Current through the 2024 Legislative Session.
Section 1798.91 - Business requesting medical information from individual(a) For purposes of this title, the following definitions shall apply:(1) "Direct marketing purposes" means the use of personal information for marketing or advertising products, goods, or services directly to individuals. "Direct marketing purposes" does not include the use of personal information (A) by bona fide tax exempt charitable or religious organizations to solicit charitable contributions or (B) to raise funds from and communicate with individuals regarding politics and government.(2) "Medical information" means any individually identifiable information, in electronic or physical form, regarding the individual's medical history, or medical treatment or diagnosis by a health care professional. "Individually identifiable" means that the medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the individual's name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual's identity. For purposes of this section, "medical information" does not mean a subscription to, purchase of, or request for a periodical, book, pamphlet, video, audio, or other multimedia product or nonprofit association information.(3) "Clear and conspicuous" means in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language.(4) For purposes of this section, the collection of medical information online constitutes "in writing." For purposes of this section, "written consent" includes consent obtained online.(b) A business may not orally request medical information directly from an individual regardless of whether the information pertains to the individual or not, and use, share, or otherwise disclose that information for direct marketing purposes, without doing both of the following prior to obtaining that information:(1) Orally disclosing to the individual in the same conversation during which the business seeks to obtain the information, that it is obtaining the information to market or advertise products, goods, or services to the individual.(2) Obtaining the consent of either the individual to whom the information pertains or a person legally authorized to consent for the individual, to permit his or her medical information to be used or shared to market or advertise products, goods, or services to the individual, and making and maintaining for two years after the date of the conversation, an audio recording of the entire conversation.(c) A business may not request in writing medical information directly from an individual regardless of whether the information pertains to the individual or not, and use, share, or otherwise disclose that information for direct marketing purposes, without doing both of the following prior to obtaining that information: (1) Disclosing in a clear and conspicuous manner that it is obtaining the information to market or advertise products, goods, or services to the individual.(2) Obtaining the written consent of either the individual to whom the information pertains or a person legally authorized to consent for the individual, to permit his or her medical information to be used or shared to market or advertise products, goods, or services to the individual.(d) This section does not apply to a provider of health care, health care service plan, or contractor, as defined in Section 56.05.(e) This section shall not apply to an insurance institution, agent, or support organization, as defined in Section 791.02 of the Insurance Code, when engaged in an insurance transaction, as defined in Section 791.02 of the Insurance Code, pursuant to all the requirements of Article 6.6 (commencing with Section 791) of Chapter 1 of Part 2 of Division 1 of the Insurance Code, and the regulations promulgated thereunder.(f) This section does not apply to a telephone corporation, as defined in Section 234 of the Public Utilities Code, when that corporation is engaged in providing telephone services and products pursuant to Sections 2881, 2881.1, and 2881.2 of the Public Utilities Code, if the corporation does not share or disclose medical information obtained as a consequence of complying with those sections of the Public Utilities Code, to third parties for direct marketing purposes.Amended by Stats 2013 ch 444 (SB 138),s 7, eff. 1/1/2014.Added by Stats 2004 ch 861 (SB 1633),s 1, eff. 1/1/2005.