1798.85.
(a) Except as provided in this section, a person or entity may not do any of the following:(1) Publicly post or publicly display in any manner an individual’s social security number. “Publicly post” or “publicly display” means to intentionally communicate or otherwise make available to the general public.
(2) Print an individual’s social security number on any card required for the individual to access products products, goods, or services provided by the person or entity.
(3) Require an individual to transmit his or her
their social security number over the Internet, internet, unless the connection is secure or the social security number is encrypted.
(4) Require an individual to use his or her their social security number to access an Internet Web site, internet website, unless a password or unique personal identification number or other authentication
device is also required to access the Internet Web site. internet website.
(5) Print an individual’s social security number on any materials that are mailed to the individual, unless state or federal law requires the social security number to be on the document to be mailed. Notwithstanding this paragraph, social security numbers may be included in applications and forms sent by mail, including documents sent as part of an application or enrollment process, or to establish, amend or terminate an account, contract or policy, or to confirm the accuracy of the social security number. A social security number that is permitted to be mailed under this section may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or
visible on the envelope or without the envelope having been opened.
(6) Sell, advertise for sale, or offer to sell an individual’s social security number. For purposes of this paragraph, the following apply:
(A) “Sell” shall not include the release of an individual’s social security number if the release of the social security number is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose. Release of an individual’s social security number for marketing purposes is not permitted.
(B) “Sell” shall not include the release of an individual’s social security number for a purpose specifically authorized or specifically allowed by federal or state law.
(b) This section does not
prevent the collection, use, or release of a social security number as required by state or federal law or the use of a social security number for internal verification or administrative purposes.
(c) This section does not prevent an adult state correctional facility, an adult city jail, or an adult county jail from releasing an inmate’s social security number, with the inmate’s consent and upon request by the county veterans service officer or the United States Department of Veterans Affairs, for the purposes of determining the inmate’s status as a military veteran and his or her their eligibility for federal, state, or local veterans’ benefits or services.
(d) This section does not apply to
documents that are recorded or required to be open to the public pursuant to Chapter 3.5 (commencing with Section 6250), Chapter 14 (commencing with Section 7150) or Chapter 14.5 (commencing with Section 7220) of Division 7 of Title 1 of, Article 9 (commencing with Section 11120) of Chapter 1 of Part 1 of Division 3 of Title 2 of, or Chapter 9 (commencing with Section 54950) of Part 1 of Division 2 of Title 5 of, the Government Code. This section does not apply to records that are required by statute, case law, or California Rule of Court, to be made available to the public by entities provided for in Article VI of the California Constitution.
(e) (1) In the case of a health care service plan, a provider of health care, an insurer or a pharmacy benefits manager, a contractor as defined in Section 56.05, or the provision by any person or entity of administrative or other services relative to health care or insurance
products or services, including third-party administration or administrative services only, this section shall become operative in the following manner:
(A) On or before January 1, 2003, the entities listed in paragraph (1) shall comply with paragraphs (1), (3), (4), and (5) of subdivision (a) as these requirements pertain to individual policyholders or individual contractholders.
(B) On or before January 1, 2004, the entities listed in paragraph (1) shall comply with paragraphs (1) to (5), inclusive, of subdivision (a) as these requirements pertain to new individual policyholders or new individual contractholders and new groups, including new groups administered or issued on or after January 1, 2004.
(C) On or before July 1, 2004, the entities listed in paragraph (1) shall comply with paragraphs (1) to (5),
inclusive, of subdivision (a) for all individual policyholders and individual contractholders, for all groups, and for all enrollees of the Healthy Families and Medi-Cal programs, except that for individual policyholders, individual contractholders and groups in existence prior to January 1, 2004, the entities listed in paragraph (1) shall comply upon the renewal date of the policy, contract, or group on or after July 1, 2004, but no later than July 1, 2005.
(2) A health care service plan, a provider of health care, an insurer or a pharmacy benefits manager, a contractor, or another person or entity as described in paragraph (1) shall make reasonable efforts to cooperate, through systems testing and other means, to ensure that the requirements of this article are implemented on or before the dates specified in this section.
(3) Notwithstanding paragraph (2), the Director of the
Department of Managed Health Care, pursuant to the authority granted under Section 1346 of the Health and Safety Code, or the Insurance Commissioner, pursuant to the authority granted under Section 12921 of the Insurance Code, and upon a determination of good cause, may grant extensions not to exceed six months for compliance by health care service plans and insurers with the requirements of this section when requested by the health care service plan or insurer. Any extension granted shall apply to the health care service plan or insurer’s affected providers, pharmacy benefits manager, and contractors.
(f) If a federal law takes effect requiring the United States Department of Health and Human Services to establish a national unique patient health identifier program, a provider of health care, a health care service plan, a licensed health care professional, or a contractor, as those terms are defined in Section 56.05, that complies with the
federal law shall be deemed in compliance with this section.
(g) A person or entity may not encode or embed a social security number in or on a card or document, including, but not limited to, using a barcode, chip, magnetic strip, or other technology, in place of removing the social security number, as required by this section.
(h) This section shall become operative, with respect to the University of California, in the following manner:
(1) On or before January 1, 2004, the University of California shall comply with paragraphs (1), (2), and (3) of subdivision (a).
(2) On or before January 1, 2005, the University of California shall comply with paragraphs (4) and (5) of subdivision (a).
(i) This section shall become operative with respect to the Franchise Tax Board on January 1, 2007.
(j) This section shall become operative with respect to the California community college districts on January 1, 2007.
(k) This section shall become operative with respect to the California State University system on July 1, 2005.
(l) This section shall become operative, with respect to the California Student Aid Commission and its auxiliary organization, in the following manner:
(1) On or before January 1, 2004, the commission and its auxiliary organization shall comply with paragraphs (1), (2), and (3) of subdivision (a).
(2) On or before January 1, 2005, the commission
and its auxiliary organization shall comply with paragraphs (4) and (5) of subdivision (a).