Download Zipped Introduced WordPerfect SB0020.ZIP
[Status][Bill Documents][Fiscal Note][Bills Directory]
8 LONG TITLE
9 Committee Note:
10 The Health and Human Services Interim Committee recommended this bill.
11 General Description:
12 This bill amends the Medical Assistance Act to require a health care provider to give a
13 patient notice that some personal identifying information about the patient may be
14 shared with the state's Medicaid and Children's Health Insurance Program eligibility
15 database, and amends provisions in the Utah Technology Governance Act related to
16 statewide security standards for personal information stored or transmitted on state
18 Highlighted Provisions:
19 This bill:
20 . beginning July 1, 2013, requires a health care provider who participates in the state
21 Medicaid program or the Children's Health Insurance Program to include in the
22 health care provider's notice of privacy practices that the health care provider either
23 has, or may submit, personally identifiable information about the patient to the
24 state's Medicaid and Children's Health Insurance Program eligibility database;
25 . requires the state Medicaid program and Children's Health Insurance Program,
26 before giving a provider access to the state's eligibility database, to verify that the
27 health care provider's notice of privacy practices complies with federal and state
29 . gives the Department of Health administrative rulemaking authority to establish
30 uniform language for the state requirement regarding notice of privacy practices to
32 . amends the Utah Technology Governance Act to require the state's chief
33 information officer to:
34 . in coordination with the governor's office, convene a group of experts to identify
35 industry best practices for data security standards;
36 . incorporate industry best practices for data security standards into the
37 Department of Technology Services and executive branch agency practices;
38 . modify the state's executive branch information technology strategic plan to
39 incorporate the industry best practices standards as feasible within the
40 Department of Technology Services or executive branch agency budgets;
41 . inform the speaker of the House of Representatives and the president of the
42 Senate if security standards are not adopted due to budget issues; and
43 . conduct an assessment of the Department of Technology Services and executive
44 branch agency security standards at least once every two years;
45 . provides a process in which a state agency that contracts for services from the
46 Department of Technology Services may enter into an agreement with the
47 department to audit the security standards implemented by the department; and
48 . makes technical and conforming amendments.
49 Money Appropriated in this Bill:
51 Other Special Clauses:
53 Utah Code Sections Affected:
55 63F-1-104, as last amended by Laws of Utah 2011, Chapter 270
56 63F-1-202, as last amended by Laws of Utah 2010, Chapter 286
57 63F-1-203, as last amended by Laws of Utah 2011, Chapter 270
58 63F-1-204, as last amended by Laws of Utah 2008, Chapter 382
59 63F-1-604, as last amended by Laws of Utah 2011, Chapter 270
61 26-18-17, Utah Code Annotated 1953
63 Be it enacted by the Legislature of the state of Utah:
64 Section 1. Section 26-18-17 is enacted to read:
65 26-18-17. Patient notice of health care provider privacy practices.
66 (1) (a) For purposes of this section:
67 (i) "Health care provider" means a health care provider as defined in Section
68 78B-3-403 who:
69 (A) receives payment for medical services from the Medicaid program established in
70 this chapter, or the Children's Health Insurance Program established in Chapter 40, Utah
71 Children's Health Insurance Act; and
72 (B) submits a patient's personally identifiable information to the Medicaid eligibility
73 database or the Children's Health Insurance Program eligibility database.
74 (ii) "HIPAA" means 45 C.F.R. Parts 160, 162, and 164, Health Insurance Portability
75 and Accountability Act of 1996, as amended.
76 (b) Beginning July 1, 2013, this section applies to the Medicaid program, the
77 Children's Health Insurance Program created in Chapter 40, Utah Children's Health Insurance
78 Act, and a health care provider.
79 (2) A health care provider shall, as part of the notice of privacy practices required by
80 HIPAA, provide notice to the patient or the patient's personal representative that the health care
81 provider either has, or may submit, personally identifiable information about the patient to the
82 Medicaid eligibility database and the Children's Health Insurance Program eligibility database.
83 (3) The Medicaid program and the Children's Health Insurance Program may not give a
84 health care provider access to the Medicaid eligibility database or the Children's Health
85 Insurance Program eligibility database unless the health care provider's notice of privacy
86 practices complies with Subsection (2).
87 (4) The department may adopt an administrative rule to establish uniform language for
88 the state requirement regarding notice of privacy practices to patients required under
89 Subsection (2).
90 Section 2. Section 63F-1-104 is amended to read:
91 63F-1-104. Purposes.
92 The department shall:
93 (1) lead state executive branch agency efforts to reengineer the state's information
94 technology architecture with the goal of coordinating central and individual agency information
95 technology in a manner that:
96 (a) ensures compliance with the executive branch agency strategic plan; and
97 (b) ensures that cost-effective, efficient information and communication systems and
98 resources are being used by agencies to:
99 (i) reduce data, hardware, and software redundancy;
100 (ii) improve system interoperability and data accessibility between agencies; and
101 (iii) meet the agency's and user's business and service needs;
102 (2) [
104 public and private sector information technology and data security experts to identify best
105 practices from agencies and other public and private sector entities[
106 practices for data and information technology system security standards;
108 practices and standards identified in Subsection (3), throughout the executive branch;
109 (5) by December 1, 2014, and at least once every two years thereafter:
110 (a) evaluate the adequacy of the department's and the executive branch agencies' data
111 and information technology system security standards through an independent third party
112 assessment; and
113 (b) communicate the results of the independent third party assessment to the
114 appropriate executive branch agencies and to the president of the Senate and the speaker of the
115 House of Representatives;
117 management principles as they relate to information technology projects within the executive
120 and private sector providers of information technology products and services;
123 agencies to ensure quality products and services are delivered on schedule and within budget;
125 methodology and cost-benefit analysis that all agencies shall utilize for application
126 development activities;
128 determine data ownership assignments among executive branch agencies;
130 existing information technology projects within the executive branch and report to the governor
131 and the Public Utilities and Technology Interim Committee on a semiannual basis regarding
132 the status of information technology projects; and
134 of information technology budgets for agencies.
135 Section 3. Section 63F-1-202 is amended to read:
136 63F-1-202. Technology Advisory Board -- Membership -- Duties.
137 (1) There is created the Technology Advisory Board to the chief information officer.
138 The board shall have seven members as follows:
139 (a) three members appointed by the governor who are individuals actively involved in
140 business planning for state agencies;
141 (b) one member appointed by the governor who is actively involved in business
142 planning for higher education or public education;
143 (c) one member appointed by the speaker of the House of Representatives and
144 president of the Senate from the Legislative Automation Committee of the Legislature to
145 represent the legislative branch;
146 (d) one member appointed by the Judicial Council to represent the judicial branch; and
147 (e) one member appointed by the governor who represents private sector business
148 needs in the state, but who is not an information technology vendor for the state.
149 (2) (a) The members of the advisory board shall elect a chair from the board by
150 majority vote.
151 (b) The department shall provide staff to the board.
152 (c) (i) A majority of the members of the board constitutes a quorum.
153 (ii) Action by a majority of a quorum of the board constitutes an action of the board.
154 (3) The board shall meet as necessary to advise the chief information officer and assist
155 the chief information officer and executive branch agencies in coming to consensus on:
156 (a) the development and implementation of the state's information technology strategic
158 (b) critical information technology initiatives for the state;
159 (c) the development of standards for state information architecture;
160 (d) identification of the business and technical needs of state agencies;
161 (e) the department's performance measures for service agreements with executive
162 branch agencies and subscribers of services, including a process in which an executive branch
163 agency may review the department's implementation of and compliance with an executive
164 branch agency's data security requirements; and
165 (f) the efficient and effective operation of the department.
166 (4) A member may not receive compensation or benefits for the member's service, but
167 may receive per diem and travel expenses in accordance with:
168 (a) Section 63A-3-106 ;
169 (b) Section 63A-3-107 ; and
170 (c) rules made by the Division of Finance pursuant to Sections 63A-3-106 and
171 63A-3-107 .
172 Section 4. Section 63F-1-203 is amended to read:
173 63F-1-203. Executive branch information technology strategic plan.
174 (1) In accordance with this section, the chief information officer shall prepare an
175 executive branch information technology strategic plan:
176 (a) that complies with this chapter; and
177 (b) which shall include:
178 (i) a strategic plan for the:
179 (A) interchange of information related to information technology between executive
180 branch agencies;
181 (B) coordination between executive branch agencies in the development and
182 maintenance of information technology and information systems, including the coordination of
183 agency information technology plans described in Section 63F-1-204 ; and
184 (C) protection of the privacy of individuals who use state information technology or
185 information systems, including the implementation of industry best practices for data and
186 system security that are identified in Subsection 63F-1-104 (3);
187 (ii) priorities for the development and implementation of information technology or
188 information systems including priorities determined on the basis of:
189 (A) the importance of the information technology or information system; and
190 (B) the time sequencing of the information technology or information system; and
191 (iii) maximizing the use of existing state information technology resources.
192 (2) In the development of the executive branch strategic plan, the chief information
193 officer shall consult with:
194 (a) all cabinet level officials [
195 (b) the advisory board created in Section 63F-1-202 [
196 (c) the group convened in accordance with Subsection 63F-1-104 (3).
197 (3) (a) Unless withdrawn by the chief information officer or the governor in accordance
198 with Subsection (3)(b), the executive branch strategic plan takes effect 30 days after the day on
199 which the executive branch strategic plan is submitted to:
200 (i) the governor; and
201 (ii) the Public Utilities and Technology Interim Committee.
202 (b) The chief information officer or the governor may withdraw the executive branch
203 strategic plan submitted under Subsection (3)(a) if the governor or chief information officer
204 determines that the executive branch strategic plan:
205 (i) should be modified; or
206 (ii) for any other reason should not take effect.
207 (c) The Public Utilities and Technology Interim Committee may make
208 recommendations to the governor and to the chief information officer if the commission
209 determines that the executive branch strategic plan should be modified or for any other reason
210 should not take effect.
211 (d) Modifications adopted by the chief information officer shall be resubmitted to the
212 governor and the Public Utilities and Technology Interim Committee for their review or
213 approval as provided in Subsections (3)(a) and (b).
214 (4) (a) The chief information officer shall, on or before January 1, 2014, and each year
215 thereafter, modify the executive branch information technology strategic plan to incorporate
216 security standards that:
217 (i) are identified as industry best practices in accordance with Subsections
218 63F-1-104 (3) and (4); and
219 (ii) can be implemented within the budget of the department or the executive branch
221 (b) The chief information officer shall inform the speaker of the House of
222 Representatives and the president of the Senate on or before January 1 of each year if best
223 practices identified in Subsection (4)(a)(i) are not adopted due to budget issues considered
224 under Subsection (4)(a)(ii).
226 agencies through each executive branch agency adopting an agency information technology
227 plan in accordance with Section 63F-1-204 .
228 Section 5. Section 63F-1-204 is amended to read:
229 63F-1-204. Agency information technology plans.
230 (1) (a) By July 1 of each year, each executive branch agency shall submit an agency
231 information technology plan to the chief information officer at the department level, unless the
232 governor or the chief information officer request an information technology plan be submitted
233 by a subunit of a department, or by an executive branch agency other than a department.
234 (b) The information technology plans required by this section shall be in the form and
235 level of detail required by the chief information officer, by administrative rule adopted in
236 accordance with Section 63F-1-206 , and shall include, at least:
237 (i) the information technology objectives of the agency;
238 (ii) any performance measures used by the agency for implementing the agency's
239 information technology objectives;
240 (iii) any planned expenditures related to information technology;
241 (iv) the agency's need for appropriations for information technology;
242 (v) how the agency's development of information technology coordinates with other
243 state and local governmental entities;
244 (vi) any efforts the agency has taken to develop public and private partnerships to
245 accomplish the information technology objectives of the agency; [
246 (vii) the efforts the executive branch agency has taken to conduct transactions
247 electronically in compliance with Section 46-4-503 [
248 (viii) the executive branch agency's plan for the timing and method of verifying the
249 department's security standards, if an agency intends to verify the department's security
250 standards for the data that the agency maintains or transmits through the department's servers.
251 (2) (a) Except as provided in Subsection (2)(b), an agency information technology plan
252 described in Subsection (1) shall comply with the executive branch strategic plan established in
253 accordance with Section 63F-1-203 .
254 (b) If the executive branch agency submitting the agency information technology plan
255 justifies the need to depart from the executive branch strategic plan, an agency information
256 technology plan may depart from the executive branch strategic plan to the extent approved by
257 the chief information officer.
258 (3) (a) On receipt of a state agency information technology plan, the chief information
259 officer shall forward a complete copy of the agency information technology plan to the
260 Division of Enterprise Technology created in Section 63F-1-401 and the Division of Integrated
261 Technology created in Section 63F-1-501 .
262 (b) The divisions shall provide the chief information officer a written analysis of each
263 agency plan submitted in accordance with [
264 63F-1-504 (3).
265 (4) (a) The chief information officer shall review each agency plan to determine:
266 (i) (A) whether the agency plan complies with the executive branch strategic plan and
267 state information architecture; or
268 (B) to the extent that the agency plan does not comply with the executive branch
269 strategic plan or state information architecture, whether the executive branch entity is justified
270 in departing from the executive branch strategic plan, or state information architecture; and
271 (ii) whether the agency plan meets the information technology and other needs of:
272 (A) the executive branch agency submitting the plan; and
273 (B) the state.
274 (b) In conducting the review required by Subsection (4)(a), the chief information
275 officer shall consider the analysis submitted by the divisions under Subsection (3).
276 (5) After the chief information officer conducts the review described in Subsection (4)
277 of an agency information technology plan, the chief information officer may:
278 (a) approve the agency information technology plan;
279 (b) disapprove the agency information technology plan; or
280 (c) recommend modifications to the agency information technology plan.
281 (6) An executive branch agency or the department may not submit a request for
282 appropriation related to information technology or an information technology system to the
283 governor in accordance with Section 63J-1-201 until after the executive branch agency's
284 information technology plan is approved by the chief information officer.
285 Section 6. Section 63F-1-604 is amended to read:
286 63F-1-604. Duties of the division.
287 The division shall:
288 (1) be responsible for providing support to executive branch agencies for an agency's
289 information technology assets and functions that are unique to the executive branch agency and
290 are mission critical functions of the agency;
291 (2) conduct audits of an executive branch agency when requested under the provisions
292 of Section 63F-1-208 ;
293 (3) conduct cost-benefit analysis of delegating a department function to an agency in
294 accordance with Section 63F-1-208 ;
295 (4) provide in-house information technology staff support to executive branch
297 (5) establish accountability and performance measures for the division to assure that
298 the division is:
299 (a) meeting the business and service needs of the state and individual executive branch
300 agencies; and
301 (b) implementing security standards in accordance with Subsection 63F-1-203 (4);
302 (6) establish a committee composed of agency user groups for the purpose of
303 coordinating department services with agency needs;
304 (7) assist executive branch agencies in complying with the requirements of any rule
305 adopted by the chief information officer; and
306 (8) by July 1, [
307 Technology Interim Committee on the performance measures used by the division under
308 Subsection (5) and the results.
Legislative Review Note
as of 11-15-12 8:20 AM