to the circumstances of a particular individual to educate or advise the individual about treatment options, and otherwise maintain the individual’s adherence to a prescribed course of medical treatment, as provided in Section 1399.901 of the Health and Safety Code, for a chronic and seriously debilitating or life-threatening condition as defined in subdivisions (d) and (e) of Section 1367.21 of the Health and Safety Code, if the health care provider, contractor, or health plan receives direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication, if all of the following apply:

(A) The individual receiving the communication is notified in the communication in typeface no smaller than 14-point type of the fact that the provider, contractor, or health plan has been remunerated and the source of the remuneration.

(B) The individual is provided the opportunity to opt out of receiving future remunerated communications.

(C) The communication contains instructions in typeface no smaller than 14-point type describing how the individual can opt out of receiving further communications by calling a toll-free number of the health care provider, contractor, or health plan making the remunerated communications. No further communication may be made to an individual who has opted out after 30 calendar days from the date the individual makes the opt out request.

(k) “Medical information” means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. “Medical information” also means any individually identifiable information in electronic or physical form in possession of, or derived from, a digital health feedback system. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.

(l) “Patient” means any natural person, whether or not still living, who received health care services from a provider of health care and to whom medical information pertains.

(m) “Pharmaceutical company” means any company or business, or an agent or representative thereof, that manufactures, sells, or distributes pharmaceuticals, medications, or prescription drugs. “Pharmaceutical company” does not include a pharmaceutical benefits manager, as included in subdivision (c), or a provider of health care.

(n) “Provider of health care” means any person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code; any person licensed pursuant to the Osteopathic Initiative Act or the Chiropractic Initiative Act; any person certified pursuant to Division 2.5 (commencing with Section 1797) of the Health and Safety Code; any clinic, health dispensary, or health facility licensed pursuant to Division 2 (commencing with Section 1200) of the Health and Safety Code. “Provider of health care” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code.

(o) “Sensitive services” means all health care services described in Sections 6924, 6925, 6926, 6927, 6928, and 6929 of the Family Code, and Sections 121020 and 124260 of the Health and Safety Code, obtained by a patient at or above the minimum age specified for consenting to the service specified in the section.

(p) “Subscriber” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.

SEC. 2. Section 56.06 of the Civil Code, as amended by Section 3 of Chapter 583 of the Statutes of 2018, is amended to read:

56.06. (a) Any business organized for the purpose of maintaining medical information, as defined in subdivision (k) of Section 56.05, in order to make the information available to an individual or to a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis and treatment of the individual, shall be deemed to be a provider of health care subject to the requirements of this part. However, this section shall not be construed to make a business specified in this subdivision a provider of health care for purposes of any law other than this part, including laws that specifically incorporate by reference the definitions of this part.

(b) Any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information, as defined in subdivision (k) of Section 56.05, in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition of the individual, shall be deemed to be a provider of health care subject to the requirements of this part. However, this section shall not be construed to make a business specified in this subdivision a provider of health care for purposes of any law other than this part, including laws that specifically incorporate by reference the definitions of this part.

(c) Any business that is licensed pursuant to Division 10 (commencing with Section 26000) of the Business and Professions Code that is authorized to receive or receives identification cards issued pursuant to Section 11362.71 of the Health and Safety Code or information contained in a physician’s recommendation issued in accordance with Article 25 (commencing with Section 2525) of Chapter 5 of Division 2 of the Business and Professions Code shall be deemed to be a provider of health care subject to the requirements of this part. However, this section shall not be construed to make a business specified in this subdivision a provider of health care for purposes of any law other than this part, including laws that specifically incorporate by reference the definitions of this part.

(d) Any business described in this section shall maintain the same standards of confidentiality required of a provider of health care with respect to medical information disclosed to the business.

(e) Any business described in this section is subject to the penalties for improper use and disclosure of medical information prescribed in this part.

SEC. 3. Chapter 2.6 (commencing with Section 56.18) is added to Part 2.6 of Division 1 of the Civil Code, to read:

CHAPTER 2.6. Digital Health Feedback Systems

56.18.

For purposes of this chapter, “unauthorized access, destruction, use, modification, or disclosure” means access, destruction, use, modification, or disclosure that is not authorized by the person about whom the information pertains unless the access, destruction, use, modification, or disclosure is authorized or required by law.

56.18.1.

A manufacturer or operator that sells or offers to sell a device or software application that may be used with a digital health feedback system to a consumer in California shall equip the device or software application, and the system, with reasonable security features appropriate to the nature of the device, software application, or system and the information it may collect, contain, or transmit. The features shall protect the device, software application, or system and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

SEC. 4. Section 121010 of the Health and Safety Code is amended to read:

121010. Notwithstanding Section 120975 or 120980, the results of an HIV test, as defined in subdivision (c) of Section 120775, to detect antibodies to the probable causative agent of AIDS may be disclosed to any of the following persons without written authorization of the subject of the test:

(a) To the subject of the test or the subject’s legal representative, conservator, or to any person authorized to consent to the test pursuant to Section 120990 of this code and Section 6926 of the Family Code.

(b) To a test subject’s provider of health care, as defined in subdivision (n) of Section 56.05 of the Civil Code, except that for purposes of this section, “provider of health care” does not include a health care service plan regulated pursuant to Chapter 2.2 (commencing with Section 1340) of Division 2.

(c) To an agent or employee of the test subject’s provider of health care who provides direct patient care and treatment.

(d) To a provider of health care who procures, processes, distributes, or uses a human body part donated pursuant to the Uniform Anatomical Gift Act (Chapter 3.5 (commencing with Section 7150) of Part 1 of Division 7).

(e) (1) To the designated officer of an emergency response employee, and from that designated officer to an emergency response employee regarding possible exposure to HIV or AIDS, but only to the extent necessary to comply with provisions of the federal Ryan White Comprehensive AIDS Resources Emergency Act of 1990 (Public Law 101-381; 42 U.S.C. Sec. 201).

(2) For purposes of this subdivision, “designated officer” and “emergency response employee” have the same meaning as these terms are used in the federal Ryan White Comprehensive AIDS Resources Emergency Act of 1990 (Public Law 101-381; 42 U.S.C. Sec. 201).

(3) The designated officer shall be subject to the confidentiality requirements specified in Section 120980, and may be personally liable for unauthorized release of any identifying information about the HIV results. Further, the designated officer shall inform the exposed emergency response employee that the employee is also subject to the confidentiality requirements specified in Section 120980, and may be personally liable for unauthorized release of any identifying information about the HIV test results.

SEC. 5. Section 4903.6 of the Labor Code is amended to read:

4903.6. (a) Except as necessary to meet the requirements of Section 4903.5, a lien claim or application for adjudication shall not be filed or served under subdivision (b) of Section 4903 until both of the following have occurred:

(1) Sixty days have elapsed after the date of acceptance or rejection of liability for the claim, or expiration of the time provided for investigation of liability pursuant to subdivision (b) of Section 5402, whichever date is earlier.

(2) Either of the following:

(A) The time provided for payment of medical treatment bills pursuant to Section 4603.2 has expired and, if the employer objected to the amount of the bill, the reasonable fee has been determined pursuant to Section 4603.6, and, if authorization for the medical treatment has been disputed pursuant to Section 4610, the medical necessity of the medical treatment has been determined pursuant to Sections 4610.5 and 4610.6.

(B) The time provided for payment of medical-legal expenses pursuant to Section 4622 has expired and, if the employer objected to the amount of the bill, the reasonable fee has been determined pursuant to Section 4603.6.

(b) All lien claimants under Section 4903 shall notify the employer and the employer’s representative, if any, and the employee and his or her representative, if any, and the appeals board within five working days of obtaining, changing, or discharging representation by an attorney or nonattorney representative. The notice shall set forth the legal name, address, and telephone number of the attorney or nonattorney representative.

(c) A declaration of readiness to proceed shall not be filed for a lien under subdivision (b) of Section 4903 until the underlying case has been resolved or where the applicant chooses not to proceed with his or her case.

(d) With the exception of a lien for services provided by a physician as defined in Section 3209.3, a lien claimant shall not be entitled to any medical information, as defined in subdivision (k) of Section 56.05 of the Civil Code, about an injured worker without prior written approval of the appeals board. Any order authorizing disclosure of medical information to a lien claimant other than a physician shall specify the information to be provided to the lien claimant and include a finding that the information is relevant to the proof of the matter for which the information is sought. The appeals board shall adopt reasonable regulations to ensure compliance with this section, and shall take any further steps as may be necessary to enforce the regulations, including, but not limited to, impositions of sanctions pursuant to Section 5813.

(e) The prohibitions of this section shall not apply to lien claims, applications for adjudication, or declarations of readiness to proceed filed by or on behalf of the employee, or to the filings by or on behalf of the employer.

SEC. 3. No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.