BILL ANALYSIS
AB 1830
Page 1
Date of Hearing: April 22, 2014
ASSEMBLY COMMITTEE ON HEALTH
Richard Pan, Chair
AB 1830 (Conway) - As Amended: April 21, 2014
SUBJECT: California Health Benefit Exchange: confidentiality of
personally identifiable information.
SUMMARY: Prohibits the California Health Benefit Exchange
(Exchange, now known as Covered California) and its contractors
from using or disclosing personal information, except as
necessary to carry out functions allowed under specified federal
regulations under the Patient Protection and Affordable Care Act
(ACA) and creates a civil penalty of up to $25,000 per
individual or entity, per use or disclosure in violation of this
bill. Specifically, this bill:
1) Prohibits the Exchange from using or disclosing an
individual's personally identifiable information gathered for
eligibility or enrollment purposes, except:
a) To the extent necessary to carry out its functions as
spelled out in federal regulations; or
b) To carry out other functions, as permitted under federal
regulations, that have been approved by the Secretary of
Health and Human Services (HHS), with the consent of the
individual.
2) Specifies that personally identifiable information includes an
individual's name, address, e-mail address, telephone number,
social security number, credit card number, place or date of
birth, biometric records, or other information that, alone or
in combination with other publicly available information,
reveals the individual's identity.
3) Requires the Exchange to comply with specified federal
regulations on privacy and security.
4) Requires the Exchange to establish and implement privacy and
security standards that are consistent with specified
principles set out in federal regulations.
5) Requires the Exchange to execute a contract with each
non-Exchange entity that has access to personally identifiable
information that includes: a) a description of the entity's
functions; b) a requirement for the entity to comply with the
Exchange's privacy and security standards; c) a requirement
for the entity to monitor, assess, and update its security
controls; d) a requirement that the entity inform the Exchange
of any change in its administrative, technical, or operational
environments; and e) a requirement that the entity bind any
downstream entities to the same privacy and security standards
and obligations.
6) Requires privacy and security standards for non-Exchange
entities to be consistent with specified federal regulations
and to take into consideration the environment in which the
entity is operating, the relevance of the standards to the
entity's activities, and any existing legal data handling
requirements.
7) Prohibits the use or disclosure of personally identifiable
information by a contractor, volunteer, or vendor of the
Exchange except as necessary to carry out their duties and
requires these personnel to comply with the privacy and
security standards adopted by the Exchange pursuant to federal
regulations on privacy and security. Exempts contractors,
volunteers, and vendors who are covered entities under the
Health Insurance Portability and Accountability Act (HIPAA)
Privacy Rule from this requirement.
8) Requires the Exchange and a non-Exchange entity with access to
federal tax information to keep the information confidential
and to use and disclose the information in compliance with
federal law.
9) Creates a civil penalty of up to $25,000 per individual or
entity, per use or disclosure, for individuals and entities
who knowingly and willingly violate this bill's provisions, in
addition to any other penalties prescribed by law.
EXISTING LAW:
1) Establishes in state government the Exchange as an independent
public entity not affiliated with an agency or department.
Requires the Exchange to compare and make available, through
selective contracting, health insurance for individual and
small business purchasers as authorized under the ACA.
2) Requires, under the ACA, an applicant for insurance coverage
or for a premium tax credit or cost-sharing reduction to be
required to provide only the information strictly necessary to
authenticate identity, determine eligibility, and determine
the amount of the credit or reduction. Requires, under the
ACA, any person who receives such information provided by an
applicant to use the information only for ensuring the
efficient operation of the Exchange.
3) Allows, under federal regulations effective May 12, 2014, an
Exchange to use or disclose personally identifiable
information to carry out functions other than determining
eligibility for enrollment, affordability programs, or
exemptions, provided that the U.S. Secretary of HHS
determines those functions are in compliance with the ACA, and
the individual provides consent.
4) Requires, under federal regulations, each exchange to
establish and implement written privacy and security standards
in accordance with certain principles, including: allowing
individuals to access and correct their own personal
information; maintaining openness and transparency of
policies; ensuring data quality and integrity, protection of
personal information with reasonable safeguards; and
appropriate monitoring to detect and mitigate non-adherence
and breaches.
5) Requires, under federal regulations, each exchange's policies
and procedures regarding the creation, collection, use, and
disclosure of personally identifiable information to be in
writing, be available to the Secretary of HHS upon request,
and identify applicable law governing collection, use, and
disclosure of personally identifiable information.
6) Requires, under federal regulations, entities such as
navigators, agents, and brokers that have access to
applicants' or enrollees' personal information in the course
of performing their functions to be subject to the same
privacy or security provisions that govern the Exchange.
7) Creates, under the ACA, a civil penalty of not more than
$25,000 per person or entity, per use or disclosure, for use
or disclosure of personal information in violation of the ACA.
8) Requires, under federal regulations, HHS to oversee and
monitor state exchanges for compliance with the privacy and
security standards and state exchanges to oversee and monitor
non-Exchange entities for compliance with the privacy and
security standards.
9) Requires the Exchange to only collect information from
individuals necessary to administer the Exchange and
consistent with the ACA and regulations and guidance issued
under the ACA. Allows the Exchange to share information with
relevant state departments, consistent with the
confidentiality provisions of the ACA, necessary for the
administration of the Exchange.
10) Requires the Exchange to perform fingerprint-based background
checks of all employees, prospective employees, contractors,
subcontractors, employees of contractors, volunteers, or
vendors whose duties include access to confidential, personal,
or financial information, or any other information as required
by federal law or guidance.
11) Provides protections, under HIPAA, for individually
identifiable health information held by covered entities and
their business associates and gives patients an array of
rights with respect to that information. Permits, under
HIPAA, the disclosure of certain health information as needed
for patient care and certain other purposes, including: public
health activities, research, prevention of a serious threat to
health or safety, law enforcement purposes, and judicial and
administrative proceedings. Covered entities under the HIPAA
Privacy Rule are health care providers, health plans, and
health care clearinghouses.
12) Under the Information Practices Act of 1977, prohibits state
agencies from disclosing any personal information in a manner
that would link the information disclosed to the individual to
whom it pertains. Provides several exceptions to this
prohibition, including:
a) Information is disclosed with prior written voluntary
consent by the individual to whom the record pertains; or,
b) Information is disclosed to a person or another agency
as necessary for the performance of the transferee agency's
duties; the use is compatible with a purpose for which the
information was collected; and an accurate accounting is
made of the date, nature, and purpose of the transfer.
13) Under the Information Practices Act, requires state agencies
that own or license data that includes personal information to
disclose any security breach to any California resident whose
personal information was obtained by an unauthorized person.
14) Under the Confidentiality of Medical Information Act,
prohibits providers of healthcare, health care service plans,
their contractors, and any business organized for the purpose
of maintaining medical information, from using medical
information for any purpose other than providing health care
services, except as expressly authorized by the patient or as
otherwise required or authorized by law.
FISCAL EFFECT: This bill has not yet been analyzed by a fiscal
committee.
COMMENTS:
1) PURPOSE OF THIS BILL. According to the author, this bill is
intended to add federal safeguards and penalties related to
security and privacy of personally identifiable information
into state law. The author states that California has started
to enroll millions of individuals in the new state Exchange.
Some individuals contracted to promote the Exchange and enroll
the public will have access to enrollees' most sensitive
personal information, including: home addresses, social
security numbers, state and federal tax information, and
personal health information. The author asserts that this
bill will ensure that Exchange employees, contractors,
vendors, and volunteers are subject to a similar privacy
standard as that imposed under current state law.
2) BACKGROUND.
a) Covered California privacy policy. Covered California's
Website provides an extensive notice of privacy practices.
The notice informs consumers that personal information
collected by the Website includes contact information,
social security numbers, demographic information, health
information, financial information, and alien status. The
notice further states that the collection of personal
information is limited to what is relevant and necessary to
accomplish the Exchange's lawful purpose, defined in the
California ACA.
The privacy policy further states that a consumer's
personal information may be disclosed to: a) other
governmental agencies that determine eligibility for
premium assistance or other insurance affordability
programs; b) contractors that manage health plan enrollment
and other Exchange operations (e.g., health plans and
information technology contractors); and c) contractors
like insurance agents or enrollment counselors that
facilitate enrollment and contact consumers when necessary.
The policy further states that information may also be
used in order to create a more personalized experience.
The privacy policy additionally provides that personal
information may be shared to help with public health and
safety; to do research; to respond to lawsuits and legal
actions; and to comply with state or federal law, including
responding to a Public Records Act request.
According to Covered California, the privacy policy was
adapted from a model notice of privacy practices for HIPAA
covered entities issued by the HHS Office of Civil Rights
earlier this year. Covered California indicates that this
template was modified to reflect its unique operational
activities. In addition, Covered California indicates that
it has a separate set of privacy and security standards
that it uses internally, in compliance with federal
regulations. Covered California indicates it is currently
in the process of updating these standards.
b) Enrollment Follow-up Program. Covered California states
that, when it saw that thousands of consumers who were
interested in coverage had not yet completed their
enrollments, it enlisted roughly 2,100 certified insurance
agent subcontractors to offer additional assistance to
roughly 41,000 households. According to Covered
California, basic contact information (name, telephone
number, etc.) was securely transmitted to certified
insurance agents, with instructions to quickly contact
consumers to ensure that they were offered additional
assistance to complete their enrollments. Consumer
information was carefully protected: each agent who
participated in the program was given only a small batch of
leads at a time, according to their capacity to reach
consumers, and results were reported back. Covered
California indicates it is still evaluating the enrollment
follow-up program, and that it has focused its follow-up
efforts on targeted direct mail and email outreach to
consumers letting them know that there are certified
representatives near them who can help them complete their
applications.
3) CENTER FOR DEMOCRACY AND TECHNOLOGY ARTICLE. A 2012
article published by the Center for Democracy and
Technology provides an overview of state and federal laws
and privacy rules that may be relevant for California's
Exchange, including the federal Privacy Act of 1974,
California's Information Privacy Act, the California
Confidentiality of Medical Information Act, and HIPAA. The
article notes that, because the Exchange will give consumers a
single online portal to access private health insurance,
Medi-Cal, and children's health programs, Exchange
operations will require new and unique exchanges of data
among state agencies, the federal government, private
health plans, businesses, individuals, and the Exchange.
The paper concludes that, to build trust in the Exchange,
California must create specific policies that implement
fair information practices and adhere to ACA requirements.
The paper urges the state to work with consumers and other
stakeholders to begin developing strong policies and best
practices to govern information collected and shared by the
state's Exchange.
4) PROPOSED FEDERAL REGULATIONS. On March 14, 2014, the federal
Centers for Medicare and Medicaid Services released a proposed
regulation titled "Patient Protection and Affordable Care Act:
Exchange and Insurance Market Standards for 2015 and Beyond"
that includes proposed processes for the imposition of civil
penalties by HHS for improper use or disclosure of
information. HHS states the intent of this proposed rule is
to create appropriate penalties for any person who does not
comply with relevant statutory and regulatory provisions which
limit the ways in which information provided by an applicant
or from a federal agency can be used. HHS further states that
it intends to work in collaboration with states to oversee,
monitor, and enforce compliance to protect consumers, avoid
duplication of efforts, and provide consistent enforcement
practices. The proposed regulations also include new
standards for navigators and non-navigator assistance
personnel for consumer contact, interaction, and marketing
practices, with the intent to ensure that practices are
protective of the privacy and security interests of the
consumers they serve.
5) BUREAU OF STATE AUDITS REPORT. Current law authorizes the
State Auditor to establish a high-risk audit program, to issue
reports with recommendations for improving issues it
identifies as high risk, either due to vulnerability to fraud,
waste, abuse, and mismanagement, or because an issue is of
particular interest to the citizens of the state or has
potentially significant effects on public health, safety, and
economic well-being. In July 2013, the State Auditor, due to
potential financial challenges, added Covered California's
operations to its list of high-risk issues. The audit report
finds that, within the limits of the information it currently
has, Covered California appears to have engaged in a
deliberate, thoughtful financial planning effort to anticipate
the several contingencies it may face.
The report notes that Covered California's financial
sustainability is wholly dependent on enrollment in qualified
health plans (QHPs) offered through the Exchange. The report
notes enrollment in QHPs is, in turn, largely dependent upon
the success of outreach efforts. Accordingly, one of the
report's recommendations is for Covered California to track
the effect of outreach and marketing activities and of the
assister program. Covered California agreed with this
recommendation (and the report's other recommendations) and
indicated it will use various data components generated
throughout the customer relationship to track key metrics such
as organizational awareness, media campaign drivers, response
rates, Website visits, lead generation, and ultimately
enrollment. Covered California indicates its goal is to use
insights from these data to allocate and adjust outreach
efforts to have the best possible enrollment for the
investment.
6) SUPPORT. The Electronic Frontier Foundation (EFF), in
support, asserts federal regulations properly limit the use
and disclosure of personally identifiable information. EFF
further states that the Exchange should be required to publish
the policies and procedures regarding the creation,
collection, use, and disclosure of personally identifiable
information that it is required to have in writing and make
available to the Secretary of HHS upon request.
7) OPPOSITION. In opposition, the American Federation of State,
County and Municipal Employees (AFSCME) writes it is important
to balance consumers' privacy rights with the need of the
Exchange to facilitate outreach and enrollment in coverage.
AFSCME asserts this bill fails to recognize the need for
outreach and enrollment entities to reach potentially eligible
people to get them enrolled. Health Access California, in
opposition, writes this bill, as drafted, may prevent the
sharing of marketing leads with outreach grantees, thus
hamstringing its marketing and outreach and denying
Californians access to low cost or no cost coverage. Health
Access further notes this bill may be premature in light of
recently proposed federal privacy regulations for Exchanges.
8) RELATED LEGISLATION.
a) AB 1428 (Conway), Chapter 561, Statutes of 2013,
clarifies criminal background check requirements for
employees, contractors, and vendors who facilitate
enrollment in the Exchange.
b) AB 1560 (Gorell) prohibits the Exchange from disclosing
an individual's personal information to third parties for
the purpose of eligibility or enrollment in health care
coverage unless the individual confirms specified
information and provides prior written consent. AB 1560 is
pending in this Committee and is set for hearing April 22,
2014.
c) AB 1829 (Conway) prohibits the Exchange from hiring or
contracting with individuals who have been convicted of
certain felonies or violations if the person would be
facilitating enrollment or have access to financial or
medical information. AB 1829 is pending in this Committee
and is set for hearing April 22, 2014.
d) AB 2147 (Melendez) requires agencies to obtain an
individual's prior written voluntary consent before
releasing the individual's personal information to an
independent contractor or other worker who is not an agency
employee. AB 2147 is pending in the Assembly Judiciary
Committee.
e) AB 2301 (Mansoor) requires the Exchange to report on a
quarterly basis on enrollments and disenrollments under
qualified health plans purchased through the Exchange by
specified categories. AB 2301 is pending in this Committee
and is set for hearing April 22, 2014.
f) SB 509 (DeSaulnier and Emmerson), Chapter 10, Statutes
of 2013, requires fingerprint-based background checks for
all Exchange employees, contractors, volunteers, or vendors
with access to enrollees' personal information.
g) SB 974 (Anderson) prohibits the Exchange from disclosing
an individual's personal information to any other person or
entity without explicit permission and requires the
Exchange to report a disclosure in violation of this
provision within five business days. SB 974 is pending in
the Senate Appropriations Committee.
9) PREVIOUS LEGISLATION. AB 1602 (John A. Pérez), Chapter 655,
Statutes of 2010, and SB 900 (Alquist), Chapter 659, Statutes
of 2010, establish the Exchange and its powers and duties.
10) DOUBLE REFERRAL. This bill is double referred. Should this
bill pass out of this committee, it will be referred to the
Assembly Committee on Judiciary.
11) POLICY COMMENTS.
a) This bill, in part, conforms state law to existing
federal regulations. However, additional regulations
governing privacy and civil penalties were proposed March
14, 2014. These regulations lay out specific circumstances
for imposing a penalty, factors for determining the amount
of the penalty, required notice of intent to issue a
penalty, appeals, and time limitations, that are not
included in this bill. Because these regulations may or
may not be adopted in their current proposed form (comments
are being accepted through April 18, 2014), it may be
premature to codify federal privacy and security
regulations for state Exchanges and create a civil penalty
in state law.
b) California often codifies federal regulations to
facilitate state enforcement of federal standards. For
example, California codified (and expanded upon) the
numerous federal reforms that health plans and insurers are
required to comply with, in part so that the Department of
Managed Health Care and the Department of Insurance can
enforce those standards. However, in the case of this
bill, it is not clear what state entity will enforce the
federal standards.
c) This bill codifies some, but not all, of the federal
regulations on security and privacy for state Exchanges.
Among the omissions are: i) a requirement for the Exchange
to monitor, periodically assess, and update its security
controls; ii) a requirement for the Exchange to develop and
use secure electronic interfaces; iii) a requirement for
the Exchange to enforce workforce compliance; iv) a
requirement for the exchange to keep its privacy policies
and procedures in writing and for the policies to identify
applicable law governing personally identifiable
information; and v) requirements for data sharing between
the exchange and agencies administering Medicaid and the
Children's Health Insurance Program.
d) This bill contains some provisions that differ from
federal regulations on security and privacy for state
Exchanges. In particular, this bill exempts contractors,
subcontractors, volunteers, and vendors who are covered
entities under the HIPAA Privacy Rule from the civil
penalty.
REGISTERED SUPPORT / OPPOSITION:
Support
Criminal Justice Legal Foundation
Electronic Frontier Foundation
Opposition
American Federation of State, County and Municipal Employees,
AFL-CIO
California Pan-Ethnic Health Network
Health Access California
Service Employees International Union, California State Council
Analysis Prepared by: Ben Russell / HEALTH / (916) 319-2097