House File 2116 - Introduced

HOUSE FILE 2116
BY PETTENGILL

A BILL FOR

An Act prohibiting the disclosure of personal information except under specified circumstances and providing penalties.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 5508YH (6) 85 rn/nh

H.F. 2116

Section 1. NEW SECTION. 715D.1 Definitions.

As used in this chapter, unless the context otherwise requires:

1. “Governmental agency” means the same as defined in section 28J.1.

2. “Person or entity” means any individual; business entity; nonprofit organization; governmental agency; health care office, network, or organization; employer; pharmacist; religious organization; or any other individual or entity which is in possession of another individual’s personal information.

3. “Personal information” means the same as defined in section 715C.1. In addition, “personal information” includes any health or prescription-related information not otherwise protected from or subject to disclosure pursuant to state or federal law contained in an individual’s medical, pharmaceutical, or insurance-related information, applications, or records; and any work-related information including but not limited to an employee’s salary level and information contained in an employee’s personnel file. “Personal information” does not include information that is lawfully obtained from publicly available sources, or from federal, state, or local government records lawfully made available to the general public.

Sec. 2. NEW SECTION. 715D.2 Personal information —— disclosure limitations.

Subject to the exceptions contained in section 715D.3, a person or entity shall not voluntarily or intentionally disclose an individual’s personal information without informing the individual of the intent to disclose the personal information, identifying the intended recipient of the information, indicating how the disclosed information is intended to be used, and obtaining the individual’s written consent to the disclosure.

Sec. 3. NEW SECTION. 715D.3 Exceptions.

The disclosure limitations specified in section 715D.2 shall not be applicable to the following:

1. Elective participation in the Iowa health information network established pursuant to section 135.155A.

2. Disclosure of personal information which is subject to any provision of state or federal law which either supersedes or is more restrictive than the provisions of section 715D.2.

3. The breach of security provisions of chapter 715C.

4. Disclosure in response to a subpoena or court order issued pursuant to a civil or criminal investigation or proceeding.

Sec. 4. NEW SECTION. 715D.4 Rulemaking.

The attorney general shall adopt rules to administer and interpret this chapter.

Sec. 5. NEW SECTION. 715D.5 Unauthorized disclosure —— penalties.

1. In the event of a disclosure of personal information in violation of this chapter, a person or entity shall notify the individual whose personal information was disclosed that the disclosure has occurred by certified mail return receipt requested within ten business days of the date the disclosure occurred. The notification shall identify, to the extent able to be determined, the person to whom the disclosure was made.

2. The person or entity shall be responsible for full restitution to an individual whose personal information was disclosed in violation of this chapter for any losses incurred resulting from the disclosure.

3. A violation of this chapter is punishable by a civil penalty not to exceed five thousand dollars.

Sec. 6. HEALTHCARE.GOV —— DATA SECURITY STANDARDS AND PRACTICES. The attorney general shall coordinate with the department of public health, the department of human services, and the office of the chief information officer to determine whether and to what extent personal information disclosure requirements and safeguards developed by the centers for Medicare and Medicaid services of the United States department of health and human services in connection with the healthcare.gov internet site afford the citizens of this state adequate personal information safeguards and protection and reflect best practices for data security. Based on this determination, the attorney general shall develop recommendations and guidelines containing suggestions for utilizing the internet site and areas of concern identified concerning personal information data security by October 1, 2014.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill prohibits the disclosure of personal information except under specified circumstances.

The bill provides several definitions. The bill defines a “person or entity” to mean any individual; business entity; nonprofit organization; governmental agency; health care office, network, or organization; employer; pharmacist; religious organization; or any other individual or entity which is in possession of another individual’s personal information.

The bill defines “personal information” to mean the same as defined in Code section 715C.1. That Code section defines “personal information” as an individual’s first name or first initial and last name in combination with any one or more data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable. The data elements include a social security number; driver’s license number or other unique identification number created or collected by a government body; financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; unique electronic identifier or routing code in combination with any required security code, access code, or password that would permit access to an individual’s financial account; and unique biometric data, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data. In addition, the bill provides that “personal information” includes any health or prescription-related information not otherwise protected from or subject to disclosure pursuant to state or federal law contained in an individual’s medical, pharmaceutical, or insurance-related information, applications, and records; and any work-related information including but not limited to an employee’s salary level and information contained in an employee’s personnel file. The bill provides that “personal information” does not include information that is lawfully obtained from publicly available sources, or from federal, state, or local government records lawfully made available to the general public.

The bill references a definition of “governmental agency” contained in Code section 28J.1 as meaning a department, division, or other unit of state government of Iowa or any other state, city, county, township, or other governmental subdivision, or any other public corporation or agency created under the laws of Iowa, any other state, the United States, or any department or agency thereof, or any agency, commission, or authority established pursuant to an interstate compact or agreement or combination thereof.

The bill provides that a person or entity shall not voluntarily or intentionally disclose an individual’s personal information without informing the individual of the intent to disclose the personal information, identifying the intended recipient of the information, indicating how the disclosed information is intended to be used, and obtaining the individual’s written consent to the disclosure. The bill provides that this restriction does not apply to elective participation in the Iowa health information network established pursuant to Code section 135.155A, to disclosure of personal information which is subject to any provision of state or federal law which either supersedes or is more restrictive than the provisions of the bill, to the breach of security provisions of Code chapter 715C, or to disclosure in response to a subpoena or court order issued pursuant to a civil or criminal investigation or proceeding.

The bill directs the attorney general to adopt administrative rules to administer and interpret the bill’s provisions.

The bill provides that in the event of a disclosure of personal information in violation of the bill’s provisions, a person or entity shall notify the individual whose personal information was disclosed that the disclosure has occurred by certified mail return receipt requested within 10 business days of the date the disclosure occurred. The notification shall identify, to the extent able to be determined, the person to whom the disclosure was made. The person or entity shall be responsible for full restitution to an individual whose personal information was disclosed for any losses incurred resulting from the disclosure. Further, a violation of the bill’s provisions is punishable by a civil penalty not to exceed $5,000.

Finally, the bill directs the attorney general, in conjunction with the department of public health, the department of human services, and the office of the chief information officer, to determine whether and to what extent personal information disclosure requirements and safeguards developed by the centers for Medicare and Medicaid services of the United States department of health and human services in connection with the healthcare.gov internet site afford the citizens of this state adequate personal information safeguards and protection and reflect best practices for data security. Based on this determination, the bill requires the attorney general to develop recommendations containing suggestions for utilizing the internet site and areas of concern identified concerning personal information data security by October 1, 2014.