Bill Text: CA AB648 | 2019-2020 | Regular Session | Amended

California Assembly Bill 648 (Prior Session Legislation)

Bill Title: Wellness programs.

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Engrossed - Dead) 2020-06-23 - Referred to Com. on HEALTH. [AB648 Detail]

Download: California-2019-AB648-Amended.html

Amended IN Assembly January 23, 2020

Amended IN Assembly March 28, 2019

Amended IN Assembly March 12, 2019

CALIFORNIA LEGISLATURE— 2019–2020 REGULAR SESSION

Assembly Bill

No. 648

Introduced by Assembly Member Nazarian

February 15, 2019

An act to add Section 1367.13 to the Health and Safety Code, to add Section 10127.6 to the Insurance Code, and to add Section 436 to the Labor Code, relating to wellness programs.

LEGISLATIVE COUNSEL'S DIGEST

AB 648, as amended, Nazarian. Wellness programs.

(1) Existing federal law, the federal Patient Protection and Affordable Care Act (PPACA), enacted various health care coverage market reforms that took effect January 1, 2014. Among other things, PPACA sets forth various requirements related to wellness programs, which encompass programs of health promotion or disease prevention.

Existing law, the Knox-Keene Health Care Service Plan Act of 1975, provides for the licensure and regulation of health care service plans by the Department of Managed Health Care (department) and makes a willful violation of the act a crime. Existing law also provides for the regulation of various insurers by the Department of Insurance, headed by the Insurance Commissioner. ~~Existing law authorizes the director of the department and the commissioner to adopt regulations for purposes of implementing various provisions of law, as specified.~~

This bill would prohibit health care service plans and insurers from sharing any personal information or data collected through a wellness program, except as specified, and would prohibit health care service plans or insurers from taking any adverse action, as defined, against an enrollee or member, or insured ~~(“individual”),~~ (individual), if the action of the health care service plans or insurers is in response to ~~a matter related to a wellness program, such as~~ an individual’s election to not participate in a wellness program. The bill would establish and impose upon health care service plans and insurers various requirements related to a wellness ~~programs,~~ program, such as requiring a health care service plan or insurer to ~~provide an individual information~~ post a written explanation that is reasonably likely to be understood by an individual on its internet website concerning its policies and practices pertaining to wellness programs, as specified. The bill would require a health care service plan or insurer, for purposes of administering and operating a wellness program, to limit its collection, dissemination, retention, and use of any personal information of an individual to only information that is reasonably necessary to operate a wellness program, except as specified, and would extend various requirements, to the extent that they are applicable, to any entity that the health care service plan or insurer contracts with for purposes of administering or operating a wellness program on their behalf. The bill would authorize the commissioner to assess penalties on an insurer for any violation of these provisions, as specified. ~~The bill would authorize the director and commissioner to adopt regulations to conform to federal law in the event that the provisions conflict with federal law.~~

Because a willful violation of these requirements relative to health care service plans would be a crime, the bill would impose a state-mandated local program.

(2) Existing law establishes the Division of Labor Standards Enforcement, headed by the Labor Commissioner, within the Department of Industrial Relations, for the purpose of enforcing labor laws, including those relating to employer ~~retaliation, and makes a person who violates specified requirements guilty of a misdemeanor.~~ retaliation.

This bill would, among other things, prohibit an employer from requiring an employee to participate in a wellness program as a condition of employment and ~~would prohibit an employer~~ from taking any adverse action, as defined, against an employee if the action is in response to ~~a matter related to a wellness program, such as~~ an employee’s election to not participate in a wellness program. The bill would establish and impose upon an employer various requirements related to a wellness program, such as requiring an employer to ~~provide an employee information~~ post a written explanation that is reasonably likely to be understood by an employee on its internet website concerning its policies and practices pertaining to a wellness program. The bill would require an employer, for purposes of administering and operating a wellness program, to limit its collection, dissemination, retention, and use of any personal information of an employee to only information that is reasonably necessary for the program’s operation, except as specified, and would extend various requirements, to the extent that they are applicable, to any entity that the employer contracts with for purposes of administering or operating a wellness program on their behalf. The bill would grant an employee various rights in relation to a wellness program, such as obtaining a copy of the employee’s records, including personal information that has been collected by the employer as part of a wellness program.

~~Because a willful violation of these requirements would be a crime, the bill would impose~~

The bill would make a violation of these requirements an infraction, thereby imposing a state-mandated local program.

(3) The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.

This bill would provide that no reimbursement is required by this act for a specified reason.

Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: YES

The people of the State of California do enact as follows:

SECTION 1.

This act shall be ~~known as, and may be cited as, the Making Wellness Programs Healthy for Consumers Act of 2019.~~ known, and may be cited, as the Wellness Program Protection Act.

SEC. 2.

Section 1367.13 is added to the Health and Safety Code, to read:

1367.13.

(a) A health care service plan shall not do either of the following:

(1) Retaliate or take any adverse action against an enrollee or member if the health care service plan’s action is in response to ~~a matter related to a wellness program, such as~~ an individual’s election to not participate in a wellness program or the data collected through the wellness program about the enrollee or member.

(2) Share any personal information or data collected through a wellness program.

(b) (1) (A) A health care service plan that collects personal information of an enrollee or member as part of its administration and operation of a wellness program shall ensure compliance with state and federal privacy laws, including, but not limited to, the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1 of the Civil Code), and the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191).

(B) A health care service plan shall ~~provide an enrollee or member a written explanation, in clear and easily understandable language,~~ post a written explanation that is reasonably likely to be understood by an enrollee or member on its internet website about the basis of the wellness program, a description about the data collection process and which data will be collected through the wellness program, policies and practices pertaining to the wellness program, and the rights of the enrollee or member concerning the wellness program under federal and state laws and regulations.

(2) (A) Notwithstanding any other law, for purposes of administering and operating a wellness program, a health care service plan shall limit its collection, dissemination, retention, and use of any personal information of an enrollee or member to only information that is reasonably necessary to operate the wellness program.

(B) If an enrollee or member terminates their participation in a wellness program, or upon the conclusion of a wellness program, the health care service plan shall destroy any personal information received or collected through the wellness program, and shall order the destruction of this material.

(1) Obtain a copy of their records, including personal information that has been collected by the health care service plan, in a format accessible to the individual.

(2) Challenge the completeness and accuracy of any records, including personal information or data, related to the enrollee or member that has been collected by a health care service plan.

(d) A person who willfully violates any provision of this section shall be subject to the enforcement procedures set forth under Article 8 (commencing with Section 1390), and any other sanctions and penalties permitted by law.

~~(e)(1)If this section conflicts with federal law, the director may adopt regulations to conform to federal law.~~
~~(2)~~

(e) The provisions of this section are severable. If any provision of this section or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.

(f) The requirements described in this section shall apply, to the extent that they are applicable, to any entity that the health care service plan contracts with for purposes of administering or operating a wellness program on the health care service plan’s behalf.

(g) A health care service plan shall not share any personal information about the enrollee or member that is collected through a wellness program with the enrollee’s or member’s employer.

(h) Notwithstanding paragraph (2) of subdivision (b), a health care service plan may retain publicly available information or deidentified and aggregated information that is collected through a wellness program if this data would be used for the purpose of conducting bona fide research relating to health care utilization and outcomes.
(i) Notwithstanding paragraph (2) of subdivision (a), a health care service plan may share data that is collected through a wellness program with a third party if the data is either publicly available information or deidentified and aggregated information, and the data would be used for the purpose of conducting bona fide research relating to health care utilization and outcomes.
(j) The provisions of this section do not apply to either of the following:
(1) Any wellness program for licensed health care professionals administered or operated by a professional association or its affiliates or subsidiaries.
(2) The personal information or data collected by a professional association or its affiliates or subsidiaries in relation to, or in support of, the administration or operation of a wellness program for licensed health care professionals.
(k) This section does not limit or restrict the disclosure of any personal information by a health care service plan if otherwise required by law.
~~(h)~~

(l) For purposes of this section, the following definitions apply:

(1) “Administration and operation of a wellness program” means, but is not limited to, the use of personal information when reasonably necessary and proportionate to achieve one of the following purposes:

(A) Detecting and responding to security incidents arising from a wellness program and protecting against malicious, deceptive, fraudulent, or illegal activity related to a wellness program.

(B) Executing functions of a wellness program for the benefit of the enrollee or member.

(D) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned by, manufactured by, manufactured for, or controlled by the health care service plan, or to improve, upgrade, or enhance the service or device that is owned by, manufactured by, manufactured for, or controlled by the health care service plan related to a wellness program.

(2) “Collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing, by any means, any personal information pertaining to an enrollee or member. This includes information that the health care service plan receives from an enrollee or member either directly or indirectly, such as through observation of the enrollee or member.

~~(3)“Personal information” means information that identifies or could reasonably be linked, directly or indirectly, with either an enrollee or member or their household.~~
(A)“Personal information” includes, but is not limited to, an enrollee’s or member’s past, present, or future physical or mental health condition, common identifiers, including a name, address, birth date, social security number, or any other identification number, and protected health information.
~~(B)(i)“Personal information” excludes any publicly available information, and excludes any deidentified or aggregate information about an enrollee or member.~~
~~(ii)“Publicly available information” means information that is lawfully made available pursuant to federal and state law.~~
~~(iii)For purposes of this section, the deidentification of personal information shall meet the requirements set forth in Section 164.514 of Title 45 of the Code of Federal Regulations.~~
~~(4)“Protected health information” has the same definition as in Section 160.103 of Title 45 of the Code of Federal Regulations.~~
(3) “Personal information” shall have the same meaning as defined in subdivision (o) of Section 1798.140 of the Civil Code.
~~(5)~~

(4) “Retaliatory” or “adverse action” means, but is not limited to, an adverse action taken by a health care service plan against an enrollee or member, including increasing a premium, if the health care service plan’s action is in response to ~~a matter related to a wellness program, such as~~ an enrollee or member’s election to not participate in a wellness program or the data collected through the wellness program about an enrollee or member.

(5) “Wellness program” means a health care service plan-based program aimed at promoting health-related behaviors and disease prevention. A wellness program excludes care coordination by or between health care providers in the practice of medicine.

SEC. 3.

Section 10127.6 is added to the Insurance Code, to read:

10127.6.

(a) An insurer shall not do either of the following:

(1) Retaliate or take any adverse action against an insured if the insurer’s action is in response to ~~a matter related to a wellness program, such as~~ an insured’s election to not participate in a wellness program or the data collected through the wellness program about the insured.

(2) Share any personal information or data collected through a wellness program.

(b) (1) (A) An insurer that collects personal information of an insured as part of its administration and operation of a wellness program shall ensure compliance with state and federal privacy laws.

(B) An insurer shall ~~provide an insured a written explanation, in clear and easily understandable language,~~ post a written explanation that is reasonably likely to be understood by an insured on its internet website about the basis of the wellness program, a description about the data collection process and which data will be collected through the wellness program, policies and practices pertaining to the wellness program, and the insured’s rights concerning the wellness program under federal and state laws and regulations.

(2) (A) Notwithstanding any other law, for purposes of administering and operating a wellness program, an insurer shall limit its collection, dissemination, retention, and use of any personal information of an employee to only information that is reasonably necessary to operate the wellness program.

(B) If an insured terminates their participation in a wellness program, or upon the conclusion of a wellness program, the insurer shall destroy any personal information received or collected through the wellness program, and shall order the destruction of this material.

(1) Obtain a copy of the insured’s records, including personal information that has been collected by the insurer, in a format accessible to the insured.

(2) Challenge the completeness and accuracy of any records, including personal information or data, related to the insured that has been collected by the insurer.

(d) (1) In addition to any other remedy permitted by law, the commissioner may assess the administrative penalties specified in this section against an insurer for a violation of this section.

(2) An insurer that violates this section is liable for an administrative penalty of not more than two thousand five hundred dollars ($2,500) for the first violation and not more than five thousand dollars ($5,000) for each subsequent violation.

(3) An insurer that violates this section with a frequency that indicates a general business practice or commits a knowing violation of that section is liable for an administrative penalty of not less than fifteen thousand dollars ($15,000) and not more than one hundred thousand dollars ($100,000) for each violation.

~~(e)(1)If this section conflicts with federal law, the commissioner may adopt regulations to conform to federal law.~~
~~(2)~~

(f) The requirements described in this section shall apply, to the extent that they are applicable, to any entity that the insurer contracts with for purposes of administering or operating a wellness program on the insurer’s behalf.

(g) An insurer shall not share any personal information about the insured that is collected through a wellness program with the insured’s employer.

(h) Notwithstanding paragraph (2) of subdivision (b), an insurer may retain publicly available information or deidentified and aggregated information that is collected through a wellness program if this data would be used for the purpose of conducting bona fide research relating to health care utilization and outcomes.
(i) Notwithstanding paragraph (2) of subdivision (a), an insurer may share data that is collected through a wellness program with a third party if the data is either publicly available information or deidentified and aggregated information, and the data would be used for the purpose of conducting bona fide research relating to health care utilization and outcomes.
(j) The provisions of this section do not apply to either of the following:
(1) Any wellness program for licensed health care professionals administered or operated by a professional association or its affiliates or subsidiaries.
(2) The personal information or data collected by a professional association or its affiliates or subsidiaries in relation to, or in support of, the administration or operation of a wellness program for licensed health care professionals.
(k) This section does not limit or restrict the disclosure of any personal information by an insurer if otherwise required by law.
~~(h)~~

(l) For purposes of this section, the following definitions apply:

(A) Detecting and responding to security incidents arising from a wellness program and protecting against malicious, deceptive, fraudulent, or illegal activity related to a wellness program.

(B) Executing functions of a wellness program for the benefit of the insured.

(D) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned by, manufactured by, manufactured for, or controlled by the insurer, or to improve, upgrade, or enhance the service or device that is owned by, manufactured by, manufactured for, or controlled by the insurer related to a wellness program.

(2) “Collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing, by any means, any personal information pertaining to an insured. This includes information that the insurer receives from an insured either directly or indirectly, such as through the observation of an insured’s behavior.

~~(3)“Personal information” means information that identifies or could reasonably be linked, directly or indirectly, with either the insured or their household.~~
(A)“Personal information” includes, but is not limited to, an insured’s past, present, or future physical or mental health condition, common identifiers, including a name, address, birth date, social security number, or any other identification number, and protected health information.
~~(B)(i)“Personal information” excludes any publicly available information, and excludes any deidentified or aggregate information about an insured.~~
~~(ii)“Publicly available information” means information that is lawfully made available pursuant to federal and state law.~~
~~(iii)For purposes of this section, the deidentification of personal information shall meet the requirements set forth in Section 164.514 of Title 45 of the Code of Federal Regulations.~~
~~(4)“Protected health information” has the same definition as in Section 160.103 of Title 45 of the Code of Federal Regulations.~~
(3) “Personal information” shall have the same meaning as defined in subdivision (o) of Section 1798.140 of the Civil Code.
~~(5)~~

(4) “Retaliatory” or “adverse action” means, but is not limited to, an adverse action taken by an insurer against an insured, including increasing a premium on a policy, if the insurer’s action is in response to ~~a matter related to a wellness program, such as~~ an insured’s election to not participate in a wellness program or the data collected through the wellness program about an insured.

(5) “Wellness program” means an insurer-based program aimed at promoting health-related behaviors and disease prevention. A wellness program excludes care coordination by or between health care providers in the practice of medicine.

SEC. 4.

Section 436 is added to the Labor Code, to read:

436.

(a) (1) An employer shall not require an employee to participate in a wellness program as a condition of employment.

(2) An employer shall not retaliate or take any adverse action against an employee if the employer’s action is in response to ~~a matter related to a wellness program, such as~~ an employee’s election to not participate in a wellness program or the data collected through the wellness program about the employee.

(3) An employer shall not share any personal information or data collected through a wellness program.

(b) An employer that collects the personal information of an employee as part of the administration and operation of a wellness program shall ensure compliance with state and federal privacy laws.

(c) (1) An employer shall ~~provide an employee a written explanation, in clear and easily understandable language,~~ post a written explanation that is reasonably likely to be understood by an employee on its internet website about the basis of the wellness program, a description about the data collection process and which data will be collected through the wellness program, policies and practices pertaining to the wellness program, and the employee’s rights concerning the wellness program under federal and state laws and regulations.

(2) Notwithstanding any other law, for purposes of administering and operating a wellness program, an employer shall limit its collection, dissemination, retention, and use of any personal information of an employee to only information that is reasonably necessary to operate the wellness program.

(3) If an employee terminates their participation in a wellness program, or upon the conclusion of a wellness program, the employer shall destroy any personal information received or collected through the wellness program, and shall order the destruction of this material.

(d) An employee has the right to do both of the following:

(1) Obtain a copy of the employee’s records, including personal information that has been collected by the employer, pertaining to a wellness program, in a format accessible to the employee.

(2) Challenge the completeness and accuracy of any records, including personal information or data, related to the employee that has been collected by the employer as part of a wellness program.

(e) Any person who believes that they have been discharged or otherwise discriminated against in violation of this section may file a complaint with the division within six months after the occurrence of the violation pursuant to Section 98.7.

(f) ~~Any~~ Notwithstanding Section 433, a person who violates this section is guilty of ~~a misdemeanor pursuant to Section 433.~~ an infraction.

(g) (1) The requirements described in this section shall apply, to the extent that they are applicable, to any entity that the employer contracts with for purposes of administering or operating a wellness program on the employer’s behalf.

(2) The entity specified in paragraph (1) shall not share any personal information about the employee that is collected through a wellness program with the employer.

(h) The provisions of this section are severable. If any provision of this section or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.

(i) Notwithstanding paragraphs (2) and (3) of subdivision (c), an employer may retain publicly available information or deidentified and aggregated information that is collected through a wellness program if this data would be used for the purpose of conducting bona fide research relating to health care utilization and outcomes.
(j) Notwithstanding paragraph (3) of subdivision (a), an employer may share data that is collected through a wellness program with a third party if the data is either publicly available information or deidentified and aggregated information, and the data would be used for the purpose of conducting bona fide research relating to health care utilization and outcomes.
(k) The provisions of this section do not apply to either of the following:
(1) Any wellness program for licensed health care professionals administered or operated by a professional association or its affiliates or subsidiaries.
(2) The personal information or data collected by a professional association or its affiliates or subsidiaries in relation to, or in support of, the administration or operation of a wellness program for licensed health care professionals.
(l) This section does not limit or restrict the disclosure of any personal information by an employer if otherwise required by law.
~~(i)~~

(m) For purposes of this section, the following definitions apply:

(1) “Administration and operation of a wellness program” means, but is not limited to, the use of personal information, including health information, when reasonably necessary and proportionate to achieve one of the following purposes:

(A) Detecting and responding to security incidents arising from a wellness program and protecting against malicious, deceptive, fraudulent, or illegal activity related to a wellness program.

(B) Executing functions of a wellness program for the benefit of the employee.

(D) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned by, manufactured by, manufactured for, or controlled by the employer, or to improve, upgrade, or enhance the service or device that is owned by, manufactured by, manufactured for, or controlled by the employer, related to a wellness program.

(2) “Collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing, by any means, any personal information, including health information, pertaining to an employee. This includes information that the employer receives either directly or indirectly, such as through observation of the employee.

(3) “Employer” means either of the following:

(A) Any person who directly employs 50 or more persons to perform services for a wage or salary.

(B) The state and any political or civil subdivision of the state, a county, or a city.

~~(4)“Personal information” means information that identifies or could reasonably be linked, directly or indirectly, with either the employee or their household.~~
(A)“Personal information” includes, but is not limited to, an employee’s past, present, or future physical or mental health condition, and common identifiers, including a name, address, birth date, social security number, or any other identification number.
~~(B)(i)“Personal information” excludes any publicly available information, and excludes any deidentified or aggregate information about an employee.~~
~~(ii)For purposes of this section, the deidentification of personal information shall meet the requirements set forth in Section 164.514 of Title 45 of the Code of Federal Regulations.~~
~~(5)“Publicly available information” means information that is lawfully made available pursuant to federal and state law.~~
(4) “Personal information” shall have the same meaning as defined in subdivision (o) of Section 1798.140 of the Civil Code.
~~(6)~~

(5) “Retaliatory” or “adverse action” means, but is not limited to, an adverse employment action taken by an employer against an employee, including termination, fine, or suspension, if an employer’s action is in response to ~~a matter related to a wellness program, such as~~ an employee’s election to not participate in a wellness program or the data collected through the wellness program about an employee.

(6) “Wellness program” means an employer-based program aimed at promoting health-related behaviors and disease prevention. A wellness program excludes care coordination by or between health care providers in the practice of medicine.

SEC. 5.

No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.