SUMMARY AS OF:
6/30/1999--Introduced.
TABLE OF CONTENTS:
- Title I: Individual's Rights
- Subtitle A: Review of Protected Health Information by Subjects of the
Information
- Subtitle B: Establishment of Safeguards
- Title II: Restrictions on Use and Disclosure
- Title III: Sanctions
- Subtitle A: Criminal Provisions
- Subtitle B: Civil Sanction
- Title IV: Miscellaneous
Personal Medical Information Protection Act of 1999 - Title I:
Individual's Rights - Subtitle A: Review of Protected Health Information
by Subjects of the Information - Grants to individuals who are the subject
of protected health information, or to the individual's designee, the right to
inspect and copy such information. Provides for: (1) procedures and fees; (2) a
special rule relating to ongoing clinical trials; (3) amendment of protected
health information; (4) rules governing agents; and (5) notice of
confidentiality practices.
Subtitle B: Establishment of Safeguards - Mandates safeguards to
protect the confidentiality, security, accuracy, and integrity of protected
health information created, received, obtained, maintained, used, transmitted,
or disposed of by a health care provider, health plan, health oversight agency,
public health authority, employer, health or life insurer, health researcher,
law enforcement official, school, or university (entity). Recommends encryption
technology with regard to computer database medical record protection against
unauthorized disclosure of protected health information. Details disclosure
recordkeeping requirements.
Title II: Restrictions on Use and Disclosure - Sets forth general
rules regarding use and authorized disclosure of protected health information,
including rules on such use or disclosure of protected health information within
an entity.
(Sec. 202) Details requirements for employers, health plans, and providers in
obtaining a signed, written authorization meeting specified requirements
concerning the use and disclosure of protected health information for treatment,
payment, and health care operations with respect to employer and group health
plan enrollees and the uninsured, respectively. Allows, generally, for
revocation of authorizations, and mandates recordkeeping of individual
authorizations and revocations.
(Sec. 203) Provides for similar written authorizations for disclosure of
protected health information other than for treatment, payment, or health care
operations. Permits an individual to revoke or amend an authorization.
Sets out requirements for release of protected health information to coroners
and medical examiners.
States that a recipient of information pursuant to an authorization may use
or disclose such information solely to carry out the purpose for which the
information was authorized for release.
Directs the Secretary of Health and Human Services (HHS) to develop and
disseminate model written authorizations.
(Sec. 204) Outlines requirements governing information disclosure to next of
kin, as well as disclosure of certain directory information.
(Sec. 205) Authorizes any person who creates or receives protected health
information under this title to disclose such information in emergency
circumstances when necessary to protect the health or safety of the individual
who is the subject of such information from serious, imminent harm.
(Sec. 206) Allows, generally, any person to disclose protected health
information to an accrediting body or public health authority, a health
oversight agency, or a State insurance department, for purposes of an oversight
function authorized by law.
(Sec. 207) Outlines the rules governing authorized entity disclosures with
regard to public health, health research, civil, judicial, and administrative
procedures, and law enforcement purposes.
(Sec. 208) Directs the Secretary to: (1) review the requirements of the
common rule (the Federal agency policy for the protection of human subjects from
research risks) pertaining to the privacy of protected health information, and
promulgate any necessary amendments; (2) submit to Congress recommendations on
standards with respect to the privacy of individually identifiable health
information in certain research; and (3) promulgate final regulations containing
such standards if appropriate legislation governing them is not enacted.
(Sec. 211) Provides that if an individual pays for health care by presenting
a debit, credit, or other payment card or account number, or by any other
electronic payment means, the entity receiving payment may disclose to
transaction personnel only such protected health information about the
individual as is necessary for payment processing, billing, or collecting
amounts paid by electronic means.
(Sec. 212) Directs the Secretary to promulgate standards for disclosing,
authorizing, and authenticating protected health information in electronic form
consistent with this title.
(Sec. 213) Specifies guidelines for agents of protected individuals
(including health care powers of attorney) and for executors of the estates of
deceased individuals.
Applies this Act to protected health information concerning a deceased
individual for two years following death.
(Sec. 214) Provides limited liability for Federal and State law enforcement
officers for violations of this Act.
(Sec. 215) Shields from common law liability to the protected individual an
entity that makes permissible disclosures under this Act.
Title III: Sanctions - Subtitle A: Criminal Provisions - Amends
the Federal criminal code to establish criminal penalties for the knowing and
intentional wrongful disclosure of protected health information in violation of
title II of this Act.
Subtitle B: Civil Sanctions - Establishes civil money penalties for
health care providers, health researchers, health plans, health oversight
agencies, public health agencies, law enforcement agencies, employers, health or
life insurers, schools, or universities, or the agent of any such individual or
entity, who the Secretary determines has substantially and materially failed to
comply with this Act. Outlines procedures for imposition of such penalties, and
provides for judicial review. Allows the Secretary to bring an action to seek
injunctive relief to prevent any activities which subject a person to a civil
monetary penalty.
(Sec. 313) Allows individuals whose rights under this Act have been knowingly
or negligently violated to bring a civil action for damages and appropriate
relief.
(Sec. 314) Directs the Secretary to develop alternative dispute resolution
procedures, including mediation and arbitration, to resolve civil claims,
possibly even before the individual brings a civil action.
Title IV: Miscellaneous - Sets forth: (1) the relationship of this Act
to other Federal and State laws, including the Privacy Act of 1974, and
regulations relating to protected health information or to an individual's
access to it; and (2) mandatory outreach efforts, including downloadable
availability on the HHS website, to explain this Act and resulting final
regulations.