Legislation that would amend California’s Confidentiality of Medical Information Act (“CMIA”) is working its way through California’s Senate and passed in the Senate Health Committee earlier this week. The proposed bill passed in the state’s Assembly back in April. Introduced by Democratic California Assemblymember Edwin Chau, who sits on the Privacy and Consumer Protection Committee, the proposed legislation (AB 1436) expands the definition of “provider of health care.” Under the CMIA, providers of health care are subject to various obligations, including provisions that restrict the disclosure of medical information without a prior valid authorization, subject to certain exceptions.
The CMIA already applies to a broader universe of entities than the Health Insurance Portability and Accountability Act, as amended by the Health Information Technology for Economic and Clinical Health Act, and its implementing regulations (collectively, “HIPAA”). As the law currently stands, a “provider of health care” includes any business organized for the purpose of maintaining medical information in order to make that information available to an individual or provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis and treatment of the individual. “Provider of health care” also includes businesses that offer software or hardware to consumers, including mobile applications or other related devices, that are designed to maintain medical information in order to make that information available to an individual or a provider of health care at either’s request, for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment, or management of a medical condition.
Under the new proposed law, a provider of health care would also include:
“any business that offers personal health record software or hardware to a consumer, including a mobile application or other related device that is designed to maintain personal health record system information . . . in order to make information available to an individual or to a provider of health care at the request of the individual or provider of health care, for purposes of allowing the individual to manage their information, or for the diagnosis, treatment, or management of a medical condition of the individual.”
The proposed legislation would also add the following definitions:
- Personal health record system, defined as “a commercial internet website, online service, or product that is used by an individual and that collects the individual’s personal health record information.”
- Personal health record information, defined as “individually identifiable information, in electronic or physical form, about an individual’s mental or physical condition that is collected by a personal health record system through a direct measurement of an individual’s mental or physical condition or through user input regarding an individual’s mental or physical condition into a personal health record system.”
The CMIA currently only applies to “medical information,” defined as “any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company or contractor regarding a patient’s medical history, mental or physical condition, or treatment.” In comments provided to the Senate Health Committee, Assemblymember Chau stated that the legislation is needed to cover technologies used by consumers at home that are not “in possession of or derived from a provider of health care.”
The CMIA includes a private right of action for individual’s whose medical information has been used or disclosed in violation of the CMIA, and the state Attorney General’s office may impose civil penalties for violations. Various industry groups have criticized the proposed bill as overbroad and unnecessary. The proposed bill contains identical language to legislation introduced earlier this year by Assemblymember Chau that was subsequently shelved.
Mobile health tracking apps have been under growing scrutiny by state and federal regulators. In September 2020, California Attorney General Xavier Becerra, who is now Secretary of the Department of Health and Human Services, announced a $250,000 settlement with Glow, Inc., resolving allegations that the fertility app had “expose[d] millions of women’s personal and medical information” and violated multiple laws, including [the CMIA].” Although this settlement implied that mobile health tracking apps would be considered “providers of health care” under the CMIA, the proposed bill would explicitly bring these apps within the statute’s reach. Additionally, the Federal Trade Commission announced a settlement earlier this year against Flo Health, the developer of popular menstrual cycle and fertility-tracking application, resolving allegations that “the company shared the health information of users with outside data analytics providers after promising that such information would be kept private.”