California Legislature—2013–14 Regular Session

Assembly Bill No. 1830


Introduced by Assembly Member Conway

February 18, 2014


An act to add Section 100509 to the Government Code, relating to health care coverage.

LEGISLATIVE COUNSEL’S DIGEST

AB 1830, as introduced, Conway. California Health Benefit Exchange: confidentiality of personally identifiable information.

Existing law, the federal Patient Protection and Affordable Care Act (PPACA), requires each state to establish an American Health Benefit Exchange by January 1, 2014, that makes available qualified health plans to qualified individuals and small employers. PPACA prohibits an Exchange from using or disclosing the personally identifiable information it creates or collects other than to the extent necessary to carry out specified functions. Existing law also requires an Exchange to establish and implement privacy and security standards that are consistent with specified principles and to require the same or more stringent privacy and security standards as a condition of contract or agreement with individuals or entities. A person who knowingly and willfully uses or discloses information in violation of PPACA is subject to a civil penalty of no more than $25,000 per person or entity, per use or disclosure, in addition to any other penalties prescribed by law.

Existing state law establishes the California Health Benefit Exchange within state government, specifies the powers and duties of the board governing the Exchange, and requires the board to facilitate the purchase of qualified health plans through the Exchange by qualified individuals and small employers by January 1, 2014. Existing law requires the board to employ necessary staff and authorizes the board to enter into contracts. Under existing law, the board of the Exchange is required to submit fingerprint images to the Department of Justice for all employees, prospective employees, contractors, subcontractors, volunteers, or vendors of the Exchange whose duties include access to specified personal information for the purposes of obtaining state or federal conviction records, as specified.

This bill would, where the Exchange creates or collects personally identifiable information for the purpose of determining eligibility for specified plans and programs, authorize the Exchange to use or disclose that information only to the extent necessary to carry out specified functions authorized under PPACA. The bill would prohibit a contractor, subcontractor, volunteer, or vendor of the Exchange who gains access to personally identifiable information in the course of fulfilling his, her, or its duties as a contractor, subcontractor, volunteer, or vendor from using or disclosing that information other than to the extent necessary to carry out those duties. The bill would require a contractor, subcontractor, volunteer, or vendor of the Exchange to comply with the privacy and security standards adopted by the Exchange pursuant to PPACA. An individual or entity who knowingly and willfully violates these provisions would be subject to a civil penalty of not more than $25,000 per individual or entity, per use or disclosure, in addition to any other penalties prescribed by law.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:

SECTION 1. Section 100509 is added to the Government Code, to read:

100509. (a) (1) Where the Exchange creates or collects personally identifiable information for the purpose of determining eligibility for enrollment in a qualified health plan, determining eligibility for other insurance affordability programs, as defined in Section 155.20 of Title 45 of the Code of Federal Regulations, or determining eligibility for exemptions from the individual responsibility provisions in Section 5000A of the federal Internal Revenue Code, the Exchange may only use or disclose the information to the extent necessary to carry out the functions described in Section 155.200 of Title 45 of the Code of Federal Regulations.

(2) The Exchange shall not create, collect, use, or disclose personally identifiable information while fulfilling its responsibilities in accordance with this title and Section 155.200 of Title 45 of the Code of Federal Regulations unless the creation, collection, use, or disclosure is consistent with Section 155.260 of Title 45 of the Code of Federal Regulations.

(3) For purposes of this subdivision, “Exchange” includes a member of the board or staff of the Exchange.

(b) A contractor, subcontractor, volunteer, or vendor of the Exchange who gains access to personally identifiable information in the course of fulfilling his, her, or its duties as a contractor, subcontractor, volunteer, or vendor of the Exchange shall not use or disclose that information other than to the extent necessary to carry out those duties.

(c) A contractor, subcontractor, volunteer, or vendor of the Exchange shall comply with the privacy and security standards adopted by the Exchange pursuant to Section 155.260 of Title 45 of the Code of Federal Regulations.

(d) This section does not apply when the use or disclosure of personally identifiable information is otherwise compelled by judicial or administrative process or by any other provision of law, except as otherwise provided in the federal act.

(e) Where the Exchange or a contractor, subcontractor, volunteer, or vendor of the Exchange has access to federal tax return information, that information shall be kept confidential and disclosed, used, and maintained only in accordance with Section 6103 of the federal Internal Revenue Code.

(f) An individual or entity who knowingly and willfully violates this section shall be subject to a civil penalty of not more than twenty-five thousand dollars ($25,000) per individual or entity, per use or disclosure, in addition to any other penalties prescribed by law.

(g) For purposes of this section, “personally identifiable information” means information that includes or contains any element of personal identifying information sufficient to allow identification of the individual, including, but not limited to, the individual’s name, address, electronic mail address, telephone number, social security number, credit card number, place or date of birth, biometric records, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.


