[Congressional Bills 103rd Congress]
[From the U.S. Government Publishing Office]
[H.R. 4077 Introduced in House (IH)]

103d CONGRESS
  2d Session
                                H. R. 4077

     To establish a code of fair information practices for health 
information, to amend section 552a of title 5, United States Code, and 
                          for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             March 17, 1994

Mr. Condit (for himself, Mr. Conyers, and Ms. Velazquez) introduced the 
    following bill; which was referred jointly to the Committees on 
     Government Operations, the Judiciary, and Energy and Commerce

_______________________________________________________________________

                                 A BILL


 
     To establish a code of fair information practices for health 
information, to amend section 552a of title 5, United States Code, and 
                          for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Fair Health 
Information Practices Act of 1994''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings and purposes.
Sec. 3. Definitions.

  TITLE I--FAIR INFORMATION PRACTICES FOR PROTECTED HEALTH INFORMATION

         Subtitle A--Treatment of Protected Health Information

Sec. 101. Duties and authorities of health use trustees.
Sec. 102. Duties and authorities of public health trustees.
Sec. 103. Duties and authorities of special purpose trustees.
Sec. 104. Duties and authorities of affiliated persons.

   Subtitle B--Duties and Authorities of Health Information Trustees

             Part 1--Duties of Health Information Trustees

Sec. 111. Inspection of protected health information.
Sec. 112. Amendment of protected health information.
Sec. 113. Notice of information practices.
Sec. 114. Accounting for disclosures.
Sec. 115. Security.

       Part 2--Use and Disclosure of Protected Health Information

Sec. 121. General limitations on use and disclosure.
Sec. 122. Authorizations for disclosure of protected health 
                            information.
Sec. 123. Treatment, payment, and oversight.
Sec. 124. Next of kin and directory information.
Sec. 125. Public health.
Sec. 126. Emergency circumstances.
Sec. 127. Judicial, administrative, and other legal purposes.
Sec. 128. Health research.
Sec. 129. Law enforcement.
Sec. 130. Subpoenas, warrants, and search warrants.

           Subtitle C--Access Procedures and Challenge Rights

Sec. 141. Access procedures for law enforcement subpoenas, warrants, 
                            and search warrants.
Sec. 142. Challenge procedures for law enforcement subpoenas.
Sec. 143. Access and challenge procedures for other subpoenas.
Sec. 144. Construction of subtitle; suspension of statute of 
                            limitations.
Sec. 145. Responsibilities of Secretary.

                  Subtitle D--Miscellaneous Provisions

Sec. 151. Debit and credit card transactions.
Sec. 152. Access to protected health information outside of the United 
                            States.
Sec. 153. Standards for electronic documents and communications.
Sec. 154. Powers of attorney.
Sec. 155. Rights of incompetents.
Sec. 156. Rights of minors.

                        Subtitle E--Enforcement

Sec. 161. Civil actions.
Sec. 162. Civil money penalties.
Sec. 163. Alternative dispute resolution.
Sec. 164. Amendments to criminal law.

          TITLE II--AMENDMENTS TO TITLE 5, UNITED STATES CODE

Sec. 201. Amendments to title 5, United States Code.

      TITLE III--REGULATIONS; EFFECTIVE DATES; APPLICABILITY; AND 
                       RELATIONSHIP TO OTHER LAWS

Sec. 301. Regulations.
Sec. 302. Effective dates.
Sec. 303. Applicability.
Sec. 304. Relationship to other laws.

SEC. 2. FINDINGS AND PURPOSES.

    (a) Findings.--The Congress finds as follows:
            (1) The right to privacy is a personal and fundamental 
        right protected by the Constitution of the United States.
            (2) The improper use or disclosure of personally 
        identifiable health information about an individual may cause 
        significant harm to the interests of the individual in privacy 
        and health care, and may unfairly affect the ability of the 
        individual to obtain employment, education, insurance, credit, 
        and other necessities.
            (3) Current legal protections for health information vary 
        from State to State and are inadequate to meet the need for 
        fair information practices standards.
            (4) The movement of individuals and health information 
        across State lines, access to and exchange of health 
        information from automated data banks and networks, and the 
        emergence of multistate health care providers and payors create 
        a compelling need for uniform Federal law, rules, and 
        procedures governing the use, maintenance, and disclosure of 
        health information.
            (5) Uniform rules governing the use, maintenance, and 
        disclosure of health information are an essential part of 
        health care reform, are necessary to support the 
        computerization of health information, and can reduce the cost 
        of providing health services by making the necessary transfer 
        of health information more efficient.
            (6) An individual needs access to health information about 
        the individual as a matter of fairness, to enable the 
        individual to make informed decisions about health care, and to 
        correct inaccurate or incomplete information.
    (b) Purposes.--The purposes of this Act are as follows:
            (1) To define the rights of an individual with respect to 
        health information about the individual that is created or 
        maintained as part of the health treatment and payment process.
            (2) To define the rights and responsibilities of a person 
        who creates or maintains individually identifiable health 
        information that originates or is used in the health treatment 
        or payment process.
            (3) To establish effective mechanisms to enforce the rights 
        and responsibilities defined in this Act.

SEC. 3. DEFINITIONS.

    (a) Definitions Relating to Protected Health Information.--For 
purposes of this Act:
            (1) Disclose.--The term ``disclose'', when used with 
        respect to protected health information, means to provide 
        access to the information, but only if such access is provided 
        by a health information trustee to a person other than--
                    (A) the trustee or an officer or employee of the 
                trustee;
                    (B) an affiliated person of the trustee; or
                    (C) the individual who is the subject of the 
                information.
            (2) Disclosure.--The term ``disclosure'' means the act or 
        an instance of disclosing.
            (3) Protected health information.--The term ``protected 
        health information'' means any information, whether oral or 
        recorded in any form or medium, that--
                    (A) is created or received by a health use trustee 
                or a public health trustee in a State; and
                    (B) relates to the past, present, or future 
                physical or mental health of an individual, the 
                provision of health care to an individual, or payment 
                for the provision of health care to an individual and--
                            (i) identifies the individual; or
                            (ii) with respect to which there is a 
                        reasonable basis to believe that the 
                        information can be used readily to identify the 
                        individual.
    (b) Definitions Relating to Health Information Trustees.--For 
purposes of this Act:
            (1) Health benefit plan.--The term ``health benefit plan'' 
        means any public or private entity or program that provides 
        payments for health care--
                    (A) including--
                            (i) a group health plan (as defined in 
                        section 607 of the Employee Retirement Income 
                        Security Act of 1974) or a multiple employer 
                        welfare arrangement (as defined in section 
                        3(40) of such Act) providing health benefits; 
                        and
                            (ii) any other health insurance 
                        arrangement, including any arrangement 
                        consisting of a hospital or medical expense 
                        incurred policy or certificate, hospital or 
                        medical service plan contract, or health 
                        maintenance organization subscriber contract;
                    (B) but not including--
                            (i) an individual making payment on the 
                        individual's own behalf (or on behalf of a 
                        relative or other individual) for health care 
                        or for deductibles, coinsurance, copayments, 
                        items, or services not covered under a health 
                        insurance arrangement;
                            (ii) a plan sponsor (as defined in section 
                        3(16) of the Employee Retirement Income 
                        Security Act of 1974);
                            (iii) an employer of an employee covered 
                        under a multiple employer welfare arrangement;
                            (iv) an employee organization that sponsors 
                        a multiple employer welfare arrangement; or
                            (v) an organization, association, 
                        committee, joint board of trustees, or similar 
                        group of representatives of 2 or more employers 
                        described in clause (iii) or 2 or more employee 
                        organizations described in clause (iv).
            (2) Health care provider.--The term ``health care 
        provider'' means a person who is licensed, certified, 
        registered, or otherwise authorized by law to provide an item 
        or service that constitutes health care in the ordinary course 
        of business or practice of a profession.
            (3) Health information trustee.--The term ``health 
        information trustee'' means a person who--
                    (A) creates or receives protected health 
                information that affects interstate commerce; and
                    (B) is a health use trustee, public health trustee, 
                or special purpose trustee.
            (4) Health oversight agency.--The term ``health oversight 
        agency'' means a person--
                    (A) who performs or oversees the performance of an 
                assessment, evaluation, determination, or investigation 
                relating to the licensing, accreditation, or 
                certification of health care providers;
                    (B) who--
                            (i) enters into agreements with health 
                        benefit plans that are offered to individuals 
                        residing in a specific geographic region in 
                        order to facilitate the enrollment of such 
                        individuals in such plans; and
                            (ii) is a public agency, acting on behalf 
                        of a public agency, acting pursuant to a 
                        requirement of a public agency, or carrying out 
                        activities under a State or Federal statute 
                        regulating the agreements; or
                    (C) who--
                            (i) performs or oversees the performance of 
                        an assessment, evaluation, determination, or 
                        investigation relating to the effectiveness of, 
                        compliance with, or applicability of, legal, 
                        fiscal, medical, or scientific standards or 
                        aspects of performance related to the delivery 
                        of, or payment for, health care; and
                            (ii) is a public agency, acting on behalf 
                        of a public agency, acting pursuant to a 
                        requirement of a public agency, or carrying out 
                        activities under a State or Federal statute 
                        regulating the assessment, evaluation, 
                        determination, or investigation.
            (5) Health researcher.--The term ``health researcher'' 
        means a person who conducts a health research project.
            (6) Health use trustee.--The term ``health use trustee'' 
        means a person who, with respect to protected health 
        information, receives, creates, uses, maintains, or transmits 
        such information while acting in whole or in part in the 
        capacity of--
                    (A) a health care provider, health benefit plan, or 
                health oversight agency; or
                    (B) an officer or employee of a person described in 
                subparagraph (A).
            (7) Public health authority.--The term ``public health 
        authority'' means an authority of the United States, a State, 
        or a political subdivision of a State that--
                    (A) is responsible for public health matters; and
                    (B) is conducting--
                            (i) a disease or injury reporting program;
                            (ii) public health surveillance; or
                            (iii) a public health investigation.
            (8) Public health trustee.--The term ``public health 
        trustee'' means a person who, with respect to protected health 
        information, receives, creates, uses, maintains, or transmits 
        such information while acting in whole or in part in the 
        capacity of--
                    (A) a health researcher;
                    (B) a public health authority; or
                    (C) an officer or employee of a person described in 
                subparagraph (A) or (B).
            (9) Special purpose trustee.--The term ``special purpose 
        trustee'' means a person who, with respect to protected health 
        information--
                    (A) receives such information under section 126 
                (relating to emergency circumstances), 127 (relating to 
                judicial, administrative, and other legal purposes), 
                129 (relating to law enforcement), or 130 (relating to 
                subpoenas, warrants, and search warrants); or
                    (B) is acting in whole or in part in the capacity 
                of an officer or employee of a person described in 
                subparagraph (A) with respect to such information.
    (c) Other Definitions.--For purposes of this Act:
            (1) Affiliated person.--The term ``affiliated person'' 
        means a person who--
                    (A) is not a health information trustee;
                    (B) is a contractor, subcontractor, affiliate, or 
                subsidiary of a person who is a health information 
                trustee; and
                    (C) pursuant to an agreement or other relationship 
                with such trustee, receives, creates, uses, maintains, 
                or transmits protected health information in order to 
                conduct a legitimate business activity of the trustee.
            (2) Health care.--The term ``health care''--
                    (A) means--
                            (i) any preventive, diagnostic, 
                        therapeutic, rehabilitative, maintenance, or 
                        palliative care, counseling, service, or 
                        procedure--
                                    (I) with respect to the physical or 
                                mental condition of an individual; or
                                    (II) affecting the structure or 
                                function of the human body or any part 
                                of the human body, including banking of 
                                blood, sperm, organs, or any other 
                                tissue; or
                            (ii) any sale or dispensing of a drug, 
                        device, equipment, or other item to an 
                        individual, or for the use of an individual, 
                        pursuant to a prescription; but
                    (B) does not include any item or service that is 
                not furnished for the purpose of maintaining or 
                improving the health of an individual.
            (3) Health research project.--The term ``health research 
        project'' means a biomedical, epidemiological, or health 
        services research project, or a health statistics project, that 
        has been approved by--
                    (A) an institutional review board for the 
                organization sponsoring the project;
                    (B) an institutional review board for each health 
                information trustee that maintains protected health 
                information intended to be used in the project; or
                    (C) an institutional review board established or 
                designated by the Secretary.
            (4) Institutional review board.--The term ``institutional 
        review board'' means--
                    (A) a board established in accordance with 
                regulations of the Secretary under section 491(a) of 
                the Public Health Service Act;
                    (B) a similar board established by the Secretary 
                for the protection of human subjects in research 
                conducted by the Secretary;
                    (C) a similar board established under regulations 
                of a Federal Government authority other than the 
                Secretary; or
                    (D) a similar board which meets such requirements 
                as the Secretary may specify.
            (5) Law enforcement inquiry.--The term ``law enforcement 
        inquiry'' means a lawful investigation or official proceeding 
        inquiring into a specific violation of, or failure to comply 
        with, any criminal or civil statute or any regulation, rule, or 
        order issued pursuant to such a statute.
            (6) Person.--The term ``person'' includes an authority of 
        the United States, a State, or a political subdivision of a 
        State.
            (7) Secretary.--The term ``Secretary'' means the Secretary 
        of Health and Human Services.
            (8) State.--The term ``State'' includes the District of 
        Columbia, Puerto Rico, the Virgin Islands, Guam, American 
        Samoa, and the Northern Mariana Islands.

  TITLE I--FAIR INFORMATION PRACTICES FOR PROTECTED HEALTH INFORMATION

         Subtitle A--Treatment of Protected Health Information

SEC. 101. DUTIES AND AUTHORITIES OF HEALTH USE TRUSTEES.

    A health use trustee--
            (1) shall comply with sections 111 (relating to 
        inspection), 112 (relating to amendment), 113 (relating to 
        notice of information practices), 114 (relating to accounting 
        for disclosures), and 115 (relating to security);
            (2) may use protected health information if such use is in 
        accordance with section 121; and
            (3) may disclose such information if such disclosure is in 
        accordance with section 121 and 1 or more of the following 
        sections:
                    (A) Section 122 (relating to authorizations).
                    (B) Section 123 (relating to treatment, payment, 
                and oversight).
                    (C) Section 124 (relating to next of kin and 
                directory information).
                    (D) Section 125 (relating to public health).
                    (E) Section 126 (relating to emergency 
                circumstances).
                    (F) Section 127 (relating to judicial, 
                administrative, and other legal purposes).
                    (G) Section 128 (relating to health research).
                    (H) Section 129 (relating to law enforcement).
                    (I) Section 130 (relating to subpoenas, warrants, 
                and search warrants).

SEC. 102. DUTIES AND AUTHORITIES OF PUBLIC HEALTH TRUSTEES.

    (a) In General.--Except as provided in subsections (b) and (c), a 
public health trustee--
            (1) shall comply with sections 111 (relating to 
        inspection), 114 (relating to accounting for disclosures), and 
        115 (relating to security);
            (2) may use protected health information if such use is in 
        accordance with section 121; and
            (3) may disclose such information if--
                    (A) such disclosure is essential to fulfill a 
                public health purpose; or
                    (B) such disclosure is in accordance with section 
                121 and 1 or more of the following sections:
                            (i) Section 122 (relating to 
                        authorizations).
                            (ii) Section 125 (relating to public 
                        health).
                            (iii) Section 126 (relating to emergency 
                        circumstances).
                            (iv) Section 128 (relating to health 
                        research).
                            (v) Section 129 (relating to law 
                        enforcement) (except section 129(a)(2)).
    (b) Determinations by Public Health Trustees Specific to an 
Individual.--A public health trustee who makes a decision concerning a 
right, benefit, or privilege of an individual using protected health 
information about the individual shall be considered to be a health use 
trustee with respect to such information and is subject to section 101 
(and not this section) with respect to such information.
    (c) Overlap With Health Use Trustee.--A person who is a public 
health trustee and a health use trustee with respect to the same 
protected health information is subject to section 101 and is not 
subject to this section with respect to such information.

SEC. 103. DUTIES AND AUTHORITIES OF SPECIAL PURPOSE TRUSTEES.

    (a) In General.--A special purpose trustee--
            (1) shall comply with sections 114 (relating to accounting 
        for disclosures) and 115 (relating to security);
            (2) may use protected health information if such use is in 
        accordance with section 121; and
            (3) may disclose such information if such disclosure is in 
        accordance with section 121 and one or more of the following 
        sections:
                    (A) Section 122 (relating to authorizations).
                    (B) Section 126 (relating to emergency 
                circumstances).
                    (C) Section 128 (relating to health research).
                    (D) Section 129 (relating to law enforcement).
                    (E) Section 130 (relating to subpoenas, warrants, 
                and search warrants).
    (b) Overlap With Health Use and Public Health Trustees.--A person 
who is a health use trustee and a special purpose trustee with respect 
to the same protected health information is subject to section 101 and 
is not subject to this section with respect to such information. A 
person who is a public health trustee and a special purpose trustee 
with respect to the same protected health information is subject to 
section 102 and is not subject to this section with respect to such 
information.

SEC. 104. DUTIES AND AUTHORITIES OF AFFILIATED PERSONS.

    (a) Duties of Affiliated Persons.--
            (1) In general.--An affiliated person is required to 
        fulfill any duty under this Act that--
                    (A) the health information trustee with whom the 
                person has an agreement or relationship described in 
                section 3(c)(1)(C) is required to fulfill; and
                    (B) the person has undertaken to fulfill pursuant 
                to such agreement or relationship.
            (2) Construction of other subtitles.--With respect to a 
        duty described in paragraph (1) that an affiliated person is 
        required to fulfill, the person shall be considered a health 
        information trustee for purposes of this Act. The person shall 
        be subject to subtitle E (relating to enforcement) with respect 
        to any such duty that the person fails to fulfill.
            (3) Effect on trustee.--An agreement or relationship 
        described in section 3(c)(1)(C) does not relieve a health 
        information trustee of any duty or liability under this Act.
    (b) Authorities.--
            (1) In general.--An affiliated person may exercise any 
        authority under this Act that the health information trustee 
        with whom the person has an agreement or relationship described 
        in section 3(c)(1)(C) may exercise and that the person has been 
        given pursuant to such agreement. With respect to any such 
        authority, the person shall be considered a health information 
        trustee for purposes of this Act. The person shall be subject 
        to subtitle E (relating to enforcement) with respect to any act 
        that exceeds such authority.
            (2) Effect on trustee.--An agreement or relationship 
        described in section 3(c)(1)(C) does not affect the authority 
        of a health information trustee under this Act.

   Subtitle B--Duties and Authorities of Health Information Trustees

             PART 1--DUTIES OF HEALTH INFORMATION TRUSTEES

SEC. 111. INSPECTION OF PROTECTED HEALTH INFORMATION.

    (a) In General.--Except as provided in subsection (b), a health 
information trustee who is required by subtitle A to comply with this 
section--
            (1) shall permit an individual to inspect any protected 
        health information about the individual that the trustee 
        maintains;
            (2) shall permit the individual to have a copy of the 
        information;
            (3) shall permit a person who has been designated in 
        writing by the individual to inspect, or to have a copy of, the 
        information on behalf of the individual or to accompany the 
        individual during the inspection; and
            (4) may offer to explain or interpret information that is 
        inspected or copied under this subsection.
    (b) Exceptions.--A health information trustee is not required by 
this section to permit inspection or copying of protected health 
information if any of the following conditions apply:
            (1) Mental health treatment notes.--The information 
        consists of psychiatric, psychological, or mental health 
        treatment notes, the trustee determines in the exercise of 
        reasonable medical judgment that inspection or copying of the 
        notes would cause sufficient harm to the individual who is the 
        subject of the notes so as to outweigh the desirability of 
        permitting access, and the trustee does not disclose the notes 
        to any person not directly engaged in treating the individual, 
        except with the authorization of the individual or under 
        compulsion of law.
            (2) Information about others.--The information relates to 
        an individual other than the individual seeking to inspect or 
        have a copy of the information and the trustee determines in 
        the exercise of reasonable medical judgment that inspection or 
        copying of the information would cause sufficient harm to one 
        or both of the individuals so as to outweigh the desirability 
        of permitting access.
            (3) Endangerment to life or safety.--Disclosure of the 
        information could reasonably be expected to endanger the life 
        or physical safety of an individual.
            (4) Confidential source.--The information identifies or 
        could reasonably lead to the identification of an individual 
        (other than a health care provider) who provided information 
        under a promise of confidentiality to a health care provider 
        concerning the individual who is the subject of the 
        information.
            (5) Administrative purposes.--The information--
                    (A) is used by the trustee solely for 
                administrative purposes and not in the provision of 
                health care to the individual who is the subject of the 
                information; and
                    (B) is not disclosed by the trustee to any person.
            (6) Duplicative information.--The information duplicates 
        information available for inspection under subsection (a).
            (7) Information compiled in anticipation of litigation.--
        The information is compiled principally--
                    (A) in reasonable anticipation of a civil action or 
                proceeding; or
                    (B) for use in such an action or proceeding.
    (c) Inspection and Copying of Segregable Portion.--A health 
information trustee who is required by subtitle A to comply with this 
section shall permit inspection and copying under subsection (a) of any 
reasonably segregable portion of a record after deletion of any portion 
that is exempt under subsection (b).
    (d) Conditions.--A health information trustee may--
            (1) require a written request for the inspection and 
        copying of protected health information under this section; and
            (2) charge a reasonable fee (not greater than the actual 
        cost) for--
                    (A) permitting inspection of information under this 
                section; and
                    (B) providing a copy of protected health 
                information under this section.
    (e) Statement of Reasons for Denial.--If a health information 
trustee denies a request for inspection or copying under this section, 
the trustee shall provide the individual who made the request (or the 
individual's designated representative) with a written statement of the 
reasons for the denial.
    (f) Deadline.--A health information trustee shall comply with or 
deny a request for inspection or copying of protected health 
information under this section within the 30-day period beginning on 
the date the trustee receives the request.

SEC. 112. AMENDMENT OF PROTECTED HEALTH INFORMATION.

    (a) In General.--A health information trustee who is required by 
subtitle A to comply with this section shall, within the 45-day period 
beginning on the date the trustee receives from an individual about 
whom the trustee maintains protected health information a written 
request that the trustee correct or amend the information, either--
            (1) make the correction or amendment requested, inform the 
        individual of the correction or amendment that has been made, 
        and inform any person who is identified by the individual, who 
        is not an employee of the trustee, and to whom the uncorrected 
        or unamended portion of the information was previously 
        disclosed of the correction or amendment that has been made; or
            (2) inform the individual of--
                    (A) the reasons for the refusal of the trustee to 
                make the correction or amendment;
                    (B) any procedures for further review of the 
                refusal; and
                    (C) the individual's right to file with the trustee 
                a concise statement setting forth the requested 
                correction or amendment and the individual's reasons 
                for disagreeing with the refusal of the trustee.
    (b) Bases for Request To Correct or Amend.--An individual may 
request correction or amendment of protected health information about 
the individual under subsection (a) if the information is not timely, 
accurate, relevant, or complete.
    (c) Statement of Disagreement.--After an individual has filed a 
statement of disagreement under subsection (a)(2)(C), the trustee, in 
any subsequent disclosure of the disputed portion of the information, 
shall include a copy of the individual's statement and may include a 
concise statement of the trustee's reasons for not making the requested 
correction or amendment.
    (d) Construction.--This section shall not be construed to require a 
health information trustee to conduct a formal, informal, or other 
hearing or proceeding concerning a request for a correction or 
amendment to protected health information the trustee maintains.
    (e) Correction.--For purposes of subsection (a), a correction is 
deemed to have been made to protected health information where 
information that is not timely, accurate, relevant, or complete is 
clearly marked as incorrect or where supplementary correct information 
is made part of the information.

SEC. 113. NOTICE OF INFORMATION PRACTICES.

    (a) Preparation of Written Notice.--A health information trustee 
who is required by subtitle A of this title to comply with this section 
shall prepare a written notice of information practices describing the 
following:
            (1) Rights of individuals.--The rights under this title of 
        an individual who is the subject of protected health 
        information, including the right to inspect and copy such 
        information and the right to seek amendments to such 
        information, and the procedures for authorizing disclosures of 
        protected health information and for revoking such 
        authorizations.
            (2) Procedures of trustee.--The procedures established by 
        the trustee for the exercise of such rights.
            (3) Authorized disclosures.--The disclosures of protected 
        health information that are authorized under this Act.
    (b) Dissemination of Notice.--A health information trustee who is 
required by subtitle A to comply with this section--
            (1) shall, upon request, provide any person with a copy of 
        the trustee's notice of information practices (described in 
        subsection (a)); and
            (2) shall make reasonable efforts to inform persons in a 
        clear and conspicuous manner of the existence and availability 
        of such notice.
    (c) Model Notice.--Not later than July 1, 1996, the Secretary, 
after notice and opportunity for public comment, shall develop and 
disseminate a model notice of information practices for use by health 
information trustees under this section.

SEC. 114. ACCOUNTING FOR DISCLOSURES.

    (a) In General.--A health information trustee who is required by 
subtitle A to comply with this section shall create and maintain, with 
respect to any protected health information the trustee discloses, a 
record of--
            (1) the date and purpose of the disclosure;
            (2) the name of the person to whom the disclosure was made;
            (3) the address of the person to whom the disclosure was 
        made or the location to which the disclosure was made; and
            (4) the information disclosed, but only where the recording 
        of the information disclosed is practicable, taking into 
        account the technical capabilities of the system used to 
        maintain the record and the costs of such maintenance.
    (b) Disclosure Record Part of Information.--A record created and 
maintained under subsection (a) shall be maintained as part of the 
protected health information to which the record pertains.

SEC. 115. SECURITY.

    (a) In General.--A health information trustee who is required by 
subtitle A to comply with this section shall maintain reasonable and 
appropriate administrative, technical, and physical safeguards--
            (1) to ensure the integrity and confidentiality of 
        protected health information created or received by the 
        trustee;
            (2) to protect against any anticipated threats or hazards 
        to the security or integrity of, improper disclosures of, or 
        unauthorized uses of, such information; and
            (3) otherwise ensure compliance with this Act by the 
        trustee and the officers and employees of the trustee.
    (b) Specific Security Measures.--A health information trustee who 
is required by subtitle A to comply with this section shall ensure 
that--
            (1) officers, employees, and affiliated persons of the 
        trustee who have access to protected health information created 
        or received by the trustee are regularly trained in the 
        requirements governing such information;
            (2) audit trails are maintained, but only where the 
        maintenance of such trails is practicable, taking into account 
        the technical capabilities of the system used to maintain 
        protected health information and the costs of such maintenance; 
        and
            (3) appropriate signs and warnings are posted to advise 
        persons described in paragraph (1) regarding the need to secure 
        protected health information.

       PART 2--USE AND DISCLOSURE OF PROTECTED HEALTH INFORMATION

SEC. 121. GENERAL LIMITATIONS ON USE AND DISCLOSURE.

    (a) Use.--A health information trustee may use protected health 
information only for a purpose that is compatible with and related to 
the purpose for which the information--
            (1) was collected; or
            (2) was received by the trustee.
    (b) Disclosure.--A health information trustee may disclose 
protected health information only for a purpose that is authorized 
under this Act.
    (c) Scope of Uses and Disclosures.--
            (1) In general.--A use or disclosure of protected health 
        information by a health information trustee shall be limited, 
        when practicable, to the minimum amount of information 
        necessary to accomplish the purpose for which the information 
        is used or disclosed.
            (2) Guidelines.--Not later than July 1, 1996, the 
        Secretary, after notice and opportunity for public comment, 
        shall issue guidelines to implement paragraph (1), which shall 
        take into account the technical capabilities of the record 
        systems used to maintain protected health information and the 
        costs of limiting use and disclosure.
    (d) Identification of Disclosed Information as Protected 
Information.--Except with respect to protected health information that 
is disclosed under section 111 (relating to inspection) or 124 
(relating to next of kin and directory information), and except as 
provided in subsection (e), a health information trustee may disclose 
protected health information only if such information is clearly 
identified as protected health information that is subject to this Act.
    (e) Routine Disclosures Subject to Written Agreement.--A health 
information trustee who routinely discloses protected health 
information to a person may satisfy the identification requirement in 
subsection (d) through the conclusion of a written agreement between 
the trustee and the person with respect to the identification of 
protected health information.
    (f) Agreement to Limit Use or Disclosure.--A health information 
trustee who receives protected health information from any person 
pursuant to a written agreement to restrict use or disclosure of the 
information to a greater extent than would otherwise be required under 
this Act shall comply with the terms of the agreement, except where use 
or disclosure of the information in violation of the agreement is 
required by law. A trustee who fails to comply with the preceding 
sentence shall be subject to section 161 (relating to civil actions) 
with respect to such failure.
    (f) No General Requirement to Disclose.--Except as provided in 
section 111, nothing in this Act shall be construed to require a health 
information trustee to disclose protected health information not 
otherwise required to be disclosed by law.

SEC. 122. AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH 
              INFORMATION.

    (a) Statement of Intended Uses and Disclosures.--
            (1) In general.--A person who wishes to receive from a 
        health information trustee protected health information about 
        an individual pursuant to an authorization executed by the 
        individual shall supply the individual, in writing and on a 
        form that is distinct from the authorization, with a statement 
        of the uses for which the person intends the information and 
        the disclosures the person intends to make of the information. 
        Such statement shall be supplied on or before the date on which 
        the authorization is executed.
            (2) Enforcement.--If the person uses or discloses the 
        information in a manner that is inconsistent with such 
        statement, the person shall be subject to section 161 (relating 
        to civil actions) with respect to such failure, except where 
        such use or disclosure is required by law.
            (3) Model statements.--Not later than July 1, 1996, the 
        Secretary, after notice and opportunity for public comment, 
        shall develop and disseminate model statements of intended uses 
        and disclosures of the type described in paragraph (1).
    (b) Written Authorizations.--A health information trustee who is 
authorized by subtitle A to disclose protected health information under 
this section may disclose such information pursuant to an authorization 
executed by the individual who is the subject of the information, if 
each of the following requirements is met:
            (1) Writing.--The authorization is in writing, signed by 
        the individual, and dated on the date of such signature.
            (2) Separate form.--The authorization is not on a form used 
        to authorize or facilitate the provision of, or payment for, 
        health care.
            (3) Trustee described.--The trustee is specifically named 
        or generically described in the authorization as authorized to 
        disclose such information.
            (4) Recipient described.--The person to whom the 
        information is to be disclosed is specifically named or 
        generically described in the authorization as a person to whom 
        such information may be disclosed.
            (5) Statement of intended uses and disclosures received.--
        The authorization contains an acknowledgment that the 
        individual has received a statement described in subsection (a) 
        from such person.
            (6) Information described.--The information to be disclosed 
        is described in the authorization.
            (7) Authorization timely received.--The authorization is 
        received by the trustee during a period described in subsection 
        (d)(1).
            (8) Disclosure timely made.--The disclosure occurs during a 
        period described in subsection (d)(2).
    (c) Authorizations Requested in Connection With Provision of Health 
Care.--
            (1) In general.--A health use trustee or a public health 
        trustee may not request that an individual provide to any 
        person an authorization described in subsection (b) on a day on 
        which--
                    (A) the trustee provides health care to the 
                individual; or
                    (B) in the case of a trustee that is a health 
                facility, the individual is admitted into the facility 
                as a resident or inpatient in order to receive health 
                care.
            (2) Exception.--Paragraph (1) does not apply if a health 
        use trustee or a public health trustee requests that an 
        individual provide an authorization described in subsection (b) 
        for the purpose of assisting the individual in obtaining 
        counseling or social services from a person other than the 
        trustee.
    (d) Time Limitations on Authorizations.--
            (1) Receipt by trustee.--For purposes of subsection (b)(7), 
        an authorization is timely received if it is received by the 
        trustee during--
                    (A) the 1-year period beginning on the date that 
                the authorization is signed under subsection (b)(1), if 
                the authorization permits the disclosure of protected 
                health information to a health use trustee, public 
                health trustee, or person who provides counseling or 
                social services to individuals; or
                    (B) the 30-day period beginning on the date that 
                the authorization is signed under subsection (b)(1), if 
                the authorization permits the disclosure of protected 
                health information to a person other than a person 
                described in subparagraph (A).
            (2) Disclosure by trustee.--For purposes of subsection 
        (b)(8), a disclosure is timely made if it occurs before--
                    (A) the date or event (if any) specified in the 
                authorization upon which the authorization expires; and
                    (B) the expiration of the 6-month period beginning 
                on the date the trustee receives the authorization.
    (e) Revocation or Amendment of Authorization.--
            (1) In general.--An individual in writing may revoke or 
        amend an authorization described in subsection (b), in whole or 
        in part, at any time, except when--
                    (A) disclosure of protected health information has 
                been authorized to permit validation of expenditures 
                for health care, or based on health condition, by a 
                government authority; or
                    (B) action has been taken in reliance on the 
                authorization.
            (2) Notice of revocation.--A health information trustee who 
        discloses protected health information pursuant to an 
        authorization that has been revoked shall not be subject to any 
        liability or penalty under this Act if--
                    (A) the reliance was in good faith;
                    (B) the trustee had no notice of the revocation; 
                and
                    (C) the disclosure was otherwise in accordance with 
                the requirements of this Act.
    (f) Effect of Authorization on Privileges.--The execution by an 
individual of an authorization that meets the requirements of this 
section for the purpose of receiving health care or providing for the 
payment for health care shall not be construed as affecting any 
privilege that the individual may have under common or statutory law in 
a court of a State or the United States.
    (g) Additional Requirements of Trustee.--A health information 
trustee may impose requirements for an authorization that are in 
addition to the requirements in this section.
    (h) Copy.--A health information trustee who discloses protected 
health information pursuant to an authorization under this section 
shall maintain a copy of the authorization as part of the information.
    (i) Construction.--This section shall not be construed--
            (1) to require a health information trustee to disclose 
        protected health information; or
            (2) to limit the right of a health information trustee to 
        charge a fee for the disclosure or reproduction of protected 
        health information.
    (j) Subpoenas, Warrants, and Search Warrants.--If a health 
information trustee discloses protected health information pursuant to 
an authorization in order to comply with an administrative subpoena or 
warrant or a judicial subpoena or search warrant, the authorization--
            (1) shall specifically authorize the disclosure for the 
        purpose of permitting the trustee to comply with the subpoena, 
        warrant, or search warrant; and
            (2) shall otherwise meet the requirements in this section.

SEC. 123. TREATMENT, PAYMENT, AND OVERSIGHT.

    (a) In General.--A health information trustee who is authorized by 
subtitle A to disclose protected health information under this section 
may disclose such information to a health use trustee if the disclosure 
is--
            (1) for the purpose of providing health care to an 
        individual and the individual who is the subject of the 
        information has not previously objected to the disclosure in 
        writing;
            (2) for the purpose of providing for the payment for health 
        care furnished to an individual; or
            (3) for use by a health oversight agency for a purpose 
        authorized by law.
    (b) Use in Action Against Individual.--Protected health information 
about an individual that is disclosed under this section may not be 
used in, or disclosed to any person for use in, any administrative, 
civil, or criminal action or investigation directed against the 
individual, except an action or investigation arising out of and 
directly related to receipt of health care or payment for health care.

SEC. 124. NEXT OF KIN AND DIRECTORY INFORMATION.

    (a) Next of Kin.--A health information trustee who is authorized by 
subtitle A to disclose protected health information under this section 
may disclose such information to the next of kin or legal 
representative (as defined under State law) of the individual who is 
the subject of the information, or to a person with whom the individual 
has a personal relationship, if--
            (1) the individual has not previously objected to the 
        disclosure;
            (2) the disclosure is consistent with accepted medical 
        practice; and
            (3) the information disclosed relates to the ongoing 
        provision of health care to the individual.
    (b) Directory Information.--A health information trustee who is 
authorized by subtitle A to disclose protected health information under 
this section may disclose such information to any person, if--
            (1) the information does not reveal specific information 
        about the physical or mental condition of the individual or 
        health care provided to the individual;
            (2) the individual who is the subject of the information 
        has not objected in writing to the disclosure;
            (3) the disclosure is consistent with accepted medical 
        practice; and
            (4) the information consists only of 1 or more of the 
        following items:
                    (A) The name of the individual.
                    (B) If the individual is receiving health care from 
                a health care provider on a premises controlled by the 
                provider, the location of the individual on such 
                premises.
                    (C) If the individual is receiving health care from 
                a health care provider on a premises controlled by the 
                provider, the general health status of the individual, 
                described in terms of critical, poor, fair, stable, 
                satisfactory, or terms denoting similar conditions.
    (c) Recipients.--A person to whom protected health information is 
disclosed under this section shall not, by reason of such disclosure, 
be subject to any requirement under this Act.

SEC. 125. PUBLIC HEALTH.

    (a) In General.--A health information trustee who is authorized by 
subtitle A to disclose protected health information under this section 
may disclose such information to a public health trustee for use in 
legally authorized--
            (1) disease or injury reporting;
            (2) public health surveillance; or
            (3) public health investigation.
    (b) Use in Action Against Individual.--Protected health information 
about an individual that is disclosed under this section may not be 
used in, or disclosed to any person for use in, any administrative, 
civil, or criminal action or investigation directed against the 
individual, except where the use or disclosure is authorized by law for 
protection of the public health.

SEC. 126. EMERGENCY CIRCUMSTANCES.

    A health information trustee who is authorized by subtitle A to 
disclose protected health information under this section may disclose 
such information to alleviate emergency circumstances affecting the 
health or safety of an individual.

SEC. 127. JUDICIAL, ADMINISTRATIVE, AND OTHER LEGAL PURPOSES.

    (a) In General.--A health information trustee who is authorized by 
subtitle A to disclose protected health information under this section 
may disclose such information--
            (1) pursuant to the Federal Rules of Civil Procedure, the 
        Federal Rules of Criminal Procedure, or comparable rules of 
        other courts or administrative agencies in connection with 
        litigation or proceedings to which the individual who is the 
        subject of the information is a party and in which the 
        individual has placed the individual's physical or mental 
        condition in issue;
            (2) pursuant to a law requiring the reporting of specific 
        medical information to law enforcement authorities;
            (3) if the disclosure is of information described in 
        paragraph (2) and the trustee is operated by a Federal agency;
            (4) if directed by a court in connection with a court-
        ordered examination of an individual; or
            (5) to assist in the identification of a dead individual.
    (b) Written Statement.--A person seeking protected health 
information about an individual maintained by a health information 
trustee under--
            (1) subsection (a)(1) shall provide the trustee with a 
        written statement that the individual is a party to the 
        litigation or proceedings for which the information is sought; 
        or
            (2) subsection (a)(5) shall provide the trustee with a 
        written statement that the information is sought to assist in 
        the identification of a dead individual.
    (c) Use and Disclosure.--A person to whom protected health 
information is disclosed under this section may use and disclose the 
information only under a condition described in subsection (a).

SEC. 128. HEALTH RESEARCH.

    (a) In General.--A health information trustee who is authorized by 
subtitle A to disclose protected health information under this section 
may disclose such information to a public health trustee if the 
disclosure is for use in a health research project that has been 
determined by an institutional review board to be--
            (1) of sufficient importance so as to outweigh the 
        intrusion into the privacy of the individual who is the subject 
        of the information that would result from the disclosure; and
            (2) reasonably impracticable to conduct without such 
        information.
    (b) Obligations of Recipient.--A person who receives protected 
health information pursuant to subsection (a) shall remove or destroy, 
at the earliest opportunity consistent with the purposes of the 
project, information that would enable 1 or more individuals to be 
identified, unless an institutional review board has determined that 
there is a health or research justification for retention of such 
identifiers and there is an adequate plan to protect the identifiers 
from use and disclosure that is inconsistent with this Act.

SEC. 129. LAW ENFORCEMENT.

    (a) In General.--A health information trustee who is authorized by 
subtitle A to disclose protected health information under this section 
may disclose such information to a law enforcement agency (other than a 
health oversight agency) if the information is--
            (1) for use in an investigation or prosecution of a health 
        information trustee;
            (2) to assist in the identification or location of a 
        suspect, fugitive, or witness in a law enforcement inquiry;
            (3) in connection with criminal activity committed against 
        the trustee or an affiliated person of the trustee or on 
        premises controlled by the trustee; or
            (4) needed to determine whether a crime has been committed 
        and the nature of any crime that may have been committed (other 
        than a crime that may have been committed by the individual who 
        is the subject of the information).
    (b) Certification.--Where a law enforcement agency requests a 
health information trustee to disclose protected health information 
under this section, the agency shall provide the trustee with a written 
certification that--
            (1) is signed by a supervisory official of a rank 
        designated by the head of the agency;
            (2) specifies the information requested; and
            (3) states that the information is needed for a lawful 
        purpose under this section.
    (c) Restrictions on Disclosure and Use.--Protected health 
information about an individual that is disclosed by a health 
information trustee to a law enforcement agency under this section--
            (1) may not be disclosed for, or used in, any 
        administrative, civil, or criminal action or investigation 
        against the individual, except in an action or investigation 
        arising out of and directly related to the action or 
        investigation for which the information was obtained; and
            (2) may not be otherwise used or disclosed by the agency, 
        unless the use or disclosure is necessary to fulfill the 
        purpose for which the information was obtained and is not 
        otherwise prohibited by law.

SEC. 130. SUBPOENAS, WARRANTS, AND SEARCH WARRANTS.

    (a) In General.--A health information trustee who is authorized by 
subtitle A to disclose protected health information under this section 
may disclose such information if the disclosure is pursuant to any of 
the following:
            (1) A subpoena issued under the authority of a grand jury 
        and the trustee is provided a written certification by the 
        grand jury seeking the information that the grand jury has 
        complied with the applicable access provisions of section 141 
        or 143(a).
            (2) An administrative subpoena or warrant or a judicial 
        subpoena or search warrant and the trustee is provided a 
        written certification by the person seeking the information 
        that the person has complied with the applicable access 
        provisions of section 141 or 143(a).
            (3) An administrative subpoena or warrant or a judicial 
        subpoena or search warrant and the disclosure otherwise meets 
        the conditions of one of sections 123 through 129.
    (b) Restrictions on Use and Disclosure.--Protected health 
information about an individual that is disclosed by a health 
information trustee under--
            (1) subsection (a) may not be disclosed for, or used in, 
        any administrative, civil, or criminal action or investigation 
        against the individual, except in an action or investigation 
        arising out of and directly related to the inquiry for which 
        the information was obtained;
            (2) subsection (a)(2) may not be otherwise used or 
        disclosed by the recipient unless the use or disclosure is 
        necessary to fulfill the purpose for which the information was 
        obtained; and
            (3) subsection (a)(3) may not be used or disclosed by the 
        recipient unless the recipient complies with the conditions and 
        restrictions on use and disclosure with which the recipient 
        would have been required to comply if the disclosure by the 
        trustee had been made under the section referred to in 
        subsection (a)(3) the conditions of which were met by the 
        disclosure.
    (c) Restrictions on Grand Juries.--Protected health information 
that is disclosed by a health information trustee under subsection 
(a)(1)--
            (1) shall be returnable on a date when the grand jury is in 
        session and actually presented to the grand jury;
            (2) shall be used only for the purpose of considering 
        whether to issue an indictment or report by that grand jury, or 
        for the purpose of prosecuting a crime for which that 
        indictment or report is issued, or for a purpose authorized by 
        rule 6(e) of the Federal Rules of Criminal Procedure or a 
        comparable State rule;
            (3) shall be destroyed or returned to the trustee if not 
        used for one of the purposes specified in paragraph (2); and
            (4) shall not be maintained, or a description of the 
        contents of such information shall not be maintained, by any 
        government authority other than in the sealed records of the 
        grand jury, unless such information has been used in the 
        prosecution of a crime for which the grand jury issued an 
        indictment or presentment or for a purpose authorized by rule 
        6(e) of the Federal Rules of Criminal Procedure or a comparable 
        State rule.
    (d) Copy As Part of Protected Information.--A health information 
trustee who discloses protected health information under this section 
shall maintain a copy of the applicable subpoena, warrant, or search 
warrant as part of the information.
    (e) Construction.--Nothing in this section shall be construed as 
authority for a health information trustee to refuse to comply with an 
administrative subpoena or warrant or a judicial subpoena or search 
warrant that meets the requirements of this Act.

           Subtitle C--Access Procedures and Challenge Rights

SEC. 141. ACCESS PROCEDURES FOR LAW ENFORCEMENT SUBPOENAS, WARRANTS, 
              AND SEARCH WARRANTS.

    (a) Probable Cause Requirement.--A government authority may not 
obtain protected health information about an individual from a health 
information trustee under paragraph (1) or (2) of section 130(a) for 
use in a law enforcement inquiry unless there is probable cause to 
believe that the information is relevant to a legitimate law 
enforcement inquiry being conducted by the government authority.
    (b) Warrants and Search Warrants.--A government authority that 
obtains protected health information about an individual from a health 
information trustee under circumstances described in subsection (a) and 
pursuant to a warrant or search warrant shall, not later than 30 days 
after the date the warrant was served on the trustee, serve the 
individual with, or mail to the last known address of the individual, a 
copy of the warrant.
    (c) Subpoenas.--Except as provided in subsection (d), a government 
authority may not obtain protected health information about an 
individual from a health information trustee under circumstances 
described in subsection (a) and pursuant to a subpoena unless a copy of 
the subpoena has been served by hand delivery upon the individual, or 
mailed to the last known address of the individual, on or before the 
date on which the subpoena was served on the trustee, together with a 
notice (published by the Secretary under section 145(1)) of the 
individual's right to challenge the subpoena in accordance with section 
142, and--
            (1) 30 days have passed from the date of service, or 30 
        days have passed from the date of mailing, and within such time 
        period the individual has not initiated a challenge in 
        accordance with section 142; or
            (2) disclosure is ordered by a court under section 142.
    (d) Application for Delay.--
            (1) In general.--A government authority may apply to an 
        appropriate court to delay (for an initial period of not longer 
        than 90 days) serving a copy of a subpoena and a notice 
        otherwise required under subsection (c) with respect to a law 
        enforcement inquiry. The government authority may apply to the 
        court for extensions of the delay.
            (2) Reasons for delay.--An application for a delay, or 
        extension of a delay, under this subsection shall state, with 
        reasonable specificity, the reasons why the delay or extension 
        is being sought.
            (3) Ex parte order.--The court shall enter an ex parte 
        order delaying, or extending the delay of, the notice and an 
        order prohibiting the trustee from revealing the request for, 
        or the disclosure of, the protected health information being 
        sought if the court finds that--
                    (A) the inquiry being conducted is within the 
                lawful jurisdiction of the government authority seeking 
                the protected health information;
                    (B) there is probable cause to believe that the 
                protected health information being sought is relevant 
                to a legitimate law enforcement inquiry being conducted 
                by the government authority;
                    (C) the government authority's need for the 
                information outweighs the privacy interest of the 
                individual who is the subject of the information; and
                    (D) there are reasonable grounds to believe that 
                receipt of a notice by the individual will result in--
                            (i) endangering the life or physical safety 
                        of any individual;
                            (ii) flight from prosecution;
                            (iii) destruction of or tampering with 
                        evidence or the information being sought; or
                            (iv) intimidation of potential witnesses.
            (4) Service of application on individual.--Upon the 
        expiration of a period of delay of notice under this 
        subsection, the government authority shall serve upon the 
        individual, with the service of the subpoena and the notice, a 
        copy of any applications filed and approved under this 
        subsection.

SEC. 142. CHALLENGE PROCEDURES FOR LAW ENFORCEMENT SUBPOENAS.

    (a) Motion to Quash Subpoena.--Within 30 days of the date of 
service, or 30 days of the date of mailing, of a subpoena of a 
government authority seeking protected health information about an 
individual from a health information trustee under paragraph (1) or (2) 
of section 130(a) (except a subpoena issued in compliance with the 
provisions of section 143(a)), the individual may file (without filing 
fee) a motion to quash the subpoena--
            (1) in the case of a State judicial subpoena, in the court 
        which issued the subpoena;
            (2) in the case of a subpoena issued under the authority of 
        a State that is not a State judicial subpoena, in a court of 
        competent jurisdiction;
            (3) in the case of a subpoena issued under the authority of 
        a Federal court, in any court of the United States of competent 
        jurisdiction; or
            (4) in the case of any other subpoena issued under the 
        authority of the United States, in--
                    (A) the United States district court for the 
                district in which the individual resides or in which 
                the subpoena was issued; or
                    (B) another United States district court of 
                competent jurisdiction.
    (b) Copy.--A copy of the motion shall be served by the individual 
upon the government authority by delivery of registered or certified 
mail.
    (c) Affidavits and Sworn Documents.--The government authority may 
file with the court such affidavits and other sworn documents as 
sustain the validity of the subpoena. The individual may file with the 
court, within 5 days of the date of the authority's filing, affidavits 
and sworn documents in response to the authority's filing. The court, 
upon the request of the individual, the government authority, or both, 
may proceed in camera.
    (d) Proceedings and Decision on Motion.--The court may conduct such 
proceedings as it deems appropriate to rule on the motion. All such 
proceedings shall be completed, and the motion ruled on, within 10 
calendar days of the date of the government authority's filing.
    (e) Extension of Time Limits for Good Cause.--The court, for good 
cause shown, may at any time in its discretion enlarge the time limits 
established by subsections (c) and (d).
    (f) Standard for Decision.--A court may deny an individual's timely 
motion under subsection (a) if it finds that there is probable cause to 
believe that the protected health information being sought is relevant 
to a legitimate law enforcement inquiry being conducted by the 
government authority, unless the court finds that the individual's 
privacy interest outweighs the government authority's need for the 
information. The individual shall have the burden of demonstrating that 
the individual's privacy interest outweighs the need established by the 
government authority for the information.
    (g) Specific Considerations With Respect to Privacy Interest.--In 
determining under subsection (f) whether an individual's privacy 
interest outweighs the government authority's need for the information, 
the court shall consider--
            (1) the particular purpose for which the information was 
        collected by the trustee;
            (2) the degree to which disclosure of the information will 
        embarrass, injure, or invade the privacy of the individual;
            (3) the effect of the disclosure on the individual's future 
        health care;
            (4) the importance of the inquiry being conducted by the 
        government authority, and the importance of the information to 
        that inquiry; and
            (5) any other factor deemed relevant by the court.
    (h) Attorney's Fees.--In the case of any motion brought under 
subsection (a) in which the individual has substantially prevailed, the 
court, in its discretion, may assess against a government authority a 
reasonable attorney's fee and other litigation costs (including expert 
fees) reasonably incurred.
    (i) No Interlocutory Appeal.--A court ruling denying a motion to 
quash under this section shall not be deemed a final order and no 
interlocutory appeal may be taken therefrom by the individual. An 
appeal of such a ruling may be taken by the individual within such 
period of time as is provided by law as part of any appeal from a final 
order in any legal proceeding initiated against the individual arising 
out of or based upon the protected health information disclosed.

SEC. 143. ACCESS AND CHALLENGE PROCEDURES FOR OTHER SUBPOENAS.

    (a) In General.--A person (other than a government authority under 
section 141) may not obtain protected health information about an 
individual from a health information trustee pursuant to a subpoena 
under section 130(a)(2) unless--
            (1) a copy of the subpoena has been served upon the 
        individual or mailed to the last known address of the 
        individual on or before the date on which the subpoena was 
        served on the trustee, together with a notice (published by the 
        Secretary under section 145(2)) of the individual's right to 
        challenge the subpoena, in accordance with subsection (b); and
            (2) either--
                    (A) 30 days have passed from the date of service or 
                30 days have passed from the date of the mailing and 
                within such time period the individual has not 
                initiated a challenge in accordance with subsection 
                (b); or
                    (B) disclosure is ordered by a court under such 
                subsection.
    (b) Motion to Quash.--Within 30 days of the date of service or 30 
days of the date of mailing of a subpoena seeking protected health 
information about an individual from a health information trustee under 
subsection (a), the individual may file (without filing fee) in any 
court of competent jurisdiction, a motion to quash the subpoena, with a 
copy served on the person seeking the information. The individual may 
oppose, or seek to limit, the subpoena on any grounds that would 
otherwise be available if the individual were in possession of the 
information.
    (c) Standard for Decision.--The court shall grant an individual's 
timely motion under subsection (b) if the person seeking the 
information has not sustained the burden of demonstrating that--
            (1) there are reasonable grounds to believe that the 
        information will be relevant to a lawsuit or other judicial or 
        administrative proceeding; and
            (2) the need of the person for the information outweighs 
        the privacy interest of the individual.
    (d) Specific Considerations With Respect to Privacy Interest.--In 
determining under subsection (c) whether the need of the person for the 
information outweighs the privacy interest of the individual, the court 
shall consider--
            (1) the particular purpose for which the information was 
        collected by the trustee;
            (2) the degree to which disclosure of the information will 
        embarrass, injure, or invade the privacy of the individual;
            (3) the effect of the disclosure on the individual's future 
        health care;
            (4) the importance of the information to the lawsuit or 
        proceeding; and
            (5) any other factor deemed relevant by the court.
    (e) Attorney's Fees.--In the case of any motion brought under 
subsection (b) by an individual against a person in which the 
individual has substantially prevailed, the court, in its discretion, 
may assess against the person a reasonable attorney's fee and other 
litigation costs (including expert fees) reasonably incurred.

SEC. 144. CONSTRUCTION OF SUBTITLE; SUSPENSION OF STATUTE OF 
              LIMITATIONS.

    (a) In General.--Nothing in this subtitle shall affect the right of 
a health information trustee to challenge requests for protected health 
information. Nothing in this subtitle shall entitle an individual who 
is the subject of such information to assert the rights of a health 
information trustee.
    (b) Effect of Motion on Statute of Limitations.--If an individual 
who is the subject of protected health information files a motion under 
this Act which has the effect of delaying the access of a government 
authority to such information, any applicable statute of limitations is 
deemed to be tolled for the period beginning on the date such motion 
was filed and ending on the date on which the motion is decided.

SEC. 145. RESPONSIBILITIES OF SECRETARY.

    Not later than July 1, 1996, the Secretary, after notice and 
opportunity for public comment, shall develop and disseminate a brief, 
clear, and easily understood notice--
            (1) for use under subsection (c) of section 141, detailing 
        the rights of an individual who wishes to challenge, under 
        section 142, the disclosure of protected health information 
        about the individual under such subsection; and
            (2) for use under subsection (a) of section 143, detailing 
        the rights of an individual who wishes to challenge, under 
        subsection (b) of such section, the disclosure of protected 
        health information about the individual under such section.

                  Subtitle D--Miscellaneous Provisions

SEC. 151. DEBIT AND CREDIT CARD TRANSACTIONS.

    (a) Payment for Health Care Through Debit or Credit Card.--If an 
individual pays a health information trustee for health care by 
presenting a debit or credit card or card number, the trustee may use 
or disclose such protected health information about the individual as 
is necessary for the processing of the debit or credit card transaction 
or the billing or collection of amounts charged or debited to the 
individual using the card or number.
    (b) Transaction Processing By Card Issuers.--A person who is a 
debit or credit card issuer or is otherwise directly involved in the 
processing of credit or debit transactions or the billing or collection 
of amounts charged or debited thereto may only use or disclose 
protected health information about an individual--
            (1) that has been disclosed in accordance with subsection 
        (a); and
            (2) when necessary for--
                    (A) the billing or collection of amounts charged or 
                debited to the individual using a debit or credit card;
                    (B) the transfer of receivables, accounts, or 
                interest therein;
                    (C) the audit of the credit or debit card account 
                information;
                    (D) compliance with Federal, State, or local law; 
                and
                    (E) a properly authorized civil, criminal, or 
                regulatory investigation by Federal, State, or local 
                authorities.

SEC. 152. ACCESS TO PROTECTED HEALTH INFORMATION OUTSIDE OF THE UNITED 
              STATES.

    (a) In General.--Except as provided in subsection (b), 
notwithstanding the provisions of subtitle A and part 2 of subtitle B, 
a health information trustee may not permit any person who is not in a 
State to have access to protected health information about an 
individual unless one or more of the following conditions exist:
            (1) Specific authorization.--The individual has 
        specifically consented to the provision of such access outside 
        of the United States in an authorization that meets the 
        requirements of section 122.
            (2) Equivalent information practices.--The provision of 
        such access is authorized under this Act and the Secretary has 
        determined that there are fair information practices for 
        protected health information in the country where the access 
        will be provided that are equivalent to the fair information 
        practices provided for by this Act.
            (3) Access required by law.--The provision of such access 
        is required under--
                    (A) a Federal statute; or
                    (B) a treaty or other international agreement 
                applicable to the United States.
    (b) Exceptions.--Subsection (a) does not apply where the provision 
of access to protected health information--
            (1) is to a foreign public health authority;
            (2) is authorized under section 126; or
            (3) is necessary for the purpose of providing for payment 
        for health care that has been provided to an individual.

SEC. 153. STANDARDS FOR ELECTRONIC DOCUMENTS AND COMMUNICATIONS.

    (a) Standards.--Not later than July 1, 1996, the Secretary, after 
notice and opportunity for public comment, shall promulgate standards 
with respect to the creation, transmission, receipt, and maintenance, 
in electronic form, of each written document required or authorized 
under this Act. Where a signature is required with respect to a written 
document under any other provision of this Act, such standards shall 
provide for an electronic substitute that serves the functional 
equivalent of a signature.
    (b) Treatment of Complying Documents and Communications.--An 
electronic document or communication that satisfies the standards 
promulgated under subsection (a) with respect to such document or 
communication shall be treated as satisfying the requirements of this 
Act that apply to an equivalent written document.

SEC. 154. POWERS OF ATTORNEY.

    In the case of an individual who has executed a power of attorney, 
recognized under State law, authorizing a person to act as agent or 
attorney for the individual for one or more purposes, the person may 
exercise any right of the individual under this title that the person 
is authorized to exercise by the power of attorney, if--
            (1) any condition precedent to the exercise of such right 
        that is set forth in the power of attorney has been satisfied; 
        and
            (2) the power of attorney specifically references or 
        describes the rights under this title that may be exercised by 
        the person.

SEC. 155. RIGHTS OF INCOMPETENTS.

    (a) Effect of Declaration of Incompetence.--Except as provided in 
section 154, if an individual has been declared to be incompetent by a 
court of competent jurisdiction, the rights of the individual under 
this title shall be exercised and discharged in the best interests of 
the individual through an authorized legal representative of the 
individual.
    (b) No Court Declaration.--Except as provided in section 154, if a 
health care provider determines that an individual, who has not been 
declared to be incompetent by a court of competent jurisdiction, 
suffers from a medical condition that prevents the individual from 
acting knowingly or effectively on the individual's own behalf, the 
right of the individual to authorize disclosure under section 122 may 
be exercised and discharged in the best interest of the individual by 
the individual's next of kin.

SEC. 156. RIGHTS OF MINORS.

    (a) Individuals Who Are 18 or Legally Capable.--In the case of an 
individual--
            (1) who is 18 years of age or older, all rights of the 
        individual shall be exercised by the individual, except as 
        provided in sections 154 and 155; or
            (2) who, acting alone, has the legal capacity to apply for 
        and obtain a type of medical examination, care, or treatment 
        and who has sought such examination, care, or treatment, the 
        individual shall exercise all rights of an individual under 
        this title with respect to protected health information 
        relating to such examination, care, or treatment.
    (b) Individuals Under 18.--Except as provided in subsection (a)(2), 
in the case of an individual who is--
            (1) under 14 years of age, all the individual's rights 
        under this title shall be exercised through the parent or legal 
        guardian of the individual; or
            (2) 14, 15, 16, or 17 years of age, the right of inspection 
        (under section 111), the right of amendment (under section 
        112), and the right to authorize disclosure of protected health 
        information (under section 122) of the individual may be 
        exercised either by the individual or by the parent or legal 
        guardian of the individual.

                        Subtitle E--Enforcement

SEC. 161. CIVIL ACTIONS.

    (a) In General.--Any individual whose rights under this title have 
been knowingly or negligently violated--
            (1) by a health information trustee, or any other person, 
        who is not described in paragraph (2), (3), (4), or (5) may 
        maintain a civil action for actual damages and for equitable 
        relief against the health information trustee or other person;
            (2) by an officer or employee of the United States while 
        the officer or employee was acting within the scope of the 
        office or employment may maintain a civil action for actual 
        damages and for equitable relief against the United States;
            (3) by an officer or employee of any government authority 
        of a State that has waived its sovereign immunity to a claim 
        for damages resulting from a violation of this title while the 
        officer or employee was acting within the scope of the office 
        or employment may maintain a civil action for actual damages 
        and for equitable relief against the State government;
            (4) by an officer or employee of a government of a State 
        that is not described in paragraph (3) may maintain a civil 
        action for actual damages and for equitable relief against the 
        officer or employee; or
            (5) by an officer or employee of a government authority 
        while the officer or employee was not acting within the scope 
        of the office or employment may maintain a civil action for 
        actual damages and for equitable relief against the officer or 
        employee.
    (b) Knowing Violations.--Any individual entitled to recover actual 
damages under this section because of a knowing violation of a 
provision of this title (other than subsection (c) or (d) of section 
121) shall be entitled to recover the amount of the actual damages 
demonstrated or $5000, whichever is greater.
    (c) Actual Damages.--For purposes of this section, the term 
``actual damages'' includes damages paid to compensate an individual 
for nonpecuniary losses such as physical and mental injury as well as 
damages paid to compensate for pecuniary losses.
    (d) Punitive Damages; Attorney's Fees.--In any action brought under 
this section in which the complainant has prevailed because of a 
knowing violation of a provision of this title (other than subsection 
(c) or (d) of section 121), the court may, in addition to any relief 
awarded under subsections (a) and (b), award such punitive damages as 
may be warranted. In such an action, the court, in its discretion, may 
allow the prevailing party a reasonable attorney's fee (including 
expert fees) as part of the costs, and the United States shall be 
liable for costs the same as a private person.
    (e) Inspection and Amendment.--If a health information trustee has 
established a written internal procedure that allows an individual who 
has been denied inspection or amendment of protected health information 
to appeal the denial, the individual may not maintain a civil action in 
connection with the denial until the earlier of--
            (1) the date the appeal procedure has been exhausted; or
            (2) 3 months after the date the original request for 
        inspection or amendment was made.
    (f) No Liability for Permissible Disclosures.--A health information 
trustee who makes a disclosure of protected health information about an 
individual that is permitted by this title and not otherwise prohibited 
by State or Federal statute shall not be liable to the individual for 
the disclosure under common law.
    (g) No Liability for Institutional Review Board Determinations.--If 
the members of an institutional review board have in good faith 
determined that a health research project is of sufficient importance 
so as to outweigh the intrusion into the privacy of an individual 
pursuant to section 128(a)(1), the members, the board, and the parent 
institution of the board shall not be liable to the individual as a 
result of such determination.
    (h) Good Faith Reliance on Certification.--A health information 
trustee who relies in good faith on a certification by a government 
authority or other person and discloses protected health information 
about an individual in accordance with this title shall not be liable 
to the individual for such disclosure.

SEC. 162. CIVIL MONEY PENALTIES.

    (a) Violation.--Any health information trustee who the Secretary 
determines has substantially failed to comply with the provisions of 
this Act shall be subject, in addition to any other penalties that may 
be prescribed by law, to a civil money penalty of not more than $10,000 
for each such violation.
    (b) Procedures for Imposition of Penalties.--The provisions of 
section 1128A of the Social Security Act (other than subsections (a) 
and (b) and the second sentence of subsection (f)) shall apply to the 
imposition of a civil monetary penalty under this section in the same 
manner as such provisions apply with respect to the imposition of a 
penalty under section 1128A of such Act.

SEC. 163. ALTERNATIVE DISPUTE RESOLUTION.

    (a) In General.--The Secretary shall, by regulation, develop 
alternative dispute resolution methods for use by individuals, health 
information trustees, and other persons in resolving claims under 
section 161.
    (b) Methods.--The methods under subsection (a) shall include at 
least the following:
            (1) Arbitration.--The use of arbitration.
            (2) Mediation.--The use of mediation.
            (3) Early offers of settlement.--The use of a process under 
        which parties make early offers of settlement.
    (c) Standards for Establishing Methods.--In developing alternative 
dispute resolution methods under subsection (a), the Secretary shall 
ensure that the methods promote the resolution of claims in a manner 
that--
            (1) is affordable for the parties involved;
            (2) provides for timely resolution of claims;
            (3) provides for the consistent and fair resolution of 
        claims; and
            (4) provides for reasonably convenient access to dispute 
        resolution for individuals.

SEC. 164. AMENDMENTS TO CRIMINAL LAW.

    (a) In General.--Title 18, United States Code, is amended by 
inserting after chapter 89 the following:

               ``CHAPTER 90--PROTECTED HEALTH INFORMATION

``Sec.
``1831. Definitions.
``1832. Obtaining protected health information under false pretenses.
``1833. Monetary gain from obtaining protected health information under 
                            false pretenses.
``1834. Knowing and unlawful obtaining of protected health information.
``1835. Monetary gain from knowing and unlawful obtaining of protected 
                            health information.
``1836. Knowing and unlawful use or disclosure of protected health 
                            information.
``1837. Monetary gain from knowing and unlawful sale, transfer, or use 
                            of protected health information.
``Sec. 1831. Definitions
    ``As used in this chapter--
            ``(1) the term `health information trustee' has the meaning 
        given such term in section 3(b)(3) of the Fair Health 
        Information Practices Act of 1994; and
            ``(2) the term `protected health information' has the 
        meaning given such term in section 3(a)(3) of such Act.
``Sec. 1832. Obtaining protected health information under false 
              pretenses
    ``Whoever under false pretenses--
            ``(1) requests or obtains protected health information from 
        a health information trustee; or
            ``(2) obtains from an individual an authorization for the 
        disclosure of protected health information about the individual 
        maintained by a health information trustee;
shall be fined under this title or imprisoned not more than 5 years, or 
both.
``Sec. 1833. Monetary gain from obtaining protected health information 
              under false pretenses
    ``Whoever under false pretenses--
            ``(1) requests or obtains protected health information from 
        a health information trustee with the intent to sell, transfer, 
        or use such information for profit or monetary gain; or
            ``(2) obtains from an individual an authorization for the 
        disclosure of protected health information about the individual 
        maintained by a health information trustee with the intent to 
        sell, transfer, or use such authorization for profit or 
        monetary gain;
and knowingly sells, transfers, or uses such information or 
authorization for profit or monetary gain shall be fined under this 
title or imprisoned not more than 10 years, or both.
``Sec. 1834. Knowing and unlawful obtaining of protected health 
              information
    ``Whoever knowingly obtains protected health information from a 
health information trustee in violation of the Fair Health Information 
Practices Act of 1994, knowing that such obtaining is unlawful, shall 
be fined under this title or imprisoned not more than 5 years, or both.
``Sec. 1835. Monetary gain from knowing and unlawful obtaining of 
              protected health information
    ``Whoever knowingly--
            ``(1) obtains protected health information from a health 
        information trustee in violation of the Fair Health Information 
        Practices Act of 1994, knowing that such obtaining is unlawful 
        and with the intent to sell, transfer, or use such information 
        for profit or monetary gain; and
            ``(2) knowingly sells, transfers, or uses such information 
        for profit or monetary gain;
shall be fined under this title or imprisoned not more than 10 years, 
or both.
``Sec. 1836. Knowing and unlawful use or disclosure of protected health 
              information
    ``Whoever knowingly uses or discloses protected health information 
in violation of the Fair Health Information Practices Act of 1994, 
knowing that such use or disclosure is unlawful, shall be fined under 
this title or imprisoned not more than 5 years, or both.
``Sec. 1837. Monetary gain from knowing and unlawful sale, transfer, or 
              use of protected health information
    ``Whoever knowingly sells, transfers, or uses protected health 
information in violation of the Fair Health Information Practices Act 
of 1994, knowing that such sale, transfer, or use is unlawful, shall be 
fined under this title or imprisoned not more than 10 years, or 
both.''.
    (b) Clerical Amendment.--The table of chapters for part I of title 
18, United States Code, is amended by inserting after the item relating 
to chapter 89 the following:

``90. Protected health information..........................    1831''.

          TITLE II--AMENDMENTS TO TITLE 5, UNITED STATES CODE

SEC. 201. AMENDMENTS TO TITLE 5, UNITED STATES CODE.

    (a) New Subsection.--Section 552a of title 5, United States Code, 
is amended by adding at the end the following:

    ``(w) Medical Exemptions.--The head of an agency that is a health 
information trustee (as defined in section 3(b)(3) of the Fair Health 
Information Practices Act of 1994) shall promulgate rules, in 
accordance with the requirements (including general notice) of 
subsections (b)(1), (b)(2), (b)(3), (c), and (e) of section 553 of this 
title, to exempt a system of records within the agency, to the extent 
that the system of records contains protected health information (as 
defined in section 3(a)(3) of such Act), from all provisions of this 
section except subsections (e)(1), (e)(2), subparagraphs (A) through 
(C) and (E) through (I) of subsection (e)(4), and subsections (e)(5), 
(e)(6), (e)(9), (e)(12), (l), (m), (n), (o), (p), (q), (r), and (u).''.
    (b) Repeal.--Section 552a(f)(3) of title 5, United States Code, is 
amended by striking ``pertaining to him,'' and all that follows through 
the semicolon and inserting ``pertaining to the individual;''.

      TITLE III--REGULATIONS; EFFECTIVE DATES; APPLICABILITY; AND 
                       RELATIONSHIP TO OTHER LAWS

SEC. 301. REGULATIONS.

    Not later than July 1, 1996, the Secretary shall prescribe 
regulations to carry out this Act.

SEC. 302. EFFECTIVE DATES.

    (a) In General.--Except as provided in subsection (b), this Act, 
and the amendments made by this Act, shall take effect on January 1, 
1997.
    (b) Provisions Effective Immediately.--Any provision of this Act 
that imposes a duty on the Secretary shall take effect on the date of 
the enactment of this Act.

SEC. 303. APPLICABILITY.

    (a) Protected Health Information.--Except as provided in 
subsections (b) and (c), the provisions of this Act shall apply to any 
protected health information that exists in a State on or after January 
1, 1997, regardless of whether the information existed or was disclosed 
prior to such date.
    (b) Special Purpose Trustees.--The provisions of this Act shall not 
apply to any special purpose trustee, except with respect to protected 
health information that is received by such a trustee on or after 
January 1, 1997.
    (c) Authorizations for Disclosures.--An authorization for the 
disclosure of protected health information about an individual that is 
executed by the individual before January 1, 1997, and is recognized 
and valid under State law on December 31, 1996, shall remain valid and 
shall not be subject to the requirements of section 122 until July 1, 
1998, or the occurrence of the date or event (if any) specified in the 
authorization upon which the authorization expires, whichever occurs 
earlier.

SEC. 304. RELATIONSHIP TO OTHER LAWS.

    (a) State Law.--Except as provided in subsections (b) and (c), this 
Act shall prevent the establishment, continuing in effect, or 
enforcement of State law to the extent such law is inconsistent with a 
provision of this Act, but nothing in this Act shall be construed to 
indicate an intent on the part of Congress to occupy the field in which 
its provisions operate to the exclusion of the laws of any State on the 
same subject matter.
    (b) Privileges.--This Act does not preempt or modify State common 
or statutory law to the extent such law concerns a privilege of a 
witness or person in a court of the State. This Act does not supersede 
or modify Federal common or statutory law to the extent such law 
concerns a privilege of a witness or person in a court of the United 
States.
    (c) Certain Duties Under State or Federal Law.--This Act shall not 
be construed to preempt, supersede, or modify the operation of--
            (1) any law that provides for the reporting of vital 
        statistics such as birth or death information;
            (2) any law requiring the reporting of abuse or neglect 
        information about any individual; or
            (3) subpart II of part E of title XXVI of the Public Health 
        Service Act (relating to notifications of emergency response 
        employees of possible exposure to infectious diseases).

                                 <all>
