Bill Text: WV HB5271 | 2024 | Regular Session | Introduced
Bill Title: Relating to Privacy of Social Care information
Spectrum: Partisan Bill (Republican 1-0)
Status: (Introduced - Dead) 2024-02-02 - To House Judiciary
WEST VIRGINIA LEGISLATURE
2024 REGULAR SESSION
Introduced
House Bill 5271
By Delegate Linville
[Introduced January 29, 2024; Referred to the Committee on Technology and Infrastructure then the Judiciary]
A BILL to amend the Code of West Virginia, 1931, as amended, by adding thereto a new article, designated §9-11-1, §9-11-2, §9-11-3, §9-11-4, and §9-11-5, all relating to creating a Privacy of Social Care Information Act; providing a statement of legislative intent; setting forth definitions; clarifying applicability; providing for use of data; and describing article's relation to other privacy laws.
Be it enacted by the Legislature of West Virginia:
Article 11. Privacy of social care information.
§9-11-1. Statement of Legislative Intent.
(a) This article shall be known as the Privacy of Social Care Information Act. Nothing in this article may be construed as superseding, preempting, or altering rights and protections afforded under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Nothing in this article may be construed as affecting the obligations of covered entities under existing HIPAA regulations.
(b) No provisions in this article relating to social care information apply to or alter the status of information considered protected health information (PHI) under HIPAA. Nothing in this article may be construed as affecting the ability of HIPAA covered entities to access, use, transmit, receive, or maintain PHI.
§9-11-2. Definitions.
"Closed-Loop Referral System" or "CLRS" is defined as any system that:
(1) Stores an individual's social care information for the purpose of referrals;
(2) Shares its data with a network of entities including, but not limited to, healthcare providers, health plans, health information exchanges (HIEs), public agencies, nonprofits, charitable organizations, and other entities that provide social care; and
(3) Is capable of updating or showing updated referral activity, including data related to participating organizations closing the loop on referrals, by updating downstream systems.
"Participating organization" is defined as any entity including, but not limited to, healthcare providers, health plans, HIEs, public agencies, nonprofits, charitable organizations, CLRS technology vendors, and entities that provide social care, that have the ability to create, receive, or update referrals or other social care information in a CLRS. This definition applies to entities that use a CLRS regardless of whether they have entered into contractual agreements with a CLRS vendor.
"Social care" is defined as care, services, goods, or supplies related to an individual's social needs. Social care as used in this article includes, but is not limited to, support and assistance for an individual’s food stability and nutritional needs, housing, transportation, economic stability, employment, education access and quality, child care and family relationship needs, and environmental and physical safety.
"Individually identifiable social care information" is defined as social care information that:
(1) Identifies the individual receiving social care; or
(2) With respect to which there is a reasonable basis to believe the information can be used to identify the individual receiving social care.
"Social care information" is defined as any information, in any form, that relates to the need for, payment for, or provision of social care. Social care information created or received by a HIPAA covered entity that meets the HIPAA statutory definition for "protected health information" shall always be handled in accordance with HIPAA and all related regulations.
§9-11-3. Applicability.
This article applies only to state or local government entities including, but not limited to, public agencies, municipalities, county governments, and public-private partnerships, that directly or through a contracted entity provide a CLRS.
§9-11-4. Use of Data.
(a) Individual Control of Data. -- An individual's personally identifiable information or social care information may be added to a CLRS only if:
(1) The individual consents to its inclusion on each instance of a referral for services; and
(2) The individual retains the right to revoke consent to be in the system at any time.
(b) Organization Access to Data. -- No participating organization utilizing the CLRS may have access to an individual’s personally identifiable information or social care information unless:
(1) The individual has been referred to that provider or organization for services; or
(2) The individual has consented for that organization to access such information.
(c) Permission-based Access Policies. -- Participating organizations shall have policies and controls in place defining staff roles necessary for the referral and provision of services and for the purpose of providing care coordination. These policies shall:
(1) Provide access to social care information as necessary to ensure uninterrupted and efficient delivery of services and care coordination; and
(2) Restrict or prohibit access to social care information by staff, volunteers, and any other individuals who do not need access to complete their duties.
(d) Services Separate from Consent. -- A participating organization may not condition the provision of services on consent to share a service recipient's social care information with additional employees, partner organizations, or other parties not necessary for the provision of services.
(e) Third Parties.
(1) A participating organization may not share or transmit individually identifiable social care information it holds with a third party unless:
(A) It is necessary to comply with a legal obligation imposed by federal, state, tribal, or local law or for reporting required to receive government grant funds; or
(B) The individual consents through active opt-in consent for the participating organization to share or transmit the information; and
(C) That third party is required to meet the same privacy and security obligations as the participating organization under this article.
(2) If the third party is not a participating organization under this article, a participating organization may ensure the third party meets these requirements through contractual provisions. A participating organization shall exercise reasonable oversight and take reasonable actions to ensure compliance with such contractual obligations.
(f) Sale of data. -- A participating organization may not sell or license individually identifiable social care information without explicit written consent of the individual. For the purposes of this provision, simply checking a box or radio button on a website does not constitute explicit written consent.
§9-11-5. Relation to other privacy laws.
Preemption. -- Nothing in this article may be construed to supersede or preempt the applicability of the following:
(a) The Health Insurance Portability and Accountability Act of 1996 (HIPAA);
(b) The Family Educational Rights and Privacy Act (FERPA);
(c) Financial records covered by the Gramm-Leach-Bliley Act; or
(d) Any governing state privacy laws.
NOTE: The purpose of this bill is to create a Privacy of Social Care Information Act. It provides a statement of legislative intent; sets forth definitions; clarifies applicability; provides for use of data; and describes article's relation to other privacy laws.
Strike-throughs indicate language that would be stricken from a heading or the present law and underscoring indicates new language that would be added.