House File 2116 - Introduced

HOUSE FILE 2116
BY PETTENGILL

A BILL FOR

An Act prohibiting the disclosure of personal information except under specified circumstances and providing penalties.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 5508YH (6) 85
rn/nh

H.F. 2116

Section 1. NEW SECTION. 715D.1 Definitions.

As used in this chapter, unless the context otherwise requires:

1. “Governmental agency” means the same as defined in section 28J.1.

2. “Person or entity” means any individual; business entity; nonprofit organization; governmental agency; health care office, network, or organization; employer; pharmacist; religious organization; or any other individual or entity which is in possession of another individual’s personal information.

3. “Personal information” means the same as defined in section 715C.1. In addition, “personal information” includes any health or prescription-related information not otherwise protected from or subject to disclosure pursuant to state or federal law contained in an individual’s medical, pharmaceutical, or insurance-related information, applications, or records; and any work-related information including but not limited to an employee’s salary level and information contained in an employee’s personnel file. “Personal information” does not include information that is lawfully obtained from publicly available sources, or from federal, state, or local government records lawfully made available to the general public.

Sec. 2. NEW SECTION. 715D.2 Personal information —— disclosure limitations.

Subject to the exceptions contained in section 715D.3, a person or entity shall not voluntarily or intentionally disclose an individual’s personal information without informing the individual of the intent to disclose the personal information, identifying the intended recipient of the information, indicating how the disclosed information is intended to be used, and obtaining the individual’s written consent to the disclosure.

Sec. 3. NEW SECTION. 715D.3 Exceptions.

The disclosure limitations specified in section 715D.2 shall not be applicable to the following:

1. Elective participation in the Iowa health information network established pursuant to section 135.155A.

2. Disclosure of personal information which is subject to any provision of state or federal law which either supersedes or is more restrictive than the provisions of section 715D.2.

3. The breach of security provisions of chapter 715C.

4. Disclosure in response to a subpoena or court order issued pursuant to a civil or criminal investigation or proceeding.

Sec. 4. NEW SECTION. 715D.4 Rulemaking.

The attorney general shall adopt rules to administer and interpret this chapter.

Sec. 5. NEW SECTION. 715D.5 Unauthorized disclosure —— penalties.

1. In the event of a disclosure of personal information in violation of this chapter, a person or entity shall notify the individual whose personal information was disclosed that the disclosure has occurred by certified mail return receipt requested within ten business days of the date the disclosure occurred. The notification shall identify, to the extent able to be determined, the person to whom the disclosure was made.

2. The person or entity shall be responsible for full restitution to an individual whose personal information was disclosed in violation of this chapter for any losses incurred resulting from the disclosure.

3. A violation of this chapter is punishable by a civil penalty not to exceed five thousand dollars.

Sec. 6. HEALTHCARE.GOV —— DATA SECURITY STANDARDS AND PRACTICES. The attorney general shall coordinate with the department of public health, the department of human services, and the office of the chief information officer to determine whether and to what extent personal information disclosure requirements and safeguards developed by the centers for Medicare and Medicaid services of the United States department of health and human services in connection with the healthcare.gov internet site afford the citizens of this state adequate personal information safeguards and protection and reflect best practices for data security. Based on this determination, the attorney general shall develop recommendations and guidelines containing suggestions for utilizing the internet site and areas of concern identified concerning personal information data security by October 1, 2014.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill prohibits the disclosure of personal information except under specified circumstances.

The bill provides several definitions. The bill defines a “person or entity” to mean any individual; business entity; nonprofit organization; governmental agency; health care office, network, or organization; employer; pharmacist; religious organization; or any other individual or entity which is in possession of another individual’s personal information.

The bill defines “personal information” to mean the same as defined in Code section 715C.1. That Code section defines “personal information” as an individual’s first name or first initial and last name in combination with any one or more data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable. The data elements include a social security number; driver’s license number or other unique identification number created or collected by a government body; financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; unique electronic identifier or routing code in combination with any required security code, access code, or password that would permit access to an individual’s financial account; and unique biometric data, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data. In addition, the bill provides that “personal information” includes any health or prescription-related information not otherwise protected from or subject to disclosure pursuant to state or federal law contained in an individual’s medical, pharmaceutical, or insurance-related information, applications, and records; and any work-related information including but not limited to an employee’s salary level and information contained in an employee’s personnel file. The bill provides that “personal information” does not include information that is lawfully obtained from publicly available sources, or from federal, state, or local government records lawfully made available to the general public.

The bill references a definition of “governmental agency” contained in Code section 28J.1 as meaning a department, division, or other unit of state government of Iowa or any other state, city, county, township, or other governmental subdivision, or any other public corporation or agency created under the laws of Iowa, any other state, the United States, or any department or agency thereof, or any agency, commission, or authority established pursuant to an interstate compact or agreement or combination thereof.

The bill provides that a person or entity shall not voluntarily or intentionally disclose an individual’s personal information without informing the individual of the intent to disclose the personal information, identifying the intended recipient of the information, indicating how the disclosed information is intended to be used, and obtaining the individual’s written consent to the disclosure. The bill provides that this restriction does not apply to elective participation in the Iowa health information network established pursuant to Code section 135.155A, to disclosure of personal information which is subject to any provision of state or federal law which either supersedes or is more restrictive than the provisions of the bill, to the breach of security provisions of Code chapter 715C, or to disclosure in response to a subpoena or court order issued pursuant to a civil or criminal investigation or proceeding.

The bill directs the attorney general to adopt administrative rules to administer and interpret the bill’s provisions.

The bill provides that in the event of a disclosure of personal information in violation of the bill’s provisions, a person or entity shall notify the individual whose personal information was disclosed that the disclosure has occurred by certified mail return receipt requested within 10 business days of the date the disclosure occurred. The notification shall identify, to the extent able to be determined, the person to whom the disclosure was made. The person or entity shall be responsible for full restitution to an individual whose personal information was disclosed for any losses incurred resulting from the disclosure. Further, a violation of the bill’s provisions is punishable by a civil penalty not to exceed $5,000.

Finally, the bill directs the attorney general, in conjunction with the department of public health, the department of human services, and the office of the chief information officer, to determine whether and to what extent personal information disclosure requirements and safeguards developed by the centers for Medicare and Medicaid services of the United States department of health and human services in connection with the healthcare.gov internet site afford the citizens of this state adequate personal information safeguards and protection and reflect best practices for data security. Based on this determination, the bill requires the attorney general to develop recommendations containing suggestions for utilizing the internet site and areas of concern identified concerning personal information data security by October 1, 2014.