[Congressional Bills 105th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3900 Introduced in House (IH)]







105th CONGRESS
  2d Session
                                H. R. 3900

 To establish Federal penalties for prohibited uses and disclosures of 
 individually identifiable health information, to establish a right in 
an individual to inspect and copy their own health information, and for 
                            other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                              May 19, 1998

  Mr. Shays (for himself and Mr. Barrett of Wisconsin) introduced the 
following bill; which was referred to the Committee on Commerce, and in 
addition to the Committees on Ways and Means, and Government Reform and 
 Oversight, for a period to be subsequently determined by the Speaker, 
 in each case for consideration of such provisions as fall within the 
                jurisdiction of the committee concerned

_______________________________________________________________________

                                 A BILL


 
 To establish Federal penalties for prohibited uses and disclosures of 
 individually identifiable health information, to establish a right in 
an individual to inspect and copy their own health information, and for 
                            other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Consumer Health 
and Research Technology (CHART) Protection Act''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
              TITLE I--RESTRICTIONS ON USE AND DISCLOSURE

Sec. 101. General prohibitions and exceptions.
Sec. 102. Special rules for anonymized information.
Sec. 103. General requirements for authorization of disclosure of 
                            information.
Sec. 104. Disclosure in civil proceedings.
Sec. 105. Disclosure for criminal law enforcement purposes.
Sec. 106. Disclosures for archival research.
                     TITLE II--INDIVIDUALS' RIGHTS

Sec. 201. Inspection and copying of health information.
Sec. 202. Amendment of individually identifiable health information.
Sec. 203. Notice of confidentiality practices.
                         TITLE III--ENFORCEMENT

Sec. 301. Criminal penalties.
Sec. 302. Civil action.
Sec. 303. Program exclusions.
                      TITLE IV--GENERAL PROVISIONS

Sec. 401. Standards for electronic disclosures.
Sec. 402. Authorized representatives.
Sec. 403. Relationship to other laws.
Sec. 404. Reports analyzing impact of Act.
Sec. 405. Effective date.
Sec. 406. Definitions.

              TITLE I--RESTRICTIONS ON USE AND DISCLOSURE

SEC. 101. GENERAL PROHIBITIONS AND EXCEPTIONS.

    Except as otherwise provided in this Act, and subject to the 
following exceptions, the following prohibited actions and inactions on 
the part of a person shall be considered a violation of this Act:
            (1) Disclosure in absence of, or inconsistent with, 
        authorization.--
                    (A) In general.--Subject to the exceptions 
                described in subparagraph (B)--
                            (i) a negligent or intentional disclosure 
                        of individually identifiable health information 
                        without an authorization with respect to the 
                        information that satisfies the requirements of 
                        section 103, is prohibited, unless the 
                        disclosure is governed by section 104 or 105; 
                        and
                            (ii) a negligent or intentional disclosure 
                        of individually identifiable health 
                        information, by a person granted authority 
                        under an authorization with respect to the 
                        information that satisfies the requirements of 
                        section 103, that is inconsistent with the 
                        provisions of the authorization, is prohibited.
                    (B) Exceptions.--A disclosure otherwise prohibited 
                under subparagraph (A) is not prohibited when--
                            (i) made by an individual whose health or 
                        health care is the subject of the information 
                        (or an authorized representative of such an 
                        individual, pursuant to section 402);
                            (ii) made for the purpose of providing, or 
                        facilitating the provision of, health care to 
                        an individual described in clause (i);
                            (iii) made for the purpose of facilitating 
                        payment activities related to health care 
                        provided to an individual described in clause 
                        (i);
                            (iv) made pursuant to a specific 
                        affirmative authorization, or a requirement, 
                        under State or Federal law, for use in legally 
                        authorized--
                                    (I) reporting of abuse, domestic 
                                violence, or neglect information about 
                                any individual;
                                    (II) disease or injury reporting 
                                about any individual;
                                    (III) public health surveillance, 
                                such as birth and death reporting;
                                    (IV) public health investigation or 
                                intervention;
                                    (V) management audits, financial 
                                audits, or program monitoring and 
                                evaluation; or
                                    (VI) licensure, certification, 
                                accreditation, utilization review, 
                                quality assurance activities, 
benchmarking, or outcomes management and assessment;
                            (v) made pursuant to an authorization 
                        granted in a contract providing health care 
                        benefits for an individual described in clause 
                        (i), for the purpose of licensure, 
                        certification, accreditation, utilization 
                        review, quality assurance activities, 
                        benchmarking, or outcomes management and 
                        assessment;
                            (vi) made to a health researcher--
                                    (I) in accordance with a research 
                                protocol approved by an institutional 
                                review board; or
                                    (II) in accordance with section 
                                106(a); or
                            (vii) made to a party to, or potential 
                        party to, a merger or acquisition of a 
                        commercial enterprise, in anticipation of, or 
                        upon, the merger or acquisition.
            (2) Failure to provide for reasonable protections against 
        prohibited disclosures.--
                    (A) In general.--Subject to the exception described 
                in subparagraph (B), a negligent or intentional failure 
                to provide for reasonable protections against 
                disclosures of individually identifiable health 
                information that are prohibited under this Act is 
                prohibited, including--
                            (i) a failure to establish and enforce 
                        reasonable and appropriate administrative, 
                        technical, and physical safeguards--
                                    (I) to ensure the confidentiality 
                                of individually identifiable health 
                                information; and
                                    (II) to protect against--
                                            (aa) any reasonably 
                                        anticipated threats or hazards 
                                        to the security or integrity of 
                                        such information; and
                                            (bb) unauthorized uses or 
                                        disclosures of the information;
                            (ii) a failure to establish procedures for 
                        determining a response to a subpoena, warrant, 
                        court order, or other request from a government 
                        authority for disclosure of such information; 
                        and
                            (iii) a failure to provide for secure 
                        destruction of such information, where 
                        destruction of the information is desired.
                    (B) Exception.--A failure described in subparagraph 
                (A) is not prohibited when it is by an individual whose 
                health or health care is the subject of the information 
                (or an authorized representative of such an individual, 
                pursuant to section 402).
            (3) Failure to implement written policies for compliance.--
                    (A) In general.--Subject to the exception described 
                in subparagraph (B), with respect to a person whose 
                employees, agents, or contractors come in contact with 
                individually identifiable health information in the 
                course of their employment, agency, or contract 
                execution, a negligent or intentional failure to 
                establish and implement written policies concerning 
                compliance with this Act is prohibited, including--
                            (i) a failure to establish procedures for 
                        monitoring access to individually identifiable 
                        health information;
                            (ii) a failure to establish rules limiting 
                        access to such information to persons whose 
                        duties require such access; and
                            (iii) a failure to provide for the 
                        enforcement of such policies.
                    (B) Exception.--A failure described in subparagraph 
                (A) is not prohibited when it is by an individual whose 
                health or health care is the subject of the information 
                (or an authorized representative of such an individual, 
                pursuant to section 402).
            (4) Failure to enter into written agreement with business 
        associates respecting compliance.--A negligent or intentional 
        failure to enter into a written agreement with an agent, 
        contractor, or other person to whom individually identifiable 
        health information is disclosed for a business purpose (such as 
        persons who encode or encrypt information, data management 
        contractors, and utilization review and accreditation 
        organizations), prior to such disclosure, specifying the 
        limitations on their use and retention of such information and 
        informing them of their responsibilities under this Act, is 
        prohibited.
            (5) Compliance with research requirements.--A negligent or 
        intentional action is prohibited where it consists of--
                    (A) a disclosure for health research purposes of 
                individually identifiable health information that--
                            (i) has not been approved by an 
                        institutional review board; or
                            (ii) does not satisfy the requirements of 
                        section 106; or
                    (B) a use or disclosure of individually 
                identifiable health information in violation of--
                            (i) a research protocol approved by an 
                        institutional review board or any other 
                        requirement or condition concerning such use or 
                        disclosure established by such a review board; 
                        or
                            (ii) any requirement or condition 
                        concerning such use or disclosure established 
                        by a person making, or approving, a disclosure 
                        under section 106.
            (6) Anonymized information.--A use of anonymized 
        information, or an encryption key or coding system used to 
        anonymize information, in violation of section 102, is 
        prohibited.
            (7) Civil proceeding.--A negligent or intentional 
        disclosure of individually identifiable health information 
        pursuant to a subpoena or discovery request related to a civil 
        proceeding, in violation of section 104, is prohibited.
            (8) Criminal proceeding.--A negligent or intentional 
        disclosure of individually identifiable health information for 
        a criminal law enforcement purpose, in violation of section 
        105, or a negligent or intentional use of information obtained 
        pursuant to such section in violation of the section, is 
        prohibited.
            (9) Sale or commercial publication.--
                    (A) In general.--Subject to the exceptions 
                described in subparagraph (B), an intentional 
                disclosure of individually identifiable health 
                information that constitutes a sale or commercial 
                publication of the information, is prohibited.
                    (B) Exceptions.--A disclosure otherwise prohibited 
                under subparagraph (A) is not prohibited when--
                            (i) the disclosure is made by an individual 
                        whose health or health care is the subject of 
                        the information (or an authorized 
                        representative of such an individual, pursuant 
                        to section 402); or
                            (ii) the disclosure is made to a person 
                        having a written authorization permitting the 
                        disclosure that satisfies the requirements of 
                        section 103.
            (10) Fraud or misrepresentation.--Use of fraud, duress, 
        deceit, or misrepresentation to obtain access to individually 
        identifiable health information is prohibited.

SEC. 102. SPECIAL RULES FOR ANONYMIZED INFORMATION.

    (a) Definition.--For purposes of this Act, the term ``anonymized 
information'' means individually identifiable health information from 
which personal identifiers and means of directly contacting any subject 
of the information (including name, address, and social security 
number), have been removed, encrypted, or replaced with a code, in a 
manner such that the identity of any such subject is not apparent from 
the facts contained in the information, but may, in the case of 
encrypted or coded information, be determined by a person with access 
to the encryption key or coding system. Such term does not include any 
such encryption key or coding system.
    (b) Use.--
            (1) In general.--Subject to paragraph (2), a person may use 
        anonymized information, or an encryption key or coding system 
        described in subsection (c)(2), for any lawful purpose, if the 
        person, in such use, does not--
                    (A) attempt to identify any individual with respect 
                to whom information has been removed, encrypted, or 
                replaced with a code; or
                    (B) intentionally use the anonymized information, 
                the key, or the coding system in any way that results 
                in the identification of any such individual.
            (2) Exceptions.--A use otherwise prohibited under paragraph 
        (1) is not prohibited when any of the following circumstances 
        apply:
                    (A) The use is by an individual whose health or 
                health care is the subject of the information (or an 
                authorized representative of such an individual, 
                pursuant to section 402).
                    (B) The use is by a person having an authorization 
                permitting the use that satisfies the requirements of 
                section 103.
                    (C) The use is for the purpose of providing, or 
                facilitating the provision of, health care to an 
                individual described in subparagraph (A).
                    (D) The use is for the purpose of facilitating 
                payment activities related to health care provided to 
                an individual described in subparagraph (A).
                    (E) The use is pursuant to a specific affirmative 
                authorization, or a requirement, under State or Federal 
                law, for legally authorized--
                            (i) disease or injury reporting;
                            (ii) public health surveillance, such as 
                        birth and death reporting, and reporting 
                        incidents of abuse, domestic violence, or 
                        neglect;
                            (iii) public health investigation or 
                        intervention;
                            (iv) management audits, financial audits, 
                        or program monitoring and evaluation; or
                            (v) licensure, certification, 
                        accreditation, utilization review, quality 
                        assurance activities, benchmarking, or outcomes 
                        management and assessment.
                    (F) The use is pursuant to an authorization granted 
                in a contract providing health care benefits for an 
                individual described in subparagraph (A), for the 
                purpose of licensure, certification, accreditation, 
                utilization review, quality assurance activities, 
benchmarking, or outcomes management and assessment.
                    (G) The use is by a health researcher and is--
                            (i) in accordance with a research protocol 
                        approved by an institutional review board and 
                        any other requirement or condition concerning 
                        such use established by such a review board; or
                            (ii) in accordance with any requirement or 
                        condition concerning such use established by a 
                        person making, or approving, a disclosure under 
                        section 106.
                    (H) The use is by a party to, or potential party 
                to, a merger or acquisition of a commercial enterprise, 
                in anticipation of, or upon, the merger or acquisition.
    (c) Disclosure.--
            (1) Anonymized information.--For purposes of this Act, 
        disclosure of anonymized information shall not be considered 
        disclosure of individually identifiable health information, 
        unless it is disclosed with an encryption key or coding system 
        described in paragraph (2) in manner such that the combined 
        information satisfies the requirements of section 406(8).
            (2) Encryption key or code.--For purposes of this Act, 
        disclosure of an encryption key or coding system that is used 
        to determine the identity of any individual with respect to 
        whom information has been removed, encrypted, or replaced with 
        a code, in order to create anonymized information, shall not be 
        considered disclosure of individually identifiable health 
        information, unless it is disclosed with anonymized information 
        in manner such that the combined information satisfies the 
        requirements of section 406(8).
    (d) Decoded Information.--Formerly anonymized information that has 
been manipulated to reveal a part of the information that had been 
removed, encrypted, or replaced with a code in order to render it 
anonymized information is individually identifiable health information 
and is subject, beginning on the date of such manipulation, to all of 
the requirements of this part relating to individually identifiable 
information.

SEC. 103. GENERAL REQUIREMENTS FOR AUTHORIZATION OF DISCLOSURE OF 
              INFORMATION.

    (a) In General.--For purposes of section 101, an authorization 
satisfies the requirements of this section if it--
            (1) is in writing;
            (2) is executed by an individual whose health or health 
        care is the subject of the information (or an authorized 
        representative of such an individual, pursuant to section 402); 
        and
            (3) satisfies the requirements of subsection (b).
    (b) Requirements.--An authorization satisfies the requirements in 
this subsection if--
            (1) it includes the following:
                    (A) a general statement of the purposes for which 
                the individually identifiable health information 
                disclosed pursuant to the authorization may be used;
                    (B) a general description of the persons who are 
                authorized to use such information;
                    (C) a valid signature of an individual whose health 
                or health care is the subject of the information (or an 
                authorized representative of such individual);
                    (D) the date of the signature;
                    (E) an expiration date upon which the authorization 
                is no longer valid; and
                    (F) reasonable procedures permitting such 
                individual or representative to revoke the 
                authorization; and
            (2) in a case in which the purposes under paragraph (1)(A) 
        include health research, the provisions of the authorization 
        that relate to such research--
                    (A) include each of the elements described in 
                paragraph (1);
                    (B) are set out separately from the remaining 
                provisions and are independent from them; and
                    (C) are subject to separate revocation procedures, 
                the use of which does not per se effect a revocation of 
                the remaining provisions.
    (c) Effect of Good Faith Reliance on Authorization.--A person shall 
not be liable, or subject to punishment under State or Federal law, for 
a disclosure of individually identifiable health information, where the 
disclosure--
            (1) was made in good faith reliance on an authorization 
        executed by the individual that satisfies the requirements of 
        this section; and
            (2) was consistent with the provisions of the 
        authorization.

SEC. 104. DISCLOSURE IN CIVIL PROCEEDINGS.

    (a) In General.--A person may not disclose individually 
identifiable health information for use in a civil law enforcement 
investigation, a civil administrative action, or a civil action brought 
in Federal or State court, in the absence of--
            (1) an otherwise valid discovery request, an administrative 
        subpoena or summons, or a judicial subpoena; and
            (2) an order issued by the presiding judge or official upon 
        a determination that the need for the information of the person 
        requesting the disclosure substantially outweighs the privacy 
        interest of each individual whose health or health care is the 
        subject of the information.
    (b) Construction.--This section shall not be construed to supersede 
any ground that may otherwise apply under Federal or State law for an 
objection to the disclosure of individually identifiable health 
information in any civil action.

SEC. 105. DISCLOSURE FOR CRIMINAL LAW ENFORCEMENT PURPOSES.

    (a) In General.--A person may not disclose individually 
identifiable health information for a criminal law enforcement 
purpose--
            (1) in the absence of--
                    (A) a subpoena issued under the authority of a 
                grand jury;
                    (B) an administrative subpoena or summons or a 
                judicial subpoena or warrant; or
                    (C) a request otherwise authorized by law from a 
                law enforcement agency; and
            (2) in the case of a disclosure under subparagraph (B) or 
        (C) of paragraph (1), in the absence of a court order issued 
        upon a determination that the need for the information of the 
        person requesting the disclosure substantially outweighs the 
        privacy interest of each individual whose health or health care 
        is the subject of the information.
    (b) Destruction or Return of Information.--When the proceeding for 
which individually identifiable health information was disclosed is 
concluded, including any derivative matters arising from such 
proceeding, the person to whom the disclosure was made shall either 
destroy the individually identifiable health information, or return it 
to the person from whom it was obtained.
    (c) Redactions.--To the extent practicable, and consistent with the 
requirements of due process, a criminal law enforcement agency shall 
redact personally identifying information from individually 
identifiable health information prior to the public disclosure of such 
information in a judicial or administrative proceeding.
    (d) Use of Information.--Individually identifiable health 
information obtained by a criminal law enforcement agency pursuant to 
this section may only be used for purposes of a legitimate criminal law 
enforcement activity.

SEC. 106. DISCLOSURES FOR ARCHIVAL RESEARCH.

    (a) In General.--A person described in subsection (b) may disclose 
individually identifiable health information, that was previously 
created or collected by the person and maintained by the person in an 
archive or other repository, to a health researcher pursuant to this 
subsection, if--
            (1) the disclosure is made for the purpose of permitting 
        the health researcher to carry out health research that 
        involves analysis of the information;
            (2) the disclosure has been reviewed and approved, by a 
        board, committee, or other group formally designated by the 
        person to review requests for such information, in accordance 
        with written standards for confidentiality that specify 
        permissible and impermissible uses of such information for 
        health research;
            (3) the person enters into a written agreement with the 
        health researcher that is consistent with this Act and 
        specifies the permissible and impermissible future uses and 
        disclosures of the information;
            (4) the person provides notice to the health researcher 
        that any future use or disclosure of the information that is 
        prohibited under this Act or the agreement described in 
        paragraph (3) may provide a basis for a civil action against 
        the researcher or may result in other adverse consequences for 
        the researcher; and
            (5) the person maintains a permanent record documenting the 
        scope and substance of the disclosure.
    (b) Persons Described.--A person described in this subsection is 
any of the following:
            (1) A health care provider.
            (2) A health plan.
            (3) A public health authority.
            (4) An employer.
            (5) A health or life insurer.
            (6) A school or university.

                     TITLE II--INDIVIDUALS' RIGHTS

SEC. 201. INSPECTION AND COPYING OF HEALTH INFORMATION.

    (a) In General.--Subject to subsections (b) and (c), a person who 
is a health care provider, health plan, employer, health or life 
insurer, school, or university shall permit an individual who is the 
subject of individually identifiable health information, or the 
individual's designee, to inspect and copy individually identifiable 
health information concerning the individual, including records created 
under section 202, that the person maintains. The person may set forth 
appropriate procedures to be followed for such inspection and copying 
and may require an individual to pay reasonable fees associated with 
such inspection and copying and may require an individual to provide 
written authorization of a provider designated by such individual 
through which the requested information will be made available.
    (b) Effect of Other Law.--
            (1) Disclosure prohibited by other law.--A person described 
        in subsection (a) may not permit the inspection or copying of 
        individually identifiable health information under such 
        subsection, if such inspection or copying is prohibited by any 
        provision of law other than this Act.
            (2) Disclosure limited by other law.--A person described in 
        subsection (a) shall limit the inspection or copying of 
        individually identifiable health information under such 
        subsection to the extent required by, and consistent with, any 
        limitation on such inspection or copying in any provision of 
        law other than this Act that is applicable to the person.
    (c) Additional Exceptions.--A person described in subsection (a) is 
not required to permit the inspection or copying of individually 
identifiable health information if any of the following exceptions 
apply:
            (1) Endangerment to life or safety.--The person determines 
        that the disclosure of the information could reasonably be 
        expected to endanger the life or physical safety of any 
        individual.
            (2) Confidential source.--The information identifies, or 
        could reasonably lead to the identification of, a person who 
        provided information under a promise of confidentiality to a 
        health care provider or life insurer concerning the individual 
        who is the subject of the information.
            (3) Information compiled in anticipation of litigation.--
        The information is compiled principally--
                    (A) in the anticipation of a civil, criminal, or 
                administrative action or proceeding; or
                    (B) for use in such action or proceeding.
            (4) Research purposes.--The information was collected for 
        or during a clinical trial monitored by an institutional review 
        board in which the individual was a participant.
    (d) Denial of a Request for Inspection or Copying.--If a person 
described in subsection (a) denies an individual's request for 
inspection or copying pursuant to subsection (b) or (c), the person 
shall inform the individual of--
            (1) the reasons for the denial of the request for 
        inspection or copying;
            (2) any procedures for further review of the denial; and
            (3) the individual's right to file with the person a 
        concise statement setting forth the request for inspection or 
        copying.
    (e) Statement Regarding Request.--If an individual has filed a 
statement under subsection (d)(3), the person, in any subsequent 
disclosure of the portion of the information requested under subsection 
(a), shall include--
            (1) a notation that such individual has filed a request for 
        inspection and that such request was denied; and
            (2) a concise statement of the reasons for denying the 
        request for inspection or copying.
    (f) Deadline.--A person described in subsection (a) shall comply 
with or deny, in accordance with subsection (d), a request for 
inspection or copying of individually identifiable health information 
under this section not later than 45 days after the date on which the 
person receives the request.
    (g) Rules Governing Agents.--An agent of a person described in 
subsection (a) shall not be required to provide for the inspection and 
copying of individually identifiable health information, except where--
            (1) the individually identifiable health information is 
        retained by the agent; and
            (2) the agent has been asked by the person to fulfill the 
        requirements of this section.
    (h) Rule of Construction.--This section shall not be construed to 
require a person described in subsection (a) to conduct a formal, 
informal, or other hearing or proceeding concerning a request for 
inspection or copying of individually identifiable health information.

SEC. 202. AMENDMENT OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION.

    (a) In General.--Not later than 45 days after the date on which a 
person who is a health care provider, health plan, employer, health or 
life insurer, school, or university receives from an individual who is 
a subject of individually identifiable health information a request in 
writing to amend the information, the person--
            (1) shall make the amendment requested;
            (2) shall inform the individual of the amendment that has 
        been made; and
            (3) shall make reasonable efforts to inform any person who 
        is identified by the individual, who is not an officer, 
        employer, or agent of the entity, and to whom the unamended 
        portion of the information was disclosed during the preceding 
        year, of any nontechnical amendment that has been made.
    (b) Refusal To Amend.--If a person described in subsection (a) 
refuses to make an amendment requested by an individual under such 
subsection, the person shall inform the individual of--
            (1) the reasons for the refusal to make the amendment;
            (2) any procedures for further review of the refusal; and
            (3) the individual's right to file with the person a 
        concise statement setting forth the requested amendment and the 
        individual's reasons for disagreeing with the refusal.
    (c) Statement of Disagreement.--If an individual has filed a 
statement of disagreement with a person under subsection (b)(3), the 
person, in any subsequent disclosure of the disputed portion of the 
information--
            (1) shall include a notation that such individual has filed 
        a statement of disagreement; and
            (2) may include a concise statement of the reasons for not 
        making the requested amendment.
    (d) Rules Governing Agents.--The agent of a person described in 
subsection (a) shall not be required to make amendments to individually 
identifiable health information, except where--
            (1) the information is retained by the agent; and
            (2) the agent has been asked by such person to fulfill the 
        requirements of this section.
    (e) Repeated Requests for Amendments.--If a person described in 
subsection (a) receives a duplicative request for an amendment of 
information as provided for in such subsection and a statement of 
disagreement with respect to the request has been filed pursuant to 
subsection (c), the person shall inform the individual of such filing 
and shall not be required to carry out the procedures required under 
this section.
    (f) Rule of Construction.--This section shall not be construed--
            (1) to require a person described in subsection (a) to 
        conduct a formal, informal, or other hearing or proceeding 
        concerning a request for an amendment to individually 
        identifiable health information;
            (2) to require a person described in subsection (a) to make 
        an amendment with which the person disagrees; or
            (3) to require the alteration of any arrangement, written 
        agreement, or obligation with respect to the delivery of, or 
        payment for, health care.

SEC. 203. NOTICE OF CONFIDENTIALITY PRACTICES.

    (a) Preparation of Written Notice.--A health care provider, health 
plan, health oversight agency, public health authority, employer, 
health or life insurer, health researcher, school, or university shall 
post or provide, in writing and in a clear and conspicuous manner, 
notice of the person's confidentiality practices, that shall include--
            (1) a description of an individual's rights with respect to 
        individually identifiable health information;
            (2) the uses and disclosures of individually identifiable 
        health information authorized under this Act;
            (3) the procedures established by the person for 
        authorizing disclosures of individually identifiable health 
        information and for revoking such authorizations;
            (4) the procedures established by the person for the 
        exercise of the individual's rights; and
            (5) the procedures established by the person for providing 
        copies of the notice.
    (b) Model Notice.--The Secretary, after notice and opportunity for 
public comment, shall develop and disseminate model notices of 
confidentiality practices, for use under this section. Use of the model 
notice developed by the Secretary shall serve as a complete defense in 
any civil action to an allegation that a violation of this section has 
occurred.

                         TITLE III--ENFORCEMENT

SEC. 301. CRIMINAL PENALTIES.

    (a) Offense.--A person who knowingly and in violation of this Act 
obtains individually identifiable health information, uses such 
information, or discloses such information to another person, knowing 
that such obtaining, use, or disclosure is unlawful, shall be punished 
as provided in subsection (b).
    (b) Penalties.--A person described in subsection (a) shall--
            (1) be fined not more than $50,000, imprisoned not more 
        than 1 year, or both;
            (2) if the offense is committed under false pretenses, be 
        fined not more than $100,000, imprisoned not more than 5 years, 
        or both; and
            (3) if the offense is committed with intent to sell, 
        transfer, or use individually identifiable health information 
        for commercial advantage, personal gain, or malicious harm, be 
        fined not more than $250,000, imprisoned not more than 10 
        years, or both.

SEC. 302. CIVIL ACTION.

    (a) In General.--Any individual whose rights under this Act have 
been knowingly or negligently violated may bring a civil action to 
recover such preliminary and equitable relief as the court determines 
to be appropriate.
    (b) Attorney's Fees.--In the case of a civil action brought under 
subsection (a) in which the plaintiff has substantially prevailed, the 
court may assess against the respondent a reasonable attorney's fee and 
other litigation costs and expenses (including expert fees) reasonably 
incurred.
    (c) Limitation.--No action may be commenced under this subsection 
by an individual more than 2 years after the date on which the 
violation was, or should reasonably have been, discovered by the 
individual.
    (d) No Liability for Permissible Disclosures.--A person who makes a 
disclosure of individually identifiable health information about an 
individual that is permitted under this Act shall not be liable to the 
individual for such disclosure under common law.

SEC. 303. PROGRAM EXCLUSIONS.

    (a) Exclusion From Participation in Federal and State Health Care 
Programs.--Section 1128(b) of the Social Security Act (42 U.S.C. 1320a-
7(b)) is amended by adding at the end the following:
            ``(16) Failure lawfully to treat individually identifiable 
        health information.--Any individual or entity that the 
        Secretary determines has failed substantially to comply with a 
        provision of the Consumer Health and Research Technology 
        (CHART) Protection Act.''.
    (b) Exclusion of Providers From Participation in Federal Employees 
Health Benefits Program.--Section 8902a(b) of title 5, United States 
Code, is amended by adding at the end the following:
            ``(6) Any provider that the Secretary of Health and Human 
        Services has determined has failed substantially to comply with 
        a provision of the Consumer Health and Research Technology 
        (CHART) Protection Act.''.

                      TITLE IV--GENERAL PROVISIONS

SEC. 401. STANDARDS FOR ELECTRONIC DISCLOSURES.

    The National Committee on Vital and Health Statistics, in 
consultation with the National Science Foundation, shall promulgate 
standards for disclosing, authorizing the use and disclosure of, and 
authenticating, individually identifiable health information in 
electronic form, in a manner consistent with this Act.

SEC. 402. AUTHORIZED REPRESENTATIVES.

    (a) In General.--Except as provided in subsections (b) and (c), a 
person who is authorized by law, or by an instrument recognized under 
law, to act as an agent, attorney, proxy, or other legal representative 
for an individual, otherwise to exercise the rights of the individual, 
may, to the extent so authorized, exercise and discharge the rights of 
the individual under this Act.
    (b) Health Care Power of Attorney.--A person who is not described 
in subsection (a), but is authorized by law or by an instrument 
recognized under law to make decisions about the provision of health 
care to an individual who is incapacitated, may exercise and discharge 
the rights of the individual under this Act, to the extent necessary to 
effectuate the terms or purposes of the grant of authority.
    (c) No Court Declaration.--If a health care provider determines 
that an individual, who has not been declared to be legally 
incompetent, suffers from a medical condition that prevents the 
individual from acting knowingly or effectively on the individual's own 
behalf, the right of the individual to authorize disclosure under this 
Act may be exercised and discharged in the best interest of the 
individual by--
            (1) a person described in subsection (b) with respect to 
        the individual;
            (2) a person described in subsection (a) with respect to 
        the individual, but only if a person described in paragraph (1) 
        cannot be contacted after a reasonable effort;
            (3) the next of kin of the individual, but only if a person 
        described in paragraph (1) or (2) cannot be contacted after a 
        reasonable effort; or
            (4) the health care provider, but only if a person 
        described in paragraph (1), (2), or (3) cannot be contacted 
        after a reasonable effort.
    (d) Application to Deceased Individuals.--The provisions of this 
Act shall continue to apply to individually identifiable health 
information concerning a deceased individual for a period of 2 years 
following the death of that individual.
    (e) Exercise of Rights on Behalf of a Deceased Individual.--A 
person who is authorized by law or by an instrument recognized under 
law, to act as an executor of the estate of a deceased individual, or 
otherwise to exercise the rights of the deceased individual, may, to 
the extent so authorized, exercise and discharge the rights of such 
deceased individual under this Act for a period of 2 years following 
the death of that individual. If no such designee has been authorized, 
the rights of the deceased individual may be exercised as provided for 
in subsection (c).

SEC. 403. RELATIONSHIP TO OTHER LAWS.

    (a) In General.--
            (1) State law.--Except as provided in subsections (b) 
        through (f), the provisions of this Act shall preempt any State 
        law that directly relates to matters covered by this Act.
            (2) Federal law.--This Act shall not be construed as 
        repealing, explicitly or implicitly, other Federal laws or 
        regulations relating to individually identifiable health 
        information or relating to an individual's access to health 
        care services.
    (b) Privileges.--This Act does not preempt or modify State common 
or statutory law to the extent such law concerns a privilege of a 
witness or person in a court of the State. This Act does not supersede 
or modify Federal common or statutory law to the extent such law 
concerns a privilege of a witness or person in a court of the United 
States. The execution of an authorization pursuant to section 103 may 
not be construed as a waiver of any such privilege.
    (c) Certain Duties Under Law.--Nothing in this Act shall be 
construed to preempt, supersede, or modify the operation of any State 
law that--
            (1) provides for the reporting of vital statistics such as 
        birth or death information;
            (2) requires the reporting of abuse, domestic violence, or 
        neglect information about any individual;
            (3) regulates information concerning an individual's mental 
        health or communicable disease status; or
            (4) governs a minor's rights to access individually 
        identifiable health information or health care services.
    (d) Relationship to Clinical Research and Reports.--This Act shall 
not apply to individually identifiable health information that is 
created, received, maintained, used, disclosed, or transmitted by any 
person in connection with--
            (1) any activity conducted pursuant to an investigational 
        new drug exemption, or for which approval of an institutional 
        review board is required by the Food and Drug Administration; 
        or
            (2) any record required to be maintained or report required 
        to be filed by the Food and Drug Administration.
    (e) Federal Privacy Act.--
            (1) Medical exemptions.--Sections 552a of title 5, United 
        States Code, is amended by adding at the end the following:
    ``(w) Medical Exemptions.--The head of an agency that is subject to 
the Consumer Health and Research Technology (CHART) Protection Act 
shall promulgate rules, in accordance with the requirements (including 
general notice) of subsections (b)(1), (b)(2), (b)(3), (c), and (e) of 
section 553 of this title, to exempt a system of records within the 
agency, to the extent that the system of records contains individually 
identifiable health information (as defined in section 406 of such 
Act), from all provisions of this section except subsections (b)(6), 
(d), (e)(1), (e)(2), subparagraphs (A) and (C) and (E) through (I) of 
subsection (e)(4), and subsections (e)(5), (e)(6), (e)(9), (e)(12), 
(l), (n), (o), (p), (r), and (u).''.
            (2) Technical amendment.--Section 552a(f)(3) of title 5, 
        United States Code, is amended by striking ``pertaining to 
        him,'' and all that follows through the semicolon and inserting 
        ``pertaining to the individual;''.
    (f) Application to Certain Federal Agencies.--
            (1) Department of defense.--
                    (A) Exceptions.--The Secretary of Defense may, by 
                regulation, establish exceptions to the requirements of 
                this Act to the extent such Secretary determines that 
                disclosure of individually identifiable health 
                information relating to members of the Armed Forces 
                from systems of records operated by the Department of 
                Defense is necessary under circumstances different from 
                those permitted under this Act for the proper conduct 
                of national defense functions by members of the Armed 
                Forces.
                    (B) Application to civilian employees.--The 
                Secretary of Defense may, by regulation, establish for 
                civilian employees of the Department of Defense and 
                employees of Department of Defense contractors, 
                limitations on the right of such persons to revoke or 
                amend authorizations for disclosures under section 103 
                when such authorizations were provided by such 
                employees as a condition of employment and the 
                disclosure is determined necessary by the Secretary of 
                Defense to the proper conduct of national defense 
                functions by such employees.
            (2) Department of transportation.--
                    (A) Exceptions.--The Secretary of Transportation 
                may, with respect to members of the Coast Guard, 
                exercise the same powers as the Secretary of Defense 
                may exercise under paragraph (1)(A).
                    (B) Application to civilian employees.--The 
                Secretary of Transportation may, with respect to 
                civilian employees of the Coast Guard and Coast Guard 
                contractors, exercise the same powers as the Secretary 
of Defense may exercise under paragraph (1)(B).
            (3) Department of veterans affairs.--The limitations on use 
        and disclosure of individually identifiable health information 
        under this Act shall not be construed to prevent any exchange 
        of such information within and among components of the 
        Department of Veterans Affairs that determine eligibility for 
        or entitlement to, or that provide, benefits under laws 
        administered by the Secretary of Veteran Affairs.

SEC. 404. REPORTS ANALYZING IMPACT OF ACT.

    (a) Efforts To Combat Fraud and Abuse.--Beginning not later than 12 
months after the effective date in section 405(a), the Inspector 
General of the Department of Health and Human Services shall submit to 
the Committee on Ways and Means and the Committee on Government Reform 
and Oversight of the House of Representatives and the Committee on 
Commerce, Science, and Transportation and the Committee on Finance of 
the Senate an annual report containing the results of an annual study. 
The study shall analyze whether this Act has had an adverse effect on 
efforts to combat fraud and abuse undertaken under title XVIII, XIX, or 
XXI of the Social Security Act.
    (b) Health Research.--Beginning not later than 12 months after the 
effective date in section 405(a), the Secretary, in consultation with 
the National Research Council of the National Academy of Sciences and 
the Institute of Medicine, shall submit to the Congress an annual 
report containing the results of an annual study. The study shall 
analyze the effect of this Act on the quality and efficacy of health 
research.
    (c) Administrative Simplification.--Not later than 12 months after 
the effective date in section 405(a), the Comptroller General of the 
United States shall submit to the Congress a report containing the 
results of a study. The study shall analyze the effect of this Act on 
the implementation of subtitle F of title II of the Health Insurance 
Portability and Accountability Act of 1996 and part C of title XI of 
the Social Security Act.

SEC. 405. EFFECTIVE DATE.

    (a) In General.--Except as provided in subsection (b), this Act 
shall take effect on the date that is 18 months after the date of the 
enactment of this Act.
    (b) Provisions Effective Immediately.--A provision of this Act 
shall take effect on the date of the enactment of this Act if the 
provision authorizes or requires the Secretary of Defense, the 
Secretary of Transportation, or the Secretary of Health and Human 
Services to develop, establish, or promulgate regulations or model 
notices.
    (c) Deadline for Regulations.--The Secretary shall promulgate 
regulations implementing this Act not later than the date that is 12 
months after the date of the enactment of this Act.

SEC. 406. DEFINITIONS.

    As used in this Act:
            (1) Employer.--The term ``employer'' has the meaning given 
        such term under section 3(5) of the Employee Retirement Income 
        Security Act of 1974 (29 U.S.C. 1002(5)), except that such term 
        shall include only employers of two or more employees.
            (2) Health care.--The term ``health care'' means--
                    (A) preventive, diagnostic, therapeutic, 
                rehabilitative, maintenance, or palliative care, 
                including appropriate assistance with disease or 
                symptom management and maintenance, counseling, 
                service, or procedure--
                            (i) with respect to the physical or mental 
                        condition of an individual; or
                            (ii) affecting the structure or function of 
                        the human body or any part of the human body, 
                        including the banking of blood, sperm, organs, 
                        or any other tissue; and
                    (B) any sale or dispensing of a drug, device, 
                equipment, or other health care related item to an 
                individual, or for the use of an individual, pursuant 
                to a prescription.
            (3) Health care provider.--The term ``health care 
        provider'' means a person, who with respect to a specific item 
        of individually identifiable health information, receives, 
        creates, uses, maintains, or discloses the information while 
        acting in whole or in part in the capacity of--
                    (A) a person who is licensed, certified, 
                registered, or otherwise authorized by Federal or State 
                law to provide an item or service that constitutes 
                health care in the ordinary course of business, or 
                practice of a profession;
                    (B) a Federal, State, employer-sponsored or other 
                privately sponsored program that directly provides 
                items or services that constitute health care to 
                beneficiaries; or
                    (C) an officer or employee of a person described in 
                subparagraph (A) or (B).
            (4) Health or life insurer.--The term ``health or life 
        insurer'' means a health insurance issuer as defined in section 
        9805(b)(2) of the Internal Revenue Code of 1986 or a life 
        insurance company as defined in section 816 of such Code.
            (5) Health oversight agency.--The term ``health oversight 
        agency'' means a person who, with respect to a specific item of 
        individually identifiable health information, receives, 
        creates, uses, maintains, or discloses the information while 
        acting in whole or in part in the capacity of--
                    (A) a person who performs or oversees the 
                performance of an assessment, evaluation, 
                determination, or investigation, relating to the 
                licensing, accreditation, or credentialing of health 
                care providers; or
                    (B) a person who--
                            (i) performs or oversees the performance of 
                        an audit, assessment, evaluation, 
                        determination, or investigation relating to the 
                        effectiveness of, compliance with, or 
                        applicability of, legal, fiscal, medical, or 
                        scientific standards or aspects of performance 
                        related to the delivery of, or payment 
                        activities related to, health care; and
                            (ii) is a public agency, acting on behalf 
                        of a public agency, acting pursuant to a 
requirement of a public agency, or carrying out activities under a 
Federal or State law governing the assessment, evaluation, 
determination, investigation, or prosecution described in subparagraph 
(A).
            (6) Health plan.--The term ``health plan'' means any health 
        insurance plan, including any hospital or medical service plan, 
        dental or other health service plan, health maintenance 
        organization plan, plan offered by a provider-sponsored 
        organization (as defined in section 1855(d) of the Social 
        Security Act (42 U.S.C. 1395w-25(d))), or other program 
        providing or arranging for the provision of health benefits, 
        whether or not funded through the purchase of insurance.
            (7) Health researcher.--The term ``health researcher'' 
        means a person, or an officer, employee, or agent of a person, 
        who receives individually identifiable health information as 
        part of a research project that involves data with respect to 
        human subjects.
            (8) Individually identifiable health information.--The term 
        ``individually identifiable health information'' means any 
        information, including demographic information, collected from 
        an individual, whether oral or recorded in any form or medium, 
        that--
                    (A) is created or received by a health care 
                provider, health plan, health oversight agency, public 
                health authority, employer, health or life insurer, 
                school or university; and
                    (B)(i) relates to the past, present, or future 
                physical or mental health or condition of an individual 
                (including individual cells and their components), the 
                provision of health care to an individual, or the past, 
                present, or future payment activities related to the 
                provision of health care to an individual; and
                    (ii)(I) identifies an individual;
                    (II) contains personal identifiers that provide a 
                direct means of identifying the individual; or
                    (III) has been provided in an encrypted format that 
                does not directly identify an individual, but that 
                provides a method for decrypting the information.
            (9) Institutional review board.--The term ``institutional 
        review board'' means an entity established to review proposed 
        health research with respect to potential risks to human 
        subjects pursuant to Federal regulations adopted under section 
        1802(b) of the Public Health Service Act (42 U.S.C. 300v-1(b)).
            (10) Payment activities.--The term ``payment activities''--
                    (A) means activities undertaken--
                            (i) by, or on behalf of, a health plan to 
                        determine its responsibility for coverage under 
                        the plan; or
                            (ii) by a health care provider to obtain 
                        payment for items or services provided to an 
                        individual, provided under a health plan or 
                        provided based on a determination by the health 
                        plan of responsibility for coverage under the 
                        plan; and
                    (B) includes the following activities, when 
                performed in a manner consistent with subparagraph (A):
                            (i) Billing, claims management, medical 
                        data processing, practice management, or other 
                        administrative services and actual payment.
                            (ii) Determinations of coverage or 
                        adjudication of health benefit claims and 
                        subrogation claims.
                            (iii) Review of health care services with 
                        respect to medical necessity, coverage under a 
                        health plan, appropriateness of care, or 
                        justification of charges.
            (11) Person.--The term ``person'' means a natural person, a 
        government, governmental subdivision, agency or authority, a 
        company, corporation, estate, firm, trust, partnership, 
        association, joint venture, society, joint stock company, or 
        any other legal entity.
            (12) Public health authority.--The term ``public health 
        authority'' means an authority or instrumentality of the United 
        States, a tribal government, a State, or a political 
        subdivision of a State that is--
                    (A) primarily responsible for public health 
                matters; and
                    (B) primarily engaged in activities such as injury 
                reporting, public health surveillance, and public 
                health investigation or intervention.
            (13) Quality assurance activities.--The term ``quality 
        assurance activities'' means a formal methodology and set of 
        activities designed to assess the quality of health care 
        services provided to an individual. The term includes formal 
        review of care, problem identification, corrective actions 
        taken to remedy any deficiencies, and evaluation of actions 
        taken. The term also includes activities undertaken by a 
        quality control and peer review organization (as defined in 
        section 1152 of the Social Security Act (42 U.S.C. 1320c-1)).
            (14) School or university.--The term ``school or 
        university'' means an institution or place accredited or 
        licensed for purposes of providing instruction or education, 
        including an elementary school, secondary school, or 
        institution of higher learning, a college, or an assemblage of 
        colleges united under one corporate organization or government.
            (15) Secretary.--The term ``Secretary'' means the Secretary 
        of Health and Human Services.
            (16) State.--The term ``State'' includes the District of 
        Columbia, Puerto Rico, the Virgin Islands, Guam, American 
        Samoa, and the Northern Mariana Islands.
            (17) Writing.--The term ``writing'' means writing in either 
        a paper-based or computer-based form, including electronic 
        signatures.
                                 <all>