Enrolled  September 04, 2020
Passed  IN  Senate  August 31, 2020
Passed  IN  Assembly  August 31, 2020
Amended  IN  Senate  August 28, 2020
Amended  IN  Senate  August 20, 2020
Amended  IN  Senate  June 29, 2020
Amended  IN  Assembly  May 12, 2020
Amended  IN  Assembly  March 12, 2020

CALIFORNIA LEGISLATURE— 2019–2020 REGULAR SESSION

Assembly Bill
No. 2004

Introduced by Assembly Member Calderon
(Principal coauthor: Senator Hertzberg)

January 28, 2020

An act to add Section 11546.10 to the Government Code, relating to privacy.


LEGISLATIVE COUNSEL'S DIGEST


AB 2004, Calderon. Medical test results: verification credentials.
Existing law, the Confidentiality of Medical Information Act, prohibits providers of health care, health care service plans, contractors, employers, and third party administrators, among others, from disclosing medical information, as defined, without the patient’s written authorization, subject to certain exceptions, as specified.
This bill would require the Government Operations Agency, on or before July 1, 2021, to appoint a working group, consisting of representatives from the public and private sectors, as specified, to explore the use of verifiable health credentials for communication of COVID-19 test results or other medical test results in this state. The bill would require the working group to report its recommendations to the Legislature on or before July 1, 2022. The bill would require the Department of Consumer Affairs to, among other things, in consultation with the working group, develop and maintain a verifiable issuer registry, as defined.
The bill would prohibit a law enforcement agency, excluding a federal law enforcement agency, from requiring a patient to show a verifiable health credential.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 The Legislature finds and declares the following:
(a) Public health experts have indicated that widespread medical testing is critical to an efficient response to the ongoing COVID-19 pandemic in order to assess the extent of infection, direct public health resources, and minimize interpersonal transmission.
(b) Due to the unique sensitivity of personal health information, the communication of this information, including medical test results, is subject to extensive state and federal regulation to protect the individual rights to privacy guaranteed by the California Constitution and the United States Constitution, respectively.
(c) Cryptography-based verifiable credential models, such as the Verifiable Credentials Data Model developed by the World Wide Web Consortium (W3C), show great promise for providing privacy-protective, secure, and portable avenues to communicate sensitive health information.
(d) Verifiable credential models should protect individuals from surveillance, discrimination, and fraud, while promoting accessibility for all. Verifiable credential models should not in any way compromise an individual’s right to privacy, including by means of tracking or reporting the individual’s usage of the verifiable health credential.
(e) Though existing protections for health information maintained and communicated electronically may apply to test results communicated as verifiable health credentials, the practical application of those protections to this cutting-edge technology warrants clarification.
(f) Considering the immediate demand for widespread medical testing, development of technical infrastructure, standards, and practices for the use of this promising technology to securely communicate medical test results, including COVID-19 test results, is particularly timely.

SEC. 2.

 Section 11546.10 is added to the Government Code, immediately following Section 11546.9, to read:

11546.10.
 (a) For purposes of this section, the following definitions shall apply:
(1) “Verifiable health credential” means a portable electronic patient record issued by an authorized health care provider to a patient or patient’s personal representative, as defined in Section 123105 of the Health and Safety Code, for which the authenticity of the record can be independently verified cryptographically.
(2) “Authorized health care provider” means the holder of a physician’s or surgeon’s certificate, a nurse practitioner, a physician’s assistant or any other licensed healthcare provider who is engaged in the professional practice authorized by that certificate under the jurisdiction of a board within the Department of Consumer Affairs and whose current license and name has been included in a verifiable issuer registry of health care providers authorized to issue verifiable health credentials.
(3) “Verifiable issuer registry” means a repository of current licenses representing authorized health care providers maintained by their respective licensing agencies, against which verifiable health credentials may be checked to confirm their authenticity by verifying the identity and authorization status of the issuer of the credential.
(4) “Law enforcement agency” shall not include a federal law enforcement agency.
(b) On or before July 1, 2021, the Government Operations Agency shall appoint a working group to explore methods of using verifiable health credentials for communication of COVID-19 test results or other medical test results in this state. The purpose of the working group shall be to develop methods, using a verifiable credential model, to provide secure, private, and portable access to COVID-19 test results and other medical test results, as well as to develop best practices for the implementation of this technology in a manner that prioritizes privacy of personal information and equitable access.
(c) The working group shall consist of representatives from the public and private sectors, including state health-related agencies, health care providers, privacy and civil liberties groups, independent nonprofit or not-for-profit information technology groups with specific expertise in the development and use of verifiable credentials, and a business based in California that offers services centered on the provision and authentication of verifiable credentials.
(d) (1) On or before July 1, 2022, the working group shall report to the Legislature on the methods and best practices developed pursuant to subdivision (b).
(2) The working group’s report shall include recommendations subject to enactment by the Legislature.
(3) A report submitted pursuant to this subdivision shall be submitted in compliance with Section 9795 of the Government Code.
(e) (1) The Department of Consumer Affairs shall maintain sole jurisdiction over the authorization of health care providers for the issuing of verifiable health credentials and shall, in consultation with the working group, establish procedures for the authorization of issuers for verifiable health credentials, including developing and maintaining a verifiable issuer registry.
(2) The Department of Consumer Affairs may utilize blockchain technology for the purposes of the verifiable issuer registry pursuant to paragraph (1).
(f) A law enforcement agency shall not require a patient to show a verifiable health credential.
(g) This section shall not be construed to alter the scope of practice of a health care provider or authorize the delivery of health care services in a setting, or in a manner, not otherwise authorized by law.
(h) All laws regarding the confidentiality of health care information and a patient’s rights to the patient’s medical information shall apply to verifiable health credentials.
(i) All relevant laws and regulations governing professional responsibility, unprofessional conduct, and standards of practice that apply to a health care provider under the health care provider’s license shall apply to the issuing of verifiable health credentials by an authorized health care provider.