AB 2688: Privacy: commercial health monitoring programs.

  • Session Year: 2015-2016
  • House: Assembly
  • Latest Version Date: 2016-08-19

Existing federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes certain requirements relating to the provision of health insurance, including provisions relating to the confidentiality of health records. HIPAA prohibits a covered entity that uses electronic means to perform HIPAA-covered transactions, from using or disclosing personal health information except pursuant to a written authorization signed by the patient or for treatment, payment, or health care operations. Notwithstanding those provisions, HIPAA allows a covered entity to maintain a directory of patients in its facility for specified purposes, and to disclose the protected health information of a patient to family members, relatives, or other persons identified by the patient, if certain conditions are met. Covered entities include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit health care data in a way that is regulated by HIPAA. HIPAA further provides that if its provisions conflict with a provision of state law, the provision that is most protective of patient privacy prevails.

Existing law, the Confidentiality of Medical Information Act, prohibits a provider of health care, a health care service plan, a contractor, a corporation and its subsidiaries and affiliates, or any business that offers software or hardware to consumers, including a mobile application or other related device, as defined, from intentionally sharing, selling, using for marketing, or otherwise using any medical information, as defined, for any purpose not necessary to provide health care services to a patient, except as expressly authorized by the patient, enrollee, or subscriber, as specified, or as otherwise required or authorized by law.

This bill would prohibit an operator of a commercial health monitoring program from intentionally sharing, selling, or disclosing individually identifiable health monitoring information in possession of or derived from a commercial health monitoring program to a 3rd party, as defined, without first obtaining explicit authorization, as provided, and would specify that an authorization is not required where monitoring a 3rd party solely provides a service to the program and does not further use or disclose health monitoring information. providing clear and conspicuous notice and obtaining the consumer's affirmative consent, as provided, and would provide that individually identifiable information may be disclosed to specified entities without consent under specified circumstances, including to a government official if necessary to prevent an emergency involving the danger of death or serious physical injury to a person, if the disclosing entity provides notice of the disclosure as soon as practicable. The bill would also require an employer that receives health monitoring information in possession of or derived from a commercial health monitoring program to establish procedures to ensure preserve the confidentiality and security of that information, as provided. The bill would further prohibit an employer from discriminating against an employee based on an employee's health monitoring information or if that employee does not authorize consent to the use of his or her health monitoring information. The bill would exempt a covered entity, provider of health care, business associate, health care service plan, contractor, employer, or any other person subject to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Confidentiality of Medical Information Act from these requirements.

Discussed in Hearing

  • Senate Standing Committee on Judiciary, Jun 28, 2016 (17 min)
  • Assembly Floor, May 12, 2016 (6 min)
  • Assembly Standing Committee on Privacy and Consumer Protection, May 3, 2016 (19 min)
