BILL ANALYSIS
SENATE COMMITTEE ON HEALTH
Senator Ed Hernandez, O.D., Chair
BILL NO: SB 974
AUTHOR: Anderson
INTRODUCED: February 11, 2014
HEARING DATE: April 9, 2014
CONSULTANT: Boughton
SUBJECT : California Health Benefit Exchange: confidentiality of
personal information.
SUMMARY : Prohibits the California Health Benefit Exchange, or
any of its employees, agents, subcontractors, representatives,
or partners from disclosing an individual's personal information
to any other person or entity without explicit permission from
the individual. Requires the Exchange to report any disclosures
to the individuals affected and to the appropriate policy
committees of the Legislature within five business days of the
date of the disclosure. Defines personal information as any
information that an individual has submitted to the Exchange
through its Website, call center, or other technology, or in
person through the Exchange's employees, agents, subcontractors,
representatives, or partners.
Existing law:
1.Establishes the Health Benefit Exchange (Covered California)
in state government as a state-based marketplace where
individuals and small businesses can purchase qualified health
plans.
2.Establishes the Information Practices Act of 1977 (IPA), which
prohibits every state office, officer, department, division,
bureau, board, commission or other state agency from
disclosing personal information unless the information is
disclosed according to one of a specified list of provisions,
such as:
a. With prior voluntary written consent, not more
than 30 days in advance of the disclosure, or in the
time limit agreed to by the individual; or,
b. To those officers, employees, attorneys,
agents, or volunteers of the agency that has custody
of the information if the disclosure is relevant and
necessary in the ordinary course of the performance of
their official duties and is related to the purpose
for which the information was acquired.
3.Defines, under the IPA, "personal information" as any
information that is maintained by an agency that identifies or
describes an individual, including, but not limited to, his or
her name, social security number, physical description, home
address, home telephone number, education, financial matters,
and medical or employment history.
4.Makes, under the IPA, any person who willfully requests or
obtains any record containing personal information from an
agency under false pretenses guilty of a misdemeanor and fined
not more than $5,000, or imprisoned not more than one year, or
both, and also under the IPA subject to civil action for
invasion of privacy, in addition to any special or general
damages awarded, awarded a minimum of $2,500 in exemplary
damages as well as attorney's fees and other litigation costs
reasonably incurred in the suit.
5.Requires, under the IPA, any agency that owns or licenses
computerized data that includes personal information to
disclose any breach of the security of the system following
discovery or notification of the breach in the security of the
data to any resident of California whose unencrypted personal
information was, or is reasonably believed to have been,
acquired by an unauthorized person. Requires the disclosure to
be made in the most expedient time possible and without
unreasonable delay, consistent with the legitimate needs of
law enforcement, as specified or any measures necessary to
determine the scope of the breach and restore the reasonable
integrity of the data system.
6.Establishes, under federal law, the Health Insurance
Portability and Accountability Act of 1996 (HIPAA), which
among various provisions, mandates industry-wide standards for
health care information on electronic billing and other
processes; and, requires the protection and confidential
handling of protected health information.
7.Establishes, under the federal Affordable Care Act (ACA), the
procedures for determining eligibility for Exchange
participation, premium tax credits and reduced cost sharing,
and individual responsibility exemption. Requires an
applicant for coverage or for a premium tax credit or cost
sharing reduction to provide only the
information strictly necessary to authenticate identity,
determine eligibility, and determine the amount of the credit
or reduction.
8.Requires under the ACA any person who receives information
provided by an applicant for insurance coverage to use the
information only for the purposes of, and to the extent
necessary in, ensuring the efficient operation of the
Exchange, including verifying eligibility of an individual to
enroll through an Exchange or to claim a premium tax credit or
cost sharing reduction or the amount of the credit or
reduction, and not disclose the information to any other
person except as provided.
9.Subjects any person who knowingly and willfully uses or
discloses information in violation of 7) and 8) to a civil
penalty of not more than $25,000, in addition to any other
penalties that may be prescribed by law.
10.Authorizes under federal regulations an Exchange to only use
or disclose such personally identifiable information for the
purposes of determining eligibility in a qualified health
plan, for other insurance affordability programs, or for
exemptions from the individual responsibility provisions, as
specified, to the extent such information is necessary to
carry out the functions of the Exchange, as specified. For
other uses which the Secretary of Health and Human Services
(HHS) determines are in compliance with the ACA but are not to
carry out the Exchange functions, requires individual consent.
To carry out other functions, requires consent and
substantive and procedural requirements, as specified.
11.Subjects, under federal regulations, any person who knowingly
and willfully uses or discloses information in violation of
the ACA to a civil penalty of not more than $25,000 per person
or entity, per use or disclosure, in addition to other
penalties that may be prescribed by law.
This bill:
1.Prohibits Covered California, or any of its employees, agents,
subcontractors, representatives, or partners from disclosing
an individual's personal information to any other person or
entity without explicit permission from the individual.
2.Requires Covered California to report any disclosures of 1)
above to the individuals affected and to the appropriate
policy committees of the Legislature within five business days
of the date of the disclosure.
3.Defines personal information as any information that an
individual has submitted to Covered California through its
Website, call center, or other technology, or in person
through Covered California's employees, agents,
subcontractors, representatives, or partners.
4.Contains an urgency clause that will make this bill effective
upon enactment.
FISCAL EFFECT : This bill has not been analyzed by a fiscal
committee.
COMMENTS :
1.Author's statement. According to the author, the ACA has directed
states to provide marketplaces, or exchanges, for consumers
seeking health insurance. Covered California, the health benefit
exchange in our state, has provided this platform for individuals
shopping for a plan. Unfortunately, due to a security loophole in
the law, shoppers on the website have suffered a disclosure of
their data to outside companies without having given their
permission. This bill is a bipartisan effort to close that
loophole, so that consumers may shop free from fear of losing
their privacy to unknown, outside entities.
2.Covered California Launch. Covered California opened for
enrollment October 1, 2013. Enrollment reports indicate 30,830
enrolled in October, 78,377 enrolled in November with a jump to
400,096 in December or about 12,096 per day. As of January 15,
625,564 individual health plans had been selected. While the
California launch was a success, it was not without issues.
Surveys indicate 40 percent of those surveyed found the overall
enrollment process difficult to complete. Covered California
identified the following challenges and opportunities based on the
October-December period. Tremendous interest in Covered
California created high service center volume, and some
unanticipated drivers of service center volume included: slow
ramp up of service channels (e.g. agents and enrollment
counselors) limited the success of ground efforts; service center
staffing levels for Covered California and qualified health plans
were inadequate; issues with inaccurate and undelivered notices
left consumers waiting for verification of enrollment status; "One
touch and done" assumption was not correct for consumers. With
this analysis, Covered California identified an opportunity to
improve operational performance for the remainder of open
enrollment with a focus on high potential demand in March.
Through the end of March, enrollment is at 1,209,791. Due to
technical difficulties in the final month of open enrollment,
Covered California is allowing people who have started
applications by March 31st to complete those applications until
April 15th. Medi-Cal, which allows people to enroll throughout
the year, enrolled 1.9 million people during this same period,
including 1.1 million who enrolled through Covered California and
county offices.
3.Enrollment Follow-up Program. According to Covered California, to
follow up on applications started to ensure coverage effective
January 1, 2014, Covered California enlisted the help of roughly
2,100 of its Certified Insurance Agent subcontractors to offer
additional assistance to roughly 41,000 households. The basic
contact information (name, telephone number, etc.) was securely
transmitted to Certified Insurance Agents by General Agent
partners, with instructions to quickly touch as many of these
consumers as possible to ensure that they were offered additional
assistance to complete their enrollments. Consumer information was
carefully protected: each Certified Insurance Agent who
participated in the program was given only a small batch of
"leads" at a time, according to their capacity to reach consumers,
and results were reported back to the General Agents. The program
was put on hold when some consumers were surprised to be contacted
by someone they did not realize was calling on behalf of Covered
California. Covered California indicates that, overall, five
complaints have been received about their policy for handling
consumers' information (not necessarily limited to the handling by
agents).
4.Covered California Privacy Practices. Covered California's
Notice of Privacy Practices, Use and Disclosure explains that
Covered California may use and disclose a consumer's personal
information with contractors to help with enrollment and
contact the consumer when necessary. Additionally, all
contractors with whom Covered California shares information for
these purposes undergo a fingerprint and background check,
receive specialized training on keeping information
confidential, and are required to sign confidentiality agreements
that require contractors to follow the safeguards applicable
to Covered California and prohibit the use for any purposes
outside the scope of the contract.
According to Covered California, both the paper and online
application include disclosures about Covered California's
privacy policy, and require the consumer to agree that they
are aware of those privacy policies and practices. This is
required under the IPA and the ACA. On the paper
application, the privacy policy is described immediately above
the "rights and responsibilities" section of the application,
and is referenced in the declaration and signature which are
submitted under penalty of perjury. Specifically, the paper
application states, "We will share your information with other
state, federal and local agencies, contractors, health plans,
and programs only to enroll you in a plan or program or to
administer programs, and with other state and federal agencies
as required by law." For the web-based application, in
order to initially set up an online application a user must
actively consent by clicking a box to agree to the Terms and
Conditions. The Terms and Conditions direct users to
information on the privacy policy that applies to personal
information collected on the site. It discloses that Covered
California maintains administrative, physical, technical,
electronic and procedural safeguards to protect the
confidentiality and security of the personal information. It
allows links to additional information about how data is
collected online and used, and how to request restrictions on
the use and disclosure of information, among other
information.
5.CDT Paper. A March 28, 2012 paper "Privacy and Security
Protections for Personal Information in California's Health
Benefit Exchange," written by Kate Black at the Center for
Democracy and Technology (CDT) calls on state policymakers to
develop a comprehensive framework of privacy and security
policies to build and maintain public trust in the Exchange.
The paper reviews California and Federal data privacy laws,
including the IPA, HIPAA and others and indicates that the HHS
explanatory rule states that HIPAA is "not broad enough to
adequately protect the various types of personally identifying
information that will be created, collected, used or disclosed
by Exchanges and individuals or entities who have access to
information created, collected, and used by Exchanges." The
paper also indicates that the IPA sets potentially stricter
standards for sharing of information between or among agencies
versus sharing information within a single agency. A December
17, 2013 article written by Christopher Rasmussen and
published on CDT.org asserts that Covered California
incorrectly sees itself as a HIPAA covered entity and suggests
that Covered California's privacy policy goes beyond the ACA's
privacy protections.
6.Federal Regulations. On March 14, 2014, HHS released new
proposed rules, including information about the assessment of
civil monetary penalties for unlawful disclosures of Exchange
personally identifiable information. These rules propose
types of activities that would be in violation of the ACA,
which specifies that any person who receives information
required to be provided by an applicant, whether the person
receives the information directly or by another person at the
request of the applicant, or receives information from a
Federal agency that has been verified as being consistent or
inconsistent with the records of that Federal agency, may use
the information only for the purposes of, and to the extent
necessary in, ensuring the efficient operation of the
Exchange. The ACA also specifies that any person who receives
Exchange personally identifiable information may not disclose
the information to any other person except as provided in the
ACA. Existing regulations specify that an Exchange may only
use or disclose Exchange personally identifying information to
carry out the functions described in regulation or to carry
out additional functions which the Secretary has determined
ensure the efficient operation of the Exchange and for which
the individual has provided consent for his or her information
to be so used or disclosed.
In these rules HHS proposes that any other use or disclosure
that has not been determined by the Secretary to ensure the
efficient operation of the Exchange and which is not necessary
to carry out a function described in a contract with a
non-Exchange entity executed, as specified, may constitute a
violation of the ACA. More specific examples of activities
that would violate the ACA include a person selling lists of
Exchange personally identifiable information belonging to
individuals who apply for enrollment or enroll in an Exchange
qualified health plan, or a non-Exchange entity using the
personally identifiable information of individuals who sought
enrollment in an Exchange qualified health plan to market
products or services to those individuals. HHS notes that
without the express, specific consent of the consumer for
their personally identifiable information to be used for
marketing purposes, use of Exchange personally identifiable
information for marketing purposes is prohibited. In
addition, HHS notes that any person who obtains specific
consent from an applicant or enrollee to use personally
identifiable information for marketing purposes must clearly
inform the applicant or enrollee that the marketing activities
have no relationship to or bearing on an eligibility
determination for or enrollment in the Exchange. To the extent
any person plans to obtain such consent to market products to
Exchange applicants and enrollees, the person should be
prepared to provide proof of consent upon request by the
agency during the course of the agency's normal oversight
activities. HHS defines person broadly to include agents,
brokers, Web-brokers, qualified health plans, certified
application counselors, etc.
7.Double referral. This bill is double referred. Should it
pass out of this committee, it will be referred to the Senate
Committee on Judiciary.
8.Related legislation. AB 1829 (Conway) would prohibit Covered
California from hiring or contracting with a person, including
an employee or prospective employee, who has been convicted of
specified crimes if the person's duties would involve
facilitating enrollment in qualified health plans or would
give the person access to the financial or medical information
of enrollees or potential enrollees of the Exchange. Requires
a person who has filed an application for employment with the
Exchange to notify the Exchange of any prescribed misdemeanor
or felony convictions, filing of misdemeanor or felony
charges, or administrative actions that occur after submitting
his or her application.
AB 1830 (Conway) would authorize Covered California to use or
disclose that information only to the extent necessary to
carry out specified functions authorized under the ACA, and
prohibits a contractor, subcontractor, volunteer, or vendor of
Covered California who gains access to personally identifiable
information in the course of fulfilling his, her, or its
duties as a contractor, subcontractor, volunteer, or vendor
from using or disclosing that information other than to the
extent necessary to carry out those duties. Requires a
contractor, subcontractor, volunteer, or vendor of the
Exchange to comply with the privacy and security standards
adopted by Covered California pursuant to the ACA and makes an
individual or entity who knowingly and willfully violates
these provisions subject to a civil penalty of not more than
$25,000 per individual or entity, per use or disclosure, in
addition to any other penalties prescribed by law.
AB 1560 (Gorell) would prohibit Covered California from
disclosing an individual's personal information, as defined,
to third parties for the purpose of determining eligibility
for, or enrolling the individual in, health care coverage
unless, prior to the disclosure, the individual confirms his
or her eligibility for a qualified health plan offered by
Covered California, and receives an estimate for the cost of
the qualified health plans he or she may purchase, and Covered
California obtains the individual's written consent to the
disclosure, as prescribed. Requires Covered California to
immediately notify the public of any breach of the security of
personal information created, collected, or maintained by
Covered California, regardless of the severity of the breach
and regardless of whether personal information was acquired by
an unauthorized person during the breach.
9.Prior legislation. SB 900 (Alquist), Chapter 659, Statutes of
2010, and AB 1602 (Perez), Chapter 655, Statutes of 2010,
established the California Health Benefit Exchange.
10.Oppose unless amended. SEIU California writes that in its
current form, this bill would apply so broadly as to impact a
variety of Covered California functions, such as enrollment
and eligibility determinations in both Covered California
qualified health plans and Medi-Cal, and the transfer of
important information for ongoing operations and reporting,
including public reporting, interagency reporting or internal
reporting functions performed by Covered California.
Specifically, SEIU California requests that this bill be
amended to exempt the Medi-Cal related information, the
counties as partners, information shared between health plans
and Covered California regarding enrollees assigned to those
plans, and aggregated data included in Covered California's
public reports and reporting between Covered California, the
federal government, the state and counties. The Western
Center on Law and Poverty believes this bill would interfere
with enrollment into health coverage because it is written so
broadly. Western Center believes the definition of personal
information is overly broad, there are a number of laws
protecting persons' information and requiring disclosures of
breaches, and supports the notion that consumers' personal
information should not be shared with a broker, agent or
enrollment counselor without the individual knowing that will
happen. Health Access California believes this bill may
prevent the sharing of marketing leads with outreach grantees.
Health Access raises concerns about how "explicit permission"
may be interpreted.
11.Request for Amendments. CDT believes this bill should be
amended to revise its focus not on permission but on limiting
the use of the data. CDT believes Covered California's
current Notice of Privacy Practices is inconsistent with the
federal privacy rule established under the ACA.
12.Policy Comment. While it appears the Exchange policy is
consistent with recent proposed rules, concerns raised by
consumers, news reports and privacy advocates suggest that the
Exchange should do a thorough review of its policies and
practices, not just from a legal standpoint, but from a
consumer confidence perspective. There seems to be general
support for a narrowing of this bill to allow for an applicant
to agree to be contacted for enrollment follow-up by an
Exchange contractor. Committee staff recommends narrowing
this bill to require the Exchange to allow an applicant to
indicate on both the paper and online application whether or
not he or she would like to be contacted by an Exchange
certified contractor for assistance completing the
application.
SUPPORT AND OPPOSITION :
Support: None received
Oppose: None received
-- END --