HR 1057 IH
106th CONGRESS
1st Session
H. R. 1057
To provide individuals with access to health information of which
they are a subject, ensure personal privacy with respect to health-care-related
information, impose criminal and civil penalties for unauthorized use of
protected health information, to provide for the strong enforcement of these
rights, and to protect States' rights.
IN THE HOUSE OF REPRESENTATIVES
March 10, 1999
Mr. MARKEY (for himself, Mr. MCDERMOTT, Mr. FROST, Ms. KAPTUR, Mr. MOAKLEY,
Ms. ROYBAL-ALLARD, Mr. NADLER, Mr. FRANK of Massachusetts, Mr. CROWLEY, Mr.
GREEN of Texas, Mr. MCGOVERN, Mr. LUTHER, Mr. SANDERS, Mr. MASCARA, Mr. BROWN of
California, Mr. ROMERO-BARCELO, Mr. DELAHUNT, Mr. DEFAZIO, Mr. CAPUANO, Mr.
STARK, Mr. STRICKLAND, and Ms. LOFGREN) introduced the following bill; which was
referred to the Committee on Commerce, and in addition to the Committee on the
Judiciary, for a period to be subsequently determined by the Speaker, in each
case for consideration of such provisions as fall within the jurisdiction of the
committee concerned
A BILL
To provide individuals with access to health information of which
they are a subject, ensure personal privacy with respect to health-care-related
information, impose criminal and civil penalties for unauthorized use of
protected health information, to provide for the strong enforcement of these
rights, and to protect States' rights.
Be it enacted by the Senate and House of Representatives of the United
States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) SHORT TITLE- This Act may be cited as the `Medical Information Privacy
and Security Act'.
(b) TABLE OF CONTENTS- The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
TITLE I--INDIVIDUALS' RIGHTS
Subtitle A--Access to Protected Health Information by Subjects of the
Information
Sec. 101. Inspection and copying of protected health information.
Sec. 102. Supplements to protected health information.
Sec. 103. Notice of privacy practices.
Subtitle B--Establishment of Safeguards
Sec. 111. Establishment of safeguards.
Sec. 112. Accounting for disclosures.
TITLE II--RESTRICTIONS ON USE AND DISCLOSURE
Sec. 201. General rules regarding use and disclosure.
Sec. 202. Authorizations for disclosure of protected health information
for treatment and payment.
Sec. 203. Authorizations for disclosure of protected health information
other than for treatment or payment.
Sec. 204. Emergency circumstances.
Sec. 206. Protection and advocacy agencies.
Sec. 208. Disclosure for law enforcement purposes.
Sec. 209. Next of kin and directory information.
Sec. 210. Health research.
Sec. 211. Judicial and administrative purposes.
Sec. 212. Individual representatives.
Sec. 213. Prohibition against retaliation.
TITLE III--OFFICE OF HEALTH INFORMATION PRIVACY OF THE DEPARTMENT OF HEALTH
AND HUMAN SERVICES
Subtitle A--Designation
Subtitle B--Enforcement
CHAPTER 1--Criminal Provisions
Sec. 311. Wrongful disclosure of protected health information.
Sec. 312. Debarment for crimes.
CHAPTER 2--Civil Sanctions
Sec. 322. Procedures for imposition of penalties.
Sec. 323. Civil action by individuals.
TITLE IV--MISCELLANEOUS
Sec. 401. Relationship to other laws.
Sec. 402. Effective date.
SEC. 2. FINDINGS.
The Congress finds as follows:
(1) Individuals have a right of privacy with respect to their protected
health information and records.
(2) With respect to information about medical care and health status,
the traditional right of confidentiality (between a health care provider and
a patient) is at risk.
(3) An erosion of the right of privacy may reduce the willingness of
patients to confide in physicians and other practitioners and may inhibit
patients from seeking care.
(4) An individual's privacy right means that the individual's consent is
needed to disclose his or her protected health information and that the
individual has a right of access to that health information.
(5) Any disclosure of protected health information should be limited to
that information or portion of the medical record necessary to fulfill the
immediate and specific purpose of the disclosure.
(6) Health research often depends on access to both identifiable and
de-identified patient health information and health research is critically
important to the health and well-being of all people in the United
States.
(7) The Supreme Court found in Jaffee v. Redmond (116 S.Ct. 1923 (1996))
that there is an imperative need for confidence and trust between a
psychotherapist and a patient and that such trust can only be established by
an assurance of confidentiality. This assurance serves the public interest
by facilitating the provision of appropriate treatment for
individuals.
(8) Section 264 of the Health Insurance Portability and Accountability
Act of 1996 (42 U.S.C. 1320d-2 note) establishes a deadline that Congress
enact legislation, before August 21, 1999, to protect the privacy of
protected health information.
SEC. 3. PURPOSES.
The purposes of this Act are as follows:
(1) To recognize that there is a right to privacy with respect to health
information, including genetic information, and that this right must be
protected.
(2) To create incentives to turn protected health information into
de-identified health information, where appropriate.
(3) To designate an Office of Health Information Privacy within the
Department of Health and Human Services to protect that right of
privacy.
(4) To provide individuals with--
(A) access to health information of which they are the subject;
and
(B) the opportunity to challenge the accuracy and completeness of such
information by being able to file supplements to such
information.
(5) To provide individuals with the right to limit the use and
disclosure of protected health information.
(6) To establish strong and effective mechanisms to protect against the
unauthorized and inappropriate use of protected health information.
(7) To invoke the sweep of congressional powers, including the power to
enforce the 14th amendment, to regulate commerce, and to abrogate the
immunity of the States under the 11th amendment, in order to address
violations of the rights of individuals to privacy, to provide individuals
with access to their health information, and to prevent unauthorized use of
protected health information that is genetic information.
(8) To establish strong and effective remedies for violations of this
Act.
(9) To protect the rights of States.
SEC. 4. DEFINITIONS.
(1) ADMINISTRATIVE BILLING INFORMATION- The term `administrative billing
information' means any of the following forms of protected health
information:
(A) Date of service, policy, patient identifiers, and practitioner or
facility identifiers.
(B) Diagnostic codes, in accordance with medicare billing codes, for
which treatment is being rendered or requested.
(C) Complexity of service codes, indicating duration of
treatment.
(D) Total billed charges.
(2) AGENT- The term `agent' means a person who represents and acts for
another person (a principal) under a contract or relationship of agency, or
whose function is to bring about, modify, affect, accept performance of, or
terminate, contractual obligations between the principal and a third person.
With respect to an employer, the term includes the employees of the
employer.
(3) DE-IDENTIFIED HEALTH INFORMATION-
(A) IN GENERAL- The term `de-identified health information' means any
protected health information, with respect to which--
(i) all personal identifiers, or other information that may be used
by itself or in combination with other information which may be
available to re-identify the subject of the information, have been
removed; and
(ii) a good faith effort to evaluate the risks of re-identification
of the subject of such information in the context in which it will be
used or disclosed, has been made.
(B) EXAMPLES- The term includes aggregate statistics, redacted health
information, information in which random or fictitious alternatives have
been substituted for personally identifiable information, and information
in which personally identifiable information has been encrypted and the
decryption key is maintained by a person otherwise authorized to have
access to such protected health information in an identifiable
format.
(4) DISCLOSE- The term `disclose' means to release, publish, share,
transfer, transmit, disseminate, show, permit access to, re-identify, or
otherwise divulge protected health information to any person other than the
individual who is the subject of such information. The term includes the
initial disclosure and any subsequent redisclosure of protected health
information.
(5) DECRYPTION KEY- The term `decryption key' means the variable
information used in or produced by a mathematical formula, code, or
algorithm, or any component thereof, used to encrypt or decrypt wire or
electronic communications or electronically stored information.
(6) EMPLOYER- The term `employer' means a person engaged in business
affecting commerce who has employees.
(7) ENCRYPTION- The term `encryption' means the scrambling of electronic
or wire communications or electronically stored information using
mathematical formulas or algorithms sufficient to preserve the
confidentiality, integrity, and authenticity of such communications or
information.
(8) HEALTH CARE- The term `health care' means--
(A) preventive, diagnostic, therapeutic, rehabilitative, maintenance,
or palliative care, including appropriate assistance with disease or
symptom management and maintenance, counseling, service, or
procedure--
(i) with respect to the physical or mental condition of an
individual; or
(ii) affecting the structure or function of the human body or any
part of the human body, including the banking of blood, sperm, organs,
or any other tissue; and
(B) any sale or dispensing of a drug, device, equipment, or other
health care related item to an individual, or for the use of an
individual, pursuant to a prescription.
(9) HEALTH CARE PROVIDER- The term `health care provider' means a person
who, with respect to a specific item of protected health information,
receives, creates, uses, maintains, or discloses the information while
acting in whole or in part in the capacity of--
(A) a person who is licensed, certified, registered, or otherwise
authorized by Federal or State law to provide an item or service that
constitutes health care in the ordinary course of business, or practice of
a profession;
(B) a Federal or State program that directly provides items or
services that constitute health care to beneficiaries; or
(C) an officer or employee or agent of a person described in
subparagraph (A) or (B) who is engaged in the provision of health care or
who uses health information.
(10) HEALTH OR LIFE INSURER- The term `health or life insurer' means a
health insurance issuer (as defined in section 9805(b)(2) of the Internal
Revenue Code of 1986) or a life insurance company (as defined in section 816
of such Code) and includes the employees and agents of such a person.
(11) HEALTH OVERSIGHT AGENCY- The term `health oversight agency'--
(i) performs or oversees the performance of an assessment,
investigation, or prosecution relating to compliance with legal or
fiscal standards relating to health care fraud or fraudulent claims
regarding health care, health services or equipment, or related
activities and items; and
(ii) is a public executive branch agency, acting on behalf of a
public executive branch agency, acting pursuant to a requirement of a
public executive branch agency, or carrying out activities under a
Federal or State law governing an assessment, evaluation, determination,
investigation, or prosecution described in clause (i); and
(B) includes the employees and agents of such a person.
(12) HEALTH PLAN- The term `health plan' means any health insurance
plan, including any hospital or medical service plan, dental or other health
service plan or health maintenance organization plan, or other program
providing or arranging for the provision of health benefits, whether or not
funded through the purchase of insurance. The term includes employee welfare
benefit plans and group plans (as defined in sections 3 and 607 of the
Employee Retirement Income Security Act of 1974 (29 U.S.C. 1002 and
1167)).
(13) HEALTH RESEARCHER- The term `health researcher' means a person who,
with respect to a specific item of protected health information, receives
the information--
(A) pursuant to section 210 (relating to health research); or
(B) while acting in whole or in part in the capacity of an officer,
employee, or agent of a person who receives the information pursuant to
such section.
(14) LAW ENFORCEMENT INQUIRY- The term `law enforcement inquiry' means a
lawful executive branch investigation or official proceeding inquiring into
a violation of, or failure to comply with, any criminal or civil statute or
any regulation, rule, or order issued pursuant to such a statute.
(15) OFFICE OF HEALTH INFORMATION PRIVACY- The term `Office of Health
Information Privacy' means the Office of Health Information Privacy
designated under section 301.
(16) PERSON- The term `person' means a government, governmental
subdivision of an executive branch agency or authority; corporation;
company; association; firm; partnership; society; estate; trust; joint
venture; individual; individual representative; tribal government; and any
other legal entity.
(17) PROTECTED HEALTH INFORMATION-
(A) IN GENERAL- The term `protected health information' means any
information, including genetic information, demographic information, and
tissue samples collected from an individual, whether oral or recorded in
any form or medium, that--
(i) is created or received by a health care provider, health
researcher, health plan, health oversight agency, public health
authority, employer, health or life insurer, school or university;
and
(ii)(I) relates to the past, present, or future physical or mental
health or condition of an individual (including individual cells and
their components), the provision of health care to an individual, or the
past, present, or future payment for the provision of health care to an
individual; and
(II)(aa) identifies an individual; or
(bb) with respect to which there is a reasonable basis to believe
that the information can be used to identify an individual;
and
(B) DECRYPTION KEY- The term `protected health information' includes
any information described in paragraph (5).
(18) PUBLIC HEALTH AUTHORITY- The term `public health authority' means
an authority or instrumentality of the United States, a tribal government, a
State, or a political subdivision of a State that is--
(A) primarily responsible for public health matters; and
(B) primarily engaged in activities such as injury reporting, public
health surveillance, and public health investigation or
intervention.
(19) RE-IDENTIFY- The term `re-identify', when used with respect to
de-identified health information, means an attempt, successful or otherwise,
to ascertain--
(A) the identity of the individual who is the subject of such
information; or
(B) the decryption key with respect to the information (when
undertaken with knowledge that such key would allow for the
identification of the individual who is the subject of such information).
(20) SCHOOL OR UNIVERSITY- The term `school or university' means an
institution or place for instruction or education, including an elementary
school, secondary school, or institution of higher learning, a college, or
an assemblage of colleges united under one corporate organization or
government.
(21) SECRETARY- The term `Secretary' means the Secretary of Health and
Human Services.
(22) STATE- The term `State' includes the District of Columbia, Puerto
Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana
Islands.
(23) TO THE MAXIMUM EXTENT PRACTICABLE- The term `to the maximum extent
practicable' means the level of compliance that a reasonable person would
deem technologically feasible so long as such feasibility is periodically
evaluated in light of scientific advances.
(24) WRITING- The term `writing' means writing in either a paper-based
or computer-based form, including electronic and digital signatures.
TITLE I--INDIVIDUALS' RIGHTS
Subtitle A--Access to Protected Health Information by Subjects of the
Information
SEC. 101. INSPECTION AND COPYING OF PROTECTED HEALTH INFORMATION.
(1) IN GENERAL- A health care provider, health plan, employer, health or
life insurer, school, or university, or a person acting as the agent of any
such person, shall permit an individual who is the subject of protected
health information, or the individual's designee, to inspect and copy
protected health information concerning the individual, including records
created under sections 102, 112, 202, 203, 208, and 211, that such person
maintains.
(2) PROCEDURES AND FEES- A person described in paragraph (1) may set
forth appropriate procedures to be followed for inspection and copying under
such paragraph and may require an individual to pay fees associated with
such inspection and copying in an amount that is not in excess of the actual
costs of providing such copying. Such fees may not be assessed where such an
assessment would have the effect of inhibiting an individual from gaining
access to the information described in paragraph (1).
(b) DEADLINE- A person described in subsection (a)(1) shall comply with a
request for inspection or copying of protected health information under this
section not later than 15 business days after the date on which the person
receives the request.
(c) RULES GOVERNING AGENTS- A person acting as the agent of a person
described in subsection (a) shall provide for the inspection and copying of
protected health information if--
(1) the protected health information is retained by the agent; and
(2) the agent has been asked by the person involved to fulfill the
requirements of this section.
(d) SPECIAL RULE RELATING TO ONGOING CLINICAL TRIALS- With respect to
protected health information that is created as part of an individual's
participation in an ongoing clinical trial, access to the information shall be
provided consistent with the individual's agreement to participate in the
clinical trial.
SEC. 102. SUPPLEMENTS TO PROTECTED HEALTH INFORMATION.
(a) IN GENERAL- Not later than 45 days after the date on which a health
care provider, health plan, employer, health or life insurer, school, or
university, or a person acting as the agent of any such person, receives from
an individual a request in writing to supplement protected health information
concerning the individual, such person--
(1) shall add the supplement requested to the information;
(2) shall inform the individual that the supplement has been made;
and
(3) shall make reasonable efforts to inform any person to whom the
portion of the unsupplemented information was previously disclosed, of any
substantive supplement that has been made.
(b) REFUSAL TO SUPPLEMENT- If a person described in subsection (a)
declines to make the supplement requested under such subsection, the person
shall inform the individual in writing of--
(1) the reasons for declining to make the supplement;
(2) any procedures for further review of the declining of such
supplement; and
(3) the individual's right to file with the person a concise statement
setting forth the requested supplement and the individual's reasons for
disagreeing with the declining person and the individual's right
to include a copy of this refusal in his or her health record.
(c) STATEMENT OF DISAGREEMENT- If an individual has filed with a person a
statement of disagreement under subsection (b)(3), the person, in any
subsequent disclosure of the disputed portion of the information--
(1) shall include, at the individual's request, a copy of the
individual's statement; and
(2) may include a concise statement of the reasons for not making the
requested supplement.
(d) RULES GOVERNING AGENTS- A person acting as the agent of a person
described in subsection (a) shall not be required to make a supplement to
protected health information, except where--
(1) the protected health information is retained by the agent; and
(2) the agent has been asked by such person to fulfill the requirements
of this section.
SEC. 103. NOTICE OF PRIVACY PRACTICES.
(a) PREPARATION OF WRITTEN NOTICE- A health care provider, health plan,
health oversight agency, public health authority, employer, health or life
insurer, school, or university, or a person acting as the agent of any such
person, shall prepare a written notice of the privacy practices of the person
that provides information with respect to the following:
(1) The procedures for an individual to authorize disclosures of
protected health information, and to object to, modify, and revoke such
authorizations.
(2) The right of an individual to inspect, copy, and supplement the
protected health information.
(3) The right of an individual not to have employment or the receipt of
services conditioned upon the execution by the individual of an
authorization for disclosure.
(4) A description of the categories or types of employees, by general
category or by general job description, who have access to or use of
protected health information within the person.
(5) A simple, concise description of any information systems used to
store or transmit protected health information, including a description of
any linkages made with other electronic systems or databases outside the
person.
(6) The right of the individual to request segregation of protected
health information, and to restrict the use of such information by
employees, agents, and contractors of a person.
(7) The circumstances under which the information may be used or
disclosed without an authorization executed by the individual.
(8) A statement that an individual may elect to pay for health care from
the individual's own funds and information on the right of such an
individual to elect for identifying information not to be disclosed to
anyone other than health care providers, unless such disclosure is required
by mandatory reporting requirements or other similar information collection
duties required by law.
(b) PROVISION AND POSTING OF WRITTEN NOTICE-
(1) PROVISION- A person described in subsection (a) shall provide a copy
of the written notice of privacy practices required under such
subsection--
(A) at the time an authorization is sought for disclosure of protected
health information; and
(B) upon the request of an individual.
(2) POSTING- A person described in subsection (a) shall post, in a clear
and conspicuous manner, a brief summary of the privacy practices of the
person.
(c) MODEL NOTICE- The director of the Office of Health Information
Privacy, after notice and opportunity for public comment, shall develop and
disseminate model notices of privacy practices, and model summary notices for
posting, for use under this section. Use of such a model notice shall be
deemed to satisfy the requirements of this section.
Subtitle B--Establishment of Safeguards
SEC. 111. ESTABLISHMENT OF SAFEGUARDS.
(a) IN GENERAL- A health care provider, health plan, health oversight
agency, public health authority, employer, health researcher, law enforcement
official, health or life insurer, school, or university, or a person acting as
the agent of any such person, shall establish and maintain appropriate
administrative, organizational, technical, and physical safeguards and
procedures to ensure the confidentiality, security, accuracy, and integrity of
protected health information created, received, obtained, maintained, used,
transmitted, or disposed of by such person.
(b) FACTORS TO BE CONSIDERED- The policies and safeguards under subsection
(a) shall ensure that--
(1) protected health information is used or disclosed only when
necessary;
(2) the categories of personnel who will have access to protected health
information are identified; and
(3) the feasibility of limiting access to protected health information
is considered.
(c) MODEL GUIDELINES- The Secretary, in consultation with the Director of
the Office of Health Information Privacy appointed under section 301, after
notice and opportunity for public comment, shall develop and disseminate model
guidelines for the establishment of safeguards and procedures for use under
this section, such as, where appropriate, individual authentication of uses of
computer systems, access controls, audit trails, encryption, physical
security, protection of remote access points and protection of external
electronic communications, periodic security assessments, incident reports,
and sanctions. The director shall update and disseminate the guidelines, as
appropriate, to take advantage of new technologies.
SEC. 112. ACCOUNTING FOR DISCLOSURES.
(a) IN GENERAL- A health care provider, health plan, health oversight
agency, public health authority, employer, health researcher, law enforcement
official, health or life insurer, school, or university, or a person acting as
the agent of any such person, shall establish and maintain, with respect to
any protected health information disclosure that is not related to payment or
treatment, a record of the disclosure in accordance with regulations issued by
the Secretary in consultation with the director of the Office of Health
Information Privacy.
(b) MAINTENANCE OF RECORD- A record established under subsection (a) shall
be maintained for not less than 7 years.
(c) ELECTRONIC RECORDS- A health care provider, health plan, health
oversight agency, public health authority, employer, health researcher, law
enforcement official, health or life insurer, school, or university, or a
person acting as the agent of any such person, shall, to the maximum extent
practicable, maintain an accessible electronic record concerning each access,
or attempt to access, whether authorized or unauthorized, successful or
unsuccessful, protected health information maintained by such person in
electronic form. The record shall include the identity of the specific
individual accessing or attempting to gain such access (or a way to identify
that individual or information helpful in determining the identity of such
individual), information sufficient to identify the protected health
information sought or accessed, and other appropriate information.
TITLE II--RESTRICTIONS ON USE AND DISCLOSURE
SEC. 201. GENERAL RULES REGARDING USE AND DISCLOSURE.
(1) GENERAL RULE- A health care provider, health plan, health oversight
agency, public health authority, employer, health researcher, law
enforcement official, health or life insurer, school, or university may not
disclose or use protected health information except as authorized under this
Act.
(2) RULE OF CONSTRUCTION- Disclosure of de-identified health information
shall not be construed as a disclosure of protected health
information.
(1) IN GENERAL- A disclosure of protected health information under this
title shall be limited to the minimum amount of information necessary to
accomplish the purpose for which the disclosure is made.
(2) DETERMINATION- The determination as to what constitutes the minimum
disclosure possible for purposes of paragraph (1) shall be made by a health
care provider.
(c) USE OR DISCLOSURE FOR PURPOSE ONLY- A recipient of information
pursuant to this title may use or disclose such information solely to carry
out the purpose for which the information was disclosed.
(d) NO GENERAL REQUIREMENT TO DISCLOSE- Nothing in this title permitting
the disclosure of protected health information shall be construed to require
such disclosure.
(e) IDENTIFICATION OF DISCLOSED INFORMATION AS PROTECTED HEALTH
INFORMATION- Protected health information disclosed pursuant to this title
shall be clearly identified as protected health information that is subject to
this Act.
(f) DISCLOSURE BY AGENTS- An agent of a person described in subsection
(a)(1), who receives protected health information from the person while acting
within the scope of the agency, shall be subject to this title to the same
extent as the person and for the duration of the period in which the agent
holds the information.
(g) CREATION OF DE-IDENTIFIED INFORMATION- Notwithstanding subsection (c),
but subject to the other provisions of this section, a person described in
subsection (a)(1) may disclose protected health information to an employee or
other agent of the person for purposes of creating de-identified
information.
(h) UNAUTHORIZED USE OR DISCLOSURE OF THE DECRYPTION KEY- The unauthorized
disclosure of a decryption key shall be deemed to be a disclosure of protected
health information. The unauthorized use of a decryption key or de-identified
health information in order to identify an individual is deemed to be
disclosure of protected health information.
(i) NO WAIVER- Except as provided in this Act, an authorization to
disclose personally identifiable health information executed by an individual
pursuant to section 202 or 203 shall not be construed as a waiver of any
rights that the individual has under other Federal or State laws, the rules of
evidence, or common law.
(j) DEFINITIONS- For purposes of this title:
(1) INVESTIGATIVE OR LAW ENFORCEMENT OFFICER- The term `investigative or
law enforcement officer' means any officer of the United States or of a
State or political subdivision thereof, who is empowered by law to conduct
investigations of, or to make arrests for, criminal offenses, and any
attorney authorized by law to prosecute or participate in the prosecution of
such offenses.
(2) SEGREGATE- The term `segregate' means to place a designated subset
of an individual's protected health information in a location or computer
file that is separate from the location or computer file used to store
protected health information and where access to or use of any information
so segregated may be effectively limited to those persons who are authorized
by the individual to access or use such information.
(3) SIGNED- The term `signed' refers to both signatures in ink and
electronic signatures, and the term `written' refers to both paper and
computerized formats.
SEC. 202. AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH INFORMATION FOR
TREATMENT AND PAYMENT.
(a) REQUIREMENTS RELATING TO EMPLOYERS, HEALTH PLANS, HEALTH OR LIFE
INSURERS, UNINSURED INDIVIDUALS, AND PROVIDERS-
(1) IN GENERAL- To satisfy the requirement under section 201(a)(1), an
employer, health plan, health or life insurer, or health care provider that
seeks to disclose protected health information in connection with treatment
or payment shall obtain an authorization that satisfies the requirements of
this section. The authorization may be a single authorization.
(2) EMPLOYERS- Every employer offering a health plan to its employees
shall, at the time of an employee's enrollment in the health plan, obtain a
signed, written authorization that is a legal, informed authorization that
satisfies the requirements of subsection (b) concerning the use and
disclosure of protected health information for treatment or payment with
respect to each individual who is eligible to receive care under the health
plan.
(3) HEALTH PLANS, HEALTH OR LIFE INSURERS- Every health plan or health
or life insurer offering enrollment to individual or nonemployer groups
shall, at the time of enrollment in the plan or insurance, obtain a signed,
written authorization that is a legal, informed authorization that satisfies
the requirements of subsection (b) concerning the use and disclosure of
protected health information with respect to each individual who is eligible
to receive care under the plan or insurance.
(4) UNINSURED- An originating provider providing health care in other
than a network plan setting, or providing health care to an uninsured
individual, shall obtain a signed, written authorization that satisfies the
requirements of subsection (b) to use protected health information in
providing health care or arranging for health care from other providers or
seeking payment for the provision of health care services.
(A) IN GENERAL- Every health care provider providing health care to an
individual who has not given the appropriate authorization under this
section shall, at the time of providing such care, obtain a signed,
written authorization that is a legal, informed authorization, that
satisfies the requirements of subsection (b), concerning the use and
disclosure of protected health information with respect to such
individual.
(B) RULE OF CONSTRUCTION- Subparagraph (A) shall not be construed to
preclude the provision of health care to an individual who has not given
appropriate authorization prior to receipt of such care if--
(i) the health care provider involved determines that such care is
essential; and
(ii) the individual can reasonably be expected to sign an
authorization for such care when appropriate.
(b) REQUIREMENTS FOR INDIVIDUAL AUTHORIZATION- To satisfy the requirements
of this subsection, an authorization to disclose protected health
information--
(1) shall identify, by general job description or other functional
description, persons authorized to disclose the information;
(2) shall describe the nature of the information to be disclosed;
(3) shall identify, by general job description or other functional
description, persons to whom the information is to be disclosed, including
individuals employed by, or operating within, an entity to which information
is authorized to be disclosed;
(4) shall describe the purpose of the disclosures;
(5) shall permit the executing individual to indicate that a particular
individual listed on the authorization is not authorized to receive
protected health information concerning the individual, except as provided
for in subsection (c)(3);
(6) shall provide the means by which an individual may indicate that
some of the individual's protected health information should be segregated
and to what persons such segregated information may be disclosed;
(7) shall be subject to revocation by the individual and indicate that
the authorization is valid until revocation by the individual or until an
event or date specified; and
(i) in writing, dated, and signed by the individual; or
(ii) in electronic form, dated and authenticated by the individual
using an authentication method approved by the Secretary; and
(B) shall not have been revoked under subparagraph (A).
(c) LIMITATION ON AUTHORIZATIONS-
(1) IN GENERAL- Subject to paragraphs (2) and (3), a person described in
subsection (a) who seeks an authorization under such subsection may not
condition the delivery of treatment or payment for services on the receipt
of such an authorization.
(2) RIGHT TO REQUIRE SELF PAYMENT- If an individual has refused to
provide an authorization for disclosure of administrative billing
information to a person and such authorization is necessary for a health
care provider to receive payment for services delivered, the health care
provider may require the individual to pay from their own funds for the
services.
(3) RIGHT OF HEALTH CARE PROVIDER TO REQUIRE AUTHORIZATION FOR TREATMENT
PURPOSES- If a health care provider that is seeking an authorization for
disclosure of an individual's protected health information believes that the
disclosure of such information is necessary so as not to endanger the health
or treatment of the individual, the health care provider may condition the
provision of services upon the execution of the authorization by the
individual.
(d) MODEL AUTHORIZATIONS- The Secretary, after notice and opportunity for
public comment, shall develop and disseminate model written authorizations of
the type described in this section and model statements of the limitations on
authorizations. Any authorization obtained on a model authorization form under
section 202 developed by the Secretary pursuant to the preceding sentence
shall be deemed to satisfy the requirements of this section.
(e) SEGREGATION OF FILES- A person described in subsection (a)(1) shall
comply, to the maximum extent practicable, with the request of an individual
who is the subject of protected health information--
(1) to segregate any type or amount of protected health information,
other than administrative billing information, held by the entity; and
(2) to limit the use or disclosure of the segregated health information
within the entity to those persons specifically designated by the subject of
the protected health information.
(f) REVOCATION OF AUTHORIZATION-
(1) IN GENERAL- An individual may in writing revoke or amend an
authorization under this section at any time, unless the disclosure that is
the subject of the authorization is required to effectuate payment for
health care that has been provided to the individual.
(2) HEALTH PLANS- With respect to a health plan, the authorization of an
individual is deemed to be revoked at the time of the cancellation or
non-renewal of enrollment in the health plan, except as may be necessary to
complete plan administration and payment requirements related to the
individual's period of enrollment.
(3) ACTIONS- An individual may not maintain an action against a person
for disclosure of personally identifiable health information--
(A) if the disclosure was made based on a good faith reliance on the
individual's authorization under this section at the time disclosure was
made;
(B) in a case in which the authorization is revoked, if the disclosing
person had no actual or constructive notice of the revocation; or
(C) if the disclosure was for the purpose of protecting another
individual from imminent physical harm, and is authorized under section
204.
(g) RECORD OF INDIVIDUAL'S AUTHORIZATIONS AND REVOCATIONS- Each person
collecting or storing personally identifiable health information shall
maintain a record for a period of 7 years of each authorization of an
individual and any revocation thereof, and such record shall become part of
the personally identifiable health information concerning such individual.
(h) RULE OF CONSTRUCTION- Authorizations for the disclosure of protected
health information for treatment or payment shall not authorize the disclosure
of such information by an individual with the intent to sell, transfer, or use
protected health information for commercial advantage other than the revenues
directly derived from the provision of health care to that individual. For
such disclosures, a separate authorization that satisfies the requirements of
section 203 is required.
SEC. 203. AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH INFORMATION
OTHER THAN FOR TREATMENT OR PAYMENT.
(a) IN GENERAL- To satisfy the requirement under section 201(a)(1), a
health care provider, health plan, health oversight agency, public health
authority, employer, health researcher, law enforcement official, health or
life insurer, school, or university that seeks to disclose protected health
information for a purpose other than treatment or payment may obtain an
authorization that satisfies the requirements of subsections (b) and (g) of
section 202. Such an authorization under this section shall be separate from
an authorization provided under section 202.
(b) LIMITATION ON AUTHORIZATIONS-
(1) IN GENERAL- A person subject to section 202 may not condition the
delivery of treatment, or payment for services, on the receipt of an
authorization described in this section.
(2) REQUIREMENT FOR SEPARATE AUTHORIZATION- A person subject to section
202 may not disclose protected health information to any employees or agents
who are responsible for making employment, work assignment, or other
personnel decisions with respect to the subject of the information without a
separate authorization permitting such a disclosure.
(c) MODEL AUTHORIZATIONS- The Secretary, after notice and opportunity for
public comment, shall develop and disseminate model written authorizations of
the type described in subsection (a). Any authorization obtained on a model
authorization form under this section developed by the Secretary shall be
deemed to meet the authorization requirements of this section.
(d) REQUIREMENT TO RELEASE PROTECTED HEALTH INFORMATION TO CORONERS AND
MEDICAL EXAMINERS-
(1) IN GENERAL- When a Coroner or Medical Examiner or their duly
appointed deputies seek protected health information for the purpose of
inquiry into and determination of, the cause, manner, and circumstances of
an individual's death, the health care provider, health plan, health
oversight agency, public health authority, employer, health researcher, law
enforcement officer, health or life insurer, school or university involved
shall provide that individual's protected health information to the Coroner
or Medical Examiner or to the duly appointed deputies without undue
delay.
(2) PRODUCTION OF ADDITIONAL INFORMATION- If a Coroner or Medical
Examiner or their duly appointed deputies receives health information from
an entity referred to in paragraph (1), such health information shall remain
as protected health information unless the health information is attached to
or otherwise made a part of a Coroner's or Medical Examiner's official
report, in which case it shall no longer be protected.
(3) EXEMPTION- Health information attached to or otherwise made a part
of a Coroner's or Medical Examiner's official report, shall be exempt from
the provisions of this Act except as provided for in this subsection.
(4) REIMBURSEMENT- A Coroner or Medical Examiner may require a person to
reimburse their Office for the reasonable costs associated with such
inspection or copying.
(e) REVOCATION OR AMENDMENT OF AUTHORIZATION- An individual may, in
writing, revoke or amend an authorization under this section at any time.
(f) ACTIONS- An individual may not maintain an action against a person for
disclosure of protected health information--
(1) if the disclosure was made based on a good faith reliance on the
individual's authorization under this section at the time disclosure was
made;
(2) in a case in which the authorization is revoked, if the disclosing
person had no actual or constructive notice of the revocation; or
(3) if the disclosure was for the purpose of protecting another
individual from imminent physical harm, and is authorized under section
204.
SEC. 204. EMERGENCY CIRCUMSTANCES.
(a) GENERAL RULE- In the event of a threat of imminent physical or mental
harm to the subject of protected health information, any person may, in order
to allay or remedy such threat, disclose protected health information about
such subject to a health care practitioner, health care facility, law
enforcement authority, or emergency medical personnel.
(b) HARM TO OTHERS- Any person may disclose protected health information
about the subject of the information where--
(1) such subject has made an identifiable threat of serious injury or
death with respect to an identifiable individual or group of
individuals;
(2) the subject has the ability to carry out such threat; and
(3) the release of such information is necessary to prevent or
significantly reduce the possibility of such threat being carried out.
SEC. 205. PUBLIC HEALTH.
(a) IN GENERAL- A health care provider, health plan, public health
authority, employer, health or life insurer, law enforcement official, school,
or university may disclose protected health information to a public health
authority or other person authorized by public health law when receipt of such
information by the authority or other person--
(1) relates directly to a specified public health purpose;
(2) is reasonably likely to achieve such purpose; and
(3) is intended for a purpose that cannot be achieved through the
receipt or use of de-identified health information.
(b) PUBLIC HEALTH PURPOSE DEFINED- For purposes of subsection (a), the
term `public health purpose' means a population-based activity or individual
effort, authorized by law, aimed at the prevention of injury, disease, or
premature mortality, or the promotion of health, in a community,
including--
(1) assessing the health needs and status of the community through
public health surveillance and epidemiological research;
(2) developing public health policy;
(3) responding to public health needs and emergencies; and
(4) any other activities or efforts authorized by law.
SEC. 206. PROTECTION AND ADVOCACY AGENCIES.
Any person who creates protected health information or receives protected
health information under this title may disclose that information to a
protection and advocacy agency established under part C of title I of the
Developmental Disabilities Assistance and Bill of Rights Act (42 U.S.C. 6041
et seq.) or under the Protection and Advocacy for Mentally Ill Individuals Act
of 1986 (42 U.S.C. 10801 et seq.) when such agency can establish that there is
probable cause to believe that an individual who is the subject of the
protected health information is vulnerable to abuse and neglect by an entity
providing health or social services to the individual.
SEC. 207. OVERSIGHT.
(a) IN GENERAL- A health care provider, health plan, employer, law
enforcement official, health or life insurer, public health authority, health
researcher, school or university may disclose protected health information to
a health oversight agency to enable the agency to perform a health oversight
function authorized by law, if--
(1) the purpose for which the disclosure is to be made cannot reasonably
be accomplished without protected health information;
(2) the purpose for which the disclosure is to be made is of sufficient
importance to warrant the effect on, or the risk to, the privacy of the
individuals that additional exposure of the information might bring;
and
(3) there is a reasonable probability that the purpose of the disclosure
will be accomplished.
(b) USE AND MAINTENANCE OF PROTECTED HEALTH INFORMATION- A health
oversight agency that receives protected health information under this
section--
(1) shall rely upon a method to scramble or otherwise safeguard, to the
maximum extent practicable, the identity of the subject of the protected
health information in all work papers and all documents summarizing the
health oversight activity;
(2) shall maintain in its records only such information about an
individual as is relevant and necessary to accomplish the purpose for which
the protected health information was obtained;
(3) shall maintain such information securely and limit access to such
information to those persons with a legitimate need for access to carry out
the purpose for which the records were obtained; and
(4) shall remove or destroy the information that allows subjects of
protected health information to be identified at the earliest time at which
removal or destruction can be accomplished, consistent with the purpose of
the health oversight activity.
(c) USE OF PROTECTED HEALTH INFORMATION IN JUDICIAL PROCEEDINGS-
(1) IN GENERAL- The disclosure and use of protected health information
in any judicial, administrative, court, or other public, proceeding or
investigation relating to a health oversight activity shall be undertaken in
such a manner as to preserve the confidentiality and privacy of individuals
who are the subject of the information, unless disclosure is required by the
nature of the proceedings.
(2) LIMITING DISCLOSURE- Whenever disclosure of the identity of the
subject of protected health information is required by the nature of the
proceedings, or it is impracticable to redact the identity of such
individual, the agency shall request that the presiding judicial or
administrative officer enter an order limiting the disclosure of the
identity of the subject to the extent possible, including the redacting of
the protected health information from publicly disclosed or filed pleadings
or records.
(d) AUTHORIZATION BY A SUPERVISOR- For purposes of this section, the
individual with authority to authorize the oversight function involved shall
provide to the disclosing person described in subsection (a) a statement that
the protected health information is being sought for a legally authorized
oversight function.
(e) USE IN ACTION AGAINST INDIVIDUALS- Protected health information about
an individual that is disclosed under this section may not be used in, or
disclosed to any person for use in, an administrative, civil, or criminal
action or investigation directed against the individual, unless the action or
investigation arises out of and is directly related to--
(1) the receipt of health care or payment for health care;
(2) a fraudulent claim related to health; or
(3) oversight of a public health authority or a health researcher.
SEC. 208. DISCLOSURE FOR LAW ENFORCEMENT PURPOSES.
(a) LAW ENFORCEMENT ACCESS TO PROTECTED HEALTH INFORMATION- A health care
provider, health researcher, health plan, health oversight agency, employer,
health or life insurer, school, university, a person acting as the agent of
any such person, or a person who receives protected health information
pursuant to section 204, may disclose protected health information to an
investigative or law enforcement officer pursuant to a warrant issued under
the Federal Rules of Criminal Procedure, an equivalent State warrant, a grand
jury subpoena, or a court order under limitations set forth in subsection
(b).
(b) REQUIREMENTS FOR COURT ORDERS FOR ACCESS TO PROTECTED HEALTH
INFORMATION- A court order for the disclosure of protected health information
under subsection (a) may be issued by any court that is a court of competent
jurisdiction and shall issue only if the investigative or law enforcement
officer submits a written application upon oath or equivalent affirmation
demonstrating that there is probable cause to believe that--
(1) the protected health information sought is relevant and material to
an ongoing criminal investigation, except in the case of a State government
authority, such a court order shall not issue if prohibited by the law of
such State;
(2) the investigative or evidentiary needs of the investigative or law
enforcement officer cannot reasonably be satisfied by de-identified health
information or by any other information; and
(3) the law enforcement need for the information outweighs the privacy
interest of the individual to whom the information pertains.
(c) MOTIONS TO QUASH OR MODIFY- A court issuing an order pursuant to this
section, on a motion made promptly by the health care provider, health
researcher, health plan, health oversight agency, employer, health or life
insurer, school, university, a person acting as the agent of any such person,
or a person who receives protected health information pursuant to section 204,
may quash or modify such order if the court finds that information or records
requested are unreasonably voluminous or if compliance with such order
otherwise would cause an unreasonable burden on such persons.
(1) IN GENERAL- Except as provided in paragraph (2), no order for the
disclosure of protected health information about an individual may be issued
by a court under this section unless prior notice of the application for the
order has been served on the individual and the individual has been afforded
an opportunity to oppose the issuance of the order.
(2) NOTICE NOT REQUIRED- An order for the disclosure of protected health
information about an individual may be issued without prior notice to the
individual if the court finds that notice would be impractical
because--
(A) the name and address of the individual are unknown; or
(B) notice would risk destruction or unavailability of the
evidence.
(e) CONDITIONS- Upon the granting of an order for disclosure of protected
health information under this section, the court shall impose appropriate
safeguards to ensure the confidentiality of such information and to protect
against unauthorized or improper use or disclosure.
(f) LIMITATION ON USE AND DISCLOSURE FOR OTHER LAW ENFORCEMENT INQUIRIES-
Protected health information about an individual that is disclosed under this
section may not be used in, or disclosed to any person for use in, any
administrative, civil, or criminal action or investigation directed against
the individual, unless the action or investigation arises out of, or is
directly related to, the law enforcement inquiry for which the information was
obtained.
(g) DESTRUCTION OR RETURN OF INFORMATION- When the matter or need for
which protected health information was disclosed to an investigative or law
enforcement officer or grand jury has concluded, including any derivative
matters arising from such matter or need, the law enforcement agency or grand
jury shall either destroy the protected health information, or return it to
the person from whom it was obtained.
(h) REDACTIONS- To the extent practicable, and consistent with the
requirements of due process, a law enforcement agency shall redact personally
identifying information from protected health information prior to the public
disclosure of such protected information in a judicial or administrative
proceeding.
(i) EXCEPTION- This section shall not be construed to limit or restrict
the ability of law enforcement authorities to gain information while in hot
pursuit of a suspect or if other exigent circumstances exist.
SEC. 209. NEXT OF KIN AND DIRECTORY INFORMATION.
(a) NEXT OF KIN- A health care provider, or a person who receives
protected health information under section 204, may disclose protected health
information about health care services provided to an individual to the
individual's next of kin, or to another person whom the individual has
identified, if at the time of the treatment of the individual--
(A) has been notified of the individual's right to object to such
disclosure and the individual has not objected to the disclosure;
or
(B) is in a physical or mental condition such that the individual is
not capable of objecting, and there are no prior indications that the
individual would object; and
(2) the information disclosed relates to health care services currently
being provided to that individual.
(b) DIRECTORY INFORMATION-
(A) IN GENERAL- Except as provided in paragraph (2), with respect to
an individual who is admitted as an inpatient to a health care facility, a
person described in subsection (a) may disclose information described in
subparagraph (B) about the individual to any person if, at the time of the
admission, the individual--
(i) has been notified of the individual's right to object and has
not objected to the disclosure; or
(ii) is in a physical or mental condition such that the individual
is not capable of objecting and there are no prior indications that the
individual would object.
(B) INFORMATION- Information described in this subparagraph is
information that consists only of 1 or more of the following
items:
(i) The name of the individual who is the subject of the
information.
(ii) The general health status of the individual, described as
critical, poor, fair, stable, or satisfactory or in terms denoting
similar conditions.
(iii) The location of the individual within the health care facility
to which the individual is admitted.
(2) EXCEPTION- Paragraph (1)(B)(iii) shall not apply if disclosure of
the location of the individual would reveal specific information about the
physical or mental condition of the individual, unless the individual
expressly authorizes such disclosure.
(c) DIRECTORY OR NEXT-OF-KIN INFORMATION- A disclosure may not be made
under this section if the disclosing person described in subsection (a) has
reason to believe that the disclosure of directory or next-of-kin information
could lead to the physical or mental harm of the individual, unless the
individual expressly authorizes such disclosure.
SEC. 210. HEALTH RESEARCH.
(1) IN GENERAL- The requirements and protections provided for under part
46 of title 45, Code of Federal Regulations (as in effect on the date of
enactment of this Act), shall apply to all health research.
(2) EFFECTIVE DATE- Paragraph (1) shall not take effect until the
Secretary has promulgated final regulations to implement such
paragraph.
(b) EVALUATION- Not later than 24 months after the date of enactment of
this Act, the Secretary shall prepare and submit to Congress detailed
recommendations on whether written informed consent should be required, and if
so, under what circumstances, before protected health information can be used
for health research.
(c) RECOMMENDATIONS- The recommendations required to be submitted under
subsection (b) shall include--
(1) a detailed explanation of current institutional review board
practices, including the extent to which the privacy of individuals is taken
into account as a factor before allowing waivers and under what
circumstances informed consent is being waived;
(2) a summary of how technology could be used to strip identifying data
for the purposes of research;
(3) an analysis of the risks and benefits of requiring informed consent
versus the waiver of informed consent;
(4) an analysis of the risks and benefits of using protected health
information for research purposes other than the health research project for
which such information was obtained; and
(5) an analysis of the risks and benefits of allowing individuals to
consent or to use consent, at the time of receiving medical treatment, to
the possible future use of records of medical treatments for research
studies.
(d) CONSULTATION- In carrying out this section, the Secretary shall
consult with individuals who have distinguished themselves in the fields of
health research, privacy, related technology, consumer interests in health
information, health data standards, and the provision of health services.
(e) CONGRESSIONAL NOTICE- Not later than 6 months after the date on which
the Secretary submits to Congress the recommendations required under
subsection (b), the Secretary shall propose to implement such recommendations
through regulations promulgated on the record after opportunity for a hearing,
and shall advise the Congress of such proposal.
(1) OBLIGATIONS OF THE RECIPIENT- A person who receives protected health
information pursuant to this section shall remove or destroy, at the
earliest opportunity consistent with the purposes of the project involved,
information that would enable an individual to be identified, unless--
(A) an institutional review board has determined that there is a
health or research justification for the retention of such identifiers;
and
(B) there is an adequate plan to protect the identifiers from
disclosure consistent with this section; and
(2) PERIODIC REVIEW AND TECHNICAL ASSISTANCE-
(A) INSTITUTIONAL REVIEW BOARD- Any institutional review board that
authorizes research under this section shall provide the Secretary with
the names and addresses of the institutional review board
members.
(B) TECHNICAL ASSISTANCE- The Secretary may provide technical
assistance to institutional review boards described in this
subsection.
(C) MONITORING- The Secretary shall periodically monitor institutional
review boards described in this subsection.
(D) REPORTS- Not later than 3 years after the date of enactment of
this Act, the Secretary shall report to Congress regarding the activities
of institutional review boards described in this subsection.
(g) LIMITATION- Nothing in this section shall be construed to permit
protected health information that is received by a researcher under this
section to be accessed for purposes other than research or as authorized by
the individual.
SEC. 211. JUDICIAL AND ADMINISTRATIVE PURPOSES.
(a) IN GENERAL- A health care provider, health plan, health oversight
agency, employer, insurer, health or life insurer, school or university, a
person acting as the agent of any such person, or a person who receives
protected health information under section 204, may disclose protected health
information--
(1) pursuant to the standards and procedures established in the Federal
Rules of Civil Procedure or comparable rules of other courts or
administrative agencies, in connection with litigation or proceedings to
which an individual who is the subject of the information is a party and in
which the individual has placed his or her physical or mental condition at
issue;
(2) to a court, and to others ordered by the court, if in response to a
court order issued by a court of competent jurisdiction in accordance with
subsections (b) and (c); or
(3) if necessary to present to a court an application regarding the
provision of treatment of an individual or the appointment of a
guardian.
(b) COURT ORDERS FOR ACCESS TO PROTECTED HEALTH INFORMATION- A court order
for the disclosure of protected health information under subsection (a) may be
issued only if the person seeking disclosure submits a written application
upon oath or equivalent affirmation demonstrating by clear and convincing
evidence that--
(1) the protected health information sought is necessary for the
adjudication of a material fact in dispute in a civil proceeding;
(2) the adjudicative need cannot be reasonably satisfied by
de-identified health information or by any other information; and
(3) the need for the information outweighs the privacy interest of the
individual to whom the information pertains.
(1) IN GENERAL- Except as provided in paragraph (2), no order for the
disclosure of protected health information about an individual may be issued
by a court unless notice of the application for the order has been served on
the individual and the individual has been afforded an opportunity to oppose
the issuance of the order.
(2) NOTICE NOT REQUIRED- An order for the disclosure of protected health
information about an individual may be issued without notice to the
individual if the court finds, by clear and convincing evidence, that notice
would be impractical because--
(A) the name and address of the individual are unknown; or
(B) notice would risk destruction or unavailability of the
evidence.
(d) OBLIGATIONS OF RECIPIENT- A person seeking protected health
information pursuant to subsection (a)(1)--
(1) shall notify the individual or the individual's attorney of the
request for the information;
(2) shall provide the health care provider, health plan, health
oversight agency, employer, insurer, health or life insurer, school or
university, agent, or other person involved with a signed document
attesting--
(A) that the individual has placed his or her physical or mental
condition at issue in litigation or proceedings in which the individual is
a party; and
(B) the date on which the individual or the individual's attorney was
notified under paragraph (1); and
(3) shall not accept any requested protected health information from the
health care provider, health plan, health oversight agency, employer,
insurer, health or life insurer, school or university, agent, or person
until the termination of the 10-day period beginning on the date notice was
given under paragraph (1).
SEC. 212. INDIVIDUAL REPRESENTATIVES.
(a) IN GENERAL- Except as provided in subsections (b) and (c), a person
who is authorized by law (based on grounds other than an individual's status
as a minor), or by an instrument recognized under law, to act as an agent,
attorney, proxy, or other legal representative of an individual, may, to the
extent so authorized, exercise and discharge the rights of the individual
under this Act.
(b) HEALTH CARE POWER OF ATTORNEY- A person who is authorized by law
(based on grounds other than being a minor), or by an instrument recognized
under law, to make decisions about the provision of health care to an
individual who is incapacitated, may exercise and discharge the rights of the
individual under this Act to the extent necessary to effectuate the terms or
purposes of the grant of authority.
(c) NO COURT DECLARATION- If a physician or other health care provider
determines that an individual, who has not been declared to be legally
incompetent, suffers from a medical condition that prevents the individual
from acting knowingly or effectively on the individual's own behalf, the right
of the individual to authorize disclosure under this Act may be exercised and
discharged in the best interest of the individual by--
(1) a person described in subsection (b) with respect to the
individual;
(2) a person described in subsection (a) with respect to the individual,
but only if a person described in paragraph (1) cannot be contacted after a
reasonable effort;
(3) the next of kin of the individual, but only if a person described in
paragraph (1) or (2) cannot be contacted after a reasonable effort; or
(4) the health care provider, but only if a person described in
paragraph (1), (2), or (3) cannot be contacted after a reasonable
effort.
(1) INDIVIDUALS WHO ARE 18 OR LEGALLY CAPABLE- In the case of an
individual--
(A) who is 18 years of age or older, all rights of the individual
under this Act shall be exercised by the individual; or
(B) who, acting alone, can obtain a type of health care without
violating any applicable law, and who has sought such care, the individual
shall exercise all rights of an individual under this Act with respect to
protected health information relating to such health care.
(2) INDIVIDUALS UNDER 18- Except as provided in paragraph (1)(B), in the
case of an individual who is--
(A) under 14 years of age, all of the individual's rights under this
Act shall be exercised through the parent or legal guardian; or
(B) 14 through 17 years of age, the rights of inspection and
supplementation, and the right to authorize use and disclosure of
protected health information of the individual shall be exercised by the
individual, or by the parent or legal guardian of the individual.
(e) DECEASED INDIVIDUALS-
(1) APPLICATION OF ACT- The provisions of this Act shall continue to
apply to protected health information concerning a deceased
individual.
(2) EXERCISE OF RIGHTS ON BEHALF OF A DECEASED INDIVIDUAL- A person who
is authorized by law or by an instrument recognized under law, to act as an
executor of the estate of a deceased individual, or otherwise to exercise
the rights of the deceased individual, may, to the extent so authorized,
exercise and discharge the rights of such deceased individual under this
Act. If no such designee has been authorized, the rights of the deceased
individual may be exercised as provided for in subsection (c).
(3) IDENTIFICATION OF DECEASED INDIVIDUAL- A person described in section
209(a) may disclose protected health information if such disclosure is
necessary to assist in the identification of a deceased individual.
SEC. 213. PROHIBITION AGAINST RETALIATION.
A health care provider, health researcher, health plan, health oversight
agency, employer, health or life insurer, school or university, person acting
as an agent of any such person, or person who receives protected health
information under section 204 may not adversely affect another person,
directly or indirectly, because such person has exercised a right under this
Act, disclosed information relating to a possible violation of this Act, or
associated with, or assisted, a person in the exercise of a right under this
Act.
TITLE III--OFFICE OF HEALTH INFORMATION PRIVACY OF THE DEPARTMENT OF
HEALTH AND HUMAN SERVICES
Subtitle A--Designation
SEC. 301. DESIGNATION.
(a) IN GENERAL- The Secretary shall designate an office within the
Department of Health and Human Services to be known as the Office of Health
Information Privacy. The Office shall be headed by a Director, who shall be
appointed by the Secretary.
(b) DUTIES- The Director of the Office of Health Information Privacy
shall--
(1) receive and investigate complaints of alleged violations of this
Act;
(2) provide for the conduct of audits where appropriate;
(3) provide guidance to the Secretary in the implementation of this
Act;
(4) prepare and submit the report described in subsection (c);
(5) consult with, and provide recommendation to, the Secretary
concerning improvements in the privacy and security of protected health
information and concerning medical privacy research needs; and
(6) carry out any other activities determined appropriate by the
Secretary.
(c) REPORT ON COMPLIANCE- Not later than January 1 of the first calendar
year beginning more than 1 year after the establishment of the Office under
subsection (a), and every January 1 thereafter, the Director of the Office of
Health Information Privacy shall prepare and submit to Congress a report
concerning the number of complaints of alleged violations of this Act that are
received during the year for which the report is being prepared. Such report
shall describe the complaints and any remedial action taken concerning such
complaints.
Subtitle B--Enforcement
CHAPTER 1--CRIMINAL PROVISIONS
SEC. 311. WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION.
(a) IN GENERAL- Part I of title 18, United States Code, is amended by
adding at the end the following:
`CHAPTER 124--WRONGFUL DISCLOSURE OF PROTECTED HEALTH
INFORMATION
`Sec.
`2801. Wrongful disclosure of protected health information.
`Sec. 2801. Wrongful disclosure of protected health information
`(a) OFFENSE- The penalties described in subsection (b) shall apply to a
person that knowingly and intentionally--
`(1) obtains or attempts to obtain protected health information relating
to an individual in violation of title II of the Medical Information Privacy
and Security Act; or
`(2) discloses or attempts to disclose protected health information to
another person in violation of title II of the Medical Information Privacy
and Security Act.
`(b) PENALTIES- A person described in subsection (a) shall--
`(1) be fined not more than $50,000, imprisoned not more than 1 year, or
both;
`(2) if the offense is committed under false pretenses, be fined not
more than $250,000, imprisoned not more than 5 years, or any combination of
such penalties; or
`(3) if the offense is committed with the intent to sell, transfer, or
use protected health information for commercial advantage, personal gain, or
malicious harm, be fined not more than $500,000, imprisoned not more than 10
years, excluded from participation in any Federally funded health care
programs, or any combination of such penalties.
`(c) SUBSEQUENT OFFENSES- In the case of a person described in subsection
(a), the maximum penalties described in subsection (b) shall be doubled for
every subsequent conviction for an offense arising out of a violation or
violations related to a set of circumstances that are different from those
involved in the previous violation or set of related violations described in
such subsection (a).'.
(b) CLERICAL AMENDMENT- The table of chapters for part I of title 18,
United States Code, is amended by inserting after the item relating to chapter
123 the following new item:
2801'.
SEC. 312. DEBARMENT FOR CRIMES.
(a) PURPOSE- The purpose of this section is to promote the prevention and
deterrence of instances of intentional criminal actions which violate criminal
laws which are designed to protect the privacy of protected health information
in a manner consistent with this Act.
(b) DEBARMENT- Not later than 270 days after the date of enactment of this
Act, the Attorney General, in consultation with the Secretary, shall
promulgate regulations and establish procedures to permit the debarment of
health care providers, health researchers, health or life insurers, employers,
or schools or universities from receiving benefits under any Federal health
programs or other Federal procurement program if the managers or officers of
such persons are found guilty of violating section 2801 of title 18, United
States Code, have civil penalties imposed against such officers or managers
under section 321 in connection with the illegal disclosure of protected
health information, or are found guilty of making a false statement or
obstructing justice related to attempting to conceal or concealing such
illegal disclosure. Such regulations shall take into account the need for
continuity of medical care and may provide for a delay of any debarment
imposed under this section to take into account the medical needs of
patients.
(c) CONSULTATION- Before publishing a proposed rule to implement
subsection (b), the Attorney General shall consult with State law enforcement
officials, health care providers, patient privacy rights' advocates, and other
appropriate persons, to gain additional information regarding the debarment of
entities under subsection (b) and the best methods to ensure the continuity of
medical care.
(d) REPORT- The Attorney General shall annually prepare and submit to the
Committee on the Judiciary of the House of Representatives and the Committee
on the Judiciary of the Senate a report concerning the activities
and debarment actions taken by the Attorney General under this section.
(e) ASSISTANCE TO PREVENT CRIMINAL VIOLATIONS- The Attorney General, in
cooperation with any other appropriate individual, organization, or agency,
may provide advice, training, technical assistance, and guidance regarding
ways to reduce the incidence of improper disclosure of protected health
information.
(f) RELATIONSHIP TO OTHER AUTHORITIES- A debarment imposed under this
section shall not reduce or diminish the authority of a Federal, State, or
local governmental agency or court to penalize, imprison, fine, suspend,
debar, or take other adverse action against a person, in a civil, criminal, or
administrative proceeding.
CHAPTER 2--CIVIL SANCTIONS
SEC. 321. CIVIL PENALTY.
(a) VIOLATION- A health care provider, health researcher, health plan,
health oversight agency, public health agency, law enforcement agency,
employer, health or life insurer, school, or university, or a person acting as
the agent of any such person, who the Secretary, in consultation with the
Attorney General, determines has substantially and materially failed to comply
with this Act shall be subject, in addition to any other penalties that may be
prescribed by law--
(1) in a case in which the violation relates to title I, to a civil
penalty of not more than $500 for each such violation, but not to exceed
$5,000 in the aggregate for multiple violations;
(2) in a case in which the violation relates to title II, to a civil
penalty of not more than $10,000 for each such violation, but not to exceed
$50,000 in the aggregate for multiple violations; or
(3) in a case in which the Secretary finds that such violations have
occurred with such frequency as to constitute a general business practice,
to a civil penalty of not more than $100,000.
(b) PROCEDURES FOR IMPOSITION OF PENALTIES- Section 1128A of the Social
Security Act (42 U.S.C. 1320a-7a), other than subsections (a) and (b) and the
second sentence of subsection (f) of that section, shall apply to the
imposition of a civil, monetary, or exclusionary penalty under this section in
the same manner as such provisions apply with respect to the imposition of a
penalty under section 1128A of such Act.
SEC. 322. PROCEDURES FOR IMPOSITION OF PENALTIES.
(a) INITIATION OF PROCEEDINGS-
(1) IN GENERAL- The Secretary, in consultation with the Attorney
General, may initiate a proceeding to determine whether to impose a civil
money penalty under section 321. The Secretary may not initiate an action
under this section with respect to any violation described in section 321
after the expiration of the 6-year period beginning on the date on which
such violation was alleged to have occurred. The Secretary may initiate an
action under this section by serving notice of the action in any manner
authorized by Rule 4 of the Federal Rules of Civil Procedure.
(2) NOTICE AND OPPORTUNITY FOR HEARING- The Secretary shall not make a
determination adverse to any person under paragraph (1) until the person has
been given written notice and an opportunity for the determination to be
made on the record after a hearing at which the person is entitled to be
represented by counsel, to present witnesses, and to cross-examine witnesses
against the person.
(3) ESTOPPEL- In a proceeding under paragraph (1) that--
(A) is against a person who has been convicted (whether upon a verdict
after trial or upon a plea of guilty or nolo contendere) of a crime under
section 2801 of title 18, United States Code; and
(B) involves the same conduct as in the criminal action;
the person is estopped from denying the essential elements of the
criminal offense.
(4) SANCTIONS FOR FAILURE TO COMPLY- The official conducting a hearing
under this section may sanction a person, including any party or attorney,
for failing to comply with an order or procedure, failing to defend an
action, or other misconduct as would interfere with the speedy, orderly, or
fair conduct of the hearing. Such sanction shall reasonably relate to the
severity and nature of the failure or misconduct. Such sanction may
include--
(A) in the case of refusal to provide or permit discovery, drawing
negative factual inferences or treating such refusal as an admission by
deeming the matter, or certain facts, to be established;
(B) prohibiting a party from introducing certain evidence or otherwise
supporting a particular claim or defense;
(C) striking pleadings, in whole or in part;
(D) staying the proceedings;
(E) dismissal of the action;
(F) entering a default judgment;
(G) ordering the party or attorney to pay attorneys' fees and other
costs caused by the failure or misconduct; and
(H) refusing to consider any motion or other action which is not filed
in a timely manner.
(b) SCOPE OF PENALTY- In determining the amount or scope of any penalty
imposed pursuant to section 321, the Secretary shall take into account--
(1) the nature of claims and the circumstances under which they were
presented;
(2) the degree of culpability, history of prior offenses, and financial
condition of the person against whom the claim is brought; and
(3) such other matters as justice may require.
(c) REVIEW OF DETERMINATION-
(1) IN GENERAL- Any person adversely affected by a determination of the
Secretary under this section may obtain a review of such determination in
the United States Court of Appeals for the circuit in which the person
resides, or in which the claim was presented, by filing in such court
(within 60 days following the date the person is notified of the
determination of the Secretary) a written petition requesting that the
determination be modified or set aside.
(2) FILING OF RECORD- A copy of the petition filed under paragraph (1)
shall be forthwith transmitted by the clerk of the court to the Secretary,
and thereupon the Secretary shall file in the Court the record in the
proceeding as provided in section 2112 of title 28, United States Code. Upon
such filing, the court shall have jurisdiction of the proceeding and of the
question determined therein, and shall have the power to make and enter upon
the pleadings, testimony, and proceedings set forth in such record a decree
affirming, modifying, remanding for further consideration, or setting aside,
in whole or in part, the determination of the Secretary and enforcing the
same to the extent that such order is affirmed or modified.
(3) CONSIDERATION OF OBJECTIONS- No objection that has not been raised
before the Secretary with respect to a determination described in paragraph
(1) shall be considered by the court, unless the failure or neglect to raise
such objection shall be excused because of extraordinary
circumstances.
(4) FINDINGS- The findings of the Secretary with respect to questions of
fact in an action under this subsection, if supported by substantial
evidence on the record considered as a whole, shall be conclusive. If any
party shall apply to the court for leave to adduce additional evidence and
shall show to the satisfaction of the court that such additional evidence is
material and that there were reasonable grounds for the failure to adduce
such evidence in the hearing before the Secretary, the court may order such
additional evidence to be taken before the Secretary and to be made a part
of the record. The Secretary may modify findings as to the facts, or make
new findings, by reason of additional evidence so taken and filed, and shall
file with the court such modified or new findings, and such findings with
respect to questions of fact, if supported by substantial evidence on the
record considered as a whole, and the recommendations of the Secretary, if
any, for the modification or setting aside of the original order, shall be
conclusive.
(5) EXCLUSIVE JURISDICTION- Upon the filing of the record with the court
under paragraph (2), the jurisdiction of the court shall be exclusive and
its judgment and decree shall be final, except that the same shall be
subject to review by the Supreme Court of the United States, as provided for
in section 1254 of title 28, United States Code.
(d) RECOVERY OF PENALTIES-
(1) IN GENERAL- Civil money penalties imposed under this chapter may be
compromised by the Secretary and may be recovered in a civil action in the
name of the United States brought in United States district court for the
district where the claim was presented, or where the claimant resides, as
determined by the Secretary. Amounts recovered under this section shall be
paid to the Secretary and deposited as miscellaneous receipts of the
Treasury of the United States.
(2) DEDUCTION FROM AMOUNTS OWING- The amount of any penalty, when
finally determined under this section, or the amount agreed upon in
compromise under paragraph (1), may be deducted from any sum then or later
owing by the United States or a State to the person against whom the penalty
has been assessed.
(e) DETERMINATION FINAL- A determination by the Secretary to impose a
penalty under section 321 shall be final upon the expiration of the 60-day
period referred to in subsection (c)(1). Matters that were raised or that
could have been raised in a hearing before the Secretary or in an appeal
pursuant to subsection (c) may not be raised as a defense to a civil action by
the United States to collect a penalty under section 321.
(1) IN GENERAL- For the purpose of any hearing, investigation, or other
proceeding authorized or directed under this section, or relative to any
other matter within the jurisdiction of the Secretary hereunder, the
Secretary shall have the power to issue subpoenas requiring the attendance
and testimony of witnesses and the production of any evidence that relates
to any matter under investigation or in question. Such attendance of
witnesses and production of evidence at the designated place of such
hearing, investigation, or other proceeding may be required from any place
in the United States or in any Territory or possession thereof.
(2) SERVICE- Subpoenas of the Secretary under paragraph (1) shall be
served by anyone authorized by the Secretary by delivering a copy thereof to
the individual named therein.
(3) PROOF OF SERVICE- A verified return by the individual serving the
subpoena under this subsection setting forth the manner of service shall be
proof of service.
(4) FEES- Witnesses subpoenaed under this subsection shall be paid the
same fees and mileage as are paid witnesses in the district court of the
United States.
(5) REFUSAL TO OBEY- In case of contumacy by, or refusal to obey a
subpoena duly served upon, any person, any district court of the United
States for the judicial district in which such person charged with contumacy
or refusal to obey is found or resides or transacts business, upon
application by the Secretary, shall have jurisdiction to issue an order
requiring such person to appear and give testimony, or to appear and produce
evidence, or both. Any failure to obey such order of the court may be
punished by the court as contempt thereof.
(g) INJUNCTIVE RELIEF- Whenever the Secretary has reason to believe that
any person has engaged, is engaging, or is about to engage in any activity
which makes the person subject to a civil monetary penalty under section 321,
the Secretary may bring an action in an appropriate district court of the
United States (or, if applicable, a United States court of any territory) to
enjoin such activity, or to enjoin the person from concealing, removing,
encumbering, or disposing of assets which may be required in order to pay a
civil monetary penalty if any such penalty were to be imposed or to seek other
appropriate relief.
(h) AGENCY- A principal is jointly and severally liable with the
principal's agent for penalties under section 321 for the actions of the
principal's agent acting within the scope of the agency.
SEC. 323. CIVIL ACTION BY INDIVIDUALS.
(a) IN GENERAL- Any individual whose rights under this Act have been
knowingly or negligently violated may bring a civil action to recover--
(1) such preliminary and equitable relief as the court determines to be
appropriate; and
(2) the greater of compensatory damages or liquidated damages of
$5,000.
(b) PUNITIVE DAMAGES- In any action brought under this section in which
the individual has prevailed because of a knowing violation of a provision of
this Act, the court may, in addition to any relief awarded under subsection
(a), award such punitive damages as may be warranted.
(c) ATTORNEY'S FEES- In the case of a civil action brought under
subsection (a) in which the individual has substantially prevailed, the court
may assess against the respondent a reasonable attorney's fee and other
litigation costs and expenses (including expert fees) reasonably incurred.
(d) LIMITATION- No action may be commenced under this section more than 3
years after the date on which the violation was or should reasonably have been
discovered.
(e) AGENCY- A principal is jointly and severally liable with the
principal's agent for damages under this section for the actions of the
principal's agent acting within the scope of the agency.
(f) ADDITIONAL REMEDIES- The equitable relief or damages that may be
available under this section shall be in addition to any other lawful remedy
or award available.
TITLE IV--MISCELLANEOUS
SEC. 401. RELATIONSHIP TO OTHER LAWS.
(a) FEDERAL AND STATE LAWS- Nothing in this Act shall be construed as
preempting, superseding, or repealing, explicitly or implicitly, other Federal
or State laws or regulations relating to protected health information or
relating to an individual's access to protected health information or health
care services, if such laws or regulations provide protections for the rights
of individuals to the privacy of, and access to, their health information that
are greater than those provided for in this Act.
(b) PRIVILEGES- Nothing in this Act shall be construed to preempt or
modify any provisions of State statutory or common law to the extent that such
law concerns a privilege of a witness or person in a court of that State. This
Act shall not be construed to supersede or modify any provision of Federal
statutory or common law to the extent such law concerns a privilege of a
witness or person in a court of the United States. Authorizations pursuant to
section 202 shall not be construed as a waiver of any such privilege.
(c) CERTAIN DUTIES UNDER LAW- Nothing in this Act shall be construed to
preempt, supersede, or modify the operation of any State law that--
(1) provides for the reporting of vital statistics such as birth or
death information;
(2) requires the reporting of abuse or neglect information about any
individual;
(3) regulates the disclosure or reporting of information concerning an
individual's mental health; or
(4) governs a minor's rights to access protected health information or
health care services.
(1) MEDICAL EXEMPTIONS- Section 552a of title 5, United States Code, is
amended by adding at the end the following:
`(w) CERTAIN PROTECTED HEALTH INFORMATION- The head of an agency that is a
health care provider, health plan, health oversight agency, employer, insurer,
health or life insurer, school or university, or person who receives protected
health information under section 204 of the Medical Information Privacy and
Security Act shall promulgate rules, in accordance with the requirements
(including general notice) of subsections (b)(1), (b)(2), (b)(3), (c), (e) of
section 553 of this title, to exempt a system of records within the agency, to
the extent that the system of records contains protected health information
(as defined in section 4 of such Act), from all provisions of this section
except subsections (b)(6), (d), (e)(1), (e)(2), subparagraphs (A) through (C)
and (E) through (I) of subsection (e)(4), and subsections (e)(5), (e)(6),
(e)(9), (e)(12), (l), (n), (o), (p), (r), and (u).'.
(2) TECHNICAL AMENDMENT- Section 552a(f)(3) of title 5, United States
Code, is amended by striking `pertaining to him,' and all that follows
through the semicolon and inserting `pertaining to the individual.'
(e) CONSTITUTION- Nothing in this Act shall be construed to alter,
diminish, or otherwise weaken existing legal standards under the Constitution
regarding the confidentiality of protected health information.
SEC. 402. EFFECTIVE DATE.
(a) EFFECTIVE DATE- Unless specifically provided for otherwise, this Act
shall take effect on the date that is 12 months after the date of the
promulgation of the regulations required under subsection (b), or 30 months
after the date of enactment of this Act, whichever is earlier.
(b) REGULATIONS- Not later than 12 months after the date of enactment of
this Act, or as specifically provided for otherwise, the Secretary shall
promulgate regulations implementing this Act.
END