S 578 IS
106th CONGRESS
1st Session
S. 578
To ensure confidentiality with respect to medical records and health
care-related information, and for other purposes.
IN THE SENATE OF THE UNITED STATES
March 10, 1999
Mr. JEFFORDS (for himself and Mr. DODD) introduced the following bill; which
was read twice and referred to the Committee on Health, Education, Labor, and
Pensions
A BILL
To ensure confidentiality with respect to medical records and health
care-related information, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United
States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) SHORT TITLE- This Act may be cited as the `Health Care Personal
Information Nondisclosure Act of 1999' or the `Health Care PIN Act'.
(b) TABLE OF CONTENTS- The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
TITLE I--INDIVIDUAL'S RIGHTS
Subtitle A--Review of Protected Health Information by Subjects of the
Information
Sec. 101. Inspection and copying of protected health information.
Sec. 102. Amendment of protected health information.
Sec. 103. Notice of confidentiality practices.
Subtitle B--Establishment of Safeguards
Sec. 111. Establishment of safeguards.
Sec. 112. Accounting for disclosures.
TITLE II--RESTRICTIONS ON USE AND DISCLOSURE
Sec. 201. General rules regarding use and disclosure.
Sec. 202. Procurement of authorizations for disclosure of protected
health information for treatment, payment, and health care operations.
Sec. 203. Authorizations for disclosure of protected health information
other than for treatment, payment, or health care operations.
Sec. 204. Next of kin and directory information.
Sec. 205. Emergency circumstances.
Sec. 208. Health research.
Sec. 209. Disclosure in civil, judicial, and administrative
procedures.
Sec. 210. Disclosure for law enforcement purposes.
Sec. 211. Disclosures for postmarketing adverse experience reporting for
human drug and licensed biological products.
Sec. 212. Payment card and electronic payment transaction.
Sec. 213. Standards for electronic disclosures.
Sec. 214. Individual representatives.
Sec. 215. Limited liability for law enforcement officers.
Sec. 216. No liability for permissible disclosures.
TITLE III--SANCTIONS
Subtitle A--Criminal Provisions
Sec. 301. Wrongful disclosure of protected health information.
Sec. 302. Debarment for crimes.
Subtitle B--Civil Sanctions
Sec. 312. Procedures for imposition of penalties.
Sec. 313. Report on use of existing enforcement mechanisms.
Sec. 314. Civil action by individuals.
TITLE IV--MISCELLANEOUS
Sec. 401. Relationship to other laws.
Sec. 402. Effective date.
SEC. 2. FINDINGS.
The Congress finds that--
(1) individuals have a right of confidentiality with respect to their
personal health information and records;
(2) with respect to information about medical care and health status,
the traditional right of confidentiality is at risk;
(3) an erosion of the right of confidentiality may reduce the
willingness of patients to confide in physicians and other practitioners,
thus jeopardizing quality health care;
(4) an individual's confidentiality right means that an individual's
consent is needed to disclose his or her protected health information,
except in rare and limited circumstances required by the public
interest;
(5) any disclosure of protected health information should be limited to
that information or portion of the medical record necessary to fulfill the
purpose of the disclosure;
(6) incentives need to be created to use nonidentifiable health
information where appropriate;
(7) the availability of timely and accurate personal health data for the
delivery of health care services throughout the Nation is needed;
(8) personal health care data may be essential for selected types of
medical research;
(9) public health uses of personal health data are critical to both
personal health as well as public health; and
(10) confidentiality of an individual's health information must be
assured without jeopardizing the pursuit of clinical and epidemiological
research undertaken to improve health care and health outcomes and to assure
the quality and efficiency of health care.
SEC. 3. PURPOSES.
The purpose of this Act is to--
(1) establish strong and effective mechanisms to protect against the
unauthorized and inappropriate use of protected health information that is
created or maintained as part of health care treatment, diagnosis,
enrollment, payment, plan administration, testing, or research
processes;
(2) promote the efficiency and security of the health information
infrastructure so that members of the health care community may more
effectively exchange and transfer health information in a manner that will
ensure the confidentiality of protected health information without impeding
the delivery of high quality health care;
(3) create incentives to turn personal health information into
nonidentifiable health information for oversight, health research, public
health, law enforcement, judicial, and administrative purposes, where
appropriate; and
(4) establish strong and effective remedies for violations of this
Act.
SEC. 4. DEFINITIONS.
(1) ACCREDITING BODY- The term `accrediting body' means a national body,
committee, organization, or institution (such as the Joint Commission on
Accreditation of Health Care Organizations or the National Committee for
Quality Assurance) that has been authorized by law or is recognized by a
health care regulating authority as an accrediting entity or any other
entity that has been similarly authorized or recognized by law to perform
specific accreditation, licensing or credentialing activities.
(2) AGENT- The term `agent' means a person who represents and acts for
another under the contract or relation of agency, or whose function is to
bring about, modify, affect, accept performance of, or terminate contractual
obligations between the principal and a third person, including a
contractor.
(3) ANONYMOUS LINK-
(A) IN GENERAL- The term `anonymous link' means a number assigned to
nonidentifiable health information which, by itself, contains no
information about an individual, but which, under specific, controlled
conditions, can be used to link to additional health information about the
same individual which may be used to identify that individual.
(B) DISCLOSURE- Any subsequent disclosure of an anonymous link with
any information which, together with information previously disclosed with
the same link might reasonably be used to identify an individual, shall be
considered to be a disclosure of protected health information. Such a
disclosure shall convert any previously disclosed, nonidentifiable
information with the same link into protected health information.
(4) COMMON RULE- The term `common rule' means the Federal policy for the
protection of human subjects from research risks originally published as 56
Federal Register 28.012 (et seq.) (June 18, 1991) as adopted and implemented
by a Federal department or agency.
(5) DISCLOSE- The term `disclose' means to release, transfer, provide
access to, or otherwise divulge protected health information to any person
other than the individual who is the subject of such information. Such term
includes the initial disclosure and any subsequent disclosures of protected
health information.
(6) EMPLOYER- The term `employer' has the meaning given such term under
section 3(5) of the Employee Retirement Income Security Act of 1974 (29
U.S.C. 1002(5)), except that such term shall include only employers of two
or more employees.
(7) HEALTH CARE- The term `health care' means--
(A) preventive, diagnostic, therapeutic, rehabilitative, maintenance,
or palliative care, including appropriate assistance with disease or
symptom management and maintenance, counseling, service, or
procedure--
(i) with respect to the physical or mental condition of an
individual; or
(ii) affecting the structure or function of the human body or any
part of the human body, including the banking of blood, sperm, organs,
or any other tissue; or
(B) pursuant to a prescription or medical order any sale or dispensing
of a drug, device, equipment, or other health care related item to an
individual, or for the use of an individual.
(8) HEALTH CARE OPERATIONS- The term `health care operations' means
services provided by or on behalf of a health plan or health care provider
for the purpose of carrying out the management functions of a health care
provider or health plan, or implementing the terms of a contract for health
plan benefits. Such term means--
(A) conducting quality assurance activities or outcomes
assessments;
(B) reviewing the competence or qualifications of health care
professionals;
(C) performing accreditation, licensing, or credentialing
activities;
(D) analysis of health plan claims or health care records
data;
(E) evaluating health plan and provider performance;
(F) carrying out utilization review, precertification or
preauthorization of services;
(G) underwriting or experience rating of health plans;
(H) conducting or arranging for auditing services; or
(I) such other services as the Secretary determines
appropriate.
(9) HEALTH CARE PROVIDER- The term `health care provider' means a
person, who with respect to a specific item of protected health information,
receives, creates, uses, maintains, or discloses the information while
acting in whole or in part in the capacity of--
(A) a person who is licensed, certified, registered, or otherwise
authorized by Federal or State law to provide an item or service that
constitutes health care in the ordinary course of business, or practice of
a profession;
(B) a Federal, State, or employer sponsored program that directly
provides items or services that constitute health care to beneficiaries;
or
(C) an officer, employee, or agent of a person described in
subparagraph (A) or (B) that is engaged in the provision of health
care.
(10) HEALTH OR LIFE INSURER- The term `health or life insurer' means a
health insurance issuer as defined in section 9805(b)(2) of the Internal
Revenue Code of 1986 or a life insurance company as defined in section 816
of such Code.
(11) HEALTH OVERSIGHT AGENCY- The term `health oversight agency' means a
person who, with respect to a specific item of protected health information,
receives, creates, uses, maintains, or discloses the information while
acting in whole or in part in the capacity of--
(A) a person who performs or oversees the performance of an
assessment, evaluation, determination, or investigation, relating to the
licensing, accreditation, or credentialing of health care providers;
or
(i) performs or oversees the performance of an audit, assessment,
evaluation, determination, or investigation relating to the
effectiveness of, compliance with, or applicability of, legal, fiscal,
medical, or scientific standards or aspects of performance related to
the delivery of, or payment for, health care; and
(ii) is a public agency, acting on behalf of a public agency, acting
pursuant to a requirement of a public agency, or carrying out activities
under a Federal or State law governing the assessment, evaluation,
determination, investigation, or prosecution described in subparagraph
(A).
(12) HEALTH PLAN- The term `health plan' means any health insurance
plan, including any hospital or medical service plan, dental or other health
service plan or health maintenance organization plan, provider sponsored
organization, or other program providing or arranging for the provision of
health benefits. Such term includes employee welfare benefits plans and
group health plans as defined in sections 3 and 607 of the Employee
Retirement Income Security Act of 1974 (29 U.S.C. 1002 and 1167).
(13) HEALTH RESEARCHER- The term `health researcher' means a person, or
an officer, employee or independent contractor of a person, who receives
protected health information as part of a systematic investigation, testing
or evaluation designed to develop or contribute to generalized scientific
and clinical knowledge.
(14) INDIVIDUAL REPRESENTATIVE- The term `individual representative'
means a person who is authorized by law (based on grounds other than the
individual being a minor), or by an instrument recognized under law, to act
as an agent, attorney, proxy, or other legal representative of a protected
individual. Such term includes a health care power of attorney.
(15) INSTITUTIONAL REVIEW BOARD- The term `institutional review board'
means a review panel, that is generally associated with a particular
university or other research institution, that is responsible for
implementing Federal human subject protection requirements for research
conducted at or supported by the university or institution involved.
(16) LAW ENFORCEMENT INQUIRY- The term `law enforcement inquiry' means a
lawful investigation conducted by an appropriate government agency or
official inquiring into a violation of, or failure to comply with, any
criminal or civil statute or any regulation, rule, or order issued pursuant
to such a statute.
(17) NETWORK PLAN- The term `network plan' means health care coverage
provided under a health plan under which the financing and delivery of
health care are provided, in whole or in part, through a defined set of
health care providers under contract with the health plan.
(18) NONIDENTIFIABLE HEALTH INFORMATION- The term `nonidentifiable
health information' means any information that would otherwise be protected
health information except that such information does not directly reveal the
identity of the individual whose health or health care is the subject of the
information and there is no reasonable basis to believe that such
information could be used, either alone or with other information that is,
or should reasonably be known to be, available to predictable recipients of
such information, to reveal the identity of that individual.
(19) ORIGINATING PROVIDER- The term `originating provider' means a
health care provider who creates or originates medical information that is
or that becomes protected health information.
(20) PAYMENT- The term `payment' means--
(A) the activities undertaken by--
(i) or on behalf of a health plan to determine its responsibility
for coverage under the plan and the actual payment under such plan;
and
(ii) a health care provider to obtain payment for items or services
provided under a health plan or provided based on a determination by the
health plan of responsibility for coverage under the plan;
and
(B) activities undertaken as described in subparagraph (A)
including--
(i) billing, claims management, medical data processing or other
administrative services;
(ii) determinations of coverage or adjudication of health benefit
claims; and
(iii) review of health care services with respect to medical
necessity, coverage under a health plan, appropriateness of care, or
justification of charges.
(21) PERSON- The term `person' means a government, governmental
subdivision, agency or authority; corporation; company; association; firm;
partnership; society; estate; trust; joint venture; individual; individual
representative; tribal government; and any other legal entity.
(22) PROTECTED HEALTH INFORMATION- The term `protected health
information' means any information (including demographic information)
whether or not recorded in any form or medium--
(A) that relates to the past, present or future--
(i) physical or mental health or condition of an individual
(including the condition or other attributes of individual cells or
their components);
(ii) provision of health care to an individual; or
(iii) payment for the provision of health care to an
individual;
(B) that is created or received by a health care provider, health
plan, health researcher, health oversight agency, public health authority,
employer, law enforcement official, health or life insurer, school or
university; and
(C) that is not nonidentifiable health information.
(23) PUBLIC HEALTH AUTHORITY- The term `public health authority' means
an authority or instrumentality of the United States, a tribal government, a
State, or a political subdivision of a State that is--
(A) primarily responsible for public health matters; and
(B) primarily engaged in activities such as injury reporting, public
health surveillance, and public health investigation or
intervention.
(24) SCHOOL OR UNIVERSITY- The term `school or university' means an
institution or place for instruction or education, including an elementary
school, secondary school, or institution of higher learning, a college, or
an assemblage of colleges united under one corporate organization or
government.
(25) SECRETARY- The term `Secretary' means the Secretary of Health and
Human Services.
(26) STATE- The term `State' includes the District of Columbia, Puerto
Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana
Islands.
(27) TREATMENT- The term `treatment' means the provision of health care
by, or the coordination of health care among, health care providers, or the
referral of a patient from one provider to another, or coordination of
health care or other services among health care providers and third parties
authorized by the health plan or the plan member.
(28) WRITING- The term `writing' means writing in either a paper-based
or computer-based form, including electronic signatures.
TITLE I--INDIVIDUAL'S RIGHTS
Subtitle A--Review of Protected Health Information by Subjects of the
Information
SEC. 101. INSPECTION AND COPYING OF PROTECTED HEALTH INFORMATION.
(a) IN GENERAL- At the request of an individual and except as provided in
subsection (b), a health care provider, health plan, employer, health or life
insurer, school, or university shall permit an individual who is the subject
of protected health information or the individual's designee, to inspect and
copy protected health information concerning the individual, including records
created under sections 102 and 112, that such entity maintains. The entity may
set forth appropriate procedures to be followed for such inspection or copying
and may require an individual to pay reasonable costs associated with such
inspection or copying.
(b) EXCEPTIONS- Unless ordered by a court of competent jurisdiction, an
entity described in subsection (a) is not required to permit the inspection
or copying of protected health information if any of the following
conditions are met:
(1) ENDANGERMENT TO LIFE OR SAFETY- The entity determines that the
disclosure of the information could reasonably be expected to endanger the
life or physical safety of, or cause substantial mental harm to, the
individual who is the subject of the record.
(2) CONFIDENTIAL SOURCE- The information identifies, or could reasonably
lead to the identification of, a person who provided information under a
promise of confidentiality concerning the individual who is the subject of
the information.
(3) INFORMATION COMPILED IN ANTICIPATION OF LITIGATION- The information
is compiled principally--
(A) in the reasonable anticipation of a civil, criminal, or
administrative action or proceeding; or
(B) for use in such action or proceeding.
(4) RESEARCH PURPOSES- The information was collected for a research
project monitored by an institutional review board, such project is not
complete, and the researcher reasonably believes that access would harm the
conduct of the research or invalidate or undermine the validity of the
research.
(c) DENIAL OF A REQUEST FOR INSPECTION OR COPYING- If an entity described
in subsection (a) denies a request for inspection or copying pursuant to
subsection (b), the entity shall inform the individual in writing of--
(1) the reasons for the denial of the request for inspection or
copying;
(2) any procedures for further review of the denial; and
(3) the individual's right to file with the entity a concise statement
setting forth the request for inspection or copying.
(d) STATEMENT REGARDING REQUEST- If an individual has filed a statement
under subsection (c)(3), the entity in any subsequent disclosure of the
portion of the information requested under subsection (a) shall include--
(1) a copy of the individual's statement; and
(2) a concise statement of the reasons for denying the request for
inspection or copying.
(e) INSPECTION AND COPYING OF SEGREGABLE PORTION- An entity described in
subsection (a) shall permit the inspection and copying under subsection (a) of
any reasonably segregable portion of a record after deletion of any portion
that is exempt under subsection (b).
(1) IN GENERAL- Except as provided in paragraph (2), an entity described
in subsection (a) shall comply with or deny, in accordance with subsection
(c), a request for inspection or copying of protected health information
under this section not later than 30 days after the date on which the entity
receives the request.
(2) OFF PREMISES- In the case of a request described in paragraph (1),
if the information involved is in paper form, located off the premises of
the entity involved, and not readily available, the entity shall have 60
days to comply with or deny such request.
(g) RULES GOVERNING AGENTS- An agent of an entity described in subsection
(a) shall not be required to provide for the inspection and copying of
protected health information, except where--
(1) the protected health information is retained by the agent; and
(2) the agent has received in writing a request from the entity involved
to fulfill the requirements of this section;
at which time such information shall be provided to the requesting entity.
Such requesting entity shall comply with subsection (f) with respect to any
such information.
(h) RULE OF CONSTRUCTION- This section shall not be construed to require
an entity described in subsection (a) to conduct a formal, informal, or other
hearing or proceeding concerning a request for inspection or copying of
protected health information.
SEC. 102. AMENDMENT OF PROTECTED HEALTH INFORMATION.
(1) IN GENERAL- Except as provided in subsections (b) and (e), not later
than 45 days after the date on which a health care provider, health plan,
employer, health or life insurer, school, or university receives from an
individual a request in writing to amend information that meets the
requirements of paragraph (2), such entity shall--
(A) make the amendment requested;
(B) inform the individual of the amendment that has been made;
and
(C) make reasonable efforts to inform any person to whom the unamended
portion of the information was previously disclosed, of any nontechnical
amendment that has been made.
(2) INFORMATION- The requirements of this paragraph are that--
(A) the information that is the subject of the request is in fact
inaccurate; and
(B) the entity receiving the request created the information that is
at issue.
(b) REFUSAL TO AMEND- If an entity described in subsection (a) refuses to
make the amendment requested under such subsection, the entity shall inform
the individual in writing of--
(1) the reasons for the refusal to make the amendment;
(2) any procedures for further review of the refusal; and
(3) the individual's right to file with the entity a concise statement
setting forth the requested amendment and the individual's reasons for
disagreeing with the refusal.
(c) STATEMENT OF DISAGREEMENT- If an individual has filed a statement of
disagreement under subsection (b)(3), the entity involved, in any subsequent
disclosure of the disputed portion of the information--
(1) shall include a copy of the individual's statement; and
(2) may include a concise statement of the reasons for not making the
requested amendment.
(d) RULES GOVERNING AGENTS- The agent of an entity described in subsection
(a) shall not be required to make amendments to protected health information,
except where--
(1) the protected health information is retained by the agent; and
(2) the agent has been asked by such entity to fulfill the requirements
of this section.
If the agent is required to comply with this section as provided for in
paragraph (2), such agent shall be subject to the 45-day deadline described in
subsection (a).
(e) EXTENSION FOR PAPER RECORDS OFF PREMISES- In the case of a request
described in subsection (a), if the information involved is in paper form,
located off the premises of the entity involved, and not readily available,
the entity shall have 60 days to comply with or deny such request.
(f) REPEATED REQUESTS FOR AMENDMENTS- If an entity described in subsection
(a) receives a request for an amendment of information as provided for in such
subsection and a statement of disagreement has been filed pursuant to
subsection (c), the entity shall inform the individual of such filing and
shall not be required to carry out the procedures required under this
section.
(g) RULES OF CONSTRUCTION- This section shall not be construed to--
(1) require that an entity described in subsection (a) conduct a formal,
informal, or other hearing or proceeding concerning a request for an
amendment to protected health information;
(2) require a provider to amend an individual's record as to the type,
duration, or quality of treatment the individual believes he or she should
have been provided; or
(3) require any deletion or alteration of the original
information.
SEC. 103. NOTICE OF CONFIDENTIALITY PRACTICES.
(a) PREPARATION OF WRITTEN NOTICE- A health care provider, health plan,
health oversight agency, public health authority, employer, health or life
insurer, health researcher, school, or university shall post or provide, in
writing and in a clear and conspicuous manner, notice of the entity's
confidentiality practices, that shall include--
(1) a description of an individual's rights with respect to protected
health information;
(2) the uses and disclosures of protected health information authorized
under this Act;
(3) the procedures for authorizing disclosures of protected health
information and for revoking such authorizations;
(4) the procedures established by the entity for the exercise of the
individual's rights; and
(5) the right to obtain a copy of the notice of the confidentiality
practices required under this Act.
(b) MODEL NOTICE- The Secretary, after notice and opportunity for public
comment, shall develop and disseminate model notices of confidentiality
practices. Use of the model notice shall serve as an absolute defense against
claims of receiving inappropriate notice.
Subtitle B--Establishment of Safeguards
SEC. 111. ESTABLISHMENT OF SAFEGUARDS.
(a) IN GENERAL- A health care provider, health plan, health oversight
agency, public health authority, employer, health or life insurer, health
researcher, law enforcement official, school, or university shall establish
and maintain appropriate administrative, technical, and physical safeguards to
protect the confidentiality, security, accuracy, and integrity of protected
health information created, received, obtained, maintained, used, transmitted,
or disposed of by such entity.
(b) REGULATIONS- The Secretary shall have the authority to promulgate
regulations for the implementation of subsection (a).
(c) RULE OF CONSTRUCTION- Safeguards to protect the security of protected
health information under subsection (a) shall include the implementation of
policies or procedures to consider whether protected health information is
essential for a use or disclosure undertaken by an entity described in such
subsection.
SEC. 112. ACCOUNTING FOR DISCLOSURES.
(1) HEALTH RELATED ENTITIES- Except as provided in paragraph (3), a
health care provider, health plan, health oversight agency, public health
authority, employer, health or life insurer, health researcher, law
enforcement official, school, or university shall establish and maintain,
with respect to any protected health information disclosure, a record of
such disclosure in accordance with regulations issued by the
Secretary.
(2) AGENT- Except as provided in paragraph (3), an agent shall maintain
a record of its disclosures made pursuant to sections 205 through 212.
(3) EXCEPTION- A record of disclosures under this subsection is not
required with respect to disclosures made to officers or employees of the
entity that maintains the record involved who, in the performance of their
duties, have a need for the protected health information.
(b) RECORD OF DISCLOSURE- A record established under subsection (a) shall
be maintained for not less than 7 years.
TITLE II--RESTRICTIONS ON USE AND DISCLOSURE
SEC. 201. GENERAL RULES REGARDING USE AND DISCLOSURE.
(1) GENERAL RULE- A health care provider, health plan, health oversight
agency, public health authority, employer, health or life insurer, health
researcher, law enforcement official, school, or university may not disclose
protected health information except as authorized under this title.
(2) RULE OF CONSTRUCTION- Disclosure of health information in the form
of nonidentifiable health information shall not be construed as a disclosure
of protected health information.
(b) USE OR DISCLOSURE OF PROTECTED HEALTH INFORMATION WITHIN AN ENTITY-
(1) IN GENERAL- An entity described in subsection (a) may use protected
health information or disclose such information within the entity if such
use or disclosure is made pursuant to an authorization under section 202 or
203 and consistent with the limitations under subsection (d) on the scope of
disclosure.
(2) AGENTS- Disclosure to agents of an entity described in subsection
(a) shall be considered as a disclosure within an entity.
(c) DISCLOSURE BY AGENTS- An agent who receives protected health
information from an entity described in subsection (a) shall be subject to all
rules of disclosure and safeguard requirements under this title.
(d) SCOPE OF DISCLOSURE- Every disclosure of protected health information
by an entity under this title shall be limited to the information necessary to
accomplish the purpose for which the information is disclosed.
(e) NO GENERAL REQUIREMENT TO DISCLOSE- Nothing in this title permitting
the disclosure of protected health information shall be construed to require
such disclosure.
(f) IDENTIFICATION OF DISCLOSED INFORMATION AS PROTECTED INFORMATION-
Except as otherwise provided in this title, protected health information may
not be disclosed unless such information is clearly identified as protected
health information that is subject to this Act.
(g) CREATION OF NONIDENTIFIABLE INFORMATION- An entity described in
subsection (a) may disclose protected health information to an employee or
agent of the entity for purposes of creating nonidentifiable information, if
the entity prohibits the employee or agent of the entity from using or
disclosing the protected health information for purposes other than the sole
purpose of creating nonidentifiable information as specified by the entity.
(h) DEEMED DISCLOSURES OF PROTECTED HEALTH INFORMATION-
(1) IN GENERAL- Any individual or entity who manipulates a
nonidentifiable database in order to identify an individual shall be deemed
to have disclosed protected health information.
(2) DISCLOSURE OR TRANSMISSION OF AN ANONYMOUS LINK- The disclosure or
transmission of an anonymous link with any information which, together with
information previously disclosed with the same link, might reasonably be
used to identify an individual, shall be deemed to be a disclosure of
protected health information. Such a disclosure shall have the effect of
converting any previously disclosed, nonidentifiable information with the
same link into the protected health information.
SEC. 202. PROCUREMENT OF AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH
INFORMATION FOR TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS.
(a) REQUIREMENTS RELATING TO EMPLOYERS, HEALTH PLANS, UNINSURED
INDIVIDUALS, AND PROVIDERS-
(1) IN GENERAL- To meet the requirements relating to the authorized
disclosure of protected health information under section 201, an
authorization form must be secured for each individual in connection with
treatment, payment and health care operations.
(2) CONSOLIDATED AUTHORIZATION- A single authorization may be secured
for each individual in connection with treatment, payment, and health care
operations.
(3) EMPLOYERS- Every employer offering a health plan to its employees
shall, at the time of, and as a condition of enrollment in the health plan,
obtain a signed, written authorization that is a legal, informed
authorization concerning the use and disclosure of protected health
information for treatment, payment, and health care operations with respect
to each individual who is eligible to receive care under the health
plan.
(4) HEALTH PLANS- Every health plan offering enrollment to individual or
non-employer groups shall, at the time of, and as a condition of enrollment
in the health plan, obtain a signed, written authorization that is a legal,
informed authorization concerning the use and disclosure of protected health
information for treatment, payment, and health care operations with respect
to each individual who is eligible to receive care under the plan.
(5) UNINSURED- An originating provider providing health care to an
uninsured individual, shall obtain a signed, written authorization that is a
legal, informed authorization concerning the use and disclosure of protected
health information, in providing health care or arranging for health care
from other providers or seeking payment for the provision of health care
services.
(6) PROVIDERS- Every health care provider providing health care to an
individual who has not given an authorization under paragraph (3), (4), or
(5), shall, at the time of providing such care, obtain a signed, written
authorization concerning the use and disclosure of protected health
information for treatment, payment, and health care operations with respect
to such individual. Nothing in this section shall be construed to require
that a health care provider secure an authorization in addition to an
authorization secured under paragraph (3), (4), or (5).
(b) REQUIREMENTS FOR INDIVIDUAL AUTHORIZATION- To be valid, an
authorization to disclose protected health information shall--
(1) identify the individual involved;
(2) describe the nature of the health care information to be
disclosed;
(3) identify the type of person to whom the information is to be
disclosed;
(4) describe the purpose of the disclosure, including whether the
information may be used for disease management or medication
compliance;
(5) be subject to revocation by the individual and indicate that the
authorization is valid until revocation by the individual; and
(i) in writing, dated, and signed by the individual; or
(ii) in electronic form, dated and authenticated by the individual
using a unique identifier; and
(B) not have been revoked under paragraph (c).
(c) REVOCATION OF AUTHORIZATION-
(1) IN GENERAL- An individual may revoke in writing an authorization
under this section at any time, unless the disclosure that is the subject of
the authorization is required to effectuate payment for health care that has
been provided to the individual for which the individual has not agreed to
assume personal financial responsibility.
(2) EXCEPTION FOR SELF-PAYMENT- An individual may revoke a prior
authorization for payment or health care operations described in paragraphs
(1) through (6) of subsection (a) prior to a single or series of encounters
with a health care provider if such individual has agreed to assume personal
financial responsibility for the treatment.
(3) HEALTH PLANS- With respect to a health plan, the authorization of an
individual is deemed to be revoked at the time of the cancellation or
non-renewal of enrollment in the health plan, except as may be necessary to
complete health care operations and payment requirements related to the
individual's period of enrollment.
(4) ACTIONS- An individual may not maintain an action against a person
for disclosure of protected health information made in good faith reliance
on the individual's authorization at the time disclosure was made.
(d) RECORD OF INDIVIDUAL'S AUTHORIZATIONS AND REVOCATIONS-
(1) IN GENERAL- Each person collecting or storing protected health
information shall maintain a record for a period of 7 years of each
authorization of an individual and revocation thereof.
(2) RULE OF CONSTRUCTION- Records of authorizations and revocations
maintained under paragraph (1) shall not be construed to be protected health
information under this Act.
(e) NO WAIVER- Except as provided for in this Act, an authorization to
disclose protected health information by an individual shall not be construed
as a waiver of any rights that the individual has under other Federal or State
laws, the rules of evidence, or common law.
(f) RULE OF CONSTRUCTION- Authorizations for the disclosure of protected
health information for treatment, payment, and health care operations shall
not authorize the disclosure of such information by an individual with the
intent to sell, transfer, or use protected health information for the purpose
of marketing a product or service. For such disclosures a separate
authorization is required under section 203.
SEC. 203. AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH INFORMATION
OTHER THAN FOR TREATMENT, PAYMENT, OR HEALTH CARE OPERATIONS.
(a) WRITTEN AUTHORIZATIONS- A health care provider, health plan, health
oversight agency, health researcher, public health authority, law enforcement
official, employer, health or life insurer, school, or university may disclose
protected health information, for purposes other than those authorized under
section 202, pursuant to an authorization executed by the individual who is
the subject of the information that meets the requirements of section 202(b).
Such an authorization shall be separate from an authorization provided under
section 202.
(b) LIMITATION ON AUTHORIZATIONS- An entity described in section 202 may
not condition the delivery of treatment or payment for services on the receipt
of an authorization described in this section.
(c) REVOCATION OR AMENDMENT OF AUTHORIZATION-
(1) IN GENERAL- An individual may in writing revoke or amend an
authorization described in subsection (a).
(2) NOTICE OF REVOCATION- An entity described in subsection (a) that
discloses protected health information pursuant to an authorization that has
been revoked under paragraph (1) shall not be subject to any liability or
penalty under this title if that entity had no actual or constructive notice
of the revocation.
(d) REQUIREMENT TO RELEASE PROTECTED HEALTH INFORMATION TO CORONERS AND
MEDICAL EXAMINERS-
(1) IN GENERAL- When a Coroner or Medical Examiner or their duly
appointed deputies seek protected health information for the purpose of
inquiry into and determination of, the cause, manner, and circumstances of a
death, the health care provider, health plan, health oversight agency,
public health authority, employer, health or life insurer, health
researcher, law enforcement official, school, or university involved shall
provide the protected health information to the Coroner or Medical Examiner
or to the duly appointed deputies without undue delay.
(2) PRODUCTION OF ADDITIONAL INFORMATION- If a Coroner or Medical
Examiner or their duly appointed deputies receives health information from
an entity referred to in paragraph (1), such health information shall remain
as protected health information unless the health information is attached to
or otherwise made a part of a Coroner's or Medical Examiner's official
report, in which case it shall no longer be protected.
(3) EXEMPTION- Health information attached to or otherwise made a part
of a Coroner's or Medical Examiner's official report, shall be exempt from
the provisions of this Act except as provided for in this subsection.
(4) REIMBURSEMENT- A Coroner or Medical Examiner may require a person to
reimburse their Office for the reasonable costs associated with such
inspection or copying.
(e) DISCLOSURE FOR PURPOSE ONLY- A recipient of information pursuant to an
authorization under this section may use or disclose such information solely
to carry out the purpose for which the information was authorized for
release.
(f) MODEL AUTHORIZATIONS- The Secretary, after notice and opportunity for
public comment, shall develop and disseminate model written authorizations of
the type described in subsection (a). Any authorization obtained on a model
authorization form developed by the Secretary shall be deemed to meet the
authorization requirements of this section.
SEC. 204. NEXT OF KIN AND DIRECTORY INFORMATION.
(a) NEXT OF KIN- A health care provider, or a person who receives
protected health information under section 205, may disclose protected health
information regarding an individual to the individual's next of kin, an
individual's representative, or to another person whom the individual has
identified, if--
(1) the individual who is the subject of the information--
(A) has been notified of the individual's right to object to such
disclosure and the individual has not objected to the disclosure;
or
(B) is in a physical or mental condition such that the individual is
not capable of objecting, and there are no prior indications that the
individual would object;
(2) the information disclosed relates to health care currently being
provided to that individual; or
(3) the disclosure of the protected health information is consistent
with good medical or professional practice.
(b) DIRECTORY INFORMATION-
(A) IN GENERAL- Except as provided in paragraph (2), an entity
described in subsection (a) may disclose the information described in
subparagraph (B) to any person if the individual who is the subject of the
information--
(i) has been notified of the individual's right to object and the
individual has not objected to the disclosure; or
(ii) is in a physical or mental condition such that the individual
is not capable of objecting, the individual's next of kin has not
objected, and there are no prior indications that the individual would
object.
(B) INFORMATION- Information described in this subparagraph is
information that consists only of 1 or more of the following
items:
(i) The name of the individual who is the subject of the
information.
(ii) The general health status of the individual, described as
critical, poor, fair, stable, or satisfactory or in terms denoting
similar conditions.
(iii) The location of the individual on premises controlled by a
provider.
(A) LOCATION- Paragraph (1)(B)(iii) shall not apply if disclosure of
the location of the individual would reveal specific information about the
physical or mental condition of the individual, unless the individual
expressly authorizes such disclosure.
(B) DIRECTORY OR NEXT OF KIN INFORMATION- A disclosure may not be made
under this section if the health care provider involved has reason to
believe that the disclosure of directory or next of kin information could
lead to the physical or mental harm of the individual, unless the
individual expressly authorizes such disclosure.
(c) IDENTIFICATION OF DECEASED INDIVIDUAL- An entity described in
subsection (a) may disclose protected health information if such disclosure is
necessary to assist in the identification or safe handling of a deceased
individual.
(1) INDIVIDUALS WHO ARE 18 OR LEGALLY CAPABLE- In the case of an
individual--
(A) who is 18 years of age or older, all rights of the individual
under this title shall be exercised by the individual; or
(B) who, acting alone, can obtain a type of health care without
violating any applicable Federal or State law, and who has sought such
care, the individual shall exercise all rights of the individual under
this title with respect to protected health information relating to such
health care.
(2) INDIVIDUALS UNDER 18- Except as provided in paragraph (1)(B), in the
case of an individual who is--
(A) under 14 years of age, all of the individual's rights under this
title shall be exercised through the parent or legal guardian; or
(B) at least 14 but under 18 years of age, the rights of inspection
and amendment, and the right to authorize use and disclosure of protected
health information of the individual shall be exercised by the individual,
or by the parent or legal guardian of the individual.
SEC. 205. EMERGENCY CIRCUMSTANCES.
Any person who creates or receives protected health information under this
title may disclose protected health information in emergency circumstances
when necessary to protect the health or safety of the individual who is the
subject of such information from serious, imminent harm. No disclosure made in
the good faith belief that the disclosure was necessary to protect the health
or safety of an individual from serious, imminent harm shall be in violation
of, or punishable under, this Act.
SEC. 206. OVERSIGHT.
(a) IN GENERAL- A health care provider, health plan, employer, health or
life insurer, law enforcement official, school, or university may disclose
protected health information to a health oversight agency for purposes of an
oversight function authorized by law.
(b) PUBLIC HEALTH AND HEALTH RESEARCH- A public health authority or health
researcher may disclose protected health information to a health oversight
agency for purposes of an oversight function of the public health authority or
health researcher authorized by law.
(c) AUTHORIZATION BY A SUPERVISOR- For purposes of this section, the
individual with authority to authorize the oversight function involved shall
provide to the entity described in subsection (a) or (b) a statement that the
protected health information is being sought for a legally authorized
oversight function.
(d) USE IN ACTION AGAINST INDIVIDUALS- Protected health information about
an individual that is disclosed under this section may not be used in, or
disclosed to any person for use in, an administrative, civil, or criminal
action or investigation directed against the individual unless the action or
investigation arises out of and is directly related to--
(1) the receipt of health care or payment for health care;
(2) an action involving a fraudulent claim related to health; or
(3) an action involving oversight of a public health authority or a
health researcher.
SEC. 207. PUBLIC HEALTH.
A health care provider, health plan, public health authority, employer,
health or life insurer, law enforcement official, school, or university may
disclose protected health information to a public health authority or other
person authorized by law for use in a legally authorized--
(1) disease or injury report;
(2) public health surveillance; or
(3) public health investigation or intervention.
SEC. 208. HEALTH RESEARCH.
(a) IN GENERAL- A health care provider, health plan, public health
authority, employer, health or life insurer, school, or university may
disclose protected health information to a health researcher if--
(1) the research involves human subjects conducted or supported by any
Federal department or agency and the researcher complies with the common
rule;
(2) the research is a clinical investigation involving human subjects
and the researcher follows the regulations of the Food and Drug
Administration governing confidentiality procedures; or
(3) the research is not subject to the Federal Policy for the Protection
of Human Subjects.
(b) PERIODIC REVIEW AND TECHNICAL ASSISTANCE OF INSTITUTIONAL REVIEW
BOARDS INVOLVED WITH THE FEDERAL POLICY FOR PROTECTION OF HUMAN SUBJECTS-
(1) INSTITUTIONAL REVIEW BOARD- Any institutional review board that
authorizes research under this section pursuant to the common rule shall
keep records of the names and addresses of all members who participate in
such authorizations for possible review or audit.
(2) TECHNICAL ASSISTANCE- The Secretary may provide technical assistance
to institutional review boards described in this section.
(3) MONITORING- The Secretary shall periodically monitor institutional
review boards described in this section.
(4) REPORTS- Not later than 3 years after the date of enactment of this
Act, the Secretary shall report to Congress regarding the activities of
institutional review boards described in this section.
(c) REVIEW OF THE COMMON RULE BY THE SECRETARY- The Secretary shall review
the requirements of the common rule pertaining to the privacy of protected
health information and shall promulgate any amendments to the common rule that
may be necessary to ensure the confidentiality of such information.
(d) RECOMMENDATIONS WITH RESPECT TO PRIVACY-
(1) IN GENERAL- Not later than the date that is 12 months after the date
of the enactment of this Act, the Secretary shall submit to the Committee on
Labor and Human Resources of the Senate detailed recommendations on
standards with respect to the privacy of individually identifiable health
information in research described in subsection (a)(3).
(2) RULE OF CONSTRUCTION- In formulating the recommendations under
paragraph (1), the Secretary shall consider the findings of the National
Bioethics Advisory Commission and the results of the General Accounting
Office report authorized by section 402.
(3) REGULATIONS- If legislation governing standards with respect to the
privacy of individually identifiable health information transmitted in
connection with research described in subsection (a)(3) is not enacted by
the date that is 24 months after the date of the enactment of this Act, the
Secretary shall promulgate final regulations containing such standards not
later than the date that is 30 months after the date of the enactment of
this Act.
SEC. 209. DISCLOSURE IN CIVIL, JUDICIAL, AND ADMINISTRATIVE PROCEDURES.
(a) IN GENERAL- A health care provider, health plan, public health
authority, employer, health or life insurer, law enforcement official, school,
or university may disclose protected health information pursuant to a
discovery request or subpoena in a civil action brought in a Federal or State
court or a request or subpoena related to a Federal or State administrative
proceeding, but only if the disclosure is made pursuant to a court order as
provided for in subsection (b).
(1) STANDARD FOR ISSUANCE- In considering a request for a court order
regarding the disclosure of protected health information under subsection
(a), the court shall issue such order if the court determines that without
the disclosure of such information, the person requesting the order would be
impaired from establishing a claim or defense.
(2) REQUIREMENTS- An order issued under paragraph (1) shall--
(A) provide that the protected health information involved is subject
to court protection;
(B) specify to whom the information may be disclosed;
(C) specify that such information may not otherwise be disclosed or
used; and
(D) meet any other requirements that the court determines are needed
to protect the confidentiality of the information.
(c) APPLICABILITY- This section shall not apply in a case in which the
protected health information sought under such discovery request or
subpoena--
(1) is nonidentifiable health information;
(2) is related to a party to the litigation whose medical condition is
at issue; or
(3) could be disclosed under any of sections 202 through 208, 210, and
212.
(d) EFFECT OF SECTION- This section shall not be construed to supersede
any grounds that may apply under Federal or State law for objecting to turning
over the protected health information.
SEC. 210. DISCLOSURE FOR LAW ENFORCEMENT PURPOSES.
(a) IN GENERAL- A health care provider, health plan, health oversight
agency, employer, health or life insurer, school, university, or person who
receives protected health information pursuant to sections 203 through 208,
may disclose protected health information under this section, except to a
health oversight agency governed by section 206, if the disclosure is pursuant
to--
(1) a subpoena issued under the authority of a grand jury;
(2) an administrative subpoena or summons or judicial subpoena or
warrant; or
(3) a Federal or State law requiring the reporting of specific medical
information to law enforcement authorities.
(b) PROBABLE CAUSE- A subpoena or summons for a disclosure under paragraph
(1) or (2) of subsection (a) shall only be issued if the law enforcement
agency involved shows that there is probable cause to believe that the
information is relevant to a legitimate law enforcement inquiry.
(c) DESTRUCTION OR RETURN OF INFORMATION- When the matter or need for
which protected health information was disclosed to a law enforcement agency
or grand jury under subsection (a) has concluded, including any derivative
matters arising from such matter or need, the law enforcement agency or grand
jury shall either destroy the protected health information, or return it to
the person from whom it was obtained.
(d) REDACTIONS- To the extent practicable, and consistent with the
requirements of due process, a law enforcement agency shall redact personally
identifying information from protected health information prior to the public
disclosure of such protected information in a judicial or administrative
proceeding.
(e) USE OF INFORMATION- Protected health information obtained by a law
enforcement agency pursuant to this section may only be used for purposes of a
legitimate law enforcement activity.
(f) EXCLUSION OF EVIDENCE- If protected health information is obtained
without meeting the requirements of paragraphs (1), (2), and (3) of subsection
(a), any such information that is unlawfully obtained shall be excluded from
court proceedings unless the defendant requests otherwise.
SEC. 211. DISCLOSURES FOR POSTMARKETING ADVERSE EXPERIENCE REPORTING FOR
HUMAN DRUG AND LICENSED BIOLOGICAL PRODUCTS.
(a) ADVERSE EXPERIENCE REPORTS-
(1) IN GENERAL- Pursuant to the regulations of the Food and Drug
Administration at sections 310.305, 314.80, and 600.80 of title 21, Code of
Federal Regulations, manufacturers, packers, and distributors of approved
new drug applications, abbreviated new drug applications, antibiotic
applications, marketed prescription of drugs for human use, and approved
biologic product license applications shall report adverse experiences in
accordance with such section.
(2) NO IDENTIFICATION OF PATIENTS- In accordance with the August 1997
Guidance for Industry of the Food and Drug Administration, patients shall
not be identified by name, address, or social security number in any report
described in paragraph (1). The manufacturer, packer, or distributor
involved shall assign a code for a patient in each such report.
(3) NON LIABILITY UNDER ACT- A manufacturer, packer, or distributor who
submits an adverse report in accordance with this subsection and the
regulations described in paragraph (1) shall not be liable under this
Act.
(b) RULE OF CONSTRUCTION- An adverse experience report written in
accordance with the regulations described in subsection (a) shall be deemed to
be a disclosure of non-identifiable information under this Act.
SEC. 212. PAYMENT CARD AND ELECTRONIC PAYMENT TRANSACTION.
(a) PAYMENT FOR HEALTH CARE THROUGH CARD OR ELECTRONIC MEANS- If an
individual pays for health care by presenting a debit, credit, or other
payment card or account number, or by any other electronic payment means, the
entity receiving payment may disclose to a person described in subsection (b)
only such protected health information about the individual as is necessary
for the processing of the payment transaction or the billing or collection of
amounts charged to, debited from, or otherwise paid by, the individual using
the card, number, or other electronic means.
(b) TRANSACTION PROCESSING- A person who is a debit, credit, or other
payment card issuer, or is otherwise directly involved in the processing of
payment transactions involving such cards or other electronic payment
transactions, or is otherwise directly involved in the billing or collection
of amounts paid through such means, may use or disclose protected health
information about an individual that has been disclosed in accordance with
subsection (a) only when necessary for--
(1) the authorization, settlement, billing or collection of amounts
charged to, debited from, or otherwise paid by the individual using a debit,
credit, or other payment card or account number, or by other electronic
payment means;
(2) the transfer of receivables, accounts, or interest therein;
(3) the audit of the debit, credit, or other payment card account
information;
(4) compliance with Federal, State, or local law, or
(5) compliance with a properly authorized civil, criminal, or regulatory
investigation by Federal, State, or local authorities as governed by the
requirements of this section.
SEC. 213. STANDARDS FOR ELECTRONIC DISCLOSURES.
The Secretary shall promulgate standards for disclosing, authorizing, and
authenticating, protected health information in electronic form consistent
with this title.
SEC. 214. INDIVIDUAL REPRESENTATIVES.
(a) IN GENERAL- Except as provided in subsections (b) and (c), a person
who is authorized by law (based on grounds other than the individual being a
minor), or by an instrument recognized under law, to act as an agent,
attorney, proxy, or other legal representative of a protected individual, may,
to the extent so authorized, exercise and discharge the rights of the
individual under this Act.
(b) HEALTH CARE POWER OF ATTORNEY- A person who is authorized by law
(based on grounds other than being a minor), or by an instrument recognized
under law, to make decisions about the provision of health care to an
individual who is incapacitated, may exercise and discharge the rights of the
individual under this Act to the extent necessary to effectuate the terms or
purposes of the grant of authority.
(c) NO COURT DECLARATION- If a health care provider determines that an
individual, who has not been declared to be legally incompetent, suffers from
a medical condition that prevents the individual from acting knowingly or
effectively on the individual's own behalf, the right of the individual to
authorize disclosure under this Act may be exercised and discharged in the
best interest of the individual by--
(1) a person described in subsection (b) with respect to the
individual;
(2) a person described in subsection (a) with respect to the individual,
but only if a person described in paragraph (1) cannot be contacted after a
reasonable effort;
(3) the next of kin of the individual, but only if a person described in
paragraph (1) or (2) cannot be contacted after a reasonable effort; or
(4) the health care provider, but only if a person described in
paragraph (1), (2), or (3) cannot be contacted after a reasonable
effort.
(d) APPLICATION TO DECEASED INDIVIDUALS- The provisions of this Act shall
continue to apply to protected health information concerning a deceased
individual for a period of 2-years following the death of that individual.
(e) EXERCISE OF RIGHTS ON BEHALF OF A DECEASED INDIVIDUAL- A person who is
authorized by law or by an instrument recognized under law, to act as an
executor of the estate of a deceased individual, or otherwise to exercise the
rights of the deceased individual, may, to the extent so authorized, exercise
and discharge the rights of such deceased individual under this Act for a
period of 2-years following the death of that individual. If no such designee
has been authorized, the rights of the deceased individual may be exercised as
provided for in subsection (c).
SEC. 215. LIMITED LIABILITY FOR LAW ENFORCEMENT OFFICERS.
Federal and State law enforcement officers shall not be personally liable
for violations of this Act unless it is shown that the violation was a result
of intentional conduct committed with the intent to sell, transfer, or use
protected health information for commercial advantage, personal gain, or
malicious harm.
SEC. 216. NO LIABILITY FOR PERMISSIBLE DISCLOSURES.
A health care provider, health plan, health oversight agency, health
researcher, public health authority, law enforcement official, employer,
health or life insurer, school, or university who makes a disclosure of
protected health information about an individual that is permitted by this Act
shall not be liable to the individual for such disclosure under common law.
TITLE III--SANCTIONS
Subtitle A--Criminal Provisions
SEC. 301. WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION.
(a) IN GENERAL- Part I of title 18, United States Code, is amended by
adding at the end the following:
`CHAPTER 124--WRONGFUL DISCLOSURE OF PROTECTED HEALTH
INFORMATION
`Sec.
`2801. Wrongful disclosure of protected health information.
`Sec. 2801. Wrongful disclosure of protected health information
`(a) OFFENSE- The penalties described in subsection (b) shall apply to a
person that knowingly and intentionally--
`(1) obtains protected health information relating to an individual in
violation of title II of the Health Care PIN Act;
`(2) discloses protected health information to another person in
violation of title II of the Health Care PIN Act; or
`(3) uses protected health information in violation of title II of the
Health Care PIN Act.
`(b) PENALTIES- A person described in subsection (a) shall--
`(1) be fined not more than $50,000, imprisoned not more than 1 year, or
both;
`(2) if the offense is committed under false pretenses, be fined not
more than $250,000, imprisoned not more than 5 years, or any combination of
such penalties;
`(3) if the offense is committed with the intent to sell, transfer, or
use protected health information for commercial advantage, personal gain, or
malicious harm, be fined not more than $500,000, imprisoned not more than 10
years, excluded from participation in any federally funded health care
programs, or any combination of such penalties.
`(c) SUBSEQUENT OFFENSES- In the case of a person described in subsection
(a), the maximum penalties described in subsection (b) shall be doubled for
every subsequent conviction for an offense arising out of a violation or
violations related to a set of circumstances that are different from those
involved in the previous violation or set of related violations described in
such subsection (a).'.
(b) CLERICAL AMENDMENT- The table of chapters for part I of title 18,
United States Code, is amended by inserting after the item relating to chapter
123 the following new item:
2801'.
SEC. 302. DEBARMENT FOR CRIMES.
(a) PURPOSE- The purpose of this section is to promote the prevention and
deterrence of instances of intentional criminal actions which violate criminal
laws which are designed to safeguard the protected health information in a
manner consistent with this Act.
(b) DEBARMENT- Not later than 270 days after the effective date of this
Act, the Attorney General, in consultation with the Secretary, shall
promulgate regulations and establish procedures to permit the debarment of
health care providers, health researchers, health or life insurers, or schools
or universities from receiving benefits under any Federal health programs if
the managers or officers of such entities are found guilty of violating
section 2801 of title 18, United States Code, have civil penalties imposed
against such officers or managers under section 311 in connection with the
illegal disclosure of protected health information, or are found guilty of
making a false statement or obstructing justice related to attempting to
conceal or concealing such illegal disclosure. Such regulations shall take
into account the need for continuity of medical care and may provide for a
delay of any debarment imposed under this section to take into account the
medical needs of patients.
(c) CONSULTATION- Before publishing a proposed rule to implement
subsection (b), the Attorney General shall consult with State law enforcement
officials, health care providers, patient privacy rights' advocates, and other
appropriate individuals and entities, to gain additional information regarding
the debarment of entities under subsection (b) and the best methods to ensure
the continuity of medical care.
(d) REPORT- The Attorney General shall annually prepare and submit to the
Committee on the Judiciary of the House of Representatives and the Committee
on the Judiciary of the Senate a report concerning the activities and
debarment actions taken by the Attorney General under this section.
(e) ASSISTANCE TO PREVENT CRIMINAL VIOLATIONS- The Attorney General, in
cooperation with any other appropriate individual, organization, or agency,
may provide advice, training, technical assistance, and guidance regarding
ways to reduce the incidence of improper disclosure of protected health
information.
(f) RELATIONSHIP TO OTHER AUTHORITIES- A debarment imposed under this
section shall not reduce or diminish the authority of a Federal, State, or
local governmental agency or court to penalize, imprison, fine, suspend,
debar, or take other adverse action against a person, in a civil, criminal, or
administrative proceeding.
Subtitle B--Civil Sanctions
SEC. 311. CIVIL PENALTY.
(a) VIOLATION- A health care provider, health researcher, health plan,
health oversight agency, public health agency, law enforcement agency,
employer, health or life insurer, school, or university, or the agent of any
such individual or entity, who the Secretary, in consultation with the
Attorney General, determines has substantially and materially failed to comply
with this Act shall be subject, in addition to any other penalties that may be
prescribed by law--
(1) in a case in which the violation relates to title I, to a civil
penalty of not more than $500 for each such violation, but not to exceed
$5,000 in the aggregate for multiple violations;
(2) in a case in which the violation relates to title II, to a civil
penalty of not more than $10,000 for each such violation, but not to exceed
$50,000 in the aggregate for multiple violations; or
(3) in a case in which the Secretary finds that such violations have
occurred with such frequency as to constitute a general business practice,
to a civil penalty of not more than $100,000.
(b) PROCEDURES FOR IMPOSITION OF PENALTIES- Section 1128A of the Social
Security Act, other than subsections (a) and (b) and the second sentence of
subsection (f) of that section, shall apply to the imposition of a civil,
monetary, or exclusionary penalty under this section in the same manner as
such provisions apply with respect to the imposition of a penalty under
section 1128A of such Act.
SEC. 312. PROCEDURES FOR IMPOSITION OF PENALTIES.
(a) INITIATION OF PROCEEDINGS-
(1) IN GENERAL- The Secretary, in consultation with the Attorney
General, may initiate a proceeding to determine whether to impose a civil
money penalty under section 311. The Secretary may not initiate an action
under this section with respect to any violation described in section 311
after the expiration of the 6-year period beginning on the date on which
such violation was alleged to have occurred. The Secretary may initiate an
action under this section by serving notice of the action in any manner
authorized by Rule 4 of the Federal Rules of Civil Procedure.
(2) NOTICE AND OPPORTUNITY FOR HEARING- The Secretary shall not make a
determination adverse to any person under paragraph (1) until the person has
been given written notice and an opportunity for the determination to be
made on the record after a hearing at which the person is entitled
to be represented by counsel, to present witnesses, and to cross-examine
witnesses against the person.
(3) ESTOPPEL- In a proceeding under paragraph (1) that--
(A) is against a person who has been convicted (whether upon a verdict
after trial or upon a plea of guilty or nolo contendere) of a crime under
section 2801 of title 18, United States Code; and
(B) involves the same conduct as in the criminal action;
the person is estopped from denying the essential elements of the
criminal offense.
(4) SANCTIONS FOR FAILURE TO COMPLY- The official conducting a hearing
under this section may sanction a person, including any party or attorney,
for failing to comply with an order or procedure, failing to defend an
action, or other misconduct as would interfere with the speedy, orderly, or
fair conduct of the hearing. Such sanction shall reasonably relate to the
severity and nature of the failure or misconduct. Such sanction may
include--
(A) in the case of refusal to provide or permit discovery, drawing
negative factual inferences or treating such refusal as an admission by
deeming the matter, or certain facts, to be established;
(B) prohibiting a party from introducing certain evidence or otherwise
supporting a particular claim or defense;
(C) striking pleadings, in whole or in part;
(D) staying the proceedings;
(E) dismissal of the action;
(F) entering a default judgment;
(G) ordering the party or attorney to pay attorneys' fees and other
costs caused by the failure or misconduct; and
(H) refusing to consider any motion or other action which is not filed
in a timely manner.
(b) SCOPE OF PENALTY- In determining the amount or scope of any penalty
imposed pursuant to section 311, the Secretary shall take into account--
(1) the nature of claims and the circumstances under which they were
presented;
(2) the degree of culpability, history of prior offenses, and financial
condition of the person presenting the claims; and
(3) such other matters as justice may require.
(c) REVIEW OF DETERMINATION-
(1) IN GENERAL- Any person adversely affected by a determination of the
Secretary under this section may obtain a review of such determination in
the United States Court of Appeals for the circuit in which the person
resides, or in which the claim was presented, by filing in such court
(within 60 days following the date the person is notified of the
determination of the Secretary) a written petition requesting that the
determination be modified or set aside.
(2) FILING OF RECORD- A copy of the petition filed under paragraph (1)
shall be forthwith transmitted by the clerk of the court to the Secretary,
and thereupon the Secretary shall file in the Court the record in the
proceeding as provided in section 2112 of title 28, United States Code. Upon
such filing, the court shall have jurisdiction of the proceeding and of the
question determined therein, and shall have the power to make and enter upon
the pleadings, testimony, and proceedings set forth in such record a decree
affirming, modifying, remanding for further consideration, or setting aside,
in whole or in part, the determination of the Secretary and enforcing the
same to the extent that such order is affirmed or modified.
(3) CONSIDERATION OF OBJECTIONS- No objection that has not been raised
before the Secretary with respect to a determination described in paragraph
(1) shall be considered by the court, unless the failure or neglect to raise
such objection shall be excused because of extraordinary
circumstances.
(4) FINDINGS- The findings of the Secretary with respect to questions of
fact in an action under this subsection, if supported by substantial
evidence on the record considered as a whole, shall be conclusive. If any
party shall apply to the court for leave to adduce additional evidence and
shall show to the satisfaction of the court that such additional evidence is
material and that there were reasonable grounds for the failure to adduce
such evidence in the hearing before the Secretary, the court may order such
additional evidence to be taken before the Secretary and to be made a part
of the record. The Secretary may modify findings as to the facts, or make
new findings, by reason of additional evidence so taken and filed, and shall
file with the court such modified or new findings, and such findings with
respect to questions of fact, if supported by substantial evidence on the
record considered as a whole, and the recommendations of the Secretary, if
any, for the modification or setting aside of the original order, shall be
conclusive.
(5) EXCLUSIVE JURISDICTION- Upon the filing of the record with the court
under paragraph (2), the jurisdiction of the court shall be exclusive and
its judgment and decree shall be final, except that the same shall be
subject to review by the Supreme Court of the United States, as provided for
in section 1254 of title 28, United States Code.
(d) RECOVERY OF PENALTIES-
(1) IN GENERAL- Civil money penalties imposed under this subtitle may be
compromised by the Secretary and may be recovered in a civil action in the
name of the United States brought in United States district court for the
district where the claim was presented, or where the claimant resides, as
determined by the Secretary. Amounts recovered under this section shall be
paid to the Secretary and deposited as miscellaneous receipts of the
Treasury of the United States.
(2) DEDUCTION FROM AMOUNTS OWING- The amount of any penalty, when
finally determined under this section, or the amount agreed upon in
compromise under paragraph (1), may be deducted from any sum then or later
owing by the United States or a State to the person against whom the penalty
has been assessed.
(e) DETERMINATION FINAL- A determination by the Secretary to impose a
penalty under section 321 shall be final upon the expiration of the 60-day
period referred to in subsection (c)(1). Matters that were raised or that
could have been raised in a hearing before the Secretary or in an appeal
pursuant to subsection (c) may not be raised as a defense to a civil action by
the United States to collect a penalty under section 311.
(1) IN GENERAL- For the purpose of any hearing, investigation, or other
proceeding authorized or directed under this section, or relative to any
other matter within the jurisdiction of the Attorney General hereunder, the
Attorney General, acting through the Secretary shall have the power to issue
subpoenas requiring the attendance and testimony of witnesses and the
production of any evidence that relates to any matter under investigation or
in question before the Secretary. Such attendance of witnesses and
production of evidence at the designated place of such hearing,
investigation, or other proceeding may be required from any place in the
United States or in any Territory or possession thereof.
(2) SERVICE- Subpoenas of the Secretary under paragraph (1) shall be
served by anyone authorized by the Secretary by delivering a copy thereof to
the individual named therein.
(3) PROOF OF SERVICE- A verified return by the individual serving the
subpoena under this subsection setting forth the manner of service shall be
proof of service.
(4) FEES- Witnesses subpoenaed under this subsection shall be paid the
same fees and mileage as are paid witnesses in the district court of the
United States.
(5) REFUSAL TO OBEY- In case of contumacy by, or refusal to obey a duly
served upon, any person, any district court of the United States for the
judicial district in which such person charged with contumacy or refusal to
obey is found or resides or transacts business, upon application by the
Secretary, shall have jurisdiction to issue an order requiring such person
to appear and give testimony, or to appear and produce evidence, or both.
Any failure to obey such order of the court may be punished by the court as
contempt thereof.
(g) INJUNCTIVE RELIEF- Whenever the Secretary has reason to believe that
any person has engaged, is engaging, or is about to engage in any activity
which makes the person subject to a civil monetary penalty under section 311,
the Secretary may bring an action in an appropriate district court of the
United States (or, if applicable, a United States court of any territory) to
enjoin such activity, or to enjoin the person from concealing, removing,
encumbering, or disposing of assets which may be required in order to pay a
civil monetary penalty if any such penalty were to be imposed or to seek other
appropriate relief.
(h) AGENCY- A principal is liable for penalties under section 311 for the
actions of the principal's agent acting within the scope of the agency.
SEC. 313. REPORT ON USE OF EXISTING ENFORCEMENT MECHANISMS.
In addition to the criminal and civil penalties that may be applied under
this title, the Secretary shall prepare and submit to Congress a report
regarding the use of existing Federal, State and other licensure,
certification and regulatory mechanisms, including State insurance
regulations, for the imposition of sanctions or penalties for the wrongful
disclosure of protected health information.
SEC. 314. CIVIL ACTION BY INDIVIDUALS.
(a) IN GENERAL- Any individual whose rights under this Act have been
knowingly or negligently violated may bring a civil action to recover--
(1) such preliminary and equitable relief as the court determines to be
appropriate; and
(2) the greater of compensatory damages or liquidated damages of
$5,000.
(b) PUNITIVE DAMAGES- In any action brought under this section in which
the individual has prevailed because of a knowing violation of a provision of
this Act, the court may, in addition to any relief awarded under subsection
(a), award such punitive damages as may be appropriate.
(c) ATTORNEY'S FEES- In the case of a civil action brought under
subsection (a) in which the individual has substantially prevailed, the court
may assess against the respondent a reasonable attorney's fee and other
litigation costs and expenses (including expert fees) reasonably incurred.
(d) LIMITATION- No action may be commenced under this section more than 3
years after the date on which the violation was or should reasonably have been
discovered.
TITLE IV--MISCELLANEOUS
SEC. 401. RELATIONSHIP TO OTHER LAWS.
(a) STATE AND FEDERAL LAW-
(1) STATE LAW ENACTED PRIOR TO EFFECTIVE DATE- Nothing in this Act shall
be construed to supersede any provision of State law that establishes,
implements, or continues in effect any standard or requirement relating to
the privacy of protected health information if such provision is enacted
prior to the effective date of this Act. Such laws shall not be superseded
after such effective date to the extent that such laws are at least as
protective of the privacy of protected health information as the protections
provided under this Act.
(2) STATE LAW ENACTED AFTER EFFECTIVE DATE- Except as provided in
subsections (b) and (c), the provisions of this Act shall preempt any State
law relating to the privacy of protected health information if such law is
enacted after the effective date of this Act.
(3) FEDERAL LAW- Nothing in this Act shall be construed as repealing,
explicitly or implicitly, other Federal laws or regulations relating to
protected health information or relating to an individual's access to
protected health information or health care services.
(b) PRIVILEGES- Nothing in this title shall be construed to preempt or
modify any provisions of State statutory or common law to the extent that such
law concerns a privilege of a witness or person in a court of that State. This
title shall not be construed to supersede or modify any provision of Federal
statutory or common law to the extent such law concerns a privilege of a
witness or person in a court of the United States. Authorizations pursuant to
sections 202 and 203 shall not be construed as a waiver of any such
privilege.
(c) CERTAIN DUTIES UNDER LAW- Nothing in this title shall be construed to
preempt, supersede, or modify the operation of any State law that--
(1) provides for the reporting of vital statistics such as birth or
death information;
(2) requires the reporting of abuse or neglect information about any
individual;
(3) relates to public or mental health and that prevents or otherwise
restricts disclosure of information otherwise permissible under this
Act;
(4) governs a minor's right to access protected health information or
health care services; or
(5) authorizes the collecting, analysis, or dissemination of information
from an entity described in section 201(a) for the purpose of developing
use, cost effectiveness, performance, or quality data.
(1) MEDICAL EXEMPTIONS- Sections 552a of title 5, United States Code, is
amended by adding at the end thereof the following: `The head of an agency
that is an entity described in section 311(a) of the Health Care PIN Act
shall promulgate rules, in accordance with the requirements (including
general notice) of subsections (b)(1), (b)(2), (b)(3), (c), and (e) of
section 553 of this title, to exempt a system of records within an agency,
to the extent that the system of records contains protected health
information (as defined in section 4(20) of such Act), from all provisions
of this section except subsections (b)(6), (d), (e)(1), (e)(2),
subparagraphs (A) and (C) and (E) through (I) of subsection (e)(4), and
subsections (e)(5), (e)(6), (e)(9), (e)(12), (l), (n), (o), (p), (r), and
(u).'.
(2) TECHNICAL AMENDMENT- Section 552a(f)(3) of title 5, United States
Code, is amended by striking `pertaining to him,' and all that follows
through the semicolon and inserting `pertaining to the individual.'
(e) APPLICATION TO CERTAIN FEDERAL AGENCIES-
(1) DEPARTMENT OF DEFENSE-
(A) EXCEPTIONS- The Secretary of Defense may, by regulation, establish
exceptions to the disclosure requirements of this Act to the extent such
Secretary determines that disclosure of protected health information
relating to members of the armed forces from systems of records operated
by the Department of Defense is necessary under circumstances different
from those permitted under this Act for the proper conduct of national
defense functions by members of the armed forces.
(B) APPLICATION TO CIVILIAN EMPLOYEES- The Secretary of Defense may,
by regulation, establish for civilian employees of the Department of
Defense and employees of Department of Defense contractors, limitations on
the right of such persons to revoke or amend authorizations for
disclosures under section 203 when such authorizations were provided by
such employees as a condition of employment and the disclosure is
determined necessary by the Secretary of Defense to the proper conduct of
national defense functions by such employees.
(2) DEPARTMENT OF TRANSPORTATION-
(A) EXCEPTIONS- The Secretary of Transportation may, with respect to
members of the Coast Guard, exercise the same powers as the Secretary of
Defense may exercise under paragraph (1)(A).
(B) APPLICATION TO CIVILIAN EMPLOYEES- The Secretary of Transportation
may, with respect to civilian employees of the Coast Guard and Coast Guard
contractors, exercise the same powers as the Secretary of Defense may
exercise under paragraph (1)(B).
(3) DEPARTMENT OF VETERANS AFFAIRS- The limitations on use and
disclosure of protected health information under this Act shall not be
construed to prevent any exchange of such information within and among
components of the Department of Veterans Affairs that determine eligibility
for or entitlement to, or that provide, benefits under laws administered by
the Secretary of Veteran Affairs.
SEC. 402. EFFECTIVE DATE.
(a) EFFECTIVE DATE- Except as provided in subsection (b), this Act shall
take effect on the date that is 18 months after the date of enactment of this
Act.
(b) REGULATIONS- The Secretary shall promulgate regulations implementing
this Act not later than 12 months after the date of enactment of this Act.
END