WEST VIRGINIA LEGISLATURE
2023 REGULAR SESSION
Introduced House Bill 3326
By Delegates Linville and Summers [Introduced February 07, 2023; Referred to the Committee on Technology and Infrastructure then the Judiciary]
 Intr HB 2023R3300
1 A BILL to amend the Code of West Virginia, 1931, as amended, by adding thereto a new article,
2 designated §9-11-1, §9-11-2, §9-11-3, §9-11-4, and §9-11-5, all relating to creating a
3 Privacy of Social Care Information Act; providing a statement of legislative intent; setting
4 forth definitions; clarifying applicability; providing for use of data; and describing article's
5 relation to other privacy laws.
Be it enacted by the Legislature of West Virginia:
ARTICLE 11. PRIVACY OF SOCIAL CARE INFORMATION.
§9-11-1. Statement of Legislative Intent.
1 (a) This article shall be known as the Privacy of Social Care Information Act. Nothing in this
2 article shall be construed as superseding, preempting, or altering rights and protections afforded
3 under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Nothing in this
4 article shall be construed as affecting the obligations of covered entities under existing HIPAA
5 regulations.
6 (b) No provisions in this article relating to social care information apply to or alter the status
7 of information considered protected health information (PHI) under HIPAA. Nothing in this article
8 shall be construed as affecting the ability of HIPAA covered entities to access, use, transmit,
9 receive, or maintain PHI.
§9-11-2. Definitions.
1 (a) "Closed-Loop Referral System" or "CLRS" is defined as any system that:
2 (1) stores an individual’s social care information for the purpose of referrals;
3 (2) shares its data with a network of entities including, but not limited to, healthcare
4 providers, health plans, health information exchanges (HIEs), public agencies, nonprofits,
5 charitable organizations, and other entities that provide social care; and
6 (3) is capable of updating or showing updated referral activity, including data related to
7 participating organizations closing the loop on referrals, by updating downstream systems.
8 (b) "Participating organization" is defined as any entity including, but not limited to,
1
 Intr HB 2023R3300
9 healthcare providers, health plans, HIEs, public agencies, nonprofits, charitable organizations,
10 CLRS technology vendors, and entities that provide social care, that have the ability to create,
11 receive, or update referrals or other social care information in a CLRS. This definition applies to
12 entities that use a CLRS regardless of whether they have entered into contractual agreements
13 with a CLRS vendor.
14 (c) "Social care" is defined as care, services, goods, or supplies related to an individual’s
15 social needs. Social care as used in this article includes, but is not limited to, support and
16 assistance for an individual’s food stability and nutritional needs, housing, transportation,
17 economic stability, employment, education access and quality, child care and family relationship
18 needs, and environmental and physical safety.
19 (d) "Individually identifiable social care information" is defined as social care information
20 that:
21 (1) Identifies the individual receiving social care; or
22 (2) With respect to which there is a reasonable basis to believe the information can be used
23 to identify the individual receiving social care.
24 (e) "Social care information" is defined as any information, in any form, that relates to the
25 need for, payment for, or provision of social care. Social care information created or received by a
26 HIPAA covered entity that meets the HIPAA statutory definition for "protected health information"
27 shall always be handled in accordance with HIPAA and all related regulations.
§9-11-3. Applicability.
1 This article shall apply only to state or local government entities including, but not limited
2 to, public agencies, municipalities, county governments, and public-private partnerships, that
3 directly or through a contracted entity provide a CLRS.
§9-11-4. Use of Data.
1 (a) Individual Control of Data. -- An individual’s personally identifiable information or social
2 care information may be added to a CLRS only if:
2
 Intr HB 2023R3300
3 (1) The individual consents to its inclusion on each instance of a referral for services; and
4 (2) The individual retains the right to revoke consent to be in the system at any time.
5 (b) Organization Access to Data. -- No participating organization utilizing the CLRS shall
6 have access to an individual’s personally identifiable information or social care information unless:
7 (1) The individual has been referred to that provider or organization for services; or
8 (2) The individual has consented for that organization to access such information.
9 (c) Permission-based Access Policies. -- Participating organizations must have policies
10 and controls in place defining staff roles necessary for the referral and provision of services and for
11 the purpose of providing care coordination. These policies shall:
12 (1) Provide access to social care information as necessary to ensure uninterrupted and
13 efficient delivery of services and care coordination; and
14 (2) Restrict or prohibit access to social care information by staff, volunteers, and any other
15 individuals who do not need access to complete their duties.
16 (d) Services Separate from Consent. -- A participating organization may not condition the
17 provision of services on consent to share a service recipient’s social care information with
18 additional employees, partner organizations, or other parties not necessary for the provision of
19 services.
20 (e) Third Parties.
21 (1) A participating organization shall not share or transmit individually identifiable social
22 care information it holds with a third party unless:
23 (A) It is necessary to comply with a legal obligation imposed by federal, state, tribal, or local
24 law or for reporting required to receive government grant funds; or
25 (B) The individual consents through active opt-in consent for the participating organization
26 to share or transmit the information; and
27 (C) That third party is required to meet the same privacy and security obligations as the
28 participating organization under this article.
3
 Intr HB 2023R3300
29 (2) If the third party is not a participating organization under this article, a participating
30 organization may ensure the third party meets these requirements through contractual provisions.
31 A participating organization shall exercise reasonable oversight and take reasonable actions to
32 ensure compliance with such contractual obligations.
33 (f) Sale of data. -- A participating organization shall not sell or license individually
34 identifiable social care information without explicit written consent of the individual. For the
35 purposes of this provision, simply checking a box or radio button on a website does not constitute
36 explicit written consent.
§9-11-5. Relation to other privacy laws.
1 Preemption. -- Nothing in this article shall be construed to supersede or preempt the
2 applicability of the following:
3 (a) The Health Insurance Portability and Accountability Act of 1996 (HIPAA);
4 (b) The Family Educational Rights and privacy Act (FERPA);
5 (c) Financial records covered by the Gramm-Leach-Bliley Act; or
6 (d) Any governing state privacy laws.
NOTE: The purpose of this bill is to create a Privacy of Social Care Information Act. It provides a statement of legislative intent; sets forth definitions; clarifies applicability;
provides for use of data; and describes article's relation to other privacy laws.
Strike-throughs indicate language that would be stricken from a heading or the present law and underscoring indicates new language that would be added.
4


Statutes affected:
Introduced Version: 9-11-1, 9-11-2, 9-11-3, 9-11-4, 9-11-5