HR 2878 IH
106th CONGRESS
1st Session
H. R. 2878
To protect the privacy of health information in the age of genetic
and other new technologies, and for other purposes.
IN THE HOUSE OF REPRESENTATIVES
September 15, 1999
Mr. MCDERMOTT (for himself, Mr. STARK, Mr. RUSH, Mr. ROMERO-BARCELO, Mrs.
MINK of Hawaii, Mr. FROST, Mr. NADLER, Ms. SLAUGHTER, Mr. LEWIS of Georgia, Mr.
FRANK of Massachusetts, Mr. HINCHEY, and Mr. WEINER) introduced the following
bill; which was referred to the Committee on Commerce, and in addition to the
Committee on Government Reform, for a period to be subsequently determined by
the Speaker, in each case for consideration of such provisions as fall within
the jurisdiction of the committee concerned
A BILL
To protect the privacy of health information in the age of genetic
and other new technologies, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United
States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) SHORT TITLE- This Act may be cited as the `Medical Privacy in the Age
of New Technologies Act of 1999'.
(b) TABLE OF CONTENTS- The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
Sec. 2. Findings and purposes.
TITLE I--INDIVIDUALS' RIGHTS
Subtitle A--Review of Protected Health Information by Subjects of the
Information
Sec. 101. Inspection and copying of protected health information.
Sec. 102. Correction or amendment of protected health information.
Sec. 103. Notice of information practices.
Subtitle B--Establishment of Safeguards
Sec. 111. Establishment of safeguards.
Sec. 112. Accounting for disclosures.
Sec. 113. Prohibition against retaliation.
TITLE II--RESTRICTIONS ON USE AND DISCLOSURE
Sec. 201. General rules regarding use and disclosure.
Sec. 202. Authorizations for disclosure of protected health information
for treatment or payment.
Sec. 203. Authorizations for disclosure of protected health information
for purposes other than treatment or payment.
Sec. 204. Creation of nonidentifiable and coded information.
Sec. 205. Next of kin and directory information.
Sec. 206. Emergency circumstances.
Sec. 210. Health research.
Sec. 211. Judicial and administrative purposes.
Sec. 212. General requirements governing subpoenas.
Sec. 213. Additional requirements for law enforcement access.
TITLE III--SANCTIONS
Subtitle A--Civil Sanctions
Subtitle B--Criminal Sanctions
Sec. 311. Wrongful disclosure of protected health information.
TITLE IV--MISCELLANEOUS
Sec. 402. Relationship to other laws.
Sec. 403. Effective dates.
SEC. 2. FINDINGS AND PURPOSES.
(a) FINDINGS- The Congress finds as follows:
(1) Health information plays a vital role in every aspect of an
individual's life. It includes some of the most sensitive information
available about an individual.
(2) An individual's health information is currently accessible to many
people who do not need the information to provide health care to the
individual, often without the individual's knowledge or consent.
(3) Individuals will be deterred from using the health care system
unless they are assured that the confidentiality of their health information
will be respected.
(4) There exists little Federal protection of the confidentiality of an
individual's health information.
(5) While health information often is transferred across State lines,
protection of the confidentiality of health information varies greatly from
State to State, with little protection in some States.
(6) New technologies increase the importance of addressing new threats
to the confidentiality of health information. For example, technologies that
permit an individual's health information to be computerized increase the
possibility of unauthorized electronic access to the information.
Technologies that provide genetic information provide information not just
about an individual's current health but also about the individual's
potential future health and the health of the individual's relatives. This
creates potential new uses and abuses of genetic health information that
need to be addressed by legislation.
(7) The potential benefits from new genetic technologies will not be
realized if individuals cannot trust that their health information is safe
from unauthorized uses.
(b) PURPOSES- The purposes of this Act are as follows:
(1) To recognize that there is a right to privacy with respect to health
information, including genetic information, and that this right must be
protected accordingly.
(2) To ensure that an individual's interest in the privacy of their
health information cannot be overridden without meaningful notice and
informed consent, except in limited circumstances where there is a
compelling public interest.
(3) To provide individuals--
(A) access to health information of which they are the subject;
and
(B) the power to challenge the accuracy and completeness of, and amend
or correct, records containing such information.
(4) To establish a minimum Federal standard for the protection of health
information which will promote confidentiality while allowing efficient
transfer of health information between States.
(5) To help ensure the confidentiality of computerized or electronically
transferred health information.
(6) To restrict the gathering of aggregate health information for
financial gain or other purposes without each subject's knowledge or
consent.
(7) To establish strong and effective remedies for violations of this
Act.
SEC. 3. DEFINITIONS.
(1) ACCREDITING BODY- The term `accrediting body' means a body,
committee, organization, or institution that has been authorized by law, or
is recognized by a health care regulating authority, with respect to
accreditation, licensing, or credentialing of health care providers or
health care facilities.
(2) CODED HEALTH INFORMATION- The term `coded health information' means
any protected health information--
(A) in which all identifying information has been replaced by a unique
identifier, and where neither the remaining information nor the unique
identifier, on its face, identifies an individual;
(B) which cannot easily be used or manipulated in a manner that
reveals the identity of an individual; and
(C) which can only be linked or matched to other information in a
manner that reveals the identity of an individual by a person authorized
to carry out such functions under section 204.
(3) DISCLOSE- The term `disclose' when used with respect to protected
health information that is held by a health information trustee, means to
release, transfer, provide access to, or otherwise divulge the information
to any person other than an individual who is the subject of the
information. Such term includes the placement of protected health
information into a computerized data base, networked computer system, or any
other electronic or magnetic data system, that more than one person may
access by any means. Such term does not include oral communication between
an individual who is the subject of protected health information and a
health care provider delivering health care to such individual.
(4) ELECTRONIC- The term `electronic', when used with reference to
information, means--
(A) in electronic or magnetic form;
(B) in an optical storage form;
(D) computer-associated; or
(E) in some other form that--
(i) is appropriate for non-paper-based information processing or
storage; and
(ii) exists on the date of the enactment of this Act or is developed
subsequent to such date.
(5) HEALTH CARE- The term `health care' means--
(A) any sale or dispensing of a drug, device, equipment, or other item
to an individual, or for the use of an individual, pursuant to a
prescription; and
(B) any preventive, predictive, diagnostic, therapeutic,
rehabilitative, maintenance, or palliative care, counseling, service, or
procedure--
(i) with respect to the physical or mental condition of an
individual; or
(ii) affecting the structure or function of the human body or any
part of the human body, including individual cells and their
components.
(6) HEALTH CARE PROVIDER- The term `health care provider' means a person
who, with respect to a specific item of protected health information,
receives, creates, uses, maintains, or discloses the information while
acting in whole or in part in the capacity of--
(A) a person who is licensed, certified, registered, or otherwise
authorized by law to provide an item or service that constitutes health
care, in the ordinary course of business or practice of a profession;
or
(B) a Federal or State program that directly provides items or
services that constitute health care to beneficiaries.
(7) HEALTH INFORMATION TRUSTEE- The term `health information trustee'
means--
(A) a person who is a health care provider, health plan, health
oversight agency, public health authority, health researcher, employer,
insurer, school, institution of higher education, or insurance support
organization, insofar as the person creates, receives, obtains, maintains,
uses, or transmits protected health information; or
(B) any employee, agent, or contractor of a person described in
subparagraph (A), insofar as the employee, agent, or contractor creates,
receives, obtains, maintains, uses, or transmits protected health
information.
(8) HEALTH OVERSIGHT AGENCY- The term `health oversight agency' means a
person who--
(A) performs or oversees the performance of an assessment,
investigation, or prosecution relating to--
(i) compliance with legal or fiscal standards pertinent to health
care fraud, including fraudulent claims regarding health care, health
services or equipment, or related activities and items; or
(ii) the protection of individuals from harm, abuse, neglect, or
exploitation; and
(B) is a public agency, acting on behalf of a public agency, acting
pursuant to a requirement of a public agency, or carrying out activities
under a Federal or State law governing an assessment, investigation, or
prosecution described in subparagraph (A).
(9) HEALTH PLAN- The term `health plan' means any health insurance plan,
including any hospital or medical service plan, dental or other health
service plan or health maintenance organization plan, or other program
providing payment for health care, whether or not funded through the
purchase of insurance.
(10) HEALTH RESEARCHER- The term `health researcher' means a person who
conducts, using protected health information, a systematic investigation, or
research development, testing, or evaluation, to develop or contribute to
scientific or medical knowledge.
(11) INDIVIDUAL REPRESENTATIVE- The term `individual representative'
means any individual legally empowered to make decisions concerning the
provision of health care to an individual (where the individual lacks the
legal capacity under State law to make such decisions) or the administrator
or executor of the estate of a deceased individual.
(12) INSURANCE SUPPORT ORGANIZATION-
(A) IN GENERAL- Subject to subparagraph (B), the term `insurance
support organization' means any person who regularly engages, in whole or
in part, in the practice of assembling and providing information about
individuals to an insurer or health plan for insurance transactions,
including--
(i) the furnishing of consumer reports or investigative consumer
reports to an insurer or health plan for use in connection with an
insurance transaction; or
(ii) the collection of personal information from insurers, health
plans, or other insurance support organizations for the purpose of
detecting or preventing fraud or material misrepresentation in
connection with insurance underwriting or insurance claim
activity.
(B) PERSONS EXCLUDED- Such term does not include any person who is
treated as a health information trustee under any other provision of this
Act.
(13) LAW ENFORCEMENT INQUIRY- The term `law enforcement inquiry' means
an official law enforcement investigation or proceeding inquiring into a
violation of, or failure to comply with, any law.
(14) NONIDENTIFIABLE HEALTH INFORMATION- The term `nonidentifiable
health information' means information that would be protected health
information, except that--
(A) it is impossible to ascertain, based on the information, or on any
codes or identifiers related to the information, the identity of any
individual whose health or condition is the subject of the information;
and
(B) it cannot be linked or matched by a foreseeable method to any
other information that pertains to any such individual.
(15) PERSON- The term `person' means any of the following:
(C) A governmental subdivision, agency or authority.
(M) An individual representative.
(N) Any other legal entity.
(16) PROTECTED HEALTH INFORMATION- The term `protected health
information' means any information, including information derived from a
biological sample from the human body and demographic information about an
individual, whether oral or recorded in any form or medium, that--
(A) is created or received by a health information trustee or an
accrediting body;
(i) the past, present, or future physical or mental health,
predisposition, or condition of an individual, or individuals related by
blood to the individual;
(ii) the provision of health care to an individual; or
(iii) the past, present, or future payment for the provision of
health care to an individual; and
(C)(i) identifies such individual;
(ii) with respect to which there is a reasonable basis to believe that
the information can be used to identify such individual; or
(iii) could be linked or matched by a foreseeable method to any other
information which pertains to such individual.
(17) PROTECTED HEALTH INFORMATION SUBFILE- The term `protected health
information subfile' means any amount of protected health information which
is segregated pursuant to section 201(c).
(18) PUBLIC HEALTH AUTHORITY- The term `public health authority' means
an authority or instrumentality of the United States, a State, or a
political subdivision of a State that--
(A) is charged by statute with responsibility for public health
matters; and
(B) is engaged in such activities as injury reporting, public health
surveillance, and public health investigation or intervention.
(19) SECRETARY- The term `Secretary' means the Secretary of Health and
Human Services.
(20) STATE- The term `State' includes the District of Columbia, Puerto
Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana
Islands.
(21) WRITING- The term `writing' means writing in either a paper-based
or electronic form.
TITLE I--INDIVIDUALS' RIGHTS
Subtitle A--Review of Protected Health Information by Subjects of the
Information
SEC. 101. INSPECTION AND COPYING OF PROTECTED HEALTH INFORMATION.
(a) IN GENERAL- Except as provided in subsections (b) and (h), a health
information trustee shall permit an individual who is the subject of protected
health information, or the individual's designee, to inspect and copy
protected health information concerning the individual, including records
created under section 102, that the trustee maintains. A health information
trustee may require an individual to reimburse the trustee for the reasonable
cost of such inspection and copying.
(1) IN GENERAL- A health care provider who is delivering, or has
delivered, health care to an individual who is the subject of protected
health information relating to such health care is not required by this
section to permit inspection or copying of the information, where such
inspection or copying reasonably could be expected to endanger the life or
physical or mental safety of any individual.
(2) ALTERNATIVE DISCLOSURE- In any case where a health care provider
determines that the provider, pursuant to paragraph (1), will not permit an
individual to inspect or copy protected health information, the provider may
permit inspection or copying by the individual's designee.
(c) DENIAL OF A REQUEST FOR INSPECTION OR COPYING- If a health information
trustee denies a request for inspection or copying under subsection (b), the
trustee shall inform the individual in writing of--
(1) the reasons for the denial of the request;
(2) any procedures for further review of the denial; and
(3) the individual's right to file with the trustee, if the individual
so wishes, a concise statement setting forth the request for inspection or
copying.
(d) STATEMENT REGARDING REQUEST- If an individual has filed a statement
under subsection (c)(3) setting forth the request, the health information
trustee in any subsequent disclosure of the portion of the information
requested shall include--
(1) a copy of the individual's statement; and
(2) a concise statement of the reasons for denying the request for
inspection or copying.
(e) RULE OF CONSTRUCTION- This section shall not be construed to require a
health information trustee to conduct a formal, informal, or other hearing or
proceeding concerning a request for inspection or copying of protected health
information.
(f) INSPECTION AND COPYING OF SEGREGABLE PORTION- A health information
trustee shall permit inspection and copying under subsection (a) of any
reasonably segregable portion of a record after deletion of any portion that
is exempt under subsection (b).
(g) DEADLINE- A health information trustee shall comply with or deny, in
accordance with subsection (c), a request for inspection or copying of
protected health information under this section within the 30-day period
beginning on the date on which the trustee receives the request.
(h) RULES GOVERNING AGENTS AND CONTRACTORS-
(1) IN GENERAL- A person acting in the capacity of an agent or
contractor of a health care provider, health plan, health oversight agency,
public health authority, health researcher, employer, insurer, school,
institution of higher education, or insurance support organization is not
responsible for providing for the inspection or copying of protected health
information under this section, except when the agent or contractor has been
notified by their principal that a request for inspection or copying has
been made to the principal under section (a) and has not been denied under
section (b).
(2) CODED HEALTH INFORMATION- In any case where a person acting in the
capacity of an agent or contractor of a health care provider, health plan,
health oversight agency, public health authority, health researcher,
employer, insurer, school, institution of higher education, or insurance
support organization is requested to provide for the inspection or copying
of coded health information under this section, the person shall inform the
individual making the request that the individual should contact a person
authorized under section 204 to link or match the coded health information
to reveal the identity of the individual who is the subject of the
information.
SEC. 102. CORRECTION OR AMENDMENT OF PROTECTED HEALTH INFORMATION.
(a) IN GENERAL- Unless proceeding under subsection (b), and except as
provided in subsection (f), a health information trustee, within the 45-day
period beginning on the date on which the trustee receives from an individual
a written request to correct or amend protected health information about the
individual--
(1) shall make the correction or amendment requested;
(2) shall inform the individual of the correction or amendment that has
been made; and
(3) shall make reasonable efforts to inform any person who is identified
by the individual, and to whom the uncorrected or unamended portion of the
information was previously disclosed, of the correction or amendment that
has been made.
(b) REFUSAL TO CORRECT OR AMEND- If the health information trustee refuses
to make the correction or amendment, the trustee shall inform the individual,
within the 45-day period beginning on the date on which the trustee receives
the individual's request, of--
(1) the reasons for the refusal to make the correction or
amendment;
(2) any procedures for further review of the refusal; and
(3) the individual's right to file with the trustee, if the individual
so wishes, a concise statement setting forth the requested correction or
amendment and the individual's reasons for disagreeing with the
refusal.
(c) STATEMENT OF DISAGREEMENT- If an individual has filed a statement of
disagreement under subsection (b)(3), the health information trustee in any
subsequent disclosure of the disputed portion of the information--
(1) shall include a copy of the individual's statement; and
(2) shall include a concise statement of the reasons for not making the
requested correction or amendment.
(d) RULE OF CONSTRUCTION- This section shall not be construed to require a
health information trustee to conduct a formal, informal, or other hearing or
proceeding concerning a request for a correction or amendment to protected
health information.
(e) CORRECTION- For purposes of subsection (a), a correction is deemed to
have been made to protected health information when information that has been
disputed by an individual has been corrected, clearly marked as incorrect, or
supplemented by correct information.
(f) RULES GOVERNING AGENTS AND CONTRACTORS- A person acting in the
capacity of an agent or contractor of a health care provider, health plan,
health oversight agency, public health authority, health researcher, employer,
insurer, school, institution of higher education, or insurance support
organization is not authorized to make corrections or amendments to protected
health information received from their principal, except when the agent or
contractor has been asked by the principal to fulfill the principal's
obligations under this section.
SEC. 103. NOTICE OF INFORMATION PRACTICES.
(a) PREPARATION OF WRITTEN NOTICE- A health information trustee shall
prepare and provide, in accordance with subsection (b), a written notice
containing the following:
(1) INDIVIDUALS' RIGHTS- A description of the following rights of an
individual who is a subject of protected health information maintained by
the trustee:
(A) The right of the individual to request segregation of protected
health information, and to restrict the use of such information by
employees, agents, and contractors of the trustee, under section
201(c).
(B) The right of the individual to inspect, copy, amend, and correct
the protected health information under sections 101 and 102.
(C) The right of the individual to object to the disclosure of the
information to next of kin or in directory information under section
205.
(D) The circumstances under which the information may be used or
disclosed without an authorization executed by the individual.
(E) The right of the individual not to have employment or the receipt
of services conditioned upon the execution by the individual of an
authorization for disclosure or use for any purpose other than treatment
or payment.
(F) The procedures the individual must follow in order to exercise the
foregoing rights.
(2) TRUSTEE INFORMATION PRACTICES- A description of the trustee's health
information practices, including the safeguards and practices used to
protect such information.
(b) AVAILABILITY OF NOTICE TO SUBJECTS- A health information trustee shall
provide a copy of a notice prepared under this section to an individual who is
a subject of protected health information--
(1) along with any request for authorization to use or disclose the
information created pursuant to section 202 or 203 and presented by the
trustee to the individual for execution;
(2) at the first practicable opportunity after the trustee uses or
discloses the information without an authorization executed by the
individual;
(3) at the first practicable opportunity after a health information
trustee commences the collection of the information; or
(4) when the individual requests to inspect, copy, correct, or amend
their protected health information pursuant to section 101 or 102.
Subtitle B--Establishment of Safeguards
SEC. 111. ESTABLISHMENT OF SAFEGUARDS.
(a) IN GENERAL- A health information trustee shall establish and maintain
appropriate administrative, technical, and physical safeguards to ensure the
confidentiality, security, accuracy, and integrity of protected health
information created, received, obtained, maintained, used or transmitted by
the trustee.
(b) SAFEGUARDS FOR ELECTRONIC INFORMATION-
(1) APPLICATION AND CONSTRUCTION-
(A) APPLICATION- This subsection applies only with respect to
protected health information that is electronic.
(B) CONSTRUCTION- Nothing in this Act shall be construed to require
that protected health information be created, received, maintained, used,
or disclosed in electronic form.
(2) REQUIREMENTS FOR ELECTRONIC MAINTENANCE, USE, AND DISCLOSURE- The
Secretary shall develop, and by regulation impose on health information
trustees, requirements for the electronic maintenance, use, and disclosure
of protected health information. Such requirements shall include the
following:
(A) CONTROL OF ACCESS TO PROTECTED HEALTH INFORMATION-
(i) IN GENERAL- A health information trustee shall implement
controls with respect to access to electronic protected health
information. The trustee may grant a request by any person for access to
such information for use by the health information trustee, or for
disclosure to another health information trustee, only after verifying
that--
(I) the person making the request can prove their identity;
and
(II) the proposed use of the protected health information, or the
requested disclosure, is authorized under this Act.
(ii) AUTHENTICATION OF IDENTITY OF REQUESTERS- A health information
trustee shall use a method of verification to verify the identity of
persons requesting access to electronic protected health information. A
health information trustee who issues a device that verifies the
identity of a person making a request for information for purposes of
this clause shall instruct the person in the proper care and use of the
device and shall require the person to protect the device from misuse.
Any system used by a health information trustee to maintain verification
information collected under this clause shall prevent the disclosure of
such verification information to any person other than a person who is
specifically authorized to receive such information.
(B) ACCESS FOR USE BY HEALTH INFORMATION TRUSTEE- A health information
trustee shall limit the persons who may use protected health information
created or maintained by the trustee in electronic form to persons
specifically authorized by the trustee to use such information consistent
with this Act.
(C) DISCLOSURE TO OTHERS-
(i) PROTECTION OF REQUESTS FOR DISCLOSURE AND RESPONSES- A health
information trustee who requests, using electronic means, to receive
protected health information, or who responds, using electronic means,
to such a request, shall implement procedures to prevent the
interception of such request or response by persons who are not
authorized to intercept it.
(ii) IDENTIFICATION OF SUBJECT- A health information trustee who
receives, using electronic means, a request for protected health
information from another health information trustee may not provide such
information in response to the request unless the request contains
sufficient details to uniquely identify one individual who is the
subject of the request.
(i) ACCESS TO INFORMATION MAINTAINED BY OTHERS- A health information
trustee shall maintain an electronic record concerning each attempt that
is made by the trustee, whether authorized or unauthorized, successful
or unsuccessful, to access protected health information that is
maintained by any other health information trustee in electronic form.
The record shall include the identity of the specific individual
attempting to gain such access and information sufficient to identify
the information sought.
(ii) ACCESS TO INFORMATION MAINTAINED BY THE TRUSTEE- A health
information trustee shall maintain an electronic record concerning each
attempt that is made by the trustee, or by any other person, whether
authorized or unauthorized, successful or unsuccessful, to access
protected health information maintained by the trustee in electronic
form. The record shall include the identity of the specific individual
attempting to gain such access and information sufficient to identify
the information sought.
(3) REVIEW OF REQUIREMENTS- The Secretary from time to time shall review
the requirements developed and imposed under paragraph (2), to determine
whether technological advances or other factors make necessary changes to
the requirements. If the Secretary determines that such changes are
necessary, the Secretary shall make them.
SEC. 112. ACCOUNTING FOR DISCLOSURES.
(1) PERSONS NOT ACTING AS AGENTS OR CONTRACTORS- Except as provided in
paragraph (2), a health information trustee shall create and maintain, with
respect to any protected health information disclosure made by the trustee
that is not related to treatment, a record of the disclosure in accordance
with regulations promulgated by the Secretary.
(2) AGENTS AND CONTRACTORS- A person acting in the capacity of an agent
or contractor of a health care provider, health plan, health oversight
agency, public health authority, health researcher, employer, insurer,
school, institution of higher education, or insurance support organization
shall create and maintain, with respect to any protected health information
disclosure made by the person that is authorized under one of section 202,
203, 204, or 206 through 213, a record of the disclosure in accordance with
regulations promulgated by the Secretary.
(b) RECORD OF DISCLOSURE PART OF PROTECTED HEALTH INFORMATION- A record
created and maintained under subsection (a) shall be maintained as protected
health information for not less than 7 years.
SEC. 113. PROHIBITION AGAINST RETALIATION.
A health information trustee may not adversely affect another person,
directly or indirectly, because such person has exercised a right under this
Act, disclosed information relating to a possible violation of this Act, or
associated with, or assisted a person in the exercise of a right under this
Act.
TITLE II--RESTRICTIONS ON USE AND DISCLOSURE
SEC. 201. GENERAL RULES REGARDING USE AND DISCLOSURE.
(a) GENERAL RULE- A health information trustee may not use or disclose
protected health information except as authorized under this title.
(b) SCOPE OF USE AND DISCLOSURE-
(1) COMPATIBILITY WITH PURPOSE FOR OBTAINING INFORMATION- A health
information trustee may not use, or disclose to any person, protected health
information unless the use or disclosure is compatible with and directly
related to--
(A) the purposes for which the information was obtained by the health
information trustee; and
(B) in the case where an individual has executed an authorization, for
the specific purpose authorized by the individual.
(2) LIMITATION ON AMOUNT OF INFORMATION-
(i) IN GENERAL- Every use and disclosure of protected health
information by a health information trustee shall be limited to the
minimum amount of information necessary to accomplish the purpose for
which the information is used or disclosed.
(ii) NONIDENTIFIABLE INFORMATION- A health information trustee shall
use and disclose nonidentifiable health information, in lieu of
protected health information, to maximum extent possible, consistent
with the purpose for the use or disclosure.
(iii) CODED HEALTH INFORMATION- A health information trustee shall
use and disclose coded health information, in lieu of any other kind of
protected health information, to maximum extent possible, consistent
with the purpose for the use or disclosure.
(B) COLLECTION, CREATION, AND REQUESTS- A health information trustee
may not collect, create, or request the disclosure of, more protected
health information than is necessary to accomplish the purpose for which
the information is collected, created, or requested.
(c) SPECIAL RULES FOR PROTECTED HEALTH INFORMATION SUBFILES-
(1) SEGREGATION- A health information trustee shall, upon creating or
obtaining protected health information, comply with the request of a subject
of such information--
(A) to segregate any amount or type of protected health information;
and
(B) to maintain such protected health information as one or more
protected health information subfiles.
(A) IN GENERAL- Subject to subparagraph (B), a person, other than a
health care provider who is otherwise authorized to access or use
protected health information about an individual contained in a protected
health information subfile for purposes of delivering health care to the
individual, may not use or disclose any information that is in the
subfile, except as authorized under section 202, 203, or 206.
(B) EMPLOYEES, AGENTS, CONTRACTORS- A health information trustee, with
respect to a protected health information subfile created pursuant to
paragraph (1), shall limit use of the subfile to those employees,
contractors, or agents of the trustee, described by name or job title,
who, with respect to the subfile are authorized, pursuant to section 202
or 203, to use or obtain such information.
(C) INFORMATION ON EXISTENCE OF SUBFILES- A health information trustee
may not disclose information about the existence of a health information
subfile to any person who is not authorized to obtain, access, or use the
subfile.
(d) NO GENERAL REQUIREMENT TO DISCLOSE- Nothing in this title that permits
a disclosure of protected health information shall be construed to require
such disclosure.
(e) LIMITATIONS ON DISCLOSURE AND USE WITHIN A TRUSTEE-
(1) CONDITION OF TREATMENT OR PAYMENT- A health information trustee may
not condition delivery of health care, or payment for services, on the
receipt of an authorization described in section 202 or 203 that authorizes
the disclosure of protected health information to any employee, agent, or
contractor who does not perform a legitimate and necessary function with
respect to the purpose for which the information was obtained or
created.
(2) EMPLOYMENT- A health information trustee may not condition
employment on the receipt of an authorization described in section 202 or
203 that authorizes the disclosure of protected health information to any
employee, agent, or contractor who does not perform a legitimate and
necessary function with respect to the purpose for which the information was
obtained or created.
(f) IDENTIFICATION OF DISCLOSED INFORMATION AS PROTECTED INFORMATION-
Except as provided in this title, a health information trustee may not
disclose protected health information unless such information is clearly
identified as protected health information that is subject to this title.
(g) INFORMATION IDENTIFYING PROVIDERS- The Secretary shall issue
regulations protecting information identifying health care providers in order
to promote the availability of health care services.
(h) USE OF SOCIAL SECURITY NUMBER- A Social Security account number, or a
derivative of a Social Security account number, may not be used by a health
information trustee for any purpose relating to protected health information
or the use or disclosure of such information.
(i) MULTIPLE RECORDS- No person may aggregate, compile, link, or match
protected health information held by two or more different health information
trustees, or two or more protected health information subfiles pertaining to
an individual, without obtaining specific authorization under section 202 or
203 for such use.
(j) NO EFFECT OF AGENCY ON DUTY OR LIABILITY OF PRINCIPAL- An agreement or
relationship between a trustee and an agent or contractor does not relieve a
health information trustee of any duty or liability under this Act.
SEC. 202. AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH INFORMATION FOR
TREATMENT OR PAYMENT.
(a) WRITTEN AUTHORIZATIONS- A health information trustee may disclose
protected health information for purposes of treatment or payment pursuant to
an authorization executed by an individual who is the subject of the
information (or a person acting for the individual pursuant to State law) if
each of the following requirements is met:
(1) WRITING- The authorization is in written or electronic form, signed
or electronically authenticated by the individual, and dated.
(2) SEPARATE FORMS- Separate forms authorizing disclosures for treatment
and separate forms authorizing disclosures for payment processes are
provided to the individual.
(3) INFORMATION DESCRIBED- The information to be disclosed is specified,
or is described, in the authorization.
(4) TRUSTEE DESCRIBED- The trustee who is authorized to disclose such
information is specifically identified, or is described, in the
authorization.
(5) RECIPIENT DESCRIBED- The person to whom the information is to be
disclosed is specifically identified, or is described, in the
authorization.
(6) RIGHT TO REVOKE OR AMEND- The authorization contains an
acknowledgement that the individual who is executing the authorization has
the right to revoke or amend the authorization, subject to subsection
(b).
(7) PURPOSE DESCRIBED- The authorization describes in detail the purpose
for which the information will be used.
(8) STATEMENT OF INTENDED DISCLOSURES- The authorization contains an
acknowledgment that the individual who is executing the authorization has
read a statement of any disclosures of the protected health information that
the recipient intends to make.
(9) USE AND DISCLOSURE RESTRICTED- The authorization includes a
statement that the information will be used and disclosed solely for one or
more purposes specified in the authorization.
(10) EXPIRATION DATE SPECIFIED- The authorization specifies a date on
which, or event upon which, the authorization expires, which shall be no
later than one year after the date on which the authorization is
executed.
(b) REVOCATION OR AMENDMENT OF AUTHORIZATION-
(1) IN GENERAL- An authorization under subsection (a) shall be subject
to revocation and amendment at any time by the individual who executed the
authorization, except that--
(A) the revocation or amendment shall be in writing; and
(B) an authorization executed for the purpose of validation of
expenditures for health care that the individual has authorized to be
rendered may not be revoked.
(2) NOTICE OF REVOCATION- A health information trustee who discloses
protected health information pursuant to an authorization described in
subsection (a) that has been revoked shall not be subject to any liability
or penalty under this Act if the trustee has no actual or constructive
notice of the revocation at the time the trustee makes the disclosure.
(c) MODEL AUTHORIZATIONS- The Secretary, after providing notice and
opportunity for public comment, shall develop and disseminate model written
authorizations of the type described in subsection (a) and model statements of
intended disclosures of the type described in subsection (a)(7).
(d) COPY- A health information trustee who discloses protected health
information pursuant to an authorization under this section shall maintain a
copy of the authorization for not less than 7 years.
SEC. 203. AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH INFORMATION FOR
PURPOSES OTHER THAN TREATMENT OR PAYMENT.
(a) WRITTEN AUTHORIZATIONS- A health information trustee may disclose
protected health information for a purpose other than treatment or payment
pursuant to an authorization executed by an individual who is the subject of
the information (or a person acting for the individual pursuant to State law)
if each of the following requirements is met:
(1) GENERAL REQUIREMENTS- The requirements of paragraphs (1) through (7)
of section 202(a).
(2) STATEMENT OF INTENDED DISCLOSURES- The statement of intended
disclosure shall be in writing, and shall be received by the individual
authorizing the disclosure on or before the date the authorization is
executed.
(3) EXPIRATION DATE SPECIFIED- The authorization specifies a date on
which, or an event upon which, the authorization expires, which shall not
occur more than 1 year from the date of the execution of the
authorization.
(b) LIMITATION ON REQUESTS FOR AUTHORIZATIONS-
(1) CONDITION OF TREATMENT OR PAYMENT- A health information trustee may
not condition delivery of treatment, or payment for services, on the receipt
of an authorization described in subsection (a).
(2) EMPLOYMENT- A health information trustee may not adversely affect,
or condition, the employment of any person based on the agreement or
refusal of the person to execute or provide an authorization described in
subsection (a).
(c) REVOCATION OR AMENDMENT OF AUTHORIZATION-
(1) IN GENERAL- An individual may in writing revoke or amend an
authorization described in subsection (a).
(2) NOTICE OF REVOCATION- A health information trustee who discloses
protected health information pursuant to an authorization described in
subsection (a) that has been revoked shall not be subject to any liability
or penalty under this Act if the trustee has no actual or constructive
notice of the revocation at the time the trustee makes the disclosure.
(d) MODEL AUTHORIZATIONS- The Secretary, after notice and opportunity for
public comment, shall develop and disseminate model written authorizations of
the type described in subsection (a) and model statements of the intended
disclosures of the type described in subsection (a)(2).
SEC. 204. CREATION OF NONIDENTIFIABLE AND CODED INFORMATION.
(a) CREATION OF NONIDENTIFIABLE INFORMATION- A health information trustee
may disclose protected health information about an individual to an employee,
agent, or contractor for the purpose of creating nonidentifiable health
information if--
(1) the individual is informed of the purpose for the creation of the
nonidentifiable information;
(2) the individual is given the option to prohibit any specific uses of
the nonidentifiable information, such as use of the information for
marketing purposes; and
(3) the health information trustee does not condition the delivery of
health care, payment for services, or employment, on the granting by the
individual of permission to create the nonidentifiable information.
(b) CREATION OF CODED HEALTH INFORMATION- A health care provider may
create coded health information, or disclose protected health information
about an individual to an employee, agent, or contractor for the purpose of
creating coded health information, if--
(1) the individual is informed of the purpose for the creation of the
coded information;
(2) the individual is informed of which persons will have the authority
to link or match the coded health information to reveal the identity of the
individual;
(3) the individual gives written authorization for a disclosure for this
purpose in accordance with subsections (a)(1) through (a)(3), (c), and (d)
of section 203;
(4) the health care provider does not condition the delivery of health
care, payment for services, employment, or the terms of employment on the
granting by the individual of permission to create the coded health
information; and
(5) agents and contractors who receive protected health information for
the purpose of creating coded health information use the information
exclusively for such purpose.
SEC. 205. NEXT OF KIN AND DIRECTORY INFORMATION.
(a) NEXT OF KIN- Except as provided in subsection (c), a health care
provider, or a person who receives protected health information under section
206, may disclose protected health information regarding an individual who is
an inpatient in a health care facility to the individual's next of kin, to an
individual representative of the individual, or to an individual with whom the
individual has a significant personal relationship if--
(1) the individual who is the subject of the information--
(A) has been notified of the individual's right to object at the time
of admission to the facility and has not objected to the disclosure;
or
(B) is in a physical or mental condition such that it would not be
possible to notify the individual of the right to object and there are no
prior indications that the individual would object; and
(2) the information relates to health care currently being provided to
the individual at the time of the disclosure.
(b) DIRECTORY INFORMATION-
(1) DISCLOSURE- Except as provided in subsection (c), a health
information trustee may disclose to any person protected health information
concerning an individual if the information is described in paragraph (2)
and the individual who is the subject of the information--
(A) has been notified of the individual's right to object and has not
objected to the disclosure; or
(B) is in a physical or mental condition such that it would not be
possible to notify the individual of the right to object and there are no
prior indications that the individual would object.
(2) INFORMATION DESCRIBED- The information referred to in paragraph (1)
is any one or more of the following:
(A) The name of the individual who is the subject of the
information.
(B) The general health status of the individual, described as
critical, poor, fair, stable, or satisfactory, or in terms denoting
similar conditions.
(C) The location of the individual, if on a premises controlled by a
health care provider.
(c) EXCEPTION- A health care provider may not disclose protected health
information without specific authorization pursuant to section 203--
(1) in the case of a disclosure under subsection (b), if disclosure of
the location of the individual would reveal specific information about the
physical or mental condition of the individual; or
(2) in the case of a disclosure under subsection (a) or (b), if the
provider has reason to believe that the disclosure could lead to physical,
mental, or emotional harm to the individual.
(1) IDENTIFICATION- A health information trustee may disclose protected
health information if necessary to assist in the identification of a
deceased individual.
(2) REGULATIONS- The Secretary shall develop and establish through
regulation a procedure for obtaining protected health information relating
to a deceased individual when there is no individual representative for such
individual.
SEC. 206. EMERGENCY CIRCUMSTANCES.
(a) DISCLOSURE WHEN SUBJECT OF INFORMATION IS IN DANGER- A health
information trustee who receives protected health information under this title
may disclose such protected health information to a health care provider or
emergency medical personnel, or use such information in emergency medical
circumstances, to the extent necessary to protect the health or safety of an
individual who is a subject of such information from serious imminent harm.
(b) DISCLOSURE WHEN ANOTHER INDIVIDUAL IS IN DANGER- A health information
trustee may disclose protected health information, to the extent necessary,
where such trustee determines that--
(1) there is an identifiable threat of serious injury or death to an
identifiable individual or group of individuals; and
(2) the disclosure of the information to the person is necessary to
prevent or significantly reduce the possibility of such threat.
SEC. 207. OVERSIGHT.
(a) IN GENERAL- A health information trustee, other than a public health
authority or a health researcher, may disclose protected health information
to--
(1) a health oversight agency for any function of the agency authorized
by law, if--
(A) there is probable cause to believe fraud has been
committed;
(B) the oversight agency is investigating the fraud;
(C) the oversight agency has obtained a subpoena for purposes of
obtaining the information; and
(D)(i) a subject of the information is believed to have committed the
fraud; or
(ii) the information is necessary to permit the agency to investigate
the fraud; or
(2) a health oversight agency charged by law to protect individuals from
harm, abuse, neglect, or exploitation, if the information is necessary to
investigate whether abuse, neglect, or exploitation of an individual has
occurred.
(b) USE OF CODED HEALTH INFORMATION- The health oversight agency shall
receive exclusively coded health information under subsection (a) whenever the
purpose of the agency may be accomplished using only such information.
(c) NOTICE TO SUBJECTS- In any case where an individual who is a subject
of protected health information disclosed under subsection (a) is not believed
to have committed fraud, the individual shall be notified, at the first
practical opportunity--
(1) that an investigation described in such subsection is being
conducted;
(2) of the reason why disclosure of the information is necessary;
and
(3) of all intended subsequent disclosures of the information that the
agency intends to make.
(d) USE IN ACTION AGAINST INDIVIDUALS-
(1) IN GENERAL- Subject to paragraph (2), protected health information
about an individual that is disclosed under this section may not be used in,
or disclosed to any person for use in, an administrative, civil, or criminal
action or investigation directed against the individual, unless the action
or investigation arises out of and is directly related to the purpose for
which the disclosure was authorized under subsection (a).
(2) SPECIAL RULE- A health oversight agency may not disclose protected
health information received by the agency under subsection (a)(2) for any
purpose other than protecting individuals from harm, abuse, neglect, or
exploitation.
(e) PUBLIC HEALTH AND HEALTH RESEARCH- A public health authority may
disclose protected health information to a health oversight agency only if
such information is necessary for use in an investigation of whether the
authority has committed fraud. A health researcher may disclose protected
health information to a health oversight agency only if such information is
necessary for use in an investigation of whether the researcher has committed
fraud.
SEC. 208. ACCREDITATION.
(a) IN GENERAL- A health information trustee may disclose protected health
information to an accrediting body for the exclusive purpose of permitting the
accrediting body to carry out accreditation, licensing, or credentialing
activities.
(b) USE OF CODED HEALTH INFORMATION- The accrediting body shall receive
exclusively coded health information under subsection (a) whenever the purpose
of the body may be accomplished using only such information.
(c) RESTRICTION ON USE AND DISCLOSURE- A person to whom protected health
information is disclosed under subsection (a) may not use or disclose the
information for any purpose other than the purpose for which the information
was disclosed to the person.
SEC. 209. PUBLIC HEALTH.
(a) DISCLOSURES BY PROVIDERS- A health care provider may disclose
protected health information about an individual to a public health authority
where--
(1) the information is disclosed for the purpose of permitting the
authority to ascertain the identity of such individual;
(2) there is a specific nexus between such individual's identity and a
threat of death or injury to any person; and
(3) knowledge of such individual's identity would allow the public
health authority to prevent or significantly reduce the possibility of
injury or death to any person.
(b) LIMITATION ON LIABILITY- A health information trustee shall not be
liable to any person for a disclosure of protected health information under
this section that is made based upon a good faith belief by the trustee of a
representation made by a public health authority that such disclosure
satisfies the requirements of subsection (a).
(c) LIMITATION ON USE AND DISCLOSURE BY PUBLIC HEALTH AUTHORITIES- A
public health authority may not use or disclose protected health information
for any purpose other than for public health reporting, surveillance,
protection, investigation, or intervention.
SEC. 210. HEALTH RESEARCH.
(a) IN GENERAL- A health information trustee may disclose protected health
information, other than coded health information, to a health researcher for
use in a research project engaged in by the health researcher, if an
institutional review board, using standards and procedures that are generally
consistent with the official written policy of the Secretary with respect to
research involving human subjects conducted, supported, or otherwise subject
to regulation by Federal departments and agencies, and this Act, determines
that the research project--
(1) requires use of the protected health information for the
effectiveness of the project and could not be carried out with either coded
or nonidentifiable health information; and
(2) has obtained an authorization for the disclosure executed by an
individual who is a subject of the information that--
(A) is consistent with the requirements of section 203; and
(B) in a case where the researcher foresees using or disclosing the
information for any purpose subsequent to the conclusion of the project,
specifically states--
(ii) that the individual has the right to limit such subsequent uses
or disclosures consistent with this Act.
(b) USE OF CODED OR NONIDENTIFIABLE HEALTH INFORMATION- A health
information trustee may disclose coded health information that is not
contained in a protected health information subfile, or nonidentifiable health
information, to a health researcher for use in a research project engaged in
by the health researcher upon approval of the proposed research by an
institutional review board, regardless of whether the researcher has obtained
an authorization for the disclosure consistent with the requirements of
section 203.
(c) ANONYMIZATION OF PREVIOUSLY STORED BIOLOGICAL SAMPLES- The Secretary
may develop interim guidelines for the use by a health researcher of
biological samples derived from a human body collected before the effective
date of this Act. Such guidelines shall address the requirements pertinent to
a health researcher who wishes to use stored biological samples derived from a
human body in nonidentifiable or coded form. Such guidelines shall authorize a
health researcher, for the purpose of facilitating future health research--
(1) to convert protected health information into nonidentifiable
information or coded health information, if such conversion is permitted in
a written authorization; or
(2) if no such authorization exists, to make such conversion after
publishing notice of the researcher's intent and providing individuals the
opportunity to prohibit the use of their biological samples for such
purpose.
(d) OBLIGATIONS OF RECIPIENT- A person who receives protected health
information pursuant to subsection (a)--
(1) shall remove or destroy, at the earliest opportunity consistent with
the purposes of the project, information that would enable an individual to
be identified, unless--
(A) an institutional review board has determined that there is a
health or research justification for retention of such identifiers;
and
(B) there is an adequate plan to protect the identifiers from
disclosure that is inconsistent with this section; and
(2) shall use the information solely for purposes of the health research
project for which disclosure was authorized by an institutional review board
under subsection (a).
SEC. 211. JUDICIAL AND ADMINISTRATIVE PURPOSES.
A health care provider, health plan, health oversight agency, employer,
school, institution of higher education, insurer, court, or a person who
receives protected health information pursuant to section 206 may disclose
protected health information about an individual--
(1) pursuant to the requirements governing subpoenas, warrants, and
court orders under sections 212 and 213, where such information has been
determined to be discoverable by a court under any applicable rules of civil
or criminal procedure;
(2) to a court, and to others as ordered by the court, if the
information is developed in response to a court-ordered physical or mental
examination;
(3) where the subject of such information has brought a claim for
medical malpractice against a health care provider and the information is
necessary for the defense of the claim; and
(4) to legal counsel for the person making the disclosure, where the
disclosure is necessary to ensure compliance with this Act or any other
legal requirement.
SEC. 212. GENERAL REQUIREMENTS GOVERNING SUBPOENAS.
(a) IN GENERAL- A health care provider, health plan, health oversight
agency, employer, school, institution of higher education, insurer, court, or
a person who receives protected health information pursuant to section 206 may
disclose protected health information to any person, other than a law
enforcement authority, under section 211(1), if the disclosure is pursuant to
a subpoena issued on behalf of a party to a lawsuit or other judicial or
administrative proceeding who has complied with subsection (b) or (c), and
subsection (d).
(b) REQUEST FOR ACCESS BY COUNSEL TO REVIEW PROTECTED HEALTH INFORMATION-
A person may have access to protected health information under subsection
(a), by means solely of a review of the information by the person's counsel,
acting in the capacity of an officer of the court, and on premises of, and
under the control of, the court, if--
(1) the person has included in a subpoena a proffer of evidence
specifying with reasonable specificity the information to which access is
sought and the precise grounds for seeking such access for review;
(2) a copy of such subpoena for access to review, together with a notice
of the individual's right to challenge the subpoena under subsection (d),
has been served upon the individual on or before the date of return of the
subpoena;
(3)(A) 15 days have passed since the date of service on the individual,
and within that period the individual has not initiated a challenge in
accordance with subsection (d)(1); or
(B) such access is ordered by the court; and
(4) such counsel agrees not to copy such information, remove such
information from the court premises, or disclose the information to any
person other than the person permitted access under this subsection.
(c) REQUEST TO OBTAIN PROTECTED HEALTH INFORMATION FOR INTRODUCTION IN
COURT-
(1) REQUIREMENTS FOR OBTAINING INFORMATION- A person may obtain
protected health information about an individual pursuant to a subpoena, for
purposes of introducing such information as evidence in a court, only
if--
(A) counsel for the person has obtained access to the information
under subsection (b);
(B) a copy of the subpoena to obtain the information for introduction
in court, specifying the precise information sought and the precise
grounds for seeking introduction of the information as evidence in court,
together with a notice of the individual's right to challenge the subpoena
under subsection (d), has been served upon the individual on or before the
date of return of such subpoena; and
(C)(i) 15 days have passed since the date of service on the
individual, and within that time period the individual has not indicated a
challenge in accordance with subsection (d)(1); or
(ii) the information is ordered to be provided to the court.
(2) USE AND DISCLOSURE- A person who obtains protected health
information under paragraph (1) may use and disclose such information only
for the purpose of prosecuting or defending the lawsuit or other judicial or
administrative proceeding described in subsection (a).
(d) CHALLENGE PROCEDURES-
(1) MOTION TO QUASH SUBPOENA- After being served of a copy of a subpoena
seeking access for review by counsel of, or access to, protected health
information under subsection (b), or a subpoena seeking to obtain protected
health information for introduction as evidence in court, under subsection
(c), an individual who is a subject of such information may file in any
court of competent jurisdiction a motion to quash the subpoena.
(2) STANDARD FOR DECISION-
(A) IN GENERAL- The court shall grant a motion under paragraph (1)
unless the respondent demonstrates--
(i) by clear and convincing evidence that the information is
necessary in relation to the lawsuit or other judicial or administrative
proceeding with respect to which the information is sought,
including--
(I) a demonstration that use or disclosure of solely
nonidentifiable health information would be insufficient to accomplish
the purpose for which the information is sought; and
(II) if protected health information that is not coded health
information is sought, a demonstration that use or disclosure of coded
health information would be insufficient to accomplish the purpose for
which the information is sought; and
(ii) that the need of the respondent for the information outweighs
the privacy interest of the individual.
(B) CRITERIA FOR DECISION- In determining whether the need of the
respondent for the information outweighs the privacy interest of the
individual, the court shall consider--
(i) the particular purpose for which the information was
collected;
(ii) the invasion of the individual's privacy caused by the
disclosure;
(iii) the degree to which disclosure of the information would
embarrass, injure, or further invade, the privacy of the
individual;
(iv) the effect of the disclosure on the individual's future health
care;
(v) the importance of the information to the lawsuit or proceeding;
and
(vi) any other relevant factor.
(3) ATTORNEY'S FEES- In the case of a motion brought under paragraph (1)
in which the individual who brought the motion has prevailed in whole or in
part, the court may assess against the respondent a reasonable attorney's
fee and other litigation costs and expenses (including expert fees)
reasonably incurred.
(e) SEALING OF INFORMATION- Any portion of a record of a court that
contains protected health information disclosed under this section shall be
kept by the court under seal and used or disclosed only pursuant to an order
of the court consistent with this section.
SEC. 213. ADDITIONAL REQUIREMENTS FOR LAW ENFORCEMENT ACCESS.
(a) LAW ENFORCEMENT SUBPOENAS AND WARRANTS IN GENERAL- A health care
provider, health plan, health oversight agency, employer, school, institution
of higher education, insurer, court, or a person who receives protected
health information pursuant to section 206 may disclose protected health
information to a law enforcement authority under section 211(1), if--
(1)(A) the disclosure is made pursuant to a subpoena for review under
section 212(b), a subpoena for purposes of introducing evidence in a court
under section 212(c), or both, issued under the authority of a grand jury or
a court; and
(B) the requirements of subsections (b) through (e) of section 212, and
subsections (b) and (c) of this section, are satisfied;
(2) the disclosure is made pursuant to a judicial warrant for search and
seizure and the requirements of subsection (d) are satisfied; or
(3)(A) the disclosure is made pursuant to a subpoena for purposes of
introducing evidence in a court under section 212(c), issued under the
authority of a grand jury or a court, and obtained pursuant to subsection
(d)(5) following the execution of a judicial warrant for search and seizure
under subsection (d); and
(B) the requirements of subsections (c) through (e) (other than
subsection (c)(1)(A)) of section 212, and subsections (b) and (c) of this
section, are satisfied.
(b) CLEAR AND CONVINCING REQUIREMENT- A law enforcement authority may not
obtain protected health information about an individual under subsection (a)
unless the authority demonstrates by clear and convincing evidence that the
information is necessary to a legitimate law enforcement inquiry into a
particular violation of criminal law being conducted by the authority.
(c) LIMITATION ON USE AND DISCLOSURE FOR OTHER LAW ENFORCEMENT INQUIRIES-
Protected health information about an individual that is disclosed under this
section may not be used in, or disclosed to any person for use in, any
administrative, civil, or criminal action or investigation directed against
the individual, unless the action or investigation arises out of, or is
directly related to, the law enforcement inquiry for which the information was
obtained.
(d) REQUIREMENTS FOR WARRANTS FOR SEARCH AND SEIZURE-
(1) LIMITED PURPOSE- A health care provider, health plan, health
oversight agency, employer, school, institution of higher education,
insurer, or a person who receives protected health information pursuant to
section 206 may disclose protected health information to a law enforcement
authority pursuant to a warrant for search and seizure, issued under the
authority of a court, for the exclusive purpose of permitting the authority
to secure the information described in the warrant for delivery to the
court.
(2) LIMITATION ON EXECUTION OF WARRANTS- In executing a warrant under
paragraph (1), a law enforcement authority shall engage in the most minimal
examination of protected health information that is necessary in order to
determine whether the information is or is not within the scope of the
warrant. The authority immediately shall place any such information that the
authority determines is within the scope of the warrant under seal, and
shall deliver such sealed information, without any further examination or
other use or disclosure, to the court. The authority may not use or disclose
for any purpose protected health information that the authority determines
is not within the scope of the warrant, but that is obtained or discovered
by the authority directly or indirectly through execution of the
warrant.
(3) NOTICE OF WARRANT- A law enforcement authority that obtains
protected health information about an individual pursuant to the execution
of a warrant under paragraph (2) shall, not later than 30 days after the
date of such execution, serve the individual with, or mail to the last known
address of the individual, a notice that protected health information about
the individual was obtained, together with a notice of the individual's
right to challenge the warrant under paragraph (4).
(4) CHALLENGE PROCEDURES FOR WARRANTS-
(A) MOTION TO QUASH- Within 15 days after the date of service of a
notice of execution of a warrant of a law enforcement authority seeking
protected health information about an individual under paragraph (3), the
individual (or any other person who was in possession of the information
and against whom the warrant was executed) may file in any court of
competent jurisdiction a motion to quash the warrant.
(B) STANDARD FOR DECISION- The court shall grant a motion under
subparagraph (A) unless the law enforcement authority demonstrates by
clear and convincing evidence that the protected health information is
necessary to a legitimate law enforcement inquiry being conducted by the
law enforcement authority and the government authority's need for the
information outweighs the privacy interest of the individual.
(C) ATTORNEY'S FEES- In the case of a motion brought under
subparagraph (A) in which the individual has prevailed, in whole or in
part, the court may assess against the law enforcement authority
reasonable attorney's fees and other litigation costs (including expert
fees) reasonably incurred.
(5) ACTION IN COURT ON INFORMATION DELIVERED- Upon termination of the
period described in paragraph (4)(A) (in a case where a motion to quash is
not filed under such paragraph), or upon the denial of a motion to quash
under such paragraph, the law enforcement authority may obtain protected
health information delivered to the court under this subsection solely
through a disclosure under subsection (a)(3).
(6) SEALING OF INFORMATION- Any protected health information that is
delivered to a court under this section shall be kept by the court under
seal and used or disclosed only pursuant to an order of the court
consistent with this section.
TITLE III--SANCTIONS
Subtitle A--Civil Sanctions
SEC. 301. CIVIL PENALTY.
(a) VIOLATION- Any person who the Secretary determines has materially
failed to comply with this Act shall be subject, in addition to any other
penalties that may be prescribed by law, to--
(1) a civil penalty of not more than $25,000 for each such violation,
but not to exceed $150,000 in the aggregate for multiple violations in any
one year; and
(2) a civil penalty of not more than $500,000 and exclusion from
participation in the program under title XVIII of the Social Security Act,
the program under title XIX of such Act, and any other federally funded
health care program, if the Secretary finds that such violations have
occurred with such frequency as to constitute a general business
practice.
(b) PROCEDURES FOR IMPOSITION OF PENALTIES- Section 1128A of the Social
Security Act, other than subsections (a) and (b) and the second sentence of
subsection (f) of that section, shall apply to the imposition of a civil,
monetary, or exclusionary penalty under this section in the same manner as
such provisions apply with respect to the imposition of a penalty under
section 1128A of such Act.
SEC. 302. CIVIL ACTION.
(a) IN GENERAL- An individual who is aggrieved by conduct in violation of
this Act may bring a civil action to recover--
(1) such preliminary and equitable relief as the court determines to be
appropriate;
(B) liquidated damages of--
(i) $25,000, in the case of a material violation; or
(ii) $50,000, in the case of a violation that was willful or
resulted in profit or monetary gain; and
(b) ATTORNEY'S FEES- In the case of a civil action brought under
subsection (a) in which the individual has substantially prevailed, the court
may assess against the respondent a reasonable attorney's fee and other
litigation costs and expenses (including expert fees) reasonably incurred.
(c) LIMITATION- No action may be commenced under this section by an
individual more than 3 years after the date on which the violation was or
should reasonably have been discovered by the individual.
Subtitle B--Criminal Sanctions
SEC. 311. WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION.
(a) OFFENSE- Whoever knowingly--
(1) obtains protected health information relating to an individual in
violation of this Act;
(2) discloses protected health information to another person in
violation of this Act;
(3) coerces or attempts to coerce a health information trustee to
disclose protected health information in violation of this title; or
(4) without authorization pursuant to this Act, identifies or attempts
to identify an individual who is the subject of protected health information
that a health information trustee has converted into coded health
information,
shall be punished as provided in subsection (b).
(b) PENALTIES- A person referred to in subsection (a) shall be fined under
title 18, United States Code, imprisoned not more than 1 year, or both, except
that--
(1) if the offense is committed under false pretenses, the person shall
be fined under title 18, United States Code, imprisoned not more than 5
years, or excluded from participation in the program under title XVIII of
the Social Security Act, the program under title XIX of such Act, or any
other federally funded health care program, or any combination of such
penalties; and
(2) if the offense is committed with intent to sell, transfer, or use
protected health information for commercial advantage, personal gain, or
malicious harm, the person shall be fined under title 18, United States
Code, or imprisoned not more than 10 years, or excluded from participation
in the program under title XVIII of the Social Security Act, the program
under title XIX of such Act, or any other federally funded health care
program, or any combination of such penalties.
TITLE IV--MISCELLANEOUS
SEC. 401. REGULATIONS.
(1) CONSULTATION WITH ADVISORY GROUP- In promulgating regulations under
this Act, the Secretary shall appoint and consult an advisory group of
knowledgeable individuals.
(2) MEMBERSHIP- The advisory group shall consist of at least 7 but no
more than 12 individuals, including representatives of--
(A) health care providers;
(B) health care consumers;
(D) privacy advocates; and
(E) electronic security experts.
(3) RESPONSIBILITIES- The advisory group shall review all proposed rules
and regulations and submit recommendations to the Secretary. The advisory
group shall also assist the Secretary in establishing the standards for
compliance with rules and regulations, in developing an annual report to the
Congress on the status of the requirements set forth in this Act, their cost
impact, and any recommendations for modifications to this Act in order to
ensure efficient and confidential electronic interchange of protected health
information.
(b) CONSULTATION WITH OTHERS- In promulgating regulations under this Act,
the Secretary may consult--
(1) privacy, industry, health care professional, and consumer
groups;
(2) medical societies; and
(3) academic computer security and privacy experts.
SEC. 402. RELATIONSHIP TO OTHER LAWS.
(a) IN GENERAL- Nothing in this Act shall be construed to preempt any
provision of State law or any privilege, whether derived from statute or
common law, that--
(1) more completely protects the confidentiality or privacy of an
individual with respect to protected health information about the individual
than does this Act; or
(2) provides a greater right of access to protected health information
to a subject of the information than does this Act.
(b) CRIMINAL PENALTIES- A State may establish and enforce criminal
penalties with respect to a failure to comply with a provision of this Act.
(c) PRIVILEGES- This Act does not preempt or modify State common or
statutory law to the extent such law concerns a privilege of a witness or
person in a court of the State. This Act does not supersede or modify Federal
common or statutory law to the extent such law concerns a privilege of a
witness or person in a court of the United States and more completely protects
the confidentiality or privacy of an individual with respect to protected
health information about the individual than does this Act. The execution of
an authorization pursuant to section 202 or 203 may not be construed as a
waiver of any such privilege.
(d) CERTAIN DUTIES UNDER STATE OR FEDERAL LAW- This Act does not preempt,
supersede, or modify the operation of any of the following:
(1) Any law that provides for the reporting of vital statistics such as
birth or death information.
(2) Any law requiring the reporting of abuse or neglect information
about any individual.
(3) Any State law relating to public or mental health that prevents or
otherwise restricts disclosure of protected health information otherwise
permitted under this Act.
(4) Subpart II of part E of title XXVI of the Public Health Service Act
(relating to notifications of emergency response employees of possible
exposure to infectious diseases).
(5) Any Federal law or regulation governing confidentiality of alcohol
and drug patient records.
(6) The Americans With Disabilities Act of 1990.
(7) Any Federal or State statute that establishes a privilege for
records used in health professional peer review activities.
SEC. 403. EFFECTIVE DATES.
(a) IN GENERAL- Except as provided in subsection (b), this Act shall take
effect on the date that is 18 months after the date of the enactment of this
Act.
(b) PROVISIONS EFFECTIVE IMMEDIATELY- A provision of this Act shall take
effect on the date of the enactment of this Act if the provision imposes on
the Secretary a duty to develop, establish, or promulgate regulations,
guidelines, or model forms.
(c) DEADLINE FOR REGULATIONS- The Secretary shall promulgate regulations
implementing this Act not later than the date that is 12 months after the date
of the enactment of this Act.
SEC. 404. APPLICABILITY.
(a) PROTECTED HEALTH INFORMATION- Except as provided in subsection (b),
the provisions of this Act shall apply to any protected health information
that is received, created, used, maintained, or disclosed by a health
information trustee on or after the date that is 18 months after the date of
the enactment of this Act, regardless of whether the information existed or
was disclosed prior to such date.
(b) AUTHORIZATIONS FOR DISCLOSURES- An authorization for the disclosure of
protected health information about a protected individual that is executed by
the individual before the date that is 18 months after the date of the
enactment of this Act, and is recognized and valid under State law on the day
before such date, shall remain valid and shall not be subject to the
requirements of title II until the date that is 30 months after the date of
the enactment of this Act, or the occurrence of the date or event in the
authorization upon which the authorization expires, whichever occurs
earlier.
END