Consolidated Amendment "A" to S2619
Fiscal Note: $0
Amendments: 2, 3, 4, 5, 6, 7, 8, 10, 11, 12, 13, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43
Mr. Michlewitz of Boston and others move to amend H.5472 in section 1 by striking out, in line 89, the words “, as amended from time to time” and inserting in place thereof the following words:- ; and subtitle D of Title XIII of Division A of the American Recovery and Reinvestment Act of 2009, and the regulations promulgated thereunder by the United States Department of Health and Human Services.
And further amend the bill in said section 1 by striking out paragraphs (7) and (8), in lines 247 to 253, inclusive, and inserting in place thereof the following 3 paragraphs:-
(7) a nonprofit organization that establishes or maintains a blood bank or transfusion service pursuant to section 184B of chapter 111 and in compliance with applicable requirements of the United States Food and Drug Administration, including, but not limited to, 21 C.F.R. Parts 600, 601, 606, 607, 610, 630 and 640, as amended, and any successor provisions;
(8) an agent, broker-dealer, investment adviser or investment adviser representative, as defined in section 401 of chapter 110A, who is regulated by the secretary of the commonwealth or the United States Securities and Exchange Commission; or
(9) a covered entity or business associate governed by the privacy, security and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. Parts 160 and 164, established under the Health Insurance Portability and Accountability Act of 1996; provided that, for purposes of this clause, the following words shall, unless the context clearly requires otherwise, have the following meanings:
(A) “business associate”, as defined in 45 C.F.R. 160.103 and, consistent with said 45 C.F.R. 160.103, shall include: (i) a Health Information Organization, E-prescribing Gateway or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information; (ii) a person that offers a personal health record to 1 or more individuals on behalf of a covered entity; and (iii) a subcontractor that creates, receives, maintains or transmits protected health information on behalf of the business associate;
(B) “covered entity”, as defined in 45 C.F.R. 160.103 and, consistent with said 45 C.F.R. 160.103, shall include: (i) a health plan; (ii) a health care clearinghouse; or (iii) a health care provider who transmits any health information in electronic form in connection with a transaction covered by said 45 C.F.R. Parts 160 and 164.
And further amend the bill in said section 1 by striking out, in lines 257 and 258, the words “collects or processes” and inserting in place thereof the following words:- collects, processes or creates.
And further amend the bill in said section 1 by striking out, in lines 259 to 260, the words:- , as in effect on the effective date of this chapter.
And further amend the bill in said section 1 by striking out, in line 382, the words:- or processor.
And further amend the bill in said section 1 by inserting after the word “behalf”, in line 398, the following words:- ; provided, however, that no controller shall share with an authorized agent any personal data related to a minor and their LGBTQ+ protected status.
And further amend the bill in said section 1 by inserting after the word “behalf”, in line 401, the following words:- ; provided, however, that no controller shall share with an authorized agent any personal data related to a consumer and their LGBTQ+ protected status.
And further amend the bill in said section 1 by striking out, in lines 408 to 415, inclusive, the words “; provided, that in determining what is reasonably necessary and proportionate the following shall be taken into account, the: (i) consumer’s reasonable expectation regarding the personal data at the time the personal data was collected based on the purposes that were disclosed to the consumer; (ii) relationship that the new purpose bears to the purposes that were disclosed to the consumer; (iii) impact that processing the personal data for the new purpose might have on the consumer; (iv) relationship between the consumer and the controller and the context in which the personal data were collected; and (v) existence of additional safeguards, including, but not limited to, encryption, in processing such personal data for such new purpose” and inserting in place thereof the following words:- ; provided, that such purposes shall be consistent with the reasonable expectations of the consumer, taking into account: (i) the personal data that is reasonably necessary to achieve the purpose for which the personal data is collected; (ii) the impact that processing the personal data might have on the consumer; (iii) the relationship between the consumer and the controller and the context in which the personal data were collected; and (iv) the existence of additional safeguards, including, but not limited to, encryption.
And further amend the bill by inserting after said section 1 the following section:-
SECTION 1A. (a) The office of consumer affairs and business regulation shall conduct a study and issue a report on how to best regulate data brokers in the commonwealth.
(b) The office shall:
(i) examine what qualifies an entity as a data broker;
(ii) estimate the number of data brokers operating in the commonwealth and the scope of data broker operations;
(iii) estimate the cost, feasibility and efficacy of establishing and maintaining a data broker registry;
(iv) consider whether existing data privacy and consumer protection laws and regulations are sufficient to protect the residents of the commonwealth from any negative impacts associated with data brokers;
(v) evaluate laws and regulations in other jurisdictions in terms of their cost, feasibility, utility and efficacy; and
(vi) consider any other matters that are relevant to the regulation of data brokers, including, but not limited to, any positive impacts associated with data brokers.
(c) The report shall include, but shall not be limited to: (i) proposed definitions that may be appropriate for statute or regulations on how to define a data broker; (ii) a review of other states’ regulation of data brokers; and (iii) data related to cost and feasibility of regulating data brokers.
(d) Not later than July 1, 2027, the office of consumer affairs and business regulation shall submit a report of its findings and recommendations, including any proposed legislation, by filing the same with the clerks of the house of representatives and the senate, the house and senate committees on ways and means and the joint committee on advanced information technology, the internet and cybersecurity.