Amended in Assembly March 26, 2015

California Legislature—2015–16 Regular Session

Assembly Bill No. 322


Introduced by Assembly Member Waldron

February 13, 2015


An act to amend Section begin delete 130300 of the Health and Safety Code, relating to health insurance end delete begin insert 1798.85 of the Civil Code, relating to privacy end insert.

LEGISLATIVE COUNSEL’S DIGEST

AB 322, as amended, Waldron. begin delete Health insurance. end delete begin insert Privacy: social security numbers. end insert

begin insert

Existing law prohibits a person or entity, with specified exceptions, from publicly posting or displaying an individual’s social security number, print a social security number on any card, require the transmitting of a social security number over the internet, require the use of a social security number, or the sale of a social security number, as specified.

end insert
begin insert

This bill would prohibit a person, entity, state agency, or local agency from electronically collecting, retaining, maintaining, licensing, or using a social security number unless the social security number is encrypted. This bill would also prohibit a person, entity, state agency, or local agency from electronically sharing, transmitting, or disclosing a social security number unless it is encrypted.

end insert
begin delete

Existing law, the Health Insurance Portability and Accountability Implementation Act of 2001, establishes the Office of HIPAA Implementation within the California Health and Human Services Agency, which is responsible for implementing the provisions of the federal Health Insurance Portability and Accountability Act (HIPAA). Under the act, the office is required, until January 1, 2016, to, among other things, determine the provisions of state law that are preempted by HIPAA. The provisions of the act will repeal on that date.

end delete
begin delete

This bill would make technical, nonsubstantive changes to those provisions.

end delete

Vote: majority. Appropriation: no. Fiscal committee: begin delete no end delete begin insert yes end insert. State-mandated local program: no.

The people of the State of California do enact as follows:

begin insert

SECTION 1.  Section 1798.85 of the Civil Code is amended to read:

end insert

1798.85.  (a) Except as provided in this section, a person or entity may not do any of the following:

(1) Publicly post or publicly display in any manner an individual’s social security number. “Publicly post” or “publicly display” means to intentionally communicate or otherwise make available to the general public.

(2) Print an individual’s social security number on any card required for the individual to access products or services provided by the person or entity.

(3) Require an individual to transmit his or her social security number over the Internet, unless the connection is secure or the social security number is encrypted.

(4) Require an individual to use his or her social security number to access an Internet Web site, unless a password or unique personal identification number or other authentication device is also required to access the Internet Web site.

(5) Print an individual’s social security number on any materials that are mailed to the individual, unless state or federal law requires the social security number to be on the document to be mailed. Notwithstanding this paragraph, social security numbers may be included in applications and forms sent by mail, including documents sent as part of an application or enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the social security number. A social security number that is permitted to be mailed under this section may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened.

(6) Sell, advertise for sale, or offer to sell an individual’s social security number. For purposes of this paragraph, the following apply:

(A) “Sell” shall not include the release of an individual’s social security number if the release of the social security number is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose. Release of an individual’s social security number for marketing purposes is not permitted.

(B) “Sell” shall not include the release of an individual’s social security number for a purpose specifically authorized or specifically allowed by federal or state law.

(b) This section does not prevent the collection, use, or release of a social security number as required by state or federal law or the use of a social security number for internal verification or administrative purposes.

(c) This section does not prevent an adult state correctional facility, an adult city jail, or an adult county jail from releasing an inmate’s social security number, with the inmate’s consent and upon request by the county veterans service officer or the United States Department of Veterans Affairs, for the purposes of determining the inmate’s status as a military veteran and his or her eligibility for federal, state, or local veterans’ benefits or services.

(d) This section does not apply to documents that are recorded or required to be open to the public pursuant to Chapter 3.5 (commencing with Section 6250), Chapter 14 (commencing with Section 7150) or Chapter 14.5 (commencing with Section 7220) of Division 7 of Title 1 of, Article 9 (commencing with Section 11120) of Chapter 1 of Part 1 of Division 3 of Title 2 of, or Chapter 9 (commencing with Section 54950) of Part 1 of Division 2 of Title 5 of, the Government Code. This section does not apply to records that are required by statute, case law, or California Rule of Court, to be made available to the public by entities provided for in Article VI of the California Constitution.

(e) (1) In the case of a health care service plan, a provider of health care, an insurer or a pharmacy benefits manager, a contractor as defined in Section 56.05, or the provision by any person or entity of administrative or other services relative to health care or insurance products or services, including third-party administration or administrative services only, this section shall become operative in the following manner:

(A) On or before January 1, 2003, the entities listed in paragraph (1) shall comply with paragraphs (1), (3), (4), and (5) of subdivision (a) as these requirements pertain to individual policyholders or individual contractholders.

(B) On or before January 1, 2004, the entities listed in paragraph (1) shall comply with paragraphs (1) to (5), inclusive, of subdivision (a) as these requirements pertain to new individual policyholders or new individual contractholders and new groups, including new groups administered or issued on or after January 1, 2004.

(C) On or before July 1, 2004, the entities listed in paragraph (1) shall comply with paragraphs (1) to (5), inclusive, of subdivision (a) for all individual policyholders and individual contractholders, for all groups, and for all enrollees of the Healthy Families and Medi-Cal programs, except that for individual policyholders, individual contractholders and groups in existence prior to January 1, 2004, the entities listed in paragraph (1) shall comply upon the renewal date of the policy, contract, or group on or after July 1, 2004, but no later than July 1, 2005.

(2) A health care service plan, a provider of health care, an insurer or a pharmacy benefits manager, a contractor, or another person or entity as described in paragraph (1) shall make reasonable efforts to cooperate, through systems testing and other means, to ensure that the requirements of this article are implemented on or before the dates specified in this section.

(3) Notwithstanding paragraph (2), the Director of the Department of Managed Health Care, pursuant to the authority granted under Section 1346 of the Health and Safety Code, or the Insurance Commissioner, pursuant to the authority granted under Section 12921 of the Insurance Code, and upon a determination of good cause, may grant extensions not to exceed six months for compliance by health care service plans and insurers with the requirements of this section when requested by the health care service plan or insurer. Any extension granted shall apply to the health care service plan or insurer’s affected providers, pharmacy benefits manager, and contractors.

(f) If a federal law takes effect requiring the United States Department of Health and Human Services to establish a national unique patient health identifier program, a provider of health care, a health care service plan, a licensed health care professional, or a contractor, as those terms are defined in Section 56.05, that complies with the federal law shall be deemed in compliance with this section.

(g) A person or entity may not encode or embed a social security number in or on a card or document, including, but not limited to, using a barcode, chip, magnetic strip, or other technology, in place of removing the social security number, as required by this section.

begin insert

(h) (1) A person, entity, state agency, or local agency may not electronically collect, retain, maintain, license, or use a social security number unless the social security number is encrypted.

end insert

begin insert

(2) A person, entity, state agency, or local agency may not electronically share, transmit, or disclose a social security number unless the connection is secure or the social security number is encrypted.

end insert
begin insert

(3) Paragraphs (1) and (2) shall not apply if any of the following circumstances are met:

end insert
begin insert

(A) The person, entity, state agency, or local agency that electronically collects, retains, maintains, licenses, uses, shares, transmits, or discloses an individual’s social security number alters the social security number or uses other security measures such that the social security number could not be linked to a specific individual.

end insert
begin insert

(B) The person, entity, state agency, or local agency causes to be covered by a contractual or other legally enforceable prohibition on each third party to which the person, entity, state agency, or local agency electronically collects, retains, maintains, licenses, uses, shares, transmits, or discloses an individual’s social security number from attempting to link the data to a specific individual.

end insert
begin insert

(C) The social security number is used for any public licenses or public records associated with employment, when that information is collected or used by an employer or a third party in connection with employment status.

end insert
begin insert

(D) The person, entity, state agency, or local agency electronically collects, retains, maintains, licenses, uses, shares, transmits, or discloses fewer than 10,000 social security numbers during a 12-month period or has five or fewer employees, and does not knowingly collect, retain, maintain, license, use, share, transmit, or disclose any information that includes personal data linked with social security numbers.

end insert
begin insert

(E) A person or entity has 25 or fewer employees and would otherwise be covered under this subdivision because the data that the person or entity processes related to job applicants and employees in the ordinary course of business.

end insert
begin insert

(F) A person, entity, state agency, or local agency covered by this subdivision is also covered by one of the following provisions of federal privacy or security law:

end insert
begin insert

(i) The Privacy Act of 1974 (5 U.S.C. Sec. 552a).

end insert
begin insert

(ii) The Right to Financial Privacy Act of 1978 (12 U.S.C. Sec. 3401 et seq.).

end insert
begin insert

(iii) The Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).

end insert
begin insert

(iv) The Fair Debt Collection Practices Act (15 U.S.C. Sec. 1692 et seq.).

end insert
begin insert

(v) The Children’s Online Privacy Protection Act of 1998 (15 U.S.C. Sec. 6501 et seq.).

end insert
begin insert

(vi) Title V of the Gramm-Leach-Bliley Financial Modernization Act (15 U.S.C. Sec. 6801 et seq.).

end insert
begin insert

(vii) Chapters 119, 121, 123, and 206 of Title 18 of the United States Code.

end insert
begin insert

(viii) The Family Educational Rights and Privacy Act of 1974 (20 U.S.C. Sec. 1232g).

end insert
begin insert

(ix) The Protection of Pupil Rights Amendment (20 U.S.C. Sec. 1232h).

end insert
begin insert

(x) Sections 5701 and 7332 of Title 38 of the United States Code.

end insert
begin insert

(xi) The Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d-2 et seq.).

end insert
begin insert

(xii) The Privacy Protection Act of 1980 (42 U.S.C. Sec. 2000aa et seq.).

end insert
begin insert

(xiii) Part C of Title XI of the Social Security Act.

end insert
begin insert

(xiv) Subtitle D of Title IV of the Health Information Technology for Economic and Clinical Health Act, which was enacted under Title XIII of the American Recovery and Reinvestment Act of 2009 (Public Law 111-5).

end insert
begin insert

(xv) The E-Government Act of 2002 (44 U.S.C. Sec. 101 et seq.).

end insert
begin insert

(xvi) The Paperwork Reduction Act of 1995 (44 U.S.C. Sec. 3501 et seq.).

end insert
begin insert

(xvii) Any other federal privacy law or regulation enacted after January 1, 2015.

end insert
begin insert

(4) The amendments made to this section by the act adding this paragraph shall become operative on July 1, 2017.

end insert
begin delete

(h)

end delete

begin insert (i) end insert This section shall become operative, with respect to the University of California, in the following manner:

(1) On or before January 1, 2004, the University of California shall comply with paragraphs (1), (2), and (3) of subdivision (a).

(2) On or before January 1, 2005, the University of California shall comply with paragraphs (4) and (5) of subdivision (a).

begin delete

(i)

end delete

begin insert (j) end insert This section shall become operative with respect to the Franchise Tax Board on January 1, 2007.

begin delete

(j)

end delete

begin insert (k) end insert This section shall become operative with respect to the California community college districts on January 1, 2007.

begin delete

(k)

end delete

begin insert (l) end insert This section shall become operative with respect to the California State University system on July 1, 2005.

begin delete

(l)

end delete

begin insert (m) end insert This section shall become operative, with respect to the California Student Aid Commission and its auxiliary organization, in the following manner:

(1) On or before January 1, 2004, the commission and its auxiliary organization shall comply with paragraphs (1), (2), and (3) of subdivision (a).

(2) On or before January 1, 2005, the commission and its auxiliary organization shall comply with paragraphs (4) and (5) of subdivision (a).

begin delete

SECTION 1.  Section 130300 of the Health and Safety Code is amended to read:

130300.  This division shall be known, and may be cited as, the Health Insurance Portability and Accountability Implementation Act of 2001.

end delete

