TABLE OF CONTENTS:
Title I: Individual's Rights
Subtitle A: Review of Protected Health Information by Subjects of the Information
Subtitle B: Establishment of Safeguards
Title II: Restrictions on Use and Disclosure
Title III: Sanctions
Subtitle A: Criminal Provisions
Subtitle B: Civil Sanctions
Title IV: Miscellaneous
Medical Information Protection Act of 1999 - Title I: Individual's Rights - Subtitle A: Review of Protected Health Information by Subjects of the Information - Requires specified health entities in possession of protected health information to arrange (except in certain circumstances) for its inspection or copying upon the request of the individual subject of such information (subject individual). Prescribes procedures for: (1) notification upon request denial, including the reasons for such denial, and the concomitant review procedures; (2) requests by such individual to amend such information; and (3) conspicuous disclosure of such entities' confidentiality practices.
(Sec. 103) Directs the Secretary of Health and Human Services (the Secretary) to develop model notices of confidentiality.
Subtitle B: Establishment of Safeguards - Mandates: (1) administrative, technical, and physical safeguards for protected health information; (2) a record of any protected health information disclosures; and (3) identification of disclosed information as protected health information.
Title II: Restrictions on Use and Disclosure - Prescribes guidelines for disclosure of protected health information with respect to: (1) authorizations for treatment, payment, and health care operations; (3) the individual's next of kin and directory information; (4) emergency circumstances; (5) certain oversight agencies; (6) public health authorities; (7) health researchers; (8) civil, judicial, and administrative procedures; (9) certain law enforcement procedures; (10) payment for health care through card or electronic means; (11) certain duly authorized representatives acting on behalf of a subject individual (including a deceased subject individual, and a minor); and (12) certain business sales, transfers, or mergers.
(Sec. 213) Precludes permissible disclosures from liability.
Title III: Sanctions - Subtitle A: Criminal Provisions - Amends the Federal criminal code to impose criminal penalties for knowingly and intentionally obtaining or disclosing protected health information in violation of title II of this Act.
Subtitle B: Civil Sanctions - Establishes civil monetary penalties for substantial and material failure to comply with this Act.
(Sec. 312) Prescribes a procedure for imposition and judicial review of such penalties.
(Sec. 313) Grants exclusive enforcement authority to the insurance commissioner of the life insurer's domicile State.
Title IV: Miscellaneous - Preempts, subject to exceptions, any State law relating to matters covered by this Act.
(Sec. 401) Authorizes the Secretaries of Defense and of Transportation to establish exceptions to the disclosure requirements of this Act with respect to Department of Defense and Coast Guard personnel, respectively, pursuant to the Secretaries' determination that exceptions are necessary for national defense purposes.
(Sec. 403) Directs the National Research Council, in conjunction with the Institute of Medicine of the National Academy of Sciences, to study and report to the Congress on research issues relating to protected health information.
[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[S. 881 Introduced in Senate (IS)]
106th CONGRESS
1st Session
S. 881
To ensure confidentiality with respect to medical records and health
care-related information, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
April 27, 1999
Mr. Bennett (for himself, Mr. Mack, Mr. Murkowski, and Mr. Santorum)
introduced the following bill; which was read twice and referred to the
Committee on Health, Education, Labor, and Pensions
_______________________________________________________________________
A BILL
To ensure confidentiality with respect to medical records and health
care-related information, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) Short Title.--This Act may be cited as the ``Medical
Information Protection Act of 1999''.
(b) Table of Contents.--The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Purposes.
Sec. 4. Definitions.
TITLE I--INDIVIDUAL'S RIGHTS
Subtitle A--Review of Protected Health Information by Subjects of the
Information
Sec. 101. Inspection and copying of protected health information.
Sec. 102. Amendment of protected health information.
Sec. 103. Notice of confidentiality practices.
Subtitle B--Establishment of Safeguards
Sec. 111. Establishment of safeguards.
Sec. 112. Accounting for disclosures.
TITLE II--RESTRICTIONS ON USE AND DISCLOSURE
Sec. 201. General rules regarding use and disclosure.
Sec. 202. Procurement of authorizations for use and disclosure of
protected health information for treatment,
payment, and health care operations.
Sec. 203. Authorizations for use or disclosure of protected health
information other than for treatment,
payment, and health care operations.
Sec. 204. Next of kin and directory information.
Sec. 205. Emergency circumstances.
Sec. 206. Oversight.
Sec. 207. Public health.
Sec. 208. Health research.
Sec. 209. Disclosure in civil, judicial, and administrative procedures.
Sec. 210. Disclosure for law enforcement purposes.
Sec. 211. Payment card and electronic payment transaction.
Sec. 212. Individual representatives.
Sec. 213. No liability for permissible disclosures.
Sec. 214. Sale of business, mergers, etc.
TITLE III--SANCTIONS
Subtitle A--Criminal Provisions
Sec. 301. Wrongful disclosure of protected health information.
Subtitle B--Civil Sanctions
Sec. 311. Civil penalty violation.
Sec. 312. Procedures for imposition of penalties.
Sec. 313. Enforcement by State insurance commissioners.
TITLE IV--MISCELLANEOUS
Sec. 401. Relationship to other laws.
Sec. 402. Conforming amendment.
Sec. 403. Study by Institute of Medicine.
Sec. 405. Effective date.
SEC. 2. FINDINGS.
The Congress finds that--
(1) individuals have a right of confidentiality with
respect to their personal health information and records;
(2) with respect to information about medical care and
health status, the traditional right of confidentiality is at
risk;
(3) an erosion of the right of confidentiality may reduce
the willingness of patients to confide in physicians and other
practitioners, thus jeopardizing quality health care;
(4) an individual's confidentiality right means that an
individual's consent is needed to disclose his or her protected
health information, except in limited circumstances required by
the public interest;
(5) any disclosure of protected health information should
be limited to that information or portion of the medical record
necessary to fulfill the purpose of the disclosure;
(6) the availability of timely and accurate personal health
data for the delivery of health care services throughout the
Nation is needed;
(7) personal health care data is essential for medical
research;
(8) public health uses of personal health data are critical
to both personal health as well as public health; and
(9) confidentiality of an individual's health information
must be assured without jeopardizing the pursuit of clinical
and epidemiological research undertaken to improve health care
and health outcomes and to assure the quality and efficiency of
health care.
SEC. 3. PURPOSES.
The purpose of this Act is to--
(1) establish strong and effective mechanisms to protect
against the unauthorized and inappropriate disclosure of
protected health information that is created or maintained as
part of health care treatment, diagnosis, enrollment, payment,
plan administration, testing, or research processes;
(2) promote the efficiency and security of the health
information infrastructure so that members of the health care
community may more effectively exchange and transfer health
information in a manner that will ensure the confidentiality of
protected health information without impeding the delivery of
high quality health care; and
(3) establish strong and effective remedies for violations
of this Act.
SEC. 4. DEFINITIONS.
As used in this Act:
(1) Accrediting body.--The term ``accrediting body'' means
a national body, committee, organization, or institution (such
as the Joint Commission on Accreditation of Health Care
Organizations or the National Committee for Quality Assurance)
that has been authorized by law or is recognized by a health
care regulating authority as an accrediting entity or any other
entity that has been similarly authorized or recognized by law
to perform specific accreditation, licensing or credentialing
activities.
(2) Agent.--The term ``agent'' means a person, including a
contractor, who represents and acts for another under the
contract or relation of agency, or whose function is to bring
about, modify, effect, accept performance of, or terminate
contractual obligations between the principal and a third
person.
(3) Common rule.--The term ``common rule'' means the
Federal policy for protection of human subjects from research
risks originally published as 56 Federal Register 28.025 (1991)
as adopted and implemented by a Federal department or agency.
(4) Disclose and disclosure.--
(A) Disclose.--The term ``disclose'' means to
release, transfer, provide access to, or otherwise
divulge protected health information to any person
other than the individual who is the subject of such
information.
(B) Disclosure.--
(i) In general.--The term ``disclosure''
refers to a release, transfer, provision for
access to, or communication of information as
described in subparagraph (A).
(ii) Use.--The use of protected health
information by an authorized person and its
agents shall not be considered a disclosure for
purposes of this Act if the use is consistent
with the purposes for which the information was
lawfully obtained. Using or providing access to
health information in the form of
nonidentifiable health information shall not be
construed as a disclosure of protected health
information.
(5) Employer.--The term ``employer'' has the meaning given
such term under section 3(5) of the Employee Retirement Income
Security Act of 1974 (29 U.S.C. 1002(5)), except that such term
shall include only employers of two or more employees.
(6) Health care.--The term ``health care'' means--
(A) preventive, diagnostic, therapeutic,
rehabilitative, maintenance, or palliative care,
including appropriate assistance with disease or
symptom management and maintenance, counseling,
assessment, service, or procedure--
(i) with respect to the physical or mental
condition of an individual; or
(ii) affecting the structure or function of
the human body or any part of the human body,
including the banking of blood, sperm, organs,
or any other tissue; or
(B) pursuant to a prescription or medical order any
sale or dispensing of a drug, device, equipment, or
other health care related item to an individual, or for
the use of an individual.
(7) Health care operations.--The term ``health care
operations'' means services provided by or on behalf of a
health plan or health care provider for the purpose of carrying
out the management functions of a health care provider or
health plan, or implementing the terms of a contract for health
plan benefits, including--
(A) coordinating health care, including health care
management of the individual through risk assessment
and case management;
(B) conducting quality assessment and improvement
activities, including outcomes evaluation, clinical
guideline development, and improvement;
(C) reviewing the competence or qualifications of
health care professionals, evaluating provider
performance, and conducting health care education,
accreditation, certification, licensing, or
credentialing activities;
(D) carrying out utilization review activities,
including precertification and preauthorization of
services, and health plan rating and insurance
activities, including underwriting, experience rating
and reinsurance; and
(E) conducting or arranging for auditing services,
including fraud detection and compliance programs.
(8) Health care provider.--The term ``health care
provider'' means a person, who with respect to a specific item
of protected health information, receives, creates, uses,
maintains, or discloses the information while acting in whole
or in part in the capacity of--
(A) a person who is licensed, certified,
registered, or otherwise authorized by Federal or State
law to provide an item or service that constitutes
health care in the ordinary course of business, or
practice of a profession;
(B) a Federal, State, employer sponsored or other
privately sponsored program that directly provides
items or services that constitute health care to
beneficiaries; or
(C) an officer or employee of a person described in
subparagraph (A) or (B).
(9) Health oversight agency.--The term ``health oversight
agency'' means a person who, with respect to a specific item of
protected health information, receives, creates, uses,
maintains, or discloses the information while acting in whole
or in part in the capacity of--
(A) a person who performs or oversees the
performance of an assessment, evaluation,
determination, or investigation, relating to the
licensing, accreditation, certification, or
credentialing of health care providers; or
(B) a person who--
(i) performs or oversees the performance of
an audit, assessment, evaluation,
determination, or investigation relating to the
effectiveness of, compliance with, or
applicability of, legal, fiscal, medical, or
scientific standards or aspects of performance
related to the delivery of health care; and
(ii) is a public agency, acting on behalf
of a public agency, acting pursuant to a
requirement of a public agency, or carrying out
activities under a Federal or State law
governing the assessment, evaluation,
determination, investigation, or prosecution
described in subparagraph (A).
(10) Health plan.--The term ``health plan'' means any
health insurance issuer, health insurance plan, including any
hospital or medical service plan, dental or other health
service plan or health maintenance organization plan, provider
sponsored organization, or other program providing or arranging
for the provision of health benefits. Such term does not
include any policy, plan or program to the extent that it
provides, arranges or administers health benefits pursuant to a
program of workers compensation or automobile insurance.
(11) Health research and health researcher.--
(A) Health research.--The term ``health research''
means a systematic investigation of health (including
basic biological processes and structures), health
care, or its delivery and financing, including research
development, testing and evaluation, designed to
develop or contribute to generalizable knowledge
concerning human health, health care, or health care
delivery.
(B) Health researcher.--The term ``health
researcher'' means a person involved in health
research, or an officer, employee, or agent of such
person.
(12) Key.--The term ``key'' means a method or procedure
used to transform nonidentifiable health information that is in
a coded or encrypted form into protected health information.
(13) Law enforcement inquiry.--The term ``law enforcement
inquiry'' means a lawful investigation or official proceeding
inquiring into a violation of, or failure to comply with, any
criminal or civil statute or any regulation, rule, or order
issued pursuant to such a statute.
(14) Life insurer.--The term ``life insurer'' means life
insurance company as defined in section 816 of the Internal
Revenue Code of 1986.
(15) Nonidentifiable health information.--The term
``nonidentifiable health information'' means protected health
information from which personal identifiers, that directly
reveal the identity of the individual who is the subject of
such information or provide a direct means of identifying the
individual (such as name, address, and social security number),
have been removed, encrypted, or replaced with a code, such
that the identity of the individual is not evident without (in
the case of encrypted or coded information) use of key.
(16) Originating provider.--The term ``originating
provider'' means a health care provider who initiates a
treatment episode, such as prescribing a drug, ordering a
diagnostic test, or admitting an individual to a health care
facility. A hospital or nursing facility is the originating
provider with respect to protected health information created
or received as part of inpatient or outpatient treatment
provided in such settings.
(17) Payment.--The term ``payment'' means--
(A) the activities undertaken by--
(i) or on behalf of a health plan to
determine its responsibility for coverage under
the plan; or
(ii) a health care provider to obtain
payment for items or services provided to an
individual, provided under a health plan, or
provided based on a determination by the health
plan of responsibility for coverage under the
plan; and
(B) activities undertaken as described in
subparagraph (A) including--
(i) billing, claims management, medical
data processing, other administrative services,
and actual payment;
(ii) determinations of coverage or
adjudication of health benefit or subrogation
claims; and
(iii) review of health care services with
respect to coverage under a health plan or
justification of charges.
(18) Person.--The term ``person'' means a government,
governmental subdivision, agency or authority; corporation;
company; association; firm; partnership; society; estate;
trust; joint venture; individual; individual representative;
tribal government; and any other legal entity.
(19) Protected health information.--The term ``protected
health information'' with respect to the individual who is the
subject of such information means any information which
identifies such individual, whether oral or recorded in any
form or medium, that--
(A) is created or received by a health care
provider, health plan, health oversight agency, public
health authority, employer, life insurer, school or
university;
(B) relates to the past, present, or future
physical or mental health or condition of an individual
(including individual cells and their components);
(C) is derived from--
(i) the provision of health care to the
individual; or
(ii) payment for the provision of health
care to the individual; and
(D) is not nonidentifiable health information.
(20) Public health authority.--The term ``public health
authority'' means an authority or instrumentality of the United
States, a tribal government, a State, or a political
subdivision of a State that is--
(A) primarily responsible for health or welfare
matters; and
(B) primarily engaged in activities such as
incidence reporting, public health surveillance, and
investigation or intervention.
(21) School or university.--The term ``school or
university'' means an institution or place accredited or
licensed for purposes of providing for instruction or
education, including an elementary school, secondary school, or
institution of higher learning, a college, or an assemblage of
colleges united under one corporate organization or government.
(22) Secretary.--The term ``Secretary'' means the Secretary
of Health and Human Services.
(23) Signed.--The term ``signed'' refers to documentation
of assent in any medium, whether ink, digital or biometric
signatures, or recorded oral authorizations.
(24) State.--The term ``State'' includes the District of
Columbia, Puerto Rico, the Virgin Islands, Guam, American
Samoa, and the Northern Mariana Islands.
(25) Treatment.--The term ``treatment'' means the provision
of health care by a health care provider.
(26) Writing and written.--
(A) Writing.--The term ``writing'' means any form
of documentation, whether paper, electronic, digital,
biometric or tape recorded.
(B) Written.--The term ``written'' includes paper,
electronic, digital, biometric and tape-recorded
formats.
TITLE I--INDIVIDUAL'S RIGHTS
Subtitle A--Review of Protected Health Information by Subjects of the
Information
SEC. 101. INSPECTION AND COPYING OF PROTECTED HEALTH INFORMATION.
(a) General Rules.--
(1) Compliance with section.--At the request of an
individual who is the subject of protected health information
and except as provided in subsection (c), a health care
provider, a health plan, employer, life insurer, school, or
university shall arrange for inspection or copying of protected
health information concerning the individual, including records
created under section 102, as provided for in this section.
(2) Availability of information through originating
provider.--Protected health information that is created or
received by a health plan or health care provider as part of
treatment or payment shall be made available for inspection or
copying as provided for in this title through the originating
provider.
(3) Other entities.--An employer, life insurer, school, or
university that creates or receives protected health
information in performing any function other than providing
treatment, payment, or health care operations with respect to
the individual who is the subject of such information, shall
make such information available for inspection or copying as
provided for in this title, or through any provider designated
by the individual.
(4) Procedures.--The person providing access to information
under this title may set forth appropriate procedures to be
followed for such inspection or copying and may require an
individual to pay reasonable costs associated with such
inspection or copying.
(b) Special Circumstances.--If an originating provider, its agent,
or contractor no longer maintains the protected health information
sought by an individual pursuant to subsection (a), a health plan or
another health care provider that maintains such information shall
arrange for inspection or copying.
(c) Exceptions.--Unless ordered by a court of competent
jurisdiction, a person acting pursuant to subsection (a) or (b) is not
required to permit the inspection or copying of protected health
information if any of the following conditions are met:
(1) Endangerment to life or safety.--The person determines
that the disclosure of the information could reasonably be
expected to endanger the life or physical safety of any
individual.
(2) Confidential source.--The information identifies, or
could reasonably lead to the identification of, a person who
provided information under a promise of confidentiality to a
health care provider concerning the individual who is the
subject of the information.
(3) Information compiled in anticipation of or in
connection with a fraud investigation or litigation.--The
information is compiled principally--
(A) in anticipation of or in connection with a
fraud investigation, an investigation of material
misrepresentation in connection with an insurance
policy, a civil, criminal, or administrative action or
proceeding; or
(B) for use in such action or proceeding.
(4) Investigational information.--The protected health
information was created, received or maintained by a health
researcher as provided in section 208.
(d) Denial of a Request for Inspection or Copying.--If a person
described in subsection (a) or (b) denies a request for inspection or
copying pursuant to subsection (c), the person shall inform the
individual in writing of--
(1) the reasons for the denial of the request for
inspection or copying;
(2) the availability of procedures for further review of
the denial; and
(3) the individual's right to file with the person a
concise statement setting forth the request for inspection or
copying.
(e) Statement Regarding Request.--If an individual has filed a
statement under subsection (d)(3), the person in any subsequent
disclosure of the portion of the information requested under subsection
(a) or (b)--
(1) shall include a notation concerning the individual's
statement; and
(2) may include a concise statement of the reasons for
denying the request for inspection or copying.
(f) Inspection and Copying of Segregable Portion.--A person
described in subsection (a) or (b) shall permit the inspection and
copying of any reasonably segregable portion of a record after deletion
of any portion that is exempt under subsection (c).
(g) Deadline.--A person described in subsection (a) or (b) shall
comply with or deny, in accordance with subsection (d), a request for
inspection or copying of protected health information under this
section not later than 60 days after the date on which the person
receives the request.
(h) Rules of Construction.--
(1) Agents.--An agent of a person described in subsection
(a) or (b) shall not be required to provide for the inspection
and copying of protected health information, except where--
(A) the protected health information is retained by
the agent; and
(B) the agent has been asked in writing by the
person involved to fulfill the requirements of this
section.
(2) No requirement for hearing.--This section shall not be
construed to require a person described in subsection (a) or
(b) to conduct a formal, informal, or other hearing or
proceeding concerning a request for inspection or copying of
protected health information.
SEC. 102. AMENDMENT OF PROTECTED HEALTH INFORMATION.
(a) Right To Amend.--
(1) In general.--Protected health information shall be
subject to amendment as provided for in this section.
(2) Compliance with request.--Except as provided in
subsection (c), not later than 45 days after the date on which
an originating provider, employer, life insurer, school, or
university receives from an individual a request in writing to
amend protected health information, such person shall--
(A) make the amendment requested;
(B) inform the individual of the amendment that has
been made; and
(C) inform any person identified by the individual
in the request for amendment and--
(i) who is not an officer, employee, or
agent of the person; and
(ii) to whom the unamended portion of the
information was disclosed within the previous
year by sending a notice to the individual's
last known address that there has been a
substantive amendment to the protected health
information of such individual.
(b) Request of Originating Providers.--
(1) In general.--Protected health information that is
created or received by a health plan or health care provider as
part of treatment or payment shall be subject to amendment as
provided for in this section upon a written request made to the
originating provider.
(2) Special circumstances.--If an originating provider, its
agent, or contractor no longer maintains the protected health
information sought to be amended by an individual pursuant to
paragraph (1), a health plan or another health care provider
that maintains such information may arrange for amendment
consistent with this section.
(c) Refusal To Amend.--If a person described in subsection (a)(2)
refuses to make the amendment requested under such subsection, the
person shall inform the individual in writing of--
(1) the reasons for the refusal to make the amendment;
(2) the availability of procedures for further review of
the refusal; and
(3) the procedures by which the individual may file with
the person a concise statement setting forth the requested
amendment and the individual's reasons for disagreeing with the
refusal.
(d) Statement of Disagreement.--If an individual has filed a
statement of disagreement under subsection (c)(3), the person involved,
in any subsequent disclosure of the disputed portion of the
information--
(1) shall include a notation concerning the individual's
statement; and
(2) may include a concise statement of the reasons for not
making the requested amendment.
(e) Rules Governing Agents.--The agent of a person described in
subsection (a)(2) shall not be required to make amendments to protected
health information, except where--
(1) the protected health information is retained by the
agent; and
(2) the agent has been asked in writing by such person to
fulfill the requirements of this section.
(f) Repeated Requests for Amendments.--If a person described in
subsection (a)(2) receives a request for an amendment of information as
provided for in such subsection and a statement of disagreement has
been filed pursuant to subsection (d), the person shall inform the
individual of such filing and shall not be required to carry out the
procedures required under this section.
(g) Rules of Construction.--This section shall not be construed
to--
(1) require that a person described in subsection (a)(2)
conduct a formal, informal, or other hearing or proceeding
concerning a request for an amendment to protected health
information;
(2) require a provider to amend an individual's protected
health information as to the type, duration, or quality of
treatment the individual believes he or she should have been
provided; or
(3) permit any deletions or alterations of the original
information.
SEC. 103. NOTICE OF CONFIDENTIALITY PRACTICES.
(a) Preparation of Written Notice.--A health care provider, health
plan, health oversight agency, public health authority, employer, life
insurer, health researcher, school, or university shall post or
provide, in writing and in a clear and conspicuous manner, notice of
the person's confidentiality practices, that shall include--
(1) a description of an individual's rights with respect to
protected health information;
(2) the uses and disclosures of protected health
information authorized under this Act;
(3) the procedures for authorizing disclosures of protected
health information and for revoking such authorizations;
(4) the procedures established by the person for the
exercise of the individual's rights; and
(5) the right to obtain a copy of the notice of the
confidentiality practices required under this Act.
(b) Model Notice.--The Secretary, after notice and opportunity for
public comment, shall develop and disseminate model notices of
confidentiality practices, using the advice of the National Committee
on Vital Health Statistics, for use under this section. Use of the
model notice shall serve as an absolute defense against claims of
receiving inappropriate notice.
Subtitle B--Establishment of Safeguards
SEC. 111. ESTABLISHMENT OF SAFEGUARDS.
(a) In General.--A health care provider, health plan, health
oversight agency, public health authority, employer, life insurer,
health researcher, law enforcement official, school, or university
shall establish and maintain appropriate administrative, technical, and
physical safeguards to protect the confidentiality, security, accuracy,
and integrity of protected health information created, received,
obtained, maintained, used, transmitted, or disposed of by such person.
(b) Fundamental Safeguards.--The safeguards established pursuant to
subsection (a) shall address the following factors:
(1) The purpose for which protected health information is
needed and whether that purpose can be accomplished with
nonidentifiable health information.
(2) Appropriate procedures for maintaining the security of
protected health information and assuring the appropriate use
of any key used in creating nonidentifiable health information.
(3) The categories of personnel who will have access to
protected health information and appropriate training,
supervision and sanctioning of such personnel with respect to
their use of protected health information and adherence to
established safeguards.
(4) Appropriate limitations on access to individual
identifiers.
(5) Appropriate mechanisms for limiting disclosures of
protected information to the information necessary to respond
to the request for disclosure.
(6) Procedures for handling requests for protected health
information by persons other than the individual who is the
subject of such information, including relatives and affiliates
of such individual, law enforcement officials, parties in civil
litigation, health care providers, and health plans.
SEC. 112. ACCOUNTING FOR DISCLOSURES.
(a) In General.--A health care provider, health plan, health
oversight agency, public health authority, employer, life insurer,
health researcher, law enforcement official, school, or university
shall establish and maintain a process for documenting the disclosure
of protected health information by any such person through the
recording of the name and address of the recipient of the information,
or through the recording of another means of contacting the recipient,
and the purpose of the disclosure.
(b) Record of Disclosure.--A record (or other means of
documentation) established under subsection (a) shall be maintained for
not less than 7 years.
(c) Identification of Disclosed Information as Protected Health
Information.--Except as otherwise provided in this title, protected
health information shall be clearly identified as protected health
information that is subject to this Act.
TITLE II--RESTRICTIONS ON USE AND DISCLOSURE
SEC. 201. GENERAL RULES REGARDING USE AND DISCLOSURE.
(a) Disclosure Prohibited.--A health care provider, health plan,
health oversight agency, public health authority, employer, life
insurer, health researcher, law enforcement official, school, or
university, or any agents of such a person, may not disclose protected
health information except as authorized under this Act or as authorized
by the individual who is the subject of such information.
(b) Applicability to Agents.--
(1) In general.--A person described in subsection (a) may
use an agent, including a contractor, to carry out an otherwise
lawful activity using protected health information maintained
by such person if the person specifies the activities for which
the agent is authorized to use such protected health
information and prohibits the agent from using or disclosing
protected health information for purposes other than carrying
out the specified activities.
(2) Limitation on liability.--Notwithstanding any other
provision of this Act, a person who has limited the activities
of an agent as provided for in paragraph (1), shall not be
liable for the actions or disclosures of the agent that are not
in fulfillment of those activities.
(3) Limitations on agents.--An agent who receives protected
health information from a person described in subsection (a)
shall, in its own right, be subject to the applicable
provisions of this Act.
(c) Applicability to Employers.--
(1) In general.--An employer may use an employee or agent
to create, receive, or maintain protected health information in
order to carry out an otherwise lawful activity so long as--
(A) the disclosure of the protected employee health
information within the entity is compatible with the
purpose for which the information was obtained and
limited to information necessary to accomplish the
purpose of the disclosure; and
(B) the employer prohibits the release, transfer or
communication of the protected health information to
officers, employees, or agents responsible for hiring,
promotion, and making work assignment decisions with
respect to the subject of the information.
(2) Determination.--For purposes of paragraph (1)(A), the
determination of what constitutes information necessary to
accomplish the purpose for which the information is obtained
shall be made by a health care provider, except in situations
involving payment for health plan operations undertaken by the
employer.
(d) Creation of Nonidentifiable Health Information.--A person
described in subsection (a) may use protected health information for
the purpose of creating nonidentifiable health information.
(e) Individual Authorization.--To be valid, an authorization to
disclose protected health information under this title shall--
(1) identify the individual who is the subject of the
protected health information;
(2) describe the nature of the information to be disclosed;
(3) identify the type of person to whom the information is
to be disclosed;
(4) describe the purpose of the disclosure;
(5) be subject to revocation by the individual and indicate
that the authorization is valid until revocation by the
individual; and
(6) be in writing, dated, and signed by the individual, a
family member or other authorized representative.
(f) Manipulation of Nonidentifiable Health Information.--Any person
who manipulates nonidentifiable health information in order to identify
an individual, or uses a key to identify an individual without
authorization, is deemed to have disclosed protected health
information.
SEC. 202. PROCUREMENT OF AUTHORIZATIONS FOR USE AND DISCLOSURE OF
PROTECTED HEALTH INFORMATION FOR TREATMENT, PAYMENT, AND
HEALTH CARE OPERATIONS.
(a) Authorizations.--
(1) In general.--With respect to each individual, a single
authorization that substantially complies with section 201(e)
must be secured to permit the use and disclosure of protected
health information concerning such individual for treatment,
payment, and health care operations, as provided for in this
subsection.
(2) Employers.--Every employer offering a health plan to
its employees shall, at the time of, and as a condition of
enrollment in the health plan, obtain a signed, written
authorization that is a legal, informed authorization
concerning the use and disclosure of protected health
information for treatment, payment, and health care operations
with respect to each individual who is eligible to receive care
under the health plan.
(3) Health plans.--Every health plan offering enrollment to
individuals or non-employer groups shall, at the time of, and
as a condition of enrollment in the health plan, obtain a
signed, written authorization that is a legal, informed
authorization concerning the use and disclosure of protected
health information for treatment, payment, and health care
operations, with respect to each individual who is eligible to
receive care under the plan.
(4) Uninsured.--An originating provider providing health
care to an uninsured individual, shall obtain a signed, written
authorization to use and disclose protected health information
with respect to such individual for treatment, payment, and
health care operations of such provider, and in arranging for
treatment and payment from other providers.
(5) Providers.--Any health care provider providing health
care to an individual may, in connection with providing such
care, obtain a signed, written authorization that is a legal,
informed authorization concerning the use and disclosure of
protected health information with respect to such individual
for treatment, payment, and health care operations of such
provider.
(b) Revocation of Authorization.--
(1) In general.--An individual may revoke an authorization
under this section at any time, by sending written notice to
the person who obtained such authorization, unless the
disclosure that is the subject of the authorization is required
to complete a course of treatment, effectuate payment, or
conduct health care operations for health care that has been
provided to the individual.
(2) Health plans.--With respect to a health plan, the
authorization of an individual is deemed to be revoked at the
time of the cancellation or non-renewal of enrollment in the
health plan, except as may be necessary to conduct health care
operations and complete payment requirements related to the
individual's period of enrollment.
(3) Termination of plan.--With respect to the revocation of
an authorization under this section by an enrollee in a health
plan, the health plan may terminate the coverage of such
enrollee under such plan if the health plan determines that the
revocation has resulted in the inability of the plan to provide
care for the enrollee or conduct health care operations.
(c) Record of Individual's Authorizations and Revocations.--Each
person who obtains or is required to obtain an authorization under this
section shall maintain a record for a period of 7 years of each such
authorization of an individual and revocation thereof.
(d) Model Authorizations.--The Secretary, after notice and
opportunity for public comment, shall develop and disseminate model
written authorizations of the type described in subsection (a). The
Secretary shall consult with the National Committee on Vital and Health
Statistics in developing such authorizations. An authorization obtained
on a model authorization form developed by the Secretary pursuant to
the preceding sentence shall be deemed to meet the authorization
requirements of this section.
(e) Rules of Construction.--
(1) Single authorizations.--An employer or health plan
shall be deemed to meet the requirements of subsection (a) with
respect to a spouse, child, or other eligible dependent if, at
the time of enrollment, a single authorization under subsection
(a) is obtained from the employee or other individual who
accepts responsibility for health plan enrollment.
(2) Requirement for separate authorization.--An
authorization for the disclosure of protected health
information for treatment, payment, and health care operations
shall not directly or indirectly authorize the disclosure of
such information for any other purpose. Any other such
disclosures shall require a separate authorization under
section 203.
SEC. 203. AUTHORIZATIONS FOR USE OR DISCLOSURE OF PROTECTED HEALTH
INFORMATION OTHER THAN FOR TREATMENT, PAYMENT, AND HEALTH
CARE OPERATIONS.
(a) In General.--An individual who is the subject of protected
health information may authorize any person to disclose or use such
information for any purpose. An authorization under this section shall
not be valid if the signing of such authorization by the individual is
a prerequisite for the signing of an authorization under section 202.
(b) Written Authorizations.--A person may disclose and use
protected health information, for purposes other than those authorized
under section 202, pursuant to a written authorization signed by the
individual who is the subject of the information that meets the
requirements of section 201(e). An authorization under this section
shall be separate from any authorization provided under section 202.
(c) Limitation on Authorizations.--
(1) In general.--Notwithstanding any other provision of
Federal law, life insurers, and any other entity that offers
disability income or long term care insurance under the laws of
any State, shall meet the requirements of section 201(a) with
respect to an individual for purposes of life, disability
income or long term care insurance, by obtaining the
authorization of the individual under this section.
(2) During period of coverage.--Notwithstanding paragraph
(1), an authorization obtained in the ordinary course of
business in connection with life, disability income or long-term
care insurance under this section shall remain in effect
during the term of the individual's insurance coverage and as
may be necessary to enable the issuer to meet its obligations with
respect to such individual under the terms of the policy, plan or
program.
(3) Other authorizations.--An authorization obtained from
an individual in connection with an application that does not
result in coverage with respect to such individual shall expire
the earlier of the date specified in the individual's
authorization or the effective date of any revocation under
subsection (d).
(d) Revocation or Amendment of Authorization.--
(1) In general.--Except as otherwise provided for in this
section, an individual may revoke or amend an authorization
described in this section by providing written notice to the
person who obtained such authorization unless the disclosure
that is the subject of the authorization is related to the
evaluation of an application for life, disability income or
long-term care insurance coverage or a claim for life,
disability income or long-term care insurance benefits.
(2) Notice of revocation.--A person that discloses
protected health information pursuant to an authorization that
has been revoked under paragraph (1) shall not be subject to
any liability or penalty under this title if that person had no
actual notice of the revocation.
(e) Disclosure for Purpose Only.--A recipient of protected health
information pursuant to an authorization under subsection (b) may
disclose such information only to carry out the purposes for which the
information was authorized to be disclosed.
(f) Model Authorizations.--
(1) In general.--The Secretary, after notice and
opportunity for public comment, shall develop and disseminate
model written authorizations of the type described in
subsection (b). The Secretary shall consult with the National
Committee on Vital and Health Statistics in developing such
authorizations.
(2) Authority of insurance commissioner.--Notwithstanding
paragraph (1), the insurance commissioner of the State of
domicile of a life insurer may exercise exclusive authority in
developing and disseminating model written authorizations for
purposes of subsection (c).
(3) Compliance with requirements.--An authorization
obtained using a model authorization promulgated under this
subsection shall be deemed to meet the authorization
requirements of this section.
(g) Authorizations for Research.--This section applies to health
research only where such research is not governed by section 208.
SEC. 204. NEXT OF KIN AND DIRECTORY INFORMATION.
(a) Next of Kin.--A health care provider, or a person who receives
protected health information under section 205, may disclose protected
health information regarding an individual to the individual's spouse,
parent, child, sister, brother, next of kin, or to another person whom
the individual has identified, if--
(1) the individual who is the subject of the information--
(A) has been notified of the individual's right to
object to such disclosure and the individual has not
objected to the disclosure; or
(B) is in a physical or mental condition such that
the individual is not capable of objecting, and there
are no prior indications that the individual would
object;
(2) the information disclosed relates to health care
currently being provided to that individual; and
(3) the disclosure of the protected health information is
consistent with good medical or professional practice.
(b) Directory Information.--
(1) Disclosure.--
(A) In general.--Except as provided in paragraph
(2), a person described in subsection (a) may disclose
the information described in subparagraph (B) to any
person if the individual who is the subject of the
information--
(i) has been notified of the individual's
right to object and the individual has not
objected to the disclosure; or
(ii) is in a physical or mental condition
such that the individual is not capable of
objecting, the individual's next of kin has not
objected, and there are no prior indications
that the individual would object.
(B) Information.--Information described in this
subparagraph is information that consists only of 1 or
more of the following items:
(i) The name of the individual who is the
subject of the information.
(ii) The general health status of the
individual, described as critical, poor, fair,
stable, or satisfactory or in terms denoting
similar conditions.
(iii) The location of the individual on
premises controlled by a provider.
(2) Exception.--
(A) Location.--Paragraph (1)(B)(iii) shall not
apply if disclosure of the location of the individual
would reveal specific information about the physical or
mental condition of the individual, unless the
individual expressly authorizes such disclosure.
(B) Directory or next of kin information.--A
disclosure may not be made under this section if the
health care provider involved has reason to believe
that the disclosure of directory or next of kin
information could lead to the physical or mental harm
of the individual, unless the individual expressly
authorizes such disclosure.
SEC. 205. EMERGENCY CIRCUMSTANCES.
Any person who creates or receives protected health information
under this title may disclose protected health information in emergency
circumstances when necessary to protect the health or safety of the
individual who is the subject of such information from serious,
imminent harm. No disclosure made in the good faith belief that the
disclosure was necessary to protect the health or safety of an
individual from serious, imminent harm shall be in violation of, or
punishable under, this Act.
SEC. 206. OVERSIGHT.
(a) In General.--Any person may disclose protected health
information to an accrediting body or public health authority, a health
oversight agency, or a State insurance department, for purposes of an
oversight function authorized by law.
(b) Protection From Further Disclosure.--Protected health
information that is disclosed under this section shall not be further
disclosed by an accrediting body or public health authority, a health
oversight agency, a State insurance department, or their agents for any
purpose unrelated to the authorized oversight function. Notwithstanding
any other provision of law, protected health information disclosed
under this section shall be protected from further disclosure by an
accrediting body or public health authority, a health oversight agency,
a State insurance department, or their agents pursuant to a subpoena,
discovery request, introduction as evidence, testimony, or otherwise.
(c) Authorization by a Supervisor.--For purposes of this section,
the individual with authority to authorize the oversight function
involved shall provide to the person described in subsection (a) a
statement that the protected health information is being sought for a
legally authorized oversight function.
(d) Use in Action Against Individuals.--Protected health
information about an individual that is disclosed under this section
may not be used by the recipient in, or disclosed by the recipient to
any person for use in, an administrative, civil, or criminal action or
investigation directed against the individual who is the subject of the
protected health information unless the action or investigation arises
out of and is directly related to--
(1) the receipt of health care or payment for health care;
or
(2) a fraudulent claim related to health care, or a
fraudulent or material misrepresentation of the health of the
individual.
SEC. 207. PUBLIC HEALTH.
(a) In General.--A health care provider, health plan, public health
authority, health researcher, employer, life insurer, law enforcement
official, school, or university may disclose protected health
information to a public health authority or other person authorized by
law for use in a legally authorized--
(1) disease or injury report;
(2) public health surveillance;
(3) public health investigation or intervention;
(4) vital statistics report, such as birth or death
information;
(5) report of abuse or neglect information about any
individual; or
(6) report of information concerning a communicable disease
status.
(b) Identification of Deceased Individual.--Any person may disclose
protected health information if such disclosure is necessary to assist
in the identification or safe handling of a deceased individual.
(c) Requirement To Release Protected Health Information to Coroners
and Medical Examiners.--
(1) In general.--When a Coroner or a Medical Examiner, or
the duly appointed deputy of a Coroner or Medical Examiner,
seeks protected health information for the purpose of inquiry
into and determination of, the cause, manner, and circumstances
of a death, the health care provider, health plan, health
oversight agency, public health authority, employer, life
insurer, health researcher, law enforcement official, school,
or university involved shall provide the protected health
information to the Coroner or Medical Examiner or to the duly
appointed deputy without undue delay.
(2) Production of additional information.--If a Coroner or
Medical Examiner, or the duly appointed deputy of a Coroner or
Medical Examiner, receives health information from a person
referred to in paragraph (1), such health information shall
remain as protected health information unless the health
information is attached to or otherwise made a part of a
Coroner's or Medical Examiner's official report, in which case
it shall no longer be protected.
(3) Exemption.--Health information attached to or otherwise
made a part of a Coroner's or Medical Examiner's official
report, shall be exempt from the provisions of this Act.
SEC. 208. HEALTH RESEARCH.
(a) In General.--A person lawfully in possession of protected
health information may disclose such information to a health researcher
under any of the following arrangements:
(1) Research governed by the common rule.--A person
identified in subsection (a) may disclose protected health
information to a health researcher if the research project has
been approved by an institutional review board pursuant to the
requirements of the common rule as implemented by a Federal
agency.
(2) Analyses of health care records and medical archives.--
A person identified in subsection (a) may disclose protected
health information to a health researcher if--
(A) consistent with the safeguards established
pursuant to section 111 and the person's policies and
procedures established under this section, the health
research has been reviewed by a board, committee, or
other group formally designated by such person to
review research programs;
(B) the health research involves analysis of
protected health information previously created or
collected by the person;
(C) the person that maintains the protected health
information to be used in the analyses has in place a
written policy and procedure to assure the security and
confidentiality of protected health information and to
specify permissible and impermissible uses of such
information for health research;
(D) the person that maintains the protected health
information to be used in the analyses enters into a
written agreement with the recipient health researcher
that specifies the permissible and impermissible uses
of the protected health information and provides notice
to the researcher that any misuse or further disclosure
of the information to other persons is prohibited and
may provide a basis for action against the health
researcher under this Act; and
(E) the person keeps a record of health researchers
to whom protected health information has been
disclosed.
(3) Safety and efficacy reports.--A person may disclose
protected health information to a manufacturer of a drug,
biologic or medical device, in connection with any monitoring
activity or reports made to such manufacturer for use in
verifying the safety or efficacy of such manufacturer's
approved product in special populations or for long term use.
(b) Oversight.--On the advice of the National Committee on Vital
and Health Statistics, the Secretary shall report to the Congress not
later than 18 months after the effective date of this section
concerning the adequacy of the policies and procedures implemented
pursuant to subsection (a)(2) for protecting the confidentiality of
protected health information while promoting its use in research
concerning health care outcomes, the epidemiology and etiology of
diseases and conditions and the safety, efficacy and cost effectiveness
of health care interventions. Based on the conclusions of such report,
the Secretary may promulgate model language for written agreements
deemed to comply with subsection (a)(2)(C).
(c) Statutory Assurance of Confidentiality.--
(1) In general.--Protected health information obtained by a
health researcher pursuant to this section shall be used and
maintained in confidence, consistent with the confidentiality
practices established by the health researcher pursuant to
section 111.
(2) Limitation on compelled disclosure.--A health
researcher may not be compelled in any Federal, State, or local
civil, criminal, administrative, legislative, or other
proceeding to disclose protected health information created,
maintained or received under this section. Nothing in this
paragraph shall be construed to prevent an audit or lawful
investigation pursuant to the authority of a Federal department
or agency, of a research project conducted, supported or
subject to regulation by such department or agency.
(3) Limitation on further use or disclosure.--
Notwithstanding any other provision of law, information
disclosed by a health researcher to a Federal department or
agency under this subsection may not be further used or
disclosed by the department or agency for a purpose unrelated
to the department's or agency's oversight or investigation.
SEC. 209. DISCLOSURE IN CIVIL, JUDICIAL, AND ADMINISTRATIVE PROCEDURES.
(a) In General.--A health care provider, health plan, public health
authority, employer, life insurer, law enforcement official, school, or
university may disclose protected health information pursuant to a
discovery request or subpoena in a civil action brought in a Federal or
State court or a request or subpoena related to a Federal or State
administrative proceeding if such discovery request or subpoena is made
through or pursuant to a court order as provided for in subsection (b).
(b) Court Orders.--
(1) Standard for issuance.--In considering a request for a
court order regarding the disclosure of protected health
information under subsection (a), the court shall issue such
order if the court determines that without the disclosure of
such information, the person requesting the order would be
impaired from establishing a claim or defense.
(2) Requirements.--An order issued under paragraph (1)
shall--
(A) provide that the protected health information
involved is subject to court protection;
(B) specify to whom the information may be
disclosed;
(C) specify that such information may not otherwise
be disclosed or used; and
(D) meet any other requirements that the court
determines are needed to protect the confidentiality of
the information.
(c) Applicability.--This section shall not apply in a case in which
the protected health information sought under such discovery request or
subpoena relates to a party to the litigation or an individual whose
medical condition is at issue.
(d) Effect of Section.--This section shall not be construed to
supersede any grounds that may apply under Federal or State law for
objecting to turning over the protected health information.
SEC. 210. DISCLOSURE FOR LAW ENFORCEMENT PURPOSES.
A person who receives protected health information pursuant to
sections 202 through 207, may disclose such information to a State or
Federal law enforcement agency if such disclosure is pursuant to--
(1) a subpoena issued under the authority of a grand jury;
(2) an administrative or judicial subpoena or summons;
(3) a warrant issued upon a showing of probable cause;
(4) a Federal or State law requiring the reporting of
specific medical information to law enforcement authorities;
(5) a written consent or waiver of privilege by an
individual allowing access to the individual's protected health
information; or
(6) by other court order.
SEC. 211. PAYMENT CARD AND ELECTRONIC PAYMENT TRANSACTION.
(a) Payment for Health Care Through Card or Electronic Means.--If
an individual pays for health care by presenting a debit, credit, or
other payment card or account number, or by any other payment means,
the person receiving the payment may disclose to a person described in
subsection (b) only such protected health information about the
individual as is necessary in connection with activities described in
subsection (b), including the processing of the payment transaction or
the billing or collection of amounts charged to, debited from, or
otherwise paid by, the individual using the card, number, or other
means.
(b) Transaction Processing.--A person who is a debit, credit, or
other payment card issuer, a payment system operator, a financial
institution participant in a payment system or is an entity assisting
such an issuer, operator, or participant in connection with activities
described in this subsection, may use or disclose protected health
information about an individual in connection with--
(1) the authorization, settlement, billing, processing,
clearing, transferring, reconciling, or collection of amounts
charged, debited or otherwise paid using a debit, credit, or
other payment card or account number, or by other payment
means;
(2) the transfer of receivables, accounts, or interest
therein;
(3) the audit of the debit, credit, or other payment
information;
(4) compliance with Federal, State, or local law;
(5) compliance with a properly authorized civil, criminal,
or regulatory investigation by Federal, State, or local
authorities as governed by the requirements of this section; or
(6) fraud protection, risk control, resolving customer
disputes or inquiries, communicating with the person to whom
the information relates, or reporting to consumer reporting
agencies.
(c) Specific Prohibitions.--A person described in subsection (b)
may not disclose protected health information for any purpose that is
not described in subsection (b). Notwithstanding any other provision of
law, any health care provider, health plan, health oversight agency,
health researcher, employer, life insurer, school or university who
makes a good faith disclosure of protected health information to an
entity and for the purposes described in subsection (b) shall not be
liable for subsequent disclosures by such entity.
(d) Scope.--
(1) In general.--The use of protected health information by
a person described in subsection (b) and its agents shall not
be considered a disclosure for purposes of this Act, so long as
the use involved is consistent with the activities authorized
in subsection (b) or other purposes for which the information
was lawfully obtained.
(2) Regulated institutions.--A person who is subject to
enforcement pursuant to section 8 of the Federal Deposit
Insurance Act or who is a Federal credit union or State credit
union as defined in the Federal Credit Union Act or who is
registered pursuant to the Securities and Exchange Act, or who
is an entity assisting such a person--
(A) shall not be subject to this Act to the extent
that such person or entity is described in subsection
(b) and to the extent that such person or entity is
engaged in activities authorized in that subsection;
and
(B) shall be subject to enforcement exclusively
under section 8 of the Federal Deposit Insurance Act,
the Federal Credit Union Act, or the Securities and
Exchange Act, as applicable, to the extent that such
person or entity is engaged in activities other than
those permitted under subsection (b).
(3) Rule of Construction.--Nothing in this subsection shall
be construed to exempt entities described in paragraph (2) from
the prohibition set forth in subsection (c).
SEC. 212. INDIVIDUAL REPRESENTATIVES.
(a) In General.--Except as provided in subsections (b) and (c), a
person who is authorized by law (based on grounds other than the
individual being a minor), or by an instrument recognized under law, to
act as an agent, attorney, proxy, or other legal representative of a
protected individual, may, to the extent so authorized, exercise and
discharge the rights of the individual under this Act.
(b) Health Care Power of Attorney.--A person who is authorized by
law (based on grounds other than being a minor), or by an instrument
recognized under law, to make decisions about the provision of health
care to an individual who is incapacitated, may exercise and discharge
the rights of the individual under this Act to the extent necessary to
effectuate the terms or purposes of the grant of authority.
(c) No Court Declaration.--If a health care provider determines
that an individual, who has not been declared to be legally
incompetent, suffers from a medical condition that prevents the
individual from acting knowingly or effectively on the individual's own
behalf, the right of the individual to authorize disclosure under this
Act may be exercised and discharged in the best interest of the
individual by--
(1) a person described in subsection (b) with respect to
the individual;
(2) a person described in subsection (a) with respect to
the individual, but only if a person described in paragraph (1)
cannot be contacted after a reasonable effort;
(3) the next of kin of the individual, but only if a person
described in paragraph (1) or (2) cannot be contacted after a
reasonable effort; or
(4) the health care provider, but only if a person
described in paragraph (1), (2), or (3) cannot be contacted
after a reasonable effort.
(d) Application to Deceased Individuals.--The provisions of this
Act shall continue to prevent disclosure of protected health
information concerning a deceased individual.
(e) Exercise of Rights on Behalf of a Deceased Individual.--
(1) In general.--A person who is authorized by law or by an
instrument recognized under law, to act as an executor of the
estate of a deceased individual, or otherwise to exercise the
rights of the deceased individual, may, to the extent so
authorized, exercise and discharge the rights of such deceased
individual under this Act for a period of 2 years following the
death of such individual. If no such designee has been
authorized, the rights of the deceased individual may be
exercised as provided for in subsection (c).
(2) Insured individuals.--In the case of an individual who
is deceased and who was the insured under an insurance policy
or policies, the right to authorize disclosure of protected
health information may be exercised by the beneficiary or
beneficiaries of such insurance policy or policies.
(f) Rights of Minors.--The rights of minors under this Act shall be
exercised by a parent, the minor or other person as provided under
applicable state law.
SEC. 213. NO LIABILITY FOR PERMISSIBLE DISCLOSURES.
A health care provider, health plan, health oversight agency,
health researcher, employer, life insurer, school, or university, or an
agent of any such person, that makes a disclosure of protected health
information about an individual that is permitted by this Act shall not
be liable to the individual for such disclosure under common law.
SEC. 214. SALE OF BUSINESS, MERGERS, ETC.
(a) In General.--A health care provider, health plan, health
oversight agency, employer, life insurer, school, or university may
disclose protected health information to a person or persons for
purposes of enabling business decisions to be made about or in
connection with the purchase, transfer, merger, or sale of a business
or businesses.
(b) No Further Use or Disclosure.--A person or persons who receive
protected health information under this section shall make no further
use or disclosure of such information unless otherwise authorized under
this Act.
TITLE III--SANCTIONS
Subtitle A--Criminal Provisions
SEC. 301. WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION.
(a) In General.--Part I of title 18, United States Code, is amended
by adding at the end the following:
``CHAPTER 124--WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION
``SEC. 2801. WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION.
``(a) Offense.--The penalties described in subsection (b) shall
apply to a person that knowingly and intentionally--
``(1) obtains protected health information relating to an
individual from a health care provider, health plan, health
oversight agency, public health authority, employer, life
insurer, health researcher, law enforcement official, school,
or university except as provided in title II of the Medical
Information Protection Act of 1999; or
``(2) discloses protected health information to another
person in a manner other than that which is permitted under
title II of the Medical Information Protection Act of 1999.
``(b) Penalties.--A person described in subsection (a) shall--
``(1) be fined not more than $50,000, imprisoned not more
than 1 year, or both;
``(2) if the offense is committed under false pretenses, be
fined not more than $100,000, imprisoned not more than 5 years,
or both; or
``(3) if the offense is committed with the intent to sell,
transfer, or use protected health information for monetary gain
or malicious harm, be fined not more than $250,000, imprisoned
not more than 10 years, or both.
``(c) Subsequent Offenses.--In the case of a person described in
subsection (a), the maximum penalties described in subsection (b) shall
be doubled for every subsequent conviction for an offense arising out
of a violation or violations related to a set of circumstances that are
different from those involved in the previous violation or set of
related violations described in such subsection (a).''.
(b) Clerical Amendment.--The table of chapters for part I of title
18, United States Code, is amended by inserting after the item relating
to chapter 123 the following new item:
``124. Wrongful disclosure of protected health information.. 2801''.
Subtitle B--Civil Sanctions
SEC. 311. CIVIL PENALTY VIOLATION.
A person who the Secretary, in consultation with the Attorney
General, determines has substantially and materially failed to comply
with this Act shall be subject, in addition to any other penalties that
may be prescribed by law--
(1) in a case in which the violation relates to title I, to
a civil penalty of not more than $500 for each such violation,
but not to exceed $5,000 in the aggregate for multiple
violations arising from the same failure to comply with the
Act;
(2) in a case in which the violation relates to title II,
to a civil penalty of not more than $10,000 for each such
violation, but not to exceed $50,000 in the aggregate for
multiple violations arising from the same failure to comply
with the Act; or
(3) in a case in which the Secretary finds that such
violations have occurred with such frequency as to constitute a
general business practice, to a civil penalty of not more than
$100,000.
SEC. 312. PROCEDURES FOR IMPOSITION OF PENALTIES.
(a) Initiation of Proceedings.--
(1) In general.--The Secretary, in consultation with the
Attorney General, may initiate a proceeding to determine
whether to impose a civil money penalty under section 311. The
Secretary may not initiate an action under this section with
respect to any violation described in section 311 after the
expiration of the 6-year period beginning on the date on which
such violation was alleged to have occurred. The Secretary may
initiate an action under this section by serving notice of the
action in any manner authorized by Rule 4 of the Federal Rules
of Civil Procedure.
(2) Notice and opportunity for hearing.--The Secretary
shall not make a determination adverse to any person under
paragraph (1) until the person has been given written notice
and an opportunity for the determination to be made on the
record after a hearing at which the person is entitled to be
represented by counsel, to present witnesses, and to cross-
examine witnesses against the person.
(3) Sanctions for failure to comply.--The official
conducting a hearing under this section may sanction a person,
including any party or attorney, for failing to comply with an
order or procedure, failing to defend an action, or other
misconduct as would interfere with the speedy, orderly, or fair
conduct of the hearing. Such sanction shall reasonably relate
to the severity and nature of the failure or misconduct. Such
sanction may include--
(A) in the case of refusal to provide or permit
discovery, drawing negative factual inferences or
treating such refusal as an admission by deeming the
matter, or certain facts, to be established;
(B) prohibiting a party from introducing certain
evidence or otherwise supporting a particular claim or
defense;
(C) striking pleadings, in whole or in part;
(D) staying the proceedings;
(E) dismissal of the action;
(F) entering a default judgment;
(G) ordering the party or attorney to pay
attorneys' fees and other costs caused by the failure
or misconduct; and
(H) refusing to consider any motion or other action
which is not filed in a timely manner.
(b) Scope of Penalty.--In determining the amount or scope of any
penalty imposed pursuant to section 311, the Secretary shall take into
account--
(1) the nature of claims and the circumstances under which
they were presented;
(2) the degree of culpability, history of prior offenses,
and financial condition of the person presenting the claims;
(3) evidence of good faith endeavor to protect the
confidentiality of protected health information; and
(4) such other matters as justice may require.
(c) Review of Determination.--
(1) In general.--Any person adversely affected by a
determination of the Secretary under this section may obtain a
review of such determination in the United States Court of
Appeals for the circuit in which the person resides, or in
which the claim was presented, by filing in such court (within
60 days following the date the person is notified of the
determination of the Secretary) a written petition requesting
that the determination be modified or set aside.
(2) Filing of record.--A copy of the petition filed under
paragraph (1) shall be forthwith transmitted by the clerk of
the court to the Secretary, and thereupon the Secretary shall
file in the Court the record in the proceeding as provided in
section 2112 of title 28, United States Code. Upon such filing,
the court shall have jurisdiction of the proceeding and of the
question determined therein, and shall have the power to make
and enter upon the pleadings, testimony, and proceedings set
forth in such record a decree affirming, modifying, remanding
for further consideration, or setting aside, in whole or in
part, the determination of the Secretary and enforcing the same
to the extent that such order is affirmed or modified.
(3) Consideration of objections.--No objection that has not
been raised before the Secretary with respect to a
determination described in paragraph (1) shall be considered by
the court, unless the failure or neglect to raise such
objection shall be excused because of extraordinary
circumstances.
(4) Findings.--The findings of the Secretary with respect
to questions of fact in an action under this subsection, if
supported by substantial evidence on the record considered as a
whole, shall be conclusive. If any party shall apply to the
court for leave to adduce additional evidence and shall show to
the satisfaction of the court that such additional evidence is
material and that there were reasonable grounds for the failure
to adduce such evidence in the hearing before the Secretary,
the court may order such additional evidence to be taken before
the Secretary and to be made a part of the record. The
Secretary may modify findings as to the facts, or make new
findings, by reason of additional evidence so taken and filed,
and shall file with the court such modified or new findings,
and such findings with respect to questions of fact, if
supported by substantial evidence on the record considered as a
whole, and the recommendations of the Secretary, if any, for
the modification or setting aside of the original order, shall
be conclusive.
(5) Exclusive jurisdiction.--Upon the filing of the record
with the court under paragraph (2), the jurisdiction of the
court shall be exclusive and its judgment and decree shall be
final, except that the same shall be subject to review by the
Supreme Court of the United States, as provided for in section
1254 of title 28, United States Code.
(d) Recovery of Penalties.--
(1) In general.--Civil money penalties imposed under this
subtitle may be compromised by the Secretary and may be
recovered in a civil action in the name of the United States brought in
United States district court for the district where the claim was
presented, or where the claimant resides, as determined by the
Secretary. Amounts recovered under this section shall be paid to the
Secretary and deposited as miscellaneous receipts of the Treasury of
the United States.
(2) Deduction from amounts owing.--The amount of any
penalty, when finally determined under this section, or the
amount agreed upon in compromise under paragraph (1), may be
deducted from any sum then or later owing by the United States
or a State to the person against whom the penalty has been
assessed.
(e) Determination Final.--A determination by the Secretary to
impose a penalty under section 311 shall be final upon the expiration
of the 60-day period referred to in subsection (c)(1). Matters that
were raised or that could have been raised in a hearing before the
Secretary or in an appeal pursuant to subsection (c) may not be raised
as a defense to a civil action by the United States to collect a
penalty under section 311.
(f) Subpoena Authority.--
(1) In general.--For the purpose of any hearing,
investigation, or other proceeding authorized or directed under
this section, or relative to any other matter within the
jurisdiction of the Attorney General hereunder, the Attorney
General, acting through the Secretary shall have the power to
issue subpoenas requiring the attendance and testimony of
witnesses and the production of any evidence that relates to
any matter under investigation or in question before the
Secretary. Such attendance of witnesses and production of
evidence at the designated place of such hearing,
investigation, or other proceeding may be required from any
place in the United States or in any Territory or possession
thereof.
(2) Service.--Subpoenas of the Secretary under paragraph
(1) shall be served by anyone authorized by the Secretary by
delivering a copy thereof to the individual named therein.
(3) Proof of service.--A verified return by the individual
serving the subpoena under this subsection setting forth the
manner of service shall be proof of service.
(4) Fees.--Witnesses subpoenaed under this subsection shall
be paid the same fees and mileage as are paid witnesses in the
district court of the United States.
(5) Refusal to obey.--In case of contumacy by, or refusal
to obey a subpoenaed duly served upon, any person, any district
court of the United States for the judicial district in which
such person charged with contumacy or refusal to obey is found
or resides or transacts business, upon application by the
Secretary, shall have jurisdiction to issue an order requiring
such person to appear and give testimony, or to appear and
produce evidence, or both. Any failure to obey such order of
the court may be punished by the court as contempt thereof.
(g) Injunctive Relief.--Whenever the Secretary has reason to
believe that any person has engaged, is engaging, or is about to engage
in any activity which makes the person subject to a civil monetary
penalty under section 311, the Secretary may bring an action in an
appropriate district court of the United States (or, if applicable, a
United States court of any territory) to enjoin such activity, or to
enjoin the person from concealing, removing, encumbering, or disposing
of assets which may be required in order to pay a civil monetary
penalty if any such penalty were to be imposed or to seek other
appropriate relief.
(h) Agency.--A principal is liable for penalties under section 311
for the actions of the principal's agent acting within the scope of the
agency.
SEC. 313. ENFORCEMENT BY STATE INSURANCE COMMISSIONERS.
(a) State Penalties.--Subject to section 401, and notwithstanding
any other provision of this title, the insurance commissioner of the
State of residence of an insured under a life, disability income or
long-term care insurance policy may exercise exclusive authority to
impose any penalties on a life insurer for violations of this Act in
connection with life, disability income or long-term care insurance
pursuant to the administrative procedures provided under that State's
insurance laws.
(b) Fail-Safe Federal Authority.--In the case of a State that fails
to substantially enforce the requirements of title I or title II of
this Act with respect to life insurers regulated by such State, the
provisions of this title shall apply with respect to a life insurer in
the same way that they apply to other persons subject to the Act.
TITLE IV--MISCELLANEOUS
SEC. 401. RELATIONSHIP TO OTHER LAWS.
(a) State and Federal Law.--Except as provided in this section, the
provisions of this Act shall preempt any State law that relates to
matters covered by this Act. Nothing in this Act shall be construed to
preempt, modify, repeal or affect the interpretation of a provision of
Federal or State law that relates to the disclosure of protected health
information or any other information about a minor to a parent or
guardian of such minor. This Act shall not be construed as repealing,
explicitly or implicitly, other Federal laws or regulations relating to
protected health information or relating to an individual's access to
protected health information or health care services.
(b) Privileges.--Nothing in this title shall be construed to
preempt or modify any provisions of State statutory or common law to
the extent that such law concerns a privilege of a witness or person in
a court of that State. This title shall not be construed to supersede
or modify any provision of Federal statutory or common law to the
extent such law concerns a privilege of a witness or person in a court
of the United States. Authorizations pursuant to sections 202 and 203
shall not be construed as a waiver of any such privilege.
(c) Reports Concerning Federal Privacy Act.--Not later than 1 year
after the date of enactment of this Act, the head of each Federal
agency shall prepare and submit to Congress a report concerning the
effect of this Act on each such agency. Such reports shall
include recommendations for legislation to address concerns relating to
the Federal Privacy Act.
(d) Application to Certain Federal Agencies.--
(1) Department of defense.--
(A) Exceptions.--The Secretary of Defense may, by
regulation, establish exceptions to the disclosure
requirements of this Act to the extent such Secretary
determines that disclosure of protected health
information relating to members of the armed forces
from systems of records operated by the Department of
Defense is necessary under circumstances different from
those permitted under this Act for the proper conduct
of national defense functions by members of the armed
forces.
(B) Application to civilian employees.--The
Secretary of Defense may, by regulation, establish for
civilian employees of the Department of Defense and
employees of Department of Defense contractors,
limitations on the right of such persons to revoke or
amend authorizations for disclosures under section 203
when such authorizations were provided by such
employees as a condition of employment and the
disclosure is determined necessary by the Secretary of
Defense to the proper conduct of national defense
functions by such employees.
(2) Department of transportation.--
(A) Exceptions.--The Secretary of Transportation
may, with respect to members of the Coast Guard,
exercise the same powers as the Secretary of Defense
may exercise under paragraph (1)(A).
(B) Application to civilian employees.--The
Secretary of Transportation may, with respect to
civilian employees of the Coast Guard and Coast Guard
contractors, exercise the same powers as the Secretary
of Defense may exercise under paragraph (1)(B).
(3) Department of veterans affairs.--The limitations on use
and disclosure of protected health information under this Act
shall not be construed to prevent any exchange of such
information within and among components of the Department of
Veterans Affairs that determine eligibility for or entitlement
to, or that provide, benefits under laws administered by the
Secretary of Veteran Affairs.
SEC. 402. CONFORMING AMENDMENT.
Section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)) is
amended to read as follows:
``(6) Individually identifiable health information.--The
term `individually identifiable health information' has the
same meaning given the term `protected health information' by
section 4 of the Medical Information Protection Act of 1999.''.
SEC. 403. STUDY BY INSTITUTE OF MEDICINE.
Not later than 2 years after the date of enactment of this Act, the
National Research Council in conjunction with the Institute of Medicine
of the National Academy of Sciences shall conduct a study to examine
research issues relating to protected health information, such as the
quality and uniformity of institutional review boards and their
practices with respect to data management for both researchers and
institutional review boards, as well as current and proposed protection
of health information in relation to the legitimate needs of law
enforcement. The Council shall prepare and submit to Congress a report
concerning the results of such study.
SEC. 405. EFFECTIVE DATE.
(a) Effective Date.--Except as provided in subsection (b), this Act
shall take effect on the date that is 12 months after the date on which
regulations are promulgated as required under subsection (c).
(b) Applicability.--The provisions of this Act shall only apply to
protected health information collected and disclosed 12 months after
the date on which regulations are promulgated as required under
subsection (c).
(c) Regulations.--Not later than 12 months after the date of
enactment of this Act, the Secretary shall, in consultation with the
National Committee on Vital and Health Statistics, promulgate
regulations implementing this Act.
(d) Exception.--If, not later than 18 months after the date of
enactment of this Act, the Secretary has not promulgated the
regulations required under subsection (c), the effective date for
purposes of subsections (a) and (b) shall be the date that is 30 months
after the date of enactment of this Act or 12 months after the
promulgation of such regulations, whichever is earlier.
<all>
Introduced in Senate
Sponsor introductory remarks on measure. (CR S4257)
Referred to the Committee on HELP.
Committee on Health, Education, Labor, and Pensions. Hearings held. Hearings printed: S.Hrg. 106-64.