|
THE SENATE |
S.B. NO. |
2167 |
|
THIRTY-THIRD LEGISLATURE, 2026 |
|
|
|
STATE OF HAWAII |
|
|
|
|
|
|
|
|
||
|
|
||
A BILL FOR AN ACT
relating to the hawaii patients' bill of rights and RESPONSIBILITIES act.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
The legislature recognizes that the original Hawaii Patients' Bill of Rights and Responsibilities Act, enacted over twenty-five years ago, now requires substantial updates to address modern challenges, such as AI-driven health insurance claim denials, telehealth accessibility, data-offshoring risks, and persistent network inadequacies on the neighbor islands and in rural areas. The legislature finds that patients, health care providers, and cybersecurity experts cite the need for robust data protection measures that accommodate legitimate offshoring services while maintaining safeguards compliant with the Health Insurance Portability and Accountability Act of 1996, timely breach notifications, and strong enforcement.
The legislature believes that the insurance commissioner needs expanded authority, resources, and reporting mechanisms to effectively audit, investigate, and sanction noncompliant insurers or billing entities, ensuring consistent and accountable enforcement of patients' rights. The legislature further believes that revising the Hawaii Patients' Bill of Rights and Responsibilities Act is an essential modernization step that prioritizes patient autonomy, transparent health care, timely access, robust data protection, AI accountability, and real enforcement--all while recognizing the practical realities of insurers, providers, and patients in a rapidly evolving health care landscape.
Accordingly, the purpose of this Act is to modernize and strengthen the Hawaii Patients' Bill of Rights and Responsibilities Act to reflect developments and improvements in prior authorization, telehealth, data protection, and enforcement standards.
SECTION 2. Chapter 432E, Hawaii Revised Statutes, is amended by adding a new part to be appropriately designated and to read as follows:
"Part . AUTOMATED DECISION SYSTEM, prior
authorization, and Telehealth
§432E- Definitions. As used in this part:
"Automated decision system" means any algorithmic or software-based platform that can autonomously generate or recommend coverage determinations without direct human supervision.
"Health professional shortage area" has the same meaning as defined in the Public Health Service Act of 1944.
"Prior authorization" means the process by which utilization review organizations determine the medical necessity or medical appropriateness of otherwise covered health care services prior to rendering the health care services. "Prior authorization" includes any health carrier or utilization review organization's requirement that an enrollee or health care provider notify the health carrier or utilization review organization prior to providing a health care service.
"Telehealth services" or "telehealth" has the same meaning as defined in section 431:10A-116.3.
§432E- Health professional shortage areas; telehealth services; reports. (a) Enrollees in health professional shortage areas shall have timely access to primary and specialty care.
(b) Telehealth services, if legally permissible within a provider's scope of practice, shall be covered at parity with in-person services to mitigate access barriers.
(c) Prior authorization procedures in health professional shortage areas shall not unduly limit provider productivity or delay critical patient care.
(d) A health carrier shall submit quarterly
reports to the commissioner detailing provider-to-patient ratios, average wait
times, and referral outcomes, disaggregated by region or island.
§432E- Prior authorization. (a) A health carrier shall issue prior authorization decisions within the following timeframes:
(1) For urgent requests, a determination shall be made within one business day of receipt; and
(2) For non-urgent requests, a determination shall be made within three business days of receipt.
(b) If an automated decision system initiates a health insurance claim denial, that denial shall be reviewed and co‑signed by a board-certified specialist in the relevant field before being finalized. Enrollees and providers shall be notified in writing when an automated decision system is used at any stage of the coverage determination.
(c) A health carrier shall compile and submit monthly data to the commissioner on prior authorization approval or denial rates, average processing times, and the percentage of automated decision system-based denials overturned on appeal.
(d) For the purposes of this section:
"Urgent request" means a request for health care services for which a delay in decision could reasonably be expected to seriously jeopardize the life or health of the enrollee or the enrollee's ability to regain maximum function.
"Non-urgent request" means any prior authorization request that does not meet the definition of an urgent request.
§432E- Technical support programs; rural areas. The commissioner, in collaboration with the department of health, shall explore or establish technical support programs to help smaller or rural practices adopt secure data systems, comply with prior authorization reporting requirements, and integrate telehealth services effectively."
SECTION 3. Chapter 432E, Hawaii Revised Statutes, is amended by adding four new sections to part II to be appropriately designated and to read as follows:
"§432E-A Coverage for emergency services. A
managed care plan shall not deny coverage for emergency services based on
retrospective review. If an enrollee believes
in good faith that their life or health is endangered, the enrollee shall have
the right to seek immediate emergency services without facing post-service
coverage denials.
§432E-B Data protection and privacy. (a)
A covered entity, whether located onshore or offshore, shall uphold a
standard of data protection meeting or exceeding security requirements set
forth in the Health Insurance Portability and Accountability Act of 1996,
codified at title 45 Code of Federal Regulations parts 160 and 164, when
storing or disclosing personally identifiable enrollee data, including social security
numbers and medical identification numbers.
(b) Before offshoring data, a covered entity shall
file an attestation with the commissioner confirming that any overseas
subcontractors adhere to encryption, breach notification, audit logging, and
confidentiality protocols. A covered
entity shall undergo random audits and shall produce security certifications
upon request.
(c) In the event of a suspected or actual data
breach, a covered entity shall notify affected enrollees and the commissioner
within seventy-two hours and shall implement a corrective action plan. Repeated or willful violations may result in
fines, revocation of accreditation, or other sanctions.
(d) For the purposes of this section,
"covered entity" has the same meaning as defined in title 45 Code of
Federal Regulations section 160.103.
§432E-C Multidisciplinary advisory group. (a)
There is established the multidisciplinary advisory group within the
department of health. The advisory group
shall consist of the following members or their designees:
(1) The director of health, who shall serve as
chairperson of the advisory group;
(2)
physicians licensed pursuant to chapter 453;
(3) individuals
with expertise in cybersecurity or a related field;
(4) enrollee
advocates;
(5)
telehealth specialists; and
(6) Any other person invited by the chairperson.
(b) The advisory group shall convene periodically
to review compliance, recommend updates, and study emerging issues related to
this chapter.
§432E-D Anti-retaliation. A health carrier, managed care plan, or
affiliated entity shall not retaliate against a provider for filing a formal
complaint, submitting testimony, or participating in external reviews
concerning compliance with this chapter."
SECTION 4. Section 432E-4, Hawaii Revised Statutes, is amended to read as follows:
"§432E-4
Enrollee participation in treatment decisions. (a) An enrollee shall have the right to be
informed fully prior to making any decision about any treatment, benefit, or
nontreatment[.], which shall include a clear explanation of
diagnosis, treatment options, and potential outcomes or risks.
(b) In order to inform enrollees fully, the provider shall:
(1) Discuss all treatment options with an enrollee, as provided by section 671-3, including the option of no treatment at all;
(2) Ensure that persons with disabilities have an effective means of communication with the provider and other members of the managed care plan; and
(3) Discuss all risks, benefits, and consequences to treatment and nontreatment, as provided by section 671-3(b).
(c) The provider shall discuss with the enrollee
and the enrollee's immediate family both [[]advance[]]
health-care directives, as provided for in chapter 327E, and durable powers of
attorney in relation to medical treatment.
(d) A managed care plan shall be prohibited from imposing any type of prohibition, disincentive, penalty, or other negative treatment upon a provider for discussing or providing any information regarding treatment options and medically necessary or appropriate care, including no treatment, even if the information relates to services or benefits not provided by the managed care plan.
(e) A mentally competent enrollee or their appointed representative shall have the right to accept, receive, reject, or discontinue any medical care, treatment, or prescribed medication from any health care provider, and shall have the right to not have that decision denied, prevented, restricted, or impeded by other persons."
SECTION 5. Section 432E-5, Hawaii Revised Statutes, is amended to read as follows:
"§432E-5 Complaints and appeals procedure for enrollees. (a) A health carrier with enrollees in this State shall establish and maintain a procedure to provide for the resolution of an enrollee's complaints and internal appeals. The procedure shall provide for expedited internal appeals under section 432E‑6.5. The definition of medical necessity in section 432E‑1.4 shall apply in a health carrier's complaints and internal appeals procedures.
(b) The health carrier shall at all times make available its complaints and internal appeals procedures. The complaints and internal appeals procedures shall be reasonably understandable to the average layperson and shall be provided in a language other than English upon request.
(c) A health carrier shall decide any expedited internal appeal as soon as possible after receipt of the complaint, taking into account the medical exigencies of the case, but not later than seventy-two hours after receipt of the request for expedited appeal.
(d) A health carrier shall send notice of its final internal determination within sixty days of the submission of the complaint to the enrollee, the enrollee's appointed representative, if applicable, the enrollee's treating provider, and the commissioner. The notice shall include the following information regarding the enrollee's rights and procedures:
(1) The enrollee's right to request an external review;
(2) The one hundred thirty day deadline for requesting an external review;
(3) Instructions on how to request an external review; and
(4) Where to submit the request for an external review.
In addition to these general requirements, the notice shall conform to the requirements of sections 432E-35 and 432E-36.
(e) Whenever a health carrier issues an adverse
determination, the health carrier shall provide the enrollee with:
(1) A universal external review request
form prescribed by the commissioner; and
(2) A clear, step-by-step guide, in
print or electronic form, explaining the enrollee's rights and procedures to
request an internal appeal or external review.
(f) Any notice of denial for insurance coverage,
appeal, or any request for clinical services shall describe the specific
reasons for the denial. The specifics of
the description shall contain information that references the:
(1) Enrollee and health care provider
contract or agreement;
(2) Specialty of the health care
provider reviewing the appeal or request for clinical services;
(3) Specific sections of medical or
clinical policy or guidelines, or where none of the foregoing are applicable;
and
(4) Specific reasoning for the
determination by the reviewing health care provider.
(g) A health carrier shall maintain a publicly
accessible website that includes a "frequently asked questions" section
regarding enrollee complaint and appeal procedures and shall provide a
toll-free hotline to assist enrollees with questions about filing or pursuing
an appeal.
(h) The commissioner may impose financial penalties or other administrative measures on health carriers failing to publicize or comply with state and federal appeals requirements."
SECTION 6. Section 432E-7, Hawaii Revised Statutes, is amended to read as follows:
"§432E-7 Information to enrollees. (a) The managed care plan shall provide to its enrollees upon enrollment and thereafter upon request the following information:
(1) A list of participating providers, which shall be updated on a regular basis indicating, at a minimum, their specialty and whether the provider is accepting new patients;
(2) A written, complete description and
explanation of benefits, covered- and non-covered services, and
copayments[;], which shall be presented at a reading level
understandable to the average enrollee;
(3) A statement on enrollee's rights, responsibilities, and obligations;
(4) An explanation of the referral process, if any;
(5) Where services or benefits may be obtained;
(6) Information on complaints and appeals procedures; and
(7) The telephone number of the insurance division.
This information shall be provided to prospective enrollees upon request.
(b) Every managed care plan shall provide to the commissioner and its enrollees notice of any material change in participating provider agreements, services, or benefits, if the change affects the organization or operation of the managed care plan and the enrollee's services or benefits. The managed care plan shall provide notice to enrollees not more than sixty days after the change in a format that makes the notice clear and conspicuous so that it is readily noticeable by the enrollee.
(c) A managed care plan shall provide generic participating provider contracts to enrollees, upon request.
(d) A managed care plan shall maintain and
publicly post an up-to-date, accurate, and easily accessible directory of in‑network
providers. The directory shall be updated
at least quarterly and shall list each provider's:
(1) Specialty;
(2) Languages spoken;
(3) Telehealth availability; and
(4) Current patient capacity.
(e) All enrollees shall be able to obtain timely specialist referrals without undue administrative barriers or delays. A managed care plan shall clearly communicate referral steps and expedite all referrals in urgent or complex cases."
SECTION 7. Section 432E-8, Hawaii Revised Statutes, is amended to read as follows:
"[[]§432E-8[]] Enforcement. (a)
All remedies, penalties, and proceedings in articles 2 and 13 of chapter
431 made applicable hereby to managed care plans shall be invoked and enforced
solely and exclusively by the commissioner.
(b) The commissioner shall have the authority to audit,
investigate, and enforce this chapter.
The commissioner may impose fines, clawbacks, revocations of
accreditation, and other appropriate remedies for noncompliance."
SECTION 8. Section 432E-13, Hawaii Revised Statutes, is amended to read as follows:
"[[]§432E-13[]]
Annual report. (a) The commissioner shall submit annually to the
legislature a report that shall contain the number of external review hearing
cases reviewed, the type of cases reviewed, a summary of the nature of the
cases reviewed, and the disposition of the cases reviewed. The identities of the plan and the enrollee
shall be protected from disclosure in the report.
(b) The commissioner shall publish an annual
report detailing enforcement actions, complaint data, automated decision system
usage rates, health insurance claim denial statistics, and any data breaches or
security infractions. The report shall
include trend analyses that include but are not limited to:
(1) Median time-to-decision for prior
authorizations;
(2) Telehealth adoption rates; and
(3) Network adequacy improvements."
SECTION
9. The insurance commissioner
shall submit a progress report of its findings and recommendations related to
the implementation of this Act, including any proposed legislation, to the
legislature no later than twenty days prior to the convening of the regular
session of 2028.
SECTION 10. In codifying the new sections added by section 3 of this Act, the revisor of statutes shall substitute appropriate section numbers for the letters used in designating the new sections in this Act.
SECTION 11. Statutory material to be repealed is bracketed and stricken. New statutory material is underscored.
SECTION 12. This Act shall take effect upon its approval; provided that section 432E-B, Hawaii Revised Statutes, added by section 3 of this Act, shall take effect on January 1, 2027.
|
INTRODUCED BY: |
_____________________________ |
|
|
|
|
|
|
Report Title:
Patients' Bill of Rights and Responsibilities Act; Insurance Commissioner; Prior Authorization; Telehealth; Automated Decision System
Description:
Revises the Hawaii Patients' Bill of Rights and Responsibilities Act by: (1) Establishing new provisions on telehealth parity, prior authorization timelines, and automated decision systems; (2) Enhancing medical data protection and privacy standards; (3) Expanding the insurance commissioner's enforcement authority; and (4) Improving network adequacy, internal and external appeals procedures, and reporting requirements.
The summary description
of legislation appearing on this page is for informational purposes only and is
not legislation or evidence of legislative intent.