Amended IN Assembly April 27, 2023 Amended IN Assembly March 16, 2023 CALIFORNIA LEGISLATURE 20232024 REGULAR SESSION Assembly Bill No. 1011Introduced by Assembly Member WeberFebruary 15, 2023An act to add Part 2.8 (commencing with Section 60) to Division 1 of the Civil Code, relating to social care.LEGISLATIVE COUNSEL'S DIGESTAB 1011, as amended, Weber. Social care: data privacy.Existing federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes certain requirements relating to the provision of health insurance, including provisions relating to the confidentiality of health records. Existing state law, the Confidentiality of Medical Information Act, prohibits a provider of health care, a health care service plan, a contractor, a corporation and its subsidiaries and affiliates, or any business that offers software or hardware to consumers, including a mobile application or other related device, as defined, from intentionally sharing, selling, using for marketing, or otherwise using any medical information, as defined, for any purpose not necessary to provide health care services to a patient, except as provided.This bill would, among other things, prohibit a participating organization of a closed-loop referral system (CLRS) from adding to, or accessing from, a CLRS an individuals personally identifiable information or social care information unless specified requirements are met, including that the individual provides consent. The bill would require a participating organization to have policies and controls in place defining staff roles necessary for the referral and provision of services and for the purpose of providing care coordination, as specified. would prohibit a participating entity of a closed-loop referral system (CLRS) from selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, social care information stored in or transmitted through a CLRS in exchange for monetary or other valuable consideration. The bill would further prohibit a participating entity from using social care information stored in, or transmitted through, a CLRS for any purpose or purposes other than the purpose or purposes for which that social care information was collected or generated, except as specified. The bill would define social care to mean any care, services, goods, or supplies related to an individuals social needs, including, but not limited to, support and assistance for an individuals food stability and nutritional needs, housing, transportation, economic stability, employment, education access and quality, childcare and family relationship needs, and environmental and physical safety. The bill would also define social care information to mean any information, in any form, that relates to the need for, payment for, or provision of, social care. social care, and the individuals personal information, as specified.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO Bill TextThe people of the State of California do enact as follows:SECTION 1. Part 2.8 (commencing with Section 60) is added to Division 1 of the Civil Code, to read:PART 2.8. Social Care Data Privacy60. For purposes of this part, all of the following definitions apply:(a) Closed-loop referral system or CLRS means a technology platform or network that does all of the following:(1) Stores the social care information of one or more individuals.(2) Enables the sharing of social care information with and between participating entities for the purpose of referring individuals for social care.(3) Provides information to participating entities regarding the progress and outcomes of referrals for social care.(b) Participating entity means an entity that meets all of the following:(1) Provides social care or refers individuals for social care, including, but not limited to, a public agency, nonprofit organization, charitable organization, provider of health care, health care service plan, or CLRS technology vendor.(2) Has the ability to create, receive, or update social care information in a CLRS.(3) Has the ability to create, receive, or update referrals for social care in a CLRS.(c) Social care means care, services, goods, or supplies related to an individuals social needs. Social care includes, but is not limited to, support and assistance for an individuals food stability and nutritional needs, housing, transportation, economic stability, employment, education access and quality, childcare and family relationship needs, and environmental and physical safety.(d) Social care information means both of the following regarding an individual:(1) Any information, in any form, that relates to the need for, payment for, or provision of, social care to the individual.(2) The individuals personal information, as that term is defined in subdivision (v) of Section 1798.140 of the Civil Code.61. (a) A participating entity shall not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, social care information stored in or transmitted through a closed-loop referral system in exchange for monetary or other valuable consideration.(b) A participating entity shall not use social care information stored in, or transmitted through, a closed-loop referral system for any purpose or purposes other than the purpose or purposes for which that social care information was collected or generated, except as required by federal law or as authorized or required by state law.SECTION 1.Part 2.8 (commencing with Section 60) is added to Division 1 of the Civil Code, to read:2.8.Social Care Data Privacy60.For purposes of this part, all of the following definitions apply:(a)Closed-loop referral system or CLRS means any system that does all of the following:(1)Stores an individuals social care information for the purpose of referrals.(2)Shares its data with a network of entities, including, but not limited to, health care providers, health care service plans, health information exchanges, public agencies, nonprofit organizations, charitable organizations, and other entities that provide social care.(3)Is capable of updating or showing updated referral activity, including data related to participating organizations closing the loop on referrals, by updating downstream systems.(b)Individually identifiable social care information means social care information that meets either of the following:(1)Identifies the individual receiving social care.(2)There is a reasonable basis to believe that the information can be used to identify the individual receiving social care.(c)Participating organization means any entity, including, but not limited to, public agencies, nonprofit organizations, charitable organizations, CLRS technology vendors, and other entities that provide social care, that have the ability to create, receive, or update referrals or other social care information in a CLRS, regardless of whether they have entered into contractual agreements with a CLRS vendor.(d)Social care means care, services, goods, or supplies related to an individuals social needs. Social care includes, but is not limited to, support and assistance for an individuals food stability and nutritional needs, housing, transportation, economic stability, employment, education access and quality, childcare and family relationship needs, and environmental and physical safety.(e)Social care information means any information, in any form, that relates to the need for, payment for, or provision of, social care.61.(a)A participating organization shall not add an individuals personally identifiable information or social care information to a CLRS unless both of the following conditions are met:(1)The individual consents to its inclusion on each instance of a referral for social care.(2)The individual retains the right to revoke consent for their information to be in the CLRS at any time.(b)A participating organization utilizing the CLRS shall not have access to an individuals personally identifiable information or social care information unless one of the following conditions is met:(1)The individual has been referred to that participating organization for social care.(2)The individual has consented for that participating organization to access the information.(c)Participating organizations shall have policies and controls in place defining staff roles necessary for the referral and provision of services and for the purpose of providing care coordination. These policies shall do both of the following:(1)Provide access to social care information, as necessary, to ensure uninterrupted and efficient delivery of social care and care coordination.(2)Restrict or prohibit access to social care information by staff, volunteers, and any other individuals who do not need access to complete their duties.(d)A participating organization shall not condition the provision of social care on consent to share a social care recipients social care information with additional employees, partner organizations, or other parties not necessary for the provision of social care.(e)A participating organization shall not share or transmit social care information it holds with a third party unless both of the following conditions are met:(1)The individual consents through an active opt-in consent for the participating organization to share or transmit the information.(2)(A)The third party is required to meet the same privacy and security obligations as the participating organization under this part.(B)If the third party is not a participating organization under this part, a participating organization may ensure the third party meets these requirements through contractual provisions. A participating organization shall exercise reasonable oversight and take reasonable actions to ensure compliance with the contractual obligations.(f)A participating organization shall not sell or license individually identifiable social care information without explicit written consent of the individual. For the purposes of this subdivision, simply checking a box or radio button on an internet website does not constitute explicit written consent.62.(a)Nothing in this act shall be construed to supersede or preempt the applicability of any of the following:(1)Health Insurance Portability and Accountability Act of 1996 (HIPAA)(Public Law 104-191).(2)Family Educational Rights and Privacy Act of 1974 (FERPA)(20 U.S.C. Sec 1232g).(3)Financial records covered by the Gramm-Leach-Bliley Act (Public Law 106-102).(4)Confidentiality of Medical Information Act (CMIA)(Part 2.6 (commencing with Section 56)).(5)The California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3) and the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election.(b)(1)Nothing in this part shall be construed as superseding, preempting, or altering rights and protections afforded under HIPAA or CMIA, or affecting the obligations of covered entities under HIPAA or CMIA regulations.(2)No provisions in this part relating to social care information apply to or alter the status of information considered protected health information (PHI) under HIPAA or information considered medical information under CMIA. Nothing in this part shall be construed as affecting the ability of HIPAA-covered entities to access, use, transmit, receive, or maintain PHI. Nothing in this part shall be construed as affecting the ability of authorized recipients under CMIA to access, use, transmit, receive, or maintain medical information.(3)Social care information created or received by a HIPAA-covered entity that meets the definition of protected health information under HIPAA shall always be handled in accordance with HIPAA and all related regulations.
Amended IN Assembly April 27, 2023 Amended IN Assembly March 16, 2023 CALIFORNIA LEGISLATURE 20232024 REGULAR SESSION Assembly Bill No. 1011Introduced by Assembly Member WeberFebruary 15, 2023An act to add Part 2.8 (commencing with Section 60) to Division 1 of the Civil Code, relating to social care.LEGISLATIVE COUNSEL'S DIGESTAB 1011, as amended, Weber. Social care: data privacy.Existing federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes certain requirements relating to the provision of health insurance, including provisions relating to the confidentiality of health records. Existing state law, the Confidentiality of Medical Information Act, prohibits a provider of health care, a health care service plan, a contractor, a corporation and its subsidiaries and affiliates, or any business that offers software or hardware to consumers, including a mobile application or other related device, as defined, from intentionally sharing, selling, using for marketing, or otherwise using any medical information, as defined, for any purpose not necessary to provide health care services to a patient, except as provided.This bill would, among other things, prohibit a participating organization of a closed-loop referral system (CLRS) from adding to, or accessing from, a CLRS an individuals personally identifiable information or social care information unless specified requirements are met, including that the individual provides consent. The bill would require a participating organization to have policies and controls in place defining staff roles necessary for the referral and provision of services and for the purpose of providing care coordination, as specified. would prohibit a participating entity of a closed-loop referral system (CLRS) from selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, social care information stored in or transmitted through a CLRS in exchange for monetary or other valuable consideration. The bill would further prohibit a participating entity from using social care information stored in, or transmitted through, a CLRS for any purpose or purposes other than the purpose or purposes for which that social care information was collected or generated, except as specified. The bill would define social care to mean any care, services, goods, or supplies related to an individuals social needs, including, but not limited to, support and assistance for an individuals food stability and nutritional needs, housing, transportation, economic stability, employment, education access and quality, childcare and family relationship needs, and environmental and physical safety. The bill would also define social care information to mean any information, in any form, that relates to the need for, payment for, or provision of, social care. social care, and the individuals personal information, as specified.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: NO
Amended IN Assembly April 27, 2023 Amended IN Assembly March 16, 2023
Amended IN Assembly April 27, 2023
Amended IN Assembly March 16, 2023
CALIFORNIA LEGISLATURE 20232024 REGULAR SESSION
Assembly Bill
No. 1011
Introduced by Assembly Member WeberFebruary 15, 2023
Introduced by Assembly Member Weber
February 15, 2023
An act to add Part 2.8 (commencing with Section 60) to Division 1 of the Civil Code, relating to social care.
LEGISLATIVE COUNSEL'S DIGEST
## LEGISLATIVE COUNSEL'S DIGEST
AB 1011, as amended, Weber. Social care: data privacy.
Existing federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes certain requirements relating to the provision of health insurance, including provisions relating to the confidentiality of health records. Existing state law, the Confidentiality of Medical Information Act, prohibits a provider of health care, a health care service plan, a contractor, a corporation and its subsidiaries and affiliates, or any business that offers software or hardware to consumers, including a mobile application or other related device, as defined, from intentionally sharing, selling, using for marketing, or otherwise using any medical information, as defined, for any purpose not necessary to provide health care services to a patient, except as provided.This bill would, among other things, prohibit a participating organization of a closed-loop referral system (CLRS) from adding to, or accessing from, a CLRS an individuals personally identifiable information or social care information unless specified requirements are met, including that the individual provides consent. The bill would require a participating organization to have policies and controls in place defining staff roles necessary for the referral and provision of services and for the purpose of providing care coordination, as specified. would prohibit a participating entity of a closed-loop referral system (CLRS) from selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, social care information stored in or transmitted through a CLRS in exchange for monetary or other valuable consideration. The bill would further prohibit a participating entity from using social care information stored in, or transmitted through, a CLRS for any purpose or purposes other than the purpose or purposes for which that social care information was collected or generated, except as specified. The bill would define social care to mean any care, services, goods, or supplies related to an individuals social needs, including, but not limited to, support and assistance for an individuals food stability and nutritional needs, housing, transportation, economic stability, employment, education access and quality, childcare and family relationship needs, and environmental and physical safety. The bill would also define social care information to mean any information, in any form, that relates to the need for, payment for, or provision of, social care. social care, and the individuals personal information, as specified.
Existing federal law, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes certain requirements relating to the provision of health insurance, including provisions relating to the confidentiality of health records. Existing state law, the Confidentiality of Medical Information Act, prohibits a provider of health care, a health care service plan, a contractor, a corporation and its subsidiaries and affiliates, or any business that offers software or hardware to consumers, including a mobile application or other related device, as defined, from intentionally sharing, selling, using for marketing, or otherwise using any medical information, as defined, for any purpose not necessary to provide health care services to a patient, except as provided.
This bill would, among other things, prohibit a participating organization of a closed-loop referral system (CLRS) from adding to, or accessing from, a CLRS an individuals personally identifiable information or social care information unless specified requirements are met, including that the individual provides consent. The bill would require a participating organization to have policies and controls in place defining staff roles necessary for the referral and provision of services and for the purpose of providing care coordination, as specified. would prohibit a participating entity of a closed-loop referral system (CLRS) from selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, social care information stored in or transmitted through a CLRS in exchange for monetary or other valuable consideration. The bill would further prohibit a participating entity from using social care information stored in, or transmitted through, a CLRS for any purpose or purposes other than the purpose or purposes for which that social care information was collected or generated, except as specified. The bill would define social care to mean any care, services, goods, or supplies related to an individuals social needs, including, but not limited to, support and assistance for an individuals food stability and nutritional needs, housing, transportation, economic stability, employment, education access and quality, childcare and family relationship needs, and environmental and physical safety. The bill would also define social care information to mean any information, in any form, that relates to the need for, payment for, or provision of, social care. social care, and the individuals personal information, as specified.
## Digest Key
## Bill Text
The people of the State of California do enact as follows:SECTION 1. Part 2.8 (commencing with Section 60) is added to Division 1 of the Civil Code, to read:PART 2.8. Social Care Data Privacy60. For purposes of this part, all of the following definitions apply:(a) Closed-loop referral system or CLRS means a technology platform or network that does all of the following:(1) Stores the social care information of one or more individuals.(2) Enables the sharing of social care information with and between participating entities for the purpose of referring individuals for social care.(3) Provides information to participating entities regarding the progress and outcomes of referrals for social care.(b) Participating entity means an entity that meets all of the following:(1) Provides social care or refers individuals for social care, including, but not limited to, a public agency, nonprofit organization, charitable organization, provider of health care, health care service plan, or CLRS technology vendor.(2) Has the ability to create, receive, or update social care information in a CLRS.(3) Has the ability to create, receive, or update referrals for social care in a CLRS.(c) Social care means care, services, goods, or supplies related to an individuals social needs. Social care includes, but is not limited to, support and assistance for an individuals food stability and nutritional needs, housing, transportation, economic stability, employment, education access and quality, childcare and family relationship needs, and environmental and physical safety.(d) Social care information means both of the following regarding an individual:(1) Any information, in any form, that relates to the need for, payment for, or provision of, social care to the individual.(2) The individuals personal information, as that term is defined in subdivision (v) of Section 1798.140 of the Civil Code.61. (a) A participating entity shall not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, social care information stored in or transmitted through a closed-loop referral system in exchange for monetary or other valuable consideration.(b) A participating entity shall not use social care information stored in, or transmitted through, a closed-loop referral system for any purpose or purposes other than the purpose or purposes for which that social care information was collected or generated, except as required by federal law or as authorized or required by state law.SECTION 1.Part 2.8 (commencing with Section 60) is added to Division 1 of the Civil Code, to read:2.8.Social Care Data Privacy60.For purposes of this part, all of the following definitions apply:(a)Closed-loop referral system or CLRS means any system that does all of the following:(1)Stores an individuals social care information for the purpose of referrals.(2)Shares its data with a network of entities, including, but not limited to, health care providers, health care service plans, health information exchanges, public agencies, nonprofit organizations, charitable organizations, and other entities that provide social care.(3)Is capable of updating or showing updated referral activity, including data related to participating organizations closing the loop on referrals, by updating downstream systems.(b)Individually identifiable social care information means social care information that meets either of the following:(1)Identifies the individual receiving social care.(2)There is a reasonable basis to believe that the information can be used to identify the individual receiving social care.(c)Participating organization means any entity, including, but not limited to, public agencies, nonprofit organizations, charitable organizations, CLRS technology vendors, and other entities that provide social care, that have the ability to create, receive, or update referrals or other social care information in a CLRS, regardless of whether they have entered into contractual agreements with a CLRS vendor.(d)Social care means care, services, goods, or supplies related to an individuals social needs. Social care includes, but is not limited to, support and assistance for an individuals food stability and nutritional needs, housing, transportation, economic stability, employment, education access and quality, childcare and family relationship needs, and environmental and physical safety.(e)Social care information means any information, in any form, that relates to the need for, payment for, or provision of, social care.61.(a)A participating organization shall not add an individuals personally identifiable information or social care information to a CLRS unless both of the following conditions are met:(1)The individual consents to its inclusion on each instance of a referral for social care.(2)The individual retains the right to revoke consent for their information to be in the CLRS at any time.(b)A participating organization utilizing the CLRS shall not have access to an individuals personally identifiable information or social care information unless one of the following conditions is met:(1)The individual has been referred to that participating organization for social care.(2)The individual has consented for that participating organization to access the information.(c)Participating organizations shall have policies and controls in place defining staff roles necessary for the referral and provision of services and for the purpose of providing care coordination. These policies shall do both of the following:(1)Provide access to social care information, as necessary, to ensure uninterrupted and efficient delivery of social care and care coordination.(2)Restrict or prohibit access to social care information by staff, volunteers, and any other individuals who do not need access to complete their duties.(d)A participating organization shall not condition the provision of social care on consent to share a social care recipients social care information with additional employees, partner organizations, or other parties not necessary for the provision of social care.(e)A participating organization shall not share or transmit social care information it holds with a third party unless both of the following conditions are met:(1)The individual consents through an active opt-in consent for the participating organization to share or transmit the information.(2)(A)The third party is required to meet the same privacy and security obligations as the participating organization under this part.(B)If the third party is not a participating organization under this part, a participating organization may ensure the third party meets these requirements through contractual provisions. A participating organization shall exercise reasonable oversight and take reasonable actions to ensure compliance with the contractual obligations.(f)A participating organization shall not sell or license individually identifiable social care information without explicit written consent of the individual. For the purposes of this subdivision, simply checking a box or radio button on an internet website does not constitute explicit written consent.62.(a)Nothing in this act shall be construed to supersede or preempt the applicability of any of the following:(1)Health Insurance Portability and Accountability Act of 1996 (HIPAA)(Public Law 104-191).(2)Family Educational Rights and Privacy Act of 1974 (FERPA)(20 U.S.C. Sec 1232g).(3)Financial records covered by the Gramm-Leach-Bliley Act (Public Law 106-102).(4)Confidentiality of Medical Information Act (CMIA)(Part 2.6 (commencing with Section 56)).(5)The California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3) and the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election.(b)(1)Nothing in this part shall be construed as superseding, preempting, or altering rights and protections afforded under HIPAA or CMIA, or affecting the obligations of covered entities under HIPAA or CMIA regulations.(2)No provisions in this part relating to social care information apply to or alter the status of information considered protected health information (PHI) under HIPAA or information considered medical information under CMIA. Nothing in this part shall be construed as affecting the ability of HIPAA-covered entities to access, use, transmit, receive, or maintain PHI. Nothing in this part shall be construed as affecting the ability of authorized recipients under CMIA to access, use, transmit, receive, or maintain medical information.(3)Social care information created or received by a HIPAA-covered entity that meets the definition of protected health information under HIPAA shall always be handled in accordance with HIPAA and all related regulations.
The people of the State of California do enact as follows:
## The people of the State of California do enact as follows:
SECTION 1. Part 2.8 (commencing with Section 60) is added to Division 1 of the Civil Code, to read:PART 2.8. Social Care Data Privacy60. For purposes of this part, all of the following definitions apply:(a) Closed-loop referral system or CLRS means a technology platform or network that does all of the following:(1) Stores the social care information of one or more individuals.(2) Enables the sharing of social care information with and between participating entities for the purpose of referring individuals for social care.(3) Provides information to participating entities regarding the progress and outcomes of referrals for social care.(b) Participating entity means an entity that meets all of the following:(1) Provides social care or refers individuals for social care, including, but not limited to, a public agency, nonprofit organization, charitable organization, provider of health care, health care service plan, or CLRS technology vendor.(2) Has the ability to create, receive, or update social care information in a CLRS.(3) Has the ability to create, receive, or update referrals for social care in a CLRS.(c) Social care means care, services, goods, or supplies related to an individuals social needs. Social care includes, but is not limited to, support and assistance for an individuals food stability and nutritional needs, housing, transportation, economic stability, employment, education access and quality, childcare and family relationship needs, and environmental and physical safety.(d) Social care information means both of the following regarding an individual:(1) Any information, in any form, that relates to the need for, payment for, or provision of, social care to the individual.(2) The individuals personal information, as that term is defined in subdivision (v) of Section 1798.140 of the Civil Code.61. (a) A participating entity shall not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, social care information stored in or transmitted through a closed-loop referral system in exchange for monetary or other valuable consideration.(b) A participating entity shall not use social care information stored in, or transmitted through, a closed-loop referral system for any purpose or purposes other than the purpose or purposes for which that social care information was collected or generated, except as required by federal law or as authorized or required by state law.
SECTION 1. Part 2.8 (commencing with Section 60) is added to Division 1 of the Civil Code, to read:
### SECTION 1.
PART 2.8. Social Care Data Privacy60. For purposes of this part, all of the following definitions apply:(a) Closed-loop referral system or CLRS means a technology platform or network that does all of the following:(1) Stores the social care information of one or more individuals.(2) Enables the sharing of social care information with and between participating entities for the purpose of referring individuals for social care.(3) Provides information to participating entities regarding the progress and outcomes of referrals for social care.(b) Participating entity means an entity that meets all of the following:(1) Provides social care or refers individuals for social care, including, but not limited to, a public agency, nonprofit organization, charitable organization, provider of health care, health care service plan, or CLRS technology vendor.(2) Has the ability to create, receive, or update social care information in a CLRS.(3) Has the ability to create, receive, or update referrals for social care in a CLRS.(c) Social care means care, services, goods, or supplies related to an individuals social needs. Social care includes, but is not limited to, support and assistance for an individuals food stability and nutritional needs, housing, transportation, economic stability, employment, education access and quality, childcare and family relationship needs, and environmental and physical safety.(d) Social care information means both of the following regarding an individual:(1) Any information, in any form, that relates to the need for, payment for, or provision of, social care to the individual.(2) The individuals personal information, as that term is defined in subdivision (v) of Section 1798.140 of the Civil Code.61. (a) A participating entity shall not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, social care information stored in or transmitted through a closed-loop referral system in exchange for monetary or other valuable consideration.(b) A participating entity shall not use social care information stored in, or transmitted through, a closed-loop referral system for any purpose or purposes other than the purpose or purposes for which that social care information was collected or generated, except as required by federal law or as authorized or required by state law.
PART 2.8. Social Care Data Privacy60. For purposes of this part, all of the following definitions apply:(a) Closed-loop referral system or CLRS means a technology platform or network that does all of the following:(1) Stores the social care information of one or more individuals.(2) Enables the sharing of social care information with and between participating entities for the purpose of referring individuals for social care.(3) Provides information to participating entities regarding the progress and outcomes of referrals for social care.(b) Participating entity means an entity that meets all of the following:(1) Provides social care or refers individuals for social care, including, but not limited to, a public agency, nonprofit organization, charitable organization, provider of health care, health care service plan, or CLRS technology vendor.(2) Has the ability to create, receive, or update social care information in a CLRS.(3) Has the ability to create, receive, or update referrals for social care in a CLRS.(c) Social care means care, services, goods, or supplies related to an individuals social needs. Social care includes, but is not limited to, support and assistance for an individuals food stability and nutritional needs, housing, transportation, economic stability, employment, education access and quality, childcare and family relationship needs, and environmental and physical safety.(d) Social care information means both of the following regarding an individual:(1) Any information, in any form, that relates to the need for, payment for, or provision of, social care to the individual.(2) The individuals personal information, as that term is defined in subdivision (v) of Section 1798.140 of the Civil Code.61. (a) A participating entity shall not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, social care information stored in or transmitted through a closed-loop referral system in exchange for monetary or other valuable consideration.(b) A participating entity shall not use social care information stored in, or transmitted through, a closed-loop referral system for any purpose or purposes other than the purpose or purposes for which that social care information was collected or generated, except as required by federal law or as authorized or required by state law.
PART 2.8. Social Care Data Privacy
PART 2.8. Social Care Data Privacy
60. For purposes of this part, all of the following definitions apply:(a) Closed-loop referral system or CLRS means a technology platform or network that does all of the following:(1) Stores the social care information of one or more individuals.(2) Enables the sharing of social care information with and between participating entities for the purpose of referring individuals for social care.(3) Provides information to participating entities regarding the progress and outcomes of referrals for social care.(b) Participating entity means an entity that meets all of the following:(1) Provides social care or refers individuals for social care, including, but not limited to, a public agency, nonprofit organization, charitable organization, provider of health care, health care service plan, or CLRS technology vendor.(2) Has the ability to create, receive, or update social care information in a CLRS.(3) Has the ability to create, receive, or update referrals for social care in a CLRS.(c) Social care means care, services, goods, or supplies related to an individuals social needs. Social care includes, but is not limited to, support and assistance for an individuals food stability and nutritional needs, housing, transportation, economic stability, employment, education access and quality, childcare and family relationship needs, and environmental and physical safety.(d) Social care information means both of the following regarding an individual:(1) Any information, in any form, that relates to the need for, payment for, or provision of, social care to the individual.(2) The individuals personal information, as that term is defined in subdivision (v) of Section 1798.140 of the Civil Code.
60. For purposes of this part, all of the following definitions apply:
(a) Closed-loop referral system or CLRS means a technology platform or network that does all of the following:
(1) Stores the social care information of one or more individuals.
(2) Enables the sharing of social care information with and between participating entities for the purpose of referring individuals for social care.
(3) Provides information to participating entities regarding the progress and outcomes of referrals for social care.
(b) Participating entity means an entity that meets all of the following:
(1) Provides social care or refers individuals for social care, including, but not limited to, a public agency, nonprofit organization, charitable organization, provider of health care, health care service plan, or CLRS technology vendor.
(2) Has the ability to create, receive, or update social care information in a CLRS.
(3) Has the ability to create, receive, or update referrals for social care in a CLRS.
(c) Social care means care, services, goods, or supplies related to an individuals social needs. Social care includes, but is not limited to, support and assistance for an individuals food stability and nutritional needs, housing, transportation, economic stability, employment, education access and quality, childcare and family relationship needs, and environmental and physical safety.
(d) Social care information means both of the following regarding an individual:
(1) Any information, in any form, that relates to the need for, payment for, or provision of, social care to the individual.
(2) The individuals personal information, as that term is defined in subdivision (v) of Section 1798.140 of the Civil Code.
61. (a) A participating entity shall not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, social care information stored in or transmitted through a closed-loop referral system in exchange for monetary or other valuable consideration.(b) A participating entity shall not use social care information stored in, or transmitted through, a closed-loop referral system for any purpose or purposes other than the purpose or purposes for which that social care information was collected or generated, except as required by federal law or as authorized or required by state law.
61. (a) A participating entity shall not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, social care information stored in or transmitted through a closed-loop referral system in exchange for monetary or other valuable consideration.
(b) A participating entity shall not use social care information stored in, or transmitted through, a closed-loop referral system for any purpose or purposes other than the purpose or purposes for which that social care information was collected or generated, except as required by federal law or as authorized or required by state law.
For purposes of this part, all of the following definitions apply:
(a)Closed-loop referral system or CLRS means any system that does all of the following:
(1)Stores an individuals social care information for the purpose of referrals.
(2)Shares its data with a network of entities, including, but not limited to, health care providers, health care service plans, health information exchanges, public agencies, nonprofit organizations, charitable organizations, and other entities that provide social care.
(3)Is capable of updating or showing updated referral activity, including data related to participating organizations closing the loop on referrals, by updating downstream systems.
(b)Individually identifiable social care information means social care information that meets either of the following:
(1)Identifies the individual receiving social care.
(2)There is a reasonable basis to believe that the information can be used to identify the individual receiving social care.
(c)Participating organization means any entity, including, but not limited to, public agencies, nonprofit organizations, charitable organizations, CLRS technology vendors, and other entities that provide social care, that have the ability to create, receive, or update referrals or other social care information in a CLRS, regardless of whether they have entered into contractual agreements with a CLRS vendor.
(d)Social care means care, services, goods, or supplies related to an individuals social needs. Social care includes, but is not limited to, support and assistance for an individuals food stability and nutritional needs, housing, transportation, economic stability, employment, education access and quality, childcare and family relationship needs, and environmental and physical safety.
(e)Social care information means any information, in any form, that relates to the need for, payment for, or provision of, social care.
(a)A participating organization shall not add an individuals personally identifiable information or social care information to a CLRS unless both of the following conditions are met:
(1)The individual consents to its inclusion on each instance of a referral for social care.
(2)The individual retains the right to revoke consent for their information to be in the CLRS at any time.
(b)A participating organization utilizing the CLRS shall not have access to an individuals personally identifiable information or social care information unless one of the following conditions is met:
(1)The individual has been referred to that participating organization for social care.
(2)The individual has consented for that participating organization to access the information.
(c)Participating organizations shall have policies and controls in place defining staff roles necessary for the referral and provision of services and for the purpose of providing care coordination. These policies shall do both of the following:
(1)Provide access to social care information, as necessary, to ensure uninterrupted and efficient delivery of social care and care coordination.
(2)Restrict or prohibit access to social care information by staff, volunteers, and any other individuals who do not need access to complete their duties.
(d)A participating organization shall not condition the provision of social care on consent to share a social care recipients social care information with additional employees, partner organizations, or other parties not necessary for the provision of social care.
(e)A participating organization shall not share or transmit social care information it holds with a third party unless both of the following conditions are met:
(1)The individual consents through an active opt-in consent for the participating organization to share or transmit the information.
(2)(A)The third party is required to meet the same privacy and security obligations as the participating organization under this part.
(B)If the third party is not a participating organization under this part, a participating organization may ensure the third party meets these requirements through contractual provisions. A participating organization shall exercise reasonable oversight and take reasonable actions to ensure compliance with the contractual obligations.
(f)A participating organization shall not sell or license individually identifiable social care information without explicit written consent of the individual. For the purposes of this subdivision, simply checking a box or radio button on an internet website does not constitute explicit written consent.
(a)Nothing in this act shall be construed to supersede or preempt the applicability of any of the following:
(1)Health Insurance Portability and Accountability Act of 1996 (HIPAA)(Public Law 104-191).
(2)Family Educational Rights and Privacy Act of 1974 (FERPA)(20 U.S.C. Sec 1232g).
(3)Financial records covered by the Gramm-Leach-Bliley Act (Public Law 106-102).
(4)Confidentiality of Medical Information Act (CMIA)(Part 2.6 (commencing with Section 56)).
(5)The California Consumer Privacy Act of 2018 (Title 1.81.5 (commencing with Section 1798.100) of Part 4 of Division 3) and the California Privacy Rights Act of 2020, approved by the voters as Proposition 24 at the November 3, 2020, statewide general election.
(b)(1)Nothing in this part shall be construed as superseding, preempting, or altering rights and protections afforded under HIPAA or CMIA, or affecting the obligations of covered entities under HIPAA or CMIA regulations.
(2)No provisions in this part relating to social care information apply to or alter the status of information considered protected health information (PHI) under HIPAA or information considered medical information under CMIA. Nothing in this part shall be construed as affecting the ability of HIPAA-covered entities to access, use, transmit, receive, or maintain PHI. Nothing in this part shall be construed as affecting the ability of authorized recipients under CMIA to access, use, transmit, receive, or maintain medical information.
(3)Social care information created or received by a HIPAA-covered entity that meets the definition of protected health information under HIPAA shall always be handled in accordance with HIPAA and all related regulations.