HB 1662-FN - AS AMENDED BY THE HOUSE

 

16Feb2022... 0577h

31Mar2022... 1134h

 

2022 SESSION

22-2019

07/05

 

HOUSE BILL 1662-FN

 

AN ACT related to privacy obligations of the department of health and human services.

 

SPONSORS: Rep. Edwards, Rock. 4; Rep. M. Pearson, Rock. 34; Rep. Salloway, Straf. 5; Rep. McMahon, Rock. 7; Rep. Nelson, Carr. 5; Rep. Lang, Belk. 4; Sen. Giuda, Dist 2; Sen. Gray, Dist 6

 

COMMITTEE: Health, Human Services and Elderly Affairs

 

─────────────────────────────────────────────────────────────────

 

ANALYSIS

 

This bill establishes a data privacy and information technology security governance board within the department of health and human services to oversee data privacy risk calculation and risk mitigation efforts, as well as provides for 2 employees within the department to accomplish these objectives.

 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

Explanation: Matter added to current law appears in bold italics.

Matter removed from current law appears [in brackets and struckthrough.]

Matter which is either (a) all new or (b) repealed and reenacted appears in regular type.


 

STATE OF NEW HAMPSHIRE

 

In the Year of Our Lord Two Thousand Twenty Two

 

AN ACT related to privacy obligations of the department of health and human services.

 

Be it Enacted by the Senate and House of Representatives in General Court convened:

 

1  Declaration of Purpose.  New Hampshire voters passed the Right of Privacy into the state constitution in November 2018 with an 81 percent approval.  With that vote, state government culture and behavior needed to be shaped by the words, “An individual's right to live free from governmental intrusion in private or personal information is natural, essential, and inherent”.  The department of health and human services has been subject to the Health Insurance Portability and Accountability Act since 1996 which drove initial efforts to develop a culture and infrastructure to protect personal data privacy.  As a holder of personal information in state government, the department has a responsibility to demonstrate to the public the state’s commitment to actively and overtly respect personal privacy, including privacy of personal information.  Establishing and maturing a culture of privacy is core to successfully driving future efforts to implement and enhance privacy policies, procedures, and practices.  Continuous improvement requires appropriate governance and policy leadership.

2  New Subdivision; Data Privacy and Information Technology Security Governance Board.  Amend RSA 126-A by inserting after section 97 the following new subdivision:

Data Privacy and Information Technology Security Governance Board

126-A:98  Data Privacy and Information Technology Security Governance Board Established.  There is hereby established a data privacy and information technology security governance board to oversee the department's use of data, data privacy, and information technology security that shall be maintained by the department of health and human services.

126-A:99  Membership; Quorum.

I.  The data privacy and information technology security governance board shall consist of the following members:

(a)  The commissioner of the department of health and human services, who shall serve as the governance board chair.

(b)  The department's privacy officer.

(c)  Three directors of the department who have responsibility for one of the following areas: medicaid services, public health, behavioral health, children, youth and families, or long-term support and services.

(d)  The director of the department's bureau of human resource management.

(e)  The director of the department's bureau of information services.

(f)  The department's chief legal officer.

(g)  The commissioner of the department of information technology.

(h)  Up to 2 additional voting members appointed by the commissioner of the department of health and human services, if needed.

II.  A quorum of this board shall consist of the named positions being in attendance with greater than 50 percent present.  Members may delegate authority to represent them for the purposes of maintaining a quorum.  The chair of the board may also delegate authority to another appropriate member of the governance board to serve during a specified meeting.

126-A:100  Duties.  The data privacy and information technology security governance board shall:

I.  Meet at least 3 times a year and post public facing meeting minutes within 2 weeks of the completion of each meeting on the department's web page.

II.  Become educated in what data governance means, how it will work for the organization, and what it means to embrace data governance and activate enterprise data stewards.

III.  Actively promote improved data governance practices across the department.

IV.  Identify and approve of pivotal data governance roles and responsibilities for the department including cross-enterprise domain stewards and coordinators.

V.  Advise, review, and approve the department's data control, governance, and privacy practices in compliance with federal and state law and federal and state information privacy and security policies, with the goal to meet or exceed private market benchmarks for governance, risk management, and compliance.

VI.  Drive strategic and timely implementation of a department-wide privacy policy, related procedures and processes to operationalize policy-derived controls, and effective risk management methodologies, including industry standards such as privacy impact assessments and privacy by design.

VII.  The data privacy and information technology security governance board may solicit information from any person or entity the board deems relevant to its quest.

126-A:101  Risk Management.

I.  For each information technology system that contains personal information, the department shall conduct a written risk assessment and mitigation remediation plan in the form of a privacy impact assessment.

II.  The assessment and plan shall:

(a)  Assess risks to an individual's right to privacy within the department's information technology systems where the individual does not possess immediate control over their information.

(b)  Recommend alternatives to both mitigate the risks and achieve the stated objectives of the department's systems.

(c)  Identify those individuals and offices within the department who shall be directly accountable for the assessment and plan, the system at the time the assessment and plan are compiled, and any approved alternatives and mitigations as a result of the assessment and plan.

III.  Unless otherwise required by law or applicable regulation, no personal information shall be collected prior to the completion of the assessment and plan and any subsequent measures as a result of the assessment and plan, as determined by the governance board for any systems implemented subsequent to March 31, 2023.

IV.  The assessment and plan shall be approved and may be acted upon by the commissioner.  All assessments and plans conducted before the date of the next data privacy and information technology security governance board meeting shall be submitted to the board for review.   

3  Data Privacy and Information Technology Security Governance Board; Specialized Employees Authorized; Appropriation.

I.  The department is hereby authorized to establish 2 full-time, permanent employees to support and conduct the required data privacy and information technology security assessments, as well as manage the implementation of mitigation efforts and other necessary updates.

II.  The qualifications of the 2 employees shall include privacy certifications, information systems expertise, and project management and communications experience.  Certifications may be deferred for up to 2 years post-hiring.

III.  The 2 employees shall be classified, full time employees who shall work on assisting in implementing the objectives of the data privacy and information technology security governance board, conducting the privacy assessment and mitigation plan, and other, related data privacy and information technology security activities in the department of health and human services.  The classification shall be business systems analyst II, labor grade 30, step 5.  The sum of $137,480 in general funds for the fiscal year ending June 30, 2023 is hereby appropriated to the department of health and human services for the purpose of funding 2 business systems analyst II positions for the purpose of implementation of this act.  The governor is authorized to draw a warrant for said amounts out of any money in the treasury not otherwise appropriated.  The department is authorized to accept and expend matching federal funds for the purposes of this section without prior approval of the fiscal committee of the general court.

IV.  The department is authorized to use contract support available from funds prior to July 1, 2023.

4  Effective Date.  

I.  Section 3 of this act shall take effect July 1, 2022.

II.  The remainder of this act shall take effect 60 days after its passage.

 

LBA

22-2019

Amended 4/26/22

 

HB 1662-FN - FISCAL NOTE

AS AMENDED BY THE HOUSE (AMENDMENT #2022-1134h)

 

AN ACT related to privacy obligations of the department of health and human services.

 

FISCAL IMPACT:      [ X ] State              [    ] County               [    ] Local              [    ] None

 

 

Estimated Increase / (Decrease)

STATE:

            Appropriation   Revenue   Expenditures
  FY 2022   $0              $0        $0
  FY 2023   $137,480        $0        $137,000 general funds; $91,000 federal funds
  FY 2024   $0              $0        $139,000 general funds; $91,000 federal funds
  FY 2025   $0              $0        $146,000 general funds; $96,000 federal funds

Funding Source:

  [ X ] General            [    ] Education            [    ] Highway           [ X ] Other - Federal Funds

 

METHODOLOGY:

This bill establishes a Data Privacy and Information Technology Governance Board within the Department of Health and Human Services to oversee data privacy risk calculation and risk mitigation efforts.  The bill establishes two full-time classified positions (Business Systems Analyst II, Labor Grade 30) for the purposes of implementing mitigation efforts and other necessary updates.  The Department anticipates that in total, these positions will cost $228,000 ($137,000 general funds / $91,000 federal funds) in FY23, $230,000 ($139,000 general funds / $91,000 federal funds) in FY24, and $242,000 ($146,000 general funds / $96,000 federal funds) in FY25.  The bill contains a general fund appropriation of $137,480 in FY23, which is expected to be the exact cost of salary and benefits in that fiscal year.

 

AGENCIES CONTACTED:

Department of Health and Human Services