AB 1560, as amended, Gorell. California Health Benefit Exchange: confidentiality of personal information.
Existing law, the federal Patient Protection and Affordable Care Act (PPACA), requires each state to establish an American Health Benefit Exchange by January 1, 2014, that makes available qualified health plans to qualified individuals and small employers. PPACA prohibits an Exchange from using or disclosing the personally identifiable information it creates or collects other than to the extent necessary to carry out specified functions. Existing law also requires an Exchange to establish and implement privacy and security standards that are consistent with specified principles and to require the same or more stringent privacy and security standards as a condition of contract or agreement with individuals or entities. A person who knowingly and willfully uses or discloses information in violation of PPACA is subject to a civil penalty of no more than $25,000 per person or entity, per use or disclosure, in additional to any other penalties prescribed by law.
Existing state law establishes the California Health Benefit Exchange within state government, specifies the powers and duties of the board governing the Exchange, and requires the board to facilitate the purchase of qualified health plans through the Exchange by qualified individuals and small employers by January 1, 2014. Existing law requires the board to employ necessary staff and authorizes the board to enter into contracts. Under existing law, the board of the Exchange is required to submit fingerprint images to the Department of Justice for all employees, prospective employees, contractors, subcontractors, volunteers, or vendors of the Exchange whose duties include access to specified personal information for the purposes of obtaining state or federal conviction records, as specified.
This bill would prohibit the Exchange from disclosing an
individual’s personal information, as defined, to 3rd parties for the purpose of determining eligibility for, or enrolling the individual in, health care coverage unlessbegin insert, prior to the disclosure, the individual confirms his or her eligibility for a qualified health plan offered by the Exchange, and receives an estimate for the cost of the qualified health plans he or she may purchase, andend insert the Exchange obtainsbegin delete priorend deletebegin insert the individual’send insert written consentbegin insert to the disclosureend insert, as prescribed. The bill would also require the Exchange to immediately notify the public of any breach of the security of personal information
created, collected, or maintained by the Exchange, regardless of the severity of the breach and regardless of whether personal information was acquired by an unauthorized person during the breach.
This bill would declare that it is to take effect immediately as an urgency statute.
Vote: 2⁄3. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
Section 100509 is added to the Government Code,
2to read:
(a) The Exchange shall not disclose an individual’s
4personal information to third parties for the purpose of determining
5eligibility for, or enrolling the individual in, health care coverage
P3 1unlessbegin delete theend deletebegin insert both of the following requirements are satisfied prior
2to the disclosure:end insert
3(1) The individual, through communication with the Exchange,
4including the Internet Web site of the Exchange,
confirms his or
5her eligibility for a qualified health plan offered by the Exchange
6and receives an estimate of the cost of the qualified health plans
7offered by the Exchange that he or she may purchase.
8begin insert(2)end insertbegin insert end insertbegin insertAfter paragraph (1) has been satisfied, the end insertExchange obtains
9begin delete priorend delete written begin deleteconsent.end delete
10begin delete(b)end deletebegin delete end deletebegin deleteTo comply with subdivision (a), the Exchange shall include, begin insertconsent
from the individual on end inserta stand-alone
11as part of its application for health care coverage, including its
12online application, end delete
13item in 12-point font that requests the individual’s consent for
14disclosure of personal information to third parties for the purposes
15of determining eligibility for, or enrolling the individual in, health
16care coverage.
17(c)
end delete
18begin insert(b)end insert The Exchange shall immediately notify the public of any
19
breach of the security of personal information, regardless of the
20severity of the breach and regardless of whether personal
21information was acquired by an unauthorized person during the
22breach. This subdivision shall apply in addition to any other
23disclosure requirements applicable to the Exchange, including, but
24not limited to, Section 1798.29 of the Civil Code.
8 25(d)
end delete
26begin insert(c)end insert For purposes of this section,begin delete “personalend deletebegin insert the following
27definitions shall
apply:end insert
28(1) “Exchange” includes an employee of the Exchange or a
29member of the board of the Exchange.
30begin insert(2)end insertbegin insert end insertbegin insert“Personalend insert information” means any information that is
31created, collected, or maintained by the Exchange that identifies
32or describes an individual, including, but not limited to, his or her
33name, social security number, physical description, home address,
34home telephone number, education, financial matters, and medical
35or employment history. “Personal information” includes statements
36made by, or attributed to, the individual.
37(3) “Third party” means a person or entity other than the
38Exchange.
This act is an urgency statute necessary for the
40immediate preservation of the public peace, health, or safety within
P4 1the meaning of Article IV of the Constitution and shall go into
2immediate effect. The facts constituting the necessity are:
3The California Health Benefit Exchange is currently releasing
4to third parties the personal information of individuals using the
5Covered California Internet Web site without their knowledge. In
6order to protect the privacy rights of individuals applying for health
7care coverage through the Exchange, it is necessary that this act
8take effect immediately.
O
97