BILL ANALYSIS ��
SB 974
Page 1
Date of Hearing: June 24, 2014
ASSEMBLY COMMITTEE ON HEALTH
Richard Pan, Chair
SB 974 (Anderson) - As Amended: May 6, 2014
SENATE VOTE : 34-0
SUBJECT : California Health Benefit Exchange.
SUMMARY : Requires the Covered California Board to allow a
Covered California applicant to indicate in his/her application
for health insurance whether he/she would like assistance in
completing the application from a certified insurance agent
(CIA) or certified enrollment counselor (CEC). Prohibits
Covered California from disclosing personal information if the
applicant indicates that he/she does not want assistance from a
CIA or CEC. Contains an urgency clause to ensure that the
provisions of this bill go into immediate effect upon enactment.
Specifically, this bill :
EXISTING LAW :
1)Establishes the California Health Benefit Exchange (Exchange,
now called Covered California) as an independent public entity
in state government. Requires the Exchange to compare and
make available through selective contracting health insurance
for individual and small business purchasers as authorized
under the federal Patient Protection and Affordable Care Act
(ACA).
2)Requires, under the ACA, an applicant for insurance coverage
or for a premium tax credit or cost-sharing reduction to be
required to provide only the information strictly necessary to
authenticate identity, determine eligibility, and determine
the amount of the credit or reduction. Requires, under the
ACA, any person who receives such information provided by an
applicant to use the information only for ensuring the
efficient operation of the Exchange.
3)Allows, under federal regulations effective May 12, 2014, an
exchange to use or disclose personally identifiable
information to carry out functions other than determining
eligibility for enrollment, affordability programs, or
exemptions, provided that the U.S. Secretary of the Department
�
SB 974
Page 2
of Health and Human Services (HHS) determines those functions
are in compliance with the ACA, and the individual provides
consent.
4)Requires, under federal regulations, each exchange to
establish and implement written privacy and security standards
including: allowing individuals to access and correct their
own personal information; maintaining openness and
transparency of policies; ensuring data quality and integrity,
protection of personal information with reasonable safeguards;
and, appropriate monitoring to detect and mitigate
non-adherence and breaches.
5)Requires, under federal regulations, each exchange's policies
and procedures regarding the creation, collection, use, and
disclosure of personally identifiable information to be in
writing and to be available to the Secretary of HHS upon
request.
6)Requires, under federal regulations, entities such as
navigators, agents, and brokers that have access to
applicants' or enrollees' personal information in the course
of performing their functions to be subject to the same
privacy or security provisions that govern the Exchange.
7)Creates, under the ACA, a civil penalty of not more than
$25,000 per person or entity, per use or disclosure, for use
or disclosure of personal information in violation of the ACA.
8)Requires the Exchange to perform fingerprint-based background
checks of all employees, prospective employees, contractors,
subcontractors, employees of contractors, volunteers, or
vendors whose duties include access to confidential, personal,
or financial information, or any other information as required
by federal law or guidance.
9)Under the federal Health Insurance Portability and
Accountability Act of 1996 (HIPAA), provides protections for
individually identifiable health information held by covered
entities and their business associates and gives patients an
array of rights with respect to that information. HIPAA also
permits the disclosure of certain health information as needed
for patient care and certain other purposes, including: public
health activities, research, prevention of a serious threat to
health or safety, law enforcement purposes, and judicial and
�
SB 974
Page 3
administrative proceedings. Covered entities under the HIPAA
Privacy Rule are health care providers, health plans, and
health care clearinghouses.
10)Under the Information Practices Act of 1977 (IPA Act),
prohibits state agencies from disclosing any personal
information in a manner that would link the information
disclosed to the individual to whom it pertains. Provides
several exceptions to this prohibition, including:
a) Information that is disclosed with prior written
voluntary consent by the individual to whom the record
pertains; or,
b) Information that is disclosed to a person or another
agency as necessary for the performance of the transferee
agency's duties; the use is compatible with a purpose for
which the information was collected; and, an accurate
accounting is made of the date, nature, and purpose of the
transfer.
11)Under the IPA Act, requires state agencies that own or
license data that include personal information to disclose any
security breach to any California resident whose personal
information was obtained by an unauthorized person. Requires
this disclosure in the most expedient time possible and
without unreasonable delay, consistent with the legitimate
needs of law enforcement or any measures necessary to
determine the scope of the breach and restore the reasonable
integrity of the data system.
12)Under the Confidentiality of Medical Information Act (CMIA),
prohibits providers of healthcare, health care service plans,
their contractors, and any business organized for the purpose
of maintaining medical information, from using medical
information for any purpose other than providing health care
services, except as expressly authorized by the patient or as
otherwise required or authorized by law.
FISCAL EFFECT : According to the Senate Appropriations
Committee, one-time costs of about $350,000 to modify
information technology systems by Covered California to allow
applicants to indicate whether they would like assistance.
COMMENTS :
�
SB 974
Page 4
1)PURPOSE OF THIS BILL . The author of this bill contends that
Covered California recently violated the reasonable
expectation of consumer privacy by sharing personally
identifiable information with insurance companies without the
express consent of consumers. Customers' names and contact
information were provided to firms and insurance agents, and
consumers received unsolicited calls from agents working for
commission. The author argues this bill is necessary to
protect shoppers in the insurance marketplace from suffering a
disclosure of their personal data to outside companies without
having given their permission. The author further states that
consumers deserve every appropriate protection as they seek to
make the best decision possible for themselves and their
families.
2)BACKGROUND .
a) Enrollment counselors and agents. CECs are certified by
the Exchange to provide culturally and linguistically
appropriate one-on-one counseling and assistance to
consumers in need of help with applying for Covered
California programs. CECs must be registered with either
the In-Person Assistance Program or the Navigator Program
and are often referred to as in-person assisters or
navigators. Counselors work for certified enrollment
entities, which are community-based organizations that
conduct outreach and enrollment activities, and are not
employees of the Exchange. Counselors must pass a
fingerprint-based criminal background check; receive
training in a range of topics, including privacy and
security standards for consumers' personal information;
and, comply with the Exchange's privacy and security
standards established pursuant to federal regulations.
All insurance agents interested in selling qualified health
plans (QHPs) offered through the Exchange must be trained
and certified by Covered California. Covered California
indicates that all of CIAs sign a confidentiality agreement
that prohibits the use of consumer information for any
purposes beyond the scope of the contract; pass a
fingerprint-based criminal background check; agree to
follow federal and state privacy laws; and, are required to
implement safeguards that are at least as strong as those
required of the Exchange.
�
SB 974
Page 5
As of April 8, 2014, Covered California has 5,598 CECs and
12,236 CIAs. During the open enrollment period, the role
of CECs increased substantially, from completing 3% of
total enrollments in October through December 2013 to 12%
of total enrollment in January through March 2014. Over
the entire enrollment period, CECs and agents together
accounted for roughly half of all enrollments in QHPs
through the Exchange. Latino applicants account for 48% of
individuals enrolled by CECs compared to 22% of individuals
who self-enrolled.
b) Covered California privacy policy. Covered California's
website provides an extensive notice of privacy practices.
The notice informs consumers that personal information
collected by the website includes contact information,
social security numbers, demographic information, health
information, financial information, and alien status. The
notice further states that the collection of personal
information is limited to what is relevant and necessary to
accomplish the Exchange's lawful purpose, defined in the
California ACA.
The privacy policy further states that a consumer's
personal information may be disclosed to: i) other
governmental agencies that determine eligibility for
premium assistance or other insurance affordability
programs; ii) contractors that manage health plan
enrollment and other Exchange operations (e.g., health
plans and information technology contractors); and, iii)
contractors like insurance agents or enrollment counselors
that facilitate enrollment and contact consumers when
necessary. The policy further states that information may
also be used in order to create a more personalized
experience. The privacy policy additionally provides that
personal information may be shared to help with public
health and safety; to do research; to respond to lawsuits
and legal actions; and, to comply with state or federal
law, including responding to a Public Records Act request.
According to Covered California, the privacy policy was
adapted from a model notice of privacy practices for HIPAA
covered entities issued by the HHS Office of Civil Rights
earlier this year. Covered California indicates that this
template was modified to reflect its unique operational
activities. In addition, Covered California indicates that
it has a separate set of privacy and security standards
�
SB 974
Page 6
that it uses internally, in compliance with federal
regulations. Covered California indicates it is currently
in the process of updating these standards.
c) Enrollment Follow-up Program. Covered California states
that, when it saw that thousands of consumers who were
interested in coverage had not yet completed their
enrollments, it enlisted roughly 2,100 CIA subcontractors
to offer additional assistance to roughly 41,000
households. According to Covered California, basic contact
information (name, telephone number, etc.) was securely
transmitted to CIAs, with instructions to quickly contact
consumers to ensure that they were offered additional
assistance to complete their enrollments. Consumer
information was carefully protected: each agent who
participated in the program was given only a small batch of
leads at a time, according to their capacity to reach
consumers, and results were reported back. The program was
put on hold when some consumers were surprised to be
contacted by someone they did not realize was calling on
behalf of Covered California. Covered California indicates
that, overall, five complaints have been received about
their policy for handling consumers' information (not
necessarily limited to the handling by agents).
3) CENTER FOR DEMOCRACY AND TECHNOLOGY ARTICLE . A 2012
article published by the Center for Democracy and
Technology provides an overview of state and federal laws
and privacy rules that may be relevant for California's
Exchange, including the federal Privacy Act of 1974,
California's Information Privacy Act, CMIA, and HIPAA. The
article notes, because the Exchange will give consumers a
single online portal to access private health insurance,
Medi-Cal, and children's health programs, Exchange
operations will require new and unique exchanges of data
among state agencies, the federal government, private
health plans, businesses, individuals, and the Exchange.
The paper concludes, to build trust in the Exchange,
California must create specific policies that implement
fair information practices and adhere to ACA requirements.
The paper urges the state to work with consumers and other
stakeholders to begin developing strong policies and best
practices to govern information collected and shared by the
state's Exchange.
�
SB 974
Page 7
4) FEDERAL REGULATIONS . On May 27, 2014, HHS released new
final rules, including information about the assessment of
civil monetary penalties for unlawful disclosures of
Exchange personally identifiable information. These rules
also make several changes to update the standards
applicable to these consumer assistance entities and
individuals, such as prohibiting them from specified
marketing or solicitation activities. Navigators and
non-Navigator assistance personnel must obtain
authorization before accessing a consumer's personally
identifiable information and are prohibit from charging
consumers for their services.
Existing regulations specify that an exchange may only use or
disclose exchange personally identifying information to carry
out the functions described in regulation or to carry out
additional functions which the Secretary has determined ensure
the efficient operation of the Exchange and for which the
individual has provided consent for his or her information to
be so used or disclosed.
5)SUPPORT . Lieutenant Governor Gavin Newsom writes that
successful deployment of new technology is dependent on
maintaining trust with the consumer and that sharing private
information with insurance agents without consent of the
consumer is a violation of this trust. A coalition of health
insurance agents and underwriters writes that this bill
supports professional handling of private health information
using the best professional practices that meet the many
confidentiality requirements of federal and state law. The
Western Center on Law and Poverty notes that consumer's
personal information should not be shared without the
individual knowing it will happen, while still allowing the
necessary transfer to Medi-Cal and the county systems
administering it.
6)OPPOSITION . The American Federation of State, County and
Municipal Employees (AFSCME) writes that in order for the ACA
and Exchange to be successful, it is critical to balance
consumers' privacy rights with the need of the Exchange to
facilitate outreach and enrollment in coverage. AFSCME
further argues that existing ACA prohibitions on misuse or
disclosure of private information adequately supports
consumers' privacy rights while recognizing the need for
outreach and enrollment entities to reach potentially eligible
�
SB 974
Page 8
people to get them enrolled.
7)RELATED LEGISLATION .
AB 1560 (Gorell), prohibits Covered California from disclosing
an individual's personal information to third parties.
Requires the Exchange to immediately notify the public of any
breach of the security of personal information, regardless of
severity and regardless of whether the information was
actually accessed by an unauthorized person. AB 1560 was
referred to this Committee but was not heard, at the request
of the author.
AB 1428 (Conway), Chapter 561, Statutes of 2013, clarifies
criminal background check requirements for employees,
contractors, and vendors who facilitate enrollment in the
Exchange.
AB 1829 (Conway) would have prohibited the Exchange from
hiring or contracting with individuals who have been convicted
of certain felonies or violations if the person would be
facilitating enrollment or have access to financial or medical
information. AB 1829 failed passage in this Committee.
AB 1830 (Conway) would have prohibited the Exchange from using
or disclosing personal information except as necessary to
carry out the Exchange's functions under the ACA and creates a
civil penalty of up to $25,000 per individual or entity, per
use or disclosure. AB 1830 failed passage in this Committee.
AB 2147 (Melendez) requires agencies to obtain an individual's
prior written voluntary consent before releasing the
individual's personal information to an independent contractor
or other worker who is not an agency employee. AB 2147 was
held on the suspense file in Assembly Appropriations
Committee.
AB 2301 (Mansoor) requires the Exchange to report on a
quarterly basis on enrollments and disenrollments under QHPs
purchased through the Exchange by specified categories. AB
2301 was held on the suspense file in Assembly Appropriations
Committee.
SB 509 (DeSaulnier and Emmerson), Chapter 10, Statutes of
2013, requires fingerprint-based background checks for all
�
SB 974
Page 9
Exchange employees, contractors, volunteers, or vendors with
access to enrollees' personal information.
8)PREVIOUS LEGISLATION . AB 1602 (John A. P�rez), Chapter 655,
Statutes of 2010, and SB 900 (Alquist), Chapter 659, Statutes
of 2010, establish the Exchange and its powers and duties.
9)POLICY COMMENTS.
a) Potential conflict with federal guidelines. On May 27,
2014, HHS released final regulations regarding privacy and
security of personally identifiable information by
Exchanges, including improper use and disclosure of
information, civil penalties for disclosure, and
re-certification of agents and representatives. These
regulations also update the standards applicable to these
consumer assistance entities and individuals, such as
prohibiting them from specified marketing or solicitation
activities. Since these regulations were just finalized
and Covered California is still addressing compliance and
implementation, it may be premature to impose new state law
that may not match federal regulation.
b) Implementation date. Covered California is currently
addressing many technical updates to their system in time
for the 2015 benefit year's open enrollment period (which
begins November 15, 2014). However, in light of several
competing and urgent priorities for the California
Healthcare Eligibility, Enrollment and Retention System
(CalHEERS) release schedule (such as improving the
communication between the county Medi-Cal systems and
CalHEERS), compliance with this bill by the October 1, 2014
may not be feasible.
Suggested amendment . Delay full implementation to provide
the Exchange and the Department of Health Care Services
time to address the requirement of the bill, but ensure
protection of consumer privacy in the meantime by only
permitting information-sharing with CECs or CIAs when
requested by a consumer.
c) Ambiguous definition of application. The reference to
an "application for a qualified health plan" is undefined.
Covered California provides consumers with a single
streamlined application for both Covered California QHPs
�
SB 974
Page 10
and the state's Medi-Cal program. There is no way to know
which program a consumer qualifies for until they have
submitted their application.
Suggested amendment: Clarify the definition of
"application" to cover an application for "health care
coverage."
d) Potential disruption of renewals for 2014 enrollees who
were assisted by certified representatives. This bill
could limit the ability of insurance agents to contact
consumers who enrolled in 2013-2014 next year. Covered
California states that roughly half of all enrollees in
2014 were assisted with their applications by either CIAs
or CECs. Many of these enrollees will need to take action
to renew their coverage in 2014, but because some of them
may not know that action is needed, Covered California
expects that certified representatives may contact
consumers who initially applied with that same certified
representative to let them know action is needed.
In its current design, the CalHEERS web portal for
certified representatives provides the representative with
some personal information about a consumer. If renewing
consumers are considered "applicants," and because these
consumers did not have the opportunity to indicate their
preference about information sharing when they applied in
2014, it is unclear if this bill would potentially prohibit
Covered California and the CalHEERS system from "sharing"
information about a consumer who enrolled with a certified
representative even if the "sharing" is only providing
access to the agent's book of business through CalHEERS.
Covered California states that this prohibition would have
a substantial impact on the Exchange's planned strategy for
providing enrollment assistance for renewals, and would
especially hamper the work of CIAs, who rely on the
CalHEERS system to review and assist consumers who have
"delegated" their application to the agent.
Suggested amendment: Clarify that nothing in this
legislation is intended to prevent Covered California from
providing certified representatives with access to personal
information of the consumers they previously worked with on
enrollment assistance.
�
SB 974
Page 11
REGISTERED SUPPORT / OPPOSITION :
Support
Lieutenant Governor Gavin Newsom
California Association of Health Underwriters
California Chiropractic Association
Independent Insurance Agents and Brokers of California
National Association of Insurance and Financial Advisors of
California
Western Center on Law and Poverty
Opposition
American Federation of State, County and Municipal Employees,
AFL-CIO
Analysis Prepared by : Dharia McGrew / HEALTH / (916) 319-2097