Hawaii Social Security Number Protection (Haw. Rev. Stat. §§ 487J-1 - § 487J-7)


 

CHAPTER 487J

PERSONAL INFORMATION PROTECTION

Section

487J-1 Definitions

487J-2 Social security number protection

487J-3 Penalties; civil action

487J-4 Reporting requirements

487J-5 Policy and oversight responsibility

487J-6 Unlawful use of identification card or driver's license

487J-7 Pharmacy benefit managers; health information; prohibited marketing practices

 

Note

Chapter heading amended by L 2012, c 191, §3.

Personal information protection requirements.  L Sp 2008, c 10, §§7 to 15.

Cross References

Information privacy and security council; personal information security, see §§487N-5 to 7.

 

§487J-1  Definitions.  As used in this chapter:

"Affiliated" means businesses or persons who have contractual arrangements with, or are subject to the control of, the pharmacy benefit manager.

"Business" means a sole proprietorship, partnership, limited partnership, corporation, limited liability company, association, or any other form of business entity.  The term also includes a financial institution organized, chartered, or holding a license or authorization certificate under the laws of this State, any other state, the United States, or any other country, or the parent or the subsidiary of any such financial institution.  The term also includes an entity whose business is records destruction.

"Employee benefit plan" means any plan as defined in title 29 United States Code section 1002(3), as amended.

"Government agency" means any department, division, board, commission, public corporation, or other agency or instrumentality of the State or of any county.

"Health benefits plan" has the same meaning as in section 87A-1.

"Health information" has the same meaning as in 45 Code of Federal Regulations section 160.103, as may be amended.

"Managed care plan" has the same meaning as in section 432E-1.

"Marketing" means making a communication about a product or service that encourages a recipient of the communication to purchase or use the product or service.

"Personal information" has the same meaning as in section 487N-1.

"Redacted" means the rendering of data so that it is unreadable or is truncated so that no more than the last four digits of the identification number are accessible as part of the data.

"Pharmacy benefit manager" means any person, business, or entity that performs pharmacy benefit management, including but not limited to a person or entity under contract with a pharmacy benefit manager to perform pharmacy benefit management on behalf of a managed care company, nonprofit hospital or medical service organization, insurance company, third-party payor, or health program administered by the State.

"Scan" or "scanning" means to access the machine-readable zone of an individual's Hawaii identification card or driver's license with an electronic device capable of deciphering, in an electronically readable format, information electronically encoded on an individual's Hawaii identification card or driver's license. [L 2006, c 137, pt of §2; am L Sp 2008, c 10, §3; am L 2012, c 191, §2; am L 2013, c 225, §3]

 

§487J-2  Social security number protection.  (a)  Except as otherwise provided in subsection (b), a business or government agency may not do any of the following:

(1)  Intentionally communicate or otherwise make available to the general public an individual's entire social security number;

(2)  Intentionally print or imbed an individual's entire social security number on any card required for the individual to access products or services provided by the business or government agency;

(3)  Require an individual to transmit the individual's entire social security number over the Internet, unless the connection is secure or the social security number is encrypted.  For purposes of this paragraph, "encrypted" means that an algorithmic process has been used to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key;

(4)  Require an individual to use the individual's entire social security number to access an internet website, unless a password or unique personal identification number or other authentication device is also required to access the internet website; or

(5)  Print an individual's entire social security number on any materials that are mailed to the individual, unless the materials are employer-to-employee communications, or where specifically requested by the individual.

(b)  Subsection (a) shall not apply to:

(1)  The inclusion of a social security number in documents that are mailed and:

(A)  Are specifically requested by the individual identified by the social security number;

(B)  Required by state or federal law to be on the document to be mailed;

(C)  Required as part of an application or enrollment process;

(D)  Used to establish, amend, or terminate an account, contract, or policy; or

(E)  Used to confirm the accuracy of the social security number for the purpose of obtaining a credit report pursuant to 15 U.S.C. section 1681(b).

A social security number that is permitted to be mailed under this paragraph may not be printed, in whole or in part, on a postcard or other mailer not requiring an envelope, or visible on the envelope or without the envelope having been opened;

(2)  The opening of an account or the provision of or payment for a product or service authorized by an individual;

(3)  The collection, use, or release of a social security number to investigate or prevent fraud; conduct background checks; conduct social or scientific research; collect a debt; obtain a credit report from or furnish data to a consumer reporting agency pursuant to the Fair Credit Reporting Act, 15 U.S.C. sections 1681 to 1681x, as amended; undertake a permissible purpose enumerated under the federal Gramm Leach Bliley Act, 15 U.S.C. sections 6801 to 6809, as amended; locate an individual who is missing or due a benefit, such as a pension, insurance, or unclaimed property benefit; or locate a lost relative;

(4)  A business or government agency acting pursuant to a court order, warrant, subpoena, or when otherwise required by law;

(5)  A business or government agency providing the social security number to a federal, state, or local government entity including a law enforcement agency or court, or their agents or assigns;

(6)  The collection, use, or release of a social security number in the course of administering a claim, benefit, or procedure relating to an individual's employment, including an individual's termination from employment, retirement from employment, injuries suffered during the course of employment, and other related claims, benefits, or procedures;

(7)  The collection, use, or release of a social security number as required by state or federal law;

(8)  The sharing of the social security number by business affiliates;

(9)  The use of a social security number for internal verification or administrative purposes;

(10)  A social security number that has been redacted; and

(11)  Documents or records that are recorded or required to be open to the public pursuant to the constitution or laws of the State or court rule or order.

(c)  A business or government agency covered by this section shall make reasonable efforts to cooperate, through systems testing and other means, to ensure that the requirements of this chapter are complied with. [L 2006, c 137, pt of §2; am L 2008, c 19, §68]

 

[§487J-3]  Penalties; civil action.  (a)  Any business that violates any provision of this chapter shall be subject to penalties of not more than $2,500 for each violation.  The attorney general or the executive director of the office of consumer protection may bring an action pursuant to this section.  No such action may be brought against a government agency.

(b)  In addition to any penalty provided for in subsection (a), any business that violates any provision of this chapter shall be liable to the injured party in an amount equal to the sum of any actual damages sustained by the injured party as a result of the violation.  The court in any action brought under this section may award reasonable attorneys' fees to the prevailing party.  No such action may be brought against a government agency.

(c)  The penalties provided in this section shall be cumulative to the remedies or penalties available under all other laws of this State. [L 2006, c 137, pt of §2]

 

[§487J-4]  Reporting requirements.  A government agency shall submit a written report to the legislature within twenty days after the discovery of a material occurrence of a social security number disclosure by the government agency that is prohibited by this chapter.  The report shall contain information relating to the nature of the incident, the number of individuals affected by the incident, and any procedures that have been implemented to prevent the incident from reoccurring.  In the event that a law enforcement agency informs the government agency that the report may impede a criminal investigation or jeopardize national security, the report to the legislature may be delayed until twenty days after the law enforcement agency has determined that the report will no longer impede the investigation or jeopardize national security. [L 2006, c 137, pt of §2]

 

[§487J-5]  Policy and oversight responsibility.  (a)  By September 1, 2009, each government agency shall designate an agency employee to have policy and oversight responsibilities for the protection of personal information.

(b)  The designated agency employee shall:

(1)  Ensure and coordinate agency compliance with this chapter, chapter 487N, and chapter 487R;

(2)  Assist individuals who have identity theft and other privacy-related concerns;

(3)  Provide education and information to agency staff on privacy and security issues;

(4)  Coordinate with state, county, and federal law enforcement agencies on identity theft investigations; and

(5)  Recommend policies and practices to protect individual privacy rights relating to the individual's personal information. [L Sp 2008, c 10, §2]

 

§487J-6  Unlawful use of identification card or driver's license.  (a)  No business may scan the machine-readable zone of an individual's identification card or driver's license, except for the following purposes:

(1)  To verify authenticity of the identification card or driver's license or to verify the identity of the individual if the individual pays for goods or services with a method other than cash, returns an item, or requests a refund or an exchange;

(2)  To verify the individual's age when providing age-restricted goods or services to the individual if there is a reasonable doubt of the individual having reached the minimum age required for purchasing the age-restricted goods or services;

(3)  To prevent fraud or other criminal activity if the individual returns an item or requests a refund or an exchange and the business uses a fraud prevention service company or system.  Information collected by scanning an individual's identification card or driver's license pursuant to this subsection shall be limited to the following information from the individual:

(A)  Name;

(B)  Address;

(C)  Date of birth; and

(D)  Driver's license number or identification card number;

(4)  To establish or maintain a contractual relationship.  Information collected by scanning the individual's identification card or driver's license pursuant to this subsection shall be limited to the following information from the individual:

(A)  Name;

(B)  Address;

(C)  Date of birth; and

(D)  Driver's license number or identification card number;

(5)  To record, retain, or transmit information as required by state or federal law;

(6)  To transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by the federal Fair Credit Reporting Act, Gramm-Leach-Bliley Act, or the Fair Debt Collection Practices Act; and

(7)  To record, retain, or transmit information by a covered entity governed by the medical privacy and security rules issued by the federal Department of Health and Human Services, parts 160 and 164 of title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996.

(b)  No business shall retain any information obtained pursuant to subsection (a), except as permitted in subsections (a)(3) through (7).

(c)  No business shall sell or disseminate to a third party any information obtained under this section for any purpose, including marketing, advertising, or promotional activities, except as permitted in subsections (a)(3) through (7).

(d)  A business covered under this section shall make reasonable efforts, through systems testing and other means, to ensure that the requirements of this chapter are met.

(e)  Any waiver of a provision of this section is contrary to public policy and is void and unenforceable.

(f)  For purposes of this section:

"Consumer reporting agency" shall have the same meaning as in the federal Fair Credit Reporting Act, title 15 United States Code section 1681a(f).

"Covered entity" shall have the same meaning as in the security rules issued by the federal Department of Health and Human Services, parts 160 and 164 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and [Accountability] Act of 1996.

"Debt collector" shall have the same meaning as in the federal Fair Debt Collection Practices Act, title 15 United States Code section 1692a.

"Financial institution" shall have the same meaning as in the federal Gramm-Leach-Bliley Act, title 15 United States Code section 6809. [L 2012, c 191, §1; am L 2013, c 195, §§1, 3; am L 2014, c 67, §§1, 2]

 

[§487J-7]  Pharmacy benefit managers; health information; prohibited marketing practices.  (a)  A pharmacy benefit manager shall not:

(1)  Use an individual's health information, or share an individual's health information with any pharmacy affiliated with or owned, wholly or in part, by the pharmacy benefit manager, for the purpose of marketing, unless:

(A)  Use of the individual's health information is medically necessary to the health and safety of the individual;

(B)  Use of the individual's health information is consistent with regulations of the federal Centers for Medicare and Medicaid, if the plan is governed by those rules; or

(C)  The individual has affirmatively opted in, in writing, to use of the information;

(2)  Sell or disseminate such information unless the sale or dissemination complies with all federal and state laws and the pharmacy benefit manager has received written approval for such sale or dissemination from the employee benefit plan, health benefits plan, or managed care plan sponsor, and the individual; or

(3)  Directly contact an individual by any means, including via electronic delivery, telephonic, SMS text, or direct mail, for the purposes of marketing pharmacy benefit manager-owned pharmacies without the express written permission of the employee benefit plan, health benefits plan, or managed care plan sponsor, and the individual, unless the employee benefit plan, health benefits plan, or managed care plan sponsor first determines that the contact is medically necessary to the health and safety of the individual.

(b)  Nothing in this section shall prohibit the use of a patient's health information that is used in conjunction with an insurer-authorized program to more effectively use prescription drugs to improve the health and safety of the individual.

(c)  A pharmacy benefit manager shall provide each individual with an opportunity to affirmatively opt in to the sale or dissemination of their health information prior to entering into any arrangement for the lease, rental, dissemination, or sale of such information to any other entity, or to any subsidiary owned, wholly or in part, by the pharmacy benefit manager; provided that an individual may freely revoke the affirmative opt in at any time. [L 2013, c 225, §2]

Social Security Number Protection (Hawaii Revised Statutes Sec. 487J-1 through 487J-4, added by Laws of 2006, Chapter 137, effective July 1, 2009, as amended by Laws of 2008, First Special Session, Chapter 10, enacted July 8, 2008.)

 

For more information, see here:  http://www.capitol.hawaii.gov/hrscurrent/Vol11_Ch0476-0490/HRS0487J/HRS_0487J-.htm

 

These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only.  No Claim to Original State Government Works.  This may not be the most recent version.  The State may have more current information.  We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to.  Please check the linked sources directly.
