California goes past HIPAA

California recently enacted legislation that goes even beyond HIPAA for patient privacy, particularly as privacy relates to the bevy of new healthcare products hitting the market through mobile apps and personal health records.

Assembly Bill 658, the Confidentiality of Medical Information Act, was signed into law by Gov. Jerry Brown last September with seemingly little attention apart from the ever-watchful policy wonks over at California Healthline. It went into effect in January.

“This law has important implications for consumers, developers of consumer-facing health tools and the quality of privacy and security protections afforded to health information stored in some PHRs and mobile health apps,” authors Deven McGraw and Susan Ingargiola of Manatt Health Solutions write.

With Apple’s HealthKit and Microsoft’s HealthVault, among scores of other platforms and products and apps being developed, the issue is sure to spark the interest of many within healthcare, including entrepreneurs.

While HIPAA covers providers and provider associates, it does not cover PHRs and mobile health apps “comprehensively,” McGraw and Ingargiola write, noting furthermore:

“HIPAA does not apply to freestanding PHRs (e.g., HealthVault) that are not offered by HIPAA-covered entities. While some commercial PHRs may advertise themselves as “HIPAA-compliant,” the only privacy protections they offer are those in their own privacy notices and practices, which they may change at any time.”

Hence California felt compelled to act. From Healthline:

The law “applies to any business that offers software or hardware to consumers, including a mobile application or other related device that is designed to maintain medical information … in order to make the information available to an individual or a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis, treatment or management of a medical condition of the individual.”

“The law applies to software or hardware that maintains ‘medical information,’ which is limited to individually identifiable information regarding a patient’s medical history, mental or physical condition, or treatment that is either in the possession of or is derived from a health care provider, health plan, pharmaceutical company or contractor thereof. This means that CMIA may not reach all PHRs and mobile health apps.”

So what’s the impact going to be?

“Given that most mobile apps obtain user consent through general assent to terms and conditions, the effect of extending CMIA’s authorization requirements to mobile app developers could be significant… Newly covered businesses that have a business model that includes the sale or marketing use of certain customer information that meets the definition of medical information will have to change their business model or obtain their customers’ specific authorization. Failure to comply with the law could result in penalties of nominal damages of $1,000 and the amount of actual damages, if any, sustained by the patient, as well as administrative fines and possible civil and criminal penalties.”

That seems worth noting if you’re in the digital health space.