Many companies are beginning to get into the business of enabling individuals to store and manage their health records on their web sites. Often, these companies are not HIPAA-covered entities. Are there any other privacy laws that they need to consider as they enter this market?
Until recently, there was no privacy law that specifically applied to a personal health record service provider that is not covered by HIPAA. But there is a lot of focus on the part of legislative and regulatory bodies on the lack of a specific law that covers this emerging industry. In fact, California just amended its Confidentiality of Medical Information Act (CMIA) to expand its scope to cover the personal health records industry. (Civil Code 56.05 – 56.37)
California’s CMIA, among other things, requires that companies allow individuals to access their medical information and that they obtain patient consent before disclosing medical information to third parties. CMIA also requires that medical information not be used for purposes beyond health care services without patient consent.
Any company that collects medical information from individuals should check whether CMIA applies to its practices and, if so, ensure that it is complying with CMIA. In particular, it should obtain all the patient approvals necessary for the company to use the medical information it collects as intended. Companies that are not covered by CMIA should nonetheless consult generally applicable state privacy laws, some of which specifically cover medical information and apply to companies that are otherwise unregulated by industry-specific laws (e.g., California’s Civil Code 1798.91, requiring consumer notification when collecting medical information that will be used for direct marketing purposes).