HR 5442 IH

110th CONGRESS

2d Session

H. R. 5442

To provide individuals with access to health information of which they are a subject, to ensure personal privacy, security, and confidentiality with respect to health related information in promoting the development of a nationwide interoperable health information infrastructure, to impose criminal and civil penalties for unauthorized use of personal health information, to provide for the strong enforcement of these rights, to protect States' rights, and for other purposes.

IN THE HOUSE OF REPRESENTATIVES

February 14, 2008

Mr. MARKEY (for himself, Mr. EMANUEL, and Mrs. CAPPS) introduced the following bill; which was referred to the Committee on Energy and Commerce, and in addition to the Committees on Ways and Means, Education and Labor, and Financial Services, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

A BILL

To provide individuals with access to health information of which they are a subject, to ensure personal privacy, security, and confidentiality with respect to health related information in promoting the development of a nationwide interoperable health information infrastructure, to impose criminal and civil penalties for unauthorized use of personal health information, to provide for the strong enforcement of these rights, to protect States' rights, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    (a) Short Title- This Act may be cited as the `Technologies for Restoring Users' Security and Trust in Health Information Act of 2008' or as the `TRUST in Health Information Act of 2008'.

    (b) Table of Contents- The table of contents of this Act is as follows:

      Sec. 1. Short title.

      Sec. 2. Findings; purposes.

TITLE I--HEALTH INFORMATION PRIVACY AND SECURITY

      Sec. 100. Summary of privacy rights and security obligations.

Subtitle A--Access to and Accuracy of Personal Health Information

      Sec. 101. Inspection and copying of personal health information.

      Sec. 102. Modifications to personal health information.

Subtitle B--Security of Personal Health Information

      Sec. 111. Notice of privacy practices.

      Sec. 112. Establishment of safeguards.

      Sec. 113. Notification in the case of breach.

      Sec. 114. Transparency.

      Sec. 115. Risk management.

      Sec. 116. Accounting for disclosures and use.

Subtitle C--Use and Disclosure of Personal Health Information

Chapter 1--General Restrictions

      Sec. 121. General rules regarding use and disclosure.

      Sec. 122. Informed consent for disclosure of personal health information for treatment and payment.

      Sec. 123. Informed consent and authorization for disclosure of personal health information other than for treatment or payment.

Chapter 2--Exceptions

      Sec. 131. Disclosure for law enforcement, national security, and intelligence purposes.

      Sec. 132. Disclosure for public health purposes.

      Sec. 133. Reporting of abuse and neglect to protection and advocacy agencies.

      Sec. 134. Disclosure to next of kin and directory information.

Chapter 3--Special Circumstances

      Sec. 141. Emergency circumstances.

      Sec. 142. Health research.

      Sec. 143. Health oversight functions.

      Sec. 144. Individual representatives.

Subtitle D--Enforcement

      Sec. 151. In general.

      Sec. 152. Enforcement by State attorneys general.

Subtitle E--Miscellaneous

      Sec. 161. Office of Health Information Privacy.

      Sec. 162. Protection for whistleblowers.

      Sec. 163. Demonstration grant for individuals with limited English language proficiency or limited health literacy.

      Sec. 164. Relationship to other laws.

      Sec. 165. Effective date.

Subtitle F--General Definitions

      Sec. 171. General definitions.

TITLE II--PROMOTION OF HEALTH INFORMATION TECHNOLOGY

Subtitle A--Improving the Interoperability of Health Information Technology

      Sec. 201. Office of the National Coordinator of Health Information Technology.

      Sec. 202. Partnership for Health Care Improvement.

      Sec. 203. American Health Information Community policies.

      Sec. 204. Research access to health care data and reporting on performance.

Subtitle B--Facilitating the Widespread Adoption of Interoperable Health Information Technology

      Sec. 211. Facilitating the widespread adoption of interoperable health information technology.

      Sec. 212. Demonstration program to integrate information technology into clinical education.

      Sec. 213. Qualified health information technology system defined.

Subtitle C--Improving the Quality of Health Care

      Sec. 221. Fostering development and use of health care quality measures.

      Sec. 222. Adoption and use of quality measures; reporting.

Subtitle D--Miscellaneous Provisions

      Sec. 231. Health Information Technology Resource Center.

      Sec. 232. Facilitating the provision of telehealth services across State lines.

Subtitle E--Definitions

      Sec. 241. Definitions.

TITLE III--ADDITIONAL PROVISIONS

      Sec. 301. Federal purchasing and data collection by CMS and other Federal agencies.

      Sec. 302. Ensuring health care providers participating in the medicare program may maintain health information in electronic form.

SEC. 2. FINDINGS; PURPOSES.

    (a) Findings- Congress finds the following:

      (1) Americans are deeply concerned about the privacy and security of their personal information, including their health records.

      (2) In October 2007, a Harris Interactive Poll commissioned by the Institute of Medicine found that 58 percent of respondents indicated they do not believe Federal and State laws and organizational practices offer sufficient protection of personal health information.

      (3) In February 2007, the Markle Foundation reported that 80 percent of individuals surveyed were very concerned about identity theft or fraud and 77 percent were very concerned that their medical information would be used for marketing purposes.

      (4) Concerns about the privacy and security of personal health information are fueled by the escalating number of breaches of personal information that have occurred in recent years and numerous reports of the inadequacy of the security of electronic networks.

      (5) According to the Privacy Rights Clearinghouse, more than 216,000,000 data records belonging to U.S. residents have been exposed to potential misuse as a result of security breaches since January 2005.

      (6) A nationwide interoperable health information infrastructure can strengthen privacy, security, and confidentiality safeguards, protecting patients' personal health information while also improving health care quality, safety, and affordability.

      (7) In order for individuals, health care providers, and health care payers to achieve the benefits associated with such infrastructure, strong data privacy, security, and confidentiality standards must be developed, adopted, and incorporated into the health information technology infrastructure.

      (8) While Executive Order 13335 regarding interoperable health information technology issued on April 27, 2004, called for widespread adoption of interoperable electronic health records within 10 years, established the position of National Coordinator of Health Information Technology, and stipulated that the plan for the nationwide implementation of interoperable health information technology should address privacy and security issues, adequate progress has not been made to ensure that a strong data privacy, security, and confidentiality approach will guide the development of this nationwide infrastructure beginning in its initial stages and continuing throughout its formulation.

      (9) According to a February 1, 2007, report of the Government Accountability Office (GAO), the Department of Health and Human Services and its Office of the National Coordinator of Health Information Technology have not yet defined an overall approach for integrating privacy-related initiatives the Department has undertaken in the area of health information technology or addressing key privacy principles, nor has the Department defined milestones for integrating the results of these activities while it has moved forward with development of standards for a national electronic health information system.

      (10) All Americans have a right to privacy, security, and confidentiality with respect to the electronic disclosure of their personal health information, and the nationwide implementation of interoperable health information technology should abide by, and be consistent with, this right.

      (11) Without adequate privacy, security, and confidentiality standards, individuals will be more likely to avoid or delay medical treatment or withhold pertinent information from their health providers, potentially resulting in lost productivity, increased morbidity rates, and increased costs to the health care system.

      (12) As stipulated by the Secretary of Health and Human Services in the Final Rule for Standards for Privacy of Individually Identifiable Health Information (45 C.F.R. parts 160 and 164), the standards contained in the Final Rule are intended to establish a floor of privacy protection and are not designed to serve as `best practices' for the use or disclosure of personal health information.

      (13) To guide the development, implementation, and operation of an interoperable nationwide health information technology infrastructure, Congress should establish specific minimum standards for the use and disclosure of individuals' personal health information and direct the Department of Health and Human Services to promulgate regulations relating to personal health information that are consistent with individuals' right to privacy, security, and confidentiality with respect to the electronic use or disclosure of their personal health information, the public interest, and the purposes of this Act.

    (b) Purpose- The purposes of this Act are as follows:

      (1) To recognize that individuals have a right to privacy, confidentiality, and security with respect to health information, including genetic information, and that those fundamental rights are rooted in the Nation's history and medical ethics and must be protected.

      (2) To ensure that individuals are able to exercise their right to health information privacy by requiring their consent for the use and disclosure of their identifiable health information unless otherwise required by law.

      (3) To encourage the development of a nationwide interoperable health information technology infrastructure that protects individuals' privacy, confidentiality, and security with respect to their health information while also improving health care quality, promoting data accuracy, reducing medical errors, and increasing the efficiency of care.

      (4) To create incentives to turn personal health information into de-identified health information (as defined in section 171(5)), where appropriate.

      (5) To designate an Office of Health Information Privacy within the Department of Health and Human Services to protect individuals' right of privacy.

      (6) To provide individuals with--

        (A) access to health information of which they are the subject;

        (B) the opportunity to challenge the accuracy and completeness of such information by being able to file modifications to or request the deletion of such information; and

        (C) the right to limit the use and disclosure of personal health information.

      (7) To establish strong and effective mechanisms to protect against the unauthorized and inappropriate use of personal health information and ensure that these mechanisms safeguard this information wherever it may reside.

      (8) To provide notice to individuals of breaches of their personal health information.

      (9) To invoke the sweep of congressional powers, including the power to enforce the 14th Amendment to the Constitution, to regulate commerce, and to abrogate the immunity of the States under the 11th Amendment to the Constitution, in order to address violations of the rights of individuals to privacy, to provide individuals with access to their health information, and to prevent the unauthorized use of personal health information that is genetic information.

      (10) To establish strong and effective remedies for violations of this Act.

      (11) To protect the rights of States.

TITLE I--HEALTH INFORMATION PRIVACY AND SECURITY

SEC. 100. SUMMARY OF PRIVACY RIGHTS AND SECURITY OBLIGATIONS.

    (a) Privacy Rights- In order to provide individuals who are the subject of personal health information with privacy, security, and control in the use and disclosure of such information, such individuals are provided the following rights under this title:

      (1) The right to not have their personal health information disclosed without their informed consent unless otherwise required by law, pursuant to subtitle C.

      (2) The right to inspect and copy their personal health information, pursuant to section 101.

      (3) The right to correct, supplement, or remove their personal information held by a person, pursuant to section 102.

      (4) The right to prohibit access by certain categories of persons to particularly sensitive personal health information about individuals, such as information relating to mental health, domestic violence, sexually transmitted diseases, and infection with the human immunodeficiency virus (HIV), pursuant to section 122.

      (5) The right to receive notification of actual or suspected security breaches of their personal health information, pursuant to section 113.

      (6) The right to receive an accounting of all electronic disclosures of their personal health information upon request, pursuant to section 116.

    (b) Security Obligations- A person that discloses, uses, or receives an individual's personal health information has obligations under this title, including the following:

      (1) The obligation to expressly recognize the right to privacy and security of such individual with respect to the use and disclosure of such information under subtitle B.

      (2) The obligation to permit individuals who are the subject of such personal health information to inspect and copy the personal health information concerning the individual pursuant to section 101.

      (3) The obligation to provide written notification to an individual of the person's privacy practices pursuant to section 111.

      (4) The obligation to promptly notify individuals of an actual or suspected security breach of their personal health information pursuant to section 113.

      (5) The obligation to establish and maintain appropriate administrative, organizational, technical and physical safeguards to ensure the privacy, confidentiality, security, accuracy, and integrity of personal health information that is accessed, maintained, modified, recorded, stored, destroyed, or otherwise used or disclosed by such person pursuant to section 112.

      (6) The obligation to make publicly available on the Internet a list, including contact information, of each data partner with which the person has entered into a contract or relationship to provide services involving personal health information pursuant to section 114.

      (7) The obligation to obtain an individual's informed consent or authorization before using or disclosing an individual's personal health information pursuant to chapter 1 of subtitle C.

      (8) The obligation to establish and update risk management processes to protect against vulnerabilities to the privacy and security of individual's personal health information pursuant to sections 112 and 114.

      (9) The obligation to establish and maintain a record of each disclosure of an individual's personal health information pursuant to section 116.

      (10) The obligation to provide individuals with concise, comprehensive, and explicit information if seeking to use or disclose their personal health information for marketing purposes and receive a separate authorization from an individual before using or disclosing the information for that purpose pursuant to section 123.

Subtitle A--Access to and Accuracy of Personal Health Information

SEC. 101. INSPECTION AND COPYING OF PERSONAL HEALTH INFORMATION.

    (a) Right of Individual-

      (1) IN GENERAL- A health information person (as defined in section 171(13)) shall permit an individual who is the subject of personal health information (as defined in section 171(23)) that the person holds, uses, or discloses, or the individual's designee, to inspect and copy the personal health information concerning the individual.

      (2) PROCEDURES AND FEES- A health information person may establish appropriate procedures to be followed for inspection and copying under paragraph (1) and may require an individual to pay reasonable fees associated with such inspection and copying in an amount that is not in excess of the actual costs of providing such copying. Such fees may not be assessed where such an assessment would have the effect of inhibiting an individual from gaining access to the information described in paragraph (1).

    (b) Deadline- A health information person shall comply with a request for inspection or copying of personal health information under this section not later than--

      (1) 15 business days after the date on which the person receives the request, if such request requires the inspection, copying, or sending of printed materials; or

      (2) 5 business days after the date on which the person receives the request, or sooner if the Secretary determines appropriate, if such request requires only the inspection, copying, or sending of electronic or other digital materials.

    (c) Rules Governing Agents- A person that is the agent, officer, or employee of a health information person shall provide for the inspection and copying of personal health information if--

      (1) the personal health information is retained by the person; and

      (2) the person has been asked by the health information person to fulfill the requirements of this section.

    (d) Special Rule Relating to Ongoing Clinical Trials- With respect to personal health information that is created as part of an individual's voluntary participation in an ongoing clinical trial, access to the information shall be provided within 15 business days after the date on which the health information person receives the request or consistent with the individual's agreement to participate in the clinical trial, whichever is sooner.

SEC. 102. MODIFICATIONS TO PERSONAL HEALTH INFORMATION.

    (a) In General- Not later than 15 business days, or earlier if the Secretary determines appropriate, after the date on which a health information person receives from an individual a request in writing to supplement, correct, amend, segregate, or remove personal health information that the person holds, uses, or discloses concerning the individual, such person--

      (1) shall, subject to subsections (b) and (c), modify the information, by adding the requested supplement, correction, or amendment to the information, or by removing any information that has been requested to be destroyed;

      (2) shall inform the individual that the modification has been made; and

      (3) shall make reasonable efforts to inform any person to which the portion of the unmodified information was previously disclosed, of any substantive modification that has been made.

    (b) Refusal To Modify- If a health information person declines to make the modification requested under subsection (a) within 15 business days after receipt of such request, such person shall inform the individual in writing of--

      (1) the reasons for declining to make the modification;

      (2) any procedures for further review of the declining of such modification; and

      (3) the individual's right to file with the person a concise statement setting forth the requested modification and the individual's reasons for disagreeing with the declining person and the individual's right to include a copy of this refusal in the health record set (as defined in section 171(17)) concerning the individual.

    (c) Statement of Disagreement- If an individual has filed with a health information person a statement of disagreement under subsection (b)(3), the person, in any subsequent disclosure of the disputed portion of the information--

      (1) shall include, at the individual's request, a copy of the individual's statement in the individual's health record set; and

      (2) may include a concise statement of the reasons for not making the requested modification.

    (d) Rules Governing Agents- A person that is the agent of a health information person shall only be required to make a modification to personal health information where--

      (1) the personal health information is retained, distributed, used, or maintained by the agent; and

      (2) the agent has been asked by such person to fulfill the requirements of this section.

Subtitle B--Security of Personal Health Information

SEC. 111. NOTICE OF PRIVACY PRACTICES.

    (a) Preparation of Written Notice- A health information person shall prepare a written notice of the privacy practices of such person, including information with respect to the following:

      (1) The express right of an individual to privacy, security, and confidentiality with respect to the disclosure of such individual's personal health information.

      (2) The procedures for an individual to exercise that right by authorizing disclosures of personal health information, and to object to, modify, and revoke such authorizations.

      (3) The right of an individual to inspect, copy, and modify that individual's personal health information.

      (4) The right of an individual not to have employment or the receipt of services or choice of health plan conditioned upon the execution by the individual of an authorization for disclosure, except as permitted by section 122(c).

      (5) A description of--

        (A) the categories or types of employees, by general category or by general job description, who have access to or use of personal health information regarding the individual;

        (B) the right of the individual to limit access to or use of his or her personal health information by employees, agents, and contractors of the person; and

        (C) the procedures for effecting such limitations.

      (6) A simple, concise description of any information systems used to store or transmit personal health information, including a description of any linkages made with other networks, systems, or databases outside the person's direct control.

      (7) The circumstances under which the information will be, lawfully and actually, used or disclosed without an authorization executed by the individual.

      (8) A statement that, if an individual elects to pay for health care from the individual's own funds, that individual may elect for personal health information, including any identifying information, not to be disclosed to anyone other than designated health care providers, unless such disclosure is required by mandatory reporting requirements or other similar information collection duties required by law.

      (9) The right of the individual to have continued maintenance, distribution, or storage of that individual's personal health information not conditioned upon whether that individual amends or revokes an authorization for disclosure, or requests a modification of personal health information.

      (10) The right of and procedures for an individual to request that personal health information be transferred to a third party person without unreasonable delay.

      (11) The right to prompt notification of an actual or suspected security breach of personal health information, and how such breaches will be remedied by the person.

      (12) The right of an individual to inspect and obtain a copy of records of authorized and unauthorized disclosures as well as attempted and actual access and use by an authorized or unauthorized person.

      (13) The right of an individual to exercise nondisclosure and nonuse rights with respect to their personal health information, including the right to opt out of any local, regional, or nationwide health information network or system that is used by the person.

    (b) Provision and Posting of Written Notice-

      (1) PROVISION- A health information person shall provide in writing a copy of the notice of privacy practices required under subsection (a)--

        (A) at the first contact between the individual and the person; and

        (B) upon the request of an individual.

      (2) POSTING- A health information person shall post, in a clear and conspicuous manner, a brief summary of the privacy practices of the person.

    (c) Model Notice- The Secretary, in consultation with the Director of the Office of Health Information Privacy, after notice and opportunity for public comment, shall develop and disseminate model notices of privacy practices, and model summary notices for posting for use under this section. Use of such model notice shall be deemed to satisfy the requirements of this section.

SEC. 112. ESTABLISHMENT OF SAFEGUARDS.

    (a) In General- A health information person shall--

      (1) establish and maintain appropriate administrative, organizational, technical, and physical safeguards and procedures to ensure the privacy, confidentiality, security, accuracy, and integrity of personal health information that is accessed, maintained, retained, modified, recorded, stored, destroyed, or otherwise held, used, or disclosed by such person; and

      (2) employ an individual whose responsibilities include the management of the person's information security.

    (b) Factors To Be Considered- The policies and safeguards established under subsection (a) shall ensure that--

      (1) personal health information is used or disclosed only with informed consent (as defined in section 171(19));

      (2) the categories of personnel who will, with the informed consent of the individual, have access to personal health information are identified;

      (3) the feasibility of limiting access to personal health information is considered;

      (4) the privacy, security, and confidentiality of personal health information is maintained;

      (5) personal health information is protected against any reasonably anticipated vulnerabilities to the privacy, security, or integrity of such information; and

      (6) personal health information is protected against unauthorized access, use, or misuse of such information.

    (c) Model Guidelines- The Secretary, in consultation with the Director of the Office of Health Information Privacy appointed under section 161, after notice and opportunity for public comment, in accordance with the requirements of chapter 5 of title 5, United States Code, shall develop and disseminate model guidelines for the establishment of safeguards and procedures for use under this section, such as, where appropriate, individual authentication of uses of computer systems, access controls, audit trails, encryption or any additional security methodology or technology other than encryption which renders data in electronic form unreadable or indecipherable, physical security, protection of remote access points and protection of external electronic communications, periodic security assessments, incident reports, and sanctions. The Secretary, in consultation with the Director, shall update and disseminate the guidelines, as appropriate, to take advantage of new technologies, so as to ensure that the guidelines emphasize the need for stringent privacy, security, and confidentiality safeguards and procedures.

    (d) Review and Updating of Safeguards- Persons subject to this title shall monitor, evaluate, and adjust, as appropriate, all safeguards and procedures, concomitant with relevant changes in technology, the sensitivity of personally identifiable information, internal or external threats to personally identifiable information, and any changes in the contracts or business of the person. For the purpose of reviewing and updating safeguards, the Secretary may provide technical assistance to health information persons, as appropriate.

SEC. 113. NOTIFICATION IN THE CASE OF BREACH.

    (a) In General- A health information person that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses personal health information shall, following the discovery of a security breach (as defined in section 171(28)) of such information, notify each individual whose personal health information has been, or is reasonably believed to have been, accessed, or acquired during such breach.

    (b) Obligation of Owner or Licensee-

      (1) NOTICE TO OWNER OR LICENSEE- Any person engaged in interstate commerce, that uses, accesses, transmits, stores, disposes of, or collects personal health information that the person does not own or license shall notify the owner or licensee of the information following the discovery of a security breach involving such information.

      (2) NOTICE BY OWNER, LICENSEE, OR OTHER DESIGNATED THIRD PARTY- Nothing in this subtitle shall be construed to prevent or abrogate an agreement between a person required to give notice under this section and a designated third party, including an owner or licensee of the personal health information subject to the security breach, to provide the notifications required under subsection (a).

      (3) PERSON RELIEVED FROM GIVING NOTICE- A person obligated to give notice under subsection (a) shall be relieved of such obligation if an owner or licensee of the personal health information subject to the security breach, or other designated third party, provides such notification.

    (c) Timeliness of Notification-

      (1) IN GENERAL- All notifications required under this section shall be made within 15 business days, or earlier if the Secretary determines appropriate, following the discovery by the person of a security breach.

      (2) BURDEN OF PROOF- The person required to provide notification under this section shall have the burden of demonstrating that all notifications were made as required under this subtitle, including evidence demonstrating the necessity of any delay.

    (d) Methods of Notice- A person described in subsection (a) shall provide to an individual the following forms of notice in the case of a security breach:

      (1) INDIVIDUAL NOTICE- Notice required under this section shall be provided in such form as the individual selects, including--

        (A) written notification to the last known home mailing address of the individual in the records of the person;

        (B) telephone notice to the individual personally; or

        (C) e-mail notice, if the individual has consented to receive such notice and the notice is consistent with the provisions permitting electronic transmission of notices under section 101 of the Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001).

      (2) MEDIA NOTICE- Notice shall be provided to prominent media outlets serving a State or jurisdiction, if the personal health information of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, acquired by an unauthorized person.

      (3) NOTICE TO SECRETARY- Notice shall be provided to the Secretary for health information persons that have lost, stolen, disclosed, or used in an unauthorized manner or for an unauthorized purpose the personal health information of a significant number of individuals.

    (e) Content of Notification- Regardless of the method by which notice is provided to individuals under this section, notice of a security breach shall include, to the extent possible--

      (1) a description of the personal health information that has been, or is reasonably believed to have been, accessed, disclosed, or otherwise used by an unauthorized person;

      (2) a toll-free number that the individual may use to contact the person described in subsection (a) to learn what types of personal health information the person maintained about that individual; and

      (3) toll-free contact telephone numbers and addresses for major credit reporting agencies.

    (f) Delay of Notification Authorized for Law Enforcement Purposes-

      (1) IN GENERAL- If a Federal law enforcement agency determines that the notification required under this section would impede a criminal investigation or cause damage to national security, such notification shall be delayed upon written notice from the Federal law enforcement agency to the person that experienced the breach.

      (2) EXTENDED DELAY OF NOTIFICATION- If the notification required under subsection (a) is delayed pursuant to paragraph (1), a person shall give notice not later than 30 days after such law enforcement delay was invoked unless a Federal law enforcement agency provides written notification that further delay is necessary.

SEC. 114. TRANSPARENCY.

    (a) Public List of Data Partners-

      (1) IN GENERAL- A health information person shall establish a list of data partners (as defined in paragraph (2)) with which such person has entered into a contract or relationship for the purposes of providing services involving any personal health information held, used, or disclosed by the person. Such list and the contact information for each partner shall be made publicly accessible on the Internet.

      (2) DATA PARTNER DEFINED- In paragraph (1), the term `data partner' means a data bank, data warehouse, information clearinghouse, record locator system, or other business entity, which for monetary fees, dues, or on a cooperative nonprofit basis, engages in the practice of accessing, collecting, maintaining, modifying, storing, recording, transmitting, destroying, or otherwise using or disclosing the personal health information of individuals. Any person maintaining personal health information for the purposes of making such information available to the individual or the health care provider, including persons furnishing free or paid personal health records, electronic health records, electronic medical records, and related products and services, shall be deemed to be a data partner subject to the requirements of this title.

    (b) Subcontracting and Outsourcing Overseas- In the event a health information person contracts with service providers not subject to this title, including service providers operating in a foreign country, such person shall--

      (1) take reasonable steps to select and retain third party service providers capable of maintaining appropriate safeguards for the security, privacy, and integrity of personal health information;

      (2) require by contract that such service providers implement and maintain appropriate measures designed to meet the requirements applicable to health information persons under this title;

      (3) be held liable for any violation of this title by an overseas service provider or other provider not subject to this title; and

      (4) in the case of a service provider operating in a foreign country, obtain the informed consent of the individual involved prior to outsourcing such individual's personal health information to such provider.

    (c) List of Persons- The Secretary shall maintain a public list identifying health information persons that have lost, stolen, disclosed, or used in an unauthorized manner or for an unauthorized purpose the personal health information of 1,000 or more individuals. The list shall include how many individuals were affected by such action and be displayed on the Web site of the Department of Health and Human Services.

SEC. 115. RISK MANAGEMENT.

    (a) In General- Each health information person shall establish risk management and control processes to protect against anticipated vulnerabilities to the privacy, security, and integrity of personal health information that the person accesses, holds, uses, or discloses.

    (b) Risk Assessment- A health information person shall perform annual risk assessments of procedures, systems, or networks involved in the creation, accessing, maintenance, retention, modification, recording, storage, distribution, destruction, or other use or disclosure of personal health information. Such risk assessment shall include--

      (1) identifying reasonably foreseeable internal and external vulnerabilities that could result in inaccuracy or in unauthorized access, disclosure, use, or modification of personal health information, or of systems containing personal health information;

      (2) assessing the likelihood of and potential damage from inaccuracy or from unauthorized access, disclosure, use, or modification of personal health information;

      (3) assessing the sufficiency of policies, technologies, and safeguards in place to enable compliance with individuals' informed consent to the access, disclosure, use, or modification of their personal health information and minimize and control risks from unauthorized access, disclosure, use, or modification of individuals' personal health information; and

      (4) assessing the vulnerability of personal health information during destruction and disposal of such information, including through the disposal or retirement of hardware.

    (c) Risk Management- A health information person shall establish risk management and control procedures designed to control risks such as those identified in subsection (b). Such procedures shall include--

      (1) a means for the detection and recording of actual or attempted, unauthorized, fraudulent, or otherwise unlawful access, disclosure, transmission, modification, use, or loss of personal health information;

      (2) procedures for ensuring the secure disposal of personal health information;

      (3) a means for limiting physical access to hardware, software, data storage technology, servers, systems, or networks by unauthorized persons in order to minimize the risk of information disclosure, modification, transmission, access, use, or loss;

      (4) providing appropriate risk management and control training for employees; and

      (5) carrying out annual testing of such risk management and control procedures.

SEC. 116. ACCOUNTING FOR DISCLOSURES AND USE.

    (a) In General- A health information person shall establish and maintain, with respect to any personal health information disclosure, a record of each disclosure in accordance with regulations promulgated by the Secretary in consultation with the Director of the Office of Health Information Privacy. Such record shall include the purpose of any disclosure and the identity of the specific individual executing the disclosure, as well as the person to which such information is disclosed.

    (b) Maintenance of Record- A record established under subsection (a) shall be maintained for not less than 6 years.

    (c) Electronic Records- A health information person shall, to the maximum extent practicable, maintain an accessible electronic record concerning each access, use, or disclosure, whether authorized or unauthorized and whether successful or unsuccessful, of personal health information maintained by such person in electronic form. The record shall include the identities of the specific individuals (or a way to identify such individuals, or information helpful in determining the identities of such individuals) who access or seek to gain access to, use or seek to use, or disclose or seek to disclose, information sufficient to identify the personal health information sought or accessed, and other appropriate information.

    (d) Access to Records- A health information person shall permit an individual who is the subject of personal health information, or the individual's designee, to inspect and copy the records created in subsections (a) and (c).

Subtitle C--Use and Disclosure of Personal Health Information

CHAPTER 1--GENERAL RESTRICTIONS

SEC. 121. GENERAL RULES REGARDING USE AND DISCLOSURE.

    (a) Prohibition-

      (1) GENERAL RULE- A person may not disclose, access, or use personal health information except as authorized under this title.

      (2) RULE OF CONSTRUCTION- Disclosure or use of health information that meets the standards of being de-identified health information shall not be construed as a disclosure or use of personal health information.

    (b) Scope of Disclosure or Use-

      (1) IN GENERAL- A disclosure or use of personal health information under this subtitle shall be limited to the minimum amount of information necessary to accomplish the purpose for which the disclosure or use is made, such as the individual's name and address, date of service, place of service, type of service, cost of service, and diagnosis.

      (2) DETERMINATION- The determination as to what constitutes the minimum disclosure or use possible for purposes of paragraph (1) shall be made by the individual or entity holding the information. The minimum necessary standard is intended to be consistent with, and not override, professional judgment and standards.

    (c) Use or Disclosure for Purpose Only-

      (1) IN GENERAL- An authorized recipient (as defined in paragraph (2)) of information pursuant to this subtitle may use or disclose such information solely to carry out the purpose for which the information was disclosed, except as provided in section 143.

      (2) AUTHORIZED RECIPIENT DEFINED- In paragraph (1), the term `authorized recipient' means a person granted the authority by an individual, in accordance with this title, to access, maintain, retain, modify, record, store, destroy, or otherwise use the individual's personal health information through an authorized disclosure.

    (d) No General Requirement To Disclose- Nothing in this subtitle permitting the disclosure of personal health information shall be construed to require such disclosure.

    (e) Identification of Disclosed Information as Personal Health Information- Personal health information disclosed or used pursuant to this subtitle shall be clearly identified and labeled as personal health information that is subject to this title.

    (f) Disclosure or Use by Agents- An agent, employee, or affiliate of a health information person that accesses, seeks to access, obtains, discloses, uses, or receives personal health information from such person, shall be subject to this subtitle to the same extent as the person.

    (g) Disclosure or Use by Others- A person receiving personal health information initially held by a person described in subsection (f) shall be subject to this subtitle to the same extent as the person described in subsection (f).

    (h) Creation of De-Identified Information- Notwithstanding subsection (c), but subject to the other provisions of this section, a person described in subsection (f) may disclose personal health information to an employee or other agent of the person for purposes of creating de-identified information.

    (i) Unauthorized Use or Disclosure of the Decryption Key- The unauthorized disclosure of a decryption key (as defined in section 171(7)) or other secondary or tertiary means for accessing personal health information shall be deemed for purposes of this subtitle to be a disclosure of personal health information. The unauthorized use of a decryption key (or other secondary or tertiary means for accessing personal health information) or de-identified health information in order to identify an individual is deemed for purposes of this subtitle to be disclosure of personal health information.

    (j) No Waiver- Except as provided in this title, an informed consent or other authorization to disclose or use personally identifiable health information executed by an individual pursuant to this subtitle shall not be construed as a waiver of any rights that the individual has under other Federal or State laws, the rules of evidence, or common law.

    (k) Opt-in to Network Sharing-

      (1) IN GENERAL- Before a health information person may share personal health information, through disclosure, access, use, or otherwise, with a health information network or system, the individual must opt in to the sharing of such information with such network or system.

      (2) HEALTH INFORMATION NETWORK OR SYSTEM DEFINED- In this subsection, the term `health information network or system' means an interoperable health information infrastructure consisting of health information systems and other networks that connect providers, consumers, and others involved in supporting health and health care.

    (l) Disposal of Data- To prevent the unauthorized disclosure or use of personal health information, such information, when disposed of, shall be de-identified, destroyed, or expunged from any electronic, paper, or other files and documents maintained by authorized persons to make such information permanently unreadable and undecipherable.

    (m) Obligations of Unauthorized Recipients- A person that obtains, accesses, or receives personal health information and that is an unauthorized recipient of such information may not access, maintain, retain, modify, record, store, destroy, or otherwise use or disclose such information for any purposes, and use or disclosure of personal health information under such circumstances shall be deemed for purposes of this subtitle an unauthorized disclosure of personal health information, unless the disclosure is for the purpose of informing the Secretary, law enforcement authorities, or Congress of the person's unauthorized receipt of the personal health information.

SEC. 122. INFORMED CONSENT FOR DISCLOSURE OF PERSONAL HEALTH INFORMATION FOR TREATMENT AND PAYMENT.

    (a) Requirements Relating to Employers, Health Plans, Health or Life Insurers, Uninsured and Self-Pay Individuals, and Providers-

      (1) IN GENERAL- An employer, health plan, health or life insurer, or health care provider that seeks to disclose personal health information in connection with treatment or payment shall obtain informed consent (as defined in section 171(19)) from the subject of such personal health information that satisfies the requirements of this section. A single consent may authorize multiple disclosures.

      (2) HEALTH PLANS, HEALTH OR LIFE INSURERS- Every health plan or health or life insurer offering enrollment to individual or nonemployer groups shall, at the time of enrollment in the plan or insurance, obtain an informed consent for the use and disclosure of personal health information with respect to each individual who is eligible to receive care or benefits under the plan or insurance.

      (3) UNINSURED AND SELF-PAY- An originating provider that provides health care in other than a network plan setting, or provides health care to an uninsured individual, shall obtain an informed consent for access to or use of personal health information in providing health care or arranging for health care from other providers or seeking payment for the provision of health care services.

      (4) PROVIDERS- Every health care provider that provides health care to an individual that has not been given the appropriate prior consent under this section, shall at the time of providing such care, or at such time as is practicable if services are necessary prior to the opportunity to obtain consent, obtain an informed consent for the use and disclosure of personal health information with respect to such individual.

    (b) Requirements for Individual Informed Consent- To satisfy the requirements of this subsection, an informed consent from an individual to disclose the individual's personal health information shall--

      (1) identify, by general job description or other functional description and by geographic location, those persons that are authorized to disclose the information, including entities employed by a person authorized to disclose the information;

      (2) describe the specific nature of the information to be disclosed;

      (3) identify, by general job description or other functional description and by geographic location, those persons to which the information will be disclosed, including entities employed by a person to which information is authorized to be disclosed;

      (4) describe the purpose of the disclosures;

      (5) permit the executing individual to indicate that a particular person or class of persons (a group of persons with similar roles or functions) listed on the informed consent is not authorized to receive personal health information concerning the individual, except as provided for in subsection (c)(3);

      (6) provide the means by which an individual may indicate that some of the individual's personal health information should be segregated and to what persons or classes of persons such segregated information may be disclosed;

      (7) be subject to revocation by the individual and indicate that the informed consent is valid until revocation by the individual or until an event or date specified;

      (8)(A) be in writing, dated, and signed by the individual; and

      (B) not have been revoked under subsection (f);

      (9) describe the procedure by which an individual can amend an informed consent previously obtained by a person;

      (10) describe the extent to which the authorized person will share information with sub-contracted persons, and the geographic location of sub-contracted persons, including those operating or located overseas, except that the authorized person shall obtain the informed consent of the individual involved prior to outsourcing such individual's personal health information to a sub-contracted person operating or located overseas; and

      (11) describe the nature and probability of harm to the individual resulting from the informed consent for use or disclosure, consistent with the principle of informed consent.

    (c) Limitation on Informed Consent-

      (1) IN GENERAL- Subject to paragraphs (2) and (3), a health information person that seeks informed consent under this subtitle may not condition the delivery of treatment or payment for services on the receipt of such an informed consent.

      (2) RIGHT TO REQUIRE SELF-PAYMENT-

        (A) IN GENERAL- If an individual has refused to provide an informed consent for disclosure of administrative billing information (as defined in subparagraph (B)) to a person and such informed consent is necessary for a health care provider to receive payment for services delivered, the health care provider may require the individual to pay from their own funds for the services.

        (B) ADMINISTRATIVE BILLING INFORMATION- In subparagraph (A), the term `administrative billing information' means any of the following forms of personal health information:

          (i) Date of service, policy, patient identifiers, and practitioner or facility identifiers.

          (ii) Diagnostic codes, in accordance with Medicare billing codes, for which treatment is being rendered or requested.

          (iii) Complexity of service codes, indicating duration of treatment.

          (iv) Total billed charges.

      (3) RIGHT OF HEALTH CARE PROVIDER TO REQUIRE INFORMED CONSENT FOR TREATMENT PURPOSES- If a health care provider that is seeking an informed consent for disclosure of an individual's personal health information believes that the disclosure of such information is necessary so as not to endanger the health or treatment of the individual, and if the withholding of services will not endanger the life of the individual, the health care provider may condition the provision of services upon the individual's execution of an informed consent to disclose personal health information to the minimum extent necessary.

      (4) INFORMED CONSENTS FOR PAYMENT UNDER CERTAIN CIRCUMSTANCES- If an individual is in a physical or mental condition such that the individual is not capable of authorizing the disclosure of personal health information and no other arrangements have been made to pay for the health care services being rendered to the patient, such information may be disclosed to a governmental authority to the extent necessary to determine the individual's eligibility for, and to obtain, payment under a governmental program for health care services provided to the patient. The information may also be disclosed to another provider of health care or health care service plan as necessary to assist the other provider or health care service plan in obtaining payment for health care services rendered by that provider of health care or health care service plan to the patient.

    (d) Model Informed Consent- The Secretary, in consultation with the Director of the Office of Health Information Privacy, after notice and opportunity for public comment in accordance with section 553 of title 5, United States Code, shall develop and disseminate model written informed consents of the type described in this section, which represent informed consent from the subject of such personal health information that satisfies the requirements of this section, and model statements of the limitations on informed consents. Any informed consent obtained on a model informed consent form under this section developed by the Secretary pursuant to the preceding sentence shall be deemed to satisfy the requirements for an informed consent under this section.

    (e) Segregation of Files- A health information person shall comply with the request of an individual who is the subject of personal health information--

      (1) to hide, mask, or mark separate any type or amount of personal health information held by the person; and

      (2) to limit the use or disclosure of the segregated health information within the person to those specifically designated by the subject of the personal health information.

    (f) Revocation of Informed Consent-

      (1) IN GENERAL- An individual may revoke or amend in writing an informed consent under this section at any time, unless the disclosure that is the subject of the consent is required to effectuate payment for health care that has been provided to the individual and for which the individual has declined or refused to pay from the individual's own funds.

      (2) HEALTH PLAN- With respect to a health plan, the informed consent of an individual is deemed to be revoked at the time of the cancellation or non-renewal of enrollment in the health plan, except as may be necessary to complete plan administration and payment requirements related to the individual's period of enrollment.

    (g) Record of Individual's Informed Consents and Revocations- Each person accessing, maintaining, retaining, modifying, recording, storing, destroying, or otherwise using personally identifiable or personal health information for purposes of treatment or payment shall maintain a record for a period of 6 years of each informed consent by an individual and any revocation thereof, and such record shall become part of the individual's health record set.

SEC. 123. INFORMED CONSENT AND AUTHORIZATION FOR DISCLOSURE OF PERSONAL HEALTH INFORMATION OTHER THAN FOR TREATMENT OR PAYMENT.

    (a) In General- A health information person that seeks to disclose personal health information for a purpose other than treatment or payment shall obtain informed consent. Such consent under this section shall be separate from an informed consent provided under section 122.

    (b) Limitation on Authorizations- A person subject to section 122 may not condition the delivery of treatment, or payment for services, on the receipt of an informed consent or authorization described in this section.

    (c) Model Informed Consents and Authorizations- The Secretary, in consultation with the Director of the Office of Health Information Privacy, after notice and opportunity for public comment in accordance with section 553 of title 5, United States Code, shall develop and disseminate model informed consents of the type described in subsection (a) and written authorizations of the type described in subsections (d) and (e). Any consent or authorization obtained on a respective model form shall be deemed to meet the requirements under the respective subsection.

    (d) Requirement of Separate, Additional Authorization for Personnel Decisions- A health information person subject to section 122 may not disclose personal health information to any employees or agents who are responsible for making employment, work assignment, or other personnel decisions with respect to the subject of the information without a separate, additional written authorization permitting such a disclosure.

    (e) Requirement of Separate, Additional Authorization for Marketing-

      (1) IN GENERAL- A health information person may not disclose personal health information for marketing purposes without a separate, additional written authorization permitting such a disclosure.

      (2) REQUIREMENTS- In the case of a disclosure of personal health information for marketing purposes, a separate authorization required by paragraph (1), to be valid, shall--

        (A) state that one purpose of the disclosure is for `marketing';

        (B) state that the purpose of the use or disclosure involved is marketing;

        (C) describe the specific marketing uses and disclosures authorized, including whether the personal health information involved--

          (i) may be used for purposes internal to the person;

          (ii) may be disclosed to, and used by, a business associate of the person; and

          (iii) may be disclosed to, and used by, any person or entity other than a business associate of the person; and

        (D) state that the use or disclosure of personal health information for marketing will directly result in remuneration to the person from a third party, in any case in which a person expects, or reasonably should expect, that such remuneration will occur.

      (3) MARKETING DEFINED-

        (A) IN GENERAL- In this subsection, the term `marketing' is a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service in return for direct or indirect compensation.

        (B) EXCLUSIONS-

          (i) IN GENERAL- Subject to clause (ii), such term excludes the following exceptions:

            (I) Communications made by a person for the purpose of describing the entities participating in a provider network or health plan network, and communications made by a person for the purpose of describing if and the extent to which a product or service, or payment for a product or service, is provided by the person or included in a benefit plan.

            (II) Communications tailored to the circumstances of a particular individual, made by a health care provider to an individual as part of the treatment of the individual, and for the purpose of furthering the treatment of that individual.

            (III) Communications tailored to the circumstances of a particular individual and made by a health care provider or health plan to an individual in the course of managing or coordinating the treatment of that individual or for the purpose of directing or recommending to that individual alternative treatments, therapies, providers, or settings of care.

          (ii) EXCEPTION- Clause (i) shall not apply, and a communication shall be considered marketing, if a person receives direct or indirect remuneration from a third party for making a written communication otherwise described in subclause (I), (II), or (III) of such clause.

    (f) Requirement To Release Personal Health Information to Coroners and Medical Examiners-

      (1) IN GENERAL- When a coroner or medical examiner or their duly appointed deputies seek personal health information for the purpose of inquiry into, and determination of, the cause, manner, and circumstances of an individual's death, the health information person shall provide that individual's personal health information to the coroner or medical examiner or to the duly appointed deputies without undue delay or consent by the deceased individual's representative.

      (2) PRODUCTION OF ADDITIONAL INFORMATION- If a coroner or medical examiner or their duly appointed deputies receives health information from a person referred to in paragraph (1), such health information shall remain as personal health information unless the health information is attached to or otherwise made a part of a coroner's or medical examiner's official report, in which case it shall no longer be protected.

      (3) EXEMPTION- Health information attached to or otherwise made a part of a coroner's or medical examiner's official report shall be exempt from the provisions of this title except as provided for in this subsection.

      (4) REIMBURSEMENT- A person referred to in paragraph (1) may request reimbursement from a coroner or medical examiner for the reasonable costs associated with inspection or copying of personal health information maintained, retained, or stored by such person.

    (g) Revocation or Amendment of Consent or Authorization- An individual may revoke or amend in writing an informed consent or authorization under this section at any time.

    (h) Actions- It shall not be a violation of this title with respect to the disclosure of personal health information--

      (1) if the disclosure was made based on a good faith reliance on the individual's informed consent or authorization under this section at the time disclosure was made;

      (2) in a case in which the consent or authorization is revoked, if the disclosing person had no actual or constructive notice of the revocation; or

      (3) if the disclosure was for the purpose of protecting another individual from imminent physical harm and is authorized under section 141.

    (i) Record of Consents, Authorizations, and Revocations- Each person accessing, maintaining, retaining, modifying, recording, storing, destroying, or otherwise using personally identifiable or personal health information for purposes other than treatment or payment shall maintain a record for a period of 6 years of each informed consent and authorization by an individual and any revocation thereof, and such record shall become part of the individual's health record set.

CHAPTER 2--EXCEPTIONS

SEC. 131. DISCLOSURE FOR LAW ENFORCEMENT, NATIONAL SECURITY, AND INTELLIGENCE PURPOSES.

    (a) Access to Personal Health Information for Law Enforcement, National Security, and Intelligence Activities- A health information person, or a person who receives personal health information pursuant to section 131, may disclose personal health information to--

      (1) an investigative or law enforcement officer (as defined in subsection (k)) pursuant to a warrant issued under the Federal Rules of Criminal Procedure, an equivalent State warrant, a grand jury subpoena, civil subpoena, civil investigative demand, or a court order under limitations set forth in subsection (b); and

      (2) an authorized Federal official for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act (50 U.S.C. 401 et seq.) and implementing authority (Executive Order 12333), or otherwise by law.

    (b) Limitation on Use and Disclosure for National Security, Intelligence, and Other Law Enforcement Inquiries-

      (1) IN GENERAL- Personal health information about an individual that is disclosed under this section may not be used in, or disclosed to any entity for use in, any administrative, civil, or criminal action or investigation directed against the individual, unless the action or investigation arises out of, or is directly related to, the law enforcement, national security, or intelligence inquiry for which the information was obtained.

      (2) LAW ENFORCEMENT INQUIRY DEFINED- In paragraph (1), the term `law enforcement inquiry' means a lawful executive branch investigation or official proceeding inquiring into a violation of, or failure to comply with, any criminal or civil statute or any regulation, rule, or order issued pursuant to such a statute.

    (c) Redactions- To the maximum extent practicable, and consistent with the requirements of due process, a law enforcement agency shall redact personally identifying information from personal health information prior to the public disclosure of such protected information in a judicial or administrative proceeding.

    (d) Exception- This section shall not be construed to limit or restrict the ability of law enforcement authorities to gain information while in hot pursuit of a suspect or if other exigent circumstances exist.

    (e) Investigative or Law Enforcement Officer Defined- In this section, the term `investigative or law enforcement officer' means any officer of the United States or of a State or political subdivision thereof, who is empowered by law to conduct investigations of, or to make arrests for, civil or criminal offenses, and any attorney authorized by law to prosecute or participate in the prosecution of such offenses.

SEC. 132. DISCLOSURE FOR PUBLIC HEALTH PURPOSES.

    (a) In General- A health information person may disclose personal health information to a public health authority (as defined in section 171(24)) or other entity authorized by public health law, when receipt of such information by the authority or other entity--

      (1) relates directly to a specified public health purpose;

      (2) is reasonably likely to achieve such purpose; and

      (3) is intended for a purpose that cannot be achieved through the receipt or use of de-identified health information.

    (b) Public Health Protection Defined- For purposes of subsection (a), the term `public health purpose' means a population-based activity or individual effort, authorized by law, the purpose of which is the prevention of injury, disease, or premature mortality, or the promotion of health, in a community, including--

      (1) assessing the health needs and status of the community through public health surveillance and epidemiological research;

      (2) implementing public health policy;

      (3) responding to public health needs and emergencies; and

      (4) any other activities or efforts authorized by law.

    (c) Limitations- The purpose of the disclosure described in subsection (a) shall be of significant importance such that it warrants the potential effect on, or risk to, the privacy of individuals that the additional exposure of personal health information might bring. Any infringement on the right to privacy under this section shall use the least intrusive means that are tailored to minimize intrusion on the right to privacy.

SEC. 133. REPORTING OF ABUSE AND NEGLECT TO PROTECTION AND ADVOCACY AGENCIES.

    Any health information person may disclose personal health information to a protection and advocacy agency established under part C of title I of the Developmental Disabilities Assistance and Bill of Rights Act (42 U.S.C. 6041 et seq.) or under the Protection and Advocacy for Mentally Ill Individuals Act of 1986 (42 U.S.C. 10801 et seq.) when such person reasonably believes that an individual who is the subject of the personal health information is vulnerable to abuse and neglect by an entity providing health or social services to the individual.

SEC. 134. DISCLOSURE TO NEXT OF KIN AND DIRECTORY INFORMATION.

    (a) Next of Kin- A health care provider, or a person that receives personal health information under section 141, may disclose personal health information about health care services provided to an individual to the individual's next of kin, or to another entity that the individual has identified, if at the time of the treatment of the individual--

      (1) the individual--

        (A) has been notified of the individual's right to object to such disclosure and the individual has not objected to the disclosure; or

        (B) is in a physical or mental condition such that the individual is not capable of objecting, and there are no prior indications that the individual would object; and

      (2) the information disclosed is relevant to health care services currently being provided to that individual.

    (b) Directory Information-

      (1) DISCLOSURE-

        (A) IN GENERAL- Except as provided in paragraph (2), with respect to an individual who is admitted as an inpatient to a health care facility, a person described in subsection (a) may disclose information described in subparagraph (B) about the individual to any entity if, at the time of the admission, the individual--

          (i) has been notified of the individual's right to object and has not objected to the disclosure; or

          (ii) is in a physical or mental condition such that the individual is not capable of objecting and there are no prior indications that the individual would object.

        (B) INFORMATION- Information described in this subparagraph is information that consists only of 1 or more of the following items:

          (i) The name of the individual who is the subject of the information.

          (ii) The general health status of the individual, described as critical, poor, fair, stable, or satisfactory or in terms denoting similar conditions.

          (iii) The location of the individual within the health care facility to which the individual is admitted.

      (2) EXCEPTION- Paragraph (1)(B)(iii) shall not apply if disclosure of the location of the individual would reveal specific information about the physical or mental condition of the individual, unless the individual expressly authorizes such disclosure.

    (c) Directory or Next-of-Kin Information- A disclosure may not be made under this section if the disclosing person described in subsection (a) has reason to believe that the disclosure of directory or next-of-kin information could lead to the physical or mental harm of the individual, unless the individual expressly authorizes such disclosure.

CHAPTER 3--SPECIAL CIRCUMSTANCES

SEC. 141. EMERGENCY CIRCUMSTANCES.

    (a) General Rule- In the event of a threat of imminent physical or mental harm to the subject of personal health information, any person may, in order to allay or remedy such threat, disclose personal health information about such subject to a health care provider, health care facility, law enforcement authority, or emergency medical personnel, to the minimum extent necessary and only if determined appropriate by a health care provider.

    (b) Harm to Others- Any person may disclose personal health information about the subject of the information where--

      (1) such subject has made an identifiable threat of serious injury or death with respect to an identifiable individual or group of individuals;

      (2) the subject has the ability to carry out such threat; and

      (3) the release of such information is necessary to prevent or significantly reduce the possibility of such threat being carried out.

SEC. 142. HEALTH RESEARCH.

    (a) Regulations-

      (1) IN GENERAL- The requirements and protections provided for under part 46 of title 45, Code of Federal Regulations (as in effect on the date of enactment of this Act), shall apply to all health research.

      (2) EFFECTIVE DATE- Paragraph (1) shall not take effect until the Secretary has promulgated final regulations to implement such paragraph.

    (b) Evaluation- Not later than 24 months after the date of the enactment of this Act, the Secretary shall prepare and submit to Congress detailed recommendations on whether informed consent should be required, and if so, under what circumstances, before personal health information can be used for health research.

    (c) Recommendations- The recommendations required to be submitted under subsection (b) shall include--

      (1) a detailed explanation of current institutional review board practices, including the extent to which the privacy of individuals is taken into account as a factor before allowing waivers and under what circumstances informed consent is being waived;

      (2) a list of all known breaches of health information privacy over the past 5 years in research projects approved by an institutional review board;

      (3) a summary of how technology that both facilitates research and preserves privacy could be used to obtain informed consent and strip identifying data for the purpose of research;

      (4) an analysis of State and Federal laws, medical ethics, and ethics in the performance of health research that examines requirements for the receipt of informed consent; and

      (5) an analysis of the risks and benefits of allowing individuals to consent or to refuse to consent, at the time of receiving medical treatment, to the possible future use of records of medical treatments for research studies.

    (d) Consultation- In carrying out this section, the Secretary shall consult with individuals who have distinguished themselves in the fields of health research, privacy, related technology including electronic consent management tools, consumer interests in health information, health data standards, and the provision of health services.

    (e) Congressional Notice- Not later than 6 months after the date on which the Secretary submits to Congress the recommendations required under subsection (b), the Secretary shall propose to implement such recommendations through regulations promulgated on the record after opportunity for a hearing, and shall advise the Congress of such proposal.

    (f) Other Requirements-

      (1) OBLIGATIONS OF THE RECIPIENT- A person who receives personal health information pursuant to this section shall remove or destroy, at the earliest opportunity consistent with the purposes of the project involved, information that would enable an individual to be identified, unless--

        (A) an institutional review board has determined that there is a health or research justification for the retention of such identifiers;

        (B) an institutional review board has, to the maximum extent practicable, attempted to contact the individual to whom the identifiers relate;

        (C) upon being contacted pursuant to subparagraph (B), the individual does not object to the retention of such identifiers; and

        (D) there is an adequate plan to protect the identifiers from disclosure consistent with this section.

      (2) PERIODIC REVIEW AND TECHNICAL ASSISTANCE-

        (A) INSTITUTIONAL REVIEW BOARD- Any institutional review board that authorizes research under this section shall provide the Secretary with the names and addresses of the institutional review board members.

        (B) TECHNICAL ASSISTANCE- The Secretary shall provide technical assistance to institutional review boards described in this subsection.

        (C) MONITORING- The Secretary shall periodically monitor institutional review boards described in this subsection, including with respect to the privacy, security, and confidentiality practices of such boards.

        (D) REPORTS- Not later than 3 years after the date of enactment of this Act, the Secretary shall report to Congress regarding the activities of institutional review boards described in this subsection.

    (g) Limitation- Nothing in this section shall be construed to permit personal health information that is received by a researcher under this section to be accessed for purposes other than research or as authorized by the individual that is the subject of such personal health information.

SEC. 143. HEALTH OVERSIGHT FUNCTIONS.

    (a) In General- A health information person may disclose personal health information to a health oversight agency (as defined in section 171(16)) to enable the agency to perform a health oversight function authorized by law, if--

      (1) the purpose for which the disclosure is to be made cannot reasonably be accomplished without personal health information;

      (2) the purpose for which the disclosure is to be made is of sufficient importance to warrant the effect on, or the risk to, the privacy of the individuals that additional exposure of the information might bring; and

      (3) there is a reasonable probability that the purpose of the disclosure will be accomplished.

    (b) Use and Maintenance of Personal Health Information- A health oversight agency that receives personal health information under subsection (a)--

      (1) shall, to the maximum extent practicable, obtain the informed consent of the individual to whom the personal health information relates before using or disclosing the information;

      (2) shall secure personal health information in all work papers and all documents summarizing the health oversight activity through technological, administrative, and physical safeguards including cryptographic-key based encryption;

      (3) shall maintain in its records only such information about an individual as is relevant and necessary to accomplish the purpose for which the personal health information was obtained;

      (4) using appropriate encryption measures, shall maintain such information securely and limit access to such information to those persons with a legitimate need for access to carry out the purpose for which the records were obtained; and

      (5) shall remove or destroy the information that allows subjects of personal health information to be identified at the earliest time at which removal or destruction can be accomplished, consistent with the purpose of the health oversight activity.

    (c) Authorization by a Supervisor- For purposes of this section, the individual with authority to authorize the oversight function involved shall provide to the disclosing person described in subsection (a) a statement that the personal health information is being sought for a legally authorized oversight function.

SEC. 144. INDIVIDUAL REPRESENTATIVES.

    (a) In General- Except as provided in subsections (b) and (c), a person who is authorized by law (based on grounds other than an individual's status as a minor), or by an instrument recognized under law, to act as an agent, attorney, proxy, or other legal representative of an individual, may, to the extent so authorized, exercise and discharge the rights of the individual under this title.

    (b) Health Care Power of Attorney- A person who is authorized by law (based on grounds other than being a minor), or by an instrument recognized under law, to make decisions about the provision of health care to an individual who is incapacitated, may exercise and discharge the rights of the individual under this title to the extent necessary to effectuate the terms or purposes of the grant of authority.

    (c) Individuals Suffering From Certain Medical Conditions- If a physician or other health care provider determines that an individual, who has not been declared to be legally incompetent, suffers from a medical condition that prevents the individual from acting knowingly or effectively on the individual's own behalf, the right of the individual to access or amend the health information and to authorize disclosure under this title may be exercised and discharged in the best interest of the individual by--

      (1) a person described in subsection (b) with respect to the individual;

      (2) a person described in subsection (a) with respect to the individual, but only if a person described in paragraph (1) cannot be contacted after a reasonable effort or if there is no individual who fits the description in paragraph (1);

      (3) the next of kin of the individual, but only if a person described in paragraph (1) or (2) cannot be contacted after a reasonable effort; or

      (4) the health care provider, but only if a person described in paragraph (1), (2), or (3) cannot be contacted after a reasonable effort.

    (d) Rights of Minors-

      (1) INDIVIDUALS WHO ARE 18 OR LEGALLY CAPABLE- In the case of an individual--

        (A) who is 18 years of age or older, all rights of the individual under this title shall be exercised by the individual; or

        (B) who, acting alone, can consent to health care without violating any applicable law, and who has sought such care, the individual shall exercise all rights of an individual under this title with respect to personal health information relating to such health care.

      (2) INDIVIDUALS UNDER 18- Except as provided in paragraph (1)(B), in the case of an individual who is--

        (A) under 14 years of age, all of the individual's rights under this title shall be exercised through the parent or legal guardian; or

        (B) 14 through 17 years of age, the rights of inspection, supplementation, and modification, and the right to authorize use and disclosure of personal health information of the individual shall be exercised by--

          (i) the individual where no parent or legal guardian exists;

          (ii) the parent or legal guardian of the individual; or

          (iii) the individual if the parent or legal guardian determined that the individual has the sole right to control their health information.

    (e) Deceased Individuals-

      (1) APPLICATION OF ACT- The provisions of this title shall continue to apply to personal health information concerning a deceased individual.

      (2) EXERCISE OF RIGHTS ON BEHALF OF A DECEASED INDIVIDUAL- A person who is authorized by law or by an instrument recognized under law, to act as an executor or administrator of the estate of a deceased individual, or otherwise to exercise the rights of the deceased individual, may, to the extent so authorized, exercise and discharge the rights of such deceased individual under this title. If no such designee has been authorized, the rights of the deceased individual may be exercised as provided for in subsection (c).

      (3) IDENTIFICATION OF DECEASED INDIVIDUAL- A person described in section 136(a) may disclose personal health information if such disclosure is necessary to assist in the identification of a deceased individual.

Subtitle D--Enforcement

SEC. 151. IN GENERAL.

    (a) Civil Penalty- A health information person who the Secretary, in consultation with the Attorney General, determines has substantially and materially failed to comply with this title shall be subject, in addition to any other penalties that may be prescribed by law--

      (1) in a case in which the violation relates to subtitle A, B, or C, to a civil penalty of not more than $500 for each such violation, but not to exceed $5,000 in the aggregate for multiple violations;

      (2) in a case in which the violation relates to subtitle A, B, or C, to a civil penalty of not more than $10,000 for each such violation, but not to exceed $50,000 in the aggregate for multiple violations; or

      (3) in a case in which such violations have occurred with such frequency as to constitute a general business practice, to a civil penalty of not more than $100,000.

    (b) Civil Action by Individuals-

      (1) IN GENERAL- Any individual whose rights under subtitle A, B, or C have been knowingly or negligently violated may bring a civil action to recover--

        (A) such preliminary and equitable relief as the court determines to be appropriate; and

        (B) the greater of compensatory damages or liquidated damages of $5,000.

      (2) ADDITIONAL REMEDIES- The equitable relief or damages that may be available under this section shall be in addition to any other lawful remedy or award that may be available.

SEC. 152. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

    (a) Civil Actions- In any case in which the attorney general of a State or any State or local law enforcement agency authorized by the State attorney general or by State law to prosecute violations of consumer protection laws, has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by the engagement of a person in a practice that is prohibited under subtitle A, B, or C, the State or local law enforcement agency on behalf of the residents of the agency's jurisdiction, may bring a civil action on behalf of the residents of the State or jurisdiction in a district court of the United States of appropriate jurisdiction to--

      (1) enjoin that act or practice;

      (2) enforce compliance with the respective subtitle; or

      (3) obtain civil penalties in an amount calculated by multiplying the number of violations by an amount not greater than $11,000.

    For purposes of civil penalties under this subsection, each day that a person is in violation of the requirements of subtitle A, B, or C shall be treated as a separate violation, up to a maximum civil penalty of $5,000,000.

    (b) Rule of Construction- For purposes of bringing any civil action under subsection (a), nothing in this subtitle regarding notification shall be construed to prevent an attorney general of a State from exercising the powers conferred on such attorney general by the laws of that State to--

      (1) conduct investigations;

      (2) administer oaths or affirmations; or

      (3) compel the attendance of witnesses or the production of documentary and other evidence.

    (c) Venue; Service of Process-

      (1) VENUE- Any action brought under subsection (a) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.

      (2) SERVICE OF PROCESS- In an action brought under subsection (a), process may be served in any district in which the defendant--

        (A) is an inhabitant; or

        (B) may be found.

Subtitle E--Miscellaneous

SEC. 161. OFFICE OF HEALTH INFORMATION PRIVACY.

    (a) In General- The Secretary shall designate an office within the Department of Health and Human Services to be known as the Office of Health Information Privacy (referred to in this section as the `Office'). The Office shall be headed by a Director, who shall be appointed by the Secretary.

    (b) Duties- The Director of the Office shall--

      (1) receive and investigate complaints of alleged violations of this title;

      (2) provide for the conduct of audits where appropriate;

      (3) provide guidance to the Secretary on the implementation of this Act;

      (4) provide guidance to health care providers and other relevant individuals concerning the manner in which to interpret and implement the privacy protections under this title (and the regulations promulgated under this title);

      (5) prepare and submit the report described in subsection (c);

      (6) consult with, and provide recommendations to, the Secretary concerning improvements in the privacy and security of personal health information and concerning medical privacy research needs; and

      (7) carry out any other activities determined appropriate by the Secretary.

    (c) Standards for Certification-

      (1) ESTABLISHMENT- Not later than 12 months after the date of enactment of this Act, the Secretary, in consultation with the Director of the Office and the Director of the Office of Civil Rights, shall establish and implement standards for health information technology products, including qualified health information technology systems (as defined in section 213), used to access, disclose, maintain, store, distribute, transmit, amend, or dispose of personal health information in a manner that protects the individual's right to privacy, confidentiality, and security relating to that information.

      (2) STAKEHOLDER PARTICIPATION- In establishing the standards under paragraph (1), the Secretary shall ensure the participation of various stakeholders, including patients and consumer advocates, privacy advocates, experts in information technology and information systems, and experts in health care. The Secretary shall ensure that these advocates and experts are equally represented, such that the stakeholder process does not result in the experts in information technology, information systems, and health care being disproportionately represented compared to advocates for the interests of consumers and privacy proponents.

    (d) Report on Compliance- Not later than January 1 of the first calendar year beginning more than 1 year after the establishment of the Office under subsection (a), and every January 1 thereafter, the Secretary, in consultation with the Director of the Office, shall prepare and submit to Congress a report concerning the number of complaints of alleged violations of subtitle A that are received during the year for which the report is being prepared. Such report shall describe the complaints and any remedial action taken concerning such complaints and shall be made available to the public on the Internet website of the Department of Health and Human Services.

SEC. 162. PROTECTION FOR WHISTLEBLOWERS.

    (a) Prohibition Against Discrimination- A health information person may not--

      (1) discharge, demote, suspend, threaten, harass, retaliate against, or in any other manner discriminate or cause any employer to discriminate against an employee in the terms and conditions of employment because of--

        (A) the refusal of the employee to engage in a violation of this title; or

        (B) any lawful act the employee has committed or is about to commit, or which the health information person perceives the employee to have committed, to provide information or cause information to be provided, including in the course of the employee's routine job duties, to the individual's employer or to a State or Federal official relating to an actual or suspected violation of this title by any person, including an employer or an employee of an employer; or

      (2) adversely affect another person, directly or indirectly, because such person has exercised a right under this title, disclosed information relating to a possible violation of subtitle A, B, or C or this section, or associated with, or assisted, an individual in the exercise of a right under this title.

    (b) Enforcement Actions-

      (1) IN GENERAL-

        (A) COMPLAINT WITH SECRETARY OF LABOR- Any employee or former employee who alleges a violation of subsection (a) may seek relief under subsection (c), by filing a complaint with the Secretary of Labor.

        (B) APPELLATE REVIEW IN CASE OF FINAL ORDER- Unless an employee brings an action in district court under subparagraph (C), any person adversely affected or aggrieved by a final order of the Secretary of Labor with respect to a complaint filed under subparagraph (A) may obtain review of the order in the United States court of appeals for the circuit in which the violation, with respect to which the order was issued, allegedly occurred or the circuit in which the complainant resided on the date of such violation. The petition for review must be filed not later than 60 days after the date of the issuance of the final order. The review shall conform to chapter 7 of title 5, United States Code. The commencement of proceedings under this subparagraph shall not, unless ordered by the co