S 1360 IS
104th CONGRESS
1st Session
S. 1360
To ensure personal privacy with respect to medical records and health
care-related information, and for other purposes.
IN THE SENATE OF THE UNITED STATES
October 24, 1995
Mr. BENNETT (for himself, Mr. DOLE, Mr. LEAHY, Mrs. KASSEBAUM, Mr.
KENNEDY, Mr. FRIST, Mr. SIMON, Mr. HATCH, Mr. GREGG, Mr. STEVENS, Mr. JEFFORDS,
Mr. KOHL, Mr. DASCHLE, and Mr. FEINGOLD) introduced the following bill; which
was read twice and referred to the Committee on Labor and Human Resources
A BILL
To ensure personal privacy with respect to medical records and health
care-related information, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United
States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) SHORT TITLE- This Act may be cited as the `Medical Records
Confidentiality Act of 1995'.
(b) TABLE OF CONTENTS- The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
TITLE I--INDIVIDUAL'S RIGHTS
Subtitle A--Review of Protected Health Information by Subjects of the
Information
Sec. 101. Inspection and copying of protected health information.
Sec. 102. Correction or amendment of protected health information.
Sec. 103. Notice of information practices.
Subtitle B--Establishment of Safeguards
Sec. 111. Establishment of safeguards.
Sec. 112. Accounting for disclosures.
TITLE II--RESTRICTIONS ON USE AND DISCLOSURE
Sec. 201. General rules regarding use and disclosure.
Sec. 202. Authorizations for disclosure of protected health information
for treatment or payment.
Sec. 203. Authorizations for disclosure of protected health information,
other than for treatment or payment.
Sec. 204. Health information services.
Sec. 205. Next of kin and directory information.
Sec. 206. Emergency circumstances.
Sec. 209. Health research.
Sec. 210. Judicial and administrative purposes.
Sec. 211. Non-law enforcement subpoenas.
Sec. 212. Law enforcement.
Sec. 213. Standards for electronic disclosures.
TITLE III--SANCTIONS
Subtitle A--Civil Sanctions
Subtitle B--Criminal Sanctions
Sec. 311. Wrongful disclosure of protected health information.
TITLE IV--MISCELLANEOUS
Sec. 401. Relationship to other laws.
Sec. 402. No liability for permissible disclosures.
Sec. 403. Effective date.
SEC. 2. PURPOSE.
The purpose of this Act is to--
(1) establish strong and effective mechanisms to protect the privacy of
persons with respect to personally identifiable health care information that
is created or maintained as part of health treatment, diagnosis, enrollment,
payment, testing, or research processes;
(2) promote the efficiency and security of the health information
infrastructure so that members of the health care community may more
effectively exchange and transfer health information in a manner that will
ensure the confidentiality of personally identifiable health information;
and
(3) establish strong and effective remedies for violations of this
Act.
SEC. 3. DEFINITIONS.
(1) CERTIFIED HEALTH INFORMATION SERVICE- The term `certified health
information service' means a health information service that receives
personally identifiable health information for the purpose of creating
nonidentifiable health information and has been certified by the Secretary
pursuant to section 204(b).
(2) CERTIFIED INSTITUTIONAL REVIEW BOARD- The term `certified
institutional review board' means an institutional review board that has
been certified by the Secretary pursuant to section 209(d).
(3) DISCLOSE- The term `disclose' means to release, transfer, or
otherwise divulge protected health information to any person other than the
individual who is the subject of such information.
(4) HEALTH CARE- The term `health care' means--
(A)(i) preventive, diagnostic, therapeutic, rehabilitative,
maintenance, or palliative care, counseling, service, or
procedure--
(I) with respect to the physical or mental condition of an
individual; or
(II) affecting the structure or function of the human body or any
part of the human body; or
(ii) any sale or dispensing of a drug, device, equipment, or other
item to an individual, or for the use of an individual, pursuant to a
prescription.
(5) HEALTH CARE PROVIDER- The term `health care provider' means a person
who, with respect to a specific item of protected health information,
receives, creates, uses, maintains, or discloses the information while
acting in whole or in part in the capacity of--
(A) a person who is licensed, certified, registered, or otherwise
authorized by law to provide an item or service that constitutes health
care, in the ordinary course of business or practice of a
profession;
(B) a Federal or State program that directly provides items or
services that constitute health care to beneficiaries; or
(C) an officer or employee of a person described in subparagraph (A)
or (B).
(6) HEALTH INFORMATION SERVICE- The term `health information service'
means a person that--
(A) uses protected health information to provide services to health
information trustees for purposes authorized under the Act;
(B) facilitates the transfer and exchange of protected health
information between health information trustees;
(C) processes protected health information into standard format for
transfer and exchanges between health information trustees;
(D) facilitates authorized access to protected health information;
or
(E) transforms protected health information into nonidentifiable
health information.
(7) Health information trustee-
(A) IN GENERAL- The term `health information trustee' means--
(i) a health care provider, health plan, health oversight agency,
health researcher, public health authority, employer, insurer, school or
university, or health information service insofar as it creates,
receives, obtains, maintains, uses, or transmits protected health
information;
(ii) any person who obtains protected health information under
sections 206, 207, 208, 209, 210, 211, or 212; or
(iii) any employee, agent, or contractor of a person covered under
clause (i) or (ii) insofar as such employee, agent, or contractor
creates, receives, obtains, maintains, uses, or transmits protected
health information.
(B) DUTIES AND RESPONSIBILITIES- The duties and responsibilities of a
health information trustee shall be negotiated between the trustee and any
agent or contractor of the trustee.
(8) HEALTH OVERSIGHT AGENCY- The term `health oversight agency' means a
person who--
(A) performs or oversees the performance of an assessment, evaluation,
determination, or investigation relating to the licensing, accreditation,
or certification of health care providers; or
(B)(i) performs or oversees the performance of an assessment,
evaluation, determination, investigation, or prosecution relating to
compliance with legal, fiscal, medical, or scientific standards relating
to--
(I) the delivery of or payment for, health care, health services or
equipment, or health research; or
(II) health care fraud or fraudulent claims regarding health care,
health services or equipment, or related activities and items;
and
(ii) is a public agency, acting on behalf of a public agency, acting
pursuant to a requirement of a public agency, or carrying out activities
under a Federal or State law governing the assessment, evaluation,
determination, investigation, or prosecution described in clause
(i).
(9) HEALTH PLAN- The term `health plan' means any health insurance plan,
including any hospital or medical service plan, dental or other health
service plan or health maintenance organization plan, or other program
providing health benefits, whether or not funded through the purchase of
insurance.
(10) HEALTH RESEARCHER- The term `health researcher' means a person who,
with respect to a specific item of protected health information, receives
the information--
(A) pursuant to section 209 (relating to health research); or
(B) while acting in whole or in part in the capacity of an officer or
employee of a person described in subparagraph (A).
(11) INDIVIDUAL REPRESENTATIVE- The term `individual representative'
means any individual legally empowered to make decisions concerning the
provision of health care to an individual (where the individual lacks the
legal capacity under State law to make such decisions) or the administrator
or executor of the estate of a deceased individual.
(12) LAW ENFORCEMENT INQUIRY- The term `law enforcement inquiry' means a
lawful investigation or official proceeding inquiring into a violation of,
or failure to comply with, any criminal or civil statute or any regulation,
rule, or order issued pursuant to such a statute.
(13) PERSON- The term `person' means a government, governmental
subdivision, agency or authority; corporation; company; association; firm;
partnership; society; estate; trust; joint venture; individual; individual
representative; and any other legal entity.
(14) PROTECTED HEALTH INFORMATION- The term `protected health
information' means any information, including demographic information
collected from an individual, whether oral or recorded in any form or
medium, that--
(A) is created or received by a health information trustee;
and
(B)(i) relates to the past, present, or future physical or mental
health or condition of an individual, the provision of health care to an
individual, or the past, present, or future payment for the provision of
health care to an individual; and
(ii)(I) identifies an individual; or
(II) with respect to which there is a reasonable basis to believe that
the information can be used to identify an individual.
(15) PUBLIC HEALTH AUTHORITY- The term `public health authority' means
an authority or instrumentality of the United States, a State, or a
political subdivision of a State that is--
(A) responsible for public health matters; and
(B) engaged in such activities as injury reporting, public health,
surveillance, and public health investigation or intervention.
(16) SECRETARY- The term `Secretary' means the Secretary of Health and
Human Services.
(17) STATE- The term `State' includes the District of Columbia, Puerto
Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana
Islands.
(18) WRITING- The term `writing' means writing in either a paper-based
or computer-based form, including electronic signatures.
TITLE I--INDIVIDUAL'S RIGHTS
Subtitle A--Review of Protected Health Information by Subjects of the
Information
SEC. 101. INSPECTION AND COPYING OF PROTECTED HEALTH INFORMATION.
(a) IN GENERAL- Except as provided in subsection (b), a health information
trustee shall permit an individual who is the subject of protected health
information or the individual's designee, to inspect and copy protected health
information concerning the individual, including records created under section
102 that the trustee maintains. A health information trustee may require an
individual to reimburse the trustee for the cost of such inspection and
copying.
(b) EXCEPTIONS- A health information trustee is not required by this
section to permit inspection or copying of protected health information if any
of the following conditions are met:
(1) ENDANGERMENT TO LIFE OR SAFETY- The trustee determines that
disclosure of the information could reasonably be expected to endanger the
life or physical safety of any individual.
(2) CONFIDENTIAL SOURCE- The information identifies or could reasonably
lead to the identification of a person who provided information under a
promise of confidentiality to a health care provider concerning the
individual who is the subject of the information.
(3) ADMINISTRATIVE PURPOSES- The information--
(A) is used by the trustee solely for administrative purposes and not
in the provision of health care or the administration of benefits to the
individual who is the subject of the information; and
(B) has not been disclosed by the health information trustee to any
other person.
(c) INSPECTION AND COPYING OF SEGREGABLE PORTION- A health information
trustee shall permit inspection and copying under subsection (a) of any
reasonably segregable portion of a record after deletion of any portion that
is exempt under subsection (b).
(d) DEADLINE- A health information trustee shall comply with or deny (with
a statement of the reasons for such denial) a request for inspection or
copying of protected health information under this section within the 30-day
period beginning on the date on which the trustee receives the request.
SEC. 102. CORRECTION OR AMENDMENT OF PROTECTED HEALTH INFORMATION.
(a) IN GENERAL- A health information trustee shall within the 45-day
period beginning on the date on which the trustee receives from an individual
a written request to correct or amend information--
(1) make the correction or amendment requested;
(2) inform the individual of the correction or amendment that has been
made; and
(3) make reasonable efforts to inform any person who is identified by
the individual, who is not an officer, employer, or agent of the trustee,
and to whom the uncorrected or unamended portion of the information was
previously disclosed, of the correction or amendment that has been
made.
(b) REFUSAL TO CORRECT OR AMEND- If the health information trustee refuses
to make the correction or amendment, the trustee shall inform the individual
of--
(1) the reasons for the refusal to make the correction or
amendment;
(2) any procedures for further review of the refusal; and
(3) the individual's right to file with the trustee a concise statement
setting forth the requested correction or amendment and the individual's
reasons for disagreeing with the refusal.
(c) STATEMENT OF DISAGREEMENT- After an individual has filed a statement
of disagreement under subsection (b)(3), the health information trustee in any
subsequent disclosure of the disputed portion of the information--
(1) shall include a copy of the individual's statement; and
(2) may include a concise statement of the reasons for not making the
requested correction or amendment.
(d) RULE OF CONSTRUCTION- This section shall not be construed to require a
health information trustee to conduct a formal, informal, or other hearing or
proceeding concerning a request for a correction or amendment to protected
health information.
(e) CORRECTION- For purposes of subsection (a), a correction is deemed to
have been made to protected health information when information that has been
disputed by an individual has been corrected, clearly marked as incorrect, or
supplemented by correct information.
SEC. 103. NOTICE OF INFORMATION PRACTICES.
(a) PREPARATION OF WRITTEN NOTICE- A health information trustee other than
a health information service shall provide, in a clear and conspicuous manner,
written notice of the trustee's information practices, including a description
of the trustee's health information practices, including notice of individual
rights with respect to protected health information.
(b) MODEL NOTICE- The Secretary, after notice and opportunity for public
comment, shall develop and disseminate model notices of information practices
for use under this section.
Subtitle B--Establishment of Safeguards
SEC. 111. ESTABLISHMENT OF SAFEGUARDS.
(a) IN GENERAL- A health information trustee shall establish and maintain
appropriate administrative, technical, and physical safeguards to ensure the
confidentiality, security, accuracy, and integrity of protected health
information created, received, obtained, maintained, used or transmitted by
the trustee.
(A) IN GENERAL- In promulgating regulations under this Act, the
Secretary shall follow the procedures authorized under sections 581
through 590 of title 5, United States Code.
(i) DETERMINATION BY THE SECRETARY- If the Secretary determines that
a negotiated rulemaking committee shall not be established as permitted
by section 583 of title 5, United States Code, the Secretary shall
appoint and consult with an advisory group of knowledgeable
individuals.
(ii) MEMBERSHIP- The advisory group shall consist of at least 7 but
no more than 12 individuals including representatives of--
(I) health care professionals and health care
entities;
(II) health care consumers;
(III) third party payors/administrators; and
(iii) RESPONSIBILITIES- The advisory group shall review all proposed
rules and regulations and submit recommendations to the Secretary. The
advisory group shall also assist the Secretary in establishing the
standards for compliance with rules and regulations, in developing an
annual report to the Congress on the status of the requirements set
forth in this Act, their cost impact, and any recommendations for
modifications in order to ensure efficient and confidential electronic
data interchange of individually identifiable health care
information.
(2) CONSULTATION- The Secretary may promulgate regulations in
consultation with privacy, industry, and consumer groups.
SEC. 112. ACCOUNTING FOR DISCLOSURES.
(a) IN GENERAL- A health information trustee shall create and maintain,
with respect to any protected health information disclosure that is not
related to treatment, a record of the disclosure in accordance with
regulations issued by the Secretary.
(b) RECORD OF DISCLOSURE PART OF PROTECTED HEALTH INFORMATION- A record
created and maintained under subsection (a) shall be maintained as protected
health information for not less than 7 years.
TITLE II--RESTRICTIONS ON USE AND DISCLOSURE
SEC. 201. GENERAL RULES REGARDING USE AND DISCLOSURE.
(a) GENERAL RULE- A health information trustee may not disclose protected
health information except as authorized under this title.
(1) COMPATIBILITY TO PURPOSE- Protected health information may not be
used or disclosed to any person unless the use or disclosure is compatible
with and related to the purposes for which the information was
obtained.
(2) LIMITATION ON INFORMATION- Every disclosure of protected health
information by a health information trustee shall be limited to the minimum
amount of information necessary to accomplish the purpose for which the
information is disclosed.
(c) NO GENERAL REQUIREMENT TO DISCLOSE- Nothing in this title that permits
a disclosure of health information shall be construed to require such
disclosure.
(d) IDENTIFICATION OF DISCLOSED INFORMATION AS PROTECTED INFORMATION-
Except as provided in this title, a health information trustee may not
disclose protected health information unless such information is clearly
identified as protected health information that is subject to this title.
(e) INFORMATION IN WHICH PROVIDERS ARE IDENTIFIED- The Secretary shall
issue regulations protecting information identifying providers in order to
promote the availability of health care services.
SEC. 202. AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH INFORMATION FOR
TREATMENT OR PAYMENT.
(a) WRITTEN AUTHORIZATIONS- A health information trustee may disclose
protected health information for purposes of treatment or payment pursuant to
an authorization executed by the individual who is the subject of the
information (or a person acting for the individual pursuant to State law) if
each of the following requirements is met:
(1) WRITING- The authorization is in writing or electronically
authenticated, signed by the individual who is the subject of the
information, and dated.
(2) SEPARATE FORM- Separate forms authorizing disclosures for treatment
and payment processes are provided to the individual.
(3) INFORMATION DESCRIBED- The information to be disclosed is specified,
or is described in the authorization.
(4) TRUSTEE DESCRIBED- The trustee who is authorized to disclose such
information is specifically identified, or is described in the
authorization.
(5) RECIPIENT DESCRIBED- The person to whom the information is to be
disclosed is specifically identified, or is described in the
authorization.
(6) RIGHT TO REVOKE OR AMEND- The authorization contains an
acknowledgement that the individual who is the subject of the information
has the right to revoke or amend the authorization.
(7) STATEMENT OF INTENDED DISCLOSURES- The authorization contains an
acknowledgment that the individual who is the subject of the information has
read a statement of the disclosures that the person who receives the
protected health information intends to make.
(8) INFORMATION RESTRICTED- The authorization includes a proviso that
the information will be disclosed solely for a purpose that is compatible
with and related to the purposes for which the information was collected or
received by the trustee.
(9) EXPIRATION DATE SPECIFIED- The authorization specifies a date or
event at which the authorization expires.
(b) Revocation or Amendment of Authorization-
(1) IN GENERAL- The authorization contains an acknowledgment that the
individual may in writing revoke or amend an authorization described in
subsection (a), at any time, except that with respect to disclosure of
protected health information to permit validation of expenditures for health
care that has previously been authorized the authorization may not be
revoked.
(2) NOTICE OF REVOCATION- A health information trustee who discloses
protected health information pursuant to an authorization described in
subsection (a) that has been revoked shall not be subject to any liability
or penalty under this Act if the trustee had no actual or constructive
notice of the revocation.
(c) MODEL AUTHORIZATIONS- The Secretary, after notice and opportunity for
public comment, shall develop and disseminate model written authorizations of
the type described in subsection (a) and model statements of intended
disclosures of the type described in subsection (a)(6).
(d) COPY- A health information trustee who discloses protected health
information pursuant to an authorization under this section shall maintain a
copy of the authorization.
SEC. 203. AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH INFORMATION,
OTHER THAN FOR TREATMENT OR PAYMENT.
(a) WRITTEN AUTHORIZATIONS- A health information trustee may disclose
protected health information pursuant to an authorization executed by the
individual who is the subject of the information if the following conditions
are met:
(1) GENERAL REQUIREMENTS- The requirements of section 202(a) (1) through
(6) are met.
(2) STATEMENT OF INTENDED DISCLOSURES- The statement of intended
disclosure shall be in writing, on a form that is separate from the
authorization for disclosure, and shall be received by the individual
authorizing the disclosure on or before the date the authorization is
executed.
(3) AUTHORIZATION NOT REQUESTED IN CONNECTION WITH PROVISION OF HEALTH
CARE- The authorization is not requested on a day on which the trustee
provides health care to the individual requested to provide the
authorization.
(4) EXPIRATION DATE SPECIFIED- The authorization specifies a date or
event upon which the authorization expires, which shall not exceed 1 year
from the date of the execution of the authorization.
(b) LIMITATION ON AUTHORIZATIONS- A health information trustee may not
condition delivery of treatment or payment for services on the receipt of an
authorization described in subsection (a).
(c) REVOCATION OR AMENDMENT OF AUTHORIZATION-
(1) IN GENERAL- An individual may in writing revoke or amend an
authorization described in subsection (a).
(2) NOTICE OF REVOCATION- A health information trustee who discloses
protected health information pursuant to an authorization that has been
revoked shall not be subject to any liability or penalty under this title if
the trustee had no actual or constructive notice of the revocation.
(d) MODEL AUTHORIZATIONS- The Secretary, after notice and opportunity for
public comment, shall develop and disseminate model written authorizations of
the type described in subsection (a) and model statements of the intended
disclosures of the type described in subsection (a)(2).
(e) AUTHORIZATION NOT REQUIRED- This section does not apply to sections
204, 205, 206, 207, 208, 209, 210, 211, and 212.
SEC. 204. CREATION OF NONIDENTIFIABLE INFORMATION.
(a) CREATION OF NONIDENTIFIABLE INFORMATION- A health information trustee
may disclose protected health information to a certified health information
service for the purpose of creating nonidentifiable health information.
(b) Certification of Health Information Services-
(1) REGULATIONS- The Secretary, after notice and opportunity for public
comment, shall issue regulations establishing certification requirements for
health information services under this title. Such regulations shall include
requirements that the health information service establish and maintain
appropriate administrative, technical, and physical safeguards to ensure the
confidentiality, security, accuracy, and integrity of protected health
information.
(2) CERTIFICATION- The Secretary shall certify a health information
service that meets the certification requirements established by the
Secretary under paragraph (1).
SEC. 205. NEXT OF KIN AND DIRECTORY INFORMATION.
(a) NEXT OF KIN- A health care provider, or a person who receives
protected health information under section 206, may disclose protected health
information regarding an individual to the individual's next of kin, to an
individual representative of the individual, or to an individual with whom
that individual has a significant personal relationship if--
(1) the individual who is the subject of the information--
(A) has been notified of the individual's right to object and has not
objected to the disclosure;
(B) is not competent to be notified about the right to object;
or
(C) exigent circumstances exist such that it would not be practicable
to notify the individual of the right to object; and
(2) the information disclosed relates to health care currently being
provided to that individual.
(b) Directory Information-
(1) DISCLOSURE- Except as provided in paragraph (2), a health
information trustee may disclose the information described in subparagraph
(B) to any person if--
(A) the individual who is the subject of the information--
(i) has been notified of the individual's right to object and has
not objected to the disclosure;
(ii) is not competent to be notified about the right to object;
or
(iii) exigent circumstances exist such that it would not be
practicable to notify the individual of the right to object;
and
(B) the information consists only of 1 or more of the following
items:
(i) the name of the individual who is the subject of the
information;
(ii) the general health status of the individual, described as
critical, poor, fair, stable, or satisfactory or in terms denoting
similar conditions; and
(iii) the location of the individual on premises controlled by a
provider.
(2) EXCEPTION- If disclosure of the location of the individual reveals
specific information about the physical or mental condition of the
individual, the individual must expressly authorize such disclosure.
(1) IDENTIFICATION- A health information trustee may disclose protected
health information if necessary to assist in the identification of a
deceased individual.
(2) REGULATIONS- The Secretary shall develop and establish through
regulation a procedure for obtaining protected health information relating
to a deceased individual when there is no individual representative for such
individual.
SEC. 206. EMERGENCY CIRCUMSTANCES.
Any person who receives protected health information under this title may
disclose protected health information in emergency circumstances when
necessary to protect the health or safety of an individual from serious,
imminent harm.
SEC. 207. OVERSIGHT.
(a) IN GENERAL- A health information trustee may disclose protected health
information to a health oversight agency for an oversight function authorized
by law.
(b) USE IN ACTION AGAINST INDIVIDUALS- Protected health information about
an individual that is disclosed under this section may not be used in, or
disclosed to any person for use in, an administrative, civil, or criminal
action or investigation directed against the individual unless the action or
investigation arises out of and is directly related to--
(1) receipt of health care or payment for health care; or
(2) an action involving a fraudulent claim related to health.
SEC. 208. PUBLIC HEALTH.
A health care provider, health plan, health researcher, public health
authority, employer, insurer, school or university, or certified health
information network service, or person who receives protected health
information under section 206, may disclose protected health information to a
public health authority or other person authorized by law for use in a legally
authorized--
(1) disease or injury report;
(2) public health surveillance; or
(3) public health investigation or intervention.
SEC. 209. HEALTH RESEARCH.
(a) IN GENERAL- A health information trustee may disclose protected health
information to a health researcher if a certified institutional review board
determines that the research project engaged in by the health researcher--
(1) requires use of the protected health information for the
effectiveness of the project; and
(2) is of sufficient importance to outweigh the intrusion into the
privacy of the individual who is the subject of the information that would
result from the disclosure.
(b) OBLIGATIONS OF RECIPIENT- A person who receives protected health
information pursuant to subsection (a)--
(1) shall remove or destroy, at the earliest opportunity consistent with
the purposes of the project, information that would enable an individual to
be identified, unless--
(A) a certified institutional review board has determined that there
is a health or research justification for retention of such identifiers;
and
(B) there is an adequate plan to protect the identifiers from
disclosure that is inconsistent with this section; and
(2) shall use protected health information solely for purposes of the
health research project for which disclosure was authorized by a certified
institutional review board under subsection (a).
(c) SPECIAL RULE FOR RESEARCHERS OTHER THAN ACADEMIC CENTERS OR HEALTH
CARE FACILITIES- If a health researcher is not located in an academic center,
a health care facility or public health agency, the determinations required by
a certified institutional review board shall be approved by the Secretary
before the determination is issued.
(d) CERTIFICATION OF INSTITUTIONAL REVIEW BOARDS-
(1) REGULATIONS- The Secretary, after notice and opportunity for public
comment, shall issue regulations establishing certification requirements for
institutional review boards under this title. Such regulations shall be
based on regulations issued under section 491(a) of the Public Health
Service Act. The regulations shall ensure that institutional review boards
certified under this paragraph have the qualifications to assess and protect
the confidentiality of research subjects.
(2) CERTIFICATION- The Secretary shall certify an institutional review
board that meets the certification requirements established by the Secretary
under paragraph (1).
SEC. 210. JUDICIAL AND ADMINISTRATIVE PURPOSES.
(a) IN GENERAL- A health care provider, health plan, health oversight
agency, employer, school, university, insurer, or person who receives
protected health information under section 206, may disclose protected health
information--
(1) pursuant to the Federal Rules of Civil Procedure, the Federal Rules
of Criminal Procedure, or comparable rules of other courts or administrative
agencies, in connection with litigation or proceedings to which the
individual who is the subject of the information is a party and in which the
individual has placed his or her physical or mental condition at
issue;
(2) to a court, and to others ordered by the court, if the protected
health information is developed in response to a court-ordered physical or
mental examination; or
(3) pursuant to a law requiring the reporting of specific medical
information to law enforcement authorities.
(b) OBLIGATIONS OF RECIPIENT- A person seeking protected health
information pursuant to subsection (a)--
(1) shall notify the individual or the individual's attorney of the
request for the information;
(2) shall provide the health information trustee with a signed document
attesting--
(A) that the individual has placed his or her physical or mental
condition at issue in litigation or proceedings in which the individual is
a party; and
(B) the date on which the individual or the individual's attorney was
notified under paragraph (1); and
(3) shall not accept any requested protected health information from the
trustee until the termination of the 10-day period beginning on the date
notice was given under paragraph (1).
SEC. 211. NON-LAW ENFORCEMENT SUBPOENAS.
(a) IN GENERAL- A health care provider, health plan, health oversight
agency, employer, insurer, school or university, or person who receives
protected health information under section 206, may disclose protected health
information under this section if the disclosure is pursuant to a subpoena
issued on behalf of a party who has complied with the access provisions of
subsection (b).
(b) ACCESS PROCEDURES- A person may not obtain protected health
information about an individual pursuant to a subpoena unless--
(1) a copy of the subpoena together with a notice of the individual's
right to challenge the subpoena in accordance with subsection (c), has been
served upon the individual on or before the date of return of the subpoena;
and--
(2)(A) 15 days have passed since the date of service on the individual,
and within that time period the individual has not indicated a challenge in
accordance with subsection (c)(1); or
(B) disclosure is ordered by a court under subsection (c)(2).
(c) Challenge Procedures-
(1) MOTION TO QUASH SUBPOENA- After service of a copy of the subpoena
seeking protected health information under subsection (b), the individual
who is the subject of the protected health information may file in any court
of competent jurisdiction a motion to quash the subpoena.
(2) Standard for decision-
(A) IN GENERAL- The court shall grant a motion under paragraph (1)
unless the respondent demonstrates that--
(i) there is reasonable ground to believe the information is
relevant to a lawsuit or other judicial or administrative proceeding;
and
(ii) the need of the respondent for the information outweighs the
privacy interest of the individual.
(B) CRITERIA FOR DECISION- In determining whether the need of the
respondent for the information outweighs the privacy interest of the
individual, the court shall consider--
(i) the particular purpose for which the information was
collected;
(ii) the degree to which disclosure of the information would
embarrass, injure, or invade the privacy of the individual;
(iii) the effect of the disclosure on the individual's future health
care;
(iv) the importance of the information to the lawsuit or proceeding;
and
(v) any other relevant factor.
(3) ATTORNEY'S FEES- In the case of a motion brought under paragraph (1)
in which the individual has substantially prevailed, the court may assess
against the respondent a reasonable attorney's fee and other litigation
costs and expenses (including expert fees) reasonably incurred.
SEC. 212. LAW ENFORCEMENT.
(a) Government Subpoenas and Warrants-
(1) IN GENERAL- A health information trustee shall disclose protected
health information under this section if the disclosure is pursuant
to--
(A) a subpoena issued under the authority of a grand jury; or
(B) an administrative subpoena or summons or a judicial subpoena or
warrant,
which meets the conditions of paragraph (2).
(2) PROBABLE CAUSE REQUIREMENT- A government authority may not obtain
protected health information about an individual under paragraph (1) for use
in a law enforcement inquiry unless there is probable cause to believe that
the information is relevant to a legitimate law enforcement inquiry being
conducted by the government authority.
(3) WARRANTS- A government authority that obtains protected health
information about an individual pursuant to a warrant shall, not later than
30 days after the date the warrant was executed, serve the individual with,
or mail to the last known address of the individual, a notice that protected
health information about the individual was obtained, together with a notice
of the individual's right to challenge the warrant.
(4) SUBPOENA OR SUMMONS- Except as provided in paragraph (5), a
government authority may not obtain protected health information about an
individual pursuant to a subpoena or summons unless a copy of the subpoena
or summons has been served on the individual, if the identity of the
individual is known, on or before the date of the return of the subpoena or
summons, together with notice of the individual's right to challenge the
subpoena or summons. If the identity of the individual is not known at the
time the subpoena or summons is served, the individual shall be served not
later than 30 days thereafter, with notice that protected health information
about the individual was obtained together with notice of the individual's
right to challenge the subpoena or summons.
(5) Application for delay-
(A) IN GENERAL- A government authority may apply ex parte and under
seal to an appropriate court to delay (for an initial period of not longer
than 90 days) service of the notice regarding execution of the warrant as
required under paragraph (3) or a copy of the subpoena as required under
paragraph (4). The government authority may apply to the court for
extensions of the delay.
(B) EX PARTE ORDER- The court shall enter an ex parte order delaying
or extending the delay of notice, an order prohibiting the disclosure of
the request for, or the disclosure of, the protected health information,
and an order requiring the disclosure of the protected health information
if the court finds that--
(i) the inquiry being conducted is within the lawful jurisdiction of
the government authority seeking the protected health
information;
(ii) there is probable cause to believe that the protected health
information being sought is relevant to a legitimate law enforcement
inquiry;
(iii) the government authority's need for the information outweighs
the privacy interest of the individual who is the subject of the
information; and
(iv) there is reasonable ground to believe that receipt of notice by
the individual will result in--
(I) endangering the life or physical safety of any
individual;
(II) flight from prosecution;
(III) destruction of or tampering with evidence or the information
being sought;
(IV) intimidation of potential witnesses; or
(V) disclosure of the existence or nature of a confidential law
enforcement investigation or grand jury investigation that is likely
to seriously jeopardize such investigation.
(6) INFORMATION IN RESPONSE TO LAW ENFORCEMENT INQUIRY- Protected health
information about an individual that is disclosed under this section may not
be used in, or disclosed to any person for use in any administrative, civil
or criminal action or investigation directed against the individual unless
the action or investigation arises out of or is directly related to the law
enforcement inquiry for which the information was obtained.
(b) Challenge Procedures for Law Enforcement Warrants, Subpoenas, and
Summonses-
(1) MOTION TO QUASH- Within 15 days after the date of service of a
notice of execution of a warrant or a copy of a subpoena or summons, of a
government authority seeking protected health information about an
individual under subsection (a), the individual may file a motion to
quash.
(2) STANDARD FOR DECISION- The court shall grant a motion under
paragraph (1) unless the government demonstrates there is probable cause to
believe the protected health information is relevant to a legitimate law
enforcement inquiry being conducted by the government authority and the
government authority's need for the information outweighs the privacy
interest of the individual.
(3) ATTORNEY'S FEES- In the case of a motion brought under paragraph (1)
in which the individual has substantially prevailed, the court may assess
against the government authority reasonable attorney's fees and other
litigation costs (including expert fees) reasonably incurred.
(4) NO INTERLOCUTORY APPEAL- A ruling denying a motion to quash under
this section shall not be deemed to be a final order, and no interlocutory
appeal may be taken therefrom by the individual.
(c) EXCEPTIONS- A health information trustee may disclose protected health
information to a law enforcement agency if the information is requested for
use--
(1) in an investigation or prosecution of a health information
trustee;
(2) in the identification of a victim or witness in a law enforcement
inquiry; or
(3) in connection with the investigation of criminal activity committed
against the trustee or on premises controlled by the trustee.
SEC. 213. STANDARDS FOR ELECTRONIC DISCLOSURES.
The Secretary shall promulgate standards for disclosing, authorizing and
authenticating protected health information in electronic form in accordance
with this title.
TITLE III--SANCTIONS
Subtitle A--Civil Sanctions
SEC. 301. CIVIL PENALTY.
(a) VIOLATION- Any health information trustee who the Secretary determines
has substantially and materially failed to comply with this Act shall be
subject, in addition to any other penalties that may be prescribed by law,
to--
(1) a civil penalty of not more than $10,000 for each such violation,
but not to exceed $50,000 in the aggregate for multiple violations;
and
(2) a civil penalty of not more than $250,000 or exclusion from
participation in medicare and medicaid, or any other federally funded health
care programs, if the Secretary finds that such violations have occurred
with such frequency as to constitute a general business practice.
(b) PROCEDURES FOR IMPOSITION OF PENALTIES- Section 1128A of the Social
Security Act, other than subsections (a) and (b) and the second sentence of
subsection (f) of that section, shall apply to the imposition of a civil,
monetary, or exclusionary penalty under this section in the same manner as
such provisions apply with respect to the imposition of a penalty under
section 1128A of such Act.
SEC. 302. CIVIL ACTION.
(a) IN GENERAL- An individual who is aggrieved by conduct in violation of
this title may bring a civil action to recover--
(1) such preliminary and equitable relief as the court determines to be
appropriate;
(2) the greater of actual damages or liquidated damages of $5,000;
and
(b) ATTORNEY'S FEES- In the case of a civil action brought under
subsection (a) in which the individual has substantially prevailed, the court
may assess against the respondent a reasonable attorney's fee and other
litigation costs and expenses (including expert fees) reasonably incurred.
(c) LIMITATION- No action may be commenced under this section more than 3
years after the date on which the violation was or should reasonably have been
discovered.
Subtitle B--Criminal Sanctions
SEC. 311. WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION.
(a) OFFENSE- A person who knowingly--
(1) obtains protected health information relating to an individual in
violation of this title; or
(2) discloses protected health information to another person in
violation of this title, shall be punished as provided in subsection
(b).
(b) PENALTIES- A person described in subsection (a) shall--
(1) be fined not more than $50,000, imprisoned not more than 1 year, or
both;
(2) if the offense is committed under false pretenses, be fined not more
than $250,000, imprisoned not more than 5 years, excluded from participation
in medicare and medicaid, or any other federally funded health care
programs, or any combination of such penalties; and
(3) if the offense is committed with intent to sell, transfer, or use
protected health information for commercial advantage, personal gain, or
malicious harm, be fined not more than $500,000, imprisoned not more than 10
years, excluded from participation in medicare and medicaid, or any other
federally funded health care programs, or any combination of such
penalties.
TITLE IV--MISCELLANEOUS
SEC. 401. RELATIONSHIP TO OTHER LAWS.
(a) STATE LAW- Except as provided in subsections (b), (c), and (d), this
Act preempts State law.
(b) PRIVILEGES- Nothing in this title shall be construed to preempt or
modify State common or statutory law to the extent such law concerns a
privilege of a witness or person in a court of the State. This title shall not
be construed to supersede or modify Federal common or statutory law to the
extent such law concerns a privilege of a witness or person in a court of the
United States. Authorizations pursuant to sections 202 and 203 shall not be
construed as a waiver of any such privilege.
(c) CERTAIN DUTIES UNDER STATE OR FEDERAL LAW- Nothing in this title shall
be construed to preempt, supersede, or modify the operation of--
(1) any law that provides for the reporting of vital statistics such as
birth or death information;
(2) any law requiring the reporting of abuse or neglect information
about any individual;
(3) any State law relating to public or mental health that prevents or
otherwise restricts disclosure of protected health information otherwise
allowed under this title;
(4) any law that governs a minor's rights to access protected health
information;
(5) subpart II of part E of title XXVI of the Public Health Service Act
(relating to notifications of emergency response employees of possible
exposure to infectious diseases);
(6) any Federal law or regulation governing confidentiality of alcohol
and drug patient records;
(7) the Americans With Disabilities Act of 1990; or
(8) any Federal or State statute that establishes a privilege for
records used in health professional peer review activities.
SEC. 402. NO LIABILITY FOR PERMISSIBLE DISCLOSURES.
A health information trustee who makes a disclosure of protected health
information about an individual that is permitted by this title shall not be
liable to the individual for such disclosure under common law.
SEC. 403. EFFECTIVE DATE.
(a) EFFECTIVE DATE- This Act shall take effect 12 months after the date of
enactment of this Act.
(b) REGULATIONS- The Secretary shall promulgate regulations implementing
this Act not later than 6 months after the date of enactment of this Act.