California Health Privacy Information Legislation Update
When it comes to the privacy of health information, California belongs to the select group of states that have implemented broad consumer privacy protections above and beyond those provided by the federal Health Insurance Portability and Accountability Act (HIPAA) and the Federal Trade Commission Act (FTCA). This year, the state’s ongoing legislative efforts to protect the health information of its residents included: Assembly Bill 1436 (AB 1436) which if enacted would have revised California’s existing Confidentiality of Medical Information Act (CMIA), and Senate Bill 41 (SB 41), which if enacted will create the new Genetic Information Privacy Act (GIPA). As further discussed below, only SB 41 is moving forward, and if signed by Governor Newsom GIPA will go into effect on January 1, 2022.
SB 41 Awaiting Governor Newsom’s Signature
Recently, the California legislature unanimously passed SB 41, which would establish GIPA. If signed by Governor Newsom, GIPA will impose privacy requirements on direct-to-consumer genetic testing companies (DTC Companies).
A patchwork of existing laws apply to the privacy of genetic information at the state and federal level, but they don’t always apply, particularly outside of health care. SB 41 aims to improve privacy protections for “genetic data” that is not otherwise protected by the CMIA or HIPAA.
GIPA defines DTC Companies as entities that do any of the following:
Sell, market, interpret, or otherwise offer consumer-initiated genetic testing products or services directly to consumers;
Analyze genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition; or
Collect, use, maintain, or disclose genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer.
“Genetic data” as defined in GIPA means identifiable data that results from the analysis of a biological sample from a consumer, or from another element that enables equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), un-interpreted data that results from the analysis of the biological sample, and any information extrapolated, derived, or inferred therefrom.
While GIPA does not apply to de-identified data, GIPA does not incorporate HIPAA’s de-identification standards, but instead imposes a more stringent standard requiring that data cannot be used to infer information about, or otherwise be linked to, a particular individual and requires that DTC Companies do all of the following:
Take reasonable measures to ensure that the information cannot be associated with a consumer or household.
Publicly commit to maintain and use the information only in de-identified form and not to attempt to re-identify the information, except that the business may attempt to re-identify the information solely for the purpose of determining whether its de-identification processes comply with the Act’s requirements, provided that the business does not use or disclose any information re-identified in this process and destroys the re-identified information upon completion of that assessment.
Contractually obligate any recipients of the information to take reasonable measures to ensure that the information cannot be associated with a consumer or household and to commit to maintaining and using the information only in de-identified form and not to re-identify the information.
GIPA would require DTC Companies to provide consumers with information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure of genetic data, and to obtain an express authorization for collection, use, or disclosure of consumers’ genetic data, subject to limited exceptions for research and educational purposes.
GIPA would also require DTC Companies to honor any revocation of consent to use, collect, or disclose a consumer’s genetic data and destroy a consumer’s biological sample within 30 days of their revocation of consent. DTC Companies would need to implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data.
Penalties under GIPA can be up to $10,000 per violation plus court costs, depending on whether negligence or willful conduct was involved.
Notably, SB 41 replaces an earlier version of the legislation (Senate Bill 980) that Governor Newsom vetoed in October of 2020 out of concern the bill would interfere with mandatory COVID-19 test reporting. SB 41 seems to address Governor Newsom’s concerns by exempting tests conducted exclusively to diagnose whether an individual has a specific disease in certain circumstances and genetic data maintained by employers relating to compliance with health and safety laws, regulations, and ordinances, and thus it seems likely that this version of GIPA will be enacted. If so, we will discuss the provisions of GIPA and its implications for DTC Companies in greater detail in a future blog post.
AB 1436 Held Under Submission in Appropriations Committee
On August 26, 2021, AB 1436 was held under submission by California’s Senate Appropriations Committee and therefore will not progress out of committee this year. AB 1436 would have expanded privacy protections under the CMIA to a broader range of health technology companies. Thus, businesses who collect health information in connection with consumer health and wellness products and services that are not currently subject to the CMIA should continue to monitor any subsequent legislative developments and keep an eye out for future proposed legislation similar in nature.
Currently, the CMIA protects the privacy of medical information (as defined under the Act), and applies to health care providers, health plans, and certain non-provider contractors, including medical groups, independent practice associations, pharmaceutical benefits managers, and medical service organizations. Under the CMIA, businesses that offer software or hardware to consumers, including mobile applications and medical devices, for the purpose of allowing individuals to manage their own medical information in connection with their medical diagnosis and treatment are deemed providers of health care. While the CMIA applies to many health technology providers, for this reason, it does not apply in cases where the health information collected is not in the possession of or derived from a health care provider, health plan, pharmaceutical company, or contractor. While certain privacy requirements may still apply under the California Consumer Privacy Act, these are less stringent requirements with respect to the use and disclosure of individually identifiable health information.
The author of AB 1436 aimed to close this gap by imposing new privacy requirements under the CMIA to products, devices, commercial internet websites, online services, and mobile applications used by individuals and designed to collect and transmit individually identifiable information relating to an individual’s mental or physical condition in connection with the diagnosis, treatment, or management of a medical condition. AB 1436 would have required companies offering personal health record systems (PHRS) that are not already subject to the CMIA to obtain a signed CMIA compliant authorization from an individual before using or disclosing (directly or through a third party) their personal health record information, with limited exceptions. AB 1436 also would have required PHRS companies to communicate the scope of permissible uses to recipients of medical information, and recipients would have been required to obtain a new authorization before further disclosing medical information. PHRS companies and medical information recipients failing to comply would have been subject to administrative fines or civil penalties under the CMIA ranging from $2,500 to $250,000 per violation depending on the level of culpability.