HR 1941 IH

To protect the privacy of personally identifiable health information.

May 25, 1999

Mr. CONDIT (for himself, Mr. WAXMAN, Mr. MARKEY, Mr. DINGELL, Mr. BROWN of Ohio, Mr. TURNER, Mr. LANTOS, Mr. CRAMER, Mr. WISE, Mr. OWENS, Mrs. TAUSCHER, Mr. TOWNS, Mr. SHOWS, Mr. KANJORSKI, Mrs. MINK of Hawaii, Mr. SANDERS, Mrs. MALONEY of New York, Ms. NORTON, Mr. FATTAH, Mr. CUMMINGS, Mr. KUCINICH, Mr. BLAGOJEVICH, Mr. DAVIS of Illinois, Mr. TIERNEY, Mr. ALLEN, Mr. FORD, Ms. SCHAKOWSKI, Mr. ROMERO-BARCELO, and Mr. STUPAK) introduced the following bill; which was referred to the Committee on Commerce, and in addition to the Committee on Government Reform, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

To protect the privacy of personally identifiable health information.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

(a) SHORT TITLE- This Act may be cited as the `Health Information Privacy Act'.

(b) TABLE OF CONTENTS- The table of contents for this Act is as follows:

Sec. 1. Short title; table of contents.

Sec. 2. Findings and purposes.

TITLE I--PROTECTION OF HEALTH INFORMATION

Sec. 101. Restrictions on uses.

Sec. 102. Restrictions on disclosure.

Sec. 103. Standards for authorizations for use and disclosure.

Sec. 104. Safeguards against misuse and prohibited disclosures.

TITLE II--RIGHTS OF PROTECTED INDIVIDUALS

Sec. 201. Right of access.

Sec. 202. Right of correction and amendment.

Sec. 203. Right to review disclosure history.

Sec. 204. Right to notice of information practices and opportunity to seek additional protections.

TITLE III--PERMISSIBLE DISCLOSURES OF PROTECTED HEALTH INFORMATION

Sec. 301. Provision of and payment for health care.

Sec. 302. Health oversight.

Sec. 303. Public health.

Sec. 304. Health research.

Sec. 305. Law enforcement.

Sec. 306. Judicial or administrative proceedings.

Sec. 307. Other disclosures.

Sec. 308. Redisclosures.

TITLE IV--MISCELLANEOUS PROVISIONS

Sec. 401. Specific classes of individuals.

Sec. 402. False pretenses.

Sec. 403. Obligations of affiliated persons.

Sec. 404. Prohibition of retaliation with respect to employment.

Sec. 405. Mental health and other especially sensitive information.

Sec. 406. Cessation of operations.

Sec. 407. Conforming amendments to Federal Privacy Act.

TITLE V--GENERAL PROVISIONS

Sec. 501. Authority of the Secretary.

Sec. 502. Enforcement.

Sec. 503. Relationship to other laws.

Sec. 504. Definitions.

Sec. 505. Effective date.

SEC. 2. FINDINGS AND PURPOSES.

(a) FINDINGS- The Congress finds as follows:

(1) The right to privacy is a personal and fundamental right protected by the Constitution of the United States.

(2) Individuals have a right to privacy regarding their individually identifiable health information.

(3) The improper use or disclosure of individually identifiable health information about an individual may cause significant harm to the interests of the individual in privacy and health care, and may unfairly affect the ability of the individual to obtain employment, education, insurance, credit, and other necessities.

(4) Current legal protections for health information vary from State to State and are inadequate to protect the privacy of an individual's health information and ensure fair information practices standards.

(5) The movement of individuals and health information across State lines, access to and exchange of health information from automated data banks and networks, and the emergence of multistate health care providers and payers create a compelling need for Federal law, rules, and procedures governing the use, maintenance, and disclosure of health information.

(6) Federal rules governing the use, maintenance, and disclosure of health information are an essential part of health care reform, are necessary to support the computerization of health information, and can reduce the cost of providing health services by making the necessary transfer of health information more efficient.

(7) An individual needs access to health information about the individual as a matter of fairness, to enable the individual to make informed decisions about health care, and to correct inaccurate or incomplete information.

(b) PURPOSES- The purposes of this Act are as follows:

(1) To protect the privacy of health information that reveals the identity of an individual.

(2) To define the rights and responsibilities of a person who creates or maintains individually identifiable health information that originates or is used in the health treatment or payment process.

(3) To define the rights of an individual with respect to health information about the individual that is created or maintained as part of the health treatment and payment process.

TITLE I--PROTECTION OF HEALTH INFORMATION

SEC. 101. RESTRICTIONS ON USES.

(a) IN GENERAL- Use of protected health information by health information custodians--

(1) shall protect the reasonable expectation of privacy of protected individuals; and

(2) shall be in accordance with fair information practices.

(b) MINIMUM REQUIREMENTS-

(1) LIMITATION ON USES- Unless otherwise authorized by a protected individual under section 103, a health information custodian may use protected health information only for the uses for which disclosure is authorized under title III.

(2) MINIMUM AMOUNT OF INFORMATION- A health information custodian shall limit use of protected health information to the minimum amount and duration necessary to accomplish the use.

SEC. 102. RESTRICTIONS ON DISCLOSURE.

(a) IN GENERAL- Disclosure of protected health information by a health information custodian shall protect the reasonable expectations of privacy of protected individuals.

(b) MINIMUM REQUIREMENTS-

(1) LIMITATION ON DISCLOSURES- A health information custodian may not disclose protected health information unless--

(A) the disclosure is authorized by the protected individual under section 103; or

(B) the disclosure is authorized under title III.

(2) MINIMUM AMOUNT OF INFORMATION- A health information custodian shall limit a disclosure of protected health information to the minimum amount of information necessary to accomplish the purpose for which the information is disclosed.

(c) NO REQUIREMENT TO DISCLOSE- Nothing in this Act shall be construed as requiring disclosure of protected health information that is not otherwise required to be disclosed by law.

SEC. 103. STANDARDS FOR AUTHORIZATIONS FOR USE AND DISCLOSURE.

(a) IN GENERAL- A health information custodian may use or disclose protected information pursuant to an authorization by a protected individual only if that authorization is based on informed consent by the protected individual.

(b) MINIMUM REQUIREMENTS-

(1) PROHIBITION ON CONDITIONING- A health information custodian may not, as a condition of providing or paying for health care, require a protected individual to execute an authorization for use or disclosure of protected health information.

(2) INFORMED CONSENT- For the purposes of subsection (a), an authorization shall not be considered to be based on informed consent unless, at a minimum, it satisfies the conditions in part II.D.1 of the Secretary's HIPAA recommendations (relating to `Disclosure with Patient Authorization: Authorization Content').

SEC. 104. SAFEGUARDS AGAINST MISUSE AND PROHIBITED DISCLOSURES.

(a) IN GENERAL- Health information custodians shall establish and implement safeguards against misuse and prohibited disclosure of protected health information.

(b) MINIMUM REQUIREMENTS- The safeguards under subsection (a) shall include reasonable and appropriate administrative, technical, and physical safeguards--

(1) to ensure that protected health information is used or disclosed only when necessary;

(2) to ensure the integrity and confidentiality of protected health information;

(3) to protect against any reasonably anticipated threats or hazards to the security or integrity of the information or unauthorized use or disclosure of the information; and

(4) otherwise to ensure compliance with this Act.

(c) MENTAL HEALTH AND OTHER ESPECIALLY SENSITIVE INFORMATION- In establishing and implementing the safeguards under subsection (a), a health information custodian shall consider providing additional protections for mental health and other especially sensitive protected health information, as appropriate.

(d) RELATIONSHIP TO SOCIAL SECURITY ACT ADMINISTRATIVE SIMPLIFICATION REQUIREMENTS- Any safeguard established under this section shall be consistent with the standards adopted by the Secretary under paragraph (1) of section 1173(d) of the Social Security Act (42 U.S.C. 1320d-2(d)) and the requirement in paragraph (2) of such section.

TITLE II--RIGHTS OF PROTECTED INDIVIDUALS

SEC. 201. RIGHT OF ACCESS.

(a) IN GENERAL- Protected individuals shall have the right to a reasonable opportunity to inspect and copy protected health information maintained by a health information custodian.

(b) MINIMUM REQUIREMENTS- Subject to section 405(b), a health information custodian, at a minimum, shall provide a protected individual at least as much opportunity to inspect and copy protected health information as was recommended by the Secretary in part II.C.2 of the Secretary's HIPAA recommendations (relating to `Patient Inspection and Copying of Records').

SEC. 202. RIGHT OF CORRECTION AND AMENDMENT.

(a) IN GENERAL- Protected individuals shall have the right to a reasonable opportunity to correct or amend protected health information maintained by a health information custodian.

(b) MINIMUM REQUIREMENTS- A health information custodian, at a minimum, shall provide a protected individual correction and amendment protections that are at least equivalent to those recommended by the Secretary in part II.C.3 of the Secretary's HIPAA recommendations (relating to `Patient Correction of Records').

SEC. 203. RIGHT TO REVIEW DISCLOSURE HISTORY.

(a) IN GENERAL- Protected individuals shall have the right to a reasonable opportunity to review a history of the disclosures of protected health information about the individual made by a health information custodian.

(b) MINIMUM REQUIREMENTS- A health information custodian, at a minimum, shall implement procedures that ensure a protected individual at least as much opportunity to review the individual's disclosure histories as was recommended by the Secretary in part II.C.4 of the Secretary's HIPAA recommendations (relating to `Disclosure History').

SEC. 204. RIGHT TO NOTICE OF INFORMATION PRACTICES AND OPPORTUNITY TO SEEK ADDITIONAL PROTECTIONS.

(a) IN GENERAL- Protected individuals shall have--

(1) the right to notice of the information practices of health information custodians; and

(2) a reasonable opportunity to seek limitations on the use and disclosure of protected health information in addition to the limitations provided in such practices.

(b) MINIMUM REQUIREMENTS-

(1) NOTICE AND OPPORTUNITY TO SEEK ADDITIONAL PROTECTIONS- To the maximum extent practicable, before obtaining protected health information from a protected individual, a health information custodian--

(A) shall provide the protected individual with a clear and conspicuous notice of the custodian's health information practices, which notice shall include, at a minimum, the explanation recommended in part II.C.1 of the Secretary's HIPAA recommendations (relating to `Explanation of Information Practices');

(B) shall provide the protected individual a reasonable opportunity to seek limitations on the use or disclosure of protected health information in addition to the limitations provided in such practices; and

(C) shall obtain a signed acknowledgment from the protected individual acknowledging that the notice required under subparagraph (A) has been provided to the protected individual and the individual has been informed of the opportunity to seek additional limitations required to be provided under subparagraph (B).

(2) OTHER HEALTH INFORMATION CUSTODIANS- A health information custodian who receives protected health information about a protected individual from a source other than the individual shall provide a notice of the custodian's health information practices that is consistent with paragraph (1)(A) to the individual upon request.

(c) COMPLIANCE- If a protected individual seeks limitations on the use or disclosure of protected health information in addition to the limitations described in a health information custodian's notice of health information practices, and the custodian agrees to provide such additional limitations, the custodian shall comply with such additional limitations, unless such compliance would violate another provision of law.

TITLE III--PERMISSIBLE DISCLOSURES OF PROTECTED HEALTH INFORMATION

SEC. 301. PROVISION OF AND PAYMENT FOR HEALTH CARE.

(a) IN GENERAL- A health information custodian, to the extent the Secretary determines appropriate, may disclose protected health information, without obtaining an authorization under section 103, for the purpose of providing health care to an individual or paying for health care provided to an individual, except as provided in subsection (c).

(b) CONSTRUCTION- For purposes of subsection (a), a disclosure of protected health information by a health information custodian for the purpose of rendering an employment decision, conducting a marketing activity, or conducting an insurance underwriting activity, shall not be considered a disclosure for the purpose of providing health care to an individual or paying for health care provided to an individual.

(c) SPECIAL RULE FOR PATIENTS PAYING FOR CARE- In the case of health care provided to an individual who pays for the care himself or herself, a health information custodian may not disclose to a health care payer, without obtaining an authorization under section 103, protected health information created or received in the course of providing such care.

SEC. 302. HEALTH OVERSIGHT.

(a) IN GENERAL- A health information custodian, to the extent the Secretary determines appropriate, may disclose protected health information for the purpose of health oversight, without obtaining an authorization under section 103.

(b) MINIMUM REQUIREMENTS- The Secretary--

(1) shall permit a health information custodian to disclose protected health information to Federal, State, and local agencies (or affiliated persons of such agencies) that are authorized by law to investigate, regulate, enforce laws relating to, or license, certify, or accredit persons engaged in, the provision of, or payment for, health care; and

(2) may permit a health information custodian to disclose protected health information to appropriate private organizations engaged in licensing, certification, or accreditation of health care providers.

SEC. 303. PUBLIC HEALTH.

A health information custodian, to the extent the Secretary determines appropriate, may disclose protected health information, without obtaining an authorization under section 103--

(1) to a public health authority for use in legally authorized disease or injury reporting, public health surveillance, or a public health investigation or intervention; or

(2) to a person who is otherwise authorized by law or a public health authority to receive the information for public health purposes.

SEC. 304. HEALTH RESEARCH.

(a) IN GENERAL- A health information custodian, to the extent the Secretary determines appropriate, may disclose protected health information for health research, without obtaining an authorization under section 103.

(b) MINIMUM REQUIREMENTS- A health information custodian may disclose protected health information without such an authorization only for uses that have been approved by an entity certified by the Secretary.

(c) REGULATIONS- The Secretary shall promulgate regulations that, at a minimum--

(1) require that, before approving a use of protected health information for purposes of subsection (b), a certified entity shall determine that--

(A) the importance of the health research outweighs the intrusion into the privacy of the protected individuals who are the subjects of the protected health information; and

(B) it would be impracticable to conduct the health research without using the protected health information;

(2) establish requirements for certifying entities that ensure that such entities--

(A) meet the requirements for institutional review boards established under section 491(a) of the Public Health Service Act with respect to information protection, use, and disclosure; and

(B) are qualified to assess and protect the confidentiality of protected health information; and

(3) require a person conducting health research to remove or destroy personal identifiers at the earliest opportunity consistent with the purpose of the research, unless a certified entity has determined that there is a health or research justification for retention of identifiers and the person has an adequate plan to protect the identifiers from improper use and disclosure.

SEC. 305. LAW ENFORCEMENT.

(a) IN GENERAL- A health information custodian may disclose protected health information to a law enforcement official for a law enforcement inquiry if the law enforcement official complies with the fourth amendment to the Constitution.

(b) CONSTRUCTION- For purposes of subsection (a), all protected health information shall be treated as if it were held in a home over which the protected individual has exclusive authority.

(c) RELATIONSHIP TO HEALTH OVERSIGHT ACTIVITIES- This section shall not apply to a disclosure of protected health information for purposes of health oversight.

SEC. 306. JUDICIAL OR ADMINISTRATIVE PROCEEDINGS.

(a) IN GENERAL- A health information custodian, to the extent the Secretary determines appropriate, may disclose protected health information, without obtaining an authorization under section 103, pursuant to--

(1) a judicial or administrative subpoena issued in a civil administrative or judicial adjudication; or

(2) a subpoena issued by a defendant in a criminal proceeding.

(b) MINIMUM REQUIREMENTS- A health information custodian may not disclose protected health information about a protected individual under this section, unless the individual has had--

(1) reasonable notice of the subpoena; and

(2) a reasonable opportunity to move the court, or other presiding official, to quash the subpoena on the basis that the individual's privacy interest outweighs the interest of the person seeking the information.

SEC. 307. OTHER DISCLOSURES.

A health information custodian, to the extent the Secretary determines appropriate, may disclose protected health information, without obtaining an authorization under section 103--

(1) where necessary to prevent or lessen a serious threat to the health or safety of an individual;

(2) to a next of kin;

(3) to individuals with close personal relationships with the protected individual;

(4) for purposes of directory information within a health care facility; and

(5) for State data systems.

SEC. 308. REDISCLOSURES.

(a) IN GENERAL- A health information custodian who receives protected health information through a disclosure under this title, to the extent the Secretary determines appropriate, may redisclose such information to carry out the purposes for which the information was disclosed to the custodian.

(b) PROHIBITION- Notwithstanding subsection (a), protected health information received by a health information custodian through a disclosure under this title may not be disclosed to any person for use in, or be used in, any administrative, civil, or criminal action or investigation directed against the protected individual who is the subject of the information, unless--

(1) the action or investigation arises out of and is directly related to the purpose for which the information was obtained by the custodian; or

(2) the use or disclosure is authorized--

(A) by law for the protection of the public health; or

(B) by an appropriate order of a court of competent jurisdiction, granted, after a hearing with notice to the health information custodian and to all other affected individuals, on the basis that there is--

(i) probable cause to believe that all other possible sources for the information have been exhausted; and

(ii) a specific and compelling public interest in disclosure or use that outweighs--

(I) the privacy interest of the protected individual;

(II) the effect of the disclosure on future provision of health care; and

(III) the effect of the disclosure on health research and health oversight functions.

TITLE IV--MISCELLANEOUS PROVISIONS

SEC. 401. SPECIFIC CLASSES OF INDIVIDUALS.

(a) MINORS- Individuals under the age of 18 shall have privacy protections regarding protected health information that are at least equivalent to those recommended in part II.F.4 of the Secretary's HIPAA recommendations (relating to `Minors').

(b) AGENTS AND ATTORNEYS-

(1) IN GENERAL- To the extent the Secretary determines appropriate, a person may exercise the rights of a protected individual under this Act, if--

(A) the person is authorized by law (other than on account of minority), or by an instrument recognized under law, to act for the protected individual; or

(B) the protected individual is not capable of exercising his or her rights under this Act and there has been no formal legal arrangement for others to exercise the rights.

(2) RELATIONSHIP TO RECOMMENDATIONS- The authority of such a person to exercise the rights of a protected individual shall be equivalent to the authority described in parts II.F.5 and II.F.6 of the Secretary's HIPAA recommendations (relating to `Powers of Attorney' and `Patients Unable to Make Choices for Themselves').

(c) DECEASED PERSONS- Deceased individuals shall have privacy protections regarding protected health information that are at least equivalent to those recommended by the Secretary in part II.F.1 of the Secretary's HIPAA recommendations (relating to `Deceased Persons').

SEC. 402. FALSE PRETENSES.

A person may not--

(1) obtain or disclose protected health information from a health information custodian or affiliated person under false pretenses; or

(2) knowingly disseminate protected health information obtained in violation of this Act.

SEC. 403. OBLIGATIONS OF AFFILIATED PERSONS.

An affiliated person shall be subject to the same requirements with respect to use and disclosure of protected health information as apply to the health information custodian with whom the affiliated person is affiliated, except that an affiliated person--

(1) is subject to the requirements of sections 201 and 202 only if the affiliated person maintains the individual's protected health information and the health information custodian does not maintain the individual's protected health information; and

(2) is subject to the requirements of section 203 only to the extent that the affiliated person makes a disclosure.

SEC. 404. PROHIBITION OF RETALIATION WITH RESPECT TO EMPLOYMENT.

A person may not subject an individual to retaliation, in regard to job application procedures, the hiring, advancement, or discharge of employees, employee compensation, job training, or other terms, conditions, and privileges of employment, for reporting to a governmental agency conditions that may constitute a violation of a requirement under this Act.

SEC. 405. MENTAL HEALTH AND OTHER ESPECIALLY SENSITIVE INFORMATION.

(a) ADDITIONAL LIMITATIONS- Not later than 1 year after the date of the enactment of this Act, the Secretary--

(1) shall consider, after consulting with physicians and other health care providers, patients, and other appropriate groups, additional limitations relating to access to, and use and disclosure of, mental health and other especially sensitive protected health information; and

(2) shall promulgate regulations to provide any such additional limitations as the Secretary determines to be appropriate.

(b) RIGHT OF ACCESS- For purposes of subsection (a)(2), the Secretary may limit an individual's access to his or her mental health information, if the information is not used by, or disclosed to, any person other than the health care provider who received or created the information.

(c) PSYCHOTHERAPIST-PATIENT PRIVILEGE- Nothing in this Act shall be construed to preempt, supersede, or modify the operation of the psychotherapist-patient privilege recognized by the Supreme Court in Jaffee v. Redmond, 518 U.S. 1 (1996).

SEC. 406. CESSATION OF OPERATIONS.

Not later than 1 year after the date of the enactment of this Act, the Secretary shall promulgate regulations that ensure that the reasonable expectation of privacy of protected individuals in protected health information is maintained when health information custodians cease operations.

SEC. 407. CONFORMING AMENDMENTS TO FEDERAL PRIVACY ACT.

(a) NEW SUBSECTION- Section 552a of title 5, United States Code, is amended by adding at the end the following:

`(w) MEDICAL EXEMPTIONS- The head of an agency that is a health information custodian (as defined in section 504 of the Health Information Privacy Act) shall promulgate rules, in accordance with the requirements (including general notice) of subsections (b)(1), (b)(2), (b)(3), (c), and (e) of section 553 of this title, to exempt a system of records within the agency, to the extent that the system of records contains protected health information (as defined in section 504 of such Act), from all provisions of this section except subsections (e)(1), (e)(2), subparagraphs (A) through (C) and (E) through (I) of subsection (e)(4), and subsections (e)(5), (e)(6), (e)(9), (e)(12), (l), (n), (o), (p), (q), (r), and (u).'.

(b) REPEAL-

(1) IN GENERAL- Section 552a(f)(3) of title 5, United States Code, as amended by this Act, is amended by striking `pertaining to him,' and all that follows through the semicolon and inserting `pertaining to the individual;'.

(2) EFFECTIVE DATE- The amendment made by paragraph (1) shall take effect 18 months after the date of the enactment of this Act.

TITLE V--GENERAL PROVISIONS

SEC. 501. AUTHORITY OF THE SECRETARY.

(a) REGULATIONS-

(1) IN GENERAL- Not later than 1 year after the date of the enactment of this Act, the Secretary shall promulgate such regulations as may be necessary to implement this Act, including regulations establishing recordkeeping or reporting requirements. Such regulations may provide greater protection of protected health information, or more rights to protected individuals regarding such information, than is provided by the minimum requirements set forth in this Act.

(2) PROTECTIONS FOR OTHER HEALTH INFORMATION- The Secretary may promulgate such regulations as may be necessary to protect the privacy of individually identifiable health information that is not protected health information.

(3) CONSULTATION- In promulgating regulations under this Act, the Secretary shall consult with elected State and local government officials.

(b) RESEARCH AND DEVELOPMENT- The Secretary may sponsor or carry out research and development activities related to the protection of the privacy of individually identifiable health information.

(c) PUBLIC AWARENESS AND TRAINING- The Secretary may sponsor or carry out activities to inform protected individuals of their rights under this Act or to inform other persons of their rights or responsibilities under this Act. The Secretary may also sponsor or carry out training to increase compliance with requirements under this Act.

(d) OTHER AUTHORITIES- The Secretary may hold hearings, administer oaths, require the testimony or deposition of witnesses, require the production of documents or the answering of interrogatories, or enter and inspect premises owned or controlled by health information custodians in order to ensure compliance with this Act or otherwise further the purposes of this Act.

SEC. 502. ENFORCEMENT.

(a) EQUITABLE RELIEF- The Secretary may bring an action in an appropriate court to enjoin a violation of a requirement under this Act or to obtain such other equitable relief as may be appropriate under the circumstances.

(b) CIVIL MONEY PENALTIES- Any person who the Secretary determines has failed to comply with a requirement under this Act shall be subject, in addition to any other penalties that may be prescribed by law, to a civil penalty of not more than $10,000 for each such failure. The provisions of section 1128A of the Social Security Act (other than subsections (a) and (b)) shall apply to the imposition of a civil money penalty under this subsection in the same manner as such provisions apply with respect to the imposition of a penalty under section 1128A of such Act.

(c) CRIMINAL PENALTIES-

(1) IN GENERAL- Whoever knowingly violates a requirement under this Act shall be fined under title 18, United States Code, imprisoned for not more than 5 years, or both.

(2) MONETARY GAIN- Whoever knowingly violates a requirement under this Act, with the intent to sell, transfer, or use protected health information obtained through the violation for profit or monetary gain, shall be fined under title 18, United States Code, imprisoned for not more than 10 years, or both.

(d) CIVIL ACTIONS-

(1) IN GENERAL-

(A) INJUNCTION OR DAMAGES- A protected individual who is adversely affected by a person's violation of a requirement under this Act may bring an action--

(i) to enjoin the violation; or

(ii) in the case of a knowing or negligent violation, to recover from the person the greater of--

(I) the compensatory damages (including nonpecuniary damages) incurred by the protected individual as a result of the violation; or

(II) liquidated damages of $5,000 per action.

(B) COSTS AND ATTORNEY'S FEES- A protected individual bringing an action under subparagraph (A) may recover the costs of litigation and reasonable attorney's fees (including expert fees). The United States shall be liable for fees and costs under this subparagraph the same as a private person.

(C) PUNITIVE DAMAGES- In the case of a knowing violation, the person committing the violation may also be held liable for punitive damages.

(2) TIME FOR COMMENCING ACTION- An action under this subsection shall be commenced not later than 3 years after the date on which the violation was discovered or reasonably should have been discovered.

SEC. 503. RELATIONSHIP TO OTHER LAWS.

(a) IN GENERAL-

(1) FEDERAL, STATE, OR LOCAL LAWS- The requirements under this Act shall not preempt, supersede, or modify the operation of, any Federal, State, or local law that provides--

(A) greater protection of protected health information; or

(B) more rights to protected individuals regarding such information.

(2) PETITIONS-

(A) ADVISORY DETERMINATIONS- Any person may petition the Secretary for an advisory determination whether the operation of a particular Federal, State, or local law satisfies the standard in paragraph (1). Any person who acts in reliance on such advisory determination shall not be subject to any penalty or liability under section 502, except as provided in subparagraph (B).

(B) CONTRARY COURT DETERMINATION- If a Federal or State court has reached a determination whether the operation of a particular Federal, State, or local law satisfies the standard in paragraph (1), a person thereafter may not rely on an advisory determination under subparagraph (A) to the contrary.

(b) SPECIFIC LAWS- This Act shall not be construed to preempt, supersede, or modify the operation of, any of the following:

(1) Any law that provides for the reporting of vital statistics such as birth or death information.

(2) Any law that requires the reporting of abuse or neglect information about an individual or other information relating to violence against an individual.

(3) Subpart II of part E of title XXVI of the Public Health Service Act (relating to notifications of emergency response employees of possible exposure to infectious diseases).

(4) The Americans with Disabilities Act of 1990.

(5) Any law that establishes a privilege for records used in health professional peer review activities.

(6) Any law that requires the disclosure of protected health information, if the disclosure is permitted under this Act.

(c) DEPARTMENT OF VETERANS AFFAIRS- The limitations on use and disclosure of protected health information under this Act shall not be construed to prevent any exchange of such information within and among components of the Department of Veterans Affairs that determine eligibility for or entitlement to, or that provide, benefits under laws administered by the Secretary of Veterans Affairs.

(d) CONGRESS- Nothing in this Act shall be interpreted to affect the ability of the Congress, a committee of the Congress, or the Members of the Congress referred to in section 2954 of title 5, United States Code, to obtain such information as may be necessary for the fulfillment of the Congress', the committee's, or the Members' legislative or oversight functions.

(e) PRIVILEGES- A disclosure about a protected individual made under title III, or a protected individual's disclosure of protected health information for the purpose of obtaining, or paying for, health care, may not be construed as diminishing, waiving, or otherwise impairing any privilege that the protected individual has in a court of a State or the United States.

SEC. 504. DEFINITIONS.

For purposes of this Act:

(1) AFFILIATED PERSON- The term `affiliated person' means a person who--

(A) is not a health information custodian;

(B) is an agent or contractor of a health information custodian; and

(C) pursuant to an agreement with such custodian, receives, creates, uses, maintains, or discloses protected health information.

(2) DISCLOSE- The term `disclose', when used with respect to protected health information, means to provide access to the information to a person other than--

(A) the custodian or an officer or employee of the custodian;

(B) an affiliated person of the custodian; or

(C) a protected individual who is a subject of the information.

(3) DISCLOSURE- The term `disclosure' means the act or an instance of disclosing.

(4) HEALTH CARE- The term `health care' means--

(A) any preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, counseling, service, or procedure--

(i) with respect to the physical or mental condition, or functional status, of an individual; or

(ii) affecting the structure or function of the human body or any part of the human body, including banking of blood, sperm, organs, or any other tissue for administration to patients; or

(B) any sale or dispensing of a drug, device, equipment, or other item to an individual, or for the use of an individual, pursuant to a prescription.

(5) HEALTH CARE PAYER- The term `health care payer' means a person who pays for health care in the ordinary course of business.

(6) HEALTH CARE PROVIDER- The term `health care provider' means a person who provides health care in the ordinary course of business or practice of a profession, pursuant to license, certification, accreditation, or other legal authorization.

(7) HEALTH INFORMATION CUSTODIAN-

(A) IN GENERAL- The term `health information custodian' means a health care provider, a health care payer, or any other person who obtains protected health information as a result of a disclosure authorized under this Act.

(B) EXCEPTIONS- Such term does not include--

(i) an affiliated person;

(ii) an individual who obtains protected health information under paragraph (2), (3), or (4) of section 307; or

(iii) an individual who receives protected health information in a public health intervention because the individual's health is at risk.

(8) HEALTH RESEARCH- The term `health research' means a biomedical, epidemiological, or health services research or statistics project, or a research project on behavioral and social factors affecting health, that is designed to develop or contribute to generalizable scientific or clinical knowledge.

(9) LAW ENFORCEMENT INQUIRY- The term `law enforcement inquiry' means a lawful investigation or official proceeding inquiring into a violation of, or failure to comply with, any criminal or civil statute or any regulation, rule, or order issued pursuant to such a statute.

(10) PERSON- The term `person' includes an authority of the United States, a State, or a political subdivision of a State.

(11) PROTECTED HEALTH INFORMATION- The term `protected health information' means any information, whether oral or recorded in any form or medium, that--

(A) relates in any way to the past, present, or future physical or mental health or condition of a protected individual, the provision of health care to an individual, or payment for the provision of health care to an individual;

(B) is received or created by a health care provider in the ordinary course of business or practice of a profession or by a health care payer, or is obtained as a result of a disclosure authorized under this Act; and

(C) identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

(12) PROTECTED INDIVIDUAL- The term `protected individual' means an individual who is the subject of protected health information.

(13) SECRETARY- The term `Secretary' means the Secretary of Health and Human Services.

(14) SECRETARY'S HIPAA RECOMMENDATIONS- The term `Secretary's HIPAA recommendations' means the recommendations of the Secretary of Health and Human Services, pursuant to section 264 of the Health Insurance Portability and Accountability Act of 1996, entitled `Confidentiality of Individually-Identifiable Health Information' that were submitted to the Committee on Commerce and the Committee on Ways and Means of the House of Representatives and the Committee on Labor and Human Resources and the Committee on Finance of the Senate, on September 11, 1997.

(15) STATE- The term `State' includes the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana Islands.

(16) USE- The term `use', when used with respect to protected health information that is held by a health information custodian, means--

(A) to use, or provide access to, the information in any manner that does not constitute a disclosure; or

(B) any act or instance of using, or providing access, described in subparagraph (A).

SEC. 505. EFFECTIVE DATE.

The requirements under this Act applicable to health information custodians and affiliated persons shall take effect 18 months after the date of the enactment of this Act.

END