Additional Recent California Privacy Enactments
California recently enacted three laws affecting privacy rights and obligations, which deal with medical information use, credit reporting and state government responsibilities. These September approvals are in addition to the five new California statutes discussed in November's edition of Privacy In Focus (A.B. 2246, S.B. 1903, A.B. 2869, A.B. 1897 and A.B. 1862).
A.B. 1836 - Medical Records Confidentiality
This statute, approved by Governor Gray Davis on September 30, for January 1, 2001 effectiveness, amends Section 56.10 of California's Confidentiality of Medical Information Act, which embodies a general rule that a provider of health care, health care service plan or contractor shall not disclose medical information regarding its patients or subscribers without first obtaining their authorization. This general rule is subject to numerous specified exceptions.
A.B. 1836 (Chapter 1068) broadens the express exceptions to the general requirement for authorization. It makes express that a "provider of health service" or a "health care service plan" may disclose "medical information" without authorization to (1) "contractors" for purposes of diagnosis or treatment, (2) contractors responsible for paying for health care services, (3) independent medical review organizations, their reviewers and contractors engaged in reviewing competence or qualifications, or in reviewing health care services necessity or charges or (4) disease management organizations or contractors that are subcontractors to a health care service plan in a disease management program. Prohibitions against further sharing, sale or use by contractors without authorization are expanded expressly to encompass a "corporation and its subsidiaries and affiliates."
The amendments to Section 56.10 also provide (until January 1, 2003) for mandatory disclosure of a decedent's medical information by a provider of health care, health care service plan or contractor to coroners for use in identifying the decedent, locating next of kin, or when investigating the decedent's death.
S.B. 2166 - Credit Reporting for Insurance Purposes
S.B. 2166 (Chapter 1012), approved September 29, for January 1, 2001 effectiveness, amends California's Consumer Credit Reporting Agencies Act. Prior to the amendment, the law provided that consumer credit reporting agencies may not include "medical information" on consumers in their files on consumers without consent of the consumer and may not furnish medical information for employment or credit purposes without consent. The amendment adds a further restriction so that a credit reporting agency may not furnish medical information for "insurance" purposes in a consumer credit report without the consent of the consumer.
S.B. 2166 also makes clarifying amendments to the provisions authorizing consumers to opt-out and have their names excluded from lists of names provided by a consumer credit reporting agency in connection with the potential issuance of a firm offer of credit in a transaction that is not initiated by the consumer.
S.B. 129 - Office of Privacy Protection/Privacy Policies
S.B. 129 also provides for the establishment of an Office of Privacy Protection within the California Department of Consumer Affairs, which Office shall "commence activities" no later than January 1, 2002. The new Office's purpose will "be protecting the privacy of individuals' personal information in a manner consistent with the California Constitution" by "identifying consumer problems in the privacy area" and "facilitating development of fair information practices." Functions assigned by the statute directly to the Office include informing the public on "options for protecting the privacy of personal information," making "recommendations to organizations for privacy policies and practices," and promoting "nonbinding arbitration and mediation of privacy related disputes."
Additional new duties, assigned to the Director of the Department of Consumer Affairs, include to receive and refer complaints of unlawful use of personal information, to develop public information programs, and to "investigate and assist in the prosecution of identity theft and other privacy related crimes."
For additional information, please contact Bruce L. McDonald (202/719-7014).