AB 658 closes a loophole on medical app privacy (signed into law)

Update: AB 658 was signed by Governor Brown on September 9.

One of the biggest concerns related to the use of smartphones in medical care is the potential breach of patient confidentiality. The increasing use of mobile application software (apps) adds new issues to patient information security and requires new privacy measures. When Personal Health Records (PHRs) are stored electronically, they can become exposed to data breaches.

According to the California State Office of Privacy Protection, PHRs are defined as ‘Internet-based applications that allow you to gather, store, manage, and in some cases share, information about your health or the health of someone in your care.’ The information typically provided by your health care providers is stored and accessible on a website.

Sometimes PHRs are offered as a service by a health care provider or health care plan, but they are also increasingly offered by private companies for a fee. The private company maintains the medical information in one place so the individual may access it or have it disclosed to the appropriate health care provider.

The main benefit of a PHR is that it allows an individual to manage his or her own medical information. For example, people with chronic health conditions may use a PHR to track how their medications are affecting them or how they’re feeling from day to day. Diabetics might use a PHR to record glucose levels, while people with hypertension may use it to track their blood pressure readings.

Currently, the only privacy protections that apply to PHRs depend on where the PHR originates.

A PHR from a doctor or a health plan would fall under the laws that protect medical privacy and set standards for maintaining the security of your medical information. This would include both the Health Insurance Portability and Accountability Act (HIPAA, federal) and the Confidentiality of Medical Information Act (CMIA, California).

However, PHRs from commercial vendors, including mobile app vendors, are not covered under HIPAA regulations. While some commercial PHRs may advertise themselves as ‘HIPAA-compliant,’ the only privacy protections they offer are those in their own privacy notices and practices, which they can change at any time. In addition, with commercial vendors, there is nothing to prevent the sale of your medical information to marketers, researchers, employers, insurers, or even drug companies.

Unfortunately, CMIA protections do not cover issues related to the storage of protected health information in commercial medical-related apps. CMIA generally prohibits any health care provider, health insurer, or medical service contractor from disclosing a patient’s medical information without the patient’s consent, subject to certain mandatory and voluntary exceptions.

The Consumer Federation of California supports AB 658 (Calderon), which closes the loophole in the existing protection of CMIA. It will protect privacy for people using mobile apps for medical purposes and will not allow commercial vendors who provide PHR services through mobile apps to disclose or share confidential medical information.

This bill clarifies that businesses offering personal health care records, whether online or through a mobile app, are subject to CMIA requirements if they maintain medical information that is derived from a health care provider, health service plan, or other medical service contractor. It would also apply to any business that maintains medical information, regardless of whether the business was organized for that purpose.

AB 658 would bring commercial vendors of PHRs on mobile devices under the covered entities of CMIA and protect your medical privacy.