HB3326 H T&I AM #1-1

Casto 3264

 

The Committee on Technology and Infrastructure moved to amend the bill on page 1 by striking everything after the enacting clause and inserting in lieu thereof the following:

“Article 11. Privacy of social care information.

§9-11-1. Statement of Legislative Intent.

(a) This article shall be known as the Privacy of Social Care Information Act.

(b) This Article specifically excludes data that is otherwise subject to other privacy requirements, rules, or regulations as set forth in §9-11-5.

§9-11-2. Definitions.

 

(a) "Closed-Loop Referral System" or "CLRS" is defined as any system that:

(1) stores an individual’s social care information for the purpose of referrals;  

(2) shares its data with a network of entities including, but not limited to, healthcare providers, health plans, health information exchanges (HIEs), public agencies, nonprofits, charitable organizations, and other entities that provide social care; and

(3) is capable of updating or showing updated referral activity, including data related to participating organizations closing the loop on referrals, by updating downstream systems.

(b) "Participating organization" is defined as any entity including, but not limited to, healthcare providers, health plans, HIEs, public agencies, nonprofits, charitable organizations, CLRS technology vendors, and entities that provide social care, that have the ability to create, receive, or update referrals or other social care information in a CLRS; provided that such data are not otherwise excluded from coverage under this Article as set forth in §9-11-5. This definition applies to entities that use a CLRS regardless of whether they have entered into contractual agreements with a CLRS vendor.

(c) "Social care" is defined as care, services, goods, or supplies related to an individual’s social needs. Social care as used in this article includes, but is not limited to, support and assistance for an individual’s food stability and nutritional needs, housing, transportation, economic stability, employment, education access and quality, child care and family relationship needs, and environmental and physical safety.

(d) "Individually identifiable social care information" is defined as social care information that:

(1) Identifies the individual receiving social care; or

(2) With respect to which there is a reasonable basis to believe the information can be used to identify the individual receiving social care.

(e) "Social care information" is defined as any information, in any form, that relates to the need for, payment for, or provision of social care. Social care information does not include data covered by another privacy law specifically excluded from this Article as set forth in §9-11-5.

§9-11-3. Applicability.

 

This article shall apply only to state or local government entities including, but not limited to, public agencies, municipalities, county governments, and public-private partnerships, that directly or through a contracted entity provide a CLRS.

§9-11-4. Use of Data.

(a) Individual Control of Data. -- An individual’s personally identifiable information or social care information may be added to a CLRS only if:

(1) The individual consents to its inclusion on each instance of a referral for services; and

(2) The individual retains the right to revoke consent to be in the system at any time.

(b) Organization Access to Data. -- No participating organization utilizing the CLRS shall have access to an individual’s personally identifiable information or social care information unless:

(1) The individual has been referred to that provider or organization for services; or

(2) The individual has consented for that organization to access such information.

(c) Permission-based Access Policies. -- Participating organizations must have policies and controls in place defining staff roles necessary for the referral and provision of services and for the purpose of providing care coordination. These policies shall:

(1) Provide access to social care information as necessary to ensure uninterrupted and efficient delivery of services and care coordination; and

(2) Restrict or prohibit access to social care information by staff, volunteers, and any other individuals who do not need access to complete their duties.

(d) Services Separate from Consent. -- A participating organization may not condition the provision of services on consent to share a service recipient’s social care information with additional employees, partner organizations, or other parties not necessary for the provision of services.

(e) Third Parties. --

(1) A participating organization shall not share or transmit individually identifiable social care information it holds with a third party unless:

(A) It is necessary to comply with a legal obligation imposed by federal, state, tribal, or local law or for reporting required to receive government grant funds; or

(B) The individual consents through active opt-in consent for the participating organization to share or transmit the information; and

(C) That third party is required to meet the same privacy and security obligations as the participating organization under this article.

(2) If the third party is not a participating organization under this article, a participating organization may ensure the third party meets these requirements through contractual provisions. A participating organization shall exercise reasonable oversight and take reasonable actions to ensure compliance with such contractual obligations.

(f) Sale of data. -- A participating organization shall not sell or license individually identifiable social care information without explicit written consent of the individual. For the purposes of this provision, simply checking a box or radio button on a website does not constitute explicit written consent.

§9-11-5. Relation to other privacy laws and Exclusions.

 

(a) Preemption. -- Nothing in this article shall be construed to supersede or preempt the applicability of the following:

(1) The Health Insurance Portability and Accountability Act of 1996 (HIPAA);

(2) The Family Educational Rights and Privacy Act (FERPA);

(3) Financial records covered by the Gramm-Leach-Bliley Act; or

(4) Any governing state privacy laws.

(b) Exclusions. -- This article shall not apply to any data protected by the following:

(1) The Health Insurance Portability and Accountability Act of 1996 (HIPAA);

(2) The Family Educational Rights and Privacy Act (FERPA);

(3) Financial records covered by the Gramm-Leach-Bliley Act;

(4) Confidentiality of Substance Use Disorder patient identifying information;

(5) Employment records;

(6) Any governing state privacy laws;

(7) Information derived from health care-related information that is de-identified in accordance with HIPAA’s requirements for de-identification; or

(8) Identifiable information that is collected for purposes of human subjects research pursuant to 45 C.F.R. § 46.”

 

Adopted

Rejected