HR 1941 IH
106th CONGRESS
1st Session
H. R. 1941
To protect the privacy of personally identifiable health
information.
IN THE HOUSE OF REPRESENTATIVES
May 25, 1999
Mr. CONDIT (for himself, Mr. WAXMAN, Mr. MARKEY, Mr. DINGELL, Mr. BROWN of
Ohio, Mr. TURNER, Mr. LANTOS, Mr. CRAMER, Mr. WISE, Mr. OWENS, Mrs. TAUSCHER,
Mr. TOWNS, Mr. SHOWS, Mr. KANJORSKI, Mrs. MINK of Hawaii, Mr. SANDERS, Mrs.
MALONEY of New York, Ms. NORTON, Mr. FATTAH, Mr. CUMMINGS, Mr. KUCINICH, Mr.
BLAGOJEVICH, Mr. DAVIS of Illinois, Mr. TIERNEY, Mr. ALLEN, Mr. FORD, Ms.
SCHAKOWSKI, Mr. ROMERO-BARCELO, and Mr. STUPAK) introduced the following bill;
which was referred to the Committee on Commerce, and in addition to the
Committee on Government Reform, for a period to be subsequently determined by
the Speaker, in each case for consideration of such provisions as fall within
the jurisdiction of the committee concerned
A BILL
To protect the privacy of personally identifiable health
information.
Be it enacted by the Senate and House of Representatives of the United
States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) SHORT TITLE- This Act may be cited as the `Health Information Privacy
Act'.
(b) TABLE OF CONTENTS- The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Findings and purposes.
TITLE I--PROTECTION OF HEALTH INFORMATION
Sec. 101. Restrictions on uses.
Sec. 102. Restrictions on disclosure.
Sec. 103. Standards for authorizations for use and disclosure.
Sec. 104. Safeguards against misuse and prohibited disclosures.
TITLE II--RIGHTS OF PROTECTED INDIVIDUALS
Sec. 201. Right of access.
Sec. 202. Right of correction and amendment.
Sec. 203. Right to review disclosure history.
Sec. 204. Right to notice of information practices and opportunity to
seek additional protections.
TITLE III--PERMISSIBLE DISCLOSURES OF PROTECTED HEALTH INFORMATION
Sec. 301. Provision of and payment for health care.
Sec. 302. Health oversight.
Sec. 304. Health research.
Sec. 305. Law enforcement.
Sec. 306. Judicial or administrative proceedings.
Sec. 307. Other disclosures.
TITLE IV--MISCELLANEOUS PROVISIONS
Sec. 401. Specific classes of individuals.
Sec. 402. False pretenses.
Sec. 403. Obligations of affiliated persons.
Sec. 404. Prohibition of retaliation with respect to employment.
Sec. 405. Mental health and other especially sensitive
information.
Sec. 406. Cessation of operations.
Sec. 407. Conforming amendments to Federal Privacy Act.
TITLE V--GENERAL PROVISIONS
Sec. 501. Authority of the Secretary.
Sec. 503. Relationship to other laws.
Sec. 505. Effective date.
SEC. 2. FINDINGS AND PURPOSES.
(a) FINDINGS- The Congress finds as follows:
(1) The right to privacy is a personal and fundamental right protected
by the Constitution of the United States.
(2) Individuals have a right to privacy regarding their individually
identifiable health information.
(3) The improper use or disclosure of individually identifiable health
information about an individual may cause significant harm to the interests
of the individual in privacy and health care, and may unfairly affect the
ability of the individual to obtain employment, education, insurance,
credit, and other necessities.
(4) Current legal protections for health information vary from State to
State and are inadequate to protect the privacy of an individual's health
information and ensure fair information practices standards.
(5) The movement of individuals and health information across State
lines, access to and exchange of health information from automated data
banks and networks, and the emergence of multistate health care providers
and payers create a compelling need for Federal law, rules, and procedures
governing the use, maintenance, and disclosure of health information.
(6) Federal rules governing the use, maintenance, and disclosure of
health information are an essential part of health care reform, are
necessary to support the computerization of health information, and can
reduce the cost of providing health services by making the necessary
transfer of health information more efficient.
(7) An individual needs access to health information about the
individual as a matter of fairness, to enable the individual to make
informed decisions about health care, and to correct inaccurate or
incomplete information.
(b) PURPOSES- The purposes of this Act are as follows:
(1) To protect the privacy of health information that reveals the
identity of an individual.
(2) To define the rights and responsibilities of a person who creates or
maintains individually identifiable health information that originates or is
used in the health treatment or payment process.
(3) To define the rights of an individual with respect to health
information about the individual that is created or maintained as part of
the health treatment and payment process.
TITLE I--PROTECTION OF HEALTH INFORMATION
SEC. 101. RESTRICTIONS ON USES.
(a) IN GENERAL- Use of protected health information by health information
custodians--
(1) shall protect the reasonable expectation of privacy of protected
individuals; and
(2) shall be in accordance with fair information practices.
(b) MINIMUM REQUIREMENTS-
(1) LIMITATION ON USES- Unless otherwise authorized by a protected
individual under section 103, a health information custodian may use
protected health information only for the uses for which disclosure is
authorized under title III.
(2) MINIMUM AMOUNT OF INFORMATION- A health information custodian shall
limit use of protected health information to the minimum amount and duration
necessary to accomplish the use.
SEC. 102. RESTRICTIONS ON DISCLOSURE.
(a) IN GENERAL- Disclosure of protected health information by a health
information custodian shall protect the reasonable expectations of privacy of
protected individuals.
(b) MINIMUM REQUIREMENTS-
(1) LIMITATION ON DISCLOSURES- A health information custodian may not
disclose protected health information unless--
(A) the disclosure is authorized by the protected individual under
section 103; or
(B) the disclosure is authorized under title III.
(2) MINIMUM AMOUNT OF INFORMATION- A health information custodian shall
limit a disclosure of protected health information to the minimum amount of
information necessary to accomplish the purpose for which the information is
disclosed.
(c) NO REQUIREMENT TO DISCLOSE- Nothing in this Act shall be construed as
requiring disclosure of protected health information that is not otherwise
required to be disclosed by law.
SEC. 103. STANDARDS FOR AUTHORIZATIONS FOR USE AND DISCLOSURE.
(a) IN GENERAL- A health information custodian may use or disclose
protected information pursuant to an authorization by a protected individual
only if that authorization is based on informed consent by the protected
individual.
(b) MINIMUM REQUIREMENTS-
(1) PROHIBITION ON CONDITIONING- A health information custodian may not,
as a condition of providing or paying for health care, require a protected
individual to execute an authorization for use or disclosure of protected
health information.
(2) INFORMED CONSENT- For the purposes of subsection (a), an
authorization shall not be considered to be based on informed consent
unless, at a minimum, it satisfies the conditions in part II.D.1 of the
Secretary's HIPAA recommendations (relating to `Disclosure with Patient
Authorization: Authorization Content').
SEC. 104. SAFEGUARDS AGAINST MISUSE AND PROHIBITED DISCLOSURES.
(a) IN GENERAL- Health information custodians shall establish and
implement safeguards against misuse and prohibited disclosure of protected
health information.
(b) MINIMUM REQUIREMENTS- The safeguards under subsection (a) shall
include reasonable and appropriate administrative, technical, and physical
safeguards--
(1) to ensure that protected health information is used or disclosed
only when necessary;
(2) to ensure the integrity and confidentiality of protected health
information;
(3) to protect against any reasonably anticipated threats or hazards to
the security or integrity of the information or unauthorized use or
disclosure of the information; and
(4) otherwise to ensure compliance with this Act.
(c) MENTAL HEALTH AND OTHER ESPECIALLY SENSITIVE INFORMATION- In
establishing and implementing the safeguards under subsection (a), a health
information custodian shall consider providing additional protections for
mental health and other especially sensitive protected health information, as
appropriate.
(d) RELATIONSHIP TO SOCIAL SECURITY ACT ADMINISTRATIVE SIMPLIFICATION
REQUIREMENTS- Any safeguard established under this section shall be consistent
with the standards adopted by the Secretary under paragraph (1) of section
1173(d) of the Social Security Act (42 U.S.C. 1320d-2(d)) and the requirement
in paragraph (2) of such section.
TITLE II--RIGHTS OF PROTECTED INDIVIDUALS
SEC. 201. RIGHT OF ACCESS.
(a) IN GENERAL- Protected individuals shall have the right to a reasonable
opportunity to inspect and copy protected health information maintained by a
health information custodian.
(b) MINIMUM REQUIREMENTS- Subject to section 405(b), a health information
custodian, at a minimum, shall provide a protected individual at least as much
opportunity to inspect and copy protected health information as was
recommended by the Secretary in part II.C.2 of the Secretary's HIPAA
recommendations (relating to `Patient Inspection and Copying of Records').
SEC. 202. RIGHT OF CORRECTION AND AMENDMENT.
(a) IN GENERAL- Protected individuals shall have the right to a reasonable
opportunity to correct or amend protected health information maintained by a
health information custodian.
(b) MINIMUM REQUIREMENTS- A health information custodian, at a minimum,
shall provide a protected individual correction and amendment protections that
are at least equivalent to those recommended by the Secretary in part II.C.3
of the Secretary's HIPAA recommendations (relating to `Patient Correction of
Records').
SEC. 203. RIGHT TO REVIEW DISCLOSURE HISTORY.
(a) IN GENERAL- Protected individuals shall have the right to a reasonable
opportunity to review a history of the disclosures of protected health
information about the individual made by a health information custodian.
(b) MINIMUM REQUIREMENTS- A health information custodian, at a minimum,
shall implement procedures that ensure a protected individual at least as much
opportunity to review the individual's disclosure histories as was recommended
by the Secretary in part II.C.4 of the Secretary's HIPAA recommendations
(relating to `Disclosure History').
SEC. 204. RIGHT TO NOTICE OF INFORMATION PRACTICES AND OPPORTUNITY TO SEEK
ADDITIONAL PROTECTIONS.
(a) IN GENERAL- Protected individuals shall have--
(1) the right to notice of the information practices of health
information custodians; and
(2) a reasonable opportunity to seek limitations on the use and
disclosure of protected health information in addition to the limitations
provided in such practices.
(b) MINIMUM REQUIREMENTS-
(1) NOTICE AND OPPORTUNITY TO SEEK ADDITIONAL PROTECTIONS- To the
maximum extent practicable, before obtaining protected health information
from a protected individual, a health information custodian--
(A) shall provide the protected individual with a clear and
conspicuous notice of the custodian's health information practices, which
notice shall include, at a minimum, the explanation recommended in part
II.C.1 of the Secretary's HIPAA recommendations (relating to `Explanation
of Information Practices');
(B) shall provide the protected individual a reasonable opportunity to
seek limitations on the use or disclosure of protected health information
in addition to the limitations provided in such practices; and
(C) shall obtain a signed acknowledgment from the protected individual
acknowledging that the notice required under subparagraph (A) has been
provided to the protected individual and the individual has been informed
of the opportunity to seek additional limitations required to be provided
under subparagraph (B).
(2) OTHER HEALTH INFORMATION CUSTODIANS- A health information custodian
who receives protected health information about a protected individual from
a source other than the individual shall provide a notice of the custodian's
health information practices that is consistent with paragraph (1)(A) to the
individual upon request.
(c) COMPLIANCE- If a protected individual seeks limitations on the use or
disclosure of protected health information in addition to the limitations
described in a health information custodian's notice of health information
practices, and the custodian agrees to provide such additional limitations,
the custodian shall comply with such additional limitations, unless such
compliance would violate another provision of law.
TITLE III--PERMISSIBLE DISCLOSURES OF PROTECTED HEALTH
INFORMATION
SEC. 301. PROVISION OF AND PAYMENT FOR HEALTH CARE.
(a) IN GENERAL- A health information custodian, to the extent the
Secretary determines appropriate, may disclose protected health information,
without obtaining an authorization under section 103, for the purpose of
providing health care to an individual or paying for health care provided to
an individual, except as provided in subsection (c).
(b) CONSTRUCTION- For purposes of subsection (a), a disclosure of
protected health information by a health information custodian for the purpose
of rendering an employment decision, conducting a marketing activity, or
conducting an insurance underwriting activity, shall not be considered a
disclosure for the purpose of providing health care to an individual or paying
for health care provided to an individual.
(c) SPECIAL RULE FOR PATIENTS PAYING FOR CARE- In the case of health care
provided to an individual who pays for the care himself or herself, a health
information custodian may not disclose to a health care payer, without
obtaining an authorization under section 103, protected health information
created or received in the course of providing such care.
SEC. 302. HEALTH OVERSIGHT.
(a) IN GENERAL- A health information custodian, to the extent the
Secretary determines appropriate, may disclose protected health information
for the purpose of health oversight, without obtaining an authorization under
section 103.
(b) MINIMUM REQUIREMENTS- The Secretary--
(1) shall permit a health information custodian to disclose protected
health information to Federal, State, and local agencies (or affiliated
persons of such agencies) that are authorized by law to investigate,
regulate, enforce laws relating to, or license, certify, or accredit persons
engaged in, the provision of, or payment for, health care; and
(2) may permit a health information custodian to disclose protected
health information to appropriate private organizations engaged in
licensing, certification, or accreditation of health care providers.
SEC. 303. PUBLIC HEALTH.
A health information custodian, to the extent the Secretary determines
appropriate, may disclose protected health information, without obtaining an
authorization under section 103--
(1) to a public health authority for use in legally authorized disease
or injury reporting, public health surveillance, or a public health
investigation or intervention; or
(2) to a person who is otherwise authorized by law or a public health
authority to receive the information for public health purposes.
SEC. 304. HEALTH RESEARCH.
(a) IN GENERAL- A health information custodian, to the extent the
Secretary determines appropriate, may disclose protected health information
for health research, without obtaining an authorization under section 103.
(b) MINIMUM REQUIREMENTS- A health information custodian may disclose
protected health information without such an authorization only for uses that
have been approved by an entity certified by the Secretary.
(c) REGULATIONS- The Secretary shall promulgate regulations that, at a
minimum--
(1) require that, before approving a use of protected health information
for purposes of subsection (b), a certified entity shall determine
that--
(A) the importance of the health research outweighs the intrusion into
the privacy of the protected individuals who are the subjects of the
protected health information; and
(B) it would be impracticable to conduct the health research without
using the protected health information;
(2) establish requirements for certifying entities that ensure that such
entities--
(A) meet the requirements for institutional review boards established
under section 491(a) of the Public Health Service Act with respect to
information protection, use, and disclosure; and
(B) are qualified to assess and protect the confidentiality of
protected health information; and
(3) require a person conducting health research to remove or destroy
personal identifiers at the earliest opportunity consistent with the purpose
of the research, unless a certified entity has determined that there is a
health or research justification for retention of identifiers and the person
has an adequate plan to protect the identifiers from improper use and
disclosure.
SEC. 305. LAW ENFORCEMENT.
(a) IN GENERAL- A health information custodian may disclose protected
health information to a law enforcement official for a law enforcement inquiry
if the law enforcement official complies with the fourth amendment to the
Constitution.
(b) CONSTRUCTION- For purposes of subsection (a), all protected health
information shall be treated as if it were held in a home over which the
protected individual has exclusive authority.
(c) RELATIONSHIP TO HEALTH OVERSIGHT ACTIVITIES- This section shall not
apply to a disclosure of protected health information for purposes of health
oversight.
SEC. 306. JUDICIAL OR ADMINISTRATIVE PROCEEDINGS.
(a) IN GENERAL- A health information custodian, to the extent the
Secretary determines appropriate, may disclose protected health information,
without obtaining an authorization under section 103, pursuant to--
(1) a judicial or administrative subpoena issued in a civil
administrative or judicial adjudication; or
(2) a subpoena issued by a defendant in a criminal proceeding.
(b) MINIMUM REQUIREMENTS- A health information custodian may not disclose
protected health information about a protected individual under this section,
unless the individual has had--
(1) reasonable notice of the subpoena; and
(2) a reasonable opportunity to move the court, or other presiding
official, to quash the subpoena on the basis that the individual's privacy
interest outweighs the interest of the person seeking the information.
SEC. 307. OTHER DISCLOSURES.
A health information custodian, to the extent the Secretary determines
appropriate, may disclose protected health information, without obtaining an
authorization under section 103--
(1) where necessary to prevent or lessen a serious threat to the health
or safety of an individual;
(3) to individuals with close personal relationships with the protected
individual;
(4) for purposes of directory information within a health care facility;
and
(5) for State data systems.
SEC. 308. REDISCLOSURES.
(a) IN GENERAL- A health information custodian who receives protected
health information through a disclosure under this title, to the extent the
Secretary determines appropriate, may redisclose such information to carry out
the purposes for which the information was disclosed to the custodian.
(b) PROHIBITION- Notwithstanding subsection (a), protected health
information received by a health information custodian through a disclosure
under this title may not be disclosed to any person for use in, or be used in,
any administrative, civil, or criminal action or investigation directed
against the protected individual who is the subject of the information,
unless--
(1) the action or investigation arises out of and is directly related to
the purpose for which the information was obtained by the custodian;
or
(2) the use or disclosure is authorized--
(A) by law for the protection of the public health; or
(B) by an appropriate order of a court of competent jurisdiction,
granted, after a hearing with notice to the health information custodian
and to all other affected individuals, on the basis that there
is--
(i) probable cause to believe that all other possible sources for
the information have been exhausted; and
(ii) a specific and compelling public interest in disclosure or use
that outweighs--
(I) the privacy interest of the protected
individual;
(II) the effect of the disclosure on future provision of health
care; and
(III) the effect of the disclosure on health research and health
oversight functions.
TITLE IV--MISCELLANEOUS PROVISIONS
SEC. 401. SPECIFIC CLASSES OF INDIVIDUALS.
(a) MINORS- Individuals under the age of 18 shall have privacy protections
regarding protected health information that are at least equivalent to those
recommended in part II.F.4 of the Secretary's HIPAA recommendations (relating
to `Minors').
(b) AGENTS AND ATTORNEYS-
(1) IN GENERAL- To the extent the Secretary determines appropriate, a
person may exercise the rights of a protected individual under this Act,
if--
(A) the person is authorized by law (other than on account of
minority), or by an instrument recognized under law, to act for the
protected individual; or
(B) the protected individual is not capable of exercising his or her
rights under this Act and there has been no formal legal arrangement for
others to exercise the rights.
(2) RELATIONSHIP TO RECOMMENDATIONS- The authority of such a person to
exercise the rights of a protected individual shall be equivalent to the
authority described in parts II.F.5 and II.F.6 of the Secretary's HIPAA
recommendations (relating to `Powers of Attorney' and `Patients Unable to
Make Choices for Themselves').
(c) DECEASED PERSONS- Deceased individuals shall have privacy protections
regarding protected health information that are at least equivalent to those
recommended by the Secretary in part II.F.1 of the Secretary's HIPAA
recommendations (relating to `Deceased Persons').
SEC. 402. FALSE PRETENSES.
(1) obtain or disclose protected health information from a health
information custodian or affiliated person under false pretenses; or
(2) knowingly disseminate protected health information obtained in
violation of this Act.
SEC. 403. OBLIGATIONS OF AFFILIATED PERSONS.
An affiliated person shall be subject to the same requirements with
respect to use and disclosure of protected health information as apply to the
health information custodian with whom the affiliated person is affiliated,
except that an affiliated person--
(1) is subject to the requirements of sections 201 and 202 only if the
affiliated person maintains the individual's protected health information
and the health information custodian does not maintain the individual's
protected health information; and
(2) is subject to the requirements of section 203 only to the extent
that the affiliated person makes a disclosure.
SEC. 404. PROHIBITION OF RETALIATION WITH RESPECT TO EMPLOYMENT.
A person may not subject an individual to retaliation, in regard to job
application procedures, the hiring, advancement, or discharge of employees,
employee compensation, job training, or other terms, conditions, and
privileges of employment, for reporting to a governmental agency conditions
that may constitute a violation of a requirement under this Act.
SEC. 405. MENTAL HEALTH AND OTHER ESPECIALLY SENSITIVE INFORMATION.
(a) ADDITIONAL LIMITATIONS- Not later than 1 year after the date of the
enactment of this Act, the Secretary--
(1) shall consider, after consulting with physicians and other health
care providers, patients, and other appropriate groups, additional
limitations relating to access to, and use and disclosure of, mental health
and other especially sensitive protected health information; and
(2) shall promulgate regulations to provide any such additional
limitations as the Secretary determines to be appropriate.
(b) RIGHT OF ACCESS- For purposes of subsection (a)(2), the Secretary may
limit an individual's access to his or her mental health information, if the
information is not used by, or disclosed to, any person other than the health
care provider who received or created the information.
(c) PSYCHOTHERAPIST-PATIENT PRIVILEGE- Nothing in this Act shall be
construed to preempt, supersede, or modify the operation of the
psychotherapist-patient privilege recognized by the Supreme Court in Jaffee v.
Redmond, 518 U.S. 1 (1996).
SEC. 406. CESSATION OF OPERATIONS.
Not later than 1 year after the date of the enactment of this Act, the
Secretary shall promulgate regulations that ensure that the reasonable
expectation of privacy of protected individuals in protected health
information is maintained when health information custodians cease
operations.
SEC. 407. CONFORMING AMENDMENTS TO FEDERAL PRIVACY ACT.
(a) NEW SUBSECTION- Section 552a of title 5, United States Code, is
amended by adding at the end the following:
`(w) MEDICAL EXEMPTIONS- The head of an agency that is a health
information custodian (as defined in section 504 of the Health Information
Privacy Act) shall promulgate rules, in accordance with the requirements
(including general notice) of subsections (b)(1), (b)(2), (b)(3), (c), and (e)
of section 553 of this title, to exempt a system of records within the agency,
to the extent that the system of records contains protected health information
(as defined in section 504 of such Act), from all provisions of this section
except subsections (e)(1), (e)(2), subparagraphs (A) through (C) and (E)
through (I) of subsection (e)(4), and subsections (e)(5), (e)(6), (e)(9),
(e)(12), (l), (n), (o), (p), (q), (r), and (u).'.
(1) IN GENERAL- Section 552a(f)(3) of title 5, United States Code, as
amended by this Act, is amended by striking `pertaining to him,' and all
that follows through the semicolon and inserting `pertaining to the
individual;'.
(2) EFFECTIVE DATE- The amendment made by paragraph (1) shall take
effect 18 months after the date of the enactment of this Act.
TITLE V--GENERAL PROVISIONS
SEC. 501. AUTHORITY OF THE SECRETARY.
(1) IN GENERAL- Not later than 1 year after the date of the enactment of
this Act, the Secretary shall promulgate such regulations as may be
necessary to implement this Act, including regulations establishing
recordkeeping or reporting requirements. Such regulations may provide
greater protection of protected health information, or more rights to
protected individuals regarding such information, than is provided by the
minimum requirements set forth in this Act.
(2) PROTECTIONS FOR OTHER HEALTH INFORMATION- The Secretary may
promulgate such regulations as may be necessary to protect the privacy of
individually identifiable health information that is not protected health
information.
(3) CONSULTATION- In promulgating regulations under this Act, the
Secretary shall consult with elected State and local government
officials.
(b) RESEARCH AND DEVELOPMENT- The Secretary may sponsor or carry out
research and development activities related to the protection of the privacy
of individually identifiable health information.
(c) PUBLIC AWARENESS AND TRAINING- The Secretary may sponsor or carry out
activities to inform protected individuals of their rights under this Act or
to inform other persons of their rights or responsibilities under this Act.
The Secretary may also sponsor or carry out training to increase compliance
with requirements under this Act.
(d) OTHER AUTHORITIES- The Secretary may hold hearings, administer oaths,
require the testimony or deposition of witnesses, require the production of
documents or the answering of interrogatories, or enter and inspect premises
owned or controlled by health information custodians in order to ensure
compliance with this Act or otherwise further the purposes of this Act.
SEC. 502. ENFORCEMENT.
(a) EQUITABLE RELIEF- The Secretary may bring an action in an appropriate
court to enjoin a violation of a requirement under this Act or to obtain such
other equitable relief as may be appropriate under the circumstances.
(b) CIVIL MONEY PENALTIES- Any person who the Secretary determines has
failed to comply with a requirement under this Act shall be subject, in
addition to any other penalties that may be prescribed by law, to a civil
penalty of not more than $10,000 for each such failure. The provisions of
section 1128A of the Social Security Act (other than subsections (a) and (b))
shall apply to the imposition of a civil money penalty under this subsection
in the same manner as such provisions apply with respect to the imposition of
a penalty under section 1128A of such Act.
(1) IN GENERAL- Whoever knowingly violates a requirement under this Act
shall be fined under title 18, United States Code, imprisoned for not more
than 5 years, or both.
(2) MONETARY GAIN- Whoever knowingly violates a requirement under this
Act, with the intent to sell, transfer, or use protected health information
obtained through the violation for profit or monetary gain, shall be fined
under title 18, United States Code, imprisoned for not more than 10 years,
or both.
(A) INJUNCTION OR DAMAGES- A protected individual who is adversely
affected by a person's violation of a requirement under this Act may bring
an action--
(i) to enjoin the violation; or
(ii) in the case of a knowing or negligent violation, to recover
from the person the greater of--
(I) the compensatory damages (including nonpecuniary damages)
incurred by the protected individual as a result of the violation;
or
(II) liquidated damages of $5,000 per action.
(B) COSTS AND ATTORNEY'S FEES- A protected individual bringing an
action under subparagraph (A) may recover the costs of litigation and
reasonable attorney's fees (including expert fees). The United States
shall be liable for fees and costs under this subparagraph the same as a
private person.
(C) PUNITIVE DAMAGES- In the case of a knowing violation, the person
committing the violation may also be held liable for punitive
damages.
(2) TIME FOR COMMENCING ACTION- An action under this subsection shall be
commenced not later than 3 years after the date on which the violation was
discovered or reasonably should have been discovered.
SEC. 503. RELATIONSHIP TO OTHER LAWS.
(1) FEDERAL, STATE, OR LOCAL LAWS- The requirements under this Act shall
not preempt, supersede, or modify the operation of, any Federal, State, or
local law that provides--
(A) greater protection of protected health information; or
(B) more rights to protected individuals regarding such
information.
(A) ADVISORY DETERMINATIONS- Any person may petition the Secretary for
an advisory determination whether the operation of a particular Federal,
State, or local law satisfies the standard in paragraph (1). Any person
who acts in reliance on such advisory determination shall not be subject
to any penalty or liability under section 502, except as provided in
subparagraph (B).
(B) CONTRARY COURT DETERMINATION- If a Federal or State court has
reached a determination whether the operation of a particular Federal,
State, or local law satisfies the standard in paragraph (1), a person
thereafter may not rely on an advisory determination under subparagraph
(A) to the contrary.
(b) SPECIFIC LAWS- This Act shall not be construed to preempt, supersede,
or modify the operation of, any of the following:
(1) Any law that provides for the reporting of vital statistics such as
birth or death information.
(2) Any law that requires the reporting of abuse or neglect information
about an individual or other information relating to violence against an
individual.
(3) Subpart II of part E of title XXVI of the Public Health Service Act
(relating to notifications of emergency response employees of possible
exposure to infectious diseases).
(4) The Americans with Disabilities Act of 1990.
(5) Any law that establishes a privilege for records used in health
professional peer review activities.
(6) Any law that requires the disclosure of protected health
information, if the disclosure is permitted under this Act.
(c) DEPARTMENT OF VETERANS AFFAIRS- The limitations on use and disclosure
of protected health information under this Act shall not be construed to
prevent any exchange of such information within and among components of the
Department of Veterans Affairs that determine eligibility for or entitlement
to, or that provide, benefits under laws administered by the Secretary of
Veterans Affairs.
(d) CONGRESS- Nothing in this Act shall be interpreted to affect the
ability of the Congress, a committee of the Congress, or the Members of the
Congress referred to in section 2954 of title 5, United States Code, to obtain
such information as may be necessary for the fulfillment of the Congress', the
committee's, or the Members' legislative or oversight functions.
(e) PRIVILEGES- A disclosure about a protected individual made under title
III, or a protected individual's disclosure of protected health information
for the purpose of obtaining, or paying for, health care, may not be construed
as diminishing, waiving, or otherwise impairing any privilege that the
protected individual has in a court of a State or the United States.
SEC. 504. DEFINITIONS.
For purposes of this Act:
(1) AFFILIATED PERSON- The term `affiliated person' means a person
who--
(A) is not a health information custodian;
(B) is an agent or contractor of a health information custodian;
and
(C) pursuant to an agreement with such custodian, receives, creates,
uses, maintains, or discloses protected health information.
(2) DISCLOSE- The term `disclose', when used with respect to protected
health information, means to provide access to the information to a person
other than--
(A) the custodian or an officer or employee of the custodian;
(B) an affiliated person of the custodian; or
(C) a protected individual who is a subject of the
information.
(3) DISCLOSURE- The term `disclosure' means the act or an instance of
disclosing.
(4) HEALTH CARE- The term `health care' means--
(A) any preventive, diagnostic, therapeutic, rehabilitative,
maintenance, or palliative care, counseling, service, or
procedure--
(i) with respect to the physical or mental condition, or functional
status, of an individual; or
(ii) affecting the structure or function of the human body or any
part of the human body, including banking of blood, sperm, organs, or
any other tissue for administration to patients; or
(B) any sale or dispensing of a drug, device, equipment, or other item
to an individual, or for the use of an individual, pursuant to a
prescription.
(5) HEALTH CARE PAYER- The term `health care payer' means a person who
pays for health care in the ordinary course of business.
(6) HEALTH CARE PROVIDER- The term `health care provider' means a person
who provides health care in the ordinary course of business or practice of a
profession, pursuant to license, certification, accreditation, or other
legal authorization.
(7) HEALTH INFORMATION CUSTODIAN-
(A) IN GENERAL- The term `health information custodian' means a health
care provider, a health care payer, or any other person who obtains
protected health information as a result of a disclosure authorized under
this Act.
(B) EXCEPTIONS- Such term does not include--
(i) an affiliated person;
(ii) an individual who obtains protected health information under
paragraph (2), (3), or (4) of section 307; or
(iii) an individual who receives protected health information in a
public health intervention because the individual's health is at
risk.
(8) HEALTH RESEARCH- The term `health research' means a biomedical,
epidemiological, or health services research or statistics project, or a
research project on behavioral and social factors affecting health, that is
designed to develop or contribute to generalizable scientific or clinical
knowledge.
(9) LAW ENFORCEMENT INQUIRY- The term `law enforcement inquiry' means a
lawful investigation or official proceeding inquiring into a violation of,
or failure to comply with, any criminal or civil statute or any regulation,
rule, or order issued pursuant to such a statute.
(10) PERSON- The term `person' includes an authority of the United
States, a State, or a political subdivision of a State.
(11) PROTECTED HEALTH INFORMATION- The term `protected health
information' means any information, whether oral or recorded in any form or
medium, that--
(A) relates in any way to the past, present, or future physical or
mental health or condition of a protected individual, the provision of
health care to an individual, or payment for the provision of health care
to an individual;
(B) is received or created by a health care provider in the ordinary
course of business or practice of a profession or by a health care payer,
or is obtained as a result of a disclosure authorized under this Act;
and
(C) identifies the individual, or with respect to which there is a
reasonable basis to believe that the information can be used to identify
the individual.
(12) PROTECTED INDIVIDUAL- The term `protected individual' means an
individual who is the subject of protected health information.
(13) SECRETARY- The term `Secretary' means the Secretary of Health and
Human Services.
(14) SECRETARY'S HIPAA RECOMMENDATIONS- The term `Secretary's HIPAA
recommendations' means the recommendations of the Secretary of Health and
Human Services, pursuant to section 264 of the Health Insurance Portability
and Accountability Act of 1996, entitled `Confidentiality of
Individually-Identifiable Health Information' that were submitted to the
Committee on Commerce and the Committee on Ways and Means of the House of
Representatives and the Committee on Labor and Human Resources and the
Committee on Finance of the Senate, on September 11, 1997.
(15) STATE- The term `State' includes the District of Columbia, Puerto
Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana
Islands.
(16) USE- The term `use', when used with respect to protected health
information that is held by a health information custodian, means--
(A) to use, or provide access to, the information in any manner that
does not constitute a disclosure; or
(B) any act or instance of using, or providing access, described in
subparagraph (A).
SEC. 505. EFFECTIVE DATE.
The requirements under this Act applicable to health information
custodians and affiliated persons shall take effect 18 months after the date
of the enactment of this Act.
END