HB 91-FN-A - AS AMENDED BY THE HOUSE

14Feb2023... 0142h

2023 SESSION

23-0057

07/05

HOUSE BILL 91-FN-A

AN ACT relative to privacy obligations of the department of health and human services.

SPONSORS: Rep. Edwards, Rock. 31; Rep. M. Pearson, Rock. 34; Rep. McMahon, Rock. 17; Rep. Ammon, Hills. 42; Rep. T. Lekas, Hills. 38; Rep. Ulery, Hills. 13; Rep. Moffett, Merr. 4; Sen. Rosenwald, Dist 13

COMMITTEE: Health, Human Services and Elderly Affairs

-----------------------------------------------------------------

ANALYSIS

This bill establishes a data privacy and information technology security governance board within the department of health and human services to oversee data privacy risk calculation and risk mitigation efforts.  The bill also makes an appropriation to the department for 2 classified employees to accomplish these objectives.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Explanation: Matter added to current law appears in bold italics.

Matter removed from current law appears [in brackets and struckthrough.]

Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.


STATE OF NEW HAMPSHIRE

In the Year of Our Lord Two Thousand Twenty Three

AN ACT relative to privacy obligations of the department of health and human services.

Be it Enacted by the Senate and House of Representatives in General Court convened:

1  Declaration of Purpose.  New Hampshire voters passed the Right of Privacy into the state constitution in November 2018 with an 81 percent approval.  With that vote, state government culture and behavior needed to be shaped by the words, “An individual's right to live free from governmental intrusion in private or personal information is natural, essential, and inherent”.  The department of health and human services has been subject to the Health Insurance Portability and Accountability Act since 1996 which drove initial efforts to develop a culture and infrastructure to protect personal data privacy.  As a holder of personal information in state government, the department has a responsibility to demonstrate to the public the state’s commitment to actively and overtly respect personal privacy, including privacy of personal information.  Establishing and maturing a culture of privacy is core to successfully driving future efforts to implement and enhance privacy policies, procedures, and practices.  Continuous improvement requires appropriate governance and policy leadership.

2  New Subdivision; Data Privacy and Information Technology Security Governance Board.  Amend RSA 126-A by inserting after section 98 the following new subdivision:

Data Privacy and Information Technology Security Governance Board

126-A:99  Data Privacy and Information Technology Security Governance Board Established.  There is hereby established a data privacy and information technology security governance board to oversee the department's use of data, data privacy, and information technology security that shall be maintained by the department of health and human services.

126-A:100  Membership; Quorum.

I.  The data privacy and information technology security governance board shall consist of the following members:

(a)  The commissioner of the department of health and human services, who shall serve as the governance board chair.

(b)  The department's privacy officer.

(c)  Three directors of the department who have responsibility for one of the following areas: medicaid services, public health, behavioral health, children, youth and families, or long-term support and services.

(d)  The director of the department's bureau of human resource management.

(e)  The director of the department's bureau of information services.

(f)  The department's chief legal officer.

(g)  The commissioner of the department of information technology.

(h)  Up to 2 additional voting members appointed by the commissioner of the department of health and human services, if needed.

II.  A quorum of this board shall consist of the named positions being in attendance with greater than 50 percent present.  Members may delegate authority to represent them for the purposes of maintaining a quorum.  The chair of the board may also delegate authority to another appropriate member of the governance board to serve during a specified meeting.

126-A:101  Duties.

I.  The data privacy and information technology security governance board shall:

(a)  Meet at least 3 times a year and post public facing meeting minutes within 2 weeks of the completion of each meeting on the department's web page.

(b)  Become educated in what data governance means, how it will work for the organization, and what it means to embrace data governance and activate enterprise data stewards.

(c)  Actively promote improved data governance practices across the department.

(d)  Identify and approve of pivotal data governance roles and responsibilities for the department including cross-enterprise domain stewards and coordinators.

(e)  Advise, review, and approve the department's data control, governance, and privacy practices in compliance with federal and state law and federal and state information privacy and security policies, with the goal to meet or exceed private market benchmarks for governance, risk management, and compliance.

(f)  Drive strategic and timely implementation of a department-wide privacy policy, related procedures and processes to operationalize policy-derived controls, and effective risk management methodologies, including industry standards such as privacy impact assessments and privacy by design.

II.  The data privacy and information technology security governance board may solicit information from any person or entity the board deems relevant to its quest.

126-A:102  Risk Management.

I.  The department shall conduct a written risk assessment and mitigation remediation plan in the form of a privacy impact assessment (PIA).

II.  The assessment and plan shall:

(a)  Assess risks to an individual's right to privacy within the department's information technology systems where the individual does not possess immediate control over their information.

(b)  Recommend alternatives to both mitigate the risks and achieve the stated objectives of the department's systems.

(c)  Identify those individuals and offices within the department who shall be directly accountable for the assessment and plan, the system at the time the assessment and plan are compiled, and any approved alternatives and mitigations as a result of the assessment and plan.

III.  Unless otherwise required by law or applicable regulation, no personal information shall be collected prior to the completion of the assessment and plan and any subsequent measures as a result of the assessment and plan, as determined by the governance board for any systems implemented subsequent to March 31, 2024.

IV.  The assessment and plan shall be approved and may be acted upon by the commissioner.  All assessments and plans conducted before the date of the next data privacy and information technology security governance board meeting shall be submitted to the board for review.

3  Data Privacy and Information Technology Security Governance Board; Specialized Employees Authorized; Appropriation.

I.  The department is hereby authorized to establish 2 full-time, permanent employees to support and conduct the required data privacy and information technology security assessments, as well as manage the implementation of mitigation efforts and other necessary updates.

II.  The qualifications of the 2 employees shall include privacy certifications, information systems expertise, and project management and communications experience.  Certifications may be deferred for up to 2 years post-hiring.

III.  The 2 employees shall be classified, full time employees who shall work on assisting in implementing the objectives of the data privacy and information technology security governance board, conducting the privacy assessment and mitigation plan, and other, related data privacy and information technology security activities in the department of health and human services.  The classification shall be information technology manager IV, labor grade 32, step 7.

IV.  The sum of $300,000 for the fiscal year ending June 30, 2024 is hereby appropriated to the department of health and human services for the purpose of funding 2 information technology manager IV positions as required in paragraph III of this section.  The governor is authorized to draw a warrant for said sum out of any money in the treasury not otherwise appropriated.

V.  The department is authorized to use contract support available from funds prior to July 1, 2024.

4  Effective Date.

I.  Section 3 of this act shall take effect July 1, 2023.

II.  The remainder of this act shall take effect 60 days after its passage.

LBA

23-0057

11/22/22

HB 91-FN-A - FISCAL NOTE

AS INTRODUCED

AN ACT relative to privacy obligations of the department of health and human services.

FISCAL IMPACT:      [ X ] State              [    ] County               [    ] Local              [    ] None

Estimated Increase / (Decrease)

STATE:            FY 2023    FY 2024                                          FY 2025                                           FY 2026
  Appropriation   $0         $300,000                                         $0                                                $0
  Revenue         $0         $0                                               $0                                                $0
  Expenditures    $0         $150,000 general funds; $99,000 federal funds    $152,000 general funds; $100,000 federal funds    $158,000 general funds; $104,000 federal funds

Funding Source:
  [ X ] General            [    ] Education            [    ] Highway           [ X ] Other - Federal matching funds

METHODOLOGY:

This bill establishes a Data Privacy and Information Technology Governance Board within the Department of Health and Human Services to oversee data privacy risk calculation and risk mitigation efforts.  The bill establishes two full-time classified positions (Business Systems Analyst II, Labor Grade 32, step 5) for the purposes of implementing mitigation efforts and other necessary updates.  The portion of the bill that establishes the positions is effective 60 days after passage; accordingly, the Department anticipates that there will be no fiscal impact until FY 24.  Combined, salary and benefits for the two positions will cost $249,000 ($150,000 general funds / $99,000 federal funds) in FY24, $252,000 ($152,000 general funds / $100,000 federal funds) in FY25, and $262,000 ($158,000 general funds / $104,000 federal funds) in FY26.  The bill contains a general fund appropriation of $300,000 in FY24.

AGENCIES CONTACTED:

Departments of Health and Human Services & Information Technology