[Congressional Bills 113th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3299 Introduced in House (IH)]

113th CONGRESS
  1st Session
                                H. R. 3299

 To amend section 340A of the Public Health Service Act to protect the 
     privacy of personally identifiable information in relation to 
  enrollment activities of health insurance exchanges, and for other 
                               purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            October 16, 2013

   Mr. Ross introduced the following bill; which was referred to the 
 Committee on Energy and Commerce, and in addition to the Committee on 
   Ways and Means, for a period to be subsequently determined by the 
  Speaker, in each case for consideration of such provisions as fall 
           within the jurisdiction of the committee concerned

_______________________________________________________________________

                                 A BILL


 
 To amend section 340A of the Public Health Service Act to protect the 
     privacy of personally identifiable information in relation to 
  enrollment activities of health insurance exchanges, and for other 
                               purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Security Before Access Act of 
2013''.

SEC. 2. PROTECTING THE PRIVACY OF PERSONALLY IDENTIFIABLE INFORMATION 
              IN ENROLLMENT ACTIVITIES OF HEALTH INSURANCE EXCHANGES.

    (a) In General.--Section 340A(c) of the Public Health Service Act 
(42 U.S.C. 256a(c)) is amended by adding at the end the following new 
paragraph:
            ``(3) Ensuring privacy of personally identifiable 
        information; liability; penalties; consumer opt out.--
                    ``(A) In general.--The Secretary shall require each 
                recipient of a grant under this section to implement 
                procedures specified by the Secretary consistent with 
                this paragraph in order to protect the privacy of 
                personally identifiable information.
                    ``(B) Required procedures.--The procedures 
                specified by the Secretary under subparagraph (A) shall 
                include at least the following:
                            ``(i) Prohibition of access without 
                        explicit consent.--No certified application 
                        counselor, health insurance navigator, or non-
                        navigator assistance personnel shall have 
                        access to personally identifiable information 
                        relating to an individual without the express, 
                        witnessed, written consent of that individual.
                            ``(ii) Requiring licensure, background 
                        checks.--No such individual shall have access 
                        to personally identifiable information unless 
                        the individual--
                                    ``(I) has undergone, within 60 days 
                                before commencing enrollment assistance 
                                for any consumer seeking coverage 
                                through health insurance exchanges, 
                                both a criminal background and 
                                fingerprint check and has a clean 
                                record free of criminal infractions; 
                                and
                                    ``(II) meets educational and 
                                licensure requirements that are 
                                identical or comparable to those 
                                currently applicable to health 
                                insurance agents and brokers within the 
                                State they seek to assist consumers 
                                with health insurance enrollment.
                            ``(iii) Requirement for prior certification 
                        of safeguards.--The recipient of the grant may 
                        not collect personally identifiable information 
                        for any reason until the Comptroller General of 
                        the United States, in agreement with the 
                        Inspector General of the Department of Health 
                        and Human Services, certifies to Congress that 
                        such Department, along with any other relevant 
                        Federal agencies involved with health insurance 
                        assistance or enrollment, or collection or 
                        verification of personally identifiable 
                        information, have implemented all appropriate 
                        and necessary actions to safeguard both 
                        such information and financial information of 
                        individuals seeking enrollment in a health plan 
                        through an Exchange and to protect such 
                        individuals from fraud and abuse.
                    ``(C) Liability.--Not later than 90 days after the 
                date of the enactment of this paragraph, the 
                Secretary--
                            ``(i) shall issue guidance concerning how 
                        liability and penalties will be applied in 
                        instances of failure to comply with 
                        requirements of this paragraph, including where 
                        consumer outreach and enrollment assistance 
                        causes harm to an individual as a result of 
                        misuse or negligence in protection and privacy 
                        of personally identifiable information;
                            ``(ii) shall determine whether such 
                        liability lies with the person (such as a 
                        navigator, certified application counselor, or 
                        non-navigator assistance personnel) having 
                        direct contact with the prospective enrollee in 
                        enrollment assistance-related actions or 
                        whether liability lies with the entity that 
                        received Federal or Exchange-generated funds to 
                        carry out consumer outreach activities; and
                            ``(iii) shall determine whether the 
                        entities identified under clause (ii) are 
                        required to obtain professional liability 
                        coverage.
                    ``(D) Penalties.--
                            ``(i) Criminal penalties.--
                                    ``(I) Any individual or entity who, 
                                under this section, has possession of, 
                                or access to, personally identifiable 
                                information the disclosure of which is 
                                prohibited by this section (or section 
                                552a of title 5, United States Code) or 
                                by rules or regulations established 
                                thereunder, and who knowing that 
                                disclosure of the specific material is 
                                so prohibited, willfully discloses the 
                                material in any manner to any person or 
                                entity not entitled to receive it, 
                                shall be guilty of a misdemeanor and 
                                fined not more than $5,000.
                                    ``(II) A person who commits the 
                                offense described under subclause (I) 
                                with the intent to sell, transfer, or 
                                use personally identifiable information 
                                for commercial advantage, personal 
                                gain, or malicious harm shall be fined 
                                not more than $250,000, imprisoned for 
                                not more than 10 years, or both.
                                    ``(III) Any person who knowingly 
                                and willfully requests or obtains any 
                                personally identifiable information 
                                protected under this section concerning 
                                an individual under false pretenses 
                                shall be guilty of a felony and fined 
                                not more than $100,000, imprisoned for 
                                not more than 5 years, or both.
                            ``(ii) Potential exposure to tax penalty.--
                        Any navigator, certified application counselor, 
                        or non-navigator assistance personnel who 
                        engages in health plan enrollment consumer 
                        assistance activities under this section and 
                        who is exposed to consumer tax return 
                        information is potentially subject to criminal 
                        liability under section 7213(a) of the Internal 
                        Revenue Code of 1986 for any instances of 
                        unauthorized disclosure of such information.
                            ``(iii) Disqualification from further 
                        assistance.--If the Secretary determines that 
                        any individual, including any navigator, 
                        certified application counselor, or non-
                        navigator assistance personnel, has a criminal 
                        background or is otherwise in violation of this 
                        paragraph with respect to the requirements 
                        relating to disclosure and use of personally 
                        identifiable information, the Secretary shall 
                        permanently disqualify the individual from any 
                        further involvement in consumer assistance 
                        activities required under this section or the 
                        Patient Protection and Affordable Care Act and 
                        may disqualify and rescind the Federal and 
                        Exchange-generated funds from the entity which 
                        employs or contracts with such an individual.
                    ``(E) Consumer opt out for lack of privacy 
                protection.--Beginning on the date of health insurance 
                exchange operations for both individuals and 
                businesses, no individual consumer shall be made 
                responsible for failure to meet a requirement under the 
                Patient Protection and Affordable Care Act (including 
                any amendments made by this Act) for obtaining 
                qualified health insurance coverage through an Exchange 
                unless the Secretary has demonstrated with reasonable 
                certainty that effective and comprehensive protection 
                of personally identifiable information, with respect to 
                any health insurance enrollment activity electronic or 
                otherwise, are in place prior to any consumer 
                disclosure or transmission of personally identifiable 
                information for health insurance enrollment purposes.
                    ``(F) Personally identifiable information 
                defined.--In this paragraph, the term `personally 
                identifiable information' includes Social Security 
                numbers, bank account information, insurance records, 
                health records, personal income data, and any other 
                information deemed personally identifiable and 
                sensitive in nature by the Federal Trade Commission, 
                the Department of Justice, the Social Security 
                Administration, the Consumer Financial Protection 
                Bureau, the President's Task Force on Identity Theft, 
                and any other relevant Federal agency, which is 
                disclosed or obtained in connection with any health 
                insurance enrollment activity conducted under this 
                section.''.
    (b) Effective Date.--The amendment made by subsection (a) shall 
take effect on the date of the enactment of this Act and shall apply to 
grants made before, on, or after the date of the enactment of this Act. 
The Secretary of Health and Human Services shall provide for the prompt 
modification of such grants made before the date of the enactment of 
this Act in order to comply with the requirement imposed by such 
amendment.