BILL ANALYSIS



                                                                  AB 1560
                                                                  Page  1

          Date of Hearing:  April 22, 2014

                            ASSEMBLY COMMITTEE ON HEALTH
                                 Richard Pan, Chair
                    AB 1560 (Gorell) - As Amended:  April 2, 2014
           
          SUBJECT  :  California Health Benefit Exchange: confidentiality of  
          personal information.

           SUMMARY  :  Prohibits the California Health Benefit Exchange  
          (Exchange, now known as Covered California) from disclosing an  
          individual's personal information to third parties, except under  
          certain circumstances.  Contains an urgency clause to ensure  
          that the provisions of this bill go into immediate effect upon  
          enactment.  Specifically,  this bill  :  

          1)Prohibits the Exchange, including employees and board members,  
            from disclosing an individual's personal information to third  
            parties for the purpose of determining eligibility for, or  
            enrolling the individual in, health care coverage.  Includes  
            in this prohibition any information that identifies or  
            describes an individual, including: name; social security  
            number; physical description; home address; home telephone  
            number; education; financial matters; medical or employment  
            history; and statements made by, or attributed to, the  
            individual.

          2)Provides an exception to the prohibition in 1) above if both  
            of the following requirements are satisfied prior to the  
            disclosure:

             a)   The individual confirms his or her eligibility for a  
               qualified health plan offered by the Exchange and receives  
               a cost estimate for plans offered; and 

             b)   The Exchange obtains written consent from the individual  
               on a stand-alone item in 12-point font that requests the  
               individual's consent for disclosure of personal information  
               to third parties for the purposes of determining  
               eligibility for, or enrolling the individual in, health  
               care coverage.

          3)Requires the Exchange to immediately notify the public of any  
            breach of the security of personal information, regardless of  
            severity and regardless of whether the information was
            actually accessed by an unauthorized person.

           EXISTING LAW  :  

          1)Establishes the Exchange as an independent public entity in  
            state government.  Requires the Exchange to compare and make  
            available through selective contracting health insurance for  
            individual and small business purchasers as authorized under  
            the Patient Protection and Affordable Care Act (ACA).

          2)Requires, under the ACA, an applicant for insurance coverage  
            or for a premium tax credit or cost-sharing reduction to be  
            required to provide only the information strictly necessary to  
            authenticate identity, determine eligibility, and determine  
            the amount of the credit or reduction.  Requires, under the  
            ACA, any person who receives such information provided by an  
            applicant to use the information only for ensuring the  
            efficient operation of the Exchange.

          3)Allows, under federal regulations effective May 12, 2014, an  
            Exchange to use or disclose personally identifiable  
            information to carry out functions other than determining  
            eligibility for enrollment, affordability programs, or  
            exemptions, provided that the U.S.  Secretary of Health and  
            Human Services (HHS) determines those functions are in  
            compliance with the ACA, and the individual provides consent.

          4)Requires, under federal regulations, each Exchange to  
            establish and implement written privacy and security standards  
            in accordance with certain principles, including: allowing  
            individuals to access and correct their own personal  
            information; maintaining openness and transparency of  
            policies; ensuring data quality and integrity, protection of  
            personal information with reasonable safeguards; and  
            appropriate monitoring to detect and mitigate non-adherence  
            and breaches.

          5)Requires, under federal regulations, each Exchange's policies  
            and procedures regarding the creation, collection, use, and  
            disclosure of personally identifiable information to be in  
            writing, be available to the Secretary of HHS upon request,  
            and identify applicable law governing collection, use, and  
            disclosure of personally identifiable information.

          6)Requires, under federal regulations, entities such as
            navigators, agents, and brokers that have access to
            applicants' or enrollees' personal information in the course  
            of performing their functions to be subject to the same  
            privacy or security provisions that govern the Exchange.  

          7)Creates, under the ACA, a civil penalty of not more than  
            $25,000 per person or entity, per use or disclosure, for use  
            or disclosure of personal information in violation of the ACA.

          8)Requires the Exchange to perform fingerprint-based background  
            checks of all employees, prospective employees, contractors,  
            subcontractors, employees of contractors, volunteers, or  
            vendors whose duties include access to confidential, personal,  
            or financial information, or any other information as required  
            by federal law or guidance.  

          9)Under the federal Health Insurance Portability and  
            Accountability Act of 1996 (HIPAA), provides protections for  
            individually identifiable health information held by covered  
            entities and their business associates and gives patients an  
            array of rights with respect to that information.  HIPAA also  
            permits the disclosure of certain health information as needed  
            for patient care and certain other purposes, including: public  
            health activities, research, prevention of a serious threat to  
            health or safety, law enforcement purposes, and judicial and  
            administrative proceedings.  Covered entities under the HIPAA  
            Privacy Rule are health care providers, health plans, and  
            health care clearinghouses.

          10)Under the Information Practices Act of 1977, prohibits state
            agencies from disclosing any personal information in a manner  
            that would link the information disclosed to the individual to  
            whom it pertains.  Provides several exceptions to this  
            prohibition, including:

             a)   Information is disclosed with prior written voluntary  
               consent by the individual to whom the record pertains; or,

             b)   Information is disclosed to a person or another agency  
               as necessary for the performance of the transferee agency's  
               duties; the use is compatible with a purpose for which the  
               information was collected; and an accurate accounting is  
               made of the date, nature, and purpose of the transfer.

          11)Under the Information Practices Act, requires state agencies
            that own or license data that include personal information to
            disclose any security breach to any California resident whose  
            personal information was obtained by an unauthorized person.   
            Requires this disclosure in the most expedient time possible  
            and without unreasonable delay, consistent with the legitimate  
            needs of law enforcement or any measures necessary to  
            determine the scope of the breach and restore the reasonable  
            integrity of the data system.

          12)Under the Confidentiality of Medical Information Act,  
            prohibits providers of healthcare, health care service plans,  
            their contractors, and any business organized for the purpose  
            of maintaining medical information, from using medical  
            information for any purpose other than providing health care  
            services, except as expressly authorized by the patient or as  
            otherwise required or authorized by law.  

           FISCAL EFFECT  :  This bill has not yet been analyzed by a fiscal  
          committee.

           COMMENTS  :

           1)PURPOSE OF THIS BILL  .  The author of this bill contends that  
            Covered California recently violated the reasonable  
            expectation of consumer privacy by sharing personally  
            identifiable information with insurance companies without the  
            express consent of consumers.  Customers' names and contact  
            information were provided to firms and insurance agents, and  
            consumers received unsolicited calls from agents working for  
            commission.  The author argues that Covered California, like  
            other state exchanges, will increase consumers' vulnerability  
            to data breaches.  The author argues that, at a time when data  
            theft is more prevalent than ever, Californians deserve to  
            know their data is secure.  

           2)BACKGROUND  .  

             a)   Enrollment counselors and agents.  Certified enrollment  
               counselors are certified by the Exchange to provide  
               culturally and linguistically appropriate one-on-one  
               counseling and assistance to consumers in need of help with  
               applying for Covered California programs.  Certified  
               enrollment counselors must be registered with either the  
               In-Person Assistance Program or the Navigator Program and  
               are often referred to as in-person assisters or navigators.
               Counselors work for certified enrollment entities, which
               are community-based organizations that conduct outreach and  
               enrollment activities, and are not employees of the  
               Exchange.  Counselors must pass a fingerprint-based  
               criminal background check; receive training in a range of  
               topics, including privacy and security standards for  
               consumers' personal information; and comply with the  
               Exchange's privacy and security standards established  
               pursuant to federal regulations.

               All insurance agents interested in selling qualified health
               plans (QHPs) offered through the Exchange must be trained and
               certified by Covered California.  Covered California indicates
               that all certified insurance agents sign a confidentiality
               agreement that prohibits the use of consumer information
               for any purposes beyond the scope of the contract; pass a
               fingerprint-based criminal background check; agree to
               follow federal and state privacy laws; and are required to
               implement safeguards that are at least as strong as those
               required of the Exchange.

             As of April 8, 2014, Covered California has 5,598 certified  
               enrollment counselors and 12,236 certified insurance  
               agents.  During the open enrollment period, the role of  
               certified enrollment counselors increased substantially,  
               from completing 3% of total enrollments in October through  
               December to 12% of total enrollment in January through  
               March.  Over the entire enrollment period, certified  
               enrollment counselors and agents together accounted for  
               roughly half of all enrollments in QHPs through the  
               Exchange.  Latino applicants account for 48% of individuals  
               enrolled by certified enrollment counselors compared to 22%  
               of individuals who self-enrolled.  

             b)   Covered California privacy policy.  Covered California's  
               website provides an extensive notice of privacy practices.   
               The notice informs consumers that personal information  
               collected by the website includes contact information,  
               social security numbers, demographic information, health  
               information, financial information, and alien status.  The  
               notice further states that the collection of personal  
               information is limited to what is relevant and necessary to  
               accomplish the Exchange's lawful purpose, defined in the  
               California ACA.  

               The privacy policy further states that a consumer's
               personal information may be disclosed to: a) other
               governmental agencies that determine eligibility for  
               premium assistance or other insurance affordability  
               programs; b) contractors that manage health plan enrollment  
               and other Exchange operations (e.g., health plans and  
               information technology contractors); and c) contractors  
               like insurance agents or enrollment counselors that  
               facilitate enrollment and contact consumers when necessary.  
                The policy further states that information may also be  
               used in order to create a more personalized experience.   
               The privacy policy additionally provides that personal  
               information may be shared to help with public health and  
               safety; to do research; to respond to lawsuits and legal  
               actions; and to comply with state or federal law, including  
               responding to a Public Records Act request.

               According to Covered California, the privacy policy was  
               adapted from a model notice of privacy practices for HIPAA  
               covered entities issued by the HHS Office of Civil Rights  
               earlier this year.  Covered California indicates that this  
               template was modified to reflect its unique operational  
               activities.  In addition, Covered California indicates that  
               it has a separate set of privacy and security standards  
               that it uses internally, in compliance with federal  
               regulations.  Covered California indicates it is currently  
               in the process of updating these standards.

             c)   Enrollment Follow-up Program.  Covered California states  
               that, when it saw that thousands of consumers who were  
               interested in coverage had not yet completed their  
               enrollments, it enlisted roughly 2,100 certified insurance  
               agent subcontractors to offer additional assistance to  
               roughly 41,000 households.  According to Covered  
               California, basic contact information (name, telephone  
               number, etc.) was securely transmitted to certified  
               insurance agents, with instructions to quickly contact  
               consumers to ensure that they were offered additional  
               assistance to complete their enrollments.  Consumer  
               information was carefully protected: each agent who  
               participated in the program was given only a small batch of  
               leads at a time, according to their capacity to reach  
               consumers, and results were reported back.  Covered  
               California indicates it is still evaluating the enrollment  
               follow-up program, and that it has focused its follow-up  
               efforts on targeted direct mail and email outreach to
               consumers letting them know that there are certified
               representatives near them who can help them complete their  
               applications.

           3)CENTER FOR DEMOCRACY AND TECHNOLOGY ARTICLE  .  A 2012
            article published by the Center for Democracy and Technology
            provides an overview of state and federal laws and privacy
            rules that may be relevant for California's Exchange,
            including the federal Privacy Act of 1974, California's
            Information Privacy Act, the California Confidentiality of
            Medical Information Act, and HIPAA.  The article notes that,
            because the Exchange will give consumers a single online
            portal to access private health insurance, Medi-Cal, and
            children's health programs, Exchange operations will require
            new and unique exchanges of data among state agencies, the
            federal government, private health plans, businesses,
            individuals, and the Exchange.  The paper concludes that, to
            build trust in the Exchange, California must create specific
            policies that implement fair information practices and adhere
            to ACA requirements.  The paper urges the state to work with
            consumers and other stakeholders to begin developing strong
            policies and best practices to govern information collected
            and shared by the state's Exchange.

           4)PROPOSED FEDERAL REGULATIONS  .  On March 14, 2014, the federal  
            Centers for Medicare and Medicaid Services released a proposed  
            regulation titled "Patient Protection and Affordable Care Act:  
            Exchange and Insurance Market Standards for 2015 and Beyond"  
            that includes proposed processes for the imposition of civil  
            penalties by HHS for improper use or disclosure of  
            information.  HHS states the intent of this proposed rule is  
            to create appropriate penalties for any person who does not  
            comply with relevant statutory and regulatory provisions which  
            limit the ways in which information provided by an applicant  
            or from a federal agency can be used.  HHS further states that  
            it intends to work in collaboration with states to oversee,  
            monitor, and enforce compliance to protect consumers, avoid  
            duplication of efforts, and provide consistent enforcement  
            practices.  The proposed regulations also include new  
            standards for navigators and non-navigator assistance  
            personnel for consumer contact, interaction, and marketing  
            practices, with the intent to ensure that practices are  
            protective of the privacy and security interests of the  
            consumers they serve.

          5)BUREAU OF STATE AUDITS REPORT  .  Current law authorizes the  
            State Auditor to establish a high-risk audit program, to issue  
            reports with recommendations for improving issues it  
            identifies as high risk, either due to vulnerability to fraud,  
            waste, abuse, and mismanagement, or because an issue is of  
            particular interest to the citizens of the state or has  
            potentially significant effects on public health, safety, and  
            economic well-being.  In July 2013, the State Auditor, due to  
            potential financial challenges, added Covered California's  
            operations to its list of high-risk issues.  The audit report  
            finds that, within the limits of the information it currently  
            has, Covered California appears to have engaged in a  
            deliberate, thoughtful financial planning effort to anticipate  
            the several contingencies it may face.  

          The report notes that Covered California's financial  
            sustainability is wholly dependent on enrollment in QHPs  
            offered through the Exchange.  The report notes enrollment in  
            QHPs is, in turn, largely dependent upon the success of  
            outreach efforts.  Accordingly, one of the report's  
            recommendations is for Covered California to track the effect  
            of outreach and marketing activities and of the assister  
            program.  Covered California agreed with this recommendation  
            (and the report's other recommendations) and indicated it will  
            use various data components generated throughout the customer  
            relationship to track key metrics such as organizational  
            awareness, media campaign drivers, response rates, Website  
            visits, lead generation, and ultimately enrollment.  Covered  
            California indicates its goal is to use insights from these  
            data to allocate and adjust outreach efforts to have the best  
            possible enrollment for the investment.  

           6)OPPOSITION  .  The Electronic Frontier Foundation, with a  
            position of "oppose unless amended," argues that this bill is  
            silent on larger privacy, security, and accountability issues  
            that federal rules mandate, and requests an amendment to  
            address the full range of privacy and security requirements in  
            federal regulations.  In opposition, the American Federation  
            of State, County and Municipal Employees (AFSCME) writes it is  
            important to balance consumers' privacy rights with the need  
            of the Exchange to facilitate outreach and enrollment in  
            coverage.  AFSCME asserts this bill fails to recognize the  
            need for outreach and enrollment entities to reach potentially  
            eligible people to get them enrolled.  Health Access
            California, in opposition, writes this bill, as drafted, may
            prevent the sharing of marketing leads with outreach grantees,  
            thus hamstringing its marketing and outreach and denying  
            Californians access to low cost or no cost coverage.  Health  
            Access further notes this bill may be premature in light of  
            recently proposed federal privacy regulations for Exchanges.  

          The California State Council of the Service Employees  
            International Union (SEIU), with a position of "oppose unless  
            amended," writes that this bill, as drafted, requires an  
            individual to confirm his or her eligibility for a qualified  
            health plan offered by the Exchange prior to the individual's  
            information being shared.  SEIU states that this bill  
            therefore would prohibit Covered California from sharing any  
            information about Medi-Cal eligible individuals with counties  
            who are required to make Medi-Cal eligibility determinations  
            and enrollments.  SEIU writes that, by interfering with the  
            transfer of information between Covered California and  
            counties, this bill creates a "wrong door" for these  
            individuals, violating one of the core principles of the ACA.   
            SEIU therefore requests amendments to more narrowly address  
            the problem, to only apply to eligibility determinations and  
            enrollments in QHPs through Covered California, and to exclude  
            county human services departments from the individuals with  
            whom information is shared under this bill.  

          SEIU further asserts that its experience over the past six  
            months has been that individuals, interested in getting  
            additional information and assistance, have been frustrated by  
            existing barriers to sharing information among Covered  
            California's employees, agents, subcontractors,  
            representatives, or partners.  Under privacy protections  
            already in place, leads were sent to Covered California with  
            no ability for community partners to assess the outcome of  
            those leads, making it difficult for these partners to provide  
            consumers the help they requested.  

           7)RELATED LEGISLATION  .  

             a)   AB 1428 (Conway), Chapter 561, Statutes of 2013,  
               clarifies criminal background check requirements for  
               employees, contractors, and vendors who facilitate  
               enrollment in the Exchange.

             b)   AB 1829 (Conway) prohibits the Exchange from hiring or
               contracting with individuals who have been convicted of
               certain felonies or violations if the person would be  
               facilitating enrollment or have access to financial or  
               medical information.  AB 1829 is pending in this Committee  
               and is set for hearing April 22, 2014.

             c)   AB 1830 (Conway) prohibits the Exchange from using or  
               disclosing personal information except as necessary to  
               carry out the Exchange's functions under the ACA and  
               creates a civil penalty of up to $25,000 per individual or  
               entity, per use or disclosure.  AB 1830 is pending in this  
               Committee and is set for hearing April 22, 2014.

             d)   AB 2147 (Melendez) requires agencies to obtain an  
               individual's prior written voluntary consent before  
               releasing the individual's personal information to an  
               independent contractor or other worker who is not an agency  
               employee.  AB 2147 is pending in the Assembly Judiciary  
               Committee.

             e)   AB 2301 (Mansoor) requires the Exchange to report on a  
               quarterly basis on enrollments and disenrollments under  
               QHPs purchased through the Exchange by specified  
               categories.  AB 2301 is pending in this Committee and is  
               set for hearing April 22, 2014.

             f)   SB 509 (DeSaulnier and Emmerson), Chapter 10, Statutes  
               of 2013, requires fingerprint-based background checks for  
               all Exchange employees, contractors, volunteers, or vendors  
               with access to enrollees' personal information.  

             g)   SB 974 (Anderson) prohibits the Exchange from disclosing  
               an individual's personal information to any other person or  
               entity without explicit permission and requires the  
               Exchange to report a disclosure in violation of this  
               provision within five business days.  SB 974 is pending in  
               the Senate Appropriations Committee.

           8)PREVIOUS LEGISLATION  .  AB 1602 (John A. Pérez), Chapter 655,  
            Statutes of 2010, and SB 900 (Alquist), Chapter 659, Statutes  
            of 2010, establish the Exchange and its powers and duties.

           9)DOUBLE REFERRED  .  This bill is double referred; should it pass
            out of this Committee, it will be referred to the Assembly
            Committee on Judiciary.

           10)POLICY COMMENTS  .  

             a)   This bill creates a broad prohibition on the sharing of  
               consumer information by Covered California.  In addition to  
               the limitations this places on Covered California's  
               partnership with Medi-Cal raised by the opposition, this  
               prohibition could be detrimental to the financial  
               sustainability of Covered California, which depends on an  
               enrollment strategy that includes third party enrollment  
               entities and insurance agents.
              
              b)   Proposed federal regulations governing civil penalties  
               for privacy and security violations and creating standards  
               for navigators and non-navigator assistance personnel are  
               still pending.  Because these regulations may or may not be  
               adopted in their current proposed form (comments are being  
               accepted through April 18, 2014), this bill may be  
               premature. 
              
          REGISTERED SUPPORT / OPPOSITION  :  

           Support 
           
          None on file.
           
          Opposition 
           
          American Civil Liberties Union of California (unless amended)
          American Federation of State, County and Municipal Employees
          California Coverage and Health Initiatives
          Electronic Frontier Foundation (unless amended)
          Health Access California (unless amended)
          Service Employees International Union, California State Council  
          (unless amended)
          Service Employees International Union Local 1000 (unless  
          amended)
          Western Center on Law and Poverty (unless amended)
           
          Analysis Prepared by  :    Ben Russell / HEALTH / (916) 319-2097