
S.B. 20

             1      STATE SECURITY STANDARDS FOR PERSONAL
             2      INFORMATION
             3      2013 GENERAL SESSION
             4      STATE OF UTAH
             5      Chief Sponsor: Stuart C. Reid
             6      House Sponsor: Paul Ray

             7     
             8      LONG TITLE
             9      Committee Note:
             10          The Health and Human Services Interim Committee recommended this bill.
             11      General Description:
             12          This bill amends the Medical Assistance Act to require a health care provider to give a
             13      patient notice that some personal identifying information about the patient may be
             14      shared with the state's Medicaid and Children's Health Insurance Program eligibility
             15      database, and amends provisions in the Utah Technology Governance Act related to
             16      statewide security standards for personal information stored or transmitted on state
             17      servers.
             18      Highlighted Provisions:
             19          This bill:
             20          .    beginning July 1, 2013, requires a health care provider who participates in the state
             21      Medicaid program or the Children's Health Insurance Program to include in the
             22      health care provider's notice of privacy practices that the health care provider either
             23      has, or may submit, personally identifiable information about the patient to the
             24      state's Medicaid and Children's Health Insurance Program eligibility database;
             25          .    requires the state Medicaid program and Children's Health Insurance Program,
             26      before giving a provider access to the state's eligibility database, to verify that the
             27      health care provider's notice of privacy practices complies with federal and state


             28      law;
             29          .    gives the Department of Health administrative rulemaking authority to establish
             30      uniform language for the state requirement regarding notice of privacy practices to
             31      patients;
             32          .    amends the Utah Technology Governance Act to require the state's chief
             33      information officer to:
             34              .    in coordination with the governor's office, convene a group of experts to identify
             35      industry best practices for data security standards;
             36              .    incorporate industry best practices for data security standards into the
             37      Department of Technology Services and executive branch agency practices;
             38              .    modify the state's executive branch information technology strategic plan to
             39      incorporate the industry best practices standards as feasible within the
             40      Department of Technology Services or executive branch agency budgets;
             41              .    inform the speaker of the House of Representatives and the president of the
             42      Senate if security standards are not adopted due to budget issues; and
             43              .    conduct an assessment of the Department of Technology Services and executive
             44      branch agency security standards at least once every two years;
             45          .    provides a process in which a state agency that contracts for services from the
             46      Department of Technology Services may enter into an agreement with the
             47      department to audit the security standards implemented by the department; and
             48          .    makes technical and conforming amendments.
             49      Money Appropriated in this Bill:
             50          None
             51      Other Special Clauses:
             52          None
             53      Utah Code Sections Affected:
             54      AMENDS:
             55          63F-1-104, as last amended by Laws of Utah 2011, Chapter 270
             56          63F-1-202, as last amended by Laws of Utah 2010, Chapter 286
             57          63F-1-203, as last amended by Laws of Utah 2011, Chapter 270
             58          63F-1-204, as last amended by Laws of Utah 2008, Chapter 382


             59          63F-1-604, as last amended by Laws of Utah 2011, Chapter 270
             60      ENACTS:
             61          26-18-17, Utah Code Annotated 1953
             62     
             63      Be it enacted by the Legislature of the state of Utah:
             64          Section 1. Section 26-18-17 is enacted to read:
             65          26-18-17. Patient notice of health care provider privacy practices.
             66          (1) (a) For purposes of this section:
             67          (i) "Health care provider" means a health care provider as defined in Section
             68      78B-3-403 who:
             69          (A) receives payment for medical services from the Medicaid program established in
             70      this chapter, or the Children's Health Insurance Program established in Chapter 40, Utah
             71      Children's Health Insurance Act; and
             72          (B) submits a patient's personally identifiable information to the Medicaid eligibility
             73      database or the Children's Health Insurance Program eligibility database.
             74          (ii) "HIPAA" means 45 C.F.R. Parts 160, 162, and 164, Health Insurance Portability
             75      and Accountability Act of 1996, as amended.
             76          (b) Beginning July 1, 2013, this section applies to the Medicaid program, the
             77      Children's Health Insurance Program created in Chapter 40, Utah Children's Health Insurance
             78      Act, and a health care provider.
             79          (2) A health care provider shall, as part of the notice of privacy practices required by
             80      HIPAA, provide notice to the patient or the patient's personal representative that the health care
             81      provider either has, or may submit, personally identifiable information about the patient to the
             82      Medicaid eligibility database and the Children's Health Insurance Program eligibility database.
             83          (3) The Medicaid program and the Children's Health Insurance Program may not give a
             84      health care provider access to the Medicaid eligibility database or the Children's Health
             85      Insurance Program eligibility database unless the health care provider's notice of privacy
             86      practices complies with Subsection (2).
             87          (4) The department may adopt an administrative rule to establish uniform language for
             88      the state requirement regarding notice of privacy practices to patients required under
             89      Subsection (2).


             90          Section 2. Section 63F-1-104 is amended to read:
             91           63F-1-104. Purposes.
             92          The department shall:
             93          (1) lead state executive branch agency efforts to reengineer the state's information
             94      technology architecture with the goal of coordinating central and individual agency information
             95      technology in a manner that:
             96          (a) ensures compliance with the executive branch agency strategic plan; and
             97          (b) ensures that cost-effective, efficient information and communication systems and
             98      resources are being used by agencies to:
             99          (i) reduce data, hardware, and software redundancy;
             100          (ii) improve system interoperability and data accessibility between agencies; and
             101          (iii) meet the agency's and user's business and service needs;
             102          (2) [(a)] coordinate an executive branch strategic plan for all agencies;
             103          [(b)] (3) each year, in coordination with the governor's office, convene a group of
             104      public and private sector information technology and data security experts to identify best
             105      practices from agencies and other public and private sector entities[; and], including best
             106      practices for data and information technology system security standards;
             107          [(c)] (4) develop and implement processes to replicate information technology best
             108      practices and standards identified in Subsection (3), throughout the executive branch;
             109          (5) by December 1, 2014, and at least once every two years thereafter:
             110          (a) evaluate the adequacy of the department's and the executive branch agencies' data
             111      and information technology system security standards through an independent third party
             112      assessment; and
             113          (b) communicate the results of the independent third party assessment to the
             114      appropriate executive branch agencies and to the president of the Senate and the speaker of the
             115      House of Representatives;
             116          [(3)] (6) oversee the expanded use and implementation of project and contract
             117      management principles as they relate to information technology projects within the executive
             118      branch;
             119          [(4)] (7) serve as general contractor between the state's information technology users
             120      and private sector providers of information technology products and services;


             121          [(5)] (8) work toward building stronger partnering relationships with providers;
             122          [(6)] (9) develop service level agreements with executive branch departments and
             123      agencies to ensure quality products and services are delivered on schedule and within budget;
             124          [(7)] (10) develop standards for application development including a standard
             125      methodology and cost-benefit analysis that all agencies shall utilize for application
             126      development activities;
             127          [(8)] (11) determine and implement statewide efforts to standardize data elements and
             128      determine data ownership assignments among executive branch agencies;
             129          [(9)] (12) develop systems and methodologies to review, evaluate, and prioritize
             130      existing information technology projects within the executive branch and report to the governor
             131      and the Public Utilities and Technology Interim Committee on a semiannual basis regarding
             132      the status of information technology projects; and
             133          [(10)] (13) assist the Governor's Office of Planning and Budget with the development
             134      of information technology budgets for agencies.
             135          Section 3. Section 63F-1-202 is amended to read:
             136           63F-1-202. Technology Advisory Board -- Membership -- Duties.
             137          (1) There is created the Technology Advisory Board to the chief information officer.
             138      The board shall have seven members as follows:
             139          (a) three members appointed by the governor who are individuals actively involved in
             140      business planning for state agencies;
             141          (b) one member appointed by the governor who is actively involved in business
             142      planning for higher education or public education;
             143          (c) one member appointed by the speaker of the House of Representatives and
             144      president of the Senate from the Legislative Automation Committee of the Legislature to
             145      represent the legislative branch;
             146          (d) one member appointed by the Judicial Council to represent the judicial branch; and
             147          (e) one member appointed by the governor who represents private sector business
             148      needs in the state, but who is not an information technology vendor for the state.
             149          (2) (a) The members of the advisory board shall elect a chair from the board by
             150      majority vote.
             151          (b) The department shall provide staff to the board.


             152          (c) (i) A majority of the members of the board constitutes a quorum.
             153          (ii) Action by a majority of a quorum of the board constitutes an action of the board.
             154          (3) The board shall meet as necessary to advise the chief information officer and assist
             155      the chief information officer and executive branch agencies in coming to consensus on:
             156          (a) the development and implementation of the state's information technology strategic
             157      plan;
             158          (b) critical information technology initiatives for the state;
             159          (c) the development of standards for state information architecture;
             160          (d) identification of the business and technical needs of state agencies;
             161          (e) the department's performance measures for service agreements with executive
             162      branch agencies and subscribers of services, including a process in which an executive branch
             163      agency may review the department's implementation of and compliance with an executive
             164      branch agency's data security requirements; and
             165          (f) the efficient and effective operation of the department.
             166          (4) A member may not receive compensation or benefits for the member's service, but
             167      may receive per diem and travel expenses in accordance with:
             168          (a) Section 63A-3-106;
             169          (b) Section 63A-3-107; and
             170          (c) rules made by the Division of Finance pursuant to Sections 63A-3-106 and
             171      63A-3-107.
             172          Section 4. Section 63F-1-203 is amended to read:
             173           63F-1-203. Executive branch information technology strategic plan.
             174          (1) In accordance with this section, the chief information officer shall prepare an
             175      executive branch information technology strategic plan:
             176          (a) that complies with this chapter; and
             177          (b) which shall include:
             178          (i) a strategic plan for the:
             179          (A) interchange of information related to information technology between executive
             180      branch agencies;
             181          (B) coordination between executive branch agencies in the development and
             182      maintenance of information technology and information systems, including the coordination of


             183      agency information technology plans described in Section 63F-1-204; and
             184          (C) protection of the privacy of individuals who use state information technology or
             185      information systems, including the implementation of industry best practices for data and
             186      system security that are identified in Subsection 63F-1-104(3);
             187          (ii) priorities for the development and implementation of information technology or
             188      information systems including priorities determined on the basis of:
             189          (A) the importance of the information technology or information system; and
             190          (B) the time sequencing of the information technology or information system; and
             191          (iii) maximizing the use of existing state information technology resources.
             192          (2) In the development of the executive branch strategic plan, the chief information
             193      officer shall consult with:
             194          (a) all cabinet level officials [and];
             195          (b) the advisory board created in Section 63F-1-202 [.]; and
             196          (c) the group convened in accordance with Subsection 63F-1-104(3).
             197          (3) (a) Unless withdrawn by the chief information officer or the governor in accordance
             198      with Subsection (3)(b), the executive branch strategic plan takes effect 30 days after the day on
             199      which the executive branch strategic plan is submitted to:
             200          (i) the governor; and
             201          (ii) the Public Utilities and Technology Interim Committee.
             202          (b) The chief information officer or the governor may withdraw the executive branch
             203      strategic plan submitted under Subsection (3)(a) if the governor or chief information officer
             204      determines that the executive branch strategic plan:
             205          (i) should be modified; or
             206          (ii) for any other reason should not take effect.
             207          (c) The Public Utilities and Technology Interim Committee may make
             208      recommendations to the governor and to the chief information officer if the commission
             209      determines that the executive branch strategic plan should be modified or for any other reason
             210      should not take effect.
             211          (d) Modifications adopted by the chief information officer shall be resubmitted to the
             212      governor and the Public Utilities and Technology Interim Committee for their review or
             213      approval as provided in Subsections (3)(a) and (b).


             214          (4) (a) The chief information officer shall, on or before January 1, 2014, and each year
             215      thereafter, modify the executive branch information technology strategic plan to incorporate
             216      security standards that:
             217          (i) are identified as industry best practices in accordance with Subsections
             218      63F-1-104(3) and (4); and
             219          (ii) can be implemented within the budget of the department or the executive branch
             220      agencies.
             221          (b) The chief information officer shall inform the speaker of the House of
             222      Representatives and the president of the Senate on or before January 1 of each year if best
             223      practices identified in Subsection (4)(a)(i) are not adopted due to budget issues considered
             224      under Subsection (4)(a)(ii).
             225          [(4)] (5) The executive branch strategic plan is to be implemented by executive branch
             226      agencies through each executive branch agency adopting an agency information technology
             227      plan in accordance with Section 63F-1-204.
             228          Section 5. Section 63F-1-204 is amended to read:
             229           63F-1-204. Agency information technology plans.
             230          (1) (a) By July 1 of each year, each executive branch agency shall submit an agency
             231      information technology plan to the chief information officer at the department level, unless the
             232      governor or the chief information officer request an information technology plan be submitted
             233      by a subunit of a department, or by an executive branch agency other than a department.
             234          (b) The information technology plans required by this section shall be in the form and
             235      level of detail required by the chief information officer, by administrative rule adopted in
             236      accordance with Section 63F-1-206, and shall include, at least:
             237          (i) the information technology objectives of the agency;
             238          (ii) any performance measures used by the agency for implementing the agency's
             239      information technology objectives;
             240          (iii) any planned expenditures related to information technology;
             241          (iv) the agency's need for appropriations for information technology;
             242          (v) how the agency's development of information technology coordinates with other
             243      state and local governmental entities;
             244          (vi) any efforts the agency has taken to develop public and private partnerships to


             245      accomplish the information technology objectives of the agency; [and]
             246          (vii) the efforts the executive branch agency has taken to conduct transactions
             247      electronically in compliance with Section 46-4-503 [.]; and
             248          (viii) the executive branch agency's plan for the timing and method of verifying the
             249      department's security standards, if an agency intends to verify the department's security
             250      standards for the data that the agency maintains or transmits through the department's servers.
             251          (2) (a) Except as provided in Subsection (2)(b), an agency information technology plan
             252      described in Subsection (1) shall comply with the executive branch strategic plan established in
             253      accordance with Section 63F-1-203.
             254          (b) If the executive branch agency submitting the agency information technology plan
             255      justifies the need to depart from the executive branch strategic plan, an agency information
             256      technology plan may depart from the executive branch strategic plan to the extent approved by
             257      the chief information officer.
             258          (3) (a) On receipt of a state agency information technology plan, the chief information
             259      officer shall forward a complete copy of the agency information technology plan to the
             260      Division of Enterprise Technology created in Section 63F-1-401 and the Division of Integrated
             261      Technology created in Section 63F-1-501.
             262          (b) The divisions shall provide the chief information officer a written analysis of each
             263      agency plan submitted in accordance with [Sections] Subsections 63F-1-404(14) and
             264      63F-1-504(3).
             265          (4) (a) The chief information officer shall review each agency plan to determine:
             266          (i) (A) whether the agency plan complies with the executive branch strategic plan and
             267      state information architecture; or
             268          (B) to the extent that the agency plan does not comply with the executive branch
             269      strategic plan or state information architecture, whether the executive branch entity is justified
             270      in departing from the executive branch strategic plan, or state information architecture; and
             271          (ii) whether the agency plan meets the information technology and other needs of:
             272          (A) the executive branch agency submitting the plan; and
             273          (B) the state.
             274          (b) In conducting the review required by Subsection (4)(a), the chief information
             275      officer shall consider the analysis submitted by the divisions under Subsection (3).


             276          (5) After the chief information officer conducts the review described in Subsection (4)
             277      of an agency information technology plan, the chief information officer may:
             278          (a) approve the agency information technology plan;
             279          (b) disapprove the agency information technology plan; or
             280          (c) recommend modifications to the agency information technology plan.
             281          (6) An executive branch agency or the department may not submit a request for
             282      appropriation related to information technology or an information technology system to the
             283      governor in accordance with Section 63J-1-201 until after the executive branch agency's
             284      information technology plan is approved by the chief information officer.
             285          Section 6. Section 63F-1-604 is amended to read:
             286           63F-1-604. Duties of the division.
             287          The division shall:
             288          (1) be responsible for providing support to executive branch agencies for an agency's
             289      information technology assets and functions that are unique to the executive branch agency and
             290      are mission critical functions of the agency;
             291          (2) conduct audits of an executive branch agency when requested under the provisions
             292      of Section 63F-1-208;
             293          (3) conduct cost-benefit analysis of delegating a department function to an agency in
             294      accordance with Section 63F-1-208;
             295          (4) provide in-house information technology staff support to executive branch
             296      agencies;
             297          (5) establish accountability and performance measures for the division to assure that
             298      the division is:
             299          (a) meeting the business and service needs of the state and individual executive branch
             300      agencies; and
             301          (b) implementing security standards in accordance with Subsection 63F-1-203(4);
             302          (6) establish a committee composed of agency user groups for the purpose of
             303      coordinating department services with agency needs;
             304          (7) assist executive branch agencies in complying with the requirements of any rule
             305      adopted by the chief information officer; and
             306          (8) by July 1, [2006] 2013, and each July 1 thereafter, report to the Public Utilities and


             307      Technology Interim Committee on the performance measures used by the division under
             308      Subsection (5) and the results.




Legislative Review Note
    as of 11-15-12 8:20 AM


Office of Legislative Research and General Counsel

