If your company manufactures or otherwise distributes an app, software, hardware or other medical device that stores the user’s medical or health data, a recent change in California law is important to you. The California Confidentiality of Medical Information Act (CMIA), California Civil Code sections 56 et seq., provides in general that a provider of health care, a health plan, and other similar entities are prohibited from using anyone’s medical information for any purpose other than as expressly authorized by the individual or as otherwise required or authorized by law.
The California legislature passed Assembly Bill No. 658, which took effect as of January 2014. The new law amends the CMIA to extend the definition of a “provider of health care” who is subject to the CMIA. Particularly, the legislature intended to extend the prohibitions of the CMIA to certain software or hardware providers, including mobile application providers. As amended, the CMIA defines a “provider of health care” as any business that enables a consumer to manage his or her medical information or that otherwise facilitates the diagnosis or treatment of such consumer. This extension of the definition of “provider of health care” is limited to the CMIA and does not make any business a health care provider for other purposes.
The CMIA now specifically provides that a business that offers software, hardware, or a mobile app, among other similar devices or services, is a “provider of health care” so long as the devices or software are intended to maintain the individual user’s medical information for the individual’s own use or for the purpose of diagnosing, treating or managing the individual’s medical condition. As can be seen, this amendment can potentially reach many companies whose products gather medical information (e.g. heart rate) generated by the user. But under the CMIA “medical information” is defined generally as information that is “in possession of or derived from” a health care provider. It would appear that the focus of the amendment is not to cover companies whose devices merely record and store a user’s medical information, but rather companies whose devices or services store and manage such information when that information comes from the user’s health care provider (i.e. physician) and is not just user generated. Under this amendment it does not matter whether the business of the device maker or software provider is mainly to manage and store medical information, or whether such management and storage is merely incidental to another service. It now only matters that the software or device manages or stores “medical information” as defined by the CMIA.
This discussion is not legal advice, a solicitation of you as a client, nor the engaging in the practice of law in any jurisdiction. This discussion is merely for information/education and should not be relied upon for legal advice by anyone because the facts discussed may be different from your own situation. If you need legal advice, consult a qualified attorney. For more information please visit my website at http://www.palacioslawoffice.com.