[Congressional Bills 103th Congress]
[From the U.S. Government Publishing Office]
[S. 2129 Introduced in Senate (IS)]

103d CONGRESS
  2d Session
                                S. 2129

  To amend title 18, United States Code, to preserve personal privacy 
 with respect to medical records and health care-related information, 
                        and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                 May 18 (legislative day, May 16), 1994

  Mr. Leahy (for himself, Mr. Riegle, and Mr. Wofford) introduced the 
             following bill; which was read the first time

_______________________________________________________________________

                                 A BILL


 
  To amend title 18, United States Code, to preserve personal privacy 
 with respect to medical records and health care-related information, 
                        and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Health Care Privacy Protection 
Act''.

SEC. 2. FINDINGS AND PURPOSES.

    (a) Findings.--The Congress finds as follows:
            (1) The right to privacy is a personal and fundamental 
        right protected by the Constitution of the United States.
            (2) The improper disclosure of personally identifiable 
        health care information may cause significant harm to a 
        person's interest in privacy, health care, and reputation and 
        may unfairly affect the ability of a person to obtain 
        employment, education, insurance, and credit.
            (3) The movement of people and health care-related 
        information across State lines, availability of access to and 
        exchange of health care-related information from automated data 
        banks and networks, and emergence of multistate health care 
        providers and payors create a need for uniform Federal law 
        governing the disclosure of health care information.
    (b) Purpose.--The purpose of this Act is to establish effective 
mechanisms to protect the privacy of persons with respect to personally 
identifiable health care information that is created or maintained as 
part of health treatment, enrollment, payment, or testing processes.

                     TITLE I--JUDICIAL PROCEEDINGS

SEC. 101. PRIVACY OF PERSONALLY IDENTIFIABLE HEALTH CARE INFORMATION.

    (a) Offense.--Part I of title 18, United States Code, is amended by 
inserting after chapter 84, the following new chapter:

     ``CHAPTER 84A--PRIVACY OF PERSONALLY IDENTIFIABLE HEALTH CARE 
                              INFORMATION

``Sec.
``1755. Wrongful disclosure of personally identifiable health care 
                            information.
``1756. Misuse of health security card or unique identifier.
``Sec. 1755. Wrongful disclosure of protected health information
    ``(a) Definitions.--
            ``(1) Protected health information.--The term ``protected 
        health information'' means any information, whether oral or 
        recorded in any form or medium, that--
                    ``(A)(i) is created or received by a health care 
                provider, health benefit plan, health oversight agency, 
                public health authority, or regional data center; or
                    ``(ii) is created or received by an employer 
                through the process of testing or screening applicants 
                or employees; and
                    ``(B) relates to the past, present, or future 
                physical or mental health or condition of an 
                individual, the provision of health care to an 
                individual or payment for the provision of health to an 
                individual and--
                    ``(i) identifies the individual; or
                            ``(ii) with respect to which there is a 
                        reasonable basis to believe that the 
                        information can be used to identify the 
                        individual.
            ``(2) Health care.--The term `health care'--
                    ``(A) means--
                            ``(i) a preventative, diagnostic, 
                        therapeutic rehabilitative, maintenance, or 
                        palliative care, counseling, service, or 
                        procedure--
                                    ``(I) with respect to the physical 
                                or mental condition of an individual; 
                                or
                                    ``(II) affecting the structure of 
                                function of the human body or any part 
                                of the human body; or
                            ``(ii) any sale or dispensing of a drug, 
                        device, equipment, or other item to an 
                        individual, or for the use of an individual, 
                        pursuant to a prescription; and
                    ``(B) does not include any item or service that is 
                not furnished for the purpose of examining, maintaining 
                or improving the health of an individual.
    ``(b) Offense.--A person who knowingly--
            ``(1) obtains protected health information relating to an 
        individual in violation of title II of the Health Care Privacy 
        Protection Act; or
            ``(2) discloses protected health information to another 
        person in violation of title II of the Health Care Privacy 
        Protection Act,
shall be punished as provided in subsection (c).
    ``(c) Penalties.--A person who violates subsection (b) shall--
            ``(1) be fined not more than $50,000, imprisoned not more 
        than 1 year, or both;
            ``(2) if the offense is committed under false pretenses, be 
        fined not more than $100,000, imprisoned not more than 5 years, 
        or both; and
            ``(3) if the offense is committed with intent to sell, 
        transfer, or use protected health information for commercial 
        advantage, personal gain, or malicious harm, fined not more 
        than $250,000, imprisoned not more than 10 years, or both.
``Sec. 1756. Misuse of health security card or unique identifier
    ``A person who--
            ``(1) requires the display of, requires the use of, or uses 
        a health security card that is issued under section 1001(b) of 
        the Health Security Act for any purpose other than a purpose 
        described in section 5105(a) of that Act; or
            ``(2) requires the disclosure of, requires the use of, or 
        uses a unique identifier number provided under section 5104 of 
        that Act for any purpose that is not authorized by the National 
        Health Board pursuant to that section,
shall be fined not more than $25,000, imprisoned not more than 2 years, 
or both.''.
    (b) Technical Amendment.--The part analysis for part I of title 18, 
United States Code, is amended by inserting after the item related to 
chapter 84, the following new item:

``84A. Privacy of personally identifiable health care          1755.''.
    information.

  TITLE II--LIMITATIONS ON DISCLOSURE OF PROTECTED HEALTH INFORMATION

SEC. 201. DEFINITIONS.

    In this title:
            (1) Health benefit plan.--The term ``health benefit plan'' 
        means a public or private entity or program that provides 
        payments for health care or that provides life insurance--
                    (A) including--
                            (i) a group health plan (as defined in 
                        section 607 of the Employee Retirement Income 
                        Security Act of 1974 (29 U.S.C. 1167)), 
                        employer self-insurance plan, or a multiple 
                        employer welfare arrangement (as defined in 
                        section 3 of that Act (29 U.S.C. 1002)) 
                        providing health benefits;
                            (ii) any other health insurance 
                        arrangement, including any arrangement 
                        consisting of a hospital or medical expense 
                        incurred policy or certificate, hospital or 
                        medical service plan contract, health 
                        maintenance organization subscriber contract; 
                        and
                            (iii) a life insurance plan;
                    (B) but not including--
                            (i) an individual who makes a payment on 
                        the individual's own behalf (or on behalf of 
                        any other individual) for health care or for 
                        deductibles, coinsurance, copayments, items, or 
                        services not covered under a health insurance 
                        arrangement;
                            (ii) a plan sponsor (as defined in section 
                        3 of the Employee Retirement Income Security 
                        Act of 1974 (29 U.S.C. 1002));
                            (iii) an employer of an employee covered 
                        under a multiple employer welfare arrangement;
                            (iv) an employee organization that sponsors 
                        a multiple employer welfare arrangement; or
                            (v) an organization, association, 
                        committee, joint board of trustees, or similar 
                        group of representatives of 2 or more employers 
                        described in clause (iii) or 2 or more employee 
                        organizations described in clause (iv).
            (2) Health care.--The term ``health care''--
                    (A) means--
                            (i) a preventative, diagnostic, 
                        therapeutic, rehabilitative, maintenance, or 
                        palliative care, counseling, service, or 
                        procedure--
                                    (I) with respect to the physical or 
                                mental condition of an individual; or
                                    (II) affecting the structure or 
                                function of the human body or any part 
                                of the human body; or
                            (ii) any sale or dispensing of a drug, 
                        device, equipment, or other item to an 
                        individual, or for the use of an individual, 
                        pursuant to a prescription; but
                    (B) does not include any item or service that is 
                not furnished for the purpose of examining, 
                maintaining, or improving the health of an individual.
            (3) Health care provider.--The term ``health care 
        provider'' means a person who is licensed, certified, 
        registered, or otherwise authorized by law to provide an item 
        or service that constitutes health care in the ordinary course 
        of business or practice of a profession.
            (4) Health information trustee.--The term ``health 
        information trustee'' means--
                    (A) a health care provider, health benefit plan, 
                health oversight agency, regional data center, or 
                employer, insofar as it creates, receives, maintains, 
                uses, or transmits protected health information; and
                    (B) any person who obtains protected health 
                information under section 207, 208, 209, 210, 211, 212, 
                or 215.
            (5) Health oversight agency.--The term ``health oversight 
        agency'' means a person that--
                    (A) performs or oversees the performance of an 
                assessment, evaluation, determination, or investigation 
                relating to the licensing, accreditation, or 
                certification of health care providers; or
                    (B)(i) performs or oversees the performance of an 
                assessment, evaluation, determination, or investigation 
                relating to the effectiveness of, compliance with, or 
                applicability of legal, fiscal, medical, or scientific 
                standards or aspects of performance related to the 
                delivery of, or payment for, health care or relating to 
                health care fraud or fraudulent claims for payment 
                regarding health; and
                    (ii) is a public agency, acting on behalf of a 
                public agency, acting pursuant to a requirement of a 
                public agency, or carrying out activities under a 
                Federal or State statute governing the assessment, 
                evaluation, determination, or investigation.
            (6) Health researcher.--The term ``health researcher'' 
        means a person who conducts a bio-medical, epidemiological, or 
        health services research project or a health statistics project 
        that has been approved by--
                    (A) an institutional review board for the 
                organization sponsoring the project;
                    (B) an institutional review board for each health 
                information trustee that maintains protected health 
                information intended to be used in the project; or
                    (C) an institutional review board established or 
                designated by the Secretary.
            (7) Institutional review board.--The term ``institutional 
        review board'' means--
                    (A) a board established in accordance with 
                regulations of the Secretary under section 491(a) of 
                the Public Health Service Act (42 U.S.C. 289);
                    (B) a similar board established by the Secretary 
                for the protection of human subjects in research 
                conducted by the Secretary; or
                    (C) a similar board established under regulations 
                of a Federal Government authority other than the 
                Secretary.
            (8) Law enforcement inquiry.--The term ``law enforcement 
        inquiry'' means an investigation or official proceeding 
        inquiring into whether there is a violation of, or failure to 
        comply with, any criminal or civil statute or any regulation, 
        rule, or order issued pursuant to such a statute.
            (9) Person.--The term ``person'' includes an authority of 
        the United States, a State, or a political subdivision of a 
        State.
            (10) Protected health information.--The term ``protected 
        health information'' means any information, whether oral or 
        recorded in any form or medium, that--
                    (A)(i) is created or received by a health care 
                provider, health benefit plan, health oversight agency, 
                public health authority, or regional data center; or
                    (ii) is created or received by an employer through 
                the process of testing or screening applicants or 
                employees; and
                    (B) relates to the past, present, or future 
                physical or mental health or condition of a person, the 
                provision of health care to a person, or payment for 
                the provision of health care to an individual and--
                            (i) identifies the individual; or
                            (ii) with respect to which there is a 
                        reasonable basis to believe that the 
                        information can be used to identify the 
                        individual.
            (11) Public health authority.--The term ``public health 
        authority'' means an authority or instrumentality of the United 
        States, a State, or a political subdivision of a State that is 
        (A) responsible for public health matters; and (B) engaged in 
        such activities as injury reporting, public health 
        surveillance, and public health investigation or intervention.
            (12) Regional date center.--The term ``regional data 
        center'' means--
                    (A) an entity established in accordance with the 
                Health Security Act and designated as such by the 
                Secretary;
                    (B) an entity that receives, maintains, uses, or 
                transmits information regarding health for payment, 
                statistical, or research purposes.
            (13) Secretary.--The term ``Secretary'' means the Secretary 
        of Health and Human Services.
            (14) State.--The term ``State'' includes the District of 
        Columbia, Puerto Rico, the Virgin Islands, Guam, American 
        Samoa, and the Northern Mariana Islands.

SEC. 202. GENERAL LIMITATIONS ON DISCLOSURE.

    (a) In General.--
            (1) Disclosure within a trustee.--A health information 
        trustee may disclose protected health information to an 
        officer, employee, or agent of the trustee only for a purpose 
        that is compatible with and related to the purpose for which 
        the information--
                    (A) was collected; or
                    (B) was received by that trustee.
            (2) Disclosure outside a trustee.--A health information 
        trustee may disclose protected health information to a person 
        other than an officer, employee, or agent of the trustee only 
        for a purpose that is authorized under this Act.
            (3) Scope of disclosure.--
                    (A) In general.--Every disclosure of protected 
                health information by a health information trustee 
                shall be limited to the minimum amount of information 
                necessary to accomplish the purpose for which the 
                information is disclosed.
                    (B) Guidelines.--Not later than July 1, 1996, the 
                Attorney General, in consultation with the Secretary, 
                after notice and opportunity for public comment, shall 
                issue guidelines to implement subparagraph (A), which 
                shall take into account the technical capabilities of 
                the record systems used to maintain protected health 
                information and the costs of limiting disclosure.
            (4) Identification of disclosed information as protected 
        information.--Except with respect to protected health 
        information that is disclosed under section 217, and except as 
        provided in paragraph (5), a health information trustee may not 
        disclose protected health information unless such information 
        is clearly identified as protected health information that is 
        subject to this section.
            (5) Routine disclosures subject to written agreement.--A 
        health information trustee who routinely discloses protected 
        health information to a person may satisfy the identification 
        requirement in paragraph (4) through a written agreement 
        between the trustee and the person with respect to the 
        protected health information.
            (6) Agreement to limit disclosure.--A health information 
        trustee who receives protected health information from any 
        person pursuant to a written agreement to restrict disclosure 
        of the information to a greater extent than would otherwise be 
        required under this section shall comply with the terms of the 
        agreement, except in circumstances in which disclosure of the 
        information is required by law notwithstanding the agreement.
            (7) No general requirement to disclose.--Except as provided 
        in the section 217 relating to inspection, nothing in this 
        section shall be construed to require a health information 
        trustee to disclose protected health information not otherwise 
        required to be disclosed by law.
    (b) Disclosure by Officer, Employee, or Agent.--No officer, 
employee, or agent of a health information trustee may disclose 
protected health information, except insofar as the health information 
trustee is permitted to disclose such information for a purpose that is 
authorized under this Act.

SEC. 203. AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH 
              INFORMATION.

    (a) Written Authorizations.--A health information trustee may 
disclose protected health information pursuant to an authorization 
executed by the individual who is the subject of the information, if 
each of the following requirements is met:
            (1) Writing.--The authorization is in writing, signed by 
        the individual who is the subject of the information, and dated 
        on the date of such signature.
            (2) Separate form.--The authorization is not on a form used 
        to authorize or facilitate the provision of, or payment for, 
        health care.
            (3) Trustee described.--The trustee is specifically named 
        or generically described in the authorization as authorized to 
        disclose such information.
            (4) Recipient described.--The person to whom the 
        information is to be disclosed is specifically named or 
        generically described in the authorization as a person to whom 
        such information may be disclosed.
            (5) Statement of intended disclosures.--The authorization 
        contains an acknowledgment that the individual who is the 
        subject of the information has received a statement of the 
        disclosures that the person to receive the protected health 
        information intends to make, which statement shall be in 
        writing, on a form that is distinct from the authorization for 
        disclosure, and which statement must be received by the 
        individual authorizing the disclosure on or before such 
        authorization is executed.
            (6) Information described.--The information to be disclosed 
        is described in the authorization.
            (7) Authorization timely received.--The authorization is 
        received by the trustee during a period described in subsection 
        (c)(1).
            (8) Disclosure timely made.--The disclosure occurs during a 
        period described in subsection (c)(2).
    (b) Authorizations Requested in Connection With Provision of Health 
Care.--
            (1) In general.--A health information trustee may not 
        request that an individual person provide to any other person 
        an authorization described in subsection (a) on a day on 
        which--
                    (A) the trustee provides health care to the 
                individual requested to provide the authorization; or
                    (B) in the case of a trustee that is a health 
                facility, the individual is admitted into the facility 
                as a resident or inpatient in order to receive health 
                care.
            (2) Exception.--Paragraph (1) does not apply if a health 
        information trustee requests that an individual provide an 
        authorization described in subsection (a) for the purpose of 
        assisting the individual in obtaining counseling or social 
        services from a person other than the trustee.
    (c) Time Limitations on Authorizations.--
            (1) Receipt by trustee.--For purposes of subsection (a)(7), 
        an authorization is timely received if it is received by the 
        trustee during--
                    (A) the 1-year period beginning on the date on 
                which the authorization is signed under subsection 
                (a)(1), if the authorization permits the disclosure of 
                protected health information to a person who provides 
                health counseling or social services to individuals; or
                    (B) the 30-day period beginning on the date on 
                which the authorization is signed under subsection 
                (a)(1), if the authorization permits the disclosure of 
                protected health information to a person other than a 
                person described in subparagraph (A).
            (2) Disclosure by trustee.--For purposes of subsection 
        (a)(8), a disclosure is timely made if it occurs before--
                    (A) the date or event (if any) specified in the 
                authorization upon which the authorization expires; and
                    (B) the expiration of the 6-month period beginning 
                on the date on which the trustee receives the 
                authorization.
    (d) Revocation or Amendment of Authorization.--
            (1) In general.--An individual may in writing revoke or 
        amend an authorization described in subsection (a), in whole or 
        in part, at any time, except when--
                    (A) disclosure of protected health information has 
                been authorized to permit validation of expenditures 
                for health care; or
                    (B) action has been taken in reliance on the 
                authorization.
            (2) Notice of revocation.--A health information trustee who 
        discloses protected health information pursuant to an 
        authorization that has been revoked shall not be subject to any 
        liability or penalty under this title if--
                    (A) the reliance was in good faith;
                    (B) the trustee had no notice of the revocation; 
                and
                    (C) the disclosure was otherwise in accordance with 
                the requirements of this title.
    (e) Model Authorizations.--Not later than July 1, 1996, the 
Attorney General, in consultation with the Secretary, after notice and 
opportunity for public comment, shall develop and disseminate model 
written authorizations of the type described in subsection (a) and 
model statements of intended disclosures of the type described in 
paragraph (a)(5).
    (f) Effect of Authorization on Privileges.--The execution by an 
individual of an authorization that meets the requirements of this 
section for the purpose of receiving health care or providing for the 
payment for health care shall not be construed to affect any privilege 
that the individual may have under common or statutory law in a court 
of a State or the United States.
    (g) Additional Requirements of Trustee.--A health information 
trustee may impose requirements for an authorization that are in 
addition to the requirements in this subsection.
    (h) Copy.--A health information trustee who discloses protected 
health information pursuant to an authorization under this section 
shall maintain a copy of the authorization as part of the information.
    (i) Rule of Construction.--This section shall not be construed--
            (1) to require a health information trustee to disclose 
        protected health information; or
            (2) to limit the right of a health information trustee to 
        charge a fee for the disclosure or reproduction of protected 
        health information.
    (j) Subpoenas.--If a health information trustee discloses protected 
health information pursuant to an authorization in order to comply with 
a subpoena, the authorization--
            (1) shall specifically authorize the disclosure for the 
        purpose of permitting the trustee to comply with the subpoena; 
        and
            (2) shall otherwise meet the requirements in this 
        subsection.

SEC. 204. TREATMENT AND PAYMENT.

    (a) In General.--(1) A health care provider, health benefit plan, 
employer, or person that receives protected health information under 
section 208 may disclose protected health information to a health care 
provider for the purpose of providing health care to an individual and 
the individual who is the subject of the information has not previously 
objected to the disclosure in writing.
    (2) A health care provider, health benefit plan, employer, regional 
data center or person that receives protected health information under 
section 208 may disclose protected health information to a health 
benefit plan for the purpose of providing for the payment for health 
care furnished to an individual.
    (3) A health care provider, or health benefit plan or person that 
receives protected health information under section 208 may disclose 
protected health information to a regional data center for the purpose 
of carrying out its functions.
    (b) Scope of Disclosure.--The disclosure of protected health 
information under this section shall be limited to the minimum amount 
necessary to accomplish the purpose for which the disclosure is 
authorized.

SEC. 205. OVERSIGHT.

    (a) In General.--A health information trustee may disclose 
protected health information to a health oversight agency for a purpose 
authorized by law.
    (b) Scope of Disclosure.--The disclosure of protected health 
information under this section shall be limited to the minimum amount 
necessary to accomplish the purpose for which the disclosure is 
authorized.
    (c) Use in Action Against Individuals.--Protected health 
information about an individual that is disclosed under this section 
may not be used in, or disclosed to any person for use in, any 
administrative, civil, or criminal action or investigation directed 
against the individual who is the subject of the information, except in 
an action or investigation arising out of and directly related to 
receipt of health care or payment for health care or an action 
involving a fraudulent claim related to health.

SEC. 206. NEXT OF KIN AND DIRECTORY INFORMATION.

    (a) Next of Kin.--A health care provider or person that receives 
protected health information under section 208 may disclose protected 
health information to the next of kin or legal representative (as 
defined under State law) of the individual who is the subject of the 
information or to an individual with whom that individual has a 
personal relationship if--
            (1) the individual who is the subject of the information 
        has not previously objected to the disclosure after being 
        notified of the right to object; and
            (2) the information disclosed relates to health care 
        currently being provided to that individual.
    (b) Directory Information.--A health care provider and a person 
receiving protected health information under section 208 may disclose 
information to any person if--
            (1) the information does not reveal specific information 
        about the physical or mental condition of the individual who is 
        the subject of the information or health care provided to that 
        person;
            (2) the individual who is the subject of the information 
        has not objected in writing to the disclosure after being 
        notified of the right to object; and
            (3) the information consists only of 1 or more of the 
        following items:
                    (A) The name of the individual who is the subject 
                of the information.
                    (B) If the individual who is the subject of the 
                information is receiving health care from a health care 
                provider on a premises controlled by the provider--
                            (i) the location of the individual on the 
                        premises; and
                            (ii) the general health status of the 
                        individual, described as critical, poor, fair, 
                        stable, or satisfactory or in terms denoting 
                        similar conditions.
    (c) Identification of Dead Person.--A health information trustee 
may disclose protected health information if necessary to assist in the 
identification of a dead person.

SEC. 207. PUBLIC HEALTH.

    (a) In General.--A health care provider, health benefit plan, 
public health authority, employer, or person that receives protected 
health information under section 208 may disclose protected health 
information to a public health authority or other person authorized by 
law for use in legally authorized--
            (1) disease or injury reporting;
            (2) public health surveillance; or
            (3) public health investigation or intervention.
    (b) Scope of Disclosure.--The disclosure of protected health 
information under this section shall be limited to the minimum amount 
necessary to accomplish the purpose for which the disclosure is 
authorized.

SEC. 208. EMERGENCY CIRCUMSTANCES.

    (a) In General.--A health care provider, health benefit plan, 
employer, or person that receives protected health information under 
section 208 may disclose protected health information in emergency 
circumstances when necessary to protect the health or safety of an 
individual from imminent harm.
    (b) Scope of Disclosure.--The disclosure of protected health 
information under this section shall be limited to the minimum amount 
necessary to accomplish the purpose for which the disclosure is 
authorized and shall be limited to persons who need the information to 
protect the health or safety of the individual.
    (c) Use in Action Against Individual.--Protected health information 
about an individual that is disclosed under this section may not be 
used in, or disclosed to any person for use in, any administrative, 
civil, or criminal action or investigation directed against the 
individual except when the use or disclosure is authorized by law for 
protection of the public health.

SEC. 209. JUDICIAL AND ADMINISTRATIVE PURPOSES.

    (a) In General.--A health care provider, health benefit plan, 
health oversight agency, employer, and person that receives protected 
health information under section 208 may disclose protected health 
information--
            (1) pursuant to the Federal Rules of Civil Procedure, the 
        Federal Rules of Criminal Procedure, or comparable rules of 
        other courts or administrative agencies in connection with 
        litigation or proceedings to which the individual who is the 
        subject of the information is a party and in which the 
        individual has placed the individual's physical or mental 
        condition in issue;
            (2) if ordered by a court in connection with an examination 
        of an individual; or
            (3) pursuant to a law requiring the reporting of specific 
        medical information to law enforcement authorities.
    (b) Scope of Disclosure.--The disclosure of protected health 
information under this section shall be limited to the minimum amount 
necessary to accomplish the purpose for which the disclosure is 
authorized.
    (c) Limit on Additional Disclosure.--A person that receives 
protected health information under this section may use the information 
and disclose such information only for the purpose for which it was 
received.

SEC. 210. HEALTH RESEARCH.

    (a) In General.--A health information trustee may disclose 
protected health information to a health researcher if the disclosure 
is for use in a health research project that has been determined by an 
institutional review board to be--
            (1) of sufficient importance to outweigh the intrusion into 
        the privacy of the individual who is the subject of the 
        information that would result from the disclosure; and
            (2) necessary for the effectiveness of the project.
    (b) Obligations of Recipient.--A person who receives protected 
health information pursuant to subsection (a)--
            (1) shall remove or destroy, at the earliest opportunity 
        consistent with the purposes of the project, information that 
        would enable an individual to be identified, unless--
                    (A) an institutional review board has determined 
                that there is a health or research justification for 
                retention of such identifiers; and
                    (B) there is an adequate plan to protect the 
                identifiers from disclosure that is inconsistent with 
                this section.
            (2) shall use protected health information solely for 
        purposes of the health research project for which disclosure 
        was authorized under this section.
    (c) Scope of Disclosure.--The disclosure of protected health 
information under this section shall be limited to the minimum amount 
necessary to accomplish the research purpose for which the disclosure 
is authorized.
    (d) Research Requiring Direct Contact.--Protected health 
information may not be disclosed to a health researcher for a research 
project that includes direct contact with an individual who is the 
subject of protected health information unless the individual who is 
the subject of the protected health information has been given notice 
by the health information trustee that such contact is possible and 
been given the opportunity to object to the disclosure and the 
individual has not objected.

SEC. 211. LAW ENFORCEMENT.

    (a) In General.--A health care provider, health benefit plan, 
health oversight agency, health researcher, employer, or other person 
that receives protected health information under section 208 may 
disclose protected health information to a law enforcement agency 
(other than a health oversight agency governed by section 205) if the 
information is requested for use--
            (1) in an investigation or prosecution of a health 
        information trustee;
            (2) in the identification or location of a victim, suspect, 
        fugitive, or witness in a law enforcement inquiry; or
            (3) in connection with the investigation of criminal 
        activity committed against the trustee or on premises 
        controlled by the trustee.
    (b) Certification.--When a law enforcement agency (other than a 
health oversight agency) requests a health information trustee disclose 
protected health information under this subsection, the law enforcement 
agency shall provide the trustee with a written certification that--
            (1) specifies the information requested;
            (2) states that the information is needed for a lawful 
        purpose under this section; and
            (3) is signed by a supervisory official of a rank 
        designated by the head of the agency.
    (c) Scope of Disclosure.--The disclosure of protected health 
information under this section shall be limited to the minimum amount 
necessary to accomplish the purpose for which the disclosure is 
authorized.
    (d) Restrictions on Additional Disclosure.--Protected health 
information about an individual that is disclosed to a law enforcement 
agency under this section--
            (1) may not be disclosed for, or used in, any 
        administrative, civil, or criminal action or investigation 
        against the individual, except in an action or investigation 
        arising out of and directly related to the action or 
        investigation for which the information was obtained; and
            (2) may not be otherwise used or disclosed by the law 
        enforcement agency, unless the use or disclosure is necessary 
        to fulfill the purpose for which the information was obtained 
        and is not otherwise prohibited by law.

SEC. 212. SUBPOENAS AND WARRANTS.

    (a) In General.--A health care provider, health benefit plan, 
health oversight agency, employer, or person that receives protected 
health information under section 208 may disclose protected health 
information under this section if the disclosure is pursuant to--
            (1) a subpoena issued under the authority of a grand jury, 
        and the trustee is provided a written certification by the 
        grand jury seeking the information that the grand jury has 
        complied with the applicable access provisions of section 213;
            (2) an administrative subpoena or a judicial subpoena or 
        warrant, and the trustee is provided a written certification by 
        the person seeking the information that the person has complied 
        with the applicable access provisions of section 213 or 214; or
            (3) an administrative subpoena or a judicial subpoena or 
        warrant, and the disclosure otherwise meets the conditions of 
        section 205, 207, 208, 209, or 211.
    (b) Restrictions on Additional Disclosure.--Protected health 
information about an individual that is received under--
            (1) subsection (a) may not be disclosed for, or used in, 
        any administrative, civil, or criminal action or investigation 
        against the individual, except in an action or investigation 
        arising out of and directly related to the inquiry for which 
        the information was obtained;
            (2) subsection (a)(2) may not be otherwise disclosed by the 
        recipient unless the disclosure is necessary to fulfill the 
        purpose for which the information was obtained; and
            (3) subsection (a)(3) may not be disclosed by the recipient 
        unless the recipient complies with the conditions and 
        restrictions on disclosure with which the recipient would have 
        been required to comply if the disclosure had been made under 
        section 205, 207, 208, 209, or 211.

SEC. 213. ACCESS PROCEDURES FOR LAW ENFORCEMENT SUBPOENAS AND WARRANTS.

    (a) Probable Cause Requirement.--A government authority may not 
obtain protected health information about a person under section 212(a) 
(1) or (2) for use in a law enforcement inquiry unless there is 
probable cause to believe that the information is relevant to a 
legitimate law enforcement inquiry being conducted by the government 
authority.
    (b) Warrants.--A government authority that obtains protected health 
information about an individual under circumstances described in 
subsection (a) and pursuant to a warrant shall, not later than 30 days 
after the date the warrant was executed, serve the individual with, or 
mail to the last known address of the individual, a notice that 
protected health information about the individual was so obtained.
    (c) Subpoenas.--Except as provided in subsection (d), a government 
authority may not obtain protected health information about an 
individual under circumstances described in subsection (a) and pursuant 
to a subpoena unless a copy of the subpoena has been served on the 
individual on or before the date of return of the subpoena, together 
with a notice of the individual's right to challenge the subpoena in 
accordance with section 214, and--
            (1) 30 days have passed from the date of service on the 
        individual and within that time period the individual has not 
        initiated a challenge in accordance with section 214; or
            (2) disclosure is ordered by a court after challenge under 
        section 214.
    (d) Application for Delay.--
            (1) In general.--A government authority may apply ex parte 
        and under seal to an appropriate court to delay (for an initial 
        period of not longer than 90 days) serving a copy of a subpoena 
        or notice required under subsection (b) or (c) with respect to 
        a law enforcement inquiry. The government authority may apply 
        to the court for extensions of the delay.
            (2) Reasons for delay.--An application for a delay, or 
        extension of a delay, under this subsection shall state, with 
        reasonable specificity, the reasons why the delay or extension 
        is being sought.
            (3) Ex parte order.--The court shall enter an ex parte 
        order delaying, or extending the delay of, notice and an order 
        prohibiting the disclosure of the request for or disclosure of 
        the protected health information and an order requiring the 
        disclosure of the protected health information if the court 
        finds that--
                    (A) the inquiry being conducted is within the 
                lawful jurisdiction of the government authority seeking 
                the protected health information;
                    (B) there is probable cause to believe that the 
                protected health information being sought is relevant 
                to a legitimate law enforcement inquiry;
                    (C) the government authority's need for the 
                information outweighs the privacy interest of the 
                individual who is the subject of the information; and
                    (D) there is reasonable ground to believe that 
                receipt of notice by the individual will result in--
                            (i) endangering the life or physical safety 
                        of any individual;
                            (ii) flight from prosecution;
                            (iii) destruction of or tampering with 
                        evidence or the information being sought; or
                            (iv) intimidation of potential witnesses.

SEC. 214. CHALLENGE PROCEDURES FOR LAW ENFORCEMENT SUBPOENAS.

    (a) Motion To Quash Subpoena.--Within 30 days after the date of 
service of a subpoena of a government authority seeking protected 
health information about an individual under section 212(a) (1) or (2), 
or notice that protected health information has been obtained by a 
government authority, the individual may file a motion to quash the 
subpoena--
            (1) in the case of a State judicial subpoena, in the court 
        which issued the subpoena;
            (2) in the case of a subpoena issued under the authority of 
        a State that is not a State judicial subpoena, in a court of 
        competent jurisdiction;
            (3) in the case of a subpoena issued under the authority of 
        a Federal court, in the United States district court for the 
        district in which the movant resides or in which the subpoena 
        was issued; or
            (4) in the case of any other subpoena issued under the 
        authority of the United States, in the United States district 
        court for the district in which the movant resides or in which 
        the subpoena was issued.
    (b) Copy.--A copy of the motion shall be served by the movant upon 
the government authority by registered or certified mail.
    (c) Proceedings.--The government authority may file with the court 
such papers, including affidavits and other sworn documents, as sustain 
the validity of the subpoena. The movant may file with the court reply 
papers in response to the authority's filing. The court, upon the 
request of the movant or the government authority or both, may proceed 
in camera. The court may conduct such proceedings as it deems 
appropriate to rule on the motion, but shall endeavor to expedite its 
determination.
    (d) Standard for Decision.--A court may deny a motion under 
subsection (a) if it finds there is probable cause to believe the 
protected health information being sought is relevant to a legitimate 
law enforcement inquiry being conducted by the government authority, 
unless the court finds the movant's privacy interest outweighs the 
government authority's need for the information. The movant shall have 
the burden of demonstrating that the individual's privacy interest 
outweighs the need established by the government authority for the 
information.
    (e) Specific Considerations With Respect to Privacy Interest.--In 
reaching its determination, the court shall consider--
            (1) the particular purpose for which the information was 
        collected;
            (2) the degree to which disclosure of the information will 
        embarrass, injure, or invade the privacy of the movant;
            (3) the effect of the disclosure on the movant's future 
        health care;
            (4) the importance of the inquiry being conducted by the 
        government authority, and the importance of the information to 
        that inquiry; and
            (5) any other factor deemed relevant by the court.
    (f) Attorney's Fees.--In the case of a motion brought under 
subsection (a) in which the movant substantially prevails, the court 
may assess against the government authority a reasonable attorney's fee 
and other litigation costs (including expert fees) reasonably incurred.
    (g) No Interlocutory Appeal.--A ruling denying a motion to quash 
under this section shall not be deemed to be a final order, and no 
interlocutory appeal may be taken therefrom by the movant. An appeal of 
such a ruling may be taken by the movant within such period of time as 
is provided by law as part of any appeal from a final order in any 
legal proceeding initiated against the movant arising out of or based 
upon the protected health information disclosed.

SEC. 215. ACCESS AND CHALLENGE PROCEDURES FOR SUBPOENAS OTHER THAN LAW 
              ENFORCEMENT SUBPOENAS.

    (a) In General.--A private party may not obtain protected health 
information from a health care provider, health benefit plan, employer, 
or person that receives protected health information under section 208 
pursuant to a subpoena unless--
            (1) a copy of the subpoena together with a notice of the 
        individual's right to challenge the subpoena by filing a motion 
        to quash under subsection (b), has been served upon the 
        individual identified by the information on or before the date 
        on which the subpoena was served; and
            (2)(A) 30 days have passed since the date of service, and 
        within that time period the individual has not filed a motion 
        under subsection (b); or
            (B) disclosure is ordered by a court under that subsection.
    (b) Motion To Quash.--Within 30 days after service of a subpoena 
seeking protected health information under subsection (a), the 
individual identified by the information may file in any court of 
competent jurisdiction a motion to quash the subpoena, with a copy 
served on the person seeking the information. The individual may oppose 
or seek to limit the subpoena on any ground that would be available if 
the individual were in sole possession of the information, including 
privacy and relevance.
    (c) Standard for Decision.--The court shall grant a motion under 
subsection (b) unless the respondent demonstrates that--
            (1) there is reasonable ground to believe the information 
        is relevant to a lawsuit or other judicial or administrative 
        proceeding; and
            (2) the need of the respondent for the information 
        outweighs the privacy interest of the movant.
    (d) Specific Considerations With Respect to Privacy Interest.--In 
determining under subsection (c) whether the need of the respondent for 
the information outweighs the privacy of the movant, the court shall 
consider--
            (1) the particular purpose for which the information was 
        collected;
            (2) the degree to which disclosure of the information would 
        embarrass, injure, or invade the privacy of the movant;
            (3) the effect of the disclosure on the movant's future 
        health care;
            (4) the importance of the information to the lawsuit or 
        proceeding; and
            (5) any other relevant factor.
    (e) Attorney's Fees.--In the case of a motion brought under 
subsection (b) in which the movant has substantially prevailed, the 
court may assess against the respondent a reasonable attorney's fee and 
other litigation costs and expenses (including expert's fees) 
reasonably incurred.

SEC. 216. SECURITY.

    (a) In General.--A health information trustee shall maintain 
reasonable and appropriate administrative, technical, and physical 
safeguards--
            (1) to ensure the integrity and confidentiality of 
        protected health information created or received by the 
        trustee; and
            (2) to protect against any anticipated threats or hazards 
        to the security or integrity of such information.
    (b) Specific Security Measures.--The security measures adopted by a 
health information trustee shall include the following:
            (1) officers, employees, and agents of the trustee who have 
        access to protected health information created by the trustee 
        shall be regularly trained in the requirements governing such 
        information;
            (2) complete, accurate, and readily available records shall 
        be maintained, if the maintenance of such records is 
        practicable, taking into account the technical capabilities of 
        the system used to maintain protected health information and 
        the costs of such maintenance; and
            (3) appropriate signs and warnings shall be posted to 
        advise of the need to secure protected health information.
    (c) Regulations.--The Secretary, in consultation with the Attorney 
General, shall promulgate regulations regarding security measures for 
protected health information.

SEC. 217. INSPECTION OF PROTECTED HEALTH INFORMATION.

    (a) Inspection of Protected Health Information.--
            (1) In general.--Except as provided in paragraph (2), a 
        health care provider or health benefit plan--
                    (A) shall permit an individual who is the subject 
                of protected health information to inspect any such 
                information that the provider or plan maintains;
                    (B) shall permit the individual to have a copy of 
                the information;
                    (C) shall permit a person who has been designated 
                in writing by the individual who is the subject of the 
                information to inspect, or to have a copy of, the 
                information on behalf of the individual or to accompany 
                the individual during the inspection; and
                    (D) may offer to explain or interpret information 
                that is inspected or copied under this subsection.
            (2) Exceptions.--A health care provider or health benefit 
        plan is not required by this section to permit inspection or 
        copying of protected health information if any of the following 
        conditions apply:
                    (A) Mental health treatment notes.--The information 
                consists of psychiatric, psychological, or mental 
                health treatment notes, and the provider or plan 
                determines, based on reasonable medical judgment, that 
                inspection or copying of the notes would cause 
                sufficient harm to the individual who is the subject of 
                the notes so as to outweigh the desirability of 
                permitting access, and the provider or plan has not 
                disclosed the notes to any person not directly engaged 
                in treating the individual, except with the 
                authorization of the individual or under compulsion of 
                law.
                    (B) Information about others.--The information 
                relates to an individual other than the individual 
                seeking to inspect or have a copy of the information 
                and the provider or plan determines, based on 
                reasonable medical judgment, that inspection or copying 
                of the information would cause sufficient harm to 1 or 
                both of the individuals so as to outweigh the 
                desirability of permitting access.
                    (C) Endangerment to life or safety.--The provider 
                or plan determines that disclosure of the information 
                could reasonably be expected to endanger the life or 
                physical safety of any individual.
                    (D) Confidential source.--The information 
                identifies or could reasonably lead to the 
                identification of a person (other than a health care 
                provider) who provided information under a promise of 
                confidentiality to a health care provider concerning 
                the individual who is the subject of the information.
                    (E) Administrative purposes.--The information--
                            (i) is used by the provider or plan solely 
                        for administrative purposes and not in the 
                        provision of health care to the individual who 
                        is the subject of the information; and
                            (ii) has not been disclosed by the provider 
                        or plan to any other person.
            (3) Inspection and copying of segregable portion.--A health 
        care provider or health benefit plan shall permit inspection 
        and copying under paragraph (1) of any reasonably segregable 
        portion of a record after deletion of any portion that is 
        exempt under paragraph (2).
            (4) Conditions.--A health care provider or health benefit 
        plan may--
                    (A) require a written request for the inspection 
                and copying of protected health information under this 
                subsection; and
                    (B) charge a reasonable fee (not greater than the 
                actual cost) for--
                            (i) permitting inspection of information 
                        under this subsection; and
                            (ii) providing a copy of protected health 
                        information under this subsection.
            (5) Statement of reasons for denial.--If a health care 
        provider or health benefit plan denies a request for inspection 
        or copying under this subsection, the provider or plan shall 
        provide the individual who made the request (or the 
        individual's designated representative) with a written 
        statement of the reasons for the denial.
            (6) Deadline.--A health care provider or health benefit 
        plan shall comply with or deny a request for inspection or 
        copying of protected health information under this subsection 
        within the 30-day period beginning on the date on which the 
        provider or plan receives the request.

SEC. 218. AMENDMENT OF PROTECTED HEALTH INFORMATION.

    (a) In General.--A health care provider or health benefit plan that 
is required to comply with this subsection shall, within the 45-day 
period beginning on the date on which the provider or plan receives 
from an individual a written request that the provider or plan correct 
or amend the information--
            (1) make the correction or amendment requested;
            (2) inform the individual of the correction or amendment 
        that has been made;
            (3) inform any regional data center to which the 
        uncorrected or unamended portion of the information was 
        previously disclosed, of the correction or amendment;
            (4) inform any person who is identified by the individual, 
        who is not an officer, employee or agent, of the provider or 
        plan, and to whom the uncorrected or unamended portion of the 
        information was previously disclosed, of the correction or 
        amendment that has been made.
    (b) Refusal To Correct.--If the provider or plan refuses to make 
the corrections, the provider or plan shall inform the individual of--
            (1) the reasons for the refusal of the provider or plan to 
        make the correction or amendment;
            (2) any procedures for further review of the refusal; and
            (3) the individual's right to file with the provider or 
        plan a concise statement setting forth the requested correction 
        or amendment and the individual's reasons for disagreeing with 
        the refusal of the provider or plan.
    (c) Bases for Request to Correct or Amend.--An individual may 
request correction or amendment of protected health information about 
the individual under paragraph (d) if the information is not timely, 
accurate, relevant to the system of records, or complete.
    (d) Statement of Disagreement.--After an individual has filed a 
statement of disagreement under paragraph (b)(3), the provider or plan, 
in any subsequent disclosure of the disputed portion of the 
information--
            (1) shall include a copy of the individual's statement; and
            (2) may include a concise statement of the reasons of the 
        provider or plan for not making the requested correction or 
        amendment.
    (e) Rule of Construction.--This subsection shall not be construed 
to require a health care provider or health benefit plan to conduct a 
formal, informal, or other hearing or proceeding concerning a request 
for a correction or amendment to protected health information the 
provider or plan maintains.
    (f) Correction.--For purposes of paragraph (2), a correction is 
deemed to have been made to protected health information when 
information that is not timely, accurate, relevant to the system of 
records, or complete is clearly marked as incorrect or when 
supplementary correct information is made part of the information.
    (g) Notice of Information Practices.--
            (1) Preparation of written notice.--A health care provider 
        or health benefit plan shall prepare a written notice of 
        information practices describing the following:
                    (A) Personal rights of an individual.--The rights 
                under this section of an individual who is the subject 
                of protected health information, including the right to 
                inspect and copy such information and the right to seek 
                amendments to such information, and the procedures for 
                authorizing disclosures of protected health information 
                and for revoking such authorizations.
                    (B) Procedures of provider or plan.--The procedures 
                established by the provider or plan for the exercise of 
                the rights of individuals about whom protected health 
                information is maintained.
                    (C) Authorized disclosures.--The disclosures of 
                protected health information that are authorized.
            (2) Dissemination of notice.--A health care provider or 
        health benefit plan--
                    (A) shall, upon request, provide any individual 
                with a copy of the notice of information practices 
                described in paragraph (1); and
                    (B) shall make reasonable efforts to inform 
                individuals in a clear and conspicuous manner of the 
                existence and availability of the notice.
            (3) Model notice.--Not later than July 1, 1996, the 
        Secretary, after consultation with the Attorney General and 
        after notice and opportunity for public comment, shall develop 
        and disseminate a model notice of information practices for use 
        by health care providers and health benefit plans under this 
        section.

SEC. 219. ACCOUNTING FOR DISCLOSURES.

    (a) In General.--A health care provider or health benefit plan that 
is required to comply with this subsection shall create and maintain, 
with respect to any protected health information disclosed, a record 
of--
            (1) the date and purpose of the disclosure;
            (2) the name of the person to whom the disclosure was made;
            (3) the address of the person to whom the disclosure was 
        made or the location to which the disclosure was made; and
            (4) the information disclosed, if the recording of the 
        information disclosed is practicable, taking into account the 
        technical capabilities of the system used to maintain the 
        record and the costs of such maintenance.
    (b) Disclosure Record Part of Information.--A record created and 
maintained under paragraph (a) shall be maintained as part of the 
protected health information to which the record pertains, except for 
requests from and disclosures to health oversight agencies.

SEC. 220. STANDARDS FOR ELECTRONIC DOCUMENTS AND COMMUNICATIONS.

    Not later than July 1, 1996, the Attorney General, in consultation 
with the Secretary and after notice and opportunity for public comment, 
shall promulgate standards with respect to the creation, transmission, 
receipt, and maintenance, in electronic form, of each written document 
required or authorized under this title. When a signature is required 
with respect to a written document under any other provision of this 
title, such standards shall provide for an electronic substitute that 
serves the functional equivalent of a signature.

SEC. 221. RIGHTS OF INCOMPETENTS.

    (a) Effect of Declaration of Incompetence.--Except as provided in 
section 222, if an individual has been declared to be incompetent by a 
court of competent jurisdiction, the rights of the individual under 
this section shall be exercised and discharged in the best interests of 
the individual through an authorized legal representative.
    (b) No Court Declaration.--Except as provided in section 222, if a 
health care provider determines that an individual, who has not been 
declared to be incompetent by a court of competent jurisdiction, 
suffers from a medical condition that prevents the individual from 
acting knowingly or effectively on the individual's own behalf, the 
right of the individual to authorize disclosure may be exercised and 
discharged in the best interest of the individual by the individual's 
next of kin.

SEC. 222. RIGHTS OF MINORS.

    (a) Individuals Who Are 18 or Legally Capable.--In the case of an 
individual--
            (1) who is 18 years of age or older, all rights of the 
        individual shall be exercised by the individual; or
            (2) who, acting alone, has the legal right, as determined 
        by State law, to apply for and obtain a type of medical 
        examination, care, or treatment and who has sought such 
        examination, care, or treatment, the individual shall exercise 
        all rights of an individual under this title with respect to 
        protected health information relating to such examination, 
        care, or treatment.
    (b) Individuals Under 18.--Except as provided in subsection (a)(2), 
in the case of an individual who is--
            (1) under 14 years of age, all the individual's rights 
        under this title shall be exercised through the parent or legal 
        guardian of the individual; or
            (2) 14, 15, 16, or 17 years of age, the rights of 
        inspection and amendment, and the right to authorize disclosure 
        of protected health information of the individual may be 
        exercised either by the individual or by the parent or legal 
        guardian of the individual.

SEC. 223. NO LIABILITY FOR PERMISSIBLE DISCLOSURES.

    A health information trustee who makes a disclosure of protected 
health information about an individual that is permitted by this title 
shall not be liable to the individual for the disclosure under common 
law.

SEC. 224. NO LIABILITY FOR INSTITUTIONAL REVIEW BOARD DETERMINATIONS.

    If the members of an institutional review board make a 
determination in good faith that--
            (1) a health research project is of sufficient importance 
        to outweigh the intrusion into the privacy of an individual; 
        and
            (2) the effectiveness of the project requires use of 
        protected health information,
the members, the board, and the parent institution of the board shall 
not be liable to the individual as a result of the determination.

SEC. 225. GOOD FAITH RELIANCE ON CERTIFICATION.

    A health information trustee who relies in good faith on a 
certification by a government authority or other person and discloses 
protected health information about an individual in accordance with 
this title shall not be liable to the individual for such disclosure.

SEC. 226. CIVIL PENALTY.

    (a) Violation.--Any health information trustee who the Secretary 
determines has substantially failed to comply with this title shall be 
subject, in addition to any other penalties that may be prescribed by 
law, to a civil penalty of not more than $10,000 for each such 
violation.
    (b) Procedures for Imposition of Penalties.--Section 1128A of the 
Social Security Act (42 U.S.C. 1320a-7a), other than subsections (a) 
and (b) and the second sentence of subsection (f) of that section, 
shall apply to the imposition of a civil monetary penalty under this 
section in the same manner as such provisions apply with respect to the 
imposition of a penalty under section 1128A of that Act.

SEC. 227. CIVIL ACTION.

    (a) In General.--An individual who is aggrieved by conduct in 
violation of this title may bring a civil action to recover--
            (1) the greater of actual damages or liquidated damages of 
        $5,000;
            (2) punitive damages;
            (3) a reasonable attorney's fee and expenses of litigation;
            (4) costs of litigation; and
            (5) such preliminary and equitable relief as the court 
        determines to be appropriate.
    (b) Limitation.--No action may be commenced under this section more 
than 3 years after the date on which the violation was or should 
reasonably have been discovered.

SEC. 228. RELATIONSHIP TO OTHER LAWS.

    (a) State Law.--Except as provided in subsections (b), (c), and 
(d), this title preempts any State law to the extent that such law is 
inconsistent with this title.
    (b) Laws Relating to Public Health.--Nothing in this title is 
intended to preempt or operate to the exclusion of any State public 
health law that prevents or regulates disclosure of protected health 
information otherwise allowed under this Act.
    (c) Privileges.--Nothing in this title is intended to preempt or 
modify State common or statutory law to the extent such law concerns a 
privilege of a witness or person in a court of the State. This title 
does not supersede or modify Federal common or statutory law to the 
extent such law concerns a privilege of a witness or person in a court 
of the United States.
    (d) Certain Duties Under State or Federal Law.--This title shall 
not be construed to preempt, supersede, or modify the operation of--
            (1) any law that provides for the reporting of vital 
        statistics such as birth or death information;
            (2) any law requiring the reporting of abuse or neglect 
        information about any individual;
            (3) subpart II of part E of title XXVI of the Public Health 
        Service Act (relating to notifications of emergency response 
        employees of possible exposure to infectious diseases); or
            (4) any Federal law that prevents or regulates disclosure 
        of protected health information.

                                 <all>

S 2129 IS----2
S 2129 IS----3
S 2129 IS----4