Bill Text: CA AB1011 | 2023-2024 | Regular Session | Amended

California Assembly Bill 1011

NOTE: There are more recent revisions of this legislation. Read Latest Draft

Bill Title: Social care: data privacy.

Spectrum: Partisan Bill (Democrat 1-0)

Status: (Engrossed) 2023-09-01 - In committee: Held under submission. [AB1011 Detail]

Download: California-2023-AB1011-Amended.html

Amended IN Assembly March 16, 2023

CALIFORNIA LEGISLATURE— 2023–2024 REGULAR SESSION

Assembly Bill

No. 1011

Introduced by Assembly Member Weber

February 15, 2023

~~An act to amend Section 20104.70 of the Public Contract Code, relating to public contracts.~~ An act to add Part 2.8 (commencing with Section 60) to Division 1 of the Civil Code, relating to social care.

LEGISLATIVE COUNSEL'S DIGEST

AB 1011, as amended, Weber. ~~Local public contracts: second lowest bidder.~~ Social care: data privacy.

Existing federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes certain requirements relating to the provision of health insurance, including provisions relating to the confidentiality of health records. Existing state law, the Confidentiality of Medical Information Act, prohibits a provider of health care, a health care service plan, a contractor, a corporation and its subsidiaries and affiliates, or any business that offers software or hardware to consumers, including a mobile application or other related device, as defined, from intentionally sharing, selling, using for marketing, or otherwise using any medical information, as defined, for any purpose not necessary to provide health care services to a patient, except as provided.
This bill would, among other things, prohibit a participating organization of a closed-loop referral system (CLRS) from adding to, or accessing from, a CLRS an individual’s personally identifiable information or social care information unless specified requirements are met, including that the individual provides consent. The bill would require a participating organization to have policies and controls in place defining staff roles necessary for the referral and provision of services and for the purpose of providing care coordination, as specified. The bill would define “social care” to mean any care, services, goods, or supplies related to an individual’s social needs, including, but not limited to, support and assistance for an individual’s food stability and nutritional needs, housing, transportation, economic stability, employment, education access and quality, childcare and family relationship needs, and environmental and physical safety. The bill would also define “social care information” to mean any information, in any form, that relates to the need for, payment for, or provision of, social care.
Existing law, the Local Agency Public Construction Act, sets forth the requirements for competitive bidding on various types of contracts awarded by local agencies. The act authorizes the 2nd lowest bidder to bring an action in superior court if the 2nd lowest bidder suffers damages as a result of the successful bidder’s violation of specified laws, but prohibits the action if the 2nd lowest bidder has been convicted of a violation of specified labor laws or unemployment insurance laws within one year prior to fulfilling the bid for public work and has failed to take affirmative steps to correct the violation.
~~This bill would make nonsubstantive changes to those provisions.~~

Vote: MAJORITY Appropriation: NO Fiscal Committee: NOYES Local Program: NO

The people of the State of California do enact as follows:

SECTION 1.
Part 2.8 (commencing with Section 60) is added to Division 1 of the Civil Code, to read:
PART 2.8. Social Care Data Privacy
60.
For purposes of this part, all of the following definitions apply:
(a) “Closed-loop referral system” or “CLRS” means any system that does all of the following:
(1) Stores an individual’s social care information for the purpose of referrals.
(2) Shares its data with a network of entities, including, but not limited to, health care providers, health care service plans, health information exchanges, public agencies, nonprofit organizations, charitable organizations, and other entities that provide social care.
(3) Is capable of updating or showing updated referral activity, including data related to participating organizations closing the loop on referrals, by updating downstream systems.
(b) “Individually identifiable social care information” means social care information that meets either of the following:
(1) Identifies the individual receiving social care.
(2) There is a reasonable basis to believe that the information can be used to identify the individual receiving social care.
(c) “Participating organization” means any entity, including, but not limited to, public agencies, nonprofit organizations, charitable organizations, CLRS technology vendors, and other entities that provide social care, that have the ability to create, receive, or update referrals or other social care information in a CLRS, regardless of whether they have entered into contractual agreements with a CLRS vendor.
(d) “Social care” means care, services, goods, or supplies related to an individual’s social needs. “Social care” includes, but is not limited to, support and assistance for an individual’s food stability and nutritional needs, housing, transportation, economic stability, employment, education access and quality, childcare and family relationship needs, and environmental and physical safety.
(e) “Social care information” means any information, in any form, that relates to the need for, payment for, or provision of, social care.
61.
(a) A participating organization shall not add an individual’s personally identifiable information or social care information to a CLRS unless both of the following conditions are met:
(1) The individual consents to its inclusion on each instance of a referral for social care.
(2) The individual retains the right to revoke consent for their information to be in the CLRS at any time.
(b) A participating organization utilizing the CLRS shall not have access to an individual’s personally identifiable information or social care information unless one of the following conditions is met:
(1) The individual has been referred to that participating organization for social care.
(2) The individual has consented for that participating organization to access the information.
(c) Participating organizations shall have policies and controls in place defining staff roles necessary for the referral and provision of services and for the purpose of providing care coordination. These policies shall do both of the following:
(1) Provide access to social care information, as necessary, to ensure uninterrupted and efficient delivery of social care and care coordination.
(2) Restrict or prohibit access to social care information by staff, volunteers, and any other individuals who do not need access to complete their duties.
(d) A participating organization shall not condition the provision of social care on consent to share a social care recipient’s social care information with additional employees, partner organizations, or other parties not necessary for the provision of social care.
(e) A participating organization shall not share or transmit social care information it holds with a third party unless both of the following conditions are met:
(1) The individual consents through an active opt-in consent for the participating organization to share or transmit the information.
(2) (A) The third party is required to meet the same privacy and security obligations as the participating organization under this part.
(B) If the third party is not a participating organization under this part, a participating organization may ensure the third party meets these requirements through contractual provisions. A participating organization shall exercise reasonable oversight and take reasonable actions to ensure compliance with the contractual obligations.
(f) A participating organization shall not sell or license individually identifiable social care information without explicit written consent of the individual. For the purposes of this subdivision, simply checking a box or radio button on an internet website does not constitute explicit written consent.
62.
(a) Nothing in this act shall be construed to supersede or preempt the applicability of any of the following:
(1) Health Insurance Portability and Accountability Act of 1996 (HIPAA)(Public Law 104-191).
(2) Family Educational Rights and Privacy Act of 1974 (FERPA)(20 U.S.C. Sec 1232g).
(3) Financial records covered by the Gramm-Leach-Bliley Act (Public Law 106-102).
(4) Confidentiality of Medical Information Act (CMIA)(Part 2.6 (commencing with Section 56)).
(5) The California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3) and the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election.
(b) (1) Nothing in this part shall be construed as superseding, preempting, or altering rights and protections afforded under HIPAA or CMIA, or affecting the obligations of covered entities under HIPAA or CMIA regulations.
(2) No provisions in this part relating to social care information apply to or alter the status of information considered protected health information (PHI) under HIPAA or information considered medical information under CMIA. Nothing in this part shall be construed as affecting the ability of HIPAA-covered entities to access, use, transmit, receive, or maintain PHI. Nothing in this part shall be construed as affecting the ability of authorized recipients under CMIA to access, use, transmit, receive, or maintain medical information.
(3) Social care information created or received by a HIPAA-covered entity that meets the definition of “protected health information” under HIPAA shall always be handled in accordance with HIPAA and all related regulations.

SECTION 1.Section 20104.70 of the Public Contract Code is amended to read:
20104.70.
(a)(1)The second lowest bidder, and any person, firm, association, trust, partnership, labor organization, corporation, or other legal entity which has, prior to the letting of the bids on the public works project in question, entered into a contract with the second lowest bidder, may bring an action in superior court if that entity suffers damages as a result of the bid of the second lowest bidder for any contract subject to this part not being accepted due to the successful bidder’s violation, as evidenced by the conviction of the successful bidder therefor, of any provision of either or both Division 4 (commencing with Section 3200) of the Labor Code or the Unemployment Insurance Code.
(2)There shall be a rebuttable presumption that a successful bidder who has been convicted of a violation of any provision of either or both Division 4 (commencing with Section 3200) of the Labor Code or the Unemployment Insurance Code was awarded the bid because that successful bidder was able to lower the bid due to this violation or these violations occurring on the contract for public work awarded by the public agency.
~~(b)In an action brought pursuant to this section, the court may award costs and reasonable attorney’s fees, in an amount to be determined in the court’s discretion, to the prevailing party.~~
~~(c)For purposes of an action brought pursuant to this section:~~
(1)Employee status shall be determined pursuant to Division 4 (commencing with Section 3200) of the Labor Code with respect to alleged violations of that division, pursuant to the Unemployment Insurance Code with respect to alleged violations of that code, or pursuant to Section 2750.5 of the Labor Code with respect to alleged violations of either Division 4 (commencing with Section 3200) or of the Unemployment Insurance Code, or of both.
~~(2)“Second lowest bidder” means the second lowest qualified bidder deemed responsive by the public agency awarding the contract for public work.~~
~~(3)The “second lowest bidder” and the “successful bidder” may include any person, firm, association, corporation, or other legal entity.~~
(d)A second lowest bidder who has been convicted of a violation of any provision of either or both Division 4 (commencing with Section 3200) of the Labor Code or the Unemployment Insurance Code within one year prior to filing the bid for public work, and who has failed to take affirmative steps to correct that violation or those violations, is prohibited from taking any action authorized by this section.