AB 1560, as amended, Gorell. California Health Benefit Exchange: confidentiality of personal information.
Existing law, the federal Patient Protection and Affordable Care Act (PPACA), requires each state to establish an American Health Benefit Exchange by January 1, 2014, that makes available qualified health plans to qualified individuals and small employers. PPACA prohibits an Exchange from using or disclosing the personally identifiable information it creates or collects other than to the extent necessary to carry out specified functions. Existing law also requires an Exchange to establish and implement privacy and security standards that are consistent with specified principles and to require the same or more stringent privacy and security standards as a condition of contract or agreement with individuals or entities. A person who knowingly and willfully uses or discloses information in violation of PPACA is subject to a civil penalty of no more than $25,000 per person or entity, per use or disclosure, in additional to any other penalties prescribed by law.
Existing state law establishes the California Health Benefit Exchange within state government, specifies the powers and duties of the board governing the Exchange, and requires the board to facilitate the purchase of qualified health plans through the Exchange by qualified individuals and small employers by January 1, 2014. Existing law requires the board to employ necessary staff and authorizes the board to enter into contracts. Under existing law, the board of the Exchange is required to submit fingerprint images to the Department of Justice for all employees, prospective employees, contractors, subcontractors, volunteers, or vendors of the Exchange whose duties include access to specified personal information for the purposes of obtaining state or federal conviction records, as specified.
This bill would prohibit the Exchange from disclosing an individual’s personal information, as defined, to 3rd parties for the purpose of determining eligibility for, or enrolling the individual in, health care coverage unless the Exchange obtains prior written consent, as prescribed. The bill would also require the Exchange to immediately notify the public of any breach of the security of personal information created, collected, or maintained by the Exchange, regardless of the severity of the breachbegin insert and regardless of whether personal information was acquired by an unauthorized person during the breachend insert.
This bill would declare that it is to take effect immediately as an urgency statute.
Vote: 2⁄3. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
Section 100509 is added to the Government Code,
2to read:
(a) The Exchange shall not disclose an individual’s
4personal information to third parties for the purpose of determining
5eligibility for, or enrolling the individual in, health care coverage
6unless the Exchange obtains prior written consent.
7(b) To comply with subdivision (a), the Exchange shall include,
8as part of its application for health care coverage, including its
9online application, a stand-alone item in 12-point font that requests
10the individual’s consent for disclosure of personal information to
11third parties for the purposes of determining eligibility for, or
12enrolling the individual in, health care coverage.
P3 1(c) The
Exchange shall immediately notify the public of any
2
breach of the security of personal information, regardless of the
3severity of the breachbegin insert and regardless of whether personal
4information was acquired by an unauthorized person during the
5breachend insert. This subdivision shall apply in addition to any other
6disclosure requirements applicable to the Exchange, including, but
7not limited to, Section 1798.29 of the Civil Code.
8(d) For purposes ofbegin delete the isend deletebegin insert thisend insert section, “personal information”
9means any information that is created, collected, or maintained by
10the Exchange that identifies or describes an individual, including,
11but not limited
to, his or her name, social security number, physical
12description, home address, home telephone number, education,
13financial matters, and medical or employment history. “Personal
14information” includes statements made by, or attributed to, the
15individual.
This act is an urgency statute necessary for the
17immediate preservation of the public peace, health, or safety within
18the meaning of Article IV of the Constitution and shall go into
19immediate effect. The facts constituting the necessity are:
20The California Health Benefit Exchange is currently releasing
21to third parties the personal information of individuals using the
22Covered California Internet Web site without their knowledge. In
23order to protect the privacy rights of individuals applying for health
24care coverage through the Exchange, it is necessary that this act
25take effect immediately.
O
98