S 2863 IS
106th CONGRESS
2d Session
S. 2863
To prohibit use or sharing of medical health records or information
by financial institutions and their affiliates, and for other purposes.
IN THE SENATE OF THE UNITED STATES
July 13, 2000
Mr. SMITH of New Hampshire introduced the following bill; which was read
twice and referred to the Committee on Banking, Housing, and Urban Affairs
A BILL
To prohibit use or sharing of medical health records or information
by financial institutions and their affiliates, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United
States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the `Health Information Protection Act of
2000'.
SEC. 2. PROHIBITIONS ON SHARING OF HEALTH INFORMATION.
(a) IN GENERAL- Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802)
is amended by adding at the end the following:
`(f) SHARING OF HEALTH INFORMATION PROHIBITED-
`(1) IN GENERAL- Notwithstanding subsection (a) or (b), and except as
provided in paragraph (2)--
`(A) no financial institution or affiliate thereof may receive from,
provide to, or otherwise share with any nonaffiliated third party any
individually identifiable health information with respect to a consumer to
perform services for or functions on behalf of the financial institution
or affiliate, including marketing of its own products or services or of
financial products or services offered under a joint agreement between 2
or more financial institutions; and
`(B) no financial institution or affiliate thereof may receive from,
provide to, or otherwise share with any other affiliate any individually
identifiable health information with respect to a consumer.
`(A) PAYMENTS- Paragraph (1) does not preclude the sharing of
information in connection with the collection of or payment of a medically
related debt or insurance claim, limited to information about the specific
item, service, procedure, or condition that is the subject of the debt or
claim.
`(i) IN GENERAL- Paragraph (1) does not apply if the financial
institution or affiliate thereof that intends to share individually
identifiable health information relating to a consumer--
`(I) has clearly and conspicuously requested in writing, in
accordance with clause (ii), that the consumer consent to such
sharing;
`(II) has obtained affirmative written consent from the consumer
for such sharing, and such consent has not been withdrawn;
and
`(III) requires the same health information about all consumers
for the intended use of the information.
`(ii) FORMAT OF WRITTEN REQUEST- A request for consent under clause
(i)(I)--
`(I) shall be contained in a separate form, intended only for that
purpose;
`(II) shall specify that the consent is being sought to provide
individually identifiable health information to an affiliate or a
nonaffiliated party, as the case may be; and
`(III) shall specify with whom and for what purpose the
information will be shared.
`(iii) WITHDRAWAL OF CONSENT- A consumer that has given written
consent to the sharing of individually identifiable health information
under this subparagraph to any person may withdraw such consent in
writing at any time. No person shall be in violation of this subsection
for the lawful sharing of individually identifiable health information
under this subparagraph before the date of receipt of a written
withdrawal of consent under this clause.
`(C) VOLUNTARY INFORMATION- Nothing in this subsection precludes a
consumer from voluntarily providing individually identifiable health
information to a life, health, or disability insurer that is an entity
described in paragraph (1).
`(3) LIMITATION ON ADVERSE ACTION- A financial institution or affiliate
thereof, that is not organized for the purpose of underwriting insurance
products, subject to other applicable law, may not establish the terms of a
financial transaction, make a decision to offer, provide, or continue to
provide a product or service to a consumer, or otherwise take any adverse
action with respect to the consumer--
`(A) based on individually identifiable health information;
or
`(B) based on whether or not the consumer consents to the sharing of
such information in response to a consent request under paragraph
(2)(B).
`(4) LIMITS ON REDISCLOSURE AND REUSE OF INFORMATION-
`(A) IN GENERAL- A financial institution, affiliate, or nonaffiliated
third party that receives individually identifiable health information
from a financial institution or affiliate in accordance with any exception
in paragraph (2) shall not disclose such information to any other person
unless such disclosure would be lawful if made directly to such other
person by the financial institution or affiliate that provided the
information.
`(B) DISCLOSURE UNDER EXCEPTION- Notwithstanding subparagraph (A), any
person that receives individually identifiable health information from a
financial institution or affiliate in accordance with any exception in
paragraph (2) may also use or disclose such information only as permitted
under that exception and this subsection.
`(5) EXISTING PROTECTIONS FOR HEALTH INFORMATION NOT AFFECTED- Nothing
in this subsection shall be construed as--
`(A) modifying, limiting, or superseding standards governing the
privacy and security of individually identifiable health information
promulgated by the Secretary of Health and Human Services under section
264 of the Health Insurance Portability and Accountability Act of 1996, or
the amendments made by section 262(a) of that Act; or
`(B) authorizing the use or disclosure of individually identifiable
health information in a manner other than as permitted by other applicable
law.
`(6) RELATION TO STATE LAWS-
`(A) IN GENERAL- This subsection shall not be construed as
superseding, altering, or affecting the statutes, regulations, orders, or
interpretations in effect in any State, except to the extent that such
statutes, regulations, orders, or interpretations are inconsistent with
the provisions of this subsection, and then only to the extent of the
inconsistency.
`(B) GREATER PROTECTION UNDER STATE LAW- For purposes of this
paragraph, a State statute, regulation, order, or interpretation is not
inconsistent with the provisions of this subsection if the protection that
such statute, regulation, order, or interpretation affords any person is
greater than the protection provided under this subsection, as determined
by the appropriate enforcement authority referred to in section 505, on
its own motion or upon the petition of any interested party.
`(7) FEDERAL AND STATE ACTION- The Attorney General of the United States
or the Attorney General of a State, or the State bank supervisor, as defined
in section 3 of the Federal Deposit Insurance Act, as appropriate, may
impose a fine of not more than $25,000 per record, per person, affiliate, or
nonaffiliated person to which the record was distributed in violation of
this subsection.'.
SEC. 3. DEFINITION OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION.
Section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809) is amended by
adding at the end the following new paragraph:
`(12) INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION- The term
`individually identifiable health information' means any information,
including demographic information obtained from or about an individual, that
is described in section 1171(6)(B) of the Social Security Act.'.
SEC. 4. EFFECTIVE DATE.
This Act and the amendments made by this Act shall become effective 90
days after the date of enactment of this Act.