AB 1830, as amended, Conway. California Health Benefit Exchange: confidentiality of personally identifiable information.
Existing law, the federal Patient Protection and Affordable Care Act (PPACA), requires each state to establish an American Health Benefit Exchange by January 1, 2014, that makes available qualified health plans to qualified individuals and small employers. PPACA prohibits an Exchange from using or disclosing the personally identifiable information it creates or collects other than to the extent necessary to carry out specified functions. Existing law also requires an Exchange to establish and implement privacy and security standards that are consistent with specified principles and to require the same or more stringent privacy and security standards as a condition of contract or agreement with individuals or entities. A person who knowingly and willfully uses or discloses information in violation of PPACA is subject to a civil penalty of no more than $25,000 per person or entity, per use or disclosure, in addition to any other penalties prescribed by law.
Existing state law establishes the California Health Benefit Exchange within state government, specifies the powers and duties of the board governing the Exchange, and requires the board to facilitate the purchase of qualified health plans through the Exchange by qualified individuals and small employers by January 1, 2014. Existing law requires the board to employ necessary staff and authorizes the board to enter into contracts. Under existing law, the board of the Exchange is required to submit fingerprint images to the Department of Justice for all employees, prospective employees, contractors, subcontractors, volunteers, or vendors of the Exchange whose duties include access to specified personal information for the purposes of obtaining state or federal conviction records, as specified.
This bill would, where the Exchange creates or collects personally identifiable information for the purpose of determining eligibility for specified plans and programs, authorize the Exchange to use or disclose that information only to the extent necessary to carry out specified functions authorized under PPACA begin insert or to carry out other nonspecified functions that satisfy certain federal criteria. The bill would require the Exchange to establish and implement privacy and security standards that are consistent with specified principles and to execute a contract with a non-Exchange entity that contains various provisions, including a provision requiring the non-Exchange entity to comply with the same privacy and security standards and to bind any downstream entity to those privacy and security standards end insert. The bill would prohibit a contractor, subcontractor, volunteer, or vendor of the Exchange who gains access to personally identifiable information in the course of fulfilling his, her, or its duties as a contractor, subcontractor, volunteer, or vendor from using or disclosing that information other than to the extent necessary to carry out those duties begin insert, except as specified end insert. begin delete The bill would require a contractor, subcontractor, volunteer, or vendor of the Exchange to comply with the privacy and security standards adopted by the Exchange pursuant to PPACA. end delete An individual or entity who knowingly and willfully violates begin delete these end delete begin insert the bill’s disclosure end insert provisions would be subject to a civil penalty of not more than $25,000 per individual or entity, per use or disclosure, in addition to any other penalties prescribed by law.
Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.
The people of the State of California do enact as follows:
Section 100509 is added to the Government Code, to read:
(a) (1) Where the Exchange creates or collects personally identifiable information for the purpose of determining eligibility for enrollment in a qualified health plan, determining eligibility for other insurance affordability programs, as defined in Section 155.20 of Title 45 of the Code of Federal Regulations, or determining eligibility for exemptions from the individual responsibility provisions in Section 5000A of the federal Internal Revenue Code, the Exchange may only use or disclose the information to the extent necessary to carry out the functions described in Section 155.200 of Title 45 of the Code of Federal Regulations begin insert or to carry out the functions not described in Section 155.200 of Title 45 of the Code of Federal Regulations that satisfy Section 155.260(a)(1)(ii) or (iii) of Title 45 of the Code of Federal Regulations end insert.
(2) The Exchange shall not create, collect, use, or disclose personally identifiable information begin delete while fulfilling its responsibilities in accordance with this title and Section 155.200 of Title 45 of the Code of Federal Regulations end delete unless the creation, collection, use, or disclosure is consistent with Section 155.260 of Title 45 of the Code of Federal Regulations.
(3) The Exchange shall establish and implement privacy and security standards that are consistent with the principles listed in Section 155.260(a)(3) of Title 45 of the Code of Federal Regulations.
begin delete (3) end delete begin insert (4) end insert For purposes of this subdivision, “Exchange” includes a member of the board or staff of the Exchange.
(b) Prior to becoming a non-Exchange entity, the Exchange shall execute a contract with the entity that includes all of the following:
(1) A description of the functions to be performed by the non-Exchange entity.
(2) A provision requiring the non-Exchange entity to comply with the privacy and security standards adopted by the Exchange pursuant to subdivision (c), and specifically listing or incorporating those standards.
(3) A provision requiring the non-Exchange entity to monitor, periodically assess, and update its security controls and related system risks to ensure the continued effectiveness of those controls in accordance with Section 155.260(a)(5) of Title 45 of the Code of Federal Regulations.
(4) A provision requiring the non-Exchange entity to inform the Exchange of any change in its administrative, technical, or operational environments defined as material within the contract.
(5) A provision that requires the non-Exchange entity to bind any downstream entities to the same privacy and security standards and obligations to which the non-Exchange entity has agreed in its contract or agreement with the Exchange under paragraph (2).
(c) When the collection, use, or disclosure of personally identifiable information is not otherwise required by law, the privacy and security standards to which the Exchange shall bind a non-Exchange entity shall meet all of the following requirements:
(1) Be consistent with the principles and requirements listed in Section 155.260(a)(1) to (6), inclusive, of Title 45 of the Code of Federal Regulations.
(2) Comply with Section 155.260(c), (d), (f), and (g) of Title 45 of the Code of Federal Regulations.
(3) Take into consideration all of the following:
(A) The environment in which the non-Exchange entity is operating.
(B) Whether the standards are relevant and applicable to the non-Exchange entity’s duties and activities in connection with the Exchange.
(C) Any existing legal requirements to which the non-Exchange entity is bound in relation to its administrative, technical, and operational controls and practices, including, but not limited to, its existing data handling and information technology processes and protocols.
begin delete (b) end delete begin insert (d) end insert A contractor, subcontractor, volunteer, or vendor of the Exchange who gains access to personally identifiable information in the course of fulfilling his, her, or its duties as a contractor, subcontractor, volunteer, or vendor of the Exchange shall not use or disclose that information other than to the extent necessary to carry out those duties. begin insert This subdivision shall not apply to a contractor, subcontractor, volunteer, or vendor of the Exchange who is a covered entity under the federal Health Insurance Portability and Accountability Act and the regulations issued pursuant to Part C of that act (45 C.F.R. Parts 160 and 164), provided that the contractor, subcontractor, volunteer, or vendor otherwise complies with those federal laws and any other requirements applicable to the contractor, subcontractor, volunteer, or vendor pursuant to this section. end insert
begin delete (c) A contractor, subcontractor, volunteer, or vendor of the Exchange shall comply with the privacy and security standards adopted by the Exchange pursuant to Section 155.260 of Title 45 of the Code of Federal Regulations.
(d) end delete begin insert (e) end insert This section does not apply when the use or disclosure of personally identifiable information is otherwise compelled by judicial or administrative process or by any other provision of law, except as otherwise provided in the federal act.
begin delete (e) end delete begin insert (f) end insert Where the Exchange or a begin delete contractor, subcontractor, volunteer, or vendor of the Exchange end delete begin insert non-Exchange entity end insert has access to federal tax return information, that information shall be kept confidential and disclosed, used, and maintained only in accordance with Section 6103 of the federal Internal Revenue Code.
begin delete (f) end delete begin insert (g) end insert An individual or entity who knowingly and willfully violates begin delete this section end delete begin insert subdivision (a) or (d) end insert shall be subject to a civil penalty of not more than twenty-five thousand dollars ($25,000) per individual or entity, per use or disclosure, in addition to any other penalties prescribed by law.
begin delete (g) end delete begin insert (h) end insert For purposes of this section, begin delete “personally end delete begin insert the following definitions shall apply: end insert
(1) “Non-Exchange entity” means an individual or entity that does either of the following:
(A) Gains access to personally identifiable information submitted to the Exchange.
(B) Collects, uses, or discloses personally identifiable information gathered directly from applicants, qualified individuals, or enrollees while that individual or entity is performing functions agreed to with the Exchange.
begin insert (2) “Personally end insert identifiable information” means information that includes or contains any element of personal identifying information sufficient to allow identification of the individual, including, but not limited to, the individual’s name, address, electronic mail address, telephone number, social security number, credit card number, place or date of birth, biometric records, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.