Bill Text: CA AB2089 | 2021-2022 | Regular Session | Amended

Bill Title: Privacy: mental health digital services: mental health application information.

Spectrum: Bipartisan Bill

Status: (Passed) 2022-09-28 - Chaptered by Secretary of State - Chapter 690, Statutes of 2022. [AB2089 Detail]


Amended IN Assembly April 21, 2022
Amended IN Assembly March 24, 2022

CALIFORNIA LEGISLATURE— 2021–2022 REGULAR SESSION

Assembly Bill
No. 2089


Introduced by Assembly Member Bauer-Kahan
(Coauthor: Assembly Member Cunningham)

February 14, 2022


An act to amend Sections 56.05 and 56.06 of, and to add Chapter 4.1 (commencing with Section 56.251) to Part 2.6 of Division 1 of, the Civil Code, relating to privacy.


LEGISLATIVE COUNSEL'S DIGEST


AB 2089, as amended, Bauer-Kahan. Privacy: mental health applications: mental health application information.
Existing federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes certain requirements relating to the provision of health insurance, including provisions relating to the confidentiality of health records. Existing state law, the Confidentiality of Medical Information Act (CMIA), prohibits a provider of health care, a health care service plan, a contractor, a corporation and its subsidiaries and affiliates, or any business that offers software or hardware to consumers, including a mobile application or other related device, as defined, from intentionally sharing, selling, using for marketing, or otherwise using any medical information, as defined, for any purpose not necessary to provide health care services to a patient, except as provided. Existing law, the California Consumer Privacy Act of 2018 (CCPA), imposes various obligations on businesses with respect to personal information, as defined. The California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election, amended, added to, and reenacted the CCPA. The CCPA grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared. Existing law makes a violation of these provisions that results in economic loss or personal injury to a patient punishable as a misdemeanor.

This bill would prohibit a mental health application developer, as defined, from sharing a consumer’s personal information with a third party unless certain conditions are met, including that the information is deidentified, the information is reasonably necessary to provide a mental health service that a consumer has requested, or the consumer affirmatively consents to the sharing of their personal information. The bill would subject a mental health application developer that violates these requirements to an injunction and would make them liable for a civil penalty. The bill would subject any medical information entered in, or collected by, the online application or mobile application from a health care provider to the confidentiality requirements set forth in HIPAA and CMIA.

On or before January 31, 2023, and annually thereafter, this bill would require a mental health application developer to register with the Attorney General. As part of registering, the bill would require a mental health application developer to provide specified identifying and contact information to the Attorney General, and to pay a registration fee. The bill would require the registration fee to be deposited in the Mental Health Application Developer Fund, which would be created by the bill, within the State Treasury. Under the bill, the money in the fund would be used by the Attorney General, upon appropriation, to create an informational internet website page on which the information provided by a mental health application developer to the Attorney General would be accessible to the public. The bill would subject a mental health application developer that fails to register with the Attorney General to an injunction and would make them liable for civil penalties, fees, and expenses, as specified. The bill would require the penalties, fees, and costs to be deposited in the Consumer Privacy Fund, established by the CCPA, to be used, upon appropriation by the Legislature, to fully offset costs incurred by the state courts and the Attorney General in connection with the registry.

This bill would revise the definition of medical information to include mental health application information. The bill would define mental health application information to mean information related to a consumer’s inferred or diagnosed mental health or substance use disorder, as specified, collected by a mental health application, as defined. The bill would provide that any business that offers a mental health application to a consumer for the purpose of allowing the individual to manage their information, or for the diagnosis, treatment, or management of a medical condition of the individual, is deemed to be a provider of health care subject to the requirements of CMIA. The bill would require a business that offers a mental health application, when partnering with a provider of health care, to notify the provider of all reportable data breaches and known violations of CMIA in the past three years. Because the bill would expand the definition of a crime, it would impose a state-mandated local program.
The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.
This bill would provide that no reimbursement is required by this act for a specified reason.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: YES

The people of the State of California do enact as follows:


SECTION 1.

 Section 56.05 of the Civil Code is amended to read:

56.05.
 For purposes of this part:
(a) “Authorization” means permission granted in accordance with Section 56.11 or 56.21 for the disclosure of medical information.
(b) “Authorized recipient” means a person who is authorized to receive medical information pursuant to Section 56.10 or 56.20.
(c) “Confidential communications request” means a request by a subscriber or enrollee that health care service plan communications containing medical information be communicated to them at a specific mail or email address or specific telephone number, as designated by the subscriber or enrollee.
(d) “Contractor” means a person or entity that is a medical group, independent practice association, pharmaceutical benefits manager, or a medical service organization and is not a health care service plan or provider of health care. “Contractor” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code or pharmaceutical benefits managers licensed pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).
(e) “Enrollee” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.
(f) “Health care service plan” means an entity regulated pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).
(g) “Licensed health care professional” means a person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code, the Osteopathic Initiative Act or the Chiropractic Initiative Act, or Division 2.5 (commencing with Section 1797) of the Health and Safety Code.
(h) “Marketing” means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.
“Marketing” does not include any of the following:
(1) Communications made orally or in writing for which the communicator does not receive direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication.
(2) Communications made to current enrollees solely for the purpose of describing a provider’s participation in an existing health care provider network or health plan network of a Knox-Keene licensed health plan to which the enrollees already subscribe; communications made to current enrollees solely for the purpose of describing if, and the extent to which, a product or service, or payment for a product or service, is provided by a provider, contractor, or plan or included in a plan of benefits of a Knox-Keene licensed health plan to which the enrollees already subscribe; or communications made to plan enrollees describing the availability of more cost-effective pharmaceuticals.
(3) Communications that are tailored to the circumstances of a particular individual to educate or advise the individual about treatment options, and otherwise maintain the individual’s adherence to a prescribed course of medical treatment, as provided in Section 1399.901 of the Health and Safety Code, for a chronic and seriously debilitating or life-threatening condition as defined in subdivisions (d) and (e) of Section 1367.21 of the Health and Safety Code, if the health care provider, contractor, or health plan receives direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication, if all of the following apply:
(A) The individual receiving the communication is notified in the communication in typeface no smaller than 14-point type of the fact that the provider, contractor, or health plan has been remunerated and the source of the remuneration.
(B) The individual is provided the opportunity to opt out of receiving future remunerated communications.
(C) The communication contains instructions in typeface no smaller than 14-point type describing how the individual can opt out of receiving further communications by calling a toll-free number of the health care provider, contractor, or health plan making the remunerated communications. Further communication shall not be made to an individual who has opted out after 30 calendar days from the date the individual makes the opt-out request.
(i) “Medical information” means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental health application information, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the identity of the individual.
(j) “Patient” means a natural person, whether or not still living, who received health care services from a provider of health care and to whom medical information pertains.
(k) “Pharmaceutical company” means a company or business, or an agent or representative thereof, that manufactures, sells, or distributes pharmaceuticals, medications, or prescription drugs. “Pharmaceutical company” does not include a pharmaceutical benefits manager, as included in subdivision (c), or a provider of health care.
(l) “Protected individual” means any adult covered by the subscriber’s health care service plan or a minor who can consent to a health care service without the consent of a parent or legal guardian, pursuant to state or federal law. “Protected individual” does not include an individual that lacks the capacity to give informed consent for health care pursuant to Section 813 of the Probate Code.
(m) “Provider of health care” means a person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code; a person licensed pursuant to the Osteopathic Initiative Act or the Chiropractic Initiative Act; a person certified pursuant to Division 2.5 (commencing with Section 1797) of the Health and Safety Code; or a clinic, health dispensary, or health facility licensed pursuant to Division 2 (commencing with Section 1200) of the Health and Safety Code. “Provider of health care” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code.
(n) “Sensitive services” means all health care services related to mental or behavioral health, sexual and reproductive health, sexually transmitted infections, substance use disorder, gender affirming care, and intimate partner violence, and includes services described in Sections 6924, 6925, 6926, 6927, 6928, 6929, and 6930 of the Family Code, and Sections 121020 and 124260 of the Health and Safety Code, obtained by a patient at or above the minimum age specified for consenting to the service specified in the section.
(o) “Subscriber” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.
(p) “Mental health application” means a mobile-based application that collects mental health application information from a consumer, markets itself as facilitating mental health services to a consumer, and uses the information to facilitate mental health services to a consumer.
(q) “Mental health application information” means information related to a consumer’s inferred or diagnosed mental health or substance use disorder, as defined in Section 1374.72 of the Health and Safety Code, collected by a mental health application.

SEC. 2.

 Section 56.06 of the Civil Code is amended to read:

56.06.
 (a) Any business organized for the purpose of maintaining medical information, as defined in subdivision (j) of Section 56.05, in order to make the information available to an individual or to a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage their information, or for the diagnosis and treatment of the individual, shall be deemed to be a provider of health care subject to the requirements of this part. However, this section shall not be construed to make a business specified in this subdivision a provider of health care for purposes of any law other than this part, including laws that specifically incorporate by reference the definitions of this part.
(b) Any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information, as defined in subdivision (j) of Section 56.05, in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage their information, or for the diagnosis, treatment, or management of a medical condition of the individual, shall be deemed to be a provider of health care subject to the requirements of this part. However, this section shall not be construed to make a business specified in this subdivision a provider of health care for purposes of any law other than this part, including laws that specifically incorporate by reference the definitions of this part.
(c) Any business that is licensed pursuant to Division 10 (commencing with Section 26000) of the Business and Professions Code that is authorized to receive or receives identification cards issued pursuant to Section 11362.71 of the Health and Safety Code or information contained in a physician’s recommendation issued in accordance with Article 25 (commencing with Section 2525) of Chapter 5 of Division 2 of the Business and Professions Code shall be deemed to be a provider of health care subject to the requirements of this part. However, this section shall not be construed to make a business specified in this subdivision a provider of health care for purposes of any law other than this part, including laws that specifically incorporate by reference the definitions of this part.
(d) Any business that offers a mental health application to a consumer for the purpose of allowing the individual to manage their information, or for the diagnosis, treatment, or management of a medical condition of the individual, shall be deemed to be a provider of health care subject to the requirements of this part.

(e) Any business described in this section shall maintain the same standards of confidentiality required of a provider of health care with respect to medical information disclosed to the business.

(f) Any business described in this section is subject to the penalties for improper use and disclosure of medical information prescribed in this part.

SEC. 3.

 Chapter 4.1 (commencing with Section 56.251) is added to Part 2.6 of Division 1 of the Civil Code, to read:
CHAPTER 4.1. Notifications

56.251.
 When partnering with a provider of health care to provide mental health application services, any business that offers a mental health application shall notify the provider of health care of all reportable data breaches and known violations of this part in the past three years before finalizing an agreement between the entities.

SEC. 4.

 No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.
SECTION 1. Title 1.81.55 (commencing with Section 1798.100.150) is added to Part 4 of Division 3 of the Civil Code, to read:
1.81.55. Mental Health Application Developers
1. Definitions
1798.100.150.

For purposes of this chapter, the following definitions apply:

(a) “Medical information” has the same meaning as defined in subdivision (i) of Section 56.05.

(b) “Mental health application developer” means a person or entity that develops an online or mobile-based application that collects information from a consumer related to the consumer’s inferred or diagnosed mental health or substance use disorder and that uses the information to facilitate mental health services to that consumer.

(c) “Mental health or substance use disorder” has the same meaning as defined in paragraph (2) of subdivision (a) of Section 1374.72 of the Health and Safety Code.

(d) “Personal information” has the same meaning as defined in Section 1798.140.

(e) “Third party” has the same meaning as defined in Section 1798.140.

2. Mental Health Information Privacy
1798.100.151.

(a) A mental health application developer shall not share a consumer’s personal information with a third party, including a parent company, unless one of the following conditions is satisfied:

(1) The information is deidentified in a manner that, at a minimum, meets the deidentification requirements of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191), as contained in Section 164.514 of Title 45 of the Code of Federal Regulations.

(2) The personal information shared with a third party is reasonably necessary to provide a mental health service that a consumer has requested or is reasonably necessary for security protection or fraud prevention. The selling of information for profit shall not be considered reasonably necessary to provide a service that a consumer has requested or reasonably necessary for security protection or fraud prevention.

(3) The consumer affirmatively consents to the sharing of their personal information. The consumer’s affirmative consent to information sharing under this paragraph shall state the type of information to be shared and whether the information may be shared for profit, research, or any other reason. A consumer who gives consent to have their personal information shared pursuant to this paragraph may withdraw their consent at any time.

(b) A mental health application developer that violates this section shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.

1798.100.152.

(a) Any medical information entered into, or collected by, the online application or mobile application from a health care provider, including treatment and diagnosis information, is subject to the confidentiality requirements set forth in the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) and the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191).

(b) The mental health application developer shall ensure that all administrative, physical, and technical safeguards are in place to ensure the confidentiality, integrity, and security of the consumer’s personal information and mental health information, as required by the Confidentiality of Medical Information Act and HIPAA.

1798.100.153.

Any statements made by a mental health application developer regarding its privacy policy are subject to the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).

3. Mental Health Application Developer Registry
1798.100.154.

(a) On or before January 31, 2023, and annually thereafter, a mental health application developer shall register with the Attorney General pursuant to the requirements of this section.

(b) In registering with the Attorney General, as described in subdivision (a), a mental health application developer shall do all of the following:

(1) Pay a registration fee in an amount determined by the Attorney General, not to exceed the reasonable costs of establishing and maintaining the informational internet website page described in Section 1798.100.156. Registration fees shall be deposited in the Mental Health Application Developer Fund, created within the State Treasury pursuant to Section 1798.100.155, and used for the purposes described in this paragraph.

(2) Provide all of the following information:

(A) The name of the mental health application developer and its primary physical address, telephone number, email address, and internet website address.

(B) Any additional information or explanation the mental health application developer chooses to provide concerning its mental health information collection practices.

(c) A mental health application developer that fails to register as required by this section is subject to an injunction and is liable for civil penalties, fees, and expenses in an action brought in the name of the people of the State of California by the Attorney General as follows:

(1) A civil penalty of one hundred dollars ($100) for each day the mental health application developer fails to register as required by this section.

(2) An amount equal to the fees that were due during the period it failed to register.

(3) Expenses incurred by the Attorney General in the investigation and prosecution of the action as the court deems appropriate.

(d) Any penalties, fees, and expenses recovered in an action prosecuted under subdivision (c) shall be deposited in the Consumer Privacy Fund, created within the General Fund pursuant to subdivision (a) of Section 1798.160, to be used, upon appropriation, to fully offset costs incurred by the state courts and the Attorney General in connection with this chapter.

1798.100.155.

A fund to be known as the “Mental Health Application Developer Registry Fund” is hereby created within the State Treasury. All registration fees received pursuant to paragraph (1) of subdivision (b) of Section 1798.100.154 shall be deposited into the Mental Health Application Developer’s Registry Fund, to be available for expenditure by the Department of Justice, upon appropriation by the Legislature, to offset costs of establishing and maintaining the informational internet website page described in Section 1798.100.156.

1798.100.156.

The Attorney General shall create a page on its internet website on which the information provided by a mental health application developer pursuant to Section 1798.100.154 shall be accessible to the public.

4. Construction of Title
1798.100.157.

This title does not limit any rights available under the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1), the California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100)), or the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Public Law 104-191).
