California Legislature—2013–14 Regular Session

Assembly Bill No. 1560


Introduced by Assembly Member Gorell

January 29, 2014


An act to add Section 100509 to the Government Code, relating to health care coverage, declaring the urgency thereof, to take effect immediately.

LEGISLATIVE COUNSEL’S DIGEST

AB 1560, as introduced, Gorell. California Health Benefit Exchange: confidentiality of personal information.

Existing law, the federal Patient Protection and Affordable Care Act (PPACA), requires each state to establish an American Health Benefit Exchange by January 1, 2014, that makes available qualified health plans to qualified individuals and small employers. PPACA prohibits an Exchange from using or disclosing the personally identifiable information it creates or collects other than to the extent necessary to carry out specified functions. Existing law also requires an Exchange to establish and implement privacy and security standards that are consistent with specified principles and to require the same or more stringent privacy and security standards as a condition of contract or agreement with individuals or entities. A person who knowingly and willfully uses or discloses information in violation of PPACA is subject to a civil penalty of no more than $25,000 per person or entity, per use or disclosure, in addition to any other penalties prescribed by law.

Existing state law establishes the California Health Benefit Exchange within state government, specifies the powers and duties of the board governing the Exchange, and requires the board to facilitate the purchase of qualified health plans through the Exchange by qualified individuals and small employers by January 1, 2014. Existing law requires the board to employ necessary staff and authorizes the board to enter into contracts. Under existing law, the board of the Exchange is required to submit fingerprint images to the Department of Justice for all employees, prospective employees, contractors, subcontractors, volunteers, or vendors of the Exchange whose duties include access to specified personal information for the purposes of obtaining state or federal conviction records, as specified.

This bill would prohibit the Exchange from disclosing an individual’s personal information, as defined, to 3rd parties for the purpose of determining eligibility for, or enrolling the individual in, health care coverage unless the Exchange obtains prior written consent, as prescribed. The bill would also require the Exchange to immediately notify the public of any breach of the security of personal information created, collected, or maintained by the Exchange, regardless of the severity of the breach.

This bill would declare that it is to take effect immediately as an urgency statute.

Vote: 2/3. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Section 100509 is added to the Government Code, to read:

100509. (a) The Exchange shall not disclose an individual’s personal information to third parties for the purpose of determining eligibility for, or enrolling the individual in, health care coverage unless the Exchange obtains prior written consent.

(b) To comply with subdivision (a), the Exchange shall include, as part of its application for health care coverage, including its online application, a stand-alone item in 12-point font that requests the individual’s consent for disclosure of personal information to third parties for the purposes of determining eligibility for, or enrolling the individual in, health care coverage.

(c) The Exchange shall immediately notify the public of any breach of the security of personal information, regardless of the severity of the breach. This subdivision shall apply in addition to any other disclosure requirements applicable to the Exchange, including, but not limited to, Section 1798.29 of the Civil Code.

(d) For purposes of this section, “personal information” means any information that is created, collected, or maintained by the Exchange that identifies or describes an individual, including, but not limited to, his or her name, social security number, physical description, home address, home telephone number, education, financial matters, and medical or employment history. “Personal information” includes statements made by, or attributed to, the individual.

SEC. 2. This act is an urgency statute necessary for the immediate preservation of the public peace, health, or safety within the meaning of Article IV of the Constitution and shall go into immediate effect. The facts constituting the necessity are:

The California Health Benefit Exchange is currently releasing to third parties the personal information of individuals using the Covered California Internet Web site without their knowledge. In order to protect the privacy rights of individuals applying for health care coverage through the Exchange, it is necessary that this act take effect immediately.


