LB592 LB592
2023 2023
LEGISLATURE OF NEBRASKA
ONE HUNDRED EIGHTH LEGISLATURE
FIRST SESSION
LEGISLATIVE BILL 592
Introduced by Hardin, 48; Ballard, 21.
Read first time January 17, 2023
Committee: Health and Human Services
1 A BILL FOR AN ACT relating to privacy; to adopt the Social Care
2 Information Privacy Act.
3 Be it enacted by the people of the State of Nebraska,
-1-
LB592 LB592
2023 2023
1 Section 1. Sections 1 to 9 of this act shall be known and may be
2 cited as the Social Care Information Privacy Act.
3 Sec. 2. For purposes of the Social Care Information Privacy Act:
4 (1) Closed-loop referral system means a system that:
5 (a) Stores an individual's social care information for the purpose
6 of referrals;
7 (b) Shares its data with a network of entities, including, but not
8 limited to, any health care provider, health plan, health information
9 exchange, public agency, nonprofit organization, charitable organization,
10 and other entity that provides social care; and
11 (c) Is capable of updating or showing updated referral activity,
12 including data related to a participating organization closing the loop
13 on referrals, by updating a downstream system;
14 (2) Individually identifiable social care information means social
15 care information:
16 (a) That identifies the individual receiving social care; or
17 (b) With respect to which there is a reasonable basis to believe
18 that the information can be used to identify the individual receiving
19 social care;
20 (3) Participating organization means an entity that has the ability
21 to create, receive, or update referrals or other social care information
22 in a closed-loop referral system, including, but not limited to, any
23 health care provider, health plan, health information exchange, public
24 agency, nonprofit organization, charitable organization, closed-loop-
25 referral-system technology vendor, and entity that provides social care;
26 (4) Social care means any care, service, good, or supply related to
27 an individual's social needs. Social care includes, but is not limited
28 to, support and assistance for an individual's food stability and
29 nutritional needs, housing, transportation, economic stability,
30 employment, education access and quality, child care and family
31 relationship needs, and environmental and physical safety; and
-2-
LB592 LB592
2023 2023
1 (5) Social care information means any information, in any form, that
2 relates to the need for, payment for, or provision of social care.
3 Sec. 3. Social care information created or received by a covered
4 entity under the federal Health Insurance Portability and Accountability
5 Act of 1996 that meets the definition of protected health information
6 under the federal Health Insurance Portability and Accountability Act of
7 1996 shall always be handled in accordance with the federal Health
8 Insurance Portability and Accountability Act of 1996 and all related
9 regulations under the federal Health Insurance Portability and
10 Accountability Act of 1996.
11 Sec. 4. (1) Nothing in the Social Care Information Privacy Act
12 shall be construed as superseding, preempting, or altering rights and
13 protections afforded under the federal Health Insurance Portability and
14 Accountability Act of 1996.
15 (2) Nothing in the Social Care Information Privacy Act shall be
16 construed as affecting the obligations of covered entities under existing
17 regulations pursuant to the federal Health Insurance Portability and
18 Accountability Act of 1996.
19 (3) Nothing in the Social Care Information Privacy Act relating to
20 social care information shall apply to or alter the status of information
21 considered protected health information under the federal Health
22 Insurance Portability and Accountability Act of 1996.
23 (4) Nothing in the Social Care Information Privacy Act shall be
24 construed as affecting the ability of covered entities under the federal
25 Health Insurance Portability and Accountability Act of 1996 to access,
26 use, transmit, receive, or maintain protected health information.
27 Sec. 5. Nothing in the Social Care Information Privacy Act shall be
28 construed to supersede or preempt the applicability of the following:
29 (1) The federal Health Insurance Portability and Accountability Act
30 of 1996;
31 (2) The federal Family Educational Rights and Privacy Act;
-3-
LB592 LB592
2023 2023
1 (3) Financial records covered by the federal Gramm-Leach-Bliley Act;
2 or
3 (4) Any governing state privacy laws.
4 Sec. 6. (1) The Social Care Information Privacy Act shall apply
5 only to a state or local government entity, including, but not limited
6 to, a state department or agency, a city, a village, a county, a joint
7 entity formed under the Interlocal Cooperation Act, a joint public agency
8 formed under the Joint Public Agency Act, or a public-private
9 partnership, that directly or through a contracted entity provides a
10 closed-loop referral system.
11 (2) An entity is a participating organization if it uses a closed-
12 loop referral system regardless of whether the entity has entered into
13 contractual agreement with a closed-loop referral system vendor.
14 Sec. 7. An individual's personally identifiable information or
15 social care information may be added to a closed-loop referral system
16 only if:
17 (1) The individual consents to its inclusion on each instance of a
18 referral for services; and
19 (2) The individual retains the right to revoke consent to be in the
20 closed-loop referral system at any time.
21 Sec. 8. (1) No participating organization utilizing a closed-loop
22 referral system shall have access to an individual's personally
23 identifiable information or social care information unless:
24 (a) The individual has been referred to that participating
25 organization for services; and
26 (b) The individual has consented for that participating organization
27 to access such information.
28 (2) A participating organization shall have policies and controls in
29 place defining staff roles necessary for the referral and provision of
30 services and for the purpose of providing care coordination. The policies
31 shall:
-4-
LB592 LB592
2023 2023
1 (a) Provide access to social care information as necessary to ensure
2 uninterrupted and efficient delivery of services and care coordination;
3 and
4 (b) Restrict or prohibit access to social care information by any
5 member of the staff, volunteer, and other individual who does not need
6 access to complete the duties of the person in the participating
7 organization.
8 (3) A participating organization may not condition the provision of
9 services on consent to share a service recipient's social care
10 information with any additional employee, partner organization, or other
11 party not necessary for the provision of services.
12 Sec. 9. (1)(a) A participating organization shall not share or
13 transmit individually identifiable social care information the
14 organization holds with a third party unless:
15 (i) It is necessary to comply with a legal obligation imposed by
16 federal, state, tribal, or local law or for reporting required to receive
17 government grant funds; or
18 (ii)(A) The individual consents through active opt-in consent for
19 the participating organization to share or transmit the information; and
20 (B) The third party is required to meet the same privacy and
21 security obligations as the participating organization under the Social
22 Care Information Privacy Act.
23 (b) If the third party is not a participating organization under the
24 Social Care Information Privacy Act, a participating organization may
25 ensure the third party meets the requirements of this subsection through
26 contractual provisions. A participating organization shall exercise
27 reasonable oversight and take reasonable actions to ensure compliance
28 with such contractual obligations.
29 (2) A participating organization shall not sell or license
30 individually identifiable social care information without explicit
31 written consent of the individual. For purposes of this subsection,
-5-
LB592 LB592
2023 2023
1 simply checking a box or radio button on a website does not constitute
2 explicit written consent.
-6-