HR 2404 IH
106th CONGRESS
1st Session
H. R. 2404
To protect the privacy of individuals by ensuring the confidentiality
of information contained in their medical records and health-care-related
information, and for other purposes.
IN THE HOUSE OF REPRESENTATIVES
June 30, 1999
Mr. MURTHA introduced the following bill; which was referred to the Committee
on Commerce, and in addition to the Committee on the Judiciary, for a period to
be subsequently determined by the Speaker, in each case for consideration of
such provisions as fall within the jurisdiction of the committee concerned.
A BILL
To protect the privacy of individuals by ensuring the confidentiality
of information contained in their medical records and health-care-related
information, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United
States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) SHORT TITLE- This Act may be cited as the `Personal Medical
Information Protection Act of 1999'.
(b) TABLE OF CONTENTS- The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
TITLE I--INDIVIDUAL'S RIGHTS
Subtitle A--Review of Protected Health Information by Subjects of the
Information
Sec. 101. Inspection and copying of protected health information.
Sec. 102. Amendment of protected health information.
Sec. 103. Notice of confidentiality practices.
Subtitle B--Establishment of Safeguards
Sec. 111. Establishment of safeguards.
Sec. 112. Accounting for disclosures.
TITLE II--RESTRICTIONS ON USE AND DISCLOSURE
Sec. 201. General rules regarding use and disclosure.
Sec. 202. Procurement of authorizations for disclosure of protected
health information for treatment, payment, and health care operations.
Sec. 203. Authorizations for disclosure of protected health information
other than for treatment, payment, or health care operations.
Sec. 204. Next of kin and directory information.
Sec. 205. Emergency circumstances.
Sec. 208. Health research.
Sec. 209. Disclosure in civil, judicial, and administrative
procedures.
Sec. 210. Disclosure for law enforcement purposes.
Sec. 211. Payment card and electronic payment transaction.
Sec. 212. Standards for electronic disclosures.
Sec. 213. Individual representatives.
Sec. 214. Limited liability for law enforcement officers.
Sec. 215. No liability for permissible disclosures.
TITLE III--SANCTIONS
Subtitle A--Criminal Provisions
Sec. 301. Wrongful disclosure of protected health information.
Subtitle B--Civil Sanctions
Sec. 312. Procedures for imposition of penalties.
Sec. 313. Civil action by individuals.
Sec. 314. Alternative dispute resolution.
TITLE IV--MISCELLANEOUS
Sec. 401. Relationship to other laws.
Sec. 402. Notification of seniors.
Sec. 403. Effective date.
SEC. 2. FINDINGS.
The Congress finds that--
(1) individuals have a right of confidentiality with respect to their
personal health information and records;
(2) the personal and protected medical information of an individual is
uniquely private and should only be disclosed with proper consent;
(4) an individual's protected medical information contains sensitive and
personal details that could cause professional and personal embarrassment
and stigmatization, even impermissible discrimination, if such information
is released without authorization;
(5) with respect to information about medical care and health status,
the traditional right of confidentiality is at risk;
(6) an erosion of the right of confidentiality may reduce the
willingness of patients to confide in physicians and other practitioners,
thus jeopardizing quality health care;
(7) an individual's confidentiality right means that an individual's
consent is needed to disclose his or her protected health information,
except in rare and limited circumstances required by the public
interest;
(8) any disclosure of protected health information should be limited to
that information or portion of the medical record necessary to fulfill the
purpose of the disclosure;
(9) incentives need to be created to use nonidentifiable health
information where appropriate;
(10) the availability of timely and accurate personal health data for
the delivery of health care services throughout the Nation is needed;
(11) personal health care data may be essential for selected types of
medical research;
(12) public health uses of personal health data are critical to both
personal health as well as public health; and
(13) confidentiality of an individual's health information must be
assured without jeopardizing the pursuit of clinical and epidemiological
research undertaken to improve health care and health outcomes and to assure
the quality and efficiency of health care.
SEC. 3. PURPOSES.
The purposes of this Act are to--
(1) establish strong and effective mechanisms to protect against the
unauthorized and inappropriate use of protected health information that is
created or maintained as part of health care treatment, diagnosis,
enrollment, payment, plan administration, testing, or research
processes;
(2) promote the efficiency and security of the health information
infrastructure so that members of the health care community may more
effectively exchange and transfer health information in a manner that will
ensure the confidentiality of protected health information without impeding
the delivery of high quality health care;
(3) create incentives to turn personal health information into
nonidentifiable health information for oversight, health research, public
health, law enforcement, judicial, and administrative purposes, where
appropriate;
(4) establish strong and effective remedies for violations of this Act;
and
(5) establish a national board to oversee implementation of this Act,
promulgate rules and regulations, serve as an advisory body on the subject
of protecting personal medical information and make recommendations to the
President on improving the mechanisms for protecting the privacy of personal
medical information, without stifling research and the free flow of
scientific medical data.
SEC. 4. DEFINITIONS.
(1) ACCREDITING BODY- The term `accrediting body' means a national body,
committee, organization, or institution (such as the Joint Commission on
Accreditation of Health Care Organizations or the National Committee for
Quality Assurance) that has been authorized by law or is recognized by a
health care regulating authority as an accrediting entity or any other
entity that has been similarly authorized or recognized by law to perform
specific accreditation, licensing or credentialing activities.
(2) AGENT- The term `agent' means a person who represents and acts for
another under the contract or relation of agency, or whose function is to
bring about, modify, affect, accept performance of, or terminate contractual
obligations between the principal and a third person, including a
contractor.
(A) IN GENERAL- The term `anonymous link' means a number assigned to
nonidentifiable health information which, by itself, contains no
information about an individual, but which, under specific, controlled
conditions, can be used to link to additional health information about the
same individual which may be used to identify that individual.
(B) DISCLOSURE- Any subsequent disclosure of an anonymous link with
any information which, together with information previously disclosed with
the same link might reasonably be used to identify an individual, shall be
considered to be a disclosure of protected health information. Such a
disclosure shall convert any previously disclosed, nonidentifiable
information with the same link into protected health information.
(4) COMMON RULE- The term `common rule' means the Federal policy for the
protection of human subjects from research risks originally published as 56
Federal Register 28012 (et seq.) (June 18, 1991) as adopted and implemented
by a Federal department or agency.
(5) DISCLOSE- The term `disclose' means to release, transfer, provide
access to, or otherwise divulge protected health information to any person
other than the individual who is the subject of such information. Such term
includes the initial disclosure and any subsequent disclosures of protected
health information.
(6) EMPLOYER- The term `employer' has the meaning given such term under
section 3(5) of the Employee Retirement Income Security Act of 1974 (29
U.S.C. 1002(5)), except that such term shall include only employers of two
or more employees.
(7) HEALTH CARE- The term `health care' means--
(A) preventive, diagnostic, therapeutic, rehabilitative, maintenance,
or palliative care, including appropriate assistance with disease or
symptom management and maintenance, counseling, service, or
procedure--
(i) with respect to the physical or mental condition of an
individual; or
(ii) affecting the structure or function of the human body or any
part of the human body, including the banking of blood, sperm, organs,
or any other tissue; or
(B) pursuant to a prescription or medical order any sale or dispensing
of a drug, device, equipment, or other health care related item to an
individual, or for the use of an individual.
(8) HEALTH CARE OPERATIONS- The term `health care operations' means
services provided by or on behalf of a health plan or health care provider
for the purpose of carrying out the management functions of a health care
provider or health plan, or implementing the terms of a contract for health
plan benefits. Such term means--
(A) conducting quality assurance activities or outcomes
assessments;
(B) reviewing the competence or qualifications of health care
professionals;
(C) performing accreditation, licensing, or credentialing
activities;
(D) analysis of health plan claims or health care records
data;
(E) evaluating health plan and provider performance;
(F) carrying out utilization review, precertification or
preauthorization of services;
(G) underwriting or experience rating of health plans;
(H) conducting or arranging for auditing services; or
(I) such other services as the Secretary determines
appropriate.
(9) HEALTH CARE PROVIDER- The term `health care provider' means a
person, who with respect to a specific item of protected health information,
receives, creates, uses, maintains, or discloses the information while
acting in whole or in part in the capacity of--
(A) a person who is licensed, certified, registered, or otherwise
authorized by Federal or State law to provide an item or service that
constitutes health care in the ordinary course of business, or practice of
a profession;
(B) a Federal, State, or employer sponsored program that directly
provides items or services that constitute health care to beneficiaries;
or
(C) an officer, employee, or agent of a person described in
subparagraph (A) or (B) that is engaged in the provision of health
care.
(10) HEALTH OR LIFE INSURER- The term `health or life insurer' means a
health insurance issuer as defined in section 9805(b)(2) of the Internal
Revenue Code of 1986 or a life insurance company as defined in section 816
of such Code.
(11) HEALTH OVERSIGHT AGENCY- The term `health oversight agency' means a
person who, with respect to a specific item of protected health information,
receives, creates, uses, maintains, or discloses the information while
acting in whole or in part in the capacity of--
(A) a person who performs or oversees the performance of an
assessment, evaluation, determination, or investigation, relating to the
licensing, accreditation, or credentialing of health care providers;
or
(i) performs or oversees the performance of an audit, assessment,
evaluation, determination, or investigation relating to the
effectiveness of, compliance with, or applicability of, legal, fiscal,
medical, or scientific standards or aspects of performance related to
the delivery of, or payment for, health care; and
(ii) is a public agency, acting on behalf of a public agency, acting
pursuant to a requirement of a public agency, or carrying out activities
under a Federal or State law governing the assessment, evaluation,
determination, investigation, or prosecution described in subparagraph
(A).
(12) HEALTH PLAN- The term `health plan' means any health insurance
plan, including any hospital or medical service plan, dental or other health
service plan or health maintenance organization plan, provider sponsored
organization, or other program providing or arranging for the provision of
health benefits. Such term includes employee welfare benefits plans and
group health plans as defined in sections 3 and 607 of the Employee
Retirement Income Security Act of 1974 (29 U.S.C. 1002 and 1167).
(13) HEALTH RESEARCHER- The term `health researcher' means a person, or
an officer, employee or independent contractor of a person, who receives
protected health information as part of a systematic investigation, testing
or evaluation designed to develop or contribute to generalized scientific
and clinical knowledge.
(14) INDIVIDUAL REPRESENTATIVE- The term `individual representative'
means a person who is authorized by law or by an instrument recognized under
law, to act as an agent, attorney, proxy, or other legal representative of a
protected individual. Such term includes a health care power of
attorney.
(15) LAW ENFORCEMENT INQUIRY- The term `law enforcement inquiry' means a
lawful investigation conducted by an appropriate government agency or
official inquiring into a violation of, or failure to comply with, any
criminal or civil statute or any regulation, rule, or order issued pursuant
to such a statute.
(16) NETWORK PLAN- The term `network plan' means health care coverage
provided under a health plan under which the financing and delivery of
health care are provided, in whole or in part, through a defined set of
health care providers under contract with the health plan.
(17) NONIDENTIFIABLE HEALTH INFORMATION- The term `nonidentifiable
health information' means any information that would otherwise be protected
health information except that such information does not directly reveal the
identity of the individual whose health or health care is the subject of the
information and there is no reasonable basis to believe that such
information could be used, either alone or with other information that is,
or should reasonably be known to be, available to predictable recipients of
such information, to reveal the identity of that individual.
(18) ORIGINATING PROVIDER- The term `originating provider' means a
health care provider who creates or originates medical information that is
or that becomes protected health information.
(19) PAYMENT- The term `payment' means--
(A) the activities undertaken by--
(i) or on behalf of a health plan to determine its responsibility
for coverage under the plan and the actual payment under such plan;
and
(ii) a health care provider to obtain payment for items or services
provided under a health plan or provided based on a determination by the
health plan of responsibility for coverage under the plan;
and
(B) activities undertaken as described in subparagraph (A)
including--
(i) billing, claims management, medical data processing or other
administrative services;
(ii) determinations of coverage or adjudication of health benefit
claims; and
(iii) review of health care services with respect to medical
necessity, coverage under a health plan, appropriateness of care, or
justification of charges.
(20) PERSON- The term `person' means a government, governmental
subdivision, agency or authority, corporation, company, association, firm,
partnership, society, estate, trust, joint venture, individual, individual
representative, tribal government, and any other legal entity.
(21) PROTECTED HEALTH INFORMATION- The term `protected health
information' means any information (including demographic information)
whether or not recorded in any form or medium--
(A) that relates to the past, present or future--
(i) physical or mental health or condition of an individual
(including the condition or other attributes of individual cells or
their components, including genetic and pharmaceutical
information);
(ii) provision of health care to an individual; or
(iii) payment for the provision of health care to an
individual;
(B) that is created or received by a health care provider, health
plan, health researcher, health oversight agency, public health authority,
employer, law enforcement official, health or life insurer, school or
university; and
(C) that is not nonidentifiable health information.
(22) PUBLIC HEALTH AUTHORITY- The term `public health authority' means
an authority or instrumentality of the United States, a tribal government, a
State, or a political subdivision of a State that is--
(A) primarily responsible for public health matters; and
(B) primarily engaged in activities such as injury reporting, public
health surveillance, and public health investigation or
intervention.
(23) SCHOOL OR UNIVERSITY- The term `school or university' means an
institution or place for instruction or education, including an elementary
school, secondary school, or institution of higher learning, a college, or
an assemblage of colleges united under one corporate organization or
government.
(24) SECRETARY- The term `Secretary' means the Secretary of Health and
Human Services.
(25) STATE- The term `State' includes the District of Columbia, Puerto
Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana
Islands.
(26) TREATMENT- The term `treatment' means the provision of health care
by, or the coordination of health care among, health care providers, or the
referral of a patient from one provider to another, or coordination of
health care or other services among health care providers and third parties
authorized by the health plan or the plan member.
(27) WRITING- The term `writing' means writing in either a paper-based
or computer-based form, including electronic signatures.
TITLE I--INDIVIDUAL'S RIGHTS
Subtitle A--Review of Protected Health Information by Subjects of the
Information
SEC. 101. INSPECTION AND COPYING OF PROTECTED HEALTH INFORMATION.
(1) IN GENERAL- A health care provider, health plan, employer, health or
life insurer, school, or university, or a person acting as the agent of any
such person, shall permit an individual who is the subject of protected
health information, or the individual's designee, to inspect and copy
protected health information concerning the individual, including records
created under sections 102, 112, 202, 203, 208, and 211, that such person
maintains.
(2) PROCEDURES AND FEES- A person described in paragraph (1) may set
forth appropriate procedures to be followed for inspection and copying under
such paragraph and may require an individual to pay fees associated with
such inspection and copying in an amount that is not in excess of the actual
costs of providing such copying. Such procedures and fees shall not be
inconsistent with current State law governing the inspection and copying of
medical records.
(b) DEADLINE- A person described in subsection (a)(1) shall comply with a
request for inspection or copying of protected health information under this
section in good faith and within a reasonable timeframe after the date on
which the person receives the request in writing.
(c) RULES GOVERNING AGENTS- A person acting as the agent of a person
described in subsection (a) shall provide for the inspection and copying of
protected health information if--
(1) the protected health information is retained by the agency;
and
(2) the agent has been asked by the person involved to fulfill the
requirements of this section.
(d) SPECIAL RULE RELATING TO ONGOING CLINICAL TRIALS- With respect to
protected health information that is created as part of an individual's
participation in an ongoing clinical trial, access to the information shall be
provided consistent with the individual's agreement to participate in the
clinical trial.
SEC. 102. AMENDMENT OF PROTECTED HEALTH INFORMATION.
(1) IN GENERAL- Except as provided in subsections (b) and (e), not later
than 45 days after the date on which a health care provider, health plan,
employer, health or life insurer, school, or university receives from an
individual a request in writing to correct or amend information that meets
the requirements of paragraph (2), such entity shall--
(A) make the correction or amendment requested;
(B) inform the individual of the amendment that has been made;
and
(C) inform the individual of any other person to whom the unamended
portion of the information was previously disclosed.
(2) INFORMATION- The requirements of this paragraph are that the
information that is the subject of the request is in fact inaccurate.
(b) REFUSAL TO AMEND- If an entity described in subsection (a) refuses to
make the correction or amendment requested under such subsection, the entity
shall inform the individual in writing of--
(1) the reasons for the refusal to make the amendment;
(2) any procedures for further review of the refusal; and
(3) the individual's right to file with the entity a concise statement
setting forth the requested amendment and the individual's reasons for
disagreeing with the refusal.
(c) STATEMENT OF DISAGREEMENT- If an individual has filed a statement of
disagreement under subsection (b)(3), the entity involved--
(1) shall ensure such statement is retained as a permanent part of the
file not to be separated from the disputed information;
(2) shall include a copy of the individual's statement in any subsequent
disclosure of the disputed information; and
(3) may include a concise statement of the reasons for not making the
requested amendment.
(d) RULES GOVERNING AGENTS- The agent of an entity described in subsection
(a) shall not be required to make amendments to protected health information,
except where--
(1) the protected health information is retained by the agent; and
(2) the agent has been asked by such entity to fulfill the requirements
of this section.
If the agent is required to comply with this section as provided for in
paragraph (2), such agent shall be subject to the 45-day deadline described in
subsection (a).
(e) EXTENSION FOR PAPER RECORDS OFF PREMISES- In the case of a request
described in subsection (a), if the information involved is in paper form,
located off the premises of the entity involved, and not readily available,
the entity shall have 60 days to comply with or deny such request.
(f) RULES OF CONSTRUCTION- This section shall not be construed to--
(1) require that an entity described in subsection (a) conduct a formal,
informal, or other hearing or proceeding concerning a request for an
amendment to protected health information;
(2) require a provider to amend an individual's record as to the type,
duration, or quality of treatment the individual believes he or she should
have been provided; or
(3) require any deletion or alteration of the original
information.
SEC. 103. NOTICE OF CONFIDENTIALITY PRACTICES.
(a) PREPARATION OF WRITTEN NOTICE- A health care provider, health plan,
health oversight agency, public health authority, employer, health or life
insurer, health researcher, school, or university shall post or provide, in
writing and in a clear and conspicuous manner, notice of the entity's
confidentiality practices, that shall include--
(1) a description of an individual's rights with respect to protected
health information;
(2) the uses and disclosures of protected health information authorized
under this Act;
(3) the procedures for authorizing disclosures of protected health
information and for revoking such authorizations;
(4) the procedures established by the entity for the exercise of the
individual's rights; and
(5) the right to obtain a copy of the notice of the confidentiality
practices required under this Act.
(b) MODEL NOTICE- The Secretary, after notice and opportunity for public
comment, shall develop and disseminate model notices of confidentiality
practices. Use of the model notice shall serve as an absolute defense against
claims of receiving inappropriate notice.
Subtitle B--Establishment of Safeguards
SEC. 111. ESTABLISHMENT OF SAFEGUARDS.
(a) IN GENERAL- A health care provider, health plan, health oversight
agency, public health authority, employer, health or life insurer, health
researcher, law enforcement official, school, or university shall establish
and maintain appropriate administrative, technical, and physical safeguards to
protect the confidentiality, security, accuracy, and integrity of protected
health information created, received, obtained, maintained, used, transmitted,
or disposed of by such entity.
(b) ENCRYPTION TECHNOLOGY- Custodians that maintain medical records on a
computer data base should implement encryption technology whenever possible to
protect the unauthorized disclosure of protected health information.
Custodians should also seek to anonymize medical records to the fullest extent
practicable through the use of coding and the removal of personally
identifiable information within an individual's medical records.
(c) REGULATIONS- The Secretary shall have the authority to promulgate
regulations for the implementation of subsections (a) and (b).
(d) RULE OF CONSTRUCTION- Safeguards to protect the security of protected
health information under subsection (a) shall include the implementation of
policies or procedures to consider whether protected health information is
essential for a use of disclosure undertaken by an entity described in such
subsection.
SEC. 112. ACCOUNTING FOR DISCLOSURES.
(1) HEALTH RELATED ENTITIES- Except as provided in paragraph (3), a
health care provider, health plan, health oversight agency, public health
authority, employer, health or life insurer, health researcher, law
enforcement official, school, or university shall establish and maintain,
with respect to any protected health information disclosure, a record of
such disclosure in accordance with regulations issued by the
Secretary.
(2) AGENT- Except as provided in paragraph (3), an agent shall maintain
a record of its disclosures made pursuant to sections 205 through 212.
(3) EXCEPTION- A record of disclosures under this subsection is not
required with respect to disclosures made to officers or employees of the
entity that maintains the record involved who, in the performance of their
duties, have a need for the protected health information.
(b) RECORD OF DISCLOSURE- A record established under subsection (a) shall
be maintained for not less than 7 years.
TITLE II--RESTRICTIONS ON USE AND DISCLOSURE
SEC. 201. GENERAL RULES REGARDING USE AND DISCLOSURE.
(1) GENERAL RULE- A health care provider, health plan, health oversight
agency, public health authority, employer, health or life insurer, health
researcher, law enforcement official, school, or university may not disclose
protected health information except as authorized under this title.
(2) RULE OF CONSTRUCTION- Disclosure of health information in the form
of nonidentifiable health information shall not be construed as a disclosure
of protected health information.
(b) USE OR DISCLOSURE OF PROTECTED HEALTH INFORMATION WITHIN AN ENTITY-
(1) IN GENERAL- An entity described in subsection (a) may use protected
health information or disclose such information within the entity if such
use or disclosure is made pursuant to an authorization under section 202 or
203 and consistent with the limitations under subsection (d) on the scope of
disclosure.
(2) AGENTS- Disclosure to agents of an entity described in subsection
(a) shall be considered as a disclosure within an entity.
(c) DISCLOSURE BY AGENTS- An agent who receives protected health
information from an entity described in subsection (a) shall be subject to all
rules of disclosure and safeguard requirements under this title.
(d) SCOPE OF DISCLOSURE- Every disclosure of protected health information
by an entity under this title shall be limited to the information necessary to
accomplish the purpose for which the information is disclosed.
(e) NO GENERAL REQUIREMENT TO DISCLOSE- Nothing in this title permitting
the disclosure of protected health information shall be construed to require
such disclosure.
(f) LABELING OF DISCLOSED INFORMATION AS PROTECTED INFORMATION- Except as
otherwise provided in this title, protected health information may not be
disclosed unless such information is clearly labeled as protected health
information that is subject to this Act.
(g) CREATION OF NONIDENTIFIABLE INFORMATION- An entity described in
subsection (a) may disclose protected health information to an employee or
agent of the entity for purposes of creating nonidentifiable information, if
the entity prohibits the employee or agent of the entity from using or
disclosing the protected health information for purposes other than the sole
purpose of creating nonidentifiable information as specified by the entity.
(h) REDISCLOSURE PROHIBITED- Once authorization for disclosure of personal
medical information has been granted, the recipient cannot release the
information to another third party without the prior written consent of the
individual that meets the requirements of section 102(a).
SEC. 202. PROCUREMENT OF AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH
INFORMATION FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS.
(a) REQUIREMENTS RELATING TO EMPLOYERS, HEALTH PLANS, UNINSURED
INDIVIDUALS, AND PROVIDERS-
(1) IN GENERAL- To meet the requirements relating to the authorized
disclosure of protected health information under section 201, an
authorization form must be secured for each individual in connection with
treatment, payment and health care operations.
(2) CONSOLIDATED AUTHORIZATION- A single authorization may be secured
for each individual in connection with treatment, payment, and health care
operations.
(3) EMPLOYERS- Every employer offering a health plan to its employees
shall, at the time of, and as a condition of enrollment in the health plan,
obtain a signed, written authorization that is a legal, informed
authorization concerning the use and disclosure of protected health
information for treatment, payment, and health care operations with respect
to each individual who is eligible to receive care under the health
plan.
(4) HEALTH PLANS- Every health plan offering enrollment to individual or
non-employer groups shall, at the time of, and as a condition of enrollment
in the health plan, obtain a signed, written authorization that is a legal,
informed authorization concerning the use and disclosure of protected health
information for treatment, payment, and health care operations with respect
to each individual who is eligible to receive care under the plan.
(5) UNINSURED- An originating provider providing health care to an
uninsured individual, shall obtain a signed, written authorization that is a
legal, informed authorization concerning the use and disclosure of protected
health information, in providing health care or arranging for health care
from other providers or seeking payment for the provision of health care
services.
(b) REQUIREMENTS FOR INDIVIDUAL AUTHORIZATION- To be valid, an
authorization to disclose protected health information shall--
(1) identify the individual involved;
(2) describe the nature of the health care information to be
disclosed;
(3) identify the type of person to whom the information is to be
disclosed;
(4) describe the purpose of the disclosure, including whether the
information may be used for disease management or medication
compliance;
(5) be subject to revocation by the individual and indicate that the
authorization is valid until revocation by the individual; and
(i) in writing, dated, and signed by the individual; or
(ii) in electronic form, dated and authenticated by the individual
using a unique identifier; and
(B) not have been revoked under paragraph (c).
(c) REVOCATION OF AUTHORIZATION-
(1) IN GENERAL- An individual may revoke in writing an authorization
under this section at any time, unless the disclosure that is the subject of
the authorization is required to effectuate payment for health care that has
been provided to the individual for which the individual has not agreed to
assume personal financial responsibility.
(2) EXCEPTION FOR SELF-PAYMENT- An individual may revoke a prior
authorization for payment or health care operations described in paragraphs
(1) through (6) of subsection (a) prior to a single or series of encounters
with a health care provider if such individual has agreed to assume personal
financial responsibility for the treatment.
(3) HEALTH PLANS- With respect to a health plan, the authorization of an
individual is deemed to be revoked at the time of the cancellation or
non-renewal of enrollment in the health plan, except as may be necessary to
complete health care operations and payment requirements related to the
individual's period of enrollment.
(4) ACTIONS- An individual may not maintain an action against a person
for disclosure of protected health information made in good faith reliance
on the individual's authorization at the time disclosure was made.
(d) RECORD OF INDIVIDUAL'S AUTHORIZATION AND REVOCATIONS-
(1) IN GENERAL- Each person collecting or storing protected health
information shall maintain a record for a period of 7 years of each
authorization of an individual and revocation thereof.
(2) RULE OF CONSTRUCTION- Records of authorizations and revocations
maintained under paragraph (1) shall not be construed to be protected health
information under this Act.
(e) NO WAIVER- Except as provided for in this Act, an authorization to
disclose protected health information by an individual shall not be construed
as a waiver of any rights that the individual has under other Federal or State
laws, the rules of evidence, or common law.
(f) RULE OF CONSTRUCTION- Authorizations for the disclosure of protected
health information for treatment, payment, and health care operations shall
not authorize the disclosure of such information by an individual with the
intent to sell, transfer, or use protected health information for the purpose
of marketing a product or service. For such disclosures a separate
authorization is required under section 203.
SEC. 203. AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH INFORMATION
OTHER THAN FOR TREATMENT, PAYMENT, OR HEALTH CARE OPERATIONS.
(a) WRITTEN AUTHORIZATIONS- A health care provider, health plan, health
oversight agency, health researcher, public health authority, law enforcement
official, employer, health or life insurer, school, or university may disclose
protected health information, for purposes other than those authorized under
section 202, pursuant to an authorization executed by the individual who is
the subject of the information that meets the requirements of section 202(b).
Such an authorization shall be separate from an authorization provided
under section 202.
(b) LIMITATION ON AUTHORIZATIONS- An entity described in section 202 may
not condition the delivery of treatment or payment for services on the receipt
of an authorization described in this section.
(c) REVOCATION OR AMENDMENT OF AUTHORIZATION-
(1) IN GENERAL- An individual may in writing revoke or amend an
authorization described in subsection (a).
(2) NOTICE OF REVOCATION- An entity described in subsection (a) that
discloses protected health information pursuant to an authorization that has
been revoked under paragraph (1) shall not be subject to any liability or
penalty under this title if that entity had no actual or constructive notice
of the revocation.
(d) REQUIREMENT TO RELEASE PROTECTED HEALTH INFORMATION TO CORONERS AND
MEDICAL EXAMINERS-
(1) IN GENERAL- When a Coroner or Medical Examiner or their duly
appointed deputies seek protected health information for the purpose of
inquiry into and determination of, the cause, manner, and circumstances of a
death, the health care provider, health plan, health oversight agency,
public health authority, employer, health or life insurer, health
researcher, law enforcement official, school, or university involved shall
provide the protected health information to the Coroner or Medical Examiner
or to the duly appointed deputies without undue delay.
(2) PRODUCTION OF ADDITIONAL INFORMATION- If a Coroner or Medical
Examiner or their duly appointed deputies receives health information from
an entity referred to in paragraph (1), such health information shall remain
as protected health information unless the health information is attached to
or otherwise made a part of a Coroner's or Medical Examiner's official
report, in which case it shall no longer be protected.
(3) EXEMPTION- Health information attached to or otherwise made a part
of a Coroner's or Medical Examiner's official report, shall be exempt from
the provisions of this Act except as provided for in this subsection.
(4) REIMBURSEMENT- A Coroner or Medical Examiner may require a person to
reimburse their Office for the reasonable costs associated with such
inspection or copying.
(e) DISCLOSURE FOR PURPOSE ONLY- A recipient of information pursuant to an
authorization under this section may use or disclose such information solely
to carry out the purpose for which the information was authorized for
release.
(f) MODEL AUTHORIZATIONS- The Secretary, after notice and opportunity for
public comment, shall develop and disseminate model written authorizations of
the type described in subsection (a). Any authorization obtained on a model
authorization form developed by the Secretary shall be deemed to meet the
authorization requirements of this section.
SEC. 204. NEXT OF KIN AND DIRECTORY INFORMATION.
(a) NEXT OF KIN- A health care provider, or a person who receives
protected health information under section 205, may disclose protected health
information regarding an individual to the individual's spouse, parent, child,
sister, brother, next of kin, or individual representative if--
(1) the individual who is the subject of the protected health
information is physically or mentally incapacitated such that the individual
is not capable of authorizing the disclosure and there are no prior
indications that the individual would object; and
(2) the disclosure of the protected health information to parties
described in this subsection--
(A) is necessary for the purpose of aiding said parties in making a
necessary decision regarding the individual's treatment that would be the
prerogative of the individual if the individual were not
incapacitated;
(B) is consistent with good medical or professional practice;
and
(C) is not inconsistent with State laws in effect prior to the
effective date of this Act governing the release of medical records to
parties described in this subsection.
(b) DIRECTORY INFORMATION-
(A) IN GENERAL- Except as provided in paragraph (2), a person
described in subsection (a) may disclose the information described in
subparagraph (B) to any person if the individual who is the subject of the
information--
(i) has been notified of the individual's right to object and the
individual has not objected to the disclosure; or
(ii) is in a physical or mental condition such that the individual
is not capable of objecting, the individual's next of kin has not
objected, and there are no prior indications that the individual would
object.
(B) INFORMATION- Information described in this subparagraph is
information that consists only of 1 or more of the following
items:
(i) The name of the individual who is the subject of the
information.
(ii) The general health status of the individual, described as
critical, poor, fair, stable, or satisfactory or in terms denoting
similar conditions.
(iii) The location of the individual on premises controlled by a
provider.
(A) LOCATION- Paragraph (1)(B)(iii) shall not apply if disclosure of
the location of the individual would reveal specific information about the
physical or mental condition of the individual, unless the individual
expressly authorizes such disclosure.
(B) DIRECTORY OF NEXT OF KIN INFORMATION- A disclosure may not be made
under this section if the health care provider involved has reason to
believe that the disclosure of directory or next of kin information could
lead to the physical or mental harm of the individual, unless the
individual expressly authorizes such disclosure.
SEC. 205. EMERGENCY CIRCUMSTANCES.
Any person who creates or receives protected health information under this
title may disclose protected health information in emergency circumstances
when necessary to protect the health or safety of the individual who is the
subject of such information from serious, imminent harm. No disclosure made in
the good faith belief that the disclosure was necessary to protect the health
or safety of an individual from serious, imminent harm shall be in violation
of, or punishable under, this Act.
SEC. 206. OVERSIGHT.
(a) IN GENERAL- Any person may disclose protected health information to an
accrediting body or public health authority, a health oversight agency, or a
State insurance department, for purposes of an oversight function authorized
by law.
(b) PROTECTION FROM FURTHER DISCLOSURE- Protected health information that
is disclosed under this section shall not be further disclosed by an
accrediting body or public health authority, a health oversight agency, a
State insurance department, or their agents for any purpose unrelated to the
authorized oversight function. Notwithstanding any other provision of law,
protected health information disclosed under this section shall be protected
from further disclosure by an accrediting body or public health authority, a
health oversight agency, a State insurance department, or their agents
pursuant to a subpoena, discovery request, introduction as evidence,
testimony, or otherwise.
(c) AUTHORIZATION BY A SUPERVISOR- For purposes of this section, the
individual with authority to authorize the oversight function involved shall
provide to the person described in subsection (a) a statement that the
protected health information is being sought for a legally authorized
oversight function.
(d) USE IN ACTION AGAINST INDIVIDUALS- Protected health information about
an individual that is disclosed under this section may not be used by the
recipient in, or disclosed by the recipient to any person for use in, an
administrative, civil, or criminal action or investigation directed against
the individual who is the subject of the protected health information unless
the action or investigation arises out of and is directly related to--
(1) the receipt of health care or payment for health care; or
(2) a fraudulent claim related to health care, or a fraudulent or
material misrepresentation of the health of the individual.
SEC. 207. PUBLIC HEALTH.
A health care provider, health plan, public health authority, employer,
health or life insurer, law enforcement official, school, or university may
disclose protected health information to a public health authority or other
person authorized by law for use in a legally authorized--
(1) disease or injury report;
(2) public health surveillance; or
(3) public health investigation or intervention.
SEC. 208. HEALTH RESEARCH.
(a) IN GENERAL- A health care provider, health plan, public health
authority, employer, health or life insurer, school, or university may
disclose protected health information to a health researcher if--
(1) the research involves human subjects conducted or supported by any
Federal department or agency and the researcher complies with the common
rule;
(2) the research is a clinical investigation involving human subjects
and the researcher follows the regulations of the Food and Drug
Administration governing confidentiality procedures; or
(3) the research is not subject to the Federal Policy for the Protection
of Human Subjects.
(b) Periodic Review and Technical Assistance of Institutional Review
Boards Involved With the Federal Policy for Protection of Human Subjects-
(1) INSTITUTIONAL REVIEW BOARD- Any institutional review board that
authorizes research under this section pursuant to the common rule shall
keep records of the names and addresses of all members who participate in
such authorizations for possible review or audit.
(2) TECHNICAL ASSISTANCE- The Secretary may provide technical assistance
to institutional review boards described in this section.
(3) MONITORING- The Secretary shall periodically monitor institutional
review boards described in this section.
(4) REPORTS- Not later than 3 years after the date of enactment of this
Act, the Secretary shall report to Congress regarding the activities of
institutional review boards described in this section.
(c) REVIEW OF THE COMMON RULE BY THE SECRETARY- The Secretary shall review
the requirements of the common rule pertaining to the privacy of protected
health information and shall promulgate any amendments to the common rule that
may be necessary to ensure the confidentiality of such information.
(d) RECOMMENDATIONS WITH RESPECT TO PRIVACY-
(1) IN GENERAL- Not later than the date that is 12 months after the date
of the enactment of this Act, the Secretary shall submit to Congress
detailed recommendations on standards with respect to the privacy of
individually identifiable health information in research described in
subsection (a)(3).
(2) RULE OF CONSTRUCTION- In formulating the recommendations under
paragraph (1), the Secretary shall consider the findings of the National
Bioethics Advisory Commission and the results of the General Accounting
Office report authorized by section 402.
(3) REGULATIONS- If legislation governing standards with respect to the
privacy of individually identifiable health information transmitted in
connection with research described in subsection (a)(3) is not enacted by
the date that is 24 months after the date of the enactment of this Act, the
Secretary shall promulgate final regulations containing such standards not
later than the date that is 30 months after the date of the enactment of
this Act.
SEC. 209. DISCLOSURE IN CIVIL, JUDICIAL, AND ADMINISTRATIVE PROCEDURES.
(a) IN GENERAL- A health care provider, health plan, public health
authority, employer, health or life insurer, law enforcement official, school,
or university may disclose protected health information pursuant to a
discovery request or subpoena in a civil action brought in a Federal or State
court or a request or subpoena related to a Federal or State administrative
proceeding, but only if the disclosure is made pursuant to a court order as
provided for in subsection (b).
(1) STANDARD FOR ISSUANCE- In considering a request for a court order
regarding the disclosure of protected health information under subsection
(a), the court shall issue such order if the court determines that without
the disclosure of such information, the person requesting the order would be
impaired from establishing a claim or defense.
(2) REQUIREMENTS- An order issued under paragraph (1) shall--
(A) provide that the protected health information involved is subject
to court protection;
(B) specify to whom the information may be disclosed;
(C) specify that such information may not otherwise be disclosed or
used; and
(D) meet any other requirements that the court determines are needed
to protect the confidentiality of the information.
(c) APPLICABILITY- This section shall not apply in a case in which the
protected health information sought under such discovery request or
subpoena--
(1) is nonidentifiable health information;
(2) is related to a party to the litigation whose medical condition is
at issue; or
(3) could be disclosed under any of sections 202 through 208, 210, and
212.
(d) EFFECT OF SECTION- This section shall not be construed to supersede
any grounds that may apply under Federal or State law for objecting to turning
over the protected health information.
SEC. 210. DISCLOSURE FOR LAW ENFORCEMENT PURPOSES.
(a) IN GENERAL- A health care provider, health plan, health oversight
agency, employer, health or life insurer, school, university, or person who
receives protected health information pursuant to sections 203 through 208,
may disclose protected health information under this section, except to a
health oversight agency governed by section 206, if the disclosure is
pursuant to--
(1) a subpoena issued under the authority of a grand jury;
(2) an administrative subpoena or summons or judicial subpoena or
warrant; or
(3) a Federal or State law requiring the reporting of specific medical
information to law enforcement authorities.
(b) PROBABLE CAUSE- A subpoena or summons for a disclosure under paragraph
(1) or (2) of subsection (a) shall only be issued if the law enforcement
agency involved shows that there is probable cause to believe that the
information is relevant to a legitimate law enforcement inquiry.
(c) DESTRUCTION OR RETURN OF INFORMATION- When the matter or need for
which protected health information was disclosed to a law enforcement agency
or grand jury under subsection (a) has concluded, including any derivative
matters arising from such matter or need, the law enforcement agency or grand
jury shall either destroy the protected health information, or return it to
the person from whom it was obtained.
(d) REDACTIONS- To the extent practicable, and consistent with the
requirements of due process, a law enforcement agency shall redact personally
identifying information from protected health information prior to the public
disclosure of such protected information in a judicial or administrative
proceeding.
(e) USE OF INFORMATION- Protected health information obtained by a law
enforcement agency pursuant to this section may only be used for purposes of a
legitimate law enforcement activity.
(f) EXCLUSION OF EVIDENCE- If protected health information is obtained
without meeting the requirements of paragraphs (1), (2), and (3) of subsection
(a), any such information that is unlawfully obtained shall be excluded from
court proceedings unless the defendant requests otherwise.
SEC. 211. PAYMENT CARD AND ELECTRONIC PAYMENT TRANSACTION.
(a) PAYMENT FOR HEALTH CARE THROUGH CARD OR ELECTRONIC MEANS- If an
individual pays for health care by presenting a debit, credit, or other
payment card or account number, or by any other electronic payment means, the
entity receiving payment may disclose to a person described in subsection (b)
only such protected health information about the individual as is necessary
for the processing of the payment transaction or the billing or collection of
amounts charged to, debited from, or otherwise paid by, the individual using
the card, number, or other electronic means.
(b) TRANSACTION PROCESSING- A person who is a debit, credit, or other
payment card issuer, or is otherwise directly involved in the processing of
payment transactions involving such cards or other electronic payment
transactions, or is otherwise directly involved in the billing or collection
of amounts paid through such means, may use or disclose protected health
information about an individual that has been disclosed in accordance with
subsection (a) only when necessary for--
(1) the authorization, settlement, billing or collection of amounts
charged to, debited from, or otherwise paid the individual using a debit,
credit, or other payment card or account number, or by other electronic
payment means;
(2) the transfer of receivables, accounts, or interest therein;
(3) the audit of the debit, credit, or other payment card account
information;
(4) compliance with Federal, State, or local law; or
(5) compliance with a properly authorized civil, criminal, or regulatory
investigation by Federal, State, or local authorities as governed by the
requirements of this section.
SEC. 212. STANDARDS FOR ELECTRONIC DISCLOSURES.
The Secretary shall promulgate standards for disclosing, authorizing, and
authenticating, protected health information in electronic form consistent
with this title.
SEC. 213. INDIVIDUAL REPRESENTATIVES.
(a) IN GENERAL- Except as provided in subsections (b) and (c), a person
who is authorized by law (based on grounds other than the individual being a
minor), or by an instrument recognized under law, to act as an agent,
attorney, proxy, or other legal representative of a protected individual, may,
to the extent so authorized, exercise and discharge the rights of the
individual under this Act.
(b) HEALTH CARE POWER OF ATTORNEY- A person who is authorized by law
(based on grounds other than being a minor), or by an instrument recognized
under law, to make decisions about the provision of health care to an
individual who is incapacitated, may exercise and discharge the rights of the
individual under this Act to the extent necessary to effectuate the terms or
purposes of the grant of authority.
(c) NO COURT DECLARATION- If a health care provider determines that an
individual, who has not been declared to be legally incompetent, suffers from
a medical condition that prevents the individual from acting knowingly or
effectively on the individual's own behalf, the right of the individual to
authorize disclosure under this Act may be exercised and discharged in the
best interest of the individual by--
(1) a person described in subsection (b) with respect to the
individual;
(2) a person described in subsection (a) with respect to the individual,
but only if a person described in paragraph (1) cannot be contacted after a
reasonable effort;
(3) the next of kin of the individual, but only if a person described in
paragraph (1) or (2) cannot be contacted after a reasonable effort;
(4) the health care provider, but only if a person described in
paragraph (1), (2); or
(5) cannot be contacted after a reasonable effort.
(d) APPLICATION TO DECEASED INDIVIDUALS- The provisions of this Act shall
continue to apply to protected health information concerning a deceased
individual for a period of 2 years following the death of that individual.
(e) EXERCISE OF RIGHTS ON BEHALF OF A DECEASED INDIVIDUAL- A person who is
authorized by law or by an instrument recognized under law, to act as an
executor of the estate of a deceased individual, or otherwise to exercise the
rights of the deceased individual, may, to the extent so authorized, exercise
and discharge the rights of such deceased individual under this Act for a
period of 2 years following the death of that individual. If no such designee
has been authorized, the rights of the deceased individual may be exercised as
provided for in subsection (c).
SEC. 214. LIMITED LIABILITY FOR LAW ENFORCEMENT OFFICERS.
Federal and State law enforcement officers shall not be personally liable
for violations of this Act unless it is shown that the violation was a result
of intentional conduct committed with the intent to sell, transfer, or use
protected health information for commercial advantage, personal gain, or
malicious harm.
SEC. 215. NO LIABILITY FOR PERMISSIBLE DISCLOSURES.
A health care provider, health plan, health oversight agency, health
researcher, public health authority, law enforcement official, employer,
health or life insurer, school, or university who makes a disclosure of
protected health information about an individual that is permitted by this Act
shall not be liable to the individual for such disclosure under common law.
TITLE III--SANCTIONS
Subtitle A--Criminal Provisions
SEC. 301. WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION.
(a) IN GENERAL- Part I of title 18, United States Code, is amended by
adding at the end the following:
`CHAPTER 124--WRONGFUL DISCLOSURE OF PROTECTED HEALTH
INFORMATION
`Sec. 2801. Wrongful disclosure of protected health information.
`Sec. 2801. Wrongful disclosure of protected health information
`(a) OFFENSE- The penalties described in subsection (b) shall apply to a
person that knowingly and intentionally--
`(1) obtains protected health information relating to an individual in
violation of title II of the Personal Medical Information Protection Act of
1999;
`(2) discloses protected health information to another person in
violation of title II of the Personal Medical Information Protection Act of
1999; or
`(3) uses protected health information in violation of title II of the
Personal Medical Information Protection Act of 1999.
`(b) PENALTIES- A person described in subsection (a) shall--
`(1) be fined not more than $50,000, imprisoned not more than 1 year, or
both;
`(2) if the offense is committed under false pretenses, be fined not
more than $250,000, imprisoned not more than 5 years, or any combination of
such penalties;
`(3) if the offense is committed with the intent to sell, transfer, or
use protected health information for commercial advantage, personal gain, or
malicious harm, be fined not more than $500,000, imprisoned not more than 20
years, excluded from participation in any federally funded health care
programs, or any combination of such penalties.
`(c) SUBSEQUENT OFFENSES- In the case of a person described in subsection
(a), the maximum penalties described in subsection (b) shall be doubled for
every subsequent conviction for an offense arising out of a violation or
violations related to a set of circumstances that are different from those
involved in the previous violation or set of related violations described in
such subsection (a).'.
(b) CLERICAL AMENDMENT- The Table of chapters for part I of title 18,
United States Code, is amended by inserting after the item relating to chapter
123 the following new item:
2801'.
Subtitle B--Civil Sanctions
SEC. 311. CIVIL PENALTY.
(a) VIOLATION- A health care provider, health researcher, health plan,
health oversight agency, public health agency, law enforcement agency,
employer, health or life insurer, school, or university, or the agent of any
such individual or entity, who the Secretary, in consultation with the
Attorney General, determines has substantially and materially failed to comply
with this Act shall be subject, in addition to any other penalties that may be
prescribed by law--
(1) in a case in which the violation relates to title I, to a civil
penalty of not more than $500 for each such violation, but not to exceed
$5,000 in the aggregate for multiple violations;
(2) in a case in which the violation relates to title II, to a civil
penalty of not more than $10,000 for each such violation, but not to exceed
$50,000 in the aggregate for multiple violations; or
(3) in a case in which the Secretary finds that such violations have
occurred with such frequency as to constitute a general business practice,
to a civil penalty of not more than $100,000.
(b) PROCEDURES FOR IMPOSITION OF PENALTIES- Section 1128A of the Social
Security Act, other than subsections (a) and (b) and the second sentence of
subsection (f) of that section, shall apply to the imposition of a civil,
monetary, or exclusionary penalty under this section in the same manner as
such provisions apply with respect to the imposition of a penalty under
section 1128A of such Act.
SEC. 312. PROCEDURES FOR IMPOSITION OF PENALTIES.
(a) Initiation of Proceedings--
(1) IN GENERAL- The Secretary, in consultation with the Attorney
General, may initiate a proceeding to determine whether to impose a civil
money penalty under section 311. The Secretary may not initiate an action
under this section with respect to any violation described in section 311
after the expiration of the 6-year period beginning on the date on which
such violation was alleged to have occurred. The Secretary may initiate an
action under this section by serving notice of the action in any manner
authorized by rule 4 of the Federal Rules of Civil Procedure.
(2) NOTICE AND OPPORTUNITY FOR HEARING- The Secretary shall not make a
determination adverse to any person under paragraph (1) until the person has
been given written notice and an opportunity for the determination to be
made on the record after a hearing at which the person is entitled to be
represented by counsel, to present witnesses, and to cross-examine witnesses
against the person.
(3) ESTOPPEL- In a proceeding under paragraph (1) that--
(A) is against a person who has been convicted (whether upon a verdict
after trial or upon a plea of guilty or nolo contendere) of a crime under
section 2801 of title 18, United States Code; and
(B) involves the same conduct as in the criminal action; the person is
estopped from denying the essential elements of the criminal
offense.
(4) SANCTIONS FOR FAILURE TO COMPLY- The official conducting a hearing
under this section may sanction a person, including any party or attorney,
for failing to comply with an order or procedure, failing to defend an
action, or other misconduct as would interfere with the speedy, orderly, or
fair conduct of the hearing. Such sanction shall reasonably relate to the
severity and nature of the failure or misconduct. Such sanction may
include--
(A) in the case of refusal to provide or permit discovery, drawing
negative factual inferences or treating such refusal as an admission by
deeming the matter, or certain facts, to be established;
(B) prohibiting a party from introducing certain evidence or otherwise
supporting a particular claim or defense;
(C) striking pleadings, in whole or in part;
(D) staying the proceedings;
(E) dismissal of the action;
(F) entering a default judgment;
(G) ordering the party or attorney to pay attorneys' fees and other
costs caused by the failure or misconduct; and
(H) refusing to consider any motion or other action which is not filed
in a timely manner.
(b) SCOPE OF PENALTY- In determining the amount or scope of any penalty
imposed pursuant to section 311, the Secretary shall take into account--
(1) the nature of claims and the circumstances under which they were
presented;
(2) the degree of culpability, history of prior offenses, and financial
condition of the person presenting the claims; and
(3) such other matters as justice may require.
(c) REVIEW OF DETERMINATION-
(1) IN GENERAL- Any person adversely affected by a determination of the
Secretary under this section may obtain a review of such determination in the
United States Court of Appeals for the circuit in which the person resides,
or which the claim was presented, by filing in such court (within 60 days
following the date the person is notified of the determination of the
Secretary) a written petition requesting that the determination be modified
or set aside.
(2) FILING OF RECORD- A copy of the petition filed under paragraph (1)
shall be forthwith transmitted by the clerk of the court to the Secretary,
and thereupon the Secretary shall file in the court the record in the
proceeding as provided in section 2112 of title 28, United States Code. Upon
such filing, the court shall have jurisdiction of the proceeding and of the
question determined therein, and shall have the power to make and enter upon
the pleadings, testimony, and proceedings set forth in such record a decree
affirming, modifying, remanding for further consideration, or setting aside,
in whole or in part, the determination of the Secretary and enforcing the
same to the extent that such order is affirmed or modified.
(3) CONSIDERATION OF OBJECTIONS- No objection that has not been raised
before the Secretary with respect to a determination described in paragraph
(1) shall be considered by the court, unless the failure or neglect to raise
such objection shall be excused because of extraordinary
circumstances.
(4) FINDINGS- The findings of the Secretary with respect to questions of
fact in an action under this subsection, if supported by substantial
evidence on the record considered as a whole, shall be conclusive. If any
party shall apply to the court for leave to adduce additional evidence and
shall show to the satisfaction of the court that such additional evidence is
material and that there were reasonable grounds for the failure to adduce
such evidence in the hearing before the Secretary, the court may order such
additional evidence to be taken before the Secretary and to be made a part
of the record. The Secretary may modify findings as to facts, or make new
findings, by reason of additional evidence so taken and filed, and shall
file with the court such modified or new findings, and such findings with
respect to questions of fact, if supported by substantial evidence on the
record considered as a whole, and the recommendations of the Secretary, if
any, for the modification or setting aside of the original order, shall be
conclusive.
(5) EXCLUSIVE JURISDICTION- Upon the filing of the record with the court
under paragraph (2), the jurisdiction of the court shall be exclusive and
its judgment and decree shall be final, except that the same shall be
subject to review by the Supreme Court of the United States, as provided for
in section 1254 of title 28, United States Code.
(d) RECOVERY OF PENALTIES-
(1) IN GENERAL- Civil money penalties imposed under this subtitle may be
compromised by the Secretary and may be recovered in a civil action in the
name of the United States brought in United States district court for the
district where the claim was presented, or where the claimant resides, as
determined by the Secretary. Amounts recovered under this section shall be
paid to the Secretary and deposited as miscellaneous receipts of the
Treasury of the United States.
(2) DEDUCTION FROM AMOUNTS OWING- The amount of any penalty, when
finally determined under this section, or the amount agreed upon in
compromise under paragraph (1), may be deducted from any sum then or later
owing by the United States or a State to the person against whom the penalty
has been assessed.
(e) DETERMINATION FINAL- A determination by the Secretary to impose a
penalty under section 321 shall be final upon the expiration of the 60-day
period referred to in subsection (c)(1). Matters that were raised or that
could have been raised in a hearing before the Secretary or in an appeal
pursuant to subsection (c) may not be raised as a defense to a civil action by
the United States to collect a penalty under section 311.
(1) IN GENERAL- For the purpose of any hearing, investigation, or other
proceeding authorized or directed under this section, or relative to any
other matter within the jurisdiction of the Attorney General hereunder, the
Attorney General, acting through the Secretary, shall have the power to issue
subpoenas requiring the attendance and testimony of
witnesses and the production of any evidence that relates to any matter under
investigation or in question before the Secretary. Such attendance of witnesses
and production of evidence at the designated place of such hearing,
investigation, or other proceeding may be required from any place in the United
States or in any Territory or possession thereof.
(2) SERVICE- Subpoenas of the Secretary under paragraph (1) shall be
served by anyone authorized by the Secretary by delivering a copy thereof to
the individual named therein.
(3) PROOF OF SERVICE- A verified return by the individual serving the
subpoena under this subsection setting forth the manner of service shall be
proof of service.
(4) FEES- Witnesses subpoenaed under this subsection shall be paid the
same fees and mileage as are paid witnesses in the district court of the
United States.
(5) REFUSAL TO OBEY- In case of contumacy by, or refusal to obey a subpoena duly
served upon, any person, any district court of the United States for the
judicial district in which such person charged with contumacy or refusal to
obey is found or resides or transacts business, upon application by the
Secretary, shall have jurisdiction to issue an order requiring such person
to appear and give testimony, or to appear and produce evidence, or both.
Any failure to obey such order of the court may be punished by the court as
contempt thereof.
(g) INJUNCTIVE RELIEF- Whenever the Secretary has reason to believe that
any person has engaged, is engaging, or is about to engage in any activity
which makes the person subject to a civil monetary penalty under section 311,
the Secretary may bring an action in an appropriate district court of the
United States (or, if applicable, a United States court of any territory) to
enjoin such activity, or to enjoin the person from concealing, removing,
encumbering, or disposing of assets which may be required in order to pay a
civil monetary penalty if any such penalty were to be imposed or to seek other
appropriate relief.
(h) AGENCY- A principal is liable for penalties under section 311 for the
actions of the principal's agent acting within the scope of the agency.
SEC. 313. CIVIL ACTION BY INDIVIDUALS.
(a) IN GENERAL- Any individual whose rights under this Act have been
knowingly or negligently violated may bring a civil action to recover--
(1) such preliminary and equitable relief as the court determines to be
appropriate; and
(2) the greater of compensatory damages or liquidated damages of
$5,000.
(b) PUNITIVE DAMAGES- In any action brought under this section in which
the individual has prevailed because of a knowing violation of a provision of
this Act, the court may, in addition to any relief awarded under subsection
(a), award such punitive damages as may be appropriate.
(c) ATTORNEY'S FEES- In the case of a civil action brought under
subsection (a) in which the individual has substantially prevailed, the court
may assess against the respondent a reasonable attorney's fee and other
litigation costs and expenses (including expert fees) reasonably incurred.
(d) LIMITATION- No action may be commenced under this section more than 3
years after the date on which the violation was or should reasonably have been
discovered.
SEC. 314. ALTERNATIVE DISPUTE RESOLUTION.
(a) IN GENERAL- The Secretary shall, within 2 years following enactment of
this Act, promulgate regulations to develop alternative dispute resolution
procedures to resolve claims under section 314.
(b) METHODS OF ALTERNATIVE DISPUTE RESOLUTION- The regulations promulgated
under subsection (a) may require that an individual, before filing a civil
claim, pursue at least one avenue of alternative dispute resolution,
including--
(3) the use of a process under which parties make early offers of
settlements.
TITLE IV--MISCELLANEOUS
SEC. 401. RELATIONSHIP TO OTHER LAWS.
(a) FEDERAL AND STATE LAWS- Nothing in this Act shall be construed as
preempting, superseding, or repealing, explicitly or implicitly, other Federal
or State laws or regulations relating to protected health information or
relating to an individual's access to protected health information or health
care services, if such laws or regulations provide protections for the rights
of individuals to the privacy of, and access to, their health information that
are greater than those provided for in this Act.
(b) PRIVILEGES- Nothing in this Act shall be construed to preempt or
modify any provisions of State statutory or common law to the extent that such
law concerns a privilege of a witness or person in a court of that State. This
Act shall not be construed to supersede or modify
any provision of Federal statutory or common law to the extent such law
concerns a privilege of a witness or person in a court of the United States.
Authorizations pursuant to section 202 shall not be construed as a waiver of any
such privilege.
(c) CERTAIN DUTIES UNDER LAW- Nothing in this Act shall be construed to
preempt, supersede, or modify the operation of any State law that--
(1) provides for the reporting of vital statistics such as birth or
death information;
(2) requires the reporting of abuse or neglect information about any
individual;
(3) regulates the disclosure or reporting of information concerning an
individual's mental health; or
(4) governs a minor's rights to access protected health information or
health care services.
(1) MEDICAL EXEMPTIONS- Section 552a of title 5, United States Code, is
amended by adding at the end the following:
`(w) CERTAIN PROTECTED HEALTH INFORMATION- The head of an agency that is a
health care provider, health plan, health oversight agency, employer, insurer,
health or life insurer, school or university, or person who receives protected
health information under section 204 of the Personal Medical Information
Protection Act shall promulgate rules, in accordance with the requirements
(including general notice) of subsections (b)(1), (b)(2), (b)(3), (c), (e) of
section 553 of this title, to exempt a system of records within the agency, to
the extent that the system of records contains protected health information
(as defined in section 4 of such Act), from all provisions of this section
except subsections (b)(6), (d), (e)(1), (e)(2), subparagraphs (A) through (C)
and (E) through (I) of subsection (e)(4), and subsections (e)(5), (e)(6),
(e)(9), (e)(12), (l), (n), (o), (p), (q), (r), and (u).'.
(2) TECHNICAL AMENDMENT- Section 552a(f)(3) of title 5, United States
Code, is amended by striking `pertaining to him,' and all that follows
through the semicolon and inserting `pertaining to the individual.'
(e) CONSTITUTION- Nothing in this Act shall be construed to alter,
diminish, or otherwise weaken existing legal standards under the Constitution
regarding the confidentiality of protected health information.
SEC. 402. NOTIFICATION OF SENIORS.
The Secretary shall publish a pamphlet which explains the provisions of
this Act and the resulting final regulations in plain language as directed in
the President's memorandum of June 1, 1998, to the heads of executive
departments and agencies (63 Federal Register 31885, 3 CFR 1998 Comp., p. 289)
within 1 year from the effective date. The Secretary shall also ensure that
the contents of such pamphlet may be viewed and downloaded online free of
charge through the website of the Department of Health and Human Services.
SEC. 403. EFFECTIVE DATE.
(a) EFFECTIVE DATE- Unless specifically provided for otherwise, this Act
shall take effect on the date that is 12 months after the date of the
promulgation of the regulations required under subsection (b), or 30 months
after the date of enactment of this Act, whichever is earlier.
(b) REGULATIONS- Not later than 12 months after the date of enactment of
this Act, or as specifically provided for otherwise, the Secretary shall
promulgate regulations implementing this Act.
END