100509.
(a) (1) Where the Exchange creates or collects personally identifiable information for the purpose of determining eligibility for enrollment in a qualified health plan, determining eligibility for other insurance affordability programs, as defined in Section 155.20 of Title 45 of the Code of Federal Regulations, or determining eligibility for exemptions from the individual responsibility provisions in Section 5000A of the federal Internal Revenue Code, the Exchange may only use or disclose the information to the extent necessary to carry out the functions described in Section 155.200 of Title 45 of the Code of Federal Regulations or to carry out the functions not described in Section 155.200 of Title 45 of the Code of Federal Regulations that satisfy Section 155.260(a)(1)(ii) or (iii) of Title 45 of the Code of Federal Regulations.
(2) The Exchange shall not create, collect, use, or disclose personally identifiable information unless the creation, collection, use, or disclosure is consistent with Section 155.260 of Title 45 of the Code of Federal Regulations.
(3) The Exchange shall establish and implement privacy and security standards that are consistent with the principles listed in Section 155.260(a)(3) of Title 45 of the Code of Federal Regulations.
(4) For purposes of this subdivision, “Exchange” includes a member of the board or staff of the Exchange.
(b) Prior to becoming a non-Exchange entity, the Exchange shall execute a contract with the entity that includes all of the following:
(1) A description of the functions to be performed by the non-Exchange entity.
(2) A provision requiring the non-Exchange entity to comply with the privacy and security standards adopted by the Exchange pursuant to subdivision (c), and specifically listing or incorporating those standards.
(3) A provision requiring the non-Exchange entity to monitor, periodically assess, and update its security controls and related system risks to ensure the continued effectiveness of those controls in accordance with Section 155.260(a)(5) of Title 45 of the Code of Federal Regulations.
(4) A provision requiring the non-Exchange entity to inform the Exchange of any change in its administrative, technical, or operational environments defined as material within the contract.
(5) A provision that requires the non-Exchange entity to bind any downstream entities to the same privacy and security standards and obligations to which the non-Exchange entity has agreed in its contract or agreement with the Exchange under paragraph (2).
(c) When the collection, use, or disclosure of personally identifiable information is not otherwise required by law, the privacy and security standards to which the Exchange shall bind a non-Exchange entity shall meet all of the following requirements:
(1) Be consistent with the principles and requirements listed in Section 155.260(a)(1) to (6), inclusive, of Title 45 of the Code of Federal Regulations.
(2) Comply with Section 155.260(c), (d), (f), and (g) of Title 45 of the Code of Federal Regulations.
(3) Take into consideration all of the following:
(A) The environment in which the non-Exchange entity is operating.
(B) Whether the standards are relevant and applicable to the non-Exchange entity’s duties and activities in connection with the Exchange.
(C) Any existing legal requirements to which the non-Exchange entity is bound in relation to its administrative, technical, and operational controls and practices, including, but not limited to, its existing data handling and information technology processes and protocols.
(d) A contractor, subcontractor, volunteer, or vendor of the Exchange who gains access to personally identifiable information in the course of fulfilling his, her, or its duties as a contractor, subcontractor, volunteer, or vendor of the Exchange shall not use or disclose that information other than to the extent necessary to carry out those duties. This subdivision shall not apply to a contractor, subcontractor, volunteer, or vendor of the Exchange who is a covered entity under the federal Health Insurance Portability and Accountability Act and the regulations issued pursuant to Part C of that act (45 C.F.R. Parts 160 and 164), provided that the contractor, subcontractor, volunteer, or vendor otherwise complies with those federal laws and any other requirements applicable to the contractor, subcontractor, volunteer, or vendor pursuant to this section.
(e) This section does not apply when the use or disclosure of personally identifiable information is otherwise compelled by judicial or administrative process or by any other provision of law, except as otherwise provided in the federal act.
(f) Where the Exchange or a non-Exchange entity has access to federal tax return information, that information shall be kept confidential and disclosed, used, and maintained only in accordance with Section 6103 of the federal Internal Revenue Code.
(g) An individual or entity who knowingly and willfully violates subdivision (a) or (d) shall be subject to a civil penalty of not more than twenty-five thousand dollars ($25,000) per individual or entity, per use or disclosure, in addition to any other penalties prescribed by law.
(h) For purposes of this section, the following definitions shall apply:
(1) “Non-Exchange entity” means an individual or entity that does either of the following:
(A) Gains access to personally identifiable information submitted to the Exchange.
(B) Collects, uses, or discloses personally identifiable information gathered directly from applicants, qualified individuals, or enrollees while that individual or entity is performing functions agreed to with the Exchange.
(2) “Personally identifiable information” means information that includes or contains any element of personal identifying information sufficient to allow identification of the individual, including, but not limited to, the individual’s name, address, electronic mail address, telephone number, social security number, credit card number, place or date of birth, biometric records, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity.