NHLA Bill Review: Bill Text

Bill Text - HB1662 (2022)

(Second New Title) relative to the privacy obligations of the department of health and human services, an appropriation for housing expenses for homeless people and parameters thereof, electronic wage payments, and requiring online marketplaces to disclose certain information to consumers.

Revision: Dec. 30, 2021, 11:14 a.m.

HB 1662-FN - AS INTRODUCED

2022 SESSION

22-2019

07/05

HOUSE BILL 1662-FN

SPONSORS: Rep. Edwards, Rock. 4; Rep. M. Pearson, Rock. 34; Rep. Salloway, Straf. 5; Rep. McMahon, Rock. 7; Rep. Nelson, Carr. 5; Rep. Lang, Belk. 4; Sen. Giuda, Dist 2; Sen. Gray, Dist 6

COMMITTEE: Health, Human Services and Elderly Affairs

-----------------------------------------------------------------

ANALYSIS

This bill establishes a data privacy and information technology security governance board within the department of health and human services to oversee data privacy risk calculation and risk mitigation efforts, as well as provides for 2 employees within the department to accomplish these objectives.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Explanation: Matter added to current law appears in bold italics.

Matter removed from current law appears [in brackets and struckthrough.]

Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.

22-2019

07/05

STATE OF NEW HAMPSHIRE

In the Year of Our Lord Two Thousand Twenty Two

Be it Enacted by the Senate and House of Representatives in General Court convened:

1 Declaration of Purpose. New Hampshire voters passed the Right of Privacy into the state constitution in November 2018 with an 81 percent approval. With that vote, state government culture and behavior needed to be shaped by the words, “An individual's right to live free from governmental intrusion in private or personal information is natural, essential, and inherent”. The department of health and human services has been subject to the Health Insurance Portability and Accountability Act since 1996 which drove initial efforts to develop a culture and infrastructure to protect personal data privacy. As a holder of personal information in state government, the department has a responsibility to demonstrate to the public the state’s commitment to actively and overtly respect personal privacy, including privacy of personal information. Establishing and maturing a culture of privacy is core to successfully driving future efforts to implement and enhance privacy policies, procedures, and practices. Continuous improvement requires appropriate governance and policy leadership.

2 New Subdivision; Data Privacy and Information Technology Security Governance Board. Amend RSA 126-A by inserting after section 97 the following new subdivision:

Data Privacy and Information Technology Security Governance Board

126-A:98 Data Privacy and Information Technology Security Governance Board Established. There is hereby established a data privacy and information technology security governance board to oversee the department's use of data, data privacy, and information technology security that shall be maintained by the department of health and human services.

126-A:99 Membership.

I. The data privacy and information technology security governance board shall consist of the following members:

(a) The department commissioner.

(b) The department's privacy officer.

(d) The director of the department's division of medicaid services.

(e) The director of the department's division for behavioral health.

(f) The director of the department's division for children, youth and families.

(g) The director of the department's bureau of human resource management.

(h) The director of the department's bureau of information services.

(i) An individual with industry expertise, appointed by the governor.

II. The data privacy and information technology security governance board may solicit information from any person or entity the board deems relevant to its quest.

126-A:100 Duties. The data privacy and information technology security governance board shall:

I. Meet at least 3 times a year and post public facing meeting minutes within 2 weeks of the completion of each meeting on the department's web page.

II. Become educated in what data governance means, how it will work for the organization, and what it means to embrace data governance and activate enterprise data stewards.

III. Actively promote improved data governance practices across the department.

IV. Identify and approve of pivotal data governance roles and responsibilities for the department including cross-enterprise domain stewards and coordinators.

V. Advise, review, and approve the department's data control, governance, and privacy practices with the goal to meet or exceed private market benchmarks for governance, risk management, and compliance.

VI. Drive strategic and timely implementation of a department-wide privacy policy, related procedures and processes to operationalize policy-derived controls, and effective risk management methodologies, including industry standards such as privacy impact assessments and privacy by design.

126-A:101 Notice, Consent, and Data Subjects.

I. All personal information, both manually and electronically collected, shall be collected on an opt-in basis only by July 1, 2022.

(a) Opt-in consent shall include specifics regarding how the data is to be collected, used, retained, destroyed, an individual's process for retrieval and removal of their data, and a clear commitment to not use the data for any purpose not included.

(b) Written notice and consent for the opt-in consent shall meet private sector benchmark standards for ease of readability.

(d) The department shall bring all proposed exceptions to the opt-in requirement to the oversight committee on health and human services, established in RSA 126-A:13, for approval.

126-A:102 Risk Management.

I. The department shall conduct a written and signed risk assessment and mitigation remediation plan in the form of a privacy impact assessment that shall be submitted to the data privacy and information technology security governance board.

II. The assessment and plan shall:

(a) Assess risks to an individual's right to privacy within the department's information technology systems where the individual does not possess immediate control over their information.

(b) Recommend alternatives to both mitigate the risks and achieve the stated objectives of the department's systems.

(c) Identify those individuals and offices within the department who shall be directly accountable for the assessment and plan, the system at the time the assessment and plan are compiled, and any approved alternatives and mitigations as a result of the assessment and plan.

III. No personal information shall be collected prior to the completion of the assessment and plan and any subsequent measures as a result of the assessment and plan, as determined by the governance board.

IV. The assessment and plan shall be approved by the commissioner.

V. No state or federal funds shall be spent on any system that does not have a completed assessment and plan after January 1, 2024.

3 Data Privacy and Information Technology Security Governance Board; Specialized Employees Authorized.

I. The department is hereby authorized to establish 2 full-time, permanent employees to support and conduct the required data privacy and information technology security assessments, as well as implement mitigation efforts and other necessary updates.

II. The qualifications of the 2 employees shall include privacy certifications, information systems expertise, and project management and communications experience.

III. The 2 employees shall be classified, full time employees who shall work exclusively on assisting in implementing the objectives of the data privacy and information technology security governance board, conducting the privacy assessment and mitigation plan, and other, related data privacy and information technology security activities in the department of health and human services. The classification shall be planning analyst/data system, labor grade 24.

IV. The department is authorized to use contract support available from funds prior to July 1, 2023.

4 Effective Date.

I. Section 3 of this act shall take effect July 1, 2022.

II. The remainder of this act shall take effect 60 days after its passage.

LBA

22-2019

Redraft 12/27/21

HB 1662-FN- FISCAL NOTE

AS INTRODUCED

FISCAL IMPACT: [ X ] State [ ] County [ ] Local [ ] None


	Estimated Increase / (Decrease)
STATE:	FY 2022	FY 2023	FY 2024	FY 2025
Appropriation	$0	$0	$0	$0
Revenue	$0	$0	$0	$0
Expenditures	$0	Indeterminable Increase	Indeterminable Increase	Indeterminable Increase
Funding Source:	[ X ] General [ ] Education [ ] Highway [ ] Other

The Department of Information Technology was contacted for a fiscal note worksheet on 11/11/2021, and has not responded as of 12/27/2021.

METHODOLOGY:

This bill:

Establishes a Data Privacy and Information Technology Governance Board within the Department of Health and Human Services. The Board would be charged with overseeing data privacy risk calculation and risk mitigation efforts.
Requires the Department to conduct a risk assessment and remediation plan in the form of a privacy impact assessment submitted to the Board established in (1) above.
Stipulates that all personal information collected by the Department shall be collected on an opt-in basis only, effective July 1, 2022. The bill states the opt-in consent shall include specifics regarding how the data is to be collected, used, retained, destroyed, an individual's process for retrieval and removal of their data, and a clear commitment to not use the data for any purpose not included.
Requires that all systems that are currently organized on an opt-out basis shall be converted during system replacement or other major upgrades.
Establishes two labor grade 24 employees within the Department for the purposes of conducting data privacy and information technology security assessments, as well as implementing mitigation efforts and other necessary updates. The bill does not contain an appropriation for the new positions; it does allow for the Department to fund the positions within existing appropriations.

The Department of Health and Human Services anticipates the bill may result in a significant but indeterminable cost, driven by the following factors:

Many IT systems are currently organized on an opt-out basis, resulting in the need for additional professional services to analyze the current systems, identify those that comply with the bill's intent, and work with service vendors to address changes as needed. The Department expects this to require amendments to several vendors' contracts, the cost of which is indeterminable until further research is conducted.
There will be a need to update all systems consent processes and documentation to include how data is collected, used, retained, etc.
Many federal programs (Medicaid, the Supplemental Nutrition Assistance Program, child support and welfare programs, etc) require the identification of personal information in order for the state to receive funding. The Department anticipates complying with the bill's opt-in requirement through the initial consent for services, but states that due to federal reporting requirements, individuals would not be able to remove their data once services were consented to be provided.
Allowing individuals the ability to remove collected data from departmental systems would require modifications to each of those systems, at a cost which cannot currently be determined and, according to the Department, may result in the loss of federal funding as many programs require data to remain intact in order to receive federal funding.

The Department has identified 17 major systems that will likely be impacted by the bill, in the areas of Medicaid; Behavioral Health; Long-Term Supports and Services; Children, Youth, and Families; Public Health; Economic Housing and Stability; and the NH Hospital. The Department states that several smaller, manual systems will be impacted as well. The Department also supplied a list of seven approved capital budget projects that would be impacted by the bill's requirements. The Department anticipates the bill will result in the following costs, which are presumably in addition to the two positions contemplated by the bill itself.

Resources to accommodate Privacy Impact Assessments – $470,646
- Supporting the analysis and assessments of the existing systems and new systems (7,680 hours) - Estimated to be 960 hours of work for each of eight division. Resources will be allocated 20 hours per week for 8 weeks with a total of six people working on each team to include Business Systems Analyst II for project management, business analysts (two – Business Systems Analyst I), security officer (Information Technology Manager V), privacy officer (Attorney IV), and subject matter specialist (Program Coordinator).
Chief Privacy Officer - $185,000 - $243,000 for salary and benefits.
Resources for identification of existing systems needing changes– $235,323
- Supporting analysis of the existing systems in conjunction with the bill (3,840 hours). Estimated to be 480 hours of work for each of eight divisions; resources will be allocated 20 hours per week for 4 weeks with a total of six people working on each team to include Business Systems Analyst II for project management, business analysts (two – Business Systems Analyst I), security officer (Information Technology Manager V), privacy officer (Attorney IV), and subject matter specialist (Program Coordinator).
Systems Impact – (Indeterminable)
- Identification of system exceptions to the bill – Indeterminable expenditures
- Changes to existing systems to comply with the bill – Indeterminable expenditures
- Changes to future system strategies to comply with the bill – Indeterminable expenditures

As noted above, the bill itself establishes two labor grade 24 positions to perform data privacy and security assessments, as well as conduct mitigation efforts. If these positions are in addition to the costs identified by the Department, they would cost a combined $162,000 - $178,000 per year in salary and benefits.

AGENCIES CONTACTED:

Department of Health and Human Services and Department of Information Technology