[Congressional Bills 104th Congress]
[From the U.S. Government Publishing Office]
[S. 1360 Introduced in Senate (IS)]

  1st Session
                                S. 1360

 To ensure personal privacy with respect to medical records and health 
           care-related information, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            October 24, 1995

Mr. Bennett (for himself, Mr. Dole, Mr. Leahy, Mrs. Kassebaum, Mr. 
        Kennedy, Mr. Frist, Mr. Simon, Mr. Hatch, Mr. Gregg, Mr. 
        Stevens, Mr. Jeffords, Mr. Kohl, Mr. Daschle, and Mr. Feingold) 
        introduced the following bill; which was read twice and 
        referred to the Committee on Labor and Human Resources

_______________________________________________________________________

                                 A BILL


 
 To ensure personal privacy with respect to medical records and health 
           care-related information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Medical Records 
Confidentiality Act of 1995''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Purpose.
Sec. 3. Definitions.
                      TITLE I--INDIVIDUAL'S RIGHTS

 Subtitle A--Review of Protected Health Information by Subjects of the 
                              Information

Sec. 101. Inspection and copying of protected health information.
Sec. 102. Correction or amendment of protected health information.
Sec. 103. Notice of information practices.
                Subtitle B--Establishment of Safeguards

Sec. 111. Establishment of safeguards.
Sec. 112. Accounting for disclosures.
              TITLE II--RESTRICTIONS ON USE AND DISCLOSURE

Sec. 201. General rules regarding use and disclosure.
Sec. 202. Authorizations for disclosure of protected health information 
                            for treatment or payment.
Sec. 203. Authorizations for disclosure of protected health 
                            information, other than for treatment or 
                            payment.
Sec. 204. Health information services.
Sec. 205. Next of kin and directory information.
Sec. 206. Emergency circumstances.
Sec. 207. Oversight.
Sec. 208. Public health.
Sec. 209. Health research.
Sec. 210. Judicial and administrative purposes.
Sec. 211. Non-law enforcement subpoenas.
Sec. 212. Law enforcement.
Sec. 213. Standards for electronic disclosures.
                          TITLE III--SANCTIONS

                      Subtitle A--Civil Sanctions

Sec. 301. Civil penalty.
Sec. 302. Civil action.
                     Subtitle B--Criminal Sanctions

Sec. 311. Wrongful disclosure of protected health information.
                        TITLE IV--MISCELLANEOUS

Sec. 401. Relationship to other laws.
Sec. 402. No liability for permissible disclosures.
Sec. 403. Effective date.

SEC. 2. PURPOSE.

    The purpose of this Act is to--
            (1) establish strong and effective mechanisms to protect 
        the privacy of persons with respect to personally identifiable 
        health care information that is created or maintained as part 
        of health treatment, diagnosis, enrollment, payment, testing, 
        or research processes;
            (2) promote the efficiency and security of the health 
        information infrastructure so that members of the health care 
        community may more effectively exchange and transfer health 
        information in a manner that will ensure the confidentiality of 
        personally identifiable health information; and
            (3) establish strong and effective remedies for violations 
        of this Act.

SEC. 3. DEFINITIONS.

    As used in this Act:
            (1) Certified health information service.--The term 
        ``certified health information service'' means a health 
        information service that receives personally identifiable 
        health information for the purpose of creating nonidentifiable 
        health information and has been certified by the Secretary 
        pursuant to section 204(b).
            (2) Certified institutional review board.--The term 
        ``certified institutional review board'' means an institutional 
        review board that has been certified by the Secretary pursuant 
        to section 209(d).
            (3) Disclose.--The term ``disclose'' means to release, 
        transfer, or otherwise divulge protected health information to 
        any person other than the individual who is the subject of such 
        information.
            (4) Health care.--The term ``health care'' means--
                    (A)(i) preventive, diagnostic, therapeutic, 
                rehabilitative, maintenance, or palliative care, 
                counseling, service, or procedure--
                            (I) with respect to the physical or mental 
                        condition of an individual; or
                            (II) affecting the structure or function of 
                        the human body or any part of the human body; 
                        or
                    (ii) any sale or dispensing of a drug, device, 
                equipment, or other item to an individual, or for the 
                use of an individual, pursuant to a prescription.
            (5) Health care provider.--The term ``health care 
        provider'' means a person who, with respect to a specific item 
        of protected health information, receives, creates, uses, 
        maintains, or discloses the information while acting in whole 
        or in part in the capacity of--
                    (A) a person who is licensed, certified, 
                registered, or otherwise authorized by law to provide 
                an item or service that constitutes health care, in the 
                ordinary course of business or practice of a 
                profession;
                    (B) a Federal or State program that directly 
                provides items or services that constitute health care 
                to beneficiaries; or
                    (C) an officer or employee of a person described in 
                subparagraph (A) or (B).
            (6) Health information service.--The term ``health 
        information service'' means a person that--
                    (A) uses protected health information to provide 
                services to health information trustees for purposes 
                authorized under the Act;
                    (B) facilitates the transfer and exchange of 
                protected health information between health information 
                trustees;
                    (C) processes protected health information into 
                standard format for transfer and exchanges between 
                health information trustees;
                    (D) facilitates authorized access to protected 
                health information; or
                    (E) transforms protected health information into 
                nonidentifiable health information.
            (7) Health information trustee.--
                    (A) In general.--The term ``health information 
                trustee'' means--
                            (i) a health care provider, health plan, 
                        health oversight agency, health researcher, 
                        public health authority, employer, insurer, 
                        school or university, or health information 
                        service insofar as it creates, receives, 
                        obtains, maintains, uses, or transmits 
                        protected health information;
                            (ii) any person who obtains protected 
                        health information under sections 206, 207, 
                        208, 209, 210, 211, or 212; or
                            (iii) any employee, agent, or contractor of 
                        a person covered under clause (i) or (ii) 
                        insofar as such employee, agent, or contractor 
                        creates, receives, obtains, maintains, uses, or 
                        transmits protected health information.
                    (B) Duties and responsibilities.--The duties and 
                responsibilities of a health information trustee shall 
                be negotiated between the trustee and any agent or 
                contractor of the trustee.
            (8) Health oversight agency.--The term ``health oversight 
        agency'' means a person who--
                    (A) performs or oversees the performance of an 
                assessment, evaluation, determination, or investigation 
                relating to the licensing, accreditation, or 
                certification of health care providers; or
                    (B)(i) performs or oversees the performance of an 
                assessment, evaluation, determination, investigation, 
                or prosecution relating to compliance with legal, 
                fiscal, medical, or scientific standards relating to--
                            (I) the delivery of or payment for, health 
                        care, health services or equipment, or health 
                        research; or
                            (II) health care fraud or fraudulent claims 
                        regarding health care, health services or 
                        equipment, or related activities and items; and
                    (ii) is a public agency, acting on behalf of a 
                public agency, acting pursuant to a requirement of a 
                public agency, or carrying out activities under a 
                Federal or State law governing the assessment, 
                evaluation, determination, investigation, or 
                prosecution described in clause (i).
            (9) Health plan.--The term ``health plan'' means any health 
        insurance plan, including any hospital or medical service plan, 
        dental or other health service plan or health maintenance 
        organization plan, or other program providing health benefits, 
        whether or not funded through the purchase of insurance.
            (10) Health researcher.--The term ``health researcher'' 
        means a person who, with respect to a specific item of 
        protected health information, receives the information--
                    (A) pursuant to section 209 (relating to health 
                research); or
                    (B) while acting in whole or in part in the 
                capacity of an officer or employee of a person 
                described in subparagraph (A).
            (11) Individual representative.--The term ``individual 
        representative'' means any individual legally empowered to make 
        decisions concerning the provision of health care to an 
        individual (where the individual lacks the legal capacity under 
        State law to make such decisions) or the administrator or 
        executor of the estate of a deceased individual.
            (12) Law enforcement inquiry.--The term ``law enforcement 
        inquiry'' means a lawful investigation or official proceeding 
        inquiring into a violation of, or failure to comply with, any 
        criminal or civil statute or any regulation, rule, or order 
        issued pursuant to such a statute.
            (13) Person.--The term ``person'' means a government, 
        governmental subdivision, agency or authority; corporation; 
        company; association; firm; partnership; society; estate; 
        trust; joint venture; individual; individual representative; 
        and any other legal entity.
            (14) Protected health information.--The term ``protected 
        health information'' means any information, including 
        demographic information collected from an individual, whether 
        oral or recorded in any form or medium, that--
                    (A) is created or received by a health information 
                trustee; and
                    (B)(i) relates to the past, present, or future 
                physical or mental health or condition of an 
                individual, the provision of health care to an 
                individual, or the past, present, or future payment for 
                the provision of health care to an individual; and
                    (ii)(I) identifies an individual; or
                    (II) with respect to which there is a reasonable 
                basis to believe that the information can be used to 
                identify an individual.
            (15) Public health authority.--The term ``public health 
        authority'' means an authority or instrumentality of the United 
        States, a State, or a political subdivision of a State that 
        is--
                    (A) responsible for public health matters; and
                    (B) engaged in such activities as injury reporting, 
                public health, surveillance, and public health 
                investigation or intervention.
            (16) Secretary.--The term ``Secretary'' means the Secretary 
        of Health and Human Services.
            (17) State.--The term ``State'' includes the District of 
        Columbia, Puerto Rico, the Virgin Islands, Guam, American 
        Samoa, and the Northern Mariana Islands.
            (18) Writing.--The term ``writing'' means writing in either 
        a paper-based or computer-based form, including electronic 
        signatures.

                      TITLE I--INDIVIDUAL'S RIGHTS

 Subtitle A--Review of Protected Health Information by Subjects of the 
                              Information

SEC. 101. INSPECTION AND COPYING OF PROTECTED HEALTH INFORMATION.

    (a) In General.--Except as provided in subsection (b), a health 
information trustee shall permit an individual who is the subject of 
protected health information or the individual's designee, to inspect 
and copy protected health information concerning the individual, 
including records created under section 102 that the trustee maintains. 
A health information trustee may require an individual to reimburse the 
trustee for the cost of such inspection and copying.
    (b) Exceptions.--A health information trustee is not required by 
this section to permit inspection or copying of protected health 
information if any of the following conditions are met:
            (1) Endangerment to life or safety.--The trustee determines 
        that disclosure of the information could reasonably be expected 
        to endanger the life or physical safety of any individual.
            (2) Confidential source.--The information identifies or 
        could reasonably lead to the identification of a person who 
        provided information under a promise of confidentiality to a 
        health care provider concerning the individual who is the 
        subject of the information.
            (3) Administrative purposes.--The information--
                    (A) is used by the trustee solely for 
                administrative purposes and not in the provision of 
                health care or the administration of benefits to the 
                individual who is the subject of the information; and
                    (B) has not been disclosed by the health 
                information trustee to any other person.
    (c) Inspection and Copying of Segregable Portion.--A health 
information trustee shall permit inspection and copying under 
subsection (a) of any reasonably segregable portion of a record after 
deletion of any portion that is exempt under subsection (b).
    (d) Deadline.--A health information trustee shall comply with or 
deny (with a statement of the reasons for such denial) a request for 
inspection or copying of protected health information under this 
section within the 30-day period beginning on the date on which the 
trustee receives the request.

SEC. 102. CORRECTION OR AMENDMENT OF PROTECTED HEALTH INFORMATION.

    (a) In General.--A health information trustee shall within the 45-
day period beginning on the date on which the trustee receives from an 
individual a written request to correct or amend information--
            (1) make the correction or amendment requested;
            (2) inform the individual of the correction or amendment 
        that has been made; and
            (3) make reasonable efforts to inform any person who is 
        identified by the individual, who is not an officer, employer, 
        or agent of the trustee, and to whom the uncorrected or 
        unamended portion of the information was previously disclosed, 
        of the correction or amendment that has been made.
    (b) Refusal To Correct or Amend.--If the health information trustee 
refuses to make the correction or amendment, the trustee shall inform 
the individual of--
            (1) the reasons for the refusal to make the correction or 
        amendment;
            (2) any procedures for further review of the refusal; and
            (3) the individual's right to file with the trustee a 
        concise statement setting forth the requested correction or 
        amendment and the individual's reasons for disagreeing with the 
        refusal.
    (c) Statement of Disagreement.--After an individual has filed a 
statement of disagreement under subsection (b)(3), the health 
information trustee in any subsequent disclosure of the disputed 
portion of the information--
            (1) shall include a copy of the individual's statement; and
            (2) may include a concise statement of the reasons for not 
        making the requested correction or amendment.
    (d) Rule of Construction.--This section shall not be construed to 
require a health information trustee to conduct a formal, informal, or 
other hearing or proceeding concerning a request for a correction or 
amendment to protected health information.
    (e) Correction.--For purposes of subsection (a), a correction is 
deemed to have been made to protected health information when 
information that has been disputed by an individual has been corrected, 
clearly marked as incorrect, or supplemented by correct information.

SEC. 103. NOTICE OF INFORMATION PRACTICES.

    (a) Preparation of Written Notice.--A health information trustee 
other than a health information service shall provide, in a clear and 
conspicuous manner, written notice of the trustee's information 
practices, including a description of the trustee's health information 
practices, including notice of individual rights with respect to 
protected health information.
    (b) Model Notice.--The Secretary, after notice and opportunity for 
public comment, shall develop and disseminate model notices of 
information practices for use under this section.

                Subtitle B--Establishment of Safeguards

SEC. 111. ESTABLISHMENT OF SAFEGUARDS.

    (a) In General.--A health information trustee shall establish and 
maintain appropriate administrative, technical, and physical safeguards 
to ensure the confidentiality, security, accuracy, and integrity of 
protected health information created, received, obtained, maintained, 
used or transmitted by the trustee.
    (b) Regulations.--
            (1) Promulgation.--
                    (A) In general.--In promulgating regulations under 
                this Act, the Secretary shall follow the procedures 
                authorized under sections 581 through 590 of title 5, 
                United States Code.
                    (B) Advisory group.--
                            (i) Determination by the Secretary.--If the 
                        Secretary determines that a negotiated 
                        rulemaking committee shall not be established 
                        as permitted by section 583 of title 5, United 
                        States Code, the Secretary shall appoint and 
                        consult with an advisory group of knowledgeable 
                        individuals.
                            (ii) Membership.--The advisory group shall 
                        consist of at least 7 but no more than 12 
                        individuals including representatives of--
                                    (I) health care professionals and 
                                health care entities;
                                    (II) health care consumers;
                                    (III) third party payors/
                                administrators; and
                                    (IV) privacy advocates.
                            (iii) Responsibilities.--The advisory group 
                        shall review all proposed rules and regulations 
                        and submit recommendations to the Secretary. 
                        The advisory group shall also assist the 
                        Secretary in establishing the standards for 
                        compliance with rules and regulations, in 
                        developing an annual report to the Congress on 
                        the status of the requirements set forth in 
                        this Act, their cost impact, and any 
                        recommendations for modifications in order to 
                        ensure efficient and confidential electronic 
                        data interchange of individually identifiable 
                        health care information.
            (2) Consultation.--The Secretary may promulgate regulations 
        in consultation with privacy, industry, and consumer groups.

SEC. 112. ACCOUNTING FOR DISCLOSURES.

    (a) In General.--A health information trustee shall create and 
maintain, with respect to any protected health information disclosure 
that is not related to treatment, a record of the disclosure in 
accordance with regulations issued by the Secretary.
    (b) Record of Disclosure Part of Protected Health Information.--A 
record created and maintained under subsection (a) shall be maintained 
as protected health information for not less than 7 years.

              TITLE II--RESTRICTIONS ON USE AND DISCLOSURE

SEC. 201. GENERAL RULES REGARDING USE AND DISCLOSURE.

    (a) General Rule.--A health information trustee may not disclose 
protected health information except as authorized under this title.
    (b) Scope of Disclosure.--
            (1) Compatibility to purpose.--Protected health information 
        may not be used or disclosed to any person unless the use or 
        disclosure is compatible with and related to the purposes for 
        which the information was obtained.
            (2) Limitation on information.--Every disclosure of 
        protected health information by a health information trustee 
        shall be limited to the minimum amount of information necessary 
        to accomplish the purpose for which the information is 
        disclosed.
    (c) No General Requirement To Disclose.--Nothing in this title that 
permits a disclosure of health information shall be construed to 
require such disclosure.
    (d) Identification of Disclosed Information as Protected 
Information.--Except as provided in this title, a health information 
trustee may not disclose protected health information unless such 
information is clearly identified as protected health information that 
is subject to this title.
    (e) Information in Which Providers Are Identified.--The Secretary 
shall issue regulations protecting information identifying providers in 
order to promote the availability of health care services.

SEC. 202. AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH INFORMATION 
              FOR TREATMENT OR PAYMENT.

    (a) Written Authorizations.--A health information trustee may 
disclose protected health information for purposes of treatment or 
payment pursuant to an authorization executed by the individual who is 
the subject of the information (or a person acting for the individual 
pursuant to State law) if each of the following requirements is met:
            (1) Writing.--The authorization is in writing or 
        electronically authenticated, signed by the individual who is 
        the subject of the information, and dated.
            (2) Separate form.--Separate forms authorizing disclosures 
        for treatment and payment processes are provided to the 
        individual.
            (3) Information described.--The information to be disclosed 
        is specified, or is described in the authorization.
            (4) Trustee described.--The trustee who is authorized to 
        disclose such information is specifically identified, or is 
        described in the authorization.
            (5) Recipient described.--The person to whom the 
        information is to be disclosed is specifically identified, or 
        is described in the authorization.
            (6) Right to revoke or amend.--The authorization contains 
        an acknowledgement that the individual who is the subject of 
        the information has the right to revoke or amend the 
        authorization.
            (7) Statement of intended disclosures.--The authorization 
        contains an acknowledgment that the individual who is the 
        subject of the information has read a statement of the 
        disclosures that the person who receives the protected health 
        information intends to make.
            (8) Information restricted.--The authorization includes a 
        proviso that the information will be disclosed solely for a 
        purpose that is compatible with and related to the purposes for 
        which the information was collected or received by the trustee.
            (9) Expiration date specified.--The authorization specifies 
        a date or event at which the authorization expires.
    (b) Revocation or Amendment of Authorization.--
            (1) In general.--The authorization contains an 
        acknowledgment that the individual may in writing revoke or 
        amend an authorization described in subsection (a), at any 
        time, except that with respect to disclosure of protected 
        health information to permit validation of expenditures for 
        health care that has previously been authorized the 
        authorization may not be revoked.
            (2) Notice of revocation.--A health information trustee who 
        discloses protected health information pursuant to an 
        authorization described in subsection (a) that has been revoked 
        shall not be subject to any liability or penalty under this Act 
        if the trustee had no actual or constructive notice of the 
        revocation.
    (c) Model Authorizations.--The Secretary, after notice and 
opportunity for public comment, shall develop and disseminate model 
written authorizations of the type described in subsection (a) and 
model statements of intended disclosures of the type described in 
subsection (a)(6).
    (d) Copy.--A health information trustee who discloses protected 
health information pursuant to an authorization under this section 
shall maintain a copy of the authorization.

SEC. 203. AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH 
              INFORMATION, OTHER THAN FOR TREATMENT OR PAYMENT.

    (a) Written Authorizations.--A health information trustee may 
disclose protected health information pursuant to an authorization 
executed by the individual who is the subject of the information if the 
following conditions are met:
            (1) General requirements.--The requirements of section 
        202(a) (1) through (6) are met.
            (2) Statement of intended disclosures.--The statement of 
        intended disclosure shall be in writing, on a form that is 
        separate from the authorization for disclosure, and shall be 
        received by the individual authorizing the disclosure on or 
        before the date the authorization is executed.
            (3) Authorization not requested in connection with 
        provision of health care.--The authorization is not requested 
        on a day on which the trustee provides health care to the 
        individual requested to provide the authorization.
            (4) Expiration date specified.--The authorization specifies 
        a date or event upon which the authorization expires, which 
        shall not exceed 1 year from the date of the execution of the 
        authorization.
    (b) Limitation on Authorizations.--A health information trustee may 
not condition delivery of treatment or payment for services on the 
receipt of an authorization described in subsection (a).
    (c) Revocation or Amendment of Authorization.--
            (1) In general.--An individual may in writing revoke or 
        amend an authorization described in subsection (a).
            (2) Notice of revocation.--A health information trustee who 
        discloses protected health information pursuant to an 
        authorization that has been revoked shall not be subject to any 
        liability or penalty under this title if the trustee had no 
        actual or constructive notice of the revocation.
    (d) Model Authorizations.--The Secretary, after notice and 
opportunity for public comment, shall develop and disseminate model 
written authorizations of the type described in subsection (a) and 
model statements of the intended disclosures of the type described in 
subsection (a)(2).
    (e) Authorization Not Required.--This section does not apply to 
sections 204, 205, 206, 207, 208, 209, 210, 211, and 212.

SEC. 204. CREATION OF NONIDENTIFIABLE INFORMATION.

    (a) Creation of Nonidentifiable Information.--A health information 
trustee may disclose protected health information to a certified health 
information service for the purpose of creating nonidentifiable health 
information.
    (b) Certification of Health Information Services.--
            (1) Regulations.--The Secretary, after notice and 
        opportunity for public comment, shall issue regulations 
        establishing certification requirements for health information 
        services under this title. Such regulations shall include 
        requirements that the health information service establish and 
        maintain appropriate administrative, technical, and physical 
        safeguards to ensure the confidentiality, security, accuracy, 
        and integrity of protected health information.
            (2) Certification.--The Secretary shall certify a health 
        information service that meets the certification requirements 
        established by the Secretary under paragraph (1).

SEC. 205. NEXT OF KIN AND DIRECTORY INFORMATION.

    (a) Next of Kin.--A health care provider, or a person who receives 
protected health information under section 206, may disclose protected 
health information regarding an individual to the individual's next of 
kin, to an individual representative of the individual, or to an 
individual with whom that individual has a significant personal 
relationship if--
            (1) the individual who is the subject of the information--
                    (A) has been notified of the individual's right to 
                object and has not objected to the disclosure;
                    (B) is not competent to be notified about the right 
                to object; or
                    (C) exigent circumstances exist such that it would 
                not be practicable to notify the individual of the 
                right to object; and
            (2) the information disclosed relates to health care 
        currently being provided to that individual.
    (b) Directory Information.--
            (1) Disclosure.--Except as provided in paragraph (2), a 
        health information trustee may disclose the information 
        described in subparagraph (B) to any person if--
                    (A) the individual who is the subject of the 
                information--
                            (i) has been notified of the individual's 
                        right to object and has not objected to the 
                        disclosure;
                            (ii) is not competent to be notified about 
                        the right to object; or
                            (iii) exigent circumstances exist such that 
                        it would not be practicable to notify the 
                        individual of the right to object; and
                    (B) the information consists only of 1 or more of 
                the following items:
                            (i) the name of the individual who is the 
                        subject of the information;
                            (ii) the general health status of the 
                        individual, described as critical, poor, fair, 
                        stable, or satisfactory or in terms denoting 
                        similar conditions; and
                            (iii) the location of the individual on 
                        premises controlled by a provider.
            (2) Exception.--If disclosure of the location of the 
        individual reveals specific information about the physical or 
        mental condition of the individual, the individual must 
        expressly authorize such disclosure.
    (c) Deceased Individual.--
            (1) Identification.--A health information trustee may 
        disclose protected health information if necessary to assist in 
        the identification of a deceased individual.
            (2) Regulations.--The Secretary shall develop and establish 
        through regulation a procedure for obtaining protected health 
        information relating to a deceased individual when there is no 
        individual representative for such individual.

SEC. 206. EMERGENCY CIRCUMSTANCES.

    Any person who receives protected health information under this 
title may disclose protected health information in emergency 
circumstances when necessary to protect the health or safety of an 
individual from serious, imminent harm.

SEC. 207. OVERSIGHT.

    (a) In General.--A health information trustee may disclose 
protected health information to a health oversight agency for an 
oversight function authorized by law.
    (b) Use in Action Against Individuals.--Protected health 
information about an individual that is disclosed under this section 
may not be used in, or disclosed to any person for use in, an 
administrative, civil, or criminal action or investigation directed 
against the individual unless the action or investigation arises out of 
and is directly related to--
            (1) receipt of health care or payment for health care; or
            (2) an action involving a fraudulent claim related to 
        health.

SEC. 208. PUBLIC HEALTH.

    A health care provider, health plan, health researcher, public 
health authority, employer, insurer, school or university, or certified 
health information network service, or person who receives protected 
health information under section 206, may disclose protected health 
information to a public health authority or other person authorized by 
law for use in a legally authorized--
            (1) disease or injury report;
            (2) public health surveillance; or
            (3) public health investigation or intervention.

SEC. 209. HEALTH RESEARCH.

    (a) In General.--A health information trustee may disclose 
protected health information to a health researcher if a certified 
institutional review board determines that the research project engaged 
in by the health researcher--
            (1) requires use of the protected health information for 
        the effectiveness of the project; and
            (2) is of sufficient importance to outweigh the intrusion 
        into the privacy of the individual who is the subject of the 
        information that would result from the disclosure.
    (b) Obligations of Recipient.--A person who receives protected 
health information pursuant to subsection (a)--
            (1) shall remove or destroy, at the earliest opportunity 
        consistent with the purposes of the project, information that 
        would enable an individual to be identified, unless--
                    (A) a certified institutional review board has 
                determined that there is a health or research 
                justification for retention of such identifiers; and
                    (B) there is an adequate plan to protect the 
                identifiers from disclosure that is inconsistent with 
                this section; and
            (2) shall use protected health information solely for 
        purposes of the health research project for which disclosure 
        was authorized by a certified institutional review board under 
        subsection (a).
    (c) Special Rule for Researchers Other Than Academic Centers or 
Health Care Facilities.--If a health researcher is not located in an 
academic center, a health care facility or public health agency, the 
determinations required by a certified institutional review board shall 
be approved by the Secretary before the determination is issued.
    (d) Certification of Institutional Review Boards.--
            (1) Regulations.--The Secretary, after notice and 
        opportunity for public comment, shall issue regulations 
        establishing certification requirements for institutional 
        review boards under this title. Such regulations shall be based 
        on regulations issued under section 491(a) of the Public Health 
        Service Act. The regulations shall ensure that institutional 
        review boards certified under this paragraph have the 
        qualifications to assess and protect the confidentiality of 
        research subjects.
            (2) Certification.--The Secretary shall certify an 
        institutional review board that meets the certification 
        requirements established by the Secretary under paragraph (1).

SEC. 210. JUDICIAL AND ADMINISTRATIVE PURPOSES.

    (a) In General.--A health care provider, health plan, health 
oversight agency, employer, school, university, insurer, or person who 
receives protected health information under section 206, may disclose 
protected health information--
            (1) pursuant to the Federal Rules of Civil Procedure, the 
        Federal Rules of Criminal Procedure, or comparable rules of 
        other courts or administrative agencies, in connection with 
        litigation or proceedings to which the individual who is the 
        subject of the information is a party and in which the 
        individual has placed his or her physical or mental condition 
        at issue;
            (2) to a court, and to others ordered by the court, if the 
        protected health information is developed in response to a 
        court-ordered physical or mental examination; or
            (3) pursuant to a law requiring the reporting of specific 
        medical information to law enforcement authorities.
    (b) Obligations of Recipient.--A person seeking protected health 
information pursuant to subsection (a)--
            (1) shall notify the individual or the individual's 
        attorney of the request for the information;
            (2) shall provide the health information trustee with a 
        signed document attesting--
                    (A) that the individual has placed his or her 
                physical or mental condition at issue in litigation or 
                proceedings in which the individual is a party; and
                    (B) the date on which the individual or the 
                individual's attorney was notified under paragraph (1); 
                and
            (3) shall not accept any requested protected health 
        information from the trustee until the termination of the 10-
        day period beginning on the date notice was given under 
        paragraph (1).

SEC. 211. NON-LAW ENFORCEMENT SUBPOENAS.

    (a) In General.--A health care provider, health plan, health 
oversight agency, employer, insurer, school or university, or person 
who receives protected health information under section 206, may 
disclose protected health information under this section if the 
disclosure is pursuant to a subpoena issued on behalf of a party who 
has complied with the access provisions of subsection (b).
    (b) Access Procedures.--A person may not obtain protected health 
information about an individual pursuant to a subpoena unless--
            (1) a copy of the subpoena together with a notice of the 
        individual's right to challenge the subpoena in accordance with 
        subsection (c), has been served upon the individual on or 
        before the date of return of the subpoena; and--
            (2)(A) 15 days have passed since the date of service on the 
        individual, and within that time period the individual has not 
        indicated a challenge in accordance with subsection (c)(1); or
            (B) disclosure is ordered by a court under subsection 
        (c)(2).
    (c) Challenge Procedures.--
            (1) Motion to quash subpoena.--After service of a copy of 
        the subpoena seeking protected health information under 
        subsection (b), the individual who is the subject of the 
        protected health information may file in any court of competent 
        jurisdiction a motion to quash the subpoena.
            (2) Standard for decision.--
                    (A) In general.--The court shall grant a motion 
                under paragraph (1) unless the respondent demonstrates 
                that--
                            (i) there is reasonable ground to believe 
                        the information is relevant to a lawsuit or 
                        other judicial or administrative proceeding; 
                        and
                            (ii) the need of the respondent for the 
                        information outweighs the privacy interest of 
                        the individual.
                    (B) Criteria for decision.--In determining whether 
                the need of the respondent for the information 
                outweighs the privacy interest of the individual, the 
                court shall consider--
                            (i) the particular purpose for which the 
                        information was collected;
                            (ii) the degree to which disclosure of the 
                        information would embarrass, injure, or invade 
                        the privacy of the individual;
                            (iii) the effect of the disclosure on the 
                        individual's future health care;
                            (iv) the importance of the information to 
                        the lawsuit or proceeding; and
                            (v) any other relevant factor.
            (3) Attorney's fees.--In the case of a motion brought under 
        paragraph (1) in which the individual has substantially 
        prevailed, the court may assess against the respondent a 
        reasonable attorney's fee and other litigation costs and 
        expenses (including expert fees) reasonably incurred.

SEC. 212. LAW ENFORCEMENT.

    (a) Government Subpoenas and Warrants.--
            (1) In general.--A health information trustee shall 
        disclose protected health information under this section if the 
        disclosure is pursuant to--
                    (A) a subpoena issued under the authority of a 
                grand jury; or
                    (B) an administrative subpoena or summons or a 
                judicial subpoena or warrant,
        which meets the conditions of paragraph (2).
            (2) Probable cause requirement.--A government authority may 
        not obtain protected health information about an individual 
        under paragraph (1) for use in a law enforcement inquiry unless 
        there is probable cause to believe that the information is 
        relevant to a legitimate law enforcement inquiry being 
        conducted by the government authority.
            (3) Warrants.--A government authority that obtains 
        protected health information about an individual pursuant to a 
        warrant shall, not later than 30 days after the date the 
        warrant was executed, serve the individual with, or mail to the 
        last known address of the individual, a notice that protected 
        health information about the individual was obtained, together 
        with a notice of the individual's right to challenge the 
        warrant.
            (4) Subpoena or summons.--Except as provided in paragraph 
        (5), a government authority may not obtain protected health 
        information about an individual pursuant to a subpoena or 
        summons unless a copy of the subpoena or summons has been 
        served on the individual, if the identity of the individual is 
        known, on or before the date of the return of the subpoena or 
        summons, together with notice of the individual's right to 
        challenge the subpoena or summons. If the identity of the 
        individual is not known at the time the subpoena or summons is 
        served, the individual shall be served not later than 30 days 
        thereafter, with notice that protected health information about 
        the individual was obtained together with notice of the 
        individual's right to challenge the subpoena or summons.
            (5) Application for delay.--
                    (A) In general.--A government authority may apply 
                ex parte and under seal to an appropriate court to 
                delay (for an initial period of not longer than 90 
                days) service of the notice regarding execution of the 
                warrant as required under paragraph (3) or a copy of 
                the subpoena as required under paragraph (4). The 
                government authority may apply to the court for 
                extensions of the delay.
                    (B) Ex parte order.--The court shall enter an ex 
                parte order delaying or extending the delay of notice, 
                an order prohibiting the disclosure of the request for, 
                or the disclosure of, the protected health information, 
                and an order requiring the disclosure of the protected 
                health information if the court finds that--
                            (i) the inquiry being conducted is within 
                        the lawful jurisdiction of the government 
                        authority seeking the protected health 
                        information;
                            (ii) there is probable cause to believe 
                        that the protected health information being 
                        sought is relevant to a legitimate law 
                        enforcement inquiry;
                            (iii) the government authority's need for 
                        the information outweighs the privacy interest 
                        of the individual who is the subject of the 
                        information; and
                            (iv) there is reasonable ground to believe 
                        that receipt of notice by the individual will 
                        result in--
                                    (I) endangering the life or 
                                physical safety of any individual;
                                    (II) flight from prosecution;
                                    (III) destruction of or tampering 
                                with evidence or the information being 
                                sought;
                                    (IV) intimidation of potential 
                                witnesses; or
                                    (V) disclosure of the existence or 
                                nature of a confidential law 
                                enforcement investigation or grand jury 
                                investigation that is likely to 
                                seriously jeopardize such 
                                investigation.
            (6) Information in response to law enforcement inquiry.--
        Protected health information about an individual that is 
        disclosed under this section may not be used in, or disclosed 
        to any person for use in any administrative, civil or criminal 
        action or investigation directed against the individual unless 
        the action or investigation arises out of or is directly 
        related to the law enforcement inquiry for which the 
        information was obtained.
    (b) Challenge Procedures for Law Enforcement Warrants, Subpoenas, 
and Summonses.--
            (1) Motion to quash.--Within 15 days after the date of 
        service of a notice of execution of a warrant or a copy of a 
        subpoena or summons, of a government authority seeking 
        protected health information about an individual under 
        subsection (a), the individual may file a motion to quash.
            (2) Standard for decision.--The court shall grant a motion 
        under paragraph (1) unless the government demonstrates there is 
        probable cause to believe the protected health information is 
        relevant to a legitimate law enforcement inquiry being 
        conducted by the government authority and the government 
        authority's need for the information outweighs the privacy 
        interest of the individual.
            (3) Attorney's fees.--In the case of a motion brought under 
        paragraph (1) in which the individual has substantially 
        prevailed, the court may assess against the government 
        authority reasonable attorney's fees and other litigation costs 
        (including expert fees) reasonably incurred.
            (4) No interlocutory appeal.--A ruling denying a motion to 
        quash under this section shall not be deemed to be a final 
        order, and no interlocutory appeal may be taken therefrom by 
        the individual.
    (c) Exceptions.--A health information trustee may disclose 
protected health information to a law enforcement agency if the 
information is requested for use--
            (1) in an investigation or prosecution of a health 
        information trustee;
            (2) in the identification of a victim or witness in a law 
        enforcement inquiry; or
            (3) in connection with the investigation of criminal 
        activity committed against the trustee or on premises 
        controlled by the trustee.

SEC. 213. STANDARDS FOR ELECTRONIC DISCLOSURES.

    The Secretary shall promulgate standards for disclosing, 
authorizing and authenticating protected health information in 
electronic form in accordance with this title.

                          TITLE III--SANCTIONS

                      Subtitle A--Civil Sanctions

SEC. 301. CIVIL PENALTY.

    (a) Violation.--Any health information trustee who the Secretary 
determines has substantially and materially failed to comply with this 
Act shall be subject, in addition to any other penalties that may be 
prescribed by law, to--
            (1) a civil penalty of not more than $10,000 for each such 
        violation, but not to exceed $50,000 in the aggregate for 
        multiple violations; and
            (2) a civil penalty of not more than $250,000 or exclusion 
        from participation in medicare and medicaid, or any other 
        federally funded health care programs, if the Secretary finds 
        that such violations have occurred with such frequency as to 
        constitute a general business practice.
    (b) Procedures for Imposition of Penalties.--Section 1128A of the 
Social Security Act, other than subsections (a) and (b) and the second 
sentence of subsection (f) of that section, shall apply to the 
imposition of a civil, monetary, or exclusionary penalty under this 
section in the same manner as such provisions apply with respect to the 
imposition of a penalty under section 1128A of such Act.

SEC. 302. CIVIL ACTION.

    (a) In General.--An individual who is aggrieved by conduct in 
violation of this title may bring a civil action to recover--
            (1) such preliminary and equitable relief as the court 
        determines to be appropriate;
            (2) the greater of actual damages or liquidated damages of 
        $5,000; and
            (3) punitive damages.
    (b) Attorney's Fees.--In the case of a civil action brought under 
subsection (a) in which the individual has substantially prevailed, the 
court may assess against the respondent a reasonable attorney's fee and 
other litigation costs and expenses (including expert fees) reasonably 
incurred.
    (c) Limitation.--No action may be commenced under this section more 
than 3 years after the date on which the violation was or should 
reasonably have been discovered.

                     Subtitle B--Criminal Sanctions

SEC. 311. WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION.

    (a) Offense.--A person who knowingly--
            (1) obtains protected health information relating to an 
        individual in violation of this title; or
            (2) discloses protected health information to another 
        person in violation of this title, shall be punished as 
        provided in subsection (b).
    (b) Penalties.--A person described in subsection (a) shall--
            (1) be fined not more than $50,000, imprisoned not more 
        than 1 year, or both;
            (2) if the offense is committed under false pretenses, be 
        fined not more than $250,000, imprisoned not more than 5 years, 
        excluded from participation in medicare and medicaid, or any 
        other federally funded health care programs, or any combination 
        of such penalties; and
            (3) if the offense is committed with intent to sell, 
        transfer, or use protected health information for commercial 
        advantage, personal gain, or malicious harm, be fined not more 
        than $500,000, imprisoned not more than 10 years, excluded from 
        participation in medicare and medicaid, or any other federally 
        funded health care programs, or any combination of such 
        penalties.

                        TITLE IV--MISCELLANEOUS

SEC. 401. RELATIONSHIP TO OTHER LAWS.

    (a) State Law.--Except as provided in subsections (b), (c), and 
(d), this Act preempts State law.
    (b) Privileges.--Nothing in this title shall be construed to 
preempt or modify State common or statutory law to the extent such law 
concerns a privilege of a witness or person in a court of the State. 
This title shall not be construed to supersede or modify Federal common 
or statutory law to the extent such law concerns a privilege of a 
witness or person in a court of the United States. Authorizations 
pursuant to sections 202 and 203 shall not be construed as a waiver of 
any such privilege.
    (c) Certain Duties Under State or Federal Law.--Nothing in this 
title shall be construed to preempt, supersede, or modify the operation 
of--
            (1) any law that provides for the reporting of vital 
        statistics such as birth or death information;
            (2) any law requiring the reporting of abuse or neglect 
        information about any individual;
            (3) any State law relating to public or mental health that 
        prevents or otherwise restricts disclosure of protected health 
        information otherwise allowed under this title;
            (4) any law that governs a minor's rights to access 
        protected health information;
            (5) subpart II of part E of title XXVI of the Public Health 
        Service Act (relating to notifications of emergency response 
        employees of possible exposure to infectious diseases);
            (6) any Federal law or regulation governing confidentiality 
        of alcohol and drug patient records;
            (7) the Americans With Disabilities Act of 1990; or
            (8) any Federal or State statute that establishes a 
        privilege for records used in health professional peer review 
        activities.

SEC. 402. NO LIABILITY FOR PERMISSIBLE DISCLOSURES.

    A health information trustee who makes a disclosure of protected 
health information about an individual that is permitted by this title 
shall not be liable to the individual for such disclosure under common 
law.

SEC. 403. EFFECTIVE DATE.

    (a) Effective Date.--This Act shall take effect 12 months after the 
date of enactment of this Act.
    (b) Regulations.--The Secretary shall promulgate regulations 
implementing this Act not later than 6 months after the date of 
enactment of this Act.