Consumer Reports writes with a support-if-amended position on AB 2280. For over 80 years, Consumer Reports has worked with consumers for truth, transparency, and fairness in the marketplace. We are strong proponents of public policy that bolsters consumers’ privacy and their individual right to choose who accesses their data and for what purposes. It is within this framework that we have supported earlier versions of this bill, because it would extend existing health privacy protections to innovative medical technology not contemplated when current laws were put in place.
In California, patient privacy is protected by the Confidentiality of Medical Information Act (CMIA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, combined, these two laws only protect sensitive health information that is generated by healthcare providers, insurers and health plans, pharmaceutical companies, healthcare clearinghouses and businesses organized for the purpose of maintaining medical information. The information created by new health technology, such as digital health feedback systems and online health services, does not fall into this rubric.
Drafters of these laws did not anticipate future technology that would facilitate personal health information being generated by technology outside the traditional care setting and by the patients themselves. That future, however, is here and our state laws must keep pace. Although the California Consumer Privacy Act (CCPA) would apply to this data, the law does not protect consumer data to the same extent as the medical privacy laws, creating an uneven privacy plane between health information collected by new health technology and data created by providers and insurers and plans themselves. For example, whereas the CCPA permits data sharing but requires access, deletion, and limits on the sale of data to third parties upon request, the CMIA and HIPAA prohibit most cases of sharing at all.
We supported earlier versions of this bill because it would protect sensitive information generated by new forms of health technology, aligning privacy rights around data collected in new ways with all other medical information, and would also require that manufacturers apply appropriate data security standards. In this vein, we welcome the intent of the amendment to last year’s bill, AB 384, introduced on June 25, 2019, which expanded the scope of the bill to include a wide range of health technology rather than limiting protections to users of digital feedback systems.
Although we strongly support broadening the scope of this bill, section (l), which limits the application of this bill to health technology that is both FDA-approved and used at the direction of a healthcare provider, is overly restrictive and risks significant confusion.
- Restricting this bill to only the health technology that is FDA-approved could create a disincentive for developers to go through the FDA approval process and could create an uneven framework between products that are similar but for FDA approval.
- Limiting the bill to covering only health technology that is used “at the direction of a provider of health care with the primary purpose of collecting the individual’s individually identifiable personal health record information” could create confusion and a loophole. Confusion, because it is unclear how a business would know that a consumer is using the product at the recommendation of a provider. And a loophole, because a business could collect, outside the confines of CMIA, information about consumers’ mental and physical conditions so long as it is not the primary purpose of the product.
We have supported earlier versions of this bill based on its potential to add certainty for patients that using new health technology will not jeopardize their privacy and potentially impact them in other areas of their lives. However, the amendment adds uncertainty of its own. Therefore, we must request amendments to section 56.05(l) in order to continue to support this bill.