BILL NUMBER: AB 322	AMENDED
	BILL TEXT

	AMENDED IN ASSEMBLY  MARCH 26, 2015

INTRODUCED BY   Assembly Member Waldron

                        FEBRUARY 13, 2015

   An act to amend Section  130300 of the Health and Safety
Code, relating to health insurance   1798.85 of the
Civil Code, relating to privacy  .


	LEGISLATIVE COUNSEL'S DIGEST


   AB 322, as amended, Waldron.  Health insurance. 
 Privacy: social security numbers.  
   Existing law prohibits a person or entity, with specified
exceptions, from publicly posting or displaying an individual's
social security number, print a social security number on any card,
require the transmitting of a social security number over the
internet, require the use of a social security number, or the sale of
a social security number, as specified.  
   This bill would prohibit a person, entity, state agency, or local
agency from electronically collecting, retaining, maintaining,
licensing, or using a social security number unless the social
security number is encrypted. This bill would also prohibit a person,
entity, state agency, or local agency from electronically sharing,
transmitting, or disclosing a social security number unless it is
encrypted.  
   Existing law, the Health Insurance Portability and Accountability
Implementation Act of 2001, establishes the Office of HIPAA
Implementation within the California Health and Human Services
Agency, which is responsible for implementing the provisions of the
federal Health Insurance Portability and Accountability Act (HIPAA).
Under the act, the office is required, until January 1, 2016, to,
among other things, determine the provisions of state law that are
preempted by HIPAA. The provisions of the act will repeal on that
date.  
   This bill would make technical, nonsubstantive changes to those
provisions. 
   Vote: majority. Appropriation: no. Fiscal committee:  no
 yes  . State-mandated local program: no.


THE PEOPLE OF THE STATE OF CALIFORNIA DO ENACT AS FOLLOWS:

   SECTION 1.    Section 1798.85 of the   Civil
Code   is amended to read: 
   1798.85.  (a) Except as provided in this section, a person or
entity may not do any of the following:
   (1) Publicly post or publicly display in any manner an individual's
social security number. "Publicly post" or "publicly display" means
to intentionally communicate or otherwise make available to the
general public.
   (2) Print an individual's social security number on any card
required for the individual to access products or services provided
by the person or entity.
   (3) Require an individual to transmit his or her social security
number over the Internet, unless the connection is secure or the
social security number is encrypted.
   (4) Require an individual to use his or her social security number
to access an Internet Web site, unless a password or unique personal
identification number or other authentication device is also
required to access the Internet Web site.
   (5) Print an individual's social security number on any materials
that are mailed to the individual, unless state or federal law
requires the social security number to be on the document to be
mailed. Notwithstanding this paragraph, social security numbers may
be included in applications and forms sent by mail, including
documents sent as part of an application or enrollment process, or to
establish, amend or terminate an account, contract or policy, or to
confirm the accuracy of the social security number. A social security
number that is permitted to be mailed under this section may not be
printed, in whole or in part, on a postcard or other mailer not
requiring an envelope, or visible on the envelope or without the
envelope having been opened.
   (6) Sell, advertise for sale, or offer to sell an individual's
social security number. For purposes of this paragraph, the following
apply:
   (A) "Sell" shall not include the release of an individual's social
security number if the release of the social security number is
incidental to a larger transaction and is necessary to identify the
individual in order to accomplish a legitimate business purpose.
Release of an individual's social security number for marketing
purposes is not permitted.
   (B) "Sell" shall not include the release of an individual's social
security number for a purpose specifically authorized or
specifically allowed by federal or state law.
   (b) This section does not prevent the collection, use, or release
of a social security number as required by state or federal law or
the use of a social security number for internal verification or
administrative purposes.
   (c) This section does not prevent an adult state correctional
facility, an adult city jail, or an adult county jail from releasing
an inmate's social security number, with the inmate's consent and
upon request by the county veterans service officer or the United
States Department of Veterans Affairs, for the purposes of
determining the inmate's status as a military veteran and his or her
eligibility for federal, state, or local veterans' benefits or
services.
   (d) This section does not apply to documents that are recorded or
required to be open to the public pursuant to Chapter 3.5 (commencing
with Section 6250), Chapter 14 (commencing with Section 7150) or
Chapter 14.5 (commencing with Section 7220) of Division 7 of Title 1
of, Article 9 (commencing with Section 11120) of Chapter 1 of Part 1
of Division 3 of Title 2 of, or Chapter 9 (commencing with Section
54950) of Part 1 of Division 2 of Title 5 of, the Government Code.
This section does not apply to records that are required by statute,
case law, or California Rule of Court, to be made available to the
public by entities provided for in Article VI of the California
Constitution.
   (e) (1) In the case of a health care service plan, a provider of
health care, an insurer or a pharmacy benefits manager, a contractor
as defined in Section 56.05, or the provision by any person or entity
of administrative or other services relative to health care or
insurance products or services, including third-party administration
or administrative services only, this section shall become operative
in the following manner:
   (A) On or before January 1, 2003, the entities listed in paragraph
(1) shall comply with paragraphs (1), (3), (4), and (5) of
subdivision (a) as these requirements pertain to individual
policyholders or individual contractholders.
   (B) On or before January 1, 2004, the entities listed in paragraph
(1) shall comply with paragraphs (1) to (5), inclusive, of
subdivision (a) as these requirements pertain to new individual
policyholders or new individual contractholders and new groups,
including new groups administered or issued on or after January 1,
2004.
   (C) On or before July 1, 2004, the entities listed in paragraph
(1) shall comply with paragraphs (1) to (5), inclusive, of
subdivision (a) for all individual policyholders and individual
contractholders, for all groups, and for all enrollees of the Healthy
Families and Medi-Cal programs, except that for individual
policyholders, individual contractholders and groups in existence
prior to January 1, 2004, the entities listed in paragraph (1) shall
comply upon the renewal date of the policy, contract, or group on or
after July 1, 2004, but no later than July 1, 2005.
   (2) A health care service plan, a provider of health care, an
insurer or a pharmacy benefits manager, a contractor, or another
person or entity as described in paragraph (1) shall make reasonable
efforts to cooperate, through systems testing and other means, to
ensure that the requirements of this article are implemented on or
before the dates specified in this section.
   (3) Notwithstanding paragraph (2), the Director of the Department
of Managed Health Care, pursuant to the authority granted under
Section 1346 of the Health and Safety Code, or the Insurance
Commissioner, pursuant to the authority granted under Section 12921
of the Insurance Code, and upon a determination of good cause, may
grant extensions not to exceed six months for compliance by health
care service plans and insurers with the requirements of this section
when requested by the health care service plan or insurer. Any
extension granted shall apply to the health care service plan or
insurer's affected providers, pharmacy benefits manager, and
contractors.
   (f) If a federal law takes effect requiring the United States
Department of Health and Human Services to establish a national
unique patient health identifier program, a provider of health care,
a health care service plan, a licensed health care professional, or a
contractor, as those terms are defined in Section 56.05, that
complies with the federal law shall be deemed in compliance with this
section.
   (g) A person or entity may not encode or embed a social security
number in or on a card or document, including, but not limited to,
using a barcode, chip, magnetic strip, or other technology, in place
of removing the social security number, as required by this section.
   (h) (1) A person, entity, state agency, or local agency may not
electronically collect, retain, maintain, license, or use a social
security number unless the social security number is encrypted.
   (2) A person, entity, state agency, or local agency may not
electronically share, transmit, or disclose a social security number
unless the connection is secure or the social security number is
encrypted.  
   (3) Paragraphs (1) and (2) shall not apply if any of the following
circumstances are met:  
   (A) The person, entity, state agency, or local agency that
electronically collects, retains, maintains, licenses, uses, shares,
transmits, or discloses an individual's social security number alters
the social security number or uses other security measures such that
the social security number could not be linked to a specific
individual.  
   (B) The person, entity, state agency, or local agency causes to be
covered by a contractual or other legally enforceable prohibition on
each third party to which the person, entity, state agency, or local
agency electronically collects, retains, maintains, licenses, uses,
shares, transmits, or discloses an individual's social security
number from attempting to link the data to a specific individual.
   (C) The social security number is used for any public licenses or
public records associated with employment, when that information is
collected or used by an employer or a third party in connection with
employment status.  
   (D) The person, entity, state agency, or local agency
electronically collects, retains, maintains, licenses, uses, shares,
transmits, or discloses fewer than 10,000 social security numbers
during a 12-month period or has five or fewer employees, and does not
knowingly collect, retain, maintain, license, use, share, transmit,
or disclose any information that includes personal data linked with
social security numbers.  
   (E) A person or entity has 25 or fewer employees and would
otherwise be covered under this subdivision because the data that the
person or entity processes related to job applicants and employees
in the ordinary course of business.  
   (F) A person, entity, state agency, or local agency covered by
this subdivision is also covered by one of the following provisions
of federal privacy or security law:  
   (i) The Privacy Act of 1974 (5 U.S.C. Sec. 552a).  
   (ii) The Right to Financial Privacy Act of 1978 (12 U.S.C. Sec.
3401 et seq.).  
   (iii) The Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).
   (iv) The Fair Debt Collection Practices Act (15 U.S.C. Sec. 1692
et seq.).  
   (v) The Children's Online Privacy Protection Act of 1998 (15
U.S.C. Sec. 6501 et seq.).  
   (vi) Title V of the Gramm-Leach-Bliley Financial Modernization Act
(15 U.S.C. Sec. 6801 et seq.).  
   (vii) Chapters 119, 121, 123, and 206 of Title 18 of the United
States Code.  
   (viii) The Family Educational Rights and Privacy Act of 1974 (20
U.S.C. Sec. 1232g).  
   (ix) The Protection of Pupil Rights Amendment (20 U.S.C. Sec.
1232h).  
   (x) Sections 5701 and 7332 of Title 38 of the United States Code.
   (xi) The Health Insurance Portability and Accountability Act of
1996 (42 U.S.C. Sec. 1320d-2 et seq.).  
   (xii) The Privacy Protection Act of 1980 (42 U.S.C. Sec. 2000aa et
seq.).  
   (xiii) Part C of Title XI of the Social Security Act.  
   (xiv) Subtitle D of Title IV of the Health Information Technology
for Economic and Clinical Health Act, which was enacted under Title
XIII of the American Recovery and Reinvestment Act of 2009 (Public
Law 111-5).  
   (xv) The E-Government Act of 2002 (44 U.S.C. Sec. 101 et seq.).
   (xvi) The Paperwork Reduction Act of 1995 (44 U.S.C. Sec. 3501 et
seq.).  
   (xvii) Any other federal privacy law or regulation enacted after
January 1, 2015.  
   (4) The amendments made to this section by the act adding this
paragraph shall become operative on July 1, 2017.  
   (h) 
    (i)  This section shall become operative, with respect
to the University of California, in the following manner:
   (1) On or before January 1, 2004, the University of California
shall comply with paragraphs (1), (2), and (3) of subdivision (a).
   (2) On or before January 1, 2005, the University of California
shall comply with paragraphs (4) and (5) of subdivision (a). 

   (i) 
    (j)  This section shall become operative with respect to
the Franchise Tax Board on January 1, 2007. 
   (j) 
    (k)  This section shall become operative with respect to
the California community college districts on January 1, 2007.

   (k) 
    (l)  This section shall become operative with respect to
the California State University system on July 1, 2005. 
   (l)
    (m)  This section shall become operative, with respect
to the California Student Aid Commission and its auxiliary
organization, in the following manner:
   (1) On or before January 1, 2004, the commission and its auxiliary
organization shall comply with paragraphs (1), (2), and (3) of
subdivision (a).
   (2) On or before January 1, 2005, the commission and its auxiliary
organization shall comply with paragraphs (4) and (5) of subdivision
(a). 
  SECTION 1.    Section 130300 of the Health and
Safety Code is amended to read:
   130300.  This division shall be known, and may be cited as, the
Health Insurance Portability and Accountability Implementation Act of
2001.