With the increasing use of mobile applications and the storage of medical information online, there is a growing concern for preventing the unauthorized use, disclosure and access to such highly confidential information. According to the California Department of Justice’s Privacy Enforcement and Protection Unit, personal health records (PHRs) are defined as “Internet-based applications that allow you to gather, store, manage, and in some cases share, information about your health or the health of someone in your care.” Commonly, health care providers offer PHRs so members can easily access all of their health care information online and in one location. PHRs present additional benefits, such as allowing patients to keep track of their medication regime, record how they are responding to prescribed orders, or transfer medical records to other hospitals or labs.
However, PHRs are increasingly being offered by commercial vendors for a fee. A.B. 658, passed by the California legislature on August 22, 2013, and signed into law by Governor Brown on September 9, 2013, is designed to clearly bring all PHRs, including commercial vendors and businesses offering mobile health care applications, within the California Confidentiality of Medical Information Act (CMIA).
Currently, the CMIA prohibits health care providers from intentionally sharing, selling, using for marketing or otherwise using any medical information for any purpose other than to provide health care services to a patient. A.B. 658 expands such prohibitions to any business that offers software or hardware (including mobile applications) to consumers that is designed to maintain medical information in order for a consumer to manage their medical information.
Additionally, the new law would require these businesses to maintain the same standards of confidentiality required of a provider of health care with respect to medical information disclosed to the business. The failure to abide by these new provisions may subject the business to penalties for improper use and disclosure of medical information.
Businesses offering PHRs or mobile applications that collect medical information of California consumers should become familiar with the limitations of the use of such information along with the standard of confidentiality as set forth in the CMIA.