Increasing Privacy Protections for Consumers in State Health Departments Act
|Model Bill Info|
|Bill Title||Increasing Privacy Protections for Consumers in State Health Departments Act|
|Date Introduced||July 28, 2022|
|Task Forces||Health and Human Services, Communications and Technology|
|Keywords||Health, human services, privacy and security|
Increasing Privacy Protections for Consumers in State Health Departments Act
(1) Declaration of Purpose. State government culture and behavior should be shaped by the words, “An individual’s right to live free from governmental intrusion in private or personal information is natural, essential, and inherent”. Health & Human Services Departments have been subject to the Health Insurance Portability and Accountability Act since 1996 which drove initial efforts to develop a culture and infrastructure to protect personal data privacy. As a holder of personal information in state government, departments have a responsibility to demonstrate to the public the state’s commitment to actively and overtly respect personal privacy, including privacy of personal information. Establishing and maturing a culture of privacy is core to successfully driving future efforts to implement and enhance privacy policies, procedures, and practices. Continuous improvement requires appropriate governance and policy leadership. As such, the establishment of a closed loop referral system should establish clear privacy protections.
(2) Data Privacy and Information Technology Security Governance Board Established. There is hereby established a data privacy and information technology security governance board to oversee the [health and human services agency/agencies of jurisdiction]‘s use of data, data privacy, and information technology security that shall be maintained by the department.
(I) The data privacy and information technology security governance board shall consist of the following members:
(a) The commissioner of the [health and human services agency/agencies of jurisdiction], who shall serve as the governance board chair.
(b) The department’s privacy officer.
(c) Three directors of the department who have responsibility for one of the following areas: medicaid services, public health, behavioral health, children, youth and families, or long-term support and services.
(d) The director of the department’s bureau of human resource management.
(e) The director of the department’s bureau of information services.
(f) The department’s chief legal officer.
(g) The commissioner of the department of information technology.
(h) Up to 2 additional voting members appointed by the commissioner of [health and human services agency/agencies of jurisdiction], if needed.
(II) A quorum of this board shall consist of the named positions being in attendance with greater than 50 percent present. Members may delegate authority to represent them for the purposes of maintaining a quorum. The chair of the board may also delegate authority to another appropriate member of the governance board to serve during a specified meeting.
(3) Duties. The data privacy and information technology security governance board shall:
(I) Meet at least 3 times a year and post public facing meeting minutes within 2 weeks of the completion of each meeting on the department’s web page.
(II) Become educated in what data governance means, how it will work for the organization, and what it means to embrace data governance and activate enterprise data stewards.
(III) Actively promote improved data governance practices across the department.
(IV) Identify and approve of pivotal data governance roles and responsibilities for the department including cross-enterprise domain stewards and coordinators.
(V) Advise, review, and approve the department’s data control, governance, and privacy practices in compliance with federal and state law and federal and state information privacy and security policies, with the goal to meet or exceed private market benchmarks for governance, risk management, and compliance.
(VII) The data privacy and information technology security governance board may solicit information from any person or entity the board deems relevant to its quest.
(4) Risk Management.
(I) For each information technology system that contains personal information, the department shall conduct a written risk assessment and mitigation remediation plan in the form of a privacy impact assessment.
(II) The assessment and plan shall:
(a) Assess risks to an individual’s right to privacy within the department’s information technology systems where the individual does not possess immediate control over their information.
(b) Recommend alternatives to both mitigate the risks and achieve the stated objectives of the department’s systems.
(c) Identify those individuals and offices within the department who shall be directly accountable for the assessment and plan, the system at the time the assessment and plan are compiled, and any approved alternatives and mitigations as a result of the assessment and plan.
(III) Unless otherwise required by law or applicable regulation, no personal information shall be collected prior to the completion of the assessment and plan and any subsequent measures as a result of the assessment and plan, as determined by the governance board for any systems implemented subsequent to March 31, 2023.
(IV) The assessment and plan shall be approved and may be acted upon by the commissioner. All assessments and plans conducted before the date of the next data privacy and information technology security governance board meeting shall be submitted to the board for review.
(5) Closed Loop Referral System. If a department itself or through a contracted entity provides a closed loop referral system, the following privacy and security provisions shall be included:
(a) The department shall not access any individual’s personally identifiable information or protected health information from or through any closed loop referral system unless the individual has previously given consent for the department to access their personally identifiable information or protected health information and has not revoked consent.
(b) Notwithstanding the foregoing, the department may obtain specific consent from an individual to access the individual’s personally identifiable information or protected health information on each consent for a referral for services, provided that in obtaining consent:
(1) A separate page, in hard copy or electronically, shall be used; and
(2) The request shall be phrased as follows: “Do you consent to allow the [State] to have access to your personally identifiable information and your private health information along with information about your referrals for services? Please note that you will receive the same services whether you sign this form or not.”
(c) Within 48 hours of becoming aware of a data breach, the contracted entity providing a closed loop referral system shall begin the process of notification by first class mail or other individually agreed to communication mechanisms to all individuals impacted by the data breach.
(d)(1) An individual’s personally identifiable information or protected health information may be added to the closed loop referral system only if:
(A) The individual consents to its inclusion on each instance of a referral for services; and
(B) The individual whose information is intended to be included in the closed loop referral system shall retain the right to opt into the system on each referral and retain the right to revoke consent to be in the system at any time.
(2) If an individual revokes consent to be in the system, then, to the extent allowed under federal or state law, information relative to the individual’s referrals for services shall be deleted from the system within 7 days of the revocation.
(e) No provider or organization utilizing the closed loop referral system network shall have access to an individual’s personally identifiable information or protected health information unless the individual has been referred to that provider or organization for services and the provider or organization requested consent from and was given consent by the individual to access such information.
(6) Effective Date. Upon passage.
Definition if needed:
Closed-Loop Referral System: Any system that stores an individual’s personal identifiable information in a database that is shared by a network of healthcare entities, public agencies, and community-based organizations for referral purposes, which includes referrals to entities that are not covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A Closed-Loop Referral System encompasses datasets containing personal referral information captured and stored in a database for use by public and private entities, including community-based organizations, to provide services, update referral activity, and close the loop on a referral by updating downstream systems.