AB 2935: Health information privacy: digital commercial health monitoring.
- Session Year: 2017-2018
- House: Assembly
Existing federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes certain requirements relating to the provision of health insurance, including provisions relating to the confidentiality of health records. Existing state law, the Confidentiality of Medical Information Act, prohibits a provider of health care, a health care service plan, a contractor, a corporation and its subsidiaries and affiliates, or any business that offers software or hardware to consumers, including a mobile application or other related device, as defined, from intentionally sharing, selling, using for marketing, or otherwise using any medical information, as defined, for any purpose not necessary to provide health care services to a patient, except as provided.
This bill would prohibit an operator of a commercial health monitoring program from intentionally sharing, selling, or disclosing individually identifiable health monitoring information in possession of or derived from a commercial health monitoring program to a 3rd party without first providing clear and conspicuous notice and obtaining the consumer's affirmative consent, except as provided. The bill would require an operator of a commercial health monitoring program, upon request, to delete a consumer's individually identifiable health monitoring information, and to maintain or delete individually identifiable health monitoring information in a manner that preserves security and confidentiality. The bill would define terms for its purposes and exempt entities and individuals subject to HIPAA or the Confidentiality of Medical Information Act from these requirements.
Discussed in Hearing
Assembly Floor
Assembly Standing Committee on Privacy and Consumer Protection
Assembly Standing Committee on Health
Bill Author