PRINTER'S NO. 1286
THE GENERAL ASSEMBLY OF PENNSYLVANIA
SENATE BILL No. 1020
Session of 2015
INTRODUCED BY McILHINNEY, FONTANA, VANCE, ALLOWAY, TARTAGLIONE,
VULAKOVICH, RAFFERTY, DINNIMAN, BROOKS AND MENSCH,
SEPTEMBER 29, 2015
REFERRED TO BANKING AND INSURANCE, SEPTEMBER 29, 2015
AN ACT
Providing for health insurance computerized records security;
and imposing a penalty.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. Short title.
This act shall be known and may be cited as the Health
Insurance Computerized Records Security Act.
Section 2. Definitions.
The following words and phrases when used in this act shall
have the meanings given to them in this section unless the
context clearly indicates otherwise:
"Computer." An electronic, magnetic, optical,
electrochemical or other high speed data processing device or
another similar device capable of executing a computer program,
including arithmetic, logic, memory, data storage or input-
output operations. The term includes computer equipment
connected to a device, computer system or computer network.
"Computer equipment." Any equipment or device, including all
input, output, processing, storage, software or communications
facilities, intended to interface with a computer.
"Computer network." The interconnection of communication
lines, including microwave or other means of electronic
communication, with a computer through remote terminals or a
complex consisting of two or more interconnected computers.
"Computer program." A series of instructions or statements
executable on a computer, which directs the computer system to
produce a desired result.
"Computer software." A set of computer programs, data,
procedures and associated documentation involving the operation
of a computer system.
"Computer system." A set of interconnected computer
equipment intended to operate as a cohesive system.
"Computerized record." A record which is recorded or
preserved on a computer, computer equipment, computer network,
computer program, computer software or computer system.
"End user computer system." A computer system that is
designed to allow end users to access computerized information,
computer software, computer programs or computer networks. The
term includes a desktop computer, laptop computer, tablet or
other mobile device or removable media.
"Health benefits plan." A benefits plan which pays or
provides hospital and medical expense benefits for covered
services and is delivered or issued for delivery in this
Commonwealth by or through an insurer. The term includes
Medicare supplement coverage and risk contracts to the extent
not otherwise prohibited by Federal law. The term does not
include the following plans, policies or contracts:
20150SB1020PN1286 - 2 -
(1) Fixed indemnity.
(2) Limited benefit.
(3) Credit.
(4) Dental.
(5) Vision.
(6) Specified disease.
(7) Medicare supplemental.
(8) Civilian Health and Medical Program of the Uniformed
Services (CHAMPUS) supplement.
(9) Long-term care.
(10) Disability income.
(11) Workers' compensation.
(12) Automobile medical payment.
"Identifiable health information." Individually identifiable
health information as defined in 45 CFR 160.103 (relating to
definitions).
"Insurer." An entity subject to any of the following:
(1) The act of May 17, 1921 (P.L.682, No.284), known as
The Insurance Company Law of 1921, including a society as
defined in section 2402 of the Insurance Company Law of 1921.
(2) The act of December 29, 1972 (P.L.1701, No.364),
known as the Health Maintenance Organization Act.
(3) 40 Pa.C.S. Ch. 61 (relating to hospital plan
corporations) or 63 (relating to professional health services
plan corporations).
"Personal information." An individual's first name or first
initial and last name linked with one or more of the following
data elements:
(1) Social Security number.
(2) Driver's license number or State identification card
number.
(3) Address.
(4) Identifiable health information.
The term includes dissociated data that, if linked, would
constitute personal information if the means to link the
dissociated data were accessed in connection with access to the
dissociated data.
"Public network." A network to which anyone, including the
general public, has access and through which a person can
connect to other networks or the Internet.
"Record." Any material, regardless of the physical form, on
which information is recorded or preserved by any means,
including written or spoken words, graphically depicted,
printed, or electromagnetically transmitted. The term does not
include publicly available directories containing information an
individual has voluntarily consented to have publicly
disseminated or listed.
Section 3. Security.
An insurer that offers, issues or renews a health benefits
plan in this Commonwealth may not compile or maintain
computerized records that include personal information, unless
the information is secured by encryption or by any other method
of technology rendering the information unreadable,
undecipherable or otherwise unusable by an unauthorized person.
Compliance with this section requires more than the use of a
password protection computer program which only prevents general
unauthorized access to the personal information.
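The distinction section 3 draws is worth seeing in code. The following Go program is an added illustration, not part of the bill or of any insurer's system; the record, the password and the key are constructed for the demo. It contrasts a store that only checks a password before returning a record (the "password protection computer program" the section says is not enough, because the bytes on disk or on the wire are still plaintext) with a store that encrypts the record with AES-256-GCM, so the persisted bytes are unreadable without the key and any modification is detected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
)

// Record is a constructed "computerized record" holding "personal information"
// in the act's sense: a name linked to an SSN and an address.
type Record struct {
	Name    string `json:"name"`
	SSN     string `json:"ssn"`
	Address string `json:"address"`
}

// PasswordGatedStore models what section 3 says is NOT sufficient: the program
// checks a password before handing the record back, but the bytes it persists
// or transmits are plaintext, so reading the storage or the wire directly
// bypasses the check entirely.
type PasswordGatedStore struct {
	pwHash [32]byte
	raw    []byte
}

func NewPasswordGatedStore(password string, r Record) (*PasswordGatedStore, error) {
	b, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	return &PasswordGatedStore{pwHash: sha256.Sum256([]byte(password)), raw: b}, nil
}

func (s *PasswordGatedStore) Read(password string) (Record, error) {
	h := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(h[:], s.pwHash[:]) != 1 {
		return Record{}, errors.New("wrong password")
	}
	var r Record
	return r, json.Unmarshal(s.raw, &r)
}

// RawBytes returns the stored bytes exactly as someone with disk or network
// access would see them (the slice aliases the store's buffer).
func (s *PasswordGatedStore) RawBytes() []byte { return s.raw }

// EncryptedStore renders the record "unreadable, undecipherable or otherwise
// unusable" without the key. AES-256-GCM is an authenticated mode, so a
// modified ciphertext fails to decrypt instead of yielding garbage.
type EncryptedStore struct {
	raw []byte // nonce || ciphertext || GCM tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewEncryptedStore(key []byte, r Record) (*EncryptedStore, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per record
		return nil, err
	}
	return &EncryptedStore{raw: aead.Seal(nonce, nonce, pt, nil)}, nil
}

func (s *EncryptedStore) Read(key []byte) (Record, error) {
	aead, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	ns := aead.NonceSize()
	if len(s.raw) < ns+aead.Overhead() {
		return Record{}, errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, s.raw[:ns], s.raw[ns:], nil)
	if err != nil {
		return Record{}, err // wrong key and tampered data both fail here
	}
	var r Record
	return r, json.Unmarshal(pt, &r)
}

func (s *EncryptedStore) RawBytes() []byte { return s.raw }

// Exposes reports whether a secret appears verbatim in stored bytes.
func Exposes(raw []byte, secret string) bool { return bytes.Contains(raw, []byte(secret)) }

// RandomKey makes a 32-byte key for the demo; a real deployment would fetch
// it from a KMS or HSM rather than generate it next to the data.
func RandomKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func main() {
	rec := Record{Name: "Jane Doe", SSN: "123-45-6789", Address: "1 Main St"} // constructed
	pg, _ := NewPasswordGatedStore("hunter2", rec)
	key, _ := RandomKey()
	es, _ := NewEncryptedStore(key, rec)
	fmt.Println("password-gated store exposes SSN in stored bytes:", Exposes(pg.RawBytes(), rec.SSN))
	fmt.Println("encrypted store exposes SSN in stored bytes:     ", Exposes(es.RawBytes(), rec.SSN))
}
```

The check that matters for section 3 is `Exposes`: run against the password-gated store's bytes it returns true, because the password only gates the application path, not the storage or the transmission. The encrypted store's bytes never contain the SSN, and `Read` with the wrong key or after a single flipped byte returns an error rather than a record.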
Section 4. Penalty.
Upon satisfactory evidence of a violation of this act by an
insurer, the Insurance Commissioner may impose a fine of not
more than $10,000 for a first violation of this act and a fine
of not more than $20,000 for a second or subsequent violation of
this act.
Section 5. Applicability.
This act shall apply only to end user computer systems and
computerized records transmitted across public networks.
Section 6. Effective date.
This act shall take effect in 180 days.