Additional Recent California Privacy Enactments

December 2000

California recently enacted three laws affecting privacy rights and obligations, which deal with medical information use, credit reporting and state government responsibilities. These September approvals are in addition to the five new California statutes discussed in November's edition of Privacy In Focus (A.B. 2246, S.B. 1903, A.B. 2869, A.B. 1897 and A.B. 1862).

A.B. 1836 - Medical Records Confidentiality
This statute, approved by Governor Gray Davis on September 30, for January 1, 2001 effectiveness, amends Section 56.10 of California's Confidentiality of Medical Information Act, which embodies a general rule that a provider of health care, health care service plan or contractor shall not disclose medical information regarding its patients or subscribers without first obtaining their authorization. This general rule is subject to numerous specified exceptions.

A.B. 1836 (Chapter 1068) broadens the express exceptions to the general requirement for authorization. It makes express that a "provider of health service" or a "health care service plan" may disclose "medical information" without authorization to (1) "contractors" for purposes of diagnosis or treatment, (2) contractors responsible for paying for health care services, (3) independent medical review organizations, their reviewers and contractors engaged in reviewing competence or qualifications, or in reviewing health care services necessity or charges or (4) disease management organizations or contractors that are subcontractors to a health care service plan in a disease management program. Prohibitions against further sharing, sale or use by contractors without authorization are expanded expressly to encompass a "corporation and its subsidiaries and affiliates."

The amendments to Section 56.10 also provide (until January 1, 2003) for mandatory disclosure of a decedent's medical information by a provider of health care, health care service plan or contractor to coroners for use in identifying the decedent, locating next of kin, or when investigating the decedent's death.

S.B. 2166 - Credit Reporting for Insurance Purposes
S.B. 2166 (Chapter 1012), approved September 29, for January 1, 2001 effectiveness, amends California's Consumer Credit Reporting Agencies Act. Prior to the amendment, the law provided that consumer credit reporting agencies may not include "medical information" on consumers in their files on consumers without consent of the consumer and may not furnish medical information for employment or credit purposes without consent. The amendment adds a further restriction so that a credit reporting agency may not furnish medical information for "insurance" purposes in a consumer credit report without the consent of the consumer.

S.B. 2166 also makes clarifying amendments to the provisions authorizing consumers to opt-out and have their names excluded from lists of names provided by a consumer credit reporting agency in connection with the potential issuance of a firm offer of credit in a transaction that is not initiated by the consumer.

S.B. 129 - Office of Privacy Protection/Privacy Policies
S.B. 129 (Chapter 984), approved on September 29, for January 1, 2001 effectiveness, adopts "principles" that each California state department or agency must include in its "permanent privacy policy." These principles require that personally identifiable information be "only obtained through lawful means," that the purposes for collection be "specified at or prior to the time of collection" and that "any subsequent use be limited to the fulfillment of purposes not inconsistent with those purposes previously specified." Subject to certain exceptions, personal data "shall not be disclosed, made available or otherwise used" for other purposes. Collected personal data "must be relevant to the purpose for which it is collected." In general, the "means by which personal data is protected against loss, unauthorized access, use modification or disclosure shall be posted," and each agency shall "designate a position" whose occupant shall have "responsibility for the privacy policy." Existing provisions of the California Information Practices Act of 1977 require state agencies to follow many of these principles in recordkeeping but have not required that they be addressed in agency privacy policies.

S.B. 129 also provides for the establishment of an Office of Privacy Protection within the California Department of Consumer Affairs, which Office shall "commence activities" no later than January 1, 2002. The new Office's purpose will "be protecting the privacy of individuals' personal information in a manner consistent with the California Constitution" by "identifying consumer problems in the privacy area" and "facilitating development of fair information practices." Functions assigned by the statute directly to the Office include informing the public on "options for protecting the privacy of personal information," making "recommendations to organizations for privacy policies and practices," and promoting "nonbinding arbitration and mediation of privacy related disputes."

Additional new duties, assigned to the Director of the Department of Consumer Affairs, include to receive and refer complaints of unlawful use of personal information, to develop public information programs, and to "investigate and assist in the prosecution of identity theft and other privacy related crimes."

For additional information, please contact Bruce L. McDonald (202/719-7014).