Subtitle B: Establishment of Safeguards - Mandates safeguards to protect the confidentiality, security, accuracy, and integrity of protected health information created, received, obtained, maintained, used, transmitted, or disposed of by a health care provider, health plan, health oversight agency, public health authority, employer, health or life insurer, health researcher, law enforcement official, school, or university (entity). Recommends encryption technology with regard to computer database medical record protection against unauthorized disclosure of protected health information. Details disclosure recordkeeping requirements.
Title II: Restrictions on Use and Disclosure - Sets forth general rules regarding use and authorized disclosure of protected health information, including rules on such use or disclosure of protected health information within an entity.
(Sec. 202) Details requirements for employers, health plans, and providers in obtaining a signed, written authorization meeting specified requirements concerning the use and disclosure of protected health information for treatment, payment, and health care operations with respect to employer and group health plan enrollees and the uninsured, respectively. Allows, generally, for revocation of authorizations, and mandates recordkeeping of individual authorizations and revocations.
(Sec. 203) Provides for similar written authorizations for disclosure of protected health information other than for treatment, payment, or health care operations. Permits an individual to revoke or amend an authorization.
Sets out requirements for release of protected health information to coroners and medical examiners.
States that a recipient of information pursuant to an authorization may use or disclose such information solely to carry out the purpose for which the information was authorized for release.
Directs the Secretary of Health and Human Services (HHS) to develop and disseminate model written authorizations.
(Sec. 204) Outlines requirements governing information disclosure to next of kin, as well as disclosure of certain directory information.
(Sec. 205) Authorizes any person who creates or receives protected health information under this title to disclose such information in emergency circumstances when necessary to protect the health or safety of the individual who is the subject of such information from serious, imminent harm.
(Sec. 206) Allows, generally, any person to disclose protected health information to an accrediting body or public health authority, a health oversight agency, or a State insurance department, for purposes of an oversight function authorized by law.
(Sec. 207) Outlines the rules governing authorized entity disclosures with regard to public health, health research, civil, judicial, and administrative procedures, and law enforcement purposes.
(Sec. 208) Directs the Secretary to: (1) review the requirements of the common rule (the Federal agency policy for the protection of human subjects from research risks) pertaining to the privacy of protected health information, and promulgate any necessary amendments; (2) submit to Congress recommendations on standards with respect to the privacy of individually identifiable health information in certain research; and (3) promulgate final regulations containing such standards if appropriate legislation governing them is not enacted.
(Sec. 211) Provides that if an individual pays for health care by presenting a debit, credit, or other payment card or account number, or by any other electronic payment means, the entity receiving payment may disclose to transaction personnel only such protected health information about the individual as is necessary for payment processing, billing, or collecting amounts paid by electronic means.
(Sec. 212) Directs the Secretary to promulgate standards for disclosing, authorizing, and authenticating protected health information in electronic form consistent with this title.
(Sec. 213) Specifies guidelines for agents of protected individuals (including health care powers of attorney) and for executors of the estates of deceased individuals.
Applies this Act to protected health information concerning a deceased individual for two years following death.
(Sec. 214) Provides limited liability for Federal and State law enforcement officers for violations of this Act.
(Sec. 215) Shields from common law liability to the protected individual an entity that makes permissible disclosures under this Act.
Title III: Sanctions - Subtitle A: Criminal Provisions - Amends the Federal criminal code to establish criminal penalties for the knowing and intentional wrongful disclosure of protected health information in violation of title II of this Act.
Subtitle B: Civil Sanctions - Establishes civil money penalties for health care providers, health researchers, health plans, health oversight agencies, public health agencies, law enforcement agencies, employers, health or life insurers, schools, or universities, or the agent of any such individual or entity, who the Secretary determines has substantially and materially failed to comply with this Act. Outlines procedures for imposition of such penalties, and provides for judicial review. Allows the Secretary to bring an action to seek injunctive relief to prevent any activities which subject a person to a civil monetary penalty.
(Sec. 313) Allows individuals whose rights under this Act have been knowingly or negligently violated to bring a civil action for damages and appropriate relief.
(Sec. 314) Directs the Secretary to develop alternative dispute resolution procedures, including mediation and arbitration, to resolve civil claims, possibly even before the individual brings a civil action.
Title IV: Miscellaneous - Sets forth: (1) the relationship of this Act to other Federal and State laws, including the Privacy Act of 1974, and regulations relating to protected health information or to an individual's access to it; and (2) mandatory outreach efforts, including downloadable availability on the HHS website, to explain this Act and resulting final regulations.
[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2404 Introduced in House (IH)]
106th CONGRESS
1st Session
H. R. 2404
To protect the privacy of individuals by ensuring the confidentiality
of information contained in their medical records and health-care-
related information, and for other purposes.
_______________________________________________________________________
IN THE HOUSE OF REPRESENTATIVES
June 30, 1999
Mr. Murtha introduced the following bill; which was referred to the
Committee on Commerce, and in addition to the Committee on the
Judiciary, for a period to be subsequently determined by the Speaker,
in each case for consideration of such provisions as fall within the
jurisdiction of the committee concerned
_______________________________________________________________________
A BILL
To protect the privacy of individuals by ensuring the confidentiality
of information contained in their medical records and health-care-
related information, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Personal Medical
Information Protection Act of 1999''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Purposes.
Sec. 4. Definitions.
TITLE I--INDIVIDUAL'S RIGHTS
Subtitle A--Review of Protected Health Information by Subjects of the
Information
Sec. 101. Inspection and copying of protected health information.
Sec. 102. Amendment of protected health information.
Sec. 103. Notice of confidentiality practices.
Subtitle B--Establishment of Safeguards
Sec. 111. Establishment of safeguards.
Sec. 112. Accounting for disclosures.
TITLE II--RESTRICTIONS ON USE AND DISCLOSURE
Sec. 201. General rules regarding use and disclosure.
Sec. 202. Procurement of authorizations for disclosure of protected
health information for treatment, payment,
and health care operations.
Sec. 203. Authorizations for disclosure of protected health information
other than for treatment, payment, or
health care operations.
Sec. 204. Next of kin and directory information.
Sec. 205. Emergency circumstances.
Sec. 206. Oversight.
Sec. 207. Public health.
Sec. 208. Health research.
Sec. 209. Disclosure in civil, judicial, and administrative procedures.
Sec. 210. Disclosure for law enforcement purposes.
Sec. 211. Payment card and electronic payment transaction.
Sec. 212. Standards for electronic disclosures.
Sec. 213. Individual representatives.
Sec. 214. Limited liability for law enforcement officers.
Sec. 215. No liability for permissible disclosures.
TITLE III--SANCTIONS
Subtitle A--Criminal Provisions
Sec. 301. Wrongful disclosure of protected health information.
Subtitle B--Civil Sanctions
Sec. 311. Civil penalty.
Sec. 312. Procedures for imposition of penalties.
Sec. 313. Civil action by individuals.
Sec. 314. Alternative dispute resolution.
TITLE IV--MISCELLANEOUS
Sec. 401. Relationship to other laws.
Sec. 402. Notification of seniors.
Sec. 403. Effective date.
SEC. 2. FINDINGS.
The Congress finds that--
(1) individuals have a right of confidentiality with
respect to their personal health information and records;
(2) the personal and protected medical information of an
individual is uniquely private and should only be disclosed
with proper consent;
(4) an individual's protected medical information contains
sensitive and personal details that could cause professional
and personal embarrassment and stigmatization, even
impermissible discrimination, if such information is released
without authorization;
(5) with respect to information about medical care and
health status, the traditional right of confidentiality is at
risk;
(6) an erosion of the right of confidentiality may reduce
the willingness of patients to confide in physicians and other
practitioners, thus jeopardizing quality health care;
(7) an individual's confidentiality right means that an
individual's consent is needed to disclose his or her protected
health information, except in rare and limited circumstances
required by the public interest;
(8) any disclosure of protected health information should
be limited to that information or portion of the medical record
necessary to fulfill the purpose of the disclosure;
(9) incentives need to be created to use nonidentifiable
health information where appropriate;
(10) the availability of timely and accurate personal
health data for the delivery of health care services throughout
the Nation is needed;
(11) personal health care data may be essential for
selected types of medical research;
(12) public health uses of personal health data are
critical to both personal health as well as public health; and
(13) confidentiality of an individual's health information
must be assured without jeopardizing the pursuit of clinical
and epidemiological research undertaken to improve health care
and health outcomes and to assure the quality and efficiency of
health care.
SEC. 3. PURPOSES.
The purposes of this Act are to--
(1) establish strong and effective mechanisms to protect
against the unauthorized and inappropriate use of protected
health information that is created or maintained as part of
health care treatment, diagnosis, enrollment, payment, plan
administration, testing, or research processes;
(2) promote the efficiency and security of the health
information infrastructure so that members of the health care
community may more effectively exchange and transfer health
information in a manner that will ensure the confidentiality of
protected health information without impeding the delivery of
high quality health care;
(3) create incentives to turn personal health information
into nonidentifiable health information for oversight, health
research, public health, law enforcement, judicial, and
administrative purposes, where appropriate;
(4) establish strong and effective remedies for violations
of this Act; and
(5) establish a national board to oversee implementation of
this Act, promulgate rules and regulations, serve as an
advisory body on the subject of protecting personal medical
information and make recommendations to the President on
improving the mechanisms for protecting the privacy of personal
medical information, without stifling research and the free
flow of scientific medical data.
SEC. 4. DEFINITIONS.
As used in this Act:
(1) Accrediting body.--The term ``accrediting body'' means
a national body, committee, organization, or institution (such
as the Joint Commission on Accreditation of Health Care
Organizations or the National Committee for Quality Assurance)
that has been authorized by law or is recognized by a health
care regulating authority as an accrediting entity or any other
entity that has been similarly authorized or recognized by law
to perform specific accreditation, licensing or credentialing
activities.
(2) Agent.--The term ``agent'' means a person who
represents and acts for another under the contract or relation
of agency, or whose function is to bring about, modify, affect,
accept performance of, or terminate contractual obligations
between the principal and a third person, including a
contractor.
(3) Anonymous link.--
(A) In general.--The term ``anonymous link'' means
a number assigned to nonidentifiable health information
which, by itself, contains no information about an
individual, but which, under specific, controlled
conditions, can be used to link to additional health
information about the same individual which may be used
to identify that individual.
(B) Disclosure.--Any subsequent disclosure of an
anonymous link with any information which, together
with information previously disclosed with the same
link might reasonably be used to identify an
individual, shall be considered to be a disclosure of
protected health information. Such a disclosure shall
convert any previously disclosed, nonidentifiable
information with the same link into protected health
information.
(4) Common rule.--The term ``common rule'' means the
Federal policy for the protection of human subjects from
research risks originally published as 56 Federal Register
28012 (et seq.) (June 18, 1991) as adopted and implemented by a
Federal department or agency.
(5) Disclose.--The term ``disclose'' means to release,
transfer, provide access to, or otherwise divulge protected
health information to any person other than the individual who
is the subject of such information. Such term includes the
initial disclosure and any subsequent disclosures of protected
health information.
(6) Employer.--The term ``employer'' has the meaning given
such term under section 3(5) of the Employee Retirement Income
Security Act of 1974 (29 U.S.C. 1002(5)), except that such term
shall include only employers of two or more employees.
(7) Health care.--The term ``health care'' means--
(A) preventive, diagnostic, therapeutic,
rehabilitative, maintenance, or palliative care,
including appropriate assistance with disease or
symptom management and maintenance, counseling,
service, or procedure--
(i) with respect to the physical or mental
condition of an individual; or
(ii) affecting the structure or function of
the human body or any part of the human body,
including the banking of blood, sperm, organs,
or any other tissue; or
(B) pursuant to a prescription or medical order any
sale or dispensing of a drug, device, equipment, or
other health care related item to an individual, or for
the use of an individual.
(8) Health care operations.--The term ``health care
operations'' means services provided by or on behalf of a health
plan or health care provider for the purpose of carrying out
the management functions of a health care provider or health
plan, or implementing the terms of a contract for health plan
benefits. Such term means--
(A) conducting quality assurance activities or
outcomes assessments;
(B) reviewing the competence or qualifications of
health care professionals;
(C) performing accreditation, licensing, or
credentialing activities;
(D) analysis of health plan claims or health care
records data;
(E) evaluating health plan and provider
performance;
(F) carrying out utilization review,
precertification or preauthorization of services;
(G) underwriting or experience rating of health
plans;
(H) conducting or arranging for auditing services;
or
(I) such other services as the
Secretary determines appropriate.
(9) Health care provider.--The term ``health care
provider'' means a person, who with respect to a specific item
of protected health information, receives, creates, uses,
maintains, or discloses the information while acting in whole
or in part in the capacity of--
(A) a person who is licensed, certified,
registered, or otherwise authorized by Federal or State
law to provide an item or service that constitutes
health care in the ordinary course of business, or
practice of a profession;
(B) a Federal, State, or employer sponsored program
that directly provides items or services that
constitute health care to beneficiaries; or
(C) an officer, employee, or agent of a person
described in subparagraph (A) or (B) that is engaged in
the provision of health care.
(10) Health or life insurer.--The term ``health or life
insurer'' means a health insurance issuer as defined in section
9805(b)(2) of the Internal Revenue Code of 1986 or a life
insurance company as defined in section 816 of such Code.
(11) Health oversight agency.--The term ``health oversight
agency'' means a person who, with respect to a specific item of
protected health information, receives, creates, uses,
maintains, or discloses the information while acting in whole
or in part in the capacity of--
(A) a person who performs or oversees the
performance of an assessment, evaluation,
determination, or investigation, relating to the
licensing, accreditation, or credentialing of health
care providers; or
(B) a person who--
(i) performs or oversees the performance of
an audit, assessment, evaluation,
determination, or investigation relating to the
effectiveness of, compliance with, or
applicability of, legal, fiscal, medical, or
scientific standards or aspects of performance
related to the delivery of, or payment for,
health care; and
(ii) is a public agency, acting on behalf
of a public agency, acting pursuant to a
requirement of a public agency, or carrying out
activities under a Federal or State law
governing the assessment, evaluation,
determination, investigation, or prosecution
described in subparagraph (A).
(12) Health plan.--The term ``health plan'' means any
health insurance plan, including any hospital or medical
service plan, dental or other health service plan or health
maintenance organization plan, provider sponsored organization,
or other program providing or arranging for the provision of
health benefits. Such term includes employee welfare benefits
plans and group health plans as defined in sections 3 and 607
of the Employee Retirement Income Security Act of 1974 (29
U.S.C. 1002 and 1167).
(13) Health researcher.--The term ``health researcher''
means a person, or an officer, employee or independent
contractor of a person, who receives protected health
information as part of a systematic investigation, testing or
evaluation designed to develop or contribute to generalized
scientific and clinical knowledge.
(14) Individual representative.--The term ``individual
representative'' means a person who is authorized by law or by
an instrument recognized under law, to act as an agent,
attorney, proxy, or other legal representative of a protected
individual. Such term includes a health care power of attorney.
(15) Law enforcement inquiry.--The term ``law enforcement
inquiry'' means a lawful investigation conducted by an
appropriate government agency or official inquiring into a
violation of, or failure to comply with, any criminal or civil
statute or any regulation, rule, or order issued pursuant to
such a statute.
(16) Network plan.--The term ``network plan'' means health
care coverage provided under a health plan under which the
financing and delivery of health care are provided, in whole or
in part, through a defined set of health care providers under
contract with the health plan.
(17) Nonidentifiable health information.--The term
``nonidentifiable health information'' means any information
that would otherwise be protected health information except
that such information does not directly reveal the identity of
the individual whose health or health care is the subject of
the information and there is no reasonable basis to believe
that such information could be used, either alone or with other
information that is, or should reasonably be known to be,
available to predictable recipients of such information, to
reveal the identity of that individual.
(18) Originating provider.--The term ``originating
provider'' means a health care provider who creates or
originates medical information that is or that becomes
protected health information.
(19) Payment.--The term ``payment'' means--
(A) the activities undertaken by--
(i) or on behalf of a health plan to
determine its responsibility for coverage under
the plan and the actual payment under such
plan; and
(ii) a health care provider to obtain
payment for items or services provided under a
health plan or provided based on a
determination by the health plan of
responsibility for coverage under the plan; and
(B) activities undertaken as described in
subparagraph (A) including--
(i) billing, claims management, medical
data processing or other administrative
services;
(ii) determinations of coverage or
adjudication of health benefit claims; and
(iii) review of health care services with
respect to medical necessity, coverage under a
health plan, appropriateness of care, or
justification of charges.
(20) Person.--The term ``person'' means a government,
governmental subdivision, agency or authority, corporation,
company, association, firm, partnership, society, estate,
trust, joint venture, individual, individual representative,
tribal government, and any other legal entity.
(21) Protected health information.--The term ``protected
health information'' means any information (including
demographic information) whether or not recorded in any form or
medium--
(A) that relates to the past, present or future--
(i) physical or mental health or condition
of an individual (including the condition or
other attributes of individual cells or their
components, including genetic and
pharmaceutical information);
(ii) provision of health care to an
individual; or
(iii) payment for the provision of health
care to an individual;
(B) that is created or received by a health care
provider, health plan, health researcher, health
oversight agency, public health authority, employer,
law enforcement official, health or life insurer,
school or university; and
(C) that is not nonidentifiable health information.
(22) Public health authority.--The term ``public health
authority'' means an authority or instrumentality of the United
States, a tribal government, a State, or a political
subdivision of a State that is--
(A) primarily responsible for public health
matters; and
(B) primarily engaged in activities such as injury
reporting, public health surveillance, and public
health investigation or intervention.
(23) School or university.--The term ``school or
university'' means an institution or place for instruction or
education, including an elementary school, secondary school, or
institution of higher learning, a college, or an assemblage of
colleges united under one corporate organization or government.
(24) Secretary.--The term ``Secretary'' means the Secretary
of Health and Human Services.
(25) State.--The term ``State'' includes the District of
Columbia, Puerto Rico, the Virgin Islands, Guam, American
Samoa, and the Northern Mariana Islands.
(26) Treatment.--The term ``treatment'' means the provision
of health care by, or the coordination of health care among,
health care providers, or the referral of a patient from one
provider to another, or coordination of health care or other
services among health care providers and third parties
authorized by the health plan or the plan member.
(27) Writing.--The term ``writing'' means writing in either
a paper-based or computer-based form, including electronic
signatures.
TITLE I--INDIVIDUAL'S RIGHTS
Subtitle A--Review of Protected Health Information by Subjects of the
Information
SEC. 101. INSPECTION AND COPYING OF PROTECTED HEALTH INFORMATION.
(a) Right of Individual.--
(1) In general.--A health care provider, health plan,
employer, health or life insurer, school, or university, or a
person acting as the agent of any such person, shall permit an
individual who is the subject of protected health information,
or the individual's designee, to inspect and copy protected
health information concerning the individual, including records
created under sections 102, 112, 202, 203, 208, and 211, that
such person maintains.
(2) Procedures and fees.--A person described in paragraph
(1) may set forth appropriate procedures to be followed for
inspection and copying under such paragraph and may require an
individual to pay fees associated with such inspection and
copying in an amount that is not in excess of the actual costs
of providing such copying. Such procedures and fees shall not
be inconsistent with current State law governing the inspection
and copying of medical records.
(b) Deadline.--A person described in subsection (a)(1) shall comply
with a request for inspection or copying of protected health
information under this section in good faith and within a reasonable
timeframe after the date on which the person receives the request in
writing.
(c) Rules Governing Agents.--A person acting as the agent of a
person described in subsection (a) shall provide for the inspection and
copying of protected health information if--
(1) the protected health information is retained by the
agency; and
(2) the agent has been asked by the person involved to
fulfill the requirements of this section.
(d) Special Rule Relating to Ongoing Clinical Trials.--With respect
to protected health information that is created as part of an
individual's participation in an ongoing clinical trial, access to the
information shall be provided consistent with the individual's
agreement to participate in the clinical trial.
SEC. 102. AMENDMENT OF PROTECTED HEALTH INFORMATION.
(a) Requirements.--
(1) In general.--Except as provided in subsections (b) and
(e), not later than 45 days after the date on which a health
care provider, health plan, employer, health or life insurer,
school, or university receives from an individual a request in
writing to correct or amend information that meets the
requirements of paragraph (2), such entity shall--
(A) make the correction or amendment requested;
(B) inform the individual of the amendment that has
been made; and
(C) inform the individual of any other person to
whom the unamended portion of the information was
previously disclosed.
(2) Information.--The requirements of this paragraph are
that the information that is the subject of the request is in
fact inaccurate.
(b) Refusal To Amend.--If an entity described in subsection (a)
refuses to make the correction or amendment requested under such
subsection, the entity shall inform the individual in writing of--
(1) the reasons for the refusal to make the amendment;
(2) any procedures for further review of the refusal; and
(3) the individual's right to file with the entity a
concise statement setting forth the requested amendment and the
individual's reasons for disagreeing with the refusal.
(c) Statement of Disagreement.--If an individual has filed a
statement of disagreement under subsection (b)(3), the entity
involved--
(1) shall ensure such statement is retained as a permanent
part of the file not to be separated from the disputed
information;
(2) shall include a copy of the individual's statement in
any subsequent disclosure of the disputed information; and
(3) may include a concise statement of the reasons for not
making the requested amendment.
(d) Rules Governing Agents.--The agent of an entity described in
subsection (a) shall not be required to make amendments to protected
health information, except where--
(1) the protected health information is retained by the
agent; and
(2) the agent has been asked by such entity to fulfill the
requirements of this section.
If the agent is required to comply with this section as provided for in
paragraph (2), such agent shall be subject to the 45-day deadline
described in subsection (a).
(e) Extension for Paper Records Off Premises.--In the case of a
request described in subsection (a), if the information involved is in
paper form, located off the premises of the entity involved, and not
readily available, the entity shall have 60 days to comply with or deny
such request.
(f) Rules of Construction.--This section shall not be construed
to--
(1) require that an entity described in subsection (a)
conduct a formal, informal, or other hearing or proceeding
concerning a request for an amendment to protected health
information;
(2) require a provider to amend an individual's record as
to the type, duration, or quality of treatment the individual
believes he or she should have been provided; or
(3) require any deletion or alteration of the original
information.
SEC. 103. NOTICE OF CONFIDENTIALITY PRACTICES.
(a) Preparation of Written Notice.--A health care provider, health
plan, health oversight agency, public health authority, employer,
health or life insurer, health researcher, school, or university shall
post or provide, in writing and in a clear and conspicuous manner,
notice of the entity's confidentiality practices, that shall include--
(1) a description of an individual's rights with respect to
protected health information;
(2) the uses and disclosures of protected health
information authorized under this Act;
(3) the procedures for authorizing disclosures of protected
health information and for revoking such authorizations;
(4) the procedures established by the entity for the
exercise of the individual's rights; and
(5) the right to obtain a copy of the notice of the
confidentiality practices required under this Act.
(b) Model Notice.--The Secretary, after notice and opportunity for
public comment, shall develop and disseminate model notices of
confidentiality practices. Use of the model notice shall serve as an
absolute defense against claims of receiving inappropriate notice.
Subtitle B--Establishment of Safeguards
SEC. 111. ESTABLISHMENT OF SAFEGUARDS.
(a) In General.--A health care provider, health plan, health
oversight agency, public health authority, employer, health or life
insurer, health researcher, law enforcement official, school, or
university shall establish and maintain appropriate administrative,
technical, and physical safeguards to protect the confidentiality,
security, accuracy, and integrity of protected health information
created, received, obtained, maintained, used, transmitted, or disposed
of by such entity.
(b) Encryption Technology.--Custodians that maintain medical
records on a computer data base should implement encryption technology
whenever possible to protect the unauthorized disclosure of protected
health information. Custodians should also seek to anonymize medical
records to the fullest extent practicable through the use of coding and
the removal of personally identifiable information within an
individual's medical records.
(c) Regulations.--The Secretary shall have the authority to
promulgate regulations for the implementation of subsections (a) and
(b).
(d) Rule of Construction.--Safeguards to protect the security of
protected health information under subsection (a) shall include the
implementation of policies or procedures to consider whether protected
health information is essential for a use or disclosure undertaken by
an entity described in such subsection.
SEC. 112. ACCOUNTING FOR DISCLOSURES.
(a) In General.--
(1) Health related entities.--Except as provided in
paragraph (3), a health care provider, health plan, health
oversight agency, public health authority, employer, health or
life insurer, health researcher, law enforcement official,
school, or university shall establish and maintain, with
respect to any protected health information disclosure, a
record of such disclosure in accordance with regulations issued
by the Secretary.
(2) Agent.--Except as provided in paragraph (3), an agent
shall maintain a record of its disclosures made pursuant to
sections 205 through 212.
(3) Exception.--A record of disclosures under this
subsection is not required with respect to disclosures made to
officers or employees of the entity that maintains the record
involved who, in the performance of their duties, have a need
for the protected health information.
(b) Record of Disclosure.--A record established under subsection
(a) shall be maintained for not less than 7 years.
TITLE II--RESTRICTIONS ON USE AND DISCLOSURE
SEC. 201. GENERAL RULES REGARDING USE AND DISCLOSURE.
(a) Prohibition.--
(1) General rule.--A health care provider, health plan,
health oversight agency, public health authority, employer,
health or life insurer, health researcher, law enforcement
official, school, or university may not disclose protected
health information except as authorized under this title.
(2) Rule of construction.--Disclosure of health information
in the form of nonidentifiable health information shall not be
construed as a disclosure of protected health information.
(b) Use or Disclosure of Protected Health Information Within an
Entity.--
(1) In general.--An entity described in subsection (a) may
use protected health information or disclose such information
within the entity if such use or disclosure is made pursuant to
an authorization under section 202 or 203 and consistent with
the limitations under subsection (d) on the scope of
disclosure.
(2) Agents.--Disclosure to agents of an entity described in
subsection (a) shall be considered as a disclosure within an
entity.
(c) Disclosure by agents.--An agent who receives protected health
information from an entity described in subsection (a) shall be subject
to all rules of disclosure and safeguard requirements under this title.
(d) Scope of Disclosure.--Every disclosure of protected health
information by an entity under this title shall be limited to the
information necessary to accomplish the purpose for which the
information is disclosed.
(e) No General Requirement To Disclose.--Nothing in this title
permitting the disclosure of protected health information shall be
construed to require such disclosure.
(f) Labeling of Disclosed Information as Protected Information.--
Except as otherwise provided in this title, protected health
information may not be disclosed unless such information is clearly
labeled as protected health information that is subject to this Act.
(g) Creation of Nonidentifiable Information.--An entity described
in subsection (a) may disclose protected health information to an
employee or agent of the entity for purposes of creating
nonidentifiable information, if the entity prohibits the employee or
agent of the entity from using or disclosing the protected health
information for purposes other than the sole purpose of creating
nonidentifiable information as specified by the entity.
(h) Redisclosure Prohibited.--Once authorization for disclosure of
personal medical information has been granted, the recipient cannot
release the information to another third party without the prior
written consent of the individual that meets the requirements of
section 102(a).
SEC. 202. PROCUREMENT OF AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED
HEALTH INFORMATION FOR TREATMENT, PAYMENT, AND HEALTH
CARE OPERATIONS.
(a) Requirements Relating to Employers, Health Plans, Uninsured
Individuals, and Providers.--
(1) In general.--To meet the requirements relating to the
authorized disclosure of protected health information under
section 201, an authorization form must be secured for each
individual in connection with treatment, payment and health
care operations.
(2) Consolidated authorization.--A single authorization may
be secured for each individual in connection with treatment,
payment, and health care operations.
(3) Employers.--Every employer offering a health plan to
its employees shall, at the time of, and as a condition of
enrollment in the health plan, obtain a signed, written
authorization that is a legal, informed authorization
concerning the use and disclosure of protected health
information for treatment, payment, and health care operations
with respect to each individual who is eligible to receive care
under the health plan.
(4) Health plans.--Every health plan offering enrollment to
individual or non-employer groups shall, at the time of, and as
a condition of enrollment in the health plan, obtain a signed,
written authorization that is a legal, informed authorization
concerning the use and disclosure of protected health
information for treatment, payment, and health care operations
with respect to each individual who is eligible to receive care
under the plan.
(5) Uninsured.--An originating provider providing health
care to an uninsured individual, shall obtain a signed, written
authorization that is a legal, informed authorization
concerning the use and disclosure of protected health
information, in providing health care or arranging for health
care from other providers or seeking payment for the provision
of health care services.
(b) Requirements for Individual Authorization.--To be valid, an
authorization to disclose protected health information shall--
(1) identify the individual involved;
(2) describe the nature of the health care information to
be disclosed;
(3) identify the type of person to whom the information is
to be disclosed;
(4) describe the purpose of the disclosure, including
whether the information may be used for disease management or
medication compliance;
(5) be subject to revocation by the individual and indicate
that the authorization is valid until revocation by the
individual; and
(6)(A) be either--
(i) in writing, dated, and signed by the
individual; or
(ii) in electronic form, dated and authenticated by
the individual using a unique identifier; and
(B) not have been revoked under paragraph (c).
(c) Revocation of Authorization.--
(1) In general.--An individual may revoke in writing an
authorization under this section at any time, unless the
disclosure that is the subject of the authorization is required
to effectuate payment for health care that has been provided to
the individual for which the individual has not agreed to
assume personal financial responsibility.
(2) Exception for self-payment.--An individual may revoke a
prior authorization for payment or health care operations
described in paragraphs (1) through (6) of subsection (a) prior
to a single or series of encounters with a health care provider
if such individual has agreed to assume personal financial
responsibility for the treatment.
(3) Health plans.--With respect to a health plan, the
authorization of an individual is deemed to be revoked at the
time of the cancellation or non-renewal of enrollment in the
health plan, except as may be necessary to complete health care
operations and payment requirements related to the individual's
period of enrollment.
(4) Actions.--An individual may not maintain an action
against a person for disclosure of protected health information
made in good faith reliance on the individual's authorization
at the time disclosure was made.
(d) Record of Individual's Authorization and Revocations.--
(1) In general.--Each person collecting or storing
protected health information shall maintain a record for a
period of 7 years of each authorization of an individual and
revocation thereof.
(2) Rule of construction.--Records of authorizations and
revocations maintained under paragraph (1) shall not be
construed to be protected health information under this Act.
(e) No Waiver.--Except as provided for in this Act, an
authorization to disclose protected health information by an individual
shall not be construed as a waiver of any rights that the individual
has under other Federal or State laws, the rules of evidence, or common
law.
(f) Rule of Construction.--Authorizations for the disclosure of
protected health information for treatment, payment, and health care
operations shall not authorize the disclosure of such information by an
individual with the intent to sell, transfer, or use protected health
information for the purpose of marketing a product or service. For such
disclosures a separate authorization is required under section 203.
SEC. 203. AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH INFORMATION
OTHER THAN FOR TREATMENT, PAYMENT, OR HEALTH CARE
OPERATIONS.
(a) Written Authorizations.--A health care provider, health plan,
health oversight agency, health researcher, public health authority,
law enforcement official, employer, health or life insurer, school, or
university may disclose protected health information, for purposes
other than those authorized under section 202, pursuant to an
authorization executed by the individual who is the subject of the
information that meets the requirements of section 202(b).
Such an authorization shall be separate from an authorization
provided under section 202.
(b) Limitation on Authorizations.--An entity described in section
202 may not condition the delivery of treatment or payment for services
on the receipt of an authorization described in this section.
(c) Revocation or Amendment of Authorization.--
(1) In general.--An individual may in writing revoke or
amend an authorization described in subsection (a).
(2) Notice of revocation.--An entity described in
subsection (a) that discloses protected health information
pursuant to an authorization that has been revoked under
paragraph (1) shall not be subject to any liability or penalty
under this title if that entity had no actual or constructive
notice of the revocation.
(d) Requirement To Release Protected Health Information to Coroners
and Medical Examiners.--
(1) In general.--When a Coroner or Medical Examiner or
their duly appointed deputies seek protected health information
for the purpose of inquiry into and determination of, the
cause, manner, and circumstances of a death, the health care
provider, health plan, health oversight agency, public health
authority, employer, health or life insurer, health researcher,
law enforcement official, school, or university involved shall
provide the protected health information to the Coroner or
Medical Examiner or to the duly appointed deputies without
undue delay.
(2) Production of additional information.--If a Coroner or
Medical Examiner or their duly appointed deputies receives
health information from an entity referred to in paragraph (1),
such health information shall remain as protected health
information unless the health information is attached to or
otherwise made a part of a Coroner's or Medical Examiner's
official report, in which case it shall no longer be protected.
(3) Exemption.--Health information attached to or otherwise
made a part of a Coroner's or Medical Examiner's official
report, shall be exempt from the provisions of this Act except
as provided for in this subsection.
(4) Reimbursement.--A Coroner or Medical Examiner may
require a person to reimburse their Office for the reasonable
costs associated with such inspection or copying.
(e) Disclosure for Purpose Only.--A recipient of information
pursuant to an authorization under this section may use or disclose
such information solely to carry out the purpose for which the
information was authorized for release.
(f) Model Authorizations.--The Secretary, after notice and
opportunity for public comment, shall develop and disseminate model
written authorizations of the type described in subsection (a). Any
authorization obtained on a model authorization form developed by the
Secretary shall be deemed to meet the authorization requirements of
this section.
SEC. 204. NEXT OF KIN AND DIRECTORY INFORMATION.
(a) Next of Kin.--A health care provider, or a person who receives
protected health information under section 205, may disclose protected
health information regarding an individual to the individual's spouse,
parent, child, sister, brother, next of kin, or individual
representative if--
(1) the individual who is the subject of the protected
health information is physically or mentally incapacitated such
that the individual is not capable of authorizing the
disclosure and there are no prior indications that the
individual would object; and
(2) the disclosure of the protected health information to
parties described in this subsection--
(A) is necessary for the purpose of aiding said
parties in making a necessary decision regarding the
individual's treatment that would be the prerogative of
the individual if the individual were not
incapacitated;
(B) is consistent with good medical or professional
practice; and
(C) is not inconsistent with State laws in effect
prior to the effective date of this Act governing the
release of medical records to parties described in this
subsection.
(b) Directory Information.--
(1) Disclosure.--
(A) In general.--Except as provided in paragraph
(2), a person described in subsection (a) may disclose
the information described in subparagraph (B) to any
person if the individual who is the subject of the
information--
(i) has been notified of the individual's
right to object and the individual has not
objected to the disclosure; or
(ii) is in a physical or mental condition
such that the individual is not capable of
objecting, the individual's next of kin has not
objected, and there are no prior indications
that the individual would object.
(B) Information.--Information described in this
subparagraph is information that consists only of 1 or
more of the following items:
(i) The name of the individual who is the
subject of the information.
(ii) The general health status of the
individual, described as critical, poor, fair,
stable, or satisfactory or in terms denoting
similar conditions.
(iii) The location of the individual on
premises controlled by a provider.
(2) Exception.--
(A) Location.--Paragraph (1)(B)(iii) shall not
apply if disclosure of the location of the individual
would reveal specific information about the physical or
mental condition of the individual, unless the
individual expressly authorizes such disclosure.
(B) Directory of next of kin information.--A
disclosure may not be made under this section if the
health care provider involved has reason to believe
that the disclosure of directory or next of kin
information could lead to the physical or mental harm
of the individual, unless the individual expressly
authorizes such disclosure.
SEC. 205. EMERGENCY CIRCUMSTANCES.
Any person who creates or receives protected health information
under this title may disclose protected health information in emergency
circumstances when necessary to protect the health or safety of the
individual who is the subject of such information from serious,
imminent harm. No disclosure made in the good faith belief that the
disclosure was necessary to protect the health or safety of an
individual from serious, imminent harm shall be in violation of, or
punishable under, this Act.
SEC. 206. OVERSIGHT.
(a) In General.--Any person may disclose protected health
information to an accrediting body or public health authority, a health
oversight agency, or a State insurance department, for purposes of an
oversight function authorized by law.
(b) Protection From Further Disclosure.--Protected health
information that is disclosed under this section shall not be further
disclosed by an accrediting body or public health authority, a health
oversight agency, a State insurance department, or their agents for any
purpose unrelated to the authorized oversight function. Notwithstanding
any other provision of law, protected health information disclosed
under this section shall be protected from further disclosure by an
accrediting body or public health authority, a health oversight agency,
a State insurance department, or their agents pursuant to a subpoena,
discovery request, introduction as evidence, testimony, or otherwise.
(c) Authorization by a Supervisor.--For purposes of this section,
the individual with authority to authorize the oversight function
involved shall provide to the person described in subsection (a) a
statement that the protected health information is being sought for a
legally authorized oversight function.
(d) Use in Action Against Individuals.--Protected health
information about an individual that is disclosed under this section
may not be used by the recipient in, or disclosed by the recipient to
any person for use in, an administrative, civil, or criminal action or
investigation directed against the individual who is the subject of the
protected health information unless the action or investigation arises
out of and is directly related to--
(1) the receipt of health care or payment for health care;
or
(2) a fraudulent claim related to health care, or a
fraudulent or material misrepresentation of the health of the
individual.
SEC. 207. PUBLIC HEALTH.
A health care provider, health plan, public health authority,
employer, health or life insurer, law enforcement official, school, or
university may disclose protected health information to a public health
authority or other person authorized by law for use in a legally
authorized--
(1) disease or injury report;
(2) public health surveillance; or
(3) public health investigation or intervention.
SEC. 208. HEALTH RESEARCH.
(a) In General.--A health care provider, health plan, public health
authority, employer, health or life insurer, school, or university may
disclose protected health information to a health researcher if--
(1) the research involves human subjects conducted or
supported by any Federal department or agency and the
researcher complies with the common rule;
(2) the research is a clinical investigation involving
human subjects and the researcher follows the regulations of
the Food and Drug Administration governing confidentiality procedures;
or
(3) the research is not subject to the Federal Policy for
the Protection of Human Subjects.
(b) Periodic Review and Technical Assistance of Institutional
Review Boards Involved With the Federal Policy for Protection of Human
Subjects.--
(1) Institutional review board.--Any institutional review
board that authorizes research under this section pursuant to
the common rule shall keep records of the names and addresses
of all members who participate in such authorizations for
possible review or audit.
(2) Technical assistance.--The Secretary may provide
technical assistance to institutional review boards described
in this section.
(3) Monitoring.--The Secretary shall periodically monitor
institutional review boards described in this section.
(4) Reports.--Not later than 3 years after the date of
enactment of this Act, the Secretary shall report to Congress
regarding the activities of institutional review boards
described in this section.
(c) Review of the Common Rule by the Secretary.--The Secretary
shall review the requirements of the common rule pertaining to the
privacy of protected health information and shall promulgate any
amendments to the common rule that may be necessary to ensure the
confidentiality of such information.
(d) Recommendations With Respect to Privacy.--
(1) In general.--Not later than the date that is 12 months
after the date of the enactment of this Act, the Secretary
shall submit to Congress detailed recommendations on standards
with respect to the privacy of individually identifiable health
information in research described in subsection (a)(3).
(2) Rule of construction.--In formulating the
recommendations under paragraph (1), the Secretary shall
consider the findings of the National Bioethics Advisory
Commission and the results of the General Accounting Office
report authorized by section 402.
(3) Regulations.--If legislation governing standards with
respect to the privacy of individually identifiable health
information transmitted in connection with research described
in subsection (a)(3) is not enacted by the date that is 24
months after the date of the enactment of this Act, the
Secretary shall promulgate final regulations containing such
standards not later than the date that is 30 months after the
date of the enactment of this Act.
SEC. 209. DISCLOSURE IN CIVIL, JUDICIAL, AND ADMINISTRATIVE PROCEDURES.
(a) In General.--A health care provider, health plan, public health
authority, employer, health or life insurer, law enforcement official,
school, or university may disclose protected health information
pursuant to a discovery request or subpoena in a civil action brought
in a Federal or State court or a request or subpoena related to a
Federal or State administrative proceeding, but only if the disclosure
is made pursuant to a court order as provided for in subsection (b).
(b) Court Orders.--
(1) Standard for issuance.--In considering a request for a
court order regarding the disclosure of protected health
information under subsection (a), the court shall issue such
order if the court determines that without the disclosure of
such information, the person requesting the order would be
impaired from establishing a claim or defense.
(2) Requirements.--An order issued under paragraph (1)
shall--
(A) provide that the protected health information
involved is subject to court protection;
(B) specify to whom the information may be
disclosed;
(C) specify that such information may not otherwise
be disclosed or used; and
(D) meet any other requirements that the court
determines are needed to protect the confidentiality of
the information.
(c) Applicability.--This section shall not apply in a case in which
the protected health information sought under such discovery request or
subpoena--
(1) is nonidentifiable health information;
(2) is related to a party to the litigation whose medical
condition is at issue; or
(3) could be disclosed under any of sections 202 through
208, 210, and 212.
(d) Effect of Section.--This section shall not be construed to
supersede any grounds that may apply under Federal or State law for
objecting to turning over the protected health information.
SEC. 210. DISCLOSURE FOR LAW ENFORCEMENT PURPOSES.
(a) In General.--A health care provider, health plan, health
oversight agency, employer, health or life insurer, school, university,
or person who receives protected health information pursuant to
sections 203 through 208, may disclose protected health information
under this section, except to a health oversight agency governed by
section 206, if the disclosure is pursuant to--
(1) a subpoena issued under the authority of a grand jury;
(2) an administrative subpoena or summons or judicial
subpoena or warrant; or
(3) a Federal or State law requiring the reporting of
specific medical information to law enforcement authorities.
(b) Probable Cause.--A subpoena or summons for a disclosure under
paragraph (1) or (2) of subsection (a) shall only be issued if the law
enforcement agency involved shows that there is probable cause to
believe that the information is relevant to a legitimate law
enforcement inquiry.
(c) Destruction or Return of Information.--When the matter or need
for which protected health information was disclosed to a law
enforcement agency or grand jury under subsection (a) has concluded,
including any derivative matters arising from such matter or need, the
law enforcement agency or grand jury shall either destroy the protected
health information, or return it to the person from whom it was
obtained.
(d) Redactions.--To the extent practicable, and consistent with the
requirements of due process, a law enforcement agency shall redact
personally identifying information from protected health information
prior to the public disclosure of such protected information in a
judicial or administrative proceeding.
(e) Use of Information.--Protected health information obtained by a
law enforcement agency pursuant to this section may only be used for
purposes of a legitimate law enforcement activity.
(f) Exclusion of Evidence.--If protected health information is
obtained without meeting the requirements of paragraphs (1), (2), and
(3) of subsection (a), any such information that is unlawfully obtained
shall be excluded from court proceedings unless the defendant requests
otherwise.
SEC. 211. PAYMENT CARD AND ELECTRONIC PAYMENT TRANSACTION.
(a) Payment for Health Care Through Card or Electronic Means.--If
an individual pays for health care by presenting a debit, credit, or
other payment card or account number, or by any other electronic
payment means, the entity receiving payment may disclose to a person
described in subsection (b) only such protected health information
about the individual as is necessary for the processing of the payment
transaction or the billing or collection of amounts charged to, debited
from, or otherwise paid by, the individual using the card, number, or
other electronic means.
(b) Transaction Processing.--A person who is a debit, credit, or
other payment card issuer, or is otherwise directly involved in the
processing of payment transactions involving such cards or other
electronic payment transactions, or is otherwise directly involved in
the billing or collection of amounts paid through such means, may use
or disclose protected health information about an individual that has
been disclosed in accordance with subsection (a) only when necessary
for--
(1) the authorization, settlement, billing or collection of
amounts charged to, debited from, or otherwise paid the
individual using a debit, credit, or other payment card or
account number, or by other electronic payment means;
(2) the transfer of receivables, accounts, or interest
therein;
(3) the audit of the debit, credit, or other payment card
account information;
(4) compliance with Federal, State, or local law; or
(5) compliance with a properly authorized civil, criminal,
or regulatory investigation by Federal, State, or local
authorities as governed by the requirements of this section.
SEC. 212. STANDARDS FOR ELECTRONIC DISCLOSURES.
The Secretary shall promulgate standards for disclosing,
authorizing, and authenticating, protected health information in
electronic form consistent with this title.
SEC. 213. INDIVIDUAL REPRESENTATIVES.
(a) In General.--Except as provided in subsections (b) and (c), a
person who is authorized by law (based on grounds other than the
individual being a minor), or by an instrument recognized under law, to
act as an agent, attorney, proxy, or other legal representative of a
protected individual, may, to the extent so authorized, exercise and
discharge the rights of the individual under this Act.
(b) Health Care Power of Attorney.--A person who is authorized by
law (based on grounds other than being a minor), or by an instrument
recognized under law, to make decisions about the provision of health
care to an individual who is incapacitated, may exercise and discharge
the rights of the individual under this Act to the extent necessary to
effectuate the terms or purposes of the grant of authority.
(c) No Court Declaration.--If a health care provider determines
that an individual, who has not been declared to be legally
incompetent, suffers from a medical condition that prevents the
individual from acting knowingly or effectively on the individual's own
behalf, the right of the individual to authorize disclosure under this
Act may be exercised and discharged in the best interest of the
individual by--
(1) a person described in subsection (b) with respect to
the individual;
(2) a person described in subsection (a) with respect to
the individual, but only if a person described in paragraph (1)
cannot be contacted after a reasonable effort;
(3) the next of kin of the individual, but only if a person
described in paragraph (1) or (2) cannot be contacted after a
reasonable effort;
(4) the health care provider, but only if a person
described in paragraph (1), (2); or
(5) cannot be contacted after a reasonable effort.
(d) Application to Deceased Individuals.--The provisions of this
Act shall continue to apply to protected health information concerning
a deceased individual for a period of 2 years following the death of
that individual.
(e) Exercise of Rights on Behalf of a Deceased Individual.--A
person who is authorized by law or by an instrument recognized under
law, to act as an executor of the estate of a deceased individual, or
otherwise to exercise the rights of the deceased individual, may, to
the extent so authorized, exercise and discharge the rights of such
deceased individual under this Act for a period of 2 years following
the death of that individual. If no such designee has been authorized,
the rights of the deceased individual may be exercised as provided for
in subsection (c).
SEC. 214. LIMITED LIABILITY FOR LAW ENFORCEMENT OFFICERS.
Federal and State law enforcement officers shall not be personally
liable for violations of this Act unless it is shown that the violation
was a result of intentional conduct committed with the intent to sell,
transfer, or use protected health information for commercial advantage,
personal gain, or malicious harm.
SEC. 215. NO LIABILITY FOR PERMISSIBLE DISCLOSURES.
A health care provider, health plan, health oversight agency,
health researcher, public health authority, law enforcement official,
employer, health or life insurer, school, or university who makes a
disclosure of protected health information about an individual that is
permitted by this Act shall not be liable to the individual for such
disclosure under common law.
TITLE III--SANCTIONS
Subtitle A--Criminal Provisions
SEC. 301. WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION.
(a) In General.--Part I of title 18, United States Code, is amended
by adding at the end the following:
``CHAPTER 124--WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION
``Sec. 2801. Wrongful disclosure of protected health information.
``Sec. 2801. Wrongful disclosure of protected health information
``(a) Offense.--The penalties described in subsection (b) shall
apply to a person that knowingly and intentionally--
``(1) obtains protected health information relating to an
individual in violation of title II of the Personal Medical
Information Protection Act of 1999;
``(2) discloses protected health information to another
person in violation of title II of the Personal Medical
Information Protection Act of 1999; or
``(3) uses protected health information in violation of
title II of the Personal Medical Information Protection Act of
1999.
``(b) Penalties.--A person described in subsection (a) shall--
``(1) be fined not more than $50,000, imprisoned not more
than 1 year, or both;
``(2) if the offense is committed under false pretenses, be
fined not more than $250,000, imprisoned not more than 5 years,
or any combination of such penalties;
``(3) if the offense is committed with the intent to sell,
transfer, or use protected health information for commercial
advantage, personal gain, or malicious harm, be fined not more
than $500,000, imprisoned not more than 20 years, excluded from
participation in any federally funded health care programs, or
any combination of such penalties.
``(c) Subsequent Offenses.--In the case of a person described in
subsection (a), the maximum penalties described in subsection (b) shall
be doubled for every subsequent conviction for an offense arising out
of a violation or violations related to a set of circumstances that are
different from those involved in the previous violation or set of
related violations described in such subsection (a).''.
(b) Clerical Amendment.--The Table of chapters for part I of title
18, United States Code, is amended by inserting after the item relating
to chapter 123 the following new item:
``124. Wrongful disclosure of protected health information.. 2801''.
Subtitle B--Civil Sanctions
SEC. 311. CIVIL PENALTY.
(a) Violation.--A health care provider, health researcher, health
plan, health oversight agency, public health agency, law enforcement
agency, employer, health or life insurer, school, or university, or the
agent of any such individual or entity, who the Secretary, in
consultation with the Attorney General, determines has substantially
and materially failed to comply with this Act shall be subject, in
addition to any other penalties that may be prescribed by law--
(1) in a case in which the violation relates to title I, to
a civil penalty of not more than $500 for each such violation,
but not to exceed $5,000 in the aggregate for multiple
violations;
(2) in a case in which the violation relates to title II,
to a civil penalty of not more than $10,000 for each such
violation, but not to exceed $50,000 in the aggregate for
multiple violations; or
(3) in a case in which the Secretary finds that such
violations have occurred with such frequency as to constitute a
general business practice, to a civil penalty of not more than
$100,000.
(b) Procedures for Imposition of Penalties.--Section 1128A of the
Social Security Act, other than subsections (a) and (b) and the second
sentence of subsection (f) of that section, shall apply to the
imposition of a civil, monetary, or exclusionary penalty under this
section in the same manner as such provisions apply with respect to the
imposition of a penalty under section 1128A of such Act.
SEC. 312. PROCEDURES FOR IMPOSITION OF PENALTIES.
(a) Initiation of Proceedings.--
(1) In general.--The Secretary, in consultation with the
Attorney General, may initiate a proceeding to determine
whether to impose a civil money penalty under section 311. The
Secretary may not initiate an action under this section with
respect to any violation described in section 311 after the
expiration of the 6-year period beginning on the date on which
such violation was alleged to have occurred. The Secretary may
initiate an action under this section by serving notice of the
action in any manner authorized by rule 4 of the Federal Rules
of Civil Procedure.
(2) Notice and opportunity for hearing.--The Secretary
shall not make a determination adverse to any person under
paragraph (1) until the person has been given written notice
and an opportunity for the determination to be made on the
record after a hearing at which the person is entitled to be
represented by counsel, to present witnesses, and to cross-
examine witnesses against the person.
(3) Estoppel.--In a proceeding under paragraph (1) that--
(A) is against a person who has been convicted
(whether upon a verdict after trial or upon a plea of
guilty or nolo contendere) of a crime under section
2801 of title 18, United States Code; and
(B) involves the same conduct as in the criminal
action;
the person is estopped from denying the essential elements of the
criminal offense.
(4) Sanctions for failure to comply.--The official
conducting a hearing under this section may sanction a person,
including any party or attorney, for failing to comply with an
order or procedure, failing to defend an action, or other
misconduct as would interfere with the speedy, orderly, or fair
conduct of the hearing. Such sanction shall reasonably relate
to the severity and nature of the failure or misconduct. Such
sanction may include--
(A) in the case of refusal to provide or permit
discovery, drawing negative factual inferences or
treating such refusal as an admission by deeming the
matter, or certain facts, to be established;
(B) prohibiting a party from introducing certain
evidence or otherwise supporting a particular claim or
defense;
(C) striking pleadings, in whole or in part;
(D) staying the proceedings;
(E) dismissal of the action;
(F) entering a default judgment;
(G) ordering the party or attorney to pay
attorneys' fees and other costs caused by the failure
or misconduct; and
(H) refusing to consider any motion or other action
which is not filed in a timely manner.
(b) Scope of Penalty.--In determining the amount or scope of any
penalty imposed pursuant to section 311, the Secretary shall take into
account--
(1) the nature of claims and the circumstances under which
they were presented;
(2) the degree of culpability, history of prior offenses,
and financial condition of the person presenting the claims;
and
(3) such other matters as justice may require.
(c) Review of Determination.--
(1) In general.--Any person adversely affected by a
determination of the Secretary under this section may obtain a
review of such determination in the United States Court of
Appeals for the circuit in which the person resides, or in which
the claim was presented, by filing in such court (within 60
days following the date the person is notified of the
determination of the Secretary) a written petition requesting
that the determination be modified or set aside.
(2) Filing of record.--A copy of the petition filed under
paragraph (1) shall be forthwith transmitted by the clerk of
the court to the Secretary, and thereupon the Secretary shall
file in the court the record in the proceeding as provided in
section 2112 of title 28, United States Code. Upon such filing,
the court shall have jurisdiction of the proceeding and of the
question determined therein, and shall have the power to make
and enter upon the pleadings, testimony, and proceedings set
forth in such record a decree affirming, modifying, remanding
for further consideration, or setting aside, in whole or in
part, the determination of the Secretary and enforcing the same
to the extent that such order is affirmed or modified.
(3) Consideration of objections.--No objection that has not
been raised before the Secretary with respect to a
determination described in paragraph (1) shall be considered by
the court, unless the failure or neglect to raise such
objection shall be excused because of extraordinary
circumstances.
(4) Findings.--The findings of the Secretary with respect
to questions of fact in an action under this subsection, if
supported by substantial evidence on the record considered as a
whole, shall be conclusive. If any party shall apply to the
court for leave to adduce additional evidence and shall show to
the satisfaction of the court that such additional evidence is
material and that there were reasonable grounds for the failure
to adduce such evidence in the hearing before the Secretary,
the court may order such additional evidence to be taken before
the Secretary and to be made a part of the record. The
Secretary may modify findings as to facts, or make new
findings, by reason of additional evidence so taken and filed,
and shall file with the court such modified or new findings,
and such findings with respect to questions of fact, if
supported by substantial evidence on the record considered as a
whole, and the recommendations of the Secretary, if any, for
the modification or setting aside of the original order, shall
be conclusive.
(5) Exclusive jurisdiction.--Upon the filing of the record
with the court under paragraph (2), the jurisdiction of the
court shall be exclusive and its judgment and decree shall be
final, except that the same shall be subject to review by the
Supreme Court of the United States, as provided for in section
1254 of title 28, United States Code.
(d) Recovery of Penalties.--
(1) In general.--Civil money penalties imposed under this
subtitle may be compromised by the Secretary and may be
recovered in a civil action in the name of the United States
brought in United States district court for the district where
the claim was presented, or where the claimant resides, as
determined by the Secretary. Amounts recovered under this
section shall be paid to the Secretary and deposited as
miscellaneous receipts of the Treasury of the United States.
(2) Deduction from amounts owing.--The amount of any
penalty, when finally determined under this section, or the
amount agreed upon in compromise under paragraph (1), may be
deducted from any sum then or later owing by the United States
or a State to the person against whom the penalty has been
assessed.
(e) Determination Final.--A determination by the Secretary to
impose a penalty under section 321 shall be final upon the expiration
of the 60-day period referred to in subsection (c)(1). Matters that
were raised or that could have been raised in a hearing before the
Secretary or in an appeal pursuant to subsection (c) may not be raised
as a defense to a civil action by the United States to collect a
penalty under section 311.
(f) Subpoena Authority.--
(1) In general.--For the purpose of any hearing,
investigation, or other proceeding authorized or directed under
this section, or relative to any other matter within the
jurisdiction of the Attorney General hereunder, the Attorney
General, acting through the Secretary shall have the power to
issue subpoenas requiring the attendance and testimony
of witnesses and the production of any evidence that relates to any
matter under investigation or in question before the Secretary. Such
attendance of witnesses and production of evidence at the designated
place of such hearing, investigation, or other proceeding may be
required from any place in the United States or in any Territory or
possession thereof.
(2) Service.--Subpoenas of the Secretary under paragraph
(1) shall be served by anyone authorized by the Secretary by
delivering a copy thereof to the individual named therein.
(3) Proof of service.--A verified return by the individual
serving the subpoena under this subsection setting forth the
manner of service shall be proof of service.
(4) Fees.--Witnesses subpoenaed under this subsection shall
be paid the same fees and mileage as are paid witnesses in the
district court of the United States.
(5) Refusal to obey.--In case of contumacy by, or refusal
to obey a subpoena duly served upon, any person, any district court of
the United States for the judicial district in which such
person charged with contumacy or refusal to obey is found or
resides or transacts business, upon application by the
Secretary, shall have jurisdiction to issue an order requiring
such person to appear and give testimony, or to appear and
produce evidence, or both. Any failure to obey such order of
the court may be punished by the court as contempt thereof.
(g) Injunctive Relief.--Whenever the Secretary has reason to
believe that any person has engaged, is engaging, or is about to engage
in any activity which makes the person subject to a civil monetary
penalty under section 311, the Secretary may bring an action in an
appropriate district court of the United States (or, if applicable, a
United States court of any territory) to enjoin such activity, or to
enjoin the person from concealing, removing, encumbering, or disposing
of assets which may be required in order to pay a civil monetary
penalty if any such penalty were to be imposed or to seek other
appropriate relief.
(h) Agency.--A principal is liable for penalties under section 311
for the actions of the principal's agent acting within the scope of the
agency.
SEC. 313. CIVIL ACTION BY INDIVIDUALS.
(a) In general.--Any individual whose rights under this Act have
been knowingly or negligently violated may bring a civil action to
recover--
(1) such preliminary and equitable relief as the court
determines to be appropriate; and
(2) the greater of compensatory damages or liquidated
damages of $5,000.
(b) Punitive Damages.--In any action brought under this section in
which the individual has prevailed because of a knowing violation of a
provision of this Act, the court may, in addition to any relief awarded
under subsection (a), award such punitive damages as may be
appropriate.
(c) Attorney's Fees.--In the case of a civil action brought under
subsection (a) in which the individual has substantially prevailed, the
court may assess against the respondent a reasonable attorney's fee and
other litigation costs and expenses (including expert fees) reasonably
incurred.
(d) Limitation.--No action may be commenced under this section more
than 3 years after the date on which the violation was or should
reasonably have been discovered.
SEC. 314. ALTERNATIVE DISPUTE RESOLUTION.
(a) In General.--The Secretary shall, within 2 years following
enactment of this Act, promulgate regulations to develop alternative
dispute resolution procedures to resolve claims under section 314.
(b) Methods of Alternative Dispute Resolution.--The regulations
promulgated under subsection (a) may require that an individual, before
filing a civil claim, pursue at least one avenue of alternative dispute
resolution, including--
(1) mediation;
(2) arbitration; or
(3) the use of a process under which parties make early
offers of settlements.
TITLE IV--MISCELLANEOUS
SEC. 401. RELATIONSHIP TO OTHER LAWS.
(a) Federal and State Laws.--Nothing in this Act shall be construed
as preempting, superseding, or repealing, explicitly or implicitly,
other Federal or State laws or regulations relating to protected health
information or relating to an individual's access to protected health
information or health care services, if such laws or regulations
provide protections for the rights of individuals to the privacy of,
and access to, their health information that are greater than those
provided for in this Act.
(b) Privileges.--Nothing in this Act shall be construed to preempt
or modify any provisions of State statutory or common law to the extent
that such law concerns a privilege of a witness or person in a court of
that State. This Act shall not be construed to supersede or
modify any provision of Federal statutory or common law to the extent
such law concerns a privilege of a witness or person in a court of the
United States. Authorizations pursuant to section 202 shall not be
construed as a waiver of any such privilege.
(c) Certain Duties Under Law.--Nothing in this Act shall be
construed to preempt, supersede, or modify the operation of any State
law that--
(1) provides for the reporting of vital statistics such as
birth or death information;
(2) requires the reporting of abuse or neglect information
about any individual;
(3) regulates the disclosure or reporting of information
concerning an individual's mental health; or
(4) governs a minor's rights to access protected health
information or health care services.
(d) Federal Privacy Act.--
(1) Medical exemptions.--Section 552a of title 5, United
States Code, is amended by adding at the end the following:
``(w) Certain Protected Health Information.--The head of an agency
that is a health care provider, health plan, health oversight agency,
employer, insurer, health or life insurer, school or university, or
person who receives protected health information under section 204 of
the Personal Medical Information Protection Act shall promulgate rules,
in accordance with the requirements (including general notice) of
subsections (b)(1), (b)(2), (b)(3), (c), (e) of section 553 of this
title, to exempt a system of records within the agency, to the extent
that the system of records contains protected health information (as
defined in section 4 of such Act), from all provisions of this section
except subsections (b)(6), (d), (e)(1), (e)(2), subparagraphs (A)
through (C) and (E) through (I) of subsection (e)(4), and subsections
(e)(5), (e)(6), (e)(9), (e)(12), (l), (n), (o), (p), (q), (r), and
(u).''.
(2) Technical amendment.--Section 552a(f)(3) of title 5,
United States Code, is amended by striking ``pertaining to
him,'' and all that follows through the semicolon and inserting
``pertaining to the individual.''
(e) Constitution.--Nothing in this Act shall be construed to alter,
diminish, or otherwise weaken existing legal standards under the
Constitution regarding the confidentiality of protected health
information.
SEC. 402. NOTIFICATION OF SENIORS.
The Secretary shall publish a pamphlet which explains the
provisions of this Act and the resulting final regulations in plain
language as directed in the President's memorandum of June 1, 1998, to
the heads of executive departments and agencies (63 Federal Register
31885, 3 CFR 1998 Comp., p. 289) within 1 year from the effective date.
The Secretary shall also ensure that the contents of such pamphlet may
be viewed and downloaded online free of charge through the website of
the Department of Health and Human Services.
SEC. 403. EFFECTIVE DATE.
(a) Effective Date.--Unless specifically provided for otherwise,
this Act shall take effect on the date that is 12 months after the date
of the promulgation of the regulations required under subsection (b),
or 30 months after the date of enactment of this Act, whichever is
earlier.
(b) Regulations.--Not later than 12 months after the date of
enactment of this Act, or as specifically provided for otherwise, the
Secretary shall promulgate regulations implementing this Act.
<all>
Introduced in House
Referred to the Committee on Commerce, and in addition to the Committee on the Judiciary, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.
Referred to the Subcommittee on Health and Environment.
Referred to the Subcommittee on Crime.