Welcome to Consumer Reports Advocacy


Consumer and Privacy Groups Support AB 1252 to Protect Health App Privacy

American Civil Liberties Union of California, Consumer Reports, the Electronic Frontier Foundation, and Privacy Rights Clearinghouse write in support of AB 1252 (Information privacy: digital health feedback systems). We are strong proponents of public policy that bolsters consumers’ privacy and their individual right to choose who accesses their data and for what purposes. It is within this framework that we support this bill, because it could extend existing health privacy protections to innovative medical technology not contemplated when current laws were put in place.

In California, patient privacy is protected by the Confidentiality of Medical Information Act (CMIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, combined, these two laws only protect sensitive health information that is generated by healthcare providers, insurers and health plans, pharmaceutical companies, healthcare clearinghouses and businesses organized for the purpose of maintaining medical information. The information created by new health technology, such as digital health feedback systems and online health services, does not fall into this rubric.

Drafters of these laws did not anticipate future technology that would facilitate personal health information being generated by technology outside the traditional care setting and by the patients themselves. That future, however, is here and our state laws must keep pace. Although the California Consumer Privacy Act (CCPA) would apply to this data, the law does not protect consumer data to the same extent as the medical privacy laws, creating an uneven privacy plane between health information collected by new health technology versus data created by providers and insurers and plans themselves. For example, whereas the CCPA permits data sharing but requires access, deletion, and limits on the sale of data to third parties upon request, the CMIA and HIPAA prohibit most cases of sharing at all. 

This bill would help protect sensitive information generated by new forms of health technology, aligning privacy rights around data collected in new ways with all other medical information, and would also require that manufacturers apply appropriate data security standards. 

This bill adds certainty for patients that using new health technology will not jeopardize their privacy and potentially impact them in other areas of their lives. For these reasons and many others, we support this bill.