BILL ANALYSIS

AB 1560 Page 1

Date of Hearing: April 22, 2014

ASSEMBLY COMMITTEE ON HEALTH
Richard Pan, Chair
AB 1560 (Gorell) - As Amended: April 2, 2014

SUBJECT : California Health Benefit Exchange: confidentiality of personal information.

SUMMARY : Prohibits the California Health Benefit Exchange (Exchange, now known as Covered California) from disclosing an individual's personal information to third parties, except under certain circumstances. Contains an urgency clause to ensure that the provisions of this bill go into immediate effect upon enactment. Specifically, this bill :
1) Prohibits the Exchange, including employees and board members, from disclosing an individual's personal information to third parties for the purpose of determining eligibility for, or enrolling the individual in, health care coverage. Includes in this prohibition any information that identifies or describes an individual, including: name; social security number; physical description; home address; home telephone number; education; financial matters; medical or employment history; and statements made by, or attributed to, the individual.
2) Provides an exception to the prohibition in 1) above if both of the following requirements are satisfied prior to the disclosure:
a) The individual confirms his or her eligibility for a qualified health plan offered by the Exchange and receives a cost estimate for plans offered; and
b) The Exchange obtains written consent from the individual on a stand-alone item in 12-point font that requests the individual's consent for disclosure of personal information to third parties for the purposes of determining eligibility for, or enrolling the individual in, health care coverage.
3) Requires the Exchange to immediately notify the public of any breach of the security of personal information, regardless of severity and regardless of whether the information was actually accessed by an unauthorized person.

EXISTING LAW :
1) Establishes the Exchange as an independent public entity in state government. Requires the Exchange to compare and make available through selective contracting health insurance for individual and small business purchasers as authorized under the Patient Protection and Affordable Care Act (ACA).
2) Requires, under the ACA, an applicant for insurance coverage or for a premium tax credit or cost-sharing reduction to be required to provide only the information strictly necessary to authenticate identity, determine eligibility, and determine the amount of the credit or reduction. Requires, under the ACA, any person who receives such information provided by an applicant to use the information only for ensuring the efficient operation of the Exchange.
3) Allows, under federal regulations effective May 12, 2014, an Exchange to use or disclose personally identifiable information to carry out functions other than determining eligibility for enrollment, affordability programs, or exemptions, provided that the U.S. Secretary of Health and Human Services (HHS) determines those functions are in compliance with the ACA, and the individual provides consent.
4) Requires, under federal regulations, each Exchange to establish and implement written privacy and security standards in accordance with certain principles, including: allowing individuals to access and correct their own personal information; maintaining openness and transparency of policies; ensuring data quality and integrity, protection of personal information with reasonable safeguards; and appropriate monitoring to detect and mitigate non-adherence and breaches.
5) Requires, under federal regulations, each Exchange's policies and procedures regarding the creation, collection, use, and disclosure of personally identifiable information to be in writing, be available to the Secretary of HHS upon request, and identify applicable law governing collection, use, and disclosure of personally identifiable information.
6) Requires, under federal regulations, entities such as navigators, agents, and brokers that have access to applicants' or enrollees' personal information in the course of performing their functions to be subject to the same privacy or security provisions that govern the Exchange.
7) Creates, under the ACA, a civil penalty of not more than $25,000 per person or entity, per use or disclosure, for use or disclosure of personal information in violation of the ACA.
8) Requires the Exchange to perform fingerprint-based background checks of all employees, prospective employees, contractors, subcontractors, employees of contractors, volunteers, or vendors whose duties include access to confidential, personal, or financial information, or any other information as required by federal law or guidance.
9) Under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), provides protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information. HIPAA also permits the disclosure of certain health information as needed for patient care and certain other purposes, including: public health activities, research, prevention of a serious threat to health or safety, law enforcement purposes, and judicial and administrative proceedings. Covered entities under the HIPAA Privacy Rule are health care providers, health plans, and health care clearinghouses.
10) Under the Information Practices Act of 1977, prohibits state agencies from disclosing any personal information in a manner that would link the information disclosed to the individual to whom it pertains. Provides several exceptions to this prohibition, including:
a) Information is disclosed with prior written voluntary consent by the individual to whom the record pertains; or,
b) Information is disclosed to a person or another agency as necessary for the performance of the transferee agency's duties; the use is compatible with a purpose for which the information was collected; and an accurate accounting is made of the date, nature, and purpose of the transfer.
11) Under the Information Practices Act, requires state agencies that own or license data that include personal information to disclose any security breach to any California resident whose personal information was obtained by an unauthorized person. Requires this disclosure in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
12) Under the Confidentiality of Medical Information Act, prohibits providers of healthcare, health care service plans, their contractors, and any business organized for the purpose of maintaining medical information, from using medical information for any purpose other than providing health care services, except as expressly authorized by the patient or as otherwise required or authorized by law.

FISCAL EFFECT : This bill has not yet been analyzed by a fiscal committee.

COMMENTS :

1) PURPOSE OF THIS BILL . The author of this bill contends that Covered California recently violated the reasonable expectation of consumer privacy by sharing personally identifiable information with insurance companies without the express consent of consumers.
Customers' names and contact information were provided to firms and insurance agents, and consumers received unsolicited calls from agents working for commission. The author argues that Covered California, like other state exchanges, will increase consumers' vulnerability to data breaches. The author argues that, at a time when data theft is more prevalent than ever, Californians deserve to know their data is secure.

2) BACKGROUND .
a) Enrollment counselors and agents. Certified enrollment counselors are certified by the Exchange to provide culturally and linguistically appropriate one-on-one counseling and assistance to consumers in need of help with applying for Covered California programs. Certified enrollment counselors must be registered with either the In-Person Assistance Program or the Navigator Program and are often referred to as in-person assisters or navigators. Counselors work for certified enrollment entities, which are community-based organizations that conduct outreach and enrollment activities, and are not employees of the Exchange. Counselors must pass a fingerprint-based criminal background check; receive training in a range of topics, including privacy and security standards for consumers' personal information; and comply with the Exchange's privacy and security standards established pursuant to federal regulations. All insurance agents interested in selling QHPs offered through the Exchange must be trained and certified by Covered California. Covered California indicates that all certified insurance agents sign a confidentiality agreement that prohibits the use of consumer information for any purposes beyond the scope of the contract; pass a fingerprint-based criminal background check; agree to follow federal and state privacy laws; and are required to implement safeguards that are at least as strong as those required of the Exchange.
As of April 8, 2014, Covered California has 5,598 certified enrollment counselors and 12,236 certified insurance agents. During the open enrollment period, the role of certified enrollment counselors increased substantially, from completing 3% of total enrollments in October through December to 12% of total enrollment in January through March. Over the entire enrollment period, certified enrollment counselors and agents together accounted for roughly half of all enrollments in QHPs through the Exchange. Latino applicants account for 48% of individuals enrolled by certified enrollment counselors compared to 22% of individuals who self-enrolled.
b) Covered California privacy policy. Covered California's website provides an extensive notice of privacy practices. The notice informs consumers that personal information collected by the website includes contact information, social security numbers, demographic information, health information, financial information, and alien status. The notice further states that the collection of personal information is limited to what is relevant and necessary to accomplish the Exchange's lawful purpose, defined in the California ACA. The privacy policy further states that a consumer's personal information may be disclosed to: a) other governmental agencies that determine eligibility for premium assistance or other insurance affordability programs; b) contractors that manage health plan enrollment and other Exchange operations (e.g., health plans and information technology contractors); and c) contractors like insurance agents or enrollment counselors that facilitate enrollment and contact consumers when necessary. The policy further states that information may also be used in order to create a more personalized experience.
The privacy policy additionally provides that personal information may be shared to help with public health and safety; to do research; to respond to lawsuits and legal actions; and to comply with state or federal law, including responding to a Public Records Act request. According to Covered California, the privacy policy was adapted from a model notice of privacy practices for HIPAA covered entities issued by the HHS Office of Civil Rights earlier this year. Covered California indicates that this template was modified to reflect its unique operational activities. In addition, Covered California indicates that it has a separate set of privacy and security standards that it uses internally, in compliance with federal regulations. Covered California indicates it is currently in the process of updating these standards.
c) Enrollment Follow-up Program. Covered California states that, when it saw that thousands of consumers who were interested in coverage had not yet completed their enrollments, it enlisted roughly 2,100 certified insurance agent subcontractors to offer additional assistance to roughly 41,000 households. According to Covered California, basic contact information (name, telephone number, etc.) was securely transmitted to certified insurance agents, with instructions to quickly contact consumers to ensure that they were offered additional assistance to complete their enrollments. Consumer information was carefully protected: each agent who participated in the program was given only a small batch of leads at a time, according to their capacity to reach consumers, and results were reported back. Covered California indicates it is still evaluating the enrollment follow-up program, and that it has focused its follow-up efforts on targeted direct mail and email outreach to consumers letting them know that there are certified representatives near them who can help them complete their applications.

3) CENTER FOR DEMOCRACY AND TECHNOLOGY ARTICLE .
A 2012 article published by the Center for Democracy and Technology provides an overview of state and federal laws and privacy rules that may be relevant for California's Exchange, including the federal Privacy Act of 1974, California's Information Privacy Act, the California Confidentiality of Medical Information Act, and HIPAA. The article notes that, because the Exchange will give consumers a single online portal to access private health insurance, Medi-Cal, and children's health programs, Exchange operations will require new and unique exchanges of data among state agencies, the federal government, private health plans, businesses, individuals, and the Exchange. The paper concludes that, to build trust in the Exchange, California must create specific policies that implement fair information practices and adhere to ACA requirements. The paper urges the state to work with consumers and other stakeholders to begin developing strong policies and best practices to govern information collected and shared by the state's Exchange.

4) PROPOSED FEDERAL REGULATIONS . On March 14, 2014, the federal Centers for Medicare and Medicaid Services released a proposed regulation titled "Patient Protection and Affordable Care Act: Exchange and Insurance Market Standards for 2015 and Beyond" that includes proposed processes for the imposition of civil penalties by HHS for improper use or disclosure of information. HHS states the intent of this proposed rule is to create appropriate penalties for any person who does not comply with relevant statutory and regulatory provisions which limit the ways in which information provided by an applicant or from a federal agency can be used. HHS further states that it intends to work in collaboration with states to oversee, monitor, and enforce compliance to protect consumers, avoid duplication of efforts, and provide consistent enforcement practices.
The proposed regulations also include new standards for navigators and non-navigator assistance personnel for consumer contact, interaction, and marketing practices, with the intent to ensure that practices are protective of the privacy and security interests of the consumers they serve.

5) BUREAU OF STATE AUDITS REPORT . Current law authorizes the State Auditor to establish a high-risk audit program, to issue reports with recommendations for improving issues it identifies as high risk, either due to vulnerability to fraud, waste, abuse, and mismanagement, or because an issue is of particular interest to the citizens of the state or has potentially significant effects on public health, safety, and economic well-being. In July 2013, the State Auditor, due to potential financial challenges, added Covered California's operations to its list of high-risk issues. The audit report finds that, within the limits of the information it currently has, Covered California appears to have engaged in a deliberate, thoughtful financial planning effort to anticipate the several contingencies it may face. The report notes that Covered California's financial sustainability is wholly dependent on enrollment in QHPs offered through the Exchange. The report notes enrollment in QHPs is, in turn, largely dependent upon the success of outreach efforts. Accordingly, one of the report's recommendations is for Covered California to track the effect of outreach and marketing activities and of the assister program. Covered California agreed with this recommendation (and the report's other recommendations) and indicated it will use various data components generated throughout the customer relationship to track key metrics such as organizational awareness, media campaign drivers, response rates, Website visits, lead generation, and ultimately enrollment.
Covered California indicates its goal is to use insights from these data to allocate and adjust outreach efforts to have the best possible enrollment for the investment.

6) OPPOSITION . The Electronic Frontier Foundation, with a position of "oppose unless amended," argues that this bill is silent on larger privacy, security, and accountability issues that federal rules mandate, and requests an amendment to address the full range of privacy and security requirements in federal regulations. In opposition, the American Federation of State, County and Municipal Employees (AFSCME) writes it is important to balance consumers' privacy rights with the need of the Exchange to facilitate outreach and enrollment in coverage. AFSCME asserts this bill fails to recognize the need for outreach and enrollment entities to reach potentially eligible people to get them enrolled. Health Access California, in opposition, writes this bill, as drafted, may prevent the sharing of marketing leads with outreach grantees, thus hamstringing its marketing and outreach and denying Californians access to low cost or no cost coverage. Health Access further notes this bill may be premature in light of recently proposed federal privacy regulations for Exchanges. The California State Council of the Service Employees International Union (SEIU), with a position of "oppose unless amended," writes that this bill, as drafted, requires an individual to confirm his or her eligibility for a qualified health plan offered by the Exchange prior to the individual's information being shared. SEIU states that this bill therefore would prohibit Covered California from sharing any information about Medi-Cal eligible individuals with counties who are required to make Medi-Cal eligibility determinations and enrollments.
SEIU writes that, by interfering with the transfer of information between Covered California and counties, this bill creates a "wrong door" for these individuals, violating one of the core principles of the ACA. SEIU therefore requests amendments to more narrowly address the problem, to only apply to eligibility determinations and enrollments in QHPs through Covered California, and to exclude county human services departments from the individuals with whom information is shared under this bill. SEIU further asserts that its experience over the past six months has been that individuals, interested in getting additional information and assistance, have been frustrated by existing barriers to sharing information among Covered California's employees, agents, subcontractors, representatives, or partners. Under privacy protections already in place, leads were sent to Covered California with no ability for community partners to assess the outcome of those leads, making it difficult for these partners to provide consumers the help they requested.

7) RELATED LEGISLATION .
a) AB 1428 (Conway), Chapter 561, Statutes of 2013, clarifies criminal background check requirements for employees, contractors, and vendors who facilitate enrollment in the Exchange.
b) AB 1829 (Conway) prohibits the Exchange from hiring or contracting with individuals who have been convicted of certain felonies or violations if the person would be facilitating enrollment or have access to financial or medical information. AB 1829 is pending in this Committee and is set for hearing April 22, 2014.
c) AB 1830 (Conway) prohibits the Exchange from using or disclosing personal information except as necessary to carry out the Exchange's functions under the ACA and creates a civil penalty of up to $25,000 per individual or entity, per use or disclosure. AB 1830 is pending in this Committee and is set for hearing April 22, 2014.
d) AB 2147 (Melendez) requires agencies to obtain an individual's prior written voluntary consent before releasing the individual's personal information to an independent contractor or other worker who is not an agency employee. AB 2147 is pending in the Assembly Judiciary Committee.
e) AB 2301 (Mansoor) requires the Exchange to report on a quarterly basis on enrollments and disenrollments under QHPs purchased through the Exchange by specified categories. AB 2301 is pending in this Committee and is set for hearing April 22, 2014.
f) SB 509 (DeSaulnier and Emmerson), Chapter 10, Statutes of 2013, requires fingerprint-based background checks for all Exchange employees, contractors, volunteers, or vendors with access to enrollees' personal information.
g) SB 974 (Anderson) prohibits the Exchange from disclosing an individual's personal information to any other person or entity without explicit permission and requires the Exchange to report a disclosure in violation of this provision within five business days. SB 974 is pending in the Senate Appropriations Committee.

8) PREVIOUS LEGISLATION . AB 1602 (John A. Pérez), Chapter 655, Statutes of 2010, and SB 900 (Alquist), Chapter 659, Statutes of 2010, establish the Exchange and its powers and duties.

9) DOUBLE REFERRED . This bill is double referred; should it pass out of this Committee, it will be referred to the Assembly Committee on Judiciary.

10) POLICY COMMENTS .
a) This bill creates a broad prohibition on the sharing of consumer information by Covered California. In addition to the limitations this places on Covered California's partnership with Medi-Cal raised by the opposition, this prohibition could be detrimental to the financial sustainability of Covered California, which depends on an enrollment strategy that includes third party enrollment entities and insurance agents.
b) Proposed federal regulations governing civil penalties for privacy and security violations and creating standards for navigators and non-navigator assistance personnel are still pending. Because these regulations may or may not be adopted in their current proposed form (comments are being accepted through April 18, 2014), this bill may be premature.

REGISTERED SUPPORT / OPPOSITION :

Support
None on file.

Opposition
American Civil Liberties Union of California (unless amended)
American Federation of State, County and Municipal Employees
California Coverage and Health Initiatives
Electronic Frontier Foundation (unless amended)
Health Access California (unless amended)
Service Employees International Union, California State Council (unless amended)
Service Employees International Union Local 1000 (unless amended)
Western Center on Law and Poverty (unless amended)

Analysis Prepared by : Ben Russell / HEALTH / (916) 319-2097