Amended  IN  Senate  July 15, 2021
Amended  IN  Senate  June 29, 2021
Amended  IN  Assembly  March 25, 2021

CALIFORNIA LEGISLATURE— 2021–2022 REGULAR SESSION

Assembly Bill
No. 1184


Introduced by Assembly Member Chiu
(Coauthor: Assembly Member Burke)
(Coauthor: Senator Eggman)

February 18, 2021


An act to amend Sections 56.05, 56.107, and 56.35 of the Civil Code, and to amend Sections 791.02 and 791.29 of amend Sections 56.05 and 56.35 of, and to amend, repeal, and add Section 56.107 of, the Civil Code, and to amend Section 791.02 of, and to amend, repeal, and add Section 791.29 of, the Insurance Code, relating to medical information.


LEGISLATIVE COUNSEL'S DIGEST


AB 1184, as amended, Chiu. Medical information: confidentiality.
Existing law, the Confidentiality of Medical Information Act, prohibits specified entities from intentionally sharing, selling, using for marketing, or otherwise using any medical information, as defined, for any purpose not necessary to provide health care services to a patient, unless a specified exception applies. Existing law, with specified exceptions, prohibits an employer from using, disclosing, or knowingly permitting its employees or agents to use or disclose medical information that the employer possesses pertaining to its employees without the prescribed permission of the patient. Existing law makes a violation of these provisions a crime. Existing law, the Insurance Information and Privacy Protection Act, generally regulates how insurers collect, use, and disclose information gathered in connection with insurance transactions.
Existing law specifies the manner in which a health care service plan or health insurer is required to maintain confidentiality of medical information regarding the treatment of an insured, subscriber, or enrollee, including requiring a health care service plan or health insurer to accommodate requests by insureds, subscribers, and enrollees relating to the form and format of communication of confidential medical information in situations involving sensitive services or situations in which disclosure would endanger the individual.
This bill, on and after July 1, 2022, would revise and recast these provisions to require the health care service plan or health insurer to accommodate requests for confidential communication of medical information regardless of whether there is a situation involving sensitive services or a situation in which disclosure would endanger the individual.
This bill, on and after July 1, 2022, would prohibit a health care service plan or health insurer from requiring a protected individual, as defined, to obtain the policyholder, primary subscriber, or other enrollee’s authorization to receive sensitive services or to submit a claim for sensitive services if the protected individual has the right to consent to care. The bill would require the health care service plan or health insurer to direct all communications regarding a protected individual’s receipt of sensitive services directly to the protected individual, and would prohibit the disclosure of that information to the policyholder, primary subscriber, or any plan enrollees without the authorization of the protected individual, as provided. This bill would require a health care service plan to notify subscribers and enrollees and a health insurer to notify insureds that they may request a confidential communication in a specified manner and how to make the request, and would require a health care service plan and health insurer to post the information in specified areas, including the internet website of the health care service plan or health insurer.
Because a violation of these provisions by a health care service plan would be a crime, and because this bill would expand the scope of a crime, the bill would create a state-mandated local program.
The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.
This bill would provide that no reimbursement is required by this act for a specified reason.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: YES  

The people of the State of California do enact as follows:


SECTION 1.

 Section 56.05 of the Civil Code is amended to read:

56.05.
 For purposes of this part:
(a) “Authorization” means permission granted in accordance with Section 56.11 or 56.21 for the disclosure of medical information.
(b) “Authorized recipient” means a person who is authorized to receive medical information pursuant to Section 56.10 or 56.20.
(c) “Confidential communications request” means a request by a subscriber or enrollee that health care service plan communications containing medical information be communicated to them at a specific mail or email address or specific telephone number, as designated by the subscriber or enrollee.
(d) “Contractor” means a person or entity that is a medical group, independent practice association, pharmaceutical benefits manager, or a medical service organization and is not a health care service plan or provider of health care. “Contractor” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code or pharmaceutical benefits managers licensed pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).
(e) “Enrollee” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.
(f) “Health care service plan” means an entity regulated pursuant to the Knox-Keene Health Care Service Plan Act of 1975 (Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code).
(g) “Licensed health care professional” means a person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code, the Osteopathic Initiative Act or the Chiropractic Initiative Act, or Division 2.5 (commencing with Section 1797) of the Health and Safety Code.
(h) “Marketing” means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.
“Marketing” does not include any of the following:
(1) Communications made orally or in writing for which the communicator does not receive direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication.
(2) Communications made to current enrollees solely for the purpose of describing a provider’s participation in an existing health care provider network or health plan network of a Knox-Keene licensed health plan to which the enrollees already subscribe; communications made to current enrollees solely for the purpose of describing if, and the extent to which, a product or service, or payment for a product or service, is provided by a provider, contractor, or plan or included in a plan of benefits of a Knox-Keene licensed health plan to which the enrollees already subscribe; or communications made to plan enrollees describing the availability of more cost-effective pharmaceuticals.
(3) Communications that are tailored to the circumstances of a particular individual to educate or advise the individual about treatment options, and otherwise maintain the individual’s adherence to a prescribed course of medical treatment, as provided in Section 1399.901 of the Health and Safety Code, for a chronic and seriously debilitating or life-threatening condition as defined in subdivisions (d) and (e) of Section 1367.21 of the Health and Safety Code, if the health care provider, contractor, or health plan receives direct or indirect remuneration, including, but not limited to, gifts, fees, payments, subsidies, or other economic benefits, from a third party for making the communication, if all of the following apply:
(A) The individual receiving the communication is notified in the communication in typeface no smaller than 14-point type of the fact that the provider, contractor, or health plan has been remunerated and the source of the remuneration.
(B) The individual is provided the opportunity to opt out of receiving future remunerated communications.
(C) The communication contains instructions in typeface no smaller than 14-point type describing how the individual can opt out of receiving further communications by calling a toll-free number of the health care provider, contractor, or health plan making the remunerated communications. Further communication shall not be made to an individual who has opted out after 30 calendar days from the date the individual makes the opt-out request.
(i) “Medical information” means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the identity of the individual.
(j) “Patient” means a natural person, whether or not still living, who received health care services from a provider of health care and to whom medical information pertains.
(k) “Pharmaceutical company” means a company or business, or an agent or representative thereof, that manufactures, sells, or distributes pharmaceuticals, medications, or prescription drugs. “Pharmaceutical company” does not include a pharmaceutical benefits manager, as included in subdivision (c), or a provider of health care.
(l) “Protected individual” means any adult covered by the subscriber’s health care service plan or a minor who can consent to a health care service without the consent of a parent or legal guardian, pursuant to state or federal law. “Protected individual” does not include an individual that lacks the capacity to give informed consent for health care pursuant to Section 813 of the Probate Code.
(m) “Provider of health care” means a person licensed or certified pursuant to Division 2 (commencing with Section 500) of the Business and Professions Code; a person licensed pursuant to the Osteopathic Initiative Act or the Chiropractic Initiative Act; a person certified pursuant to Division 2.5 (commencing with Section 1797) of the Health and Safety Code; or a clinic, health dispensary, or health facility licensed pursuant to Division 2 (commencing with Section 1200) of the Health and Safety Code. “Provider of health care” does not include insurance institutions as defined in subdivision (k) of Section 791.02 of the Insurance Code.
(n) “Sensitive services” means all health care services related to mental or behavioral health, sexual and reproductive health, sexually transmitted infections, substance use disorder, gender affirming care, and intimate partner violence, and includes services described in Sections 6924, 6925, 6926, 6927, 6928, 6929, and 6930 of the Family Code, and Sections 121020 and 124260 of the Health and Safety Code, obtained by a patient at or above the minimum age specified for consenting to the service specified in the section.
(o) “Subscriber” has the same meaning as that term is defined in Section 1345 of the Health and Safety Code.

SEC. 2.Section 56.107 of the Civil Code is amended to read:
56.107.

Notwithstanding any other law, and to the extent permitted by federal law, a health care service plan shall take the following steps to protect the confidentiality of a subscriber’s or enrollee’s medical information on and after July 1, 2022:

(a)(1)A health care service plan shall not require a protected individual to obtain the policyholder, primary subscriber, or other enrollee’s authorization to receive sensitive services or to submit a claim for sensitive services if the protected individual has the right to consent to care.

(2)A health care service plan shall recognize the right of a protected individual to exclusively exercise rights granted under this section regarding medical information related to sensitive services that the protected individual has received.

(3)A health care service plan shall direct all communications regarding a protected individual’s receipt of sensitive services directly to the protected individual receiving care as follows:

(A)If the protected individual has designated an alternative mailing address, email address, or telephone number pursuant to subdivision (b), the health care service plan shall send or make all communications related to the protected individual’s receipt of sensitive services to the alternative mailing address, email address, or telephone number designated.

(B)If the protected individual has not designated an alternative mailing address, email address, or telephone number pursuant to subdivision (b), the health care service plan shall send or make all communications related to the protected individual’s receipt of sensitive services in the name of the protected individual at the address or telephone number on file.

(C)Communications subject to this paragraph shall include the following written, verbal, or electronic communications related to the receipt of sensitive services:

(i)Bills and attempts to collect payment.

(ii)A notice of adverse benefits determinations.

(iii)An explanation of benefits notice.

(iv)A health care service plan’s request for additional information regarding a claim.

(v)A notice of a contested claim.

(vi)The name and address of a provider, description of services provided, and other information related to a visit.

(vii)Any written, oral, or electronic communication from a health care service plan that contains protected health information.

(4)A health care service plan shall not disclose medical information related to sensitive health care services provided to a protected individual to the policyholder, primary subscriber, or any plan enrollees other than the protected individual receiving care, absent an express written authorization of the protected individual receiving care.

(b)(1)A health care service plan shall permit subscribers and enrollees to request, and shall accommodate requests for, confidential communication in the form and format requested by the individual, if it is readily producible in the requested form and format, or at alternative locations.

(2)A health care service plan may require the subscriber or enrollee to make a request for a confidential communication described in paragraph (1), in writing or by electronic transmission.

(3)The confidential communication request shall be valid until the subscriber or enrollee submits a revocation of the request or a new confidential communication request is submitted.

(4)

For the purposes of this section, a confidential communications request shall be implemented by the health care service plan within 7 calendar days of receipt of an electronic transmission or telephonic request or within 14 calendar days of receipt by first-class mail. The health care service plan shall acknowledge receipt of the confidential communications request and advise the subscriber or enrollee of the status of implementation of the request if a subscriber or enrollee contacts the health care service plan.

(c)(1)A health care service plan shall notify subscribers and enrollees that they may request a confidential communication pursuant to subdivision (b) and how to make the request.

(2)The information required to be provided pursuant to this subdivision shall be provided to subscribers and enrollees with individual coverage upon initial enrollment and annually thereafter upon renewal, and to subscribers and enrollees with group coverage upon initial enrollment and annually thereafter upon renewal. The information shall also be provided in the following manner:

(A)In a conspicuously visible location in the evidence of coverage.

(B)In a conspicuously visible location in an adverse benefits determination, an explanation of benefits notice, a health care service plan’s request for additional information regarding a claim, a notice of a contested claim, and in any written or electronic communication from a health care service plan that contains the name and address of a provider, description of services provided, and other information related to a visit.

(C)On the health care service plan’s internet website, accessible through a hyperlink on the internet website’s home page and in a manner that allows subscribers, enrollees, prospective subscribers, prospective enrollees, and members of the public to easily locate the information.

(d)Notwithstanding subdivision (b), the provider of health care may make arrangements with the subscriber or enrollee for the payment of benefit cost sharing and communicate that arrangement with the health care service plan.

(e)A health care service plan shall not condition enrollment or coverage on the waiver of rights provided in this section.

SEC. 2.

 Section 56.107 of the Civil Code is amended to read:

56.107.
 (a) Notwithstanding any other law, and to the extent permitted by federal law, a health care service plan shall take the following steps to protect the confidentiality of a subscriber’s or enrollee’s medical information on and after January 1, 2015:
(1) A health care service plan shall permit subscribers and enrollees to request, and shall accommodate requests for, communication in the form and format requested by the individual, if it is readily producible in the requested form and format, or at alternative locations, if the subscriber or enrollee clearly states either that the communication discloses medical information or provider name and address relating to receipt of sensitive services or that disclosure of all or part of the medical information or provider name and address could endanger the subscriber or enrollee.
(2) A health care service plan may require the subscriber or enrollee to make a request for a confidential communication described in paragraph (1), in writing or by electronic transmission.
(3) A health care service plan may require that a confidential communications request contain a statement that the request pertains to either medical information related to the receipt of sensitive services or that disclosure of all or part of the medical information could endanger the subscriber or enrollee. The health care service plan shall not require an explanation as to the basis for a subscriber’s or enrollee’s statement that disclosure could endanger the subscriber or enrollee.
(4) The confidential communication request shall be valid until the subscriber or enrollee submits a revocation of the request or a new confidential communication request is submitted.
(5) For the purposes of this section, a confidential communications request shall be implemented by the health care service plan within seven calendar days of receipt of an electronic transmission or telephonic request or within 14 calendar days of receipt by first-class mail. The health care service plan shall acknowledge receipt of the confidential communications request and advise the subscriber or enrollee of the status of implementation of the request if a subscriber or enrollee contacts the health care service plan.
(b) Notwithstanding subdivision (a), the provider of health care may make arrangements with the subscriber or enrollee for the payment of benefit cost sharing and communicate that arrangement with the health care service plan.
(c) A health care service plan shall not condition enrollment or coverage on the waiver of rights provided in this section.
(d) This section shall remain in effect only until July 1, 2022, and as of that date is repealed.

SEC. 3.

 Section 56.107 is added to the Civil Code, to read:

56.107.
 Notwithstanding any other law, and to the extent permitted by federal law, a health care service plan shall take the following steps to protect the confidentiality of a subscriber’s or enrollee’s medical information:
(a) (1) A health care service plan shall not require a protected individual to obtain the policyholder, primary subscriber, or other enrollee’s authorization to receive sensitive services or to submit a claim for sensitive services if the protected individual has the right to consent to care.
(2) A health care service plan shall recognize the right of a protected individual to exclusively exercise rights granted under this section regarding medical information related to sensitive services that the protected individual has received.
(3) A health care service plan shall direct all communications regarding a protected individual’s receipt of sensitive services directly to the protected individual receiving care as follows:
(A) If the protected individual has designated an alternative mailing address, email address, or telephone number pursuant to subdivision (b), the health care service plan shall send or make all communications related to the protected individual’s receipt of sensitive services to the alternative mailing address, email address, or telephone number designated.
(B) If the protected individual has not designated an alternative mailing address, email address, or telephone number pursuant to subdivision (b), the health care service plan shall send or make all communications related to the protected individual’s receipt of sensitive services in the name of the protected individual at the address or telephone number on file.
(C) Communications subject to this paragraph shall include the following written, verbal, or electronic communications related to the receipt of sensitive services:
(i) Bills and attempts to collect payment.
(ii) A notice of adverse benefits determinations.
(iii) An explanation of benefits notice.
(iv) A health care service plan’s request for additional information regarding a claim.
(v) A notice of a contested claim.
(vi) The name and address of a provider, description of services provided, and other information related to a visit.
(vii) Any written, oral, or electronic communication from a health care service plan that contains protected health information.
(4) A health care service plan shall not disclose medical information related to sensitive health care services provided to a protected individual to the policyholder, primary subscriber, or any plan enrollees other than the protected individual receiving care, absent an express written authorization of the protected individual receiving care.
(b) (1) A health care service plan shall permit subscribers and enrollees to request, and shall accommodate requests for, confidential communication in the form and format requested by the individual, if it is readily producible in the requested form and format, or at alternative locations.
(2) A health care service plan may require the subscriber or enrollee to make a request for a confidential communication described in paragraph (1), in writing or by electronic transmission.
(3) The confidential communication request shall be valid until the subscriber or enrollee submits a revocation of the request or a new confidential communication request is submitted.
(4) The confidential communication request shall apply to all communications that disclose medical information or provider name and address related to receipt of medical services by the individual requesting the confidential communication.
(5) For the purposes of this section, a confidential communications request shall be implemented by the health care service plan within 7 calendar days of receipt of an electronic transmission or telephonic request or within 14 calendar days of receipt by first-class mail. The health care service plan shall acknowledge receipt of the confidential communications request and advise the subscriber or enrollee of the status of implementation of the request if a subscriber or enrollee contacts the health care service plan.
(c) (1) A health care service plan shall notify subscribers and enrollees that they may request a confidential communication pursuant to subdivision (b) and how to make the request.
(2) The information required to be provided pursuant to this subdivision shall be provided to subscribers and enrollees with individual coverage upon initial enrollment and annually thereafter upon renewal, and to subscribers and enrollees with group coverage upon initial enrollment and annually thereafter upon renewal. The information shall also be provided in the following manner:
(A) In a conspicuously visible location in the evidence of coverage.
(B) In a conspicuously visible location in an adverse benefits determination, a health care service plan’s request for additional information regarding a claim, a notice of a contested claim, and in any written or electronic communication from a health care service plan that contains the name and address of a provider, description of services provided, and other information related to a visit, except for an explanation of benefits notice.
(C) On the health care service plan’s internet website, accessible through a hyperlink on the internet website’s home page and in a manner that allows subscribers, enrollees, prospective subscribers, prospective enrollees, and members of the public to easily locate the information.
(d) Notwithstanding subdivision (b), the provider of health care may make arrangements with the subscriber or enrollee for the payment of benefit cost sharing and communicate that arrangement with the health care service plan.
(e) A health care service plan shall not condition enrollment or coverage on the waiver of rights provided in this section.
(f) This section shall become operative on July 1, 2022.

SEC. 3.SEC. 4.

 Section 56.35 of the Civil Code is amended to read:

56.35.
 In addition to any other remedies available at law, a patient whose medical information has been used or disclosed in violation of Section 56.10, 56.104, 56.107, or 56.20 or subdivision (a) of Section 56.26 and who has sustained economic loss or personal injury therefrom may recover compensatory damages, punitive damages not to exceed three thousand dollars ($3,000), attorney’s fees not to exceed one thousand dollars ($1,000), and the costs of litigation.

SEC. 4.SEC. 5.

 Section 791.02 of the Insurance Code is amended to read:

791.02.
 As used in this act:
(a) (1) “Adverse underwriting decision” means any of the following actions with respect to insurance transactions involving insurance coverage that is individually underwritten:
(A) A declination of insurance coverage.
(B) A termination of insurance coverage.
(C) Failure of an agent to apply for insurance coverage with a specific insurance institution that the agent represents and that is requested by an applicant.
(D) In the case of a property or casualty insurance coverage:
(i) Placement by an insurance institution or agent of a risk with a residual market mechanism, with an unauthorized insurer, or with an insurance institution that provides insurance to other than preferred or standard risks, if in fact the placement is at other than a preferred or standard rate. An adverse underwriting decision, in case of placement with an insurance institution that provides insurance to other than preferred or standard risks, shall not include placement if the applicant or insured did not specify or apply for placement as a preferred or standard risk or placement with a particular company insuring preferred or standard risks, or
(ii) The charging of a higher rate on the basis of information which differs from that which the applicant or policyholder furnished.
(E) In the case of a life, health, or disability insurance coverage, an offer to insure at higher than standard rates.
(2) Notwithstanding paragraph (1), any of the following actions shall not be considered adverse underwriting decisions but the insurance institution or agent responsible for their occurrence shall nevertheless provide the applicant or policyholder with the specific reason or reasons for their occurrence:
(A) The termination of an individual policy form on a class or statewide basis.
(B) A declination of insurance coverage solely because coverage is not available on a class or statewide basis.
(C) The rescission of a policy.
(b) “Affiliate” or “affiliated” means a person that directly, or indirectly through one or more intermediaries, controls, is controlled by or is under common control with another person.
(c) “Agent” means any person licensed pursuant to Chapter 5 (commencing with Section 1621), Chapter 5A (commencing with Section 1759), Chapter 6 (commencing with Section 1760), Chapter 7 (commencing with Section 1800), or Chapter 8 (commencing with Section 1831).
(d) “Applicant” means any person who seeks to contract for insurance coverage other than a person seeking group insurance that is not individually underwritten.
(e) “Consumer report” means any written, oral, or other communication of information bearing on a natural person’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is used or expected to be used in connection with an insurance transaction.
(f) “Consumer reporting agency” means any person who:
(1) Regularly engages, in whole or in part, in the practice of assembling or preparing consumer reports for a monetary fee.
(2) Obtains information primarily from sources other than insurance institutions.
(3) Furnishes consumer reports to other persons.
(g) “Control,” including the terms “controlled by” or “under common control with,” means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of voting securities, by contract other than a commercial contract for goods or nonmanagement services, or otherwise, unless the power is the result of an official position with or corporate office held by the person.
(h) “Declination of insurance coverage” means a denial, in whole or in part, by an insurance institution or agent of requested insurance coverage.
(i) “Individual” means any natural person who is any of the following:
(1) In the case of property or casualty insurance, is a past, present, or proposed named insured or certificate holder.
(2) In the case of life or disability insurance, is a past, present, or proposed principal insured or certificate holder.
(3) Is a past, present, or proposed policyowner.
(4) Is a past or present applicant.
(5) Is a past or present claimant.
(6) Derived, derives, or is proposed to derive insurance coverage under an insurance policy or certificate subject to this act.
(j) “Institutional source” means any person or governmental entity that provides information about an individual to an agent, insurance institution, or insurance-support organization, other than any of the following:
(1) An agent.
(2) The individual who is the subject of the information.
(3) A natural person acting in a personal capacity rather than in a business or professional capacity.
(k) “Insurance institution” means any corporation, association, partnership, reciprocal exchange, interinsurer, Lloyd’s insurer, fraternal benefit society, or other person engaged in the business of insurance. “Insurance institution” shall not include agents, insurance-support organizations, or health care service plans regulated pursuant to the Knox-Keene Health Care Service Plan Act, Chapter 2.2 (commencing with Section 1340) of Division 2 of the Health and Safety Code.
(l) “Insurance-support organization” means:
(1) Any person who regularly engages, in whole or in part, in the business of assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions, including either of the following:
(A) The furnishing of consumer reports or investigative consumer reports to an insurance institution or agent for use in connection with an insurance transaction.
(B) The collection of personal information from insurance institutions, agents, or other insurance-support organizations for the purpose of detecting or preventing fraud, material misrepresentation, or material nondisclosure in connection with insurance underwriting or insurance claim activity.
(2) Notwithstanding paragraph (1), the following persons shall not be considered “insurance-support organizations”: agents, governmental institutions, insurance institutions, medical care institutions, medical professionals, and peer review committees.
(m) “Insurance transaction” means any transaction involving insurance primarily for personal, family, or household needs rather than business or professional needs that entails either of the following:
(1) The determination of an individual’s eligibility for an insurance coverage, benefit, or payment.
(2) The servicing of an insurance application, policy, contract, or certificate.
(n) “Investigative consumer report” means a consumer report or portion thereof in which information about a natural person’s character, general reputation, personal characteristics, or mode of living is obtained through personal interviews with the person’s neighbors, friends, associates, acquaintances, or others who may have knowledge concerning those items of information.
(o) “Medical care institution” means any facility or institution that is licensed to provide health care services to natural persons, including, but not limited to, hospitals, skilled nursing facilities, home health agencies, medical clinics, rehabilitation agencies, and public health agencies.
(p) “Medical professional” means any person licensed or certified to provide health care services to natural persons, including, but not limited to, a physician, dentist, nurse, optometrist, physical or occupational therapist, psychiatric social worker, clinical dietitian, clinical psychologist, chiropractor, pharmacist, or speech therapist.
(q) “Medical record information” means personal information that is both of the following:
(1) Relates to an individual’s physical or mental condition, medical history, or medical treatment.
(2) Is obtained from a medical professional or medical care institution, from the individual, or from the individual’s spouse, parent, or legal guardian.
(r) “Person” means any natural person, corporation, association, partnership, limited liability company, or other legal entity.
(s) “Personal information” means any individually identifiable information gathered in connection with an insurance transaction from which judgments can be made about an individual’s character, habits, avocations, finances, occupation, general reputation, credit, health, or any other personal characteristics. “Personal information” includes an individual’s name and address and “medical record information” but does not include “privileged information.”
(t) “Policyholder” means any person who is any of the following:
(1) In the case of individual property or casualty insurance, is a present named insured.
(2) In the case of individual life or disability insurance, is a present policyowner.
(3) In the case of group insurance, which is individually underwritten, is a present group certificate holder.
(u) “Pretext interview” means an interview whereby a person, in an attempt to obtain information about a natural person, performs one or more of the following acts:
(1) Pretends to be someone they are not.
(2) Pretends to represent a person they are not in fact representing.
(3) Misrepresents the true purpose of the interview.
(4) Refuses to identify who they are upon request.
(v) “Privileged information” means any individually identifiable information that both:
(1) Relates to a claim for insurance benefits or a civil or criminal proceeding involving an individual.
(2) Is collected in connection with or in reasonable anticipation of a claim for insurance benefits or civil or criminal proceeding involving an individual. However, information otherwise meeting the requirements of this division shall nevertheless be considered “personal information” under this act if it is disclosed in violation of Section 791.13.
(w) “Residual market mechanism” means the California FAIR Plan Association, Chapter 10 (commencing with Section 10101) of Part 1 of Division 2, and the assigned risk plan, Chapter 1 (commencing with Section 11550) of Part 3 of Division 2.
(x) “Termination of insurance coverage” or “termination of an insurance policy” means either a cancellation or nonrenewal of an insurance policy, in whole or in part, for any reason other than the failure to pay a premium as required by the policy.
(y) “Unauthorized insurer” means an insurance institution that has not been granted a certificate of authority by the director to transact the business of insurance in this state.
(z) “Commissioner” means the Insurance Commissioner.
(aa) “Confidential communications request” means a request by an insured covered under a health insurance policy that insurance communications containing medical information be communicated to the insured at a specific mail or email address or specific telephone number, as designated by the insured.
(ab) “Protected individual” means any adult insured covered under a health insurance policy or a minor who can consent to a health care service without the consent of a parent or legal guardian, pursuant to state or federal law. “Protected individual” does not include an individual that lacks the capacity to give informed consent for health care pursuant to Section 813 of the Probate Code.
(ac) “Sensitive services” means all health care services related to mental or behavioral health, sexual and reproductive health, sexually transmitted infections, substance use disorder, gender affirming care, and intimate partner violence, and includes services described in Sections 6924, 6925, 6926, 6927, 6928, 6929, and 6930 of the Family Code, and Sections 121020 and 124260 of the Health and Safety Code, obtained by a patient of any age at or above the minimum age specified for consenting to the service specified in the section.
(ad) “Medical information” means any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health insurer, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment. “Individually identifiable” means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.

SEC. 5.Section 791.29 of the Insurance Code is amended to read:
791.29.

Notwithstanding any other law, and to the extent permitted by federal law, a health insurer shall take the following steps to protect the confidentiality of an insured’s medical information on and after July 1, 2022:

(a)(1)A health insurer shall not require a protected individual to obtain the policyholder’s authorization to receive sensitive services or to submit a claim for sensitive services if the protected individual has the right to consent to care.

(2)A health insurer shall recognize the right of a protected individual to exclusively exercise rights granted under this section regarding medical information related to sensitive services that the protected individual has received.

(3)A health insurer shall direct all communications regarding a protected individual’s receipt of sensitive services directly to the protected individual receiving care as follows:

(A)If the protected individual has designated an alternative mailing address, email address, or telephone number pursuant to subdivision (b), the health insurer shall send or make all communications related to the protected individual’s receipt of sensitive services to the alternative mailing address, email address, or telephone number designated.

(B)If the protected individual has not designated an alternative mailing address, email address, or telephone number pursuant to subdivision (b), the health insurer shall send or make all communications related to the protected individual’s receipt of sensitive services in the name of the protected individual at the address or telephone number on file.

(C)Communications subject to this paragraph shall include the following written, verbal, or electronic communications:

(i)Bills and attempts to collect payment.

(ii)A notice of adverse benefits determinations.

(iii)An explanation of benefits notice.

(iv)A health insurer’s request for additional information regarding a claim.

(v)A notice of a contested claim.

(vi)The name and address of a provider, description of services provided, and other information related to a visit.

(vii)Any written, oral, or electronic communication from a health insurer that contains protected health information.

(4)A health insurer shall not disclose medical information related to sensitive health care services provided to a protected individual to the policyholder or any insureds other than the protected individual receiving care, absent an express written authorization of the protected individual receiving care.

(b)(1)A health insurer shall permit an insured to request, and shall accommodate requests for, confidential communication in the form and format requested by the insured, if it is readily producible in the requested form and format, or at alternative locations.

(2)A health insurer may require the insured to make a request for a confidential communication described in paragraph (1) in writing or by electronic transmission.

(3)

The confidential communication request shall be valid until the insured submits a revocation of the request, or a new confidential communication request is submitted.

(4)

For the purposes of this section, a confidential communications request shall be implemented by the health insurer within 7 calendar days of the receipt of an electronic transmission, telephonic request, or request submitted through the health insurer’s internet website, or within 14 calendar days of receipt by first-class mail. The health insurer shall acknowledge receipt of the confidential communications request and advise the insured of the status of implementation of the request if an insured contacts the insurer.

(c)(1)A health insurer shall notify insureds that they may request a confidential communication pursuant to subdivision (b) and how to make the request.

(2)The information required to be provided pursuant to this subdivision shall be provided to insureds with individual coverage upon initial enrollment and annually thereafter upon renewal, and to insureds with group coverage upon initial enrollment and annually thereafter upon renewal. The information shall also be provided in the following manner:

(A)In a conspicuously visible location in the evidence of coverage.

(B)In a conspicuously visible location in an adverse benefits determination, an explanation of benefits notice, a health insurer’s request for additional information regarding a claim, a notice of a contested claim, and in any written or electronic communication from a health insurer that contains the name and address of a provider, description of services provided, and other information related to a visit.

(C)On the health insurer’s internet website, accessible through a hyperlink on the internet website’s home page and in a manner that allows insureds, prospective insureds, and members of the public to easily locate the information.

(d)Notwithstanding subdivision (b), a provider of health care may make arrangements with the insured for the payment of benefit cost sharing and communicate that arrangement with the insurer.

(e)A health insurer shall not condition coverage on the waiver of rights provided in this section.

SEC. 6.

 Section 791.29 of the Insurance Code is amended to read:

791.29.
 (a) Notwithstanding any other law, and to the extent permitted by federal law, a health insurer shall take the following steps to protect the confidentiality of an insured’s medical information on and after January 1, 2015:
(1) A health insurer shall permit an insured to request, and shall accommodate requests for, communication in the form and format requested by the individual, if it is readily producible in the requested form and format, or at alternative locations, if the insured clearly states either that the communication discloses medical information or provider name and address relating to receipt of sensitive services or that disclosure of all or part of the medical information or provider name and address could endanger him or her. the individual.
(2) A health insurer may require the insured to make a request for a confidential communication described in paragraph (1) in writing or by electronic transmission.
(3) A health insurer may require that a confidential communications request contain a statement that the request pertains to either medical information related to the receipt of sensitive services or that disclosure of all or part of the medical information could endanger the insured. The health insurer shall not require an explanation as to the basis for a insured’s statement that disclosure could endanger the insured.
(4) The confidential communication request shall be valid until the insured submits a revocation of the request, or a new confidential communication request is submitted.
(5) For the purposes of this section, a confidential communications request shall be implemented by the health insurer within seven calendar days of the receipt of an electronic transmission or telephonic request or within 14 calendar days of receipt by first-class mail. The health insurer shall acknowledge receipt of the confidential communications request and advise the insured of the status of implementation of the request if an insured contacts the insurer.
(b) Notwithstanding subdivision (a), a provider of health care may make arrangements with the insured for the payment of benefit cost sharing and communicate that arrangement with the insurer.
(c) A health insurer shall not condition coverage on the waiver of rights provided in this section.
(d) This section shall remain in effect only until July 1, 2022, and as of that date is repealed.

SEC. 7.

 Section 791.29 is added to the Insurance Code, to read:

791.29.
 Notwithstanding any other law, and to the extent permitted by federal law, a health insurer shall take the following steps to protect the confidentiality of an insured’s medical information:
(a) (1) A health insurer shall not require a protected individual to obtain the policyholder’s authorization to receive sensitive services or to submit a claim for sensitive services if the protected individual has the right to consent to care.
(2) A health insurer shall recognize the right of a protected individual to exclusively exercise rights granted under this section regarding medical information related to sensitive services that the protected individual has received.
(3) A health insurer shall direct all communications regarding a protected individual’s receipt of sensitive health care services directly to the protected individual receiving care as follows:
(A) If the protected individual has designated an alternative mailing address, email address, or telephone number pursuant to subdivision (b), the health insurer shall send or make all communications related to the protected individual’s receipt of sensitive services to the alternative mailing address, email address, or telephone number designated.
(B) If the protected individual has not designated an alternative mailing address, email address, or telephone number pursuant to subdivision (b), the health insurer shall send or make all communications related to the protected individual’s receipt of sensitive services in the name of the protected individual at the address or telephone number on file.
(C) Communications subject to this paragraph shall include the following written, verbal, or electronic communications:
(i) Bills and attempts to collect payment.
(ii) A notice of adverse benefits determinations.
(iii) An explanation of benefits notice.
(iv) A health insurer’s request for additional information regarding a claim.
(v) A notice of a contested claim.
(vi) The name and address of a provider, description of services provided, and other information related to a visit.
(vii) Any written, oral, or electronic communication from a health insurer that contains protected health information.
(4) A health insurer shall not disclose medical information related to sensitive health care services provided to a protected individual to the policyholder or any insureds other than the protected individual receiving care, absent an express written authorization of the protected individual receiving care.
(b) (1) A health insurer shall permit an insured to request, and shall accommodate requests for, confidential communication in the form and format requested by the insured, if it is readily producible in the requested form and format, or at alternative locations.
(2) A health insurer may require the insured to make a request for a confidential communication described in paragraph (1) in writing or by electronic transmission.
(3) The confidential communication request shall apply to all communications that disclose medical information or provider name and address related to receipt of medical services by the individual requesting the confidential communication.
(4) The confidential communication request shall be valid until the insured submits a revocation of the request, or a new confidential communication request is submitted.
(5) For the purposes of this section, a confidential communications request shall be implemented by the health insurer within 7 calendar days of the receipt of an electronic transmission, telephonic request, or request submitted through the health insurer’s internet website, or within 14 calendar days of receipt by first-class mail. The health insurer shall acknowledge receipt of the confidential communications request and advise the insured of the status of implementation of the request if an insured contacts the insurer.
(c) (1) A health insurer shall notify insureds that they may request a confidential communication pursuant to subdivision (b) and how to make the request.
(2) The information required to be provided pursuant to this subdivision shall be provided to insureds with individual coverage upon initial enrollment and annually thereafter upon renewal, and to insureds with group coverage upon initial enrollment and annually thereafter upon renewal. The information shall also be provided in the following manner:
(A) In a conspicuously visible location in the evidence of coverage.
(B) In a conspicuously visible location in an adverse benefits determination, a health insurer’s request for additional information regarding a claim, a notice of a contested claim, and in any written or electronic communication from a health insurer that contains the name and address of a provider, description of services provided, and other information related to a visit, except an explanation of benefits notice.
(C) On the health insurer’s internet website, accessible through a hyperlink on the internet website’s home page and in a manner that allows insureds, prospective insureds, and members of the public to easily locate the information.
(d) Notwithstanding subdivision (b), a provider of health care may make arrangements with the insured for the payment of benefit cost sharing and communicate that arrangement with the insurer.
(e) A health insurer shall not condition coverage on the waiver of rights provided in this section.
(f) This section shall become operative on July 1, 2022.

SEC. 6.SEC. 8.

 No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.