[Congressional Bills 105th Congress]
[From the U.S. Government Publishing Office]
[H.R. 52 Introduced in House (IH)]







105th CONGRESS
  1st Session
                                 H. R. 52

     To establish a code of fair information practices for health 
information, to amend section 552a of title 5, United States Code, and 
                          for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             January 7, 1997

  Mr. Condit introduced the following bill; which was referred to the 
Committee on Commerce, and in addition to the Committees on Government 
      Reform and Oversight, and the Judiciary, for a period to be 
subsequently determined by the Speaker, in each case for consideration 
  of such provisions as fall within the jurisdiction of the committee 
                               concerned

_______________________________________________________________________

                                 A BILL


 
     To establish a code of fair information practices for health 
information, to amend section 552a of title 5, United States Code, and 
                          for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Fair Health 
Information Practices Act of 1997''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings and purposes.
Sec. 3. Definitions.
               TITLE I--FAIR HEALTH INFORMATION PRACTICES

           Subtitle A--Duties of Health Information Trustees

Sec. 101. Inspection of protected health information.
Sec. 102. Amendment of protected health information.
Sec. 103. Notice of information practices.
Sec. 104. Disclosure history.
Sec. 105. Security.
     Subtitle B--Use and Disclosure of Protected Health Information

Sec. 111. General limitations on use and disclosure.
Sec. 112. Authorizations for disclosure of protected health 
                            information.
Sec. 113. Treatment, payment, and oversight.
Sec. 114. Next of kin and directory information.
Sec. 115. Public health.
Sec. 116. Health research.
Sec. 117. Emergency circumstances.
Sec. 118. Judicial and administrative purposes.
Sec. 119. Law enforcement.
Sec. 120. Subpoenas, warrants, and search warrants.
           Subtitle C--Access Procedures and Challenge Rights

Sec. 131. Access procedures for law enforcement subpoenas, warrants, 
                            and search warrants.
Sec. 132. Challenge procedures for law enforcement subpoenas.
Sec. 133. Access and challenge procedures for other subpoenas.
Sec. 134. Construction of subtitle; suspension of statute of 
                            limitations.
Sec. 135. Responsibilities of Secretary.
                  Subtitle D--Miscellaneous Provisions

Sec. 141. Payment card and electronic payment transactions.
Sec. 142. Access to protected health information outside of the United 
                            States.
Sec. 143. Standards for electronic documents and communications.
Sec. 144. Duties and authorities of affiliated persons.
Sec. 145. Agents and attorneys.
Sec. 146. Minors.
Sec. 147. Maintenance of certain protected health information.
                        Subtitle E--Enforcement

Sec. 151. Civil actions.
Sec. 152. Civil money penalties.
Sec. 153. Alternative dispute resolution.
Sec. 154. Amendments to criminal law.
          TITLE II--AMENDMENTS TO TITLE 5, UNITED STATES CODE

Sec. 201. Amendments to title 5, United States Code.
   TITLE III--REGULATIONS, RESEARCH, AND EDUCATION; EFFECTIVE DATES; 
             APPLICABILITY; AND RELATIONSHIP TO OTHER LAWS

Sec. 301. Regulations; research and education.
Sec. 302. Effective dates.
Sec. 303. Applicability.
Sec. 304. Relationship to other laws.

SEC. 2. FINDINGS AND PURPOSES.

    (a) Findings.--The Congress finds as follows:
            (1) The right to privacy is a personal and fundamental 
        right protected by the Constitution of the United States.
            (2) The improper use or disclosure of personally 
        identifiable health information about an individual may cause 
        significant harm to the interests of the individual in privacy 
        and health care, and may unfairly affect the ability of the 
        individual to obtain employment, education, insurance, credit, 
        and other necessities.
            (3) Current legal protections for health information vary 
        from State to State and are inadequate to meet the need for 
        fair information practices standards.
            (4) The movement of individuals and health information 
        across State lines, access to and exchange of health 
        information from automated data banks and networks, and the 
        emergence of multistate health care providers and payors create 
        a compelling need for uniform Federal law, rules, and 
        procedures governing the use, maintenance, and disclosure of 
        health information.
            (5) Uniform rules governing the use, maintenance, and 
        disclosure of health information are an essential part of 
        health care reform, are necessary to support the 
        computerization of health information, and can reduce the cost 
        of providing health services by making the necessary transfer 
        of health information more efficient.
            (6) An individual needs access to health information about 
        the individual as a matter of fairness, to enable the 
        individual to make informed decisions about health care, and to 
        correct inaccurate or incomplete information.
    (b) Purposes.--The purposes of this Act are as follows:
            (1) To define the rights of an individual with respect to 
        health information about the individual that is created or 
        maintained as part of the health treatment and payment process.
            (2) To define the rights and responsibilities of a person 
        who creates or maintains individually identifiable health 
        information that originates or is used in the health treatment 
        or payment process.
            (3) To establish effective mechanisms to enforce the rights 
        and responsibilities defined in this Act.

SEC. 3. DEFINITIONS.

    (a) Definitions Relating to Protected Health Information.--For 
purposes of this Act:
            (1) Disclose.--The term ``disclose'', when used with 
        respect to protected health information that is held by a 
        health information trustee, means to provide access to the 
        information, but only if such access is provided by the trustee 
        to a person other than--
                    (A) the trustee or an officer or employee of the 
                trustee;
                    (B) an affiliated person of the trustee; or
                    (C) a protected individual who is a subject of the 
                information.
            (2) Disclosure.--The term ``disclosure'' means the act or 
        an instance of disclosing.
            (3) Protected health information.--The term ``protected 
        health information'' means any information, whether oral or 
        recorded in any form or medium--
                    (A) that is created or received in a State by--
                            (i) a health care provider;
                            (ii) a health benefit plan sponsor;
                            (iii) a health oversight agency; or
                            (iv) a public health authority;
                    (B) that relates in any way to the past, present, 
                or future physical or mental health or condition or 
                functional status of a protected individual, the 
                provision of health care to a protected individual, or 
                payment for the provision of health care to a protected 
                individual; and
                    (C) that--
                            (i) identifies the individual; or
                            (ii) with respect to which there is a 
                        reasonable basis to believe that the 
                        information can be used to identify the 
                        individual.
            (4) Protected individual.--The term ``protected 
        individual'' means an individual who, with respect to a date--
                    (A) is living on the date; or
                    (B) has died within the 2-year period ending on the 
                date.
            (5) Use.--The term ``use'', when used with respect to 
        protected health information that is held by a health 
        information trustee, means--
                    (A) to use, or provide access to, the information 
                in any manner that does not constitute a disclosure; or
                    (B) any act or instance of using, or providing 
                access, described in subparagraph (A).
    (b) Definitions Relating to Health Information Trustees.--For 
purposes of this Act:
            (1) Carrier.--The term ``carrier'' means a licensed 
        insurance company, a hospital or medical service corporation 
        (including an existing Blue Cross or Blue Shield organization, 
        within the meaning of section 833(c)(2) of the Internal Revenue 
        Code of 1986), a health maintenance organization, or other 
        entity licensed or certified by a State to provide health 
        insurance or health benefits.
            (2) Health benefit plan.--The term ``health benefit plan'' 
        means--
                    (A) any contract of health insurance, including any 
                hospital or medical service policy or certificate, 
                hospital or medical service plan contract, or health 
                maintenance organization group contract, that is 
                provided by a carrier; and
                    (B) an employee welfare benefit plan or other 
                arrangement insofar as the plan or arrangement provides 
                health benefits and is funded in a manner other than 
                through the purchase of one or more policies or 
                contracts described in subparagraph (A).
            (3) Health benefit plan sponsor.--The term ``health benefit 
        plan sponsor'' means a person who, with respect to a specific 
        item of protected health information, receives, creates, uses, 
        maintains, or discloses the information while acting in whole 
        or in part in the capacity of--
                    (A) a carrier or other person providing a health 
                benefit plan, including any public entity that provides 
                payments for health care items and services under a 
                health benefit plan that are equivalent to payments 
                provided by a private person under such a plan; or
                    (B) an officer or employee of a person described in 
                subparagraph (A).
            (4) Health care provider.--The term ``health care 
        provider'' means a person who, with respect to a specific item 
        of protected health information, receives, creates, uses, 
        maintains, or discloses the information while acting in whole 
        or in part in the capacity of--
                    (A) a person who is licensed, certified, 
                registered, or otherwise authorized by law to provide 
                an item or service that constitutes health care in the 
                ordinary course of business or practice of a 
                profession;
                    (B) a Federal or State program that directly 
                provides items or services that constitute health care 
                to beneficiaries; or
                    (C) an officer or employee of a person described in 
                subparagraph (A) or (B).
            (5) Health information trustee.--The term ``health 
        information trustee'' means--
                    (A) a health care provider;
                    (B) a health oversight agency;
                    (C) a health benefit plan sponsor;
                    (D) a public health authority;
                    (E) a health researcher; or
                    (F) a person who, with respect to a specific item 
                of protected health information, is not described in 
                subparagraphs (A) through (E) but receives the 
                information--
                            (i) pursuant to--
                                    (I) section 117 (relating to 
                                emergency circumstances);
                                    (II) section 118 (relating to 
                                judicial and administrative purposes);
                                    (III) section 119 (relating to law 
                                enforcement); or
                                    (IV) section 120 (relating to 
                                subpoenas, warrants, and search 
                                warrants); or
                            (ii) while acting in whole or in part in 
                        the capacity of an officer or employee of a 
                        person described in clause (i).
            (6) Health oversight agency.--The term ``health oversight 
        agency'' means a person who, with respect to a specific item of 
        protected health information, receives, creates, uses, 
        maintains, or discloses the information while acting in whole 
        or in part in the capacity of--
                    (A) a person who performs or oversees the 
                performance of an assessment, evaluation, 
                determination, or investigation relating to the 
                licensing, accreditation, or certification of health 
                care providers;
                    (B) a person who--
                            (i) performs or oversees the performance of 
                        an audit, assessment, evaluation, 
                        determination, or investigation relating to the 
                        effectiveness of, compliance with, or 
                        applicability of, legal, fiscal, medical, or 
                        scientific standards or aspects of performance 
                        related to the delivery of, or payment for, 
                        health care; and
                            (ii) is a public agency, acting on behalf 
                        of a public agency, acting pursuant to a 
                        requirement of a public agency, or carrying out 
                        activities under a State or Federal statute 
                        regulating the assessment, evaluation, 
                        determination, or investigation; or
                    (C) an officer or employee of a person described in 
                subparagraph (A) or (B).
            (7) Health researcher.--The term ``health researcher'' 
        means a person who, with respect to a specific item of 
        protected health information, receives the information--
                    (A) pursuant to section 116 (relating to health 
                research); or
                    (B) while acting in whole or in part in the 
                capacity of an officer or employee of a person 
                described in subparagraph (A).
            (8) Public health authority.--The term ``public health 
        authority'' means a person who, with respect to a specific item 
        of protected health information, receives, creates, uses, 
        maintains, or discloses the information while acting in whole 
        or in part in the capacity of--
                    (A) an authority of the United States, a State, or 
                a political subdivision of a State that is responsible 
                for public health matters;
                    (B) a person acting under the direction of such an 
                authority; or
                    (C) an officer or employee of a person described in 
                subparagraph (A) or (B).
    (c) Other Definitions.--For purposes of this Act:
            (1) Affiliated person.--The term ``affiliated person'' 
        means a person who--
                    (A) is not a health information trustee;
                    (B) is a contractor, subcontractor, associate, or 
                subsidiary of a person who is a health information 
                trustee; and
                    (C) pursuant to an agreement or other relationship 
                with such trustee, receives, creates, uses, maintains, 
                or discloses protected health information.
            (2) Approved health research project.--The term ``approved 
        health research project'' means a biomedical, epidemiological, 
        or health services research or statistics project, or a 
        research project on behavioral and social factors affecting 
        health, that has been approved by a certified institutional 
        review board.
            (3) Certified institutional review board.--The term 
        ``certified institutional review board'' means a board--
                    (A) established by an entity to review research 
                involving protected health information and the rights 
                of protected individuals conducted at or supported by 
                the entity;
                    (B) established in accordance with regulations of 
                the Secretary under section 116(d)(1); and
                    (C) certified by the Secretary under section 
                116(d)(2).
            (4) Health care.--The term ``health care''--
                    (A) means--
                            (i) any preventive, diagnostic, 
                        therapeutic, rehabilitative, maintenance, or 
                        palliative care, counseling, service, or 
                        procedure--
                                    (I) with respect to the physical or 
                                mental condition, or functional status, 
                                of an individual; or
                                    (II) affecting the structure or 
                                function of the human body or any part 
                                of the human body, including banking of 
                                blood, sperm, organs, or any other 
                                tissue; or
                            (ii) any sale or dispensing of a drug, 
                        device, equipment, or other item to an 
                        individual, or for the use of an individual, 
                        pursuant to a prescription; but
                    (B) does not include any item or service that is 
                not furnished for the purpose of maintaining or 
                improving the health of an individual.
            (5) Law enforcement inquiry.--The term ``law enforcement 
        inquiry'' means a lawful investigation or official proceeding 
        inquiring into a violation of, or failure to comply with, any 
        criminal or civil statute or any regulation, rule, or order 
        issued pursuant to such a statute.
            (6) Person.--The term ``person'' includes an authority of 
        the United States, a State, or a political subdivision of a 
        State.
            (7) Secretary.--The term ``Secretary'' means the Secretary 
        of Health and Human Services.
            (8) State.--The term ``State'' includes the District of 
        Columbia, Puerto Rico, the Virgin Islands, Guam, American 
        Samoa, and the Northern Mariana Islands.

               TITLE I--FAIR HEALTH INFORMATION PRACTICES

           Subtitle A--Duties of Health Information Trustees

SEC. 101. INSPECTION OF PROTECTED HEALTH INFORMATION.

    (a) In General.--Except as provided in subsection (b), a health 
information trustee described in subsection (g)--
            (1) shall permit a protected individual to inspect any 
        protected health information about the individual that the 
        trustee maintains, any record with respect to such information 
        required under section 104, and any copy of an authorization 
        required under section 112 that pertains to such information;
            (2) shall provide the protected individual with a copy of 
        the information, upon request by the individual and subject to 
        any conditions imposed by the trustee under subsection (d), in 
        any form or format requested by the individual, if the 
        information is readily reproducible by the trustee in such form 
        or format;
            (3) shall permit a person who has been designated in 
        writing by the protected individual to inspect the information 
        on behalf of the individual or to accompany the individual 
        during the inspection; and
            (4) may offer to explain or interpret information that is 
        inspected or copied under this subsection.
    (b) Exceptions.--A health information trustee is not required by 
this section to permit inspection or copying of protected health 
information by a protected individual if any of the following 
conditions apply:
            (1) Information about others.--The information relates to 
        an individual, other than the protected individual or a health 
        care provider, and the trustee determines in the exercise of 
        reasonable professional judgment that inspection or copying of 
        the information would cause sufficient harm to one or both of 
        the individuals so as to outweigh the desirability of 
        permitting access.
            (2) Endangerment to life or safety.--Inspection or copying 
        of the information could reasonably be expected to endanger the 
        life or physical safety of an individual.
            (3) Confidential source.--The information identifies or 
        could reasonably lead to the identification of an individual 
        (other than a health care provider) who provided information 
        under a promise of confidentiality to a health care provider 
        concerning a protected individual who is a subject of the 
        information.
            (4) Administrative purposes.--The information--
                    (A) is used by the trustee solely for 
                administrative purposes and not in the provision of 
                health care to a protected individual who is a subject 
                of the information; and
                    (B) is not disclosed by the trustee to any person.
            (5) Duplicative information.--The information duplicates 
        information available for inspection under subsection (a).
            (6) Information compiled in anticipation of litigation.--
        The information is compiled principally--
                    (A) in anticipation of a civil, criminal, or 
                administrative action or proceeding; or
                    (B) for use in such an action or proceeding.
    (c) Inspection and Copying of Segregable Portion.--A health 
information trustee shall permit inspection and copying under 
subsection (a) of any reasonably segregable portion of a record after 
deletion of any portion that is exempt under subsection (b).
    (d) Conditions.--A health information trustee may--
            (1) require a written request for the inspection and 
        copying of protected health information under this section; and
            (2) charge a reasonable cost-based fee for--
                    (A) permitting inspection of information under this 
                section; and
                    (B) providing a copy of protected health 
                information under this section.
    (e) Statement of Reasons for Denial.--If a health information 
trustee denies in whole or in part a request for inspection or copying 
under this section, the trustee shall provide the protected individual 
who made the request with a written statement of the reasons for the 
denial.
    (f) Deadline.--A health information trustee shall comply with or 
deny a request for inspection or copying of protected health 
information under this section within the 30-day period beginning on 
the date the trustee receives the request.
    (g) Applicability.--This section applies to a health information 
trustee who is--
            (1) a health benefit plan sponsor;
            (2) a health care provider;
            (3) a health oversight agency; or
            (4) a public health authority.

SEC. 102. AMENDMENT OF PROTECTED HEALTH INFORMATION.

    (a) In General.--A health information trustee described in 
subsection (f) shall, within the 45-day period beginning on the date 
the trustee receives from a protected individual about whom the trustee 
maintains protected health information a written request that the 
trustee correct or amend the information, complete the duties described 
in one of the following paragraphs:
            (1) Correction or amendment and notification.--The trustee 
        shall--
                    (A) make the correction or amendment requested;
                    (B) inform the protected individual of the 
                amendment or correction that has been made;
                    (C) make reasonable efforts to inform any person 
                who is identified by the protected individual, who is 
                not an employee of the trustee, and to whom the 
                uncorrected or unamended portion of the information was 
                previously disclosed of the correction or amendment 
                that has been made; and
                    (D) at the request of the individual, make 
                reasonable efforts to inform any known source of the 
                uncorrected or unamended portion of the information 
                about the correction or amendment that has been made.
            (2) Reasons for refusal and review procedures.--The trustee 
        shall inform the protected individual of--
                    (A) the reasons for the refusal of the trustee to 
                make the correction or amendment;
                    (B) any procedures for further review of the 
                refusal; and
                    (C) the individual's right to file with the trustee 
                a concise statement setting forth the requested 
                correction or amendment and the individual's reasons 
                for disagreeing with the refusal of the trustee.
    (b) Standards for Correction or Amendment.--A trustee shall correct 
or amend protected health information in accordance with a request made 
under subsection (a) if the trustee determines that the information is 
not accurate, relevant, timely, or complete for the purposes for which 
the information may be used or disclosed by the trustee.
    (c) Statement of Disagreement.--After a protected individual has 
filed a statement of disagreement under subsection (a)(2)(C), the 
trustee, in any subsequent disclosure of the disputed portion of the 
information, shall include a copy of the individual's statement and may 
include a concise statement of the trustee's reasons for not making the 
requested correction or amendment.
    (d) Construction.--This section may not be construed to require a 
health information trustee to conduct a hearing or proceeding 
concerning a request for a correction or amendment to protected health 
information the trustee maintains.
    (e) Correction.--For purposes of subsection (a), a correction is 
deemed to have been made to protected health information when--
            (1) information that is not timely, accurate, relevant, or 
        complete is clearly marked as incorrect; or
            (2) supplementary correct information is made part of the 
        information and adequately cross-referenced.
    (f) Applicability.--This section applies to a health information 
trustee who is--
            (1) a health benefit plan sponsor;
            (2) a health care provider;
            (3) a health oversight agency; or
            (4) a public health authority.

SEC. 103. NOTICE OF INFORMATION PRACTICES.

    (a) Preparation of Notice.--A health information trustee described 
in subsection (d) shall prepare a written notice of information 
practices describing the following:
            (1) The rights under this Act of a protected individual who 
        is the subject of protected health information, including the 
        right to inspect and copy such information and the right to 
        seek amendments to such information, and the procedures for 
        authorizing disclosures of protected health information and for 
        revoking such authorizations.
            (2) The procedures established by the trustee for the 
        exercise of such rights.
            (3) The uses and disclosures of protected health 
        information that are authorized under this Act.
    (b) Dissemination of Notice.--A health information trustee--
            (1) shall, upon request, provide any person with a copy of 
        the trustee's notice of information practices (described in 
        subsection (a)); and
            (2) shall make reasonable efforts to inform persons in a 
        clear and conspicuous manner of the existence and availability 
        of such notice.
    (c) Model Notices.--Not later than July 1, 1999, the Secretary, 
after notice and opportunity for public comment, shall develop and 
disseminate model notices of information practices for use by health 
information trustees under this section.
    (d) Applicability.--This section applies to a health information 
trustee who is--
            (1) a health benefit plan sponsor;
            (2) a health care provider; or
            (3) a health oversight agency.

SEC. 104. DISCLOSURE HISTORY.

    (a) In General.--Except as provided in subsection (b) and section 
114, each health information trustee shall create and maintain, with 
respect to any protected health information the trustee discloses, a 
record of--
            (1) the date and purpose of the disclosure;
            (2) the name of the person to whom the disclosure was made;
            (3) the address of the person to whom the disclosure was 
        made or the location to which the disclosure was made; and
            (4) where practicable, a description of the information 
        disclosed.
    (b) Regulations.--Not later than July 1, 1999, the Secretary shall 
promulgate regulations that exempt a health information trustee from 
maintaining a record under subsection (a) with respect to protected health 
information disclosed by the trustee for purposes of peer review, 
licensing, certification, accreditation, and similar activities.

SEC. 105. SECURITY.

    (a) In General.--Each health information trustee who receives or 
creates protected health information that is subject to this Act shall 
maintain reasonable and appropriate administrative, technical, and 
physical safeguards--
            (1) to ensure the integrity and confidentiality of the 
        information;
            (2) to protect against any reasonably anticipated--
                    (A) threats or hazards to the security or integrity 
                of the information; and
                    (B) unauthorized uses or disclosures of the 
                information; and
            (3) otherwise ensure compliance with this Act by the 
        trustee and the officers and employees of the trustee.
    (b) Guidelines.--Not later than July 1, 1999, the Secretary, after 
notice and opportunity for public comment, shall develop and 
disseminate guidelines for the implementation of this section. The 
guidelines shall take into account--
            (1) the technical capabilities of record systems used to 
        maintain protected health information;
            (2) the costs of security measures;
            (3) the need for training persons who have access to 
        protected health information; and
            (4) the value of audit trails in computerized record 
        systems.

     Subtitle B--Use and Disclosure of Protected Health Information

SEC. 111. GENERAL LIMITATIONS ON USE AND DISCLOSURE.

    (a) Use.--Except as otherwise provided under this Act, a health 
information trustee may use protected health information only for a 
purpose--
            (1) that is compatible with and directly related to the 
        purpose for which the information--
                    (A) was collected; or
                    (B) was received by the trustee; or
            (2) for which the trustee is authorized to disclose the 
        information under this Act.
    (b) Disclosure.--A health information trustee may disclose 
protected health information only as authorized under this Act.
    (c) Scope of Uses and Disclosures.--
            (1) In general.--A use or disclosure of protected health 
        information by a health information trustee shall be limited, 
        when practicable, to the minimum amount of information 
        necessary to accomplish the purpose for which the information 
        is used or disclosed.
            (2) Guidelines.--Not later than July 1, 1999, the 
        Secretary, after notice and opportunity for public comment, 
        shall issue guidelines to implement paragraph (1), which shall 
        take into account the technical capabilities of the record 
        systems used to maintain protected health information and the 
        costs of limiting use and disclosure.
    (d) Identification of Disclosed Information as Protected 
Information.--Except with respect to protected health information that 
is disclosed under section 114 (relating to next of kin and directory 
information), a health information trustee may disclose protected 
health information only if the recipient has been notified that the 
information is protected health information that is subject to this 
Act.
    (e) Agreement to Limit Use or Disclosure.--A health information 
trustee who receives protected health information from any person 
pursuant to a written agreement to restrict use or disclosure of the 
information to a greater extent than otherwise would be required under 
this Act shall comply with the terms of the agreement, except where use 
or disclosure of the information in violation of the agreement is 
required by law. A trustee who fails to comply with the preceding 
sentence shall be subject to section 151 (relating to civil actions) 
with respect to such failure.
    (f) No General Requirement to Disclose.--Nothing in this Act shall 
be construed to require a health information trustee to disclose 
protected health information not otherwise required to be disclosed by 
law.

SEC. 112. AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH 
              INFORMATION.

    (a) Written Authorizations.--A health information trustee may 
disclose protected health information pursuant to an authorization 
executed by the protected individual who is the subject of the 
information, if each of the following requirements is satisfied:
            (1) Writing.--The authorization is in writing, signed by 
        the individual, and dated on the date of such signature.
            (2) Separate form.--The authorization is not on a form used 
        to authorize or facilitate the provision of, or payment for, 
        health care.
            (3) Trustee described.--The trustee is specifically named 
        or generically described in the authorization as authorized to 
        disclose such information.
            (4) Recipient described.--The person to whom the 
        information is to be disclosed is specifically named or 
        generically described in the authorization as a person to whom 
        such information may be disclosed.
            (5) Statement of intended uses and disclosures received.--
        The authorization contains an acknowledgment that the 
        individual has received a statement described in subsection (b) 
        from such person.
            (6) Information described.--The information to be disclosed 
        is described in the authorization.
            (7) Authorization timely received.--The authorization is 
        received by the trustee during a period described in subsection 
        (c)(1).
            (8) Disclosure timely made.--The disclosure occurs during a 
        period described in subsection (c)(2).
    (b) Statement of Intended Uses and Disclosures.--
            (1) In general.--A person who wishes to receive from a 
        health information trustee protected health information about a 
        protected individual pursuant to an authorization executed by 
        the individual shall supply the individual, in writing and on a 
        form that is distinct from the authorization, with a statement 
        of the uses for which the person intends the information and 
        the disclosures the person intends to make of the information. 
        Such statement shall be supplied before the authorization is 
        executed.
            (2) Enforcement.--If the person uses or discloses the 
        information in a manner that is inconsistent with such 
        statement, the person shall be subject to section 151 (relating 
        to civil actions) with respect to such failure, except where 
        such use or disclosure is required by law.
            (3) Model statements.--Not later than July 1, 1999, the 
        Secretary, after notice and opportunity for public comment, 
        shall develop and disseminate model statements of intended uses 
        and disclosures of the type described in paragraph (1).
    (c) Time Limitations on Authorizations.--
            (1) Receipt by trustee.--For purposes of subsection (a)(7), 
        an authorization is timely received if it is received by the 
        trustee during--
                    (A) the 1-year period beginning on the date that 
                the authorization is signed under subsection (a)(1), if 
                the authorization permits the disclosure of protected 
                health information to--
                            (i) a health benefit plan sponsor;
                            (ii) a health care provider;
                            (iii) a health oversight agency;
                            (iv) a public health authority;
                            (v) a health researcher; or
                            (vi) a person who provides counseling or 
                        social services to individuals; or
                    (B) the 30-day period beginning on the date that 
                the authorization is signed under subsection (a)(1), if 
                the authorization permits the disclosure of protected 
                health information to a person other than a person 
                described in subparagraph (A).
            (2) Disclosure by trustee.--For purposes of subsection 
        (a)(8), a disclosure is timely made if it occurs before--
                    (A) the date or event (if any) specified in the 
                authorization upon which the authorization expires; and
                    (B) the expiration of the 6-month period beginning 
                on the date the trustee receives the authorization.
    (d) Revocation or Amendment of Authorization.--
            (1) In general.--A protected individual in writing may 
        revoke or amend an authorization described in subsection (a), 
        in whole or in part, at any time, except insofar as--
                    (A) disclosure of protected health information has 
                been authorized to permit validation of expenditures 
                based on health condition by a government authority; or
                    (B) action has been taken in reliance on the 
                authorization.
            (2) Notice of revocation.--A health information trustee who 
        discloses protected health information in reliance on an 
        authorization that has been revoked shall not be subject to any 
        liability or penalty under this Act if--
                    (A) the reliance was in good faith;
                    (B) the trustee had no notice of the revocation; 
                and
                    (C) the disclosure was otherwise in accordance with 
                the requirements of this section.
    (e) Additional Requirements of Trustee.--A health information 
trustee may impose requirements for an authorization that are in 
addition to the requirements in this section.
    (f) Copy.--A health information trustee who discloses protected 
health information pursuant to an authorization under this section 
shall maintain a copy of the authorization.
    (g) Construction.--This section may not be construed--
            (1) to require a health information trustee to disclose 
        protected health information; or
            (2) to limit the right of a health information trustee to 
        charge a fee for the disclosure or reproduction of protected 
        health information.
    (h) Subpoenas, Warrants, and Search Warrants.--If a health 
information trustee discloses protected health information pursuant to 
an authorization in order to comply with an administrative subpoena or 
warrant or a judicial subpoena or search warrant, the authorization--
            (1) shall specifically authorize the disclosure for the 
        purpose of permitting the trustee to comply with the subpoena, 
        warrant, or search warrant; and
            (2) shall otherwise meet the requirements in this section.

SEC. 113. TREATMENT, PAYMENT, AND OVERSIGHT.

    (a) Disclosures by Plans, Providers, and Oversight Agencies.--A 
health information trustee described in subsection (d) may disclose 
protected health information to a health benefit plan sponsor, health 
care provider, or health oversight agency if the disclosure is--
            (1) for the purpose of providing health care and a 
        protected individual who is a subject of the information has 
        not previously objected to the disclosure in writing;
            (2) for the purpose of providing for the payment for health 
        care furnished to an individual; or
            (3) for use by a health oversight agency for a purpose that 
        is described in subparagraph (A) or (B)(i) of section 3(b)(6).
    (b) Disclosures by Certain Other Trustees.--A health information 
trustee may disclose protected health information to a health care 
provider if--
            (1) the disclosure is for the purpose described in 
        subsection (a)(1); and
            (2) the trustee--
                    (A) is a public health authority;
                    (B) received protected health information pursuant 
                to section 117 (relating to emergency circumstances); 
                or
                    (C) is an officer or employee of a trustee 
                described in subparagraph (B).
    (c) Use in Action Against Individual.--A person who receives 
protected health information about a protected individual through a 
disclosure under this section may not use or disclose the information 
in any administrative, civil, or criminal action or investigation 
directed against the individual, except an action or investigation 
arising out of and related to receipt of health care or payment for 
health care.
    (d) Applicability.--A health information trustee referred to in 
subsection (a) is any of the following:
            (1) A health benefit plan sponsor.
            (2) A health care provider.
            (3) A health oversight agency.

SEC. 114. NEXT OF KIN AND DIRECTORY INFORMATION.

    (a) Next of Kin.--A health information trustee who is a health care 
provider, who received protected health information pursuant to section 
117 (relating to emergency circumstances), or who is an officer or 
employee of such a recipient may orally disclose protected health 
information about a protected individual to the next of kin of the 
individual (as defined under State law), or to a person with whom the 
individual has a close personal relationship, if--
            (1) the trustee has no reason to believe that the 
        individual would consider the information especially sensitive;
            (2) the individual has not previously objected to the 
        disclosure;
            (3) the disclosure is consistent with good medical or other 
        professional practice; and
            (4) the information disclosed is limited to information 
        about health care that is being provided to the individual at 
        or about the time of the disclosure.
    (b) Directory Information.--
            (1) In general.--A health information trustee who is a 
        health care provider, who received protected health information 
        pursuant to section 117 (relating to emergency circumstances), 
        or who is an officer or employee of such a recipient may 
        disclose to any person the information described in paragraph 
        (2) if--
                    (A) a protected individual who is a subject of the 
                information has not objected in writing to the 
                disclosure;
                    (B) the disclosure is otherwise consistent with 
                good medical and other professional practice; and
                    (C) the information does not reveal specific 
                information about the physical or mental condition or 
                functional status of a protected individual or about 
                the health care provided to a protected individual.
            (2) Information described.--The information referred to in 
        paragraph (1) is the following:
                    (A) The name of an individual receiving health care 
                from a health care provider on a premises controlled by 
                the provider.
                    (B) The location of the individual on such 
                premises.
                    (C) The general health status of the individual, 
                described in terms of critical, poor, fair, stable, 
                satisfactory, or terms denoting similar conditions.
    (c) No Disclosure Record Required.--A health information trustee 
who discloses protected health information under this section is not 
required to create and maintain a record of the disclosure under 
section 104.
    (d) Recipients.--A person to whom protected health information is 
disclosed under this section shall not, by reason of such disclosure, 
be subject to any requirement under this Act.

SEC. 115. PUBLIC HEALTH.

    (a) In General.--A health information trustee who is a health care 
provider or a public health authority may disclose protected health 
information to--
            (1) a public health authority for use in legally 
        authorized--
                    (A) disease or injury reporting;
                    (B) public health surveillance; or
                    (C) public health investigation or intervention; or
            (2) an individual who is authorized by law to receive the 
        information in a public health intervention.
    (b) Use in Action Against Individual.--A public health authority 
who receives protected health information about a protected individual 
through a disclosure under this section may not use or disclose the 
information in any administrative, civil, or criminal action or 
investigation directed against the individual, except where the use or 
disclosure is authorized by law for protection of the public health.
    (c) Individual Recipients.--An individual to whom protected health 
information is disclosed under subsection (a)(2) shall not, by reason 
of such disclosure, be subject to any requirement under this Act.

SEC. 116. HEALTH RESEARCH.

    (a) In General.--A health information trustee described in 
subsection (c) may disclose protected health information to a person 
if--
            (1) the person is conducting an approved health research 
        project;
            (2) the information is to be used in the project; and
            (3) the project has been determined by a certified 
        institutional review board to be--
                    (A) of sufficient importance so as to outweigh the 
                intrusion into the privacy of the protected individual 
                who is the subject of the information that would result 
                from the disclosure; and
                    (B) impracticable to conduct without the 
                information.
    (b) Limitations on Use and Disclosure; Obligations of Recipient.--A 
health researcher who receives protected health information about a 
protected individual pursuant to subsection (a)--
            (1) may use the information solely for purposes of an 
        approved health research project;
            (2) may not use or disclose the information in any 
        administrative, civil, or criminal action or investigation 
        directed against the individual; and
            (3) shall remove or destroy, at the earliest opportunity 
        consistent with the purposes of the approved health research 
        project in connection with which the disclosure was made, 
        information that would enable an individual to be identified, 
        unless a certified institutional review board has determined 
        that there is a health or research justification for retention 
        of such identifiers and there is an adequate plan to protect 
        the identifiers from use and disclosure that is inconsistent 
        with this Act.
    (c) Applicability.--A health information trustee referred to in 
subsection (a) is any health information trustee other than a person 
who, with respect to the specific protected health information to be 
disclosed under such subsection, received the information--
            (1) pursuant to--
                    (A) section 118 (relating to judicial and 
                administrative purposes);
                    (B) paragraph (1), (2), (3), or (4) of section 
                119(a) (relating to law enforcement); or
                    (C) section 120 (relating to subpoenas, warrants, 
                and search warrants); or
            (2) while acting in whole or in part in the capacity of an 
        officer or employee of a person described in paragraph (1).
    (d) Requirements for Institutional Review Boards.--
            (1) Regulations.--Not later than July 1, 1999, the 
        Secretary, after opportunity for notice and comment, shall 
        promulgate regulations establishing requirements for certified 
        institutional review boards under this Act. The regulations 
        shall be based on regulations promulgated under section 491(a) 
        of the Public Health Service Act and shall ensure that 
        certified institutional review boards are qualified to assess 
        and protect the confidentiality of research subjects.
            (2) Certification.--The Secretary shall certify that an 
        institutional review board satisfies the requirements of the 
        regulations promulgated under paragraph (1).

SEC. 117. EMERGENCY CIRCUMSTANCES.

    (a) In General.--A health information trustee may disclose 
protected health information if the trustee believes, on reasonable 
grounds, that the disclosure is necessary to prevent or lessen a 
serious and imminent threat to the health or safety of an individual.
    (b) Use in Action Against Individual.--A person who receives 
protected health information about a protected individual through a 
disclosure under this section may not use or disclose the information 
in any administrative, civil, or criminal action or investigation 
directed against the individual, except an action or investigation 
arising out of and related to receipt of health care or payment for 
health care.

SEC. 118. JUDICIAL AND ADMINISTRATIVE PURPOSES.

    (a) In General.--A health information trustee described in 
subsection (d) may disclose protected health information--
            (1) pursuant to the Federal Rules of Civil Procedure, the 
        Federal Rules of Criminal Procedure, or comparable rules of 
        other courts or administrative agencies in connection with 
        litigation or proceedings to which a protected individual who 
        is a subject of the information is a party and in which the 
        individual has placed the individual's physical or mental 
        condition or functional status in issue;
            (2) if directed by a court in connection with a court-
        ordered examination of an individual; or
            (3) to assist in the identification of a dead individual.
    (b) Written Statement.--A person seeking protected health 
information about a protected individual held by a health information 
trustee under--
            (1) subsection (a)(1)--
                    (A) shall notify the protected individual or the 
                attorney of the protected individual of the request for 
                the information;
                    (B) shall provide the trustee with a signed 
                document attesting--
                            (i) that the protected individual is a 
                        party to the litigation or proceedings for 
                        which the information is sought;
                            (ii) that the individual has placed the 
                        individual's physical or mental condition or 
                        functional status in issue; and
                            (iii) the date on which the protected 
                        individual or the attorney of the protected 
                        individual was notified under subparagraph (A); 
                        and
                    (C) shall not accept any requested protected health 
                information from the trustee until the termination of 
                the 10-day period beginning on the date notice was 
                given under subparagraph (A); or
            (2) subsection (a)(3) shall provide the trustee with a 
        written statement that the information is sought to assist in 
        the identification of a dead individual.
    (c) Use and Disclosure.--A person to whom protected health 
information is disclosed under this section may use and disclose the 
information only to accomplish the purpose for which the disclosure was 
made.
    (d) Applicability.--A health information trustee referred to in 
subsection (a) is any of the following:
            (1) A health benefit plan sponsor.
            (2) A health care provider.
            (3) A health oversight agency.
            (4) A person who, with respect to the specific protected 
        health information to be disclosed under such subsection, 
        received the information--
                    (A) pursuant to--
                            (i) section 117 (relating to emergency 
                        circumstances); or
                            (ii) section 120 (relating to subpoenas, 
                        warrants, and search warrants); or
                    (B) while acting in whole or in part in the 
                capacity of an officer or employee of a person 
                described in subparagraph (A).

SEC. 119. LAW ENFORCEMENT.

    (a) In General.--A health information trustee may disclose 
protected health information to a law enforcement agency, other than a 
health oversight agency--
            (1) if the information is disclosed for use in an 
        investigation or prosecution of a health information trustee;
            (2) in connection with criminal activity committed against 
        the trustee or an affiliated person of the trustee or on 
        premises controlled by the trustee; or
            (3) if the information is needed to determine whether a 
        crime has been committed and the nature of any crime that may 
        have been committed (other than a crime that may have been 
        committed by the protected individual who is the subject of the 
        information).
    (b) Additional Authority of Certain Trustees.--A health information 
trustee who is not a public health authority or a health researcher may 
disclose protected health information to a law enforcement agency 
(other than a health oversight agency)--
            (1) to assist in the identification or location of a 
        victim, fugitive, or witness in a law enforcement inquiry;
            (2) pursuant to a law requiring the reporting of specific 
        health care information to law enforcement authorities; or
            (3) if the information is specific health information 
        described in paragraph (2) and the trustee is operated by a 
        Federal agency.
    (c) Certification.--Where a law enforcement agency requests a 
health information trustee to disclose protected health information 
under subsection (a) or (b)(1), the agency shall provide the trustee 
with a written certification that--
            (1) is signed by a supervisory official of a rank 
        designated by the head of the agency;
            (2) specifies the information requested; and
            (3) states that the information is needed for a lawful 
        purpose under this section.
    (d) Restrictions on Disclosure and Use.--A person who receives 
protected health information about a protected individual through a 
disclosure under this section may not use or disclose the information--
            (1) in any administrative, civil, or criminal action or 
        investigation directed against the individual, except an action 
        or investigation arising out of and directly related to the 
        action or investigation for which the information was obtained; 
        and
            (2) otherwise unless the use or disclosure is necessary to 
        fulfill the purpose for which the information was obtained and 
        is not prohibited by any other provision of law.

SEC. 120. SUBPOENAS, WARRANTS, AND SEARCH WARRANTS.

    (a) In General.--A health information trustee described in 
subsection (g) may disclose protected health information if the 
disclosure is pursuant to any of the following:
            (1) A subpoena issued under the authority of a grand jury 
        and the trustee is provided a written certification by the 
        grand jury that the grand jury has complied with the applicable 
        access provisions of section 131.
            (2) An administrative subpoena or warrant or a judicial 
        subpoena or search warrant and the trustee is provided a 
        written certification by the person seeking the information 
        that the person has complied with the applicable access 
        provisions of section 131 or 133(a).
            (3) An administrative subpoena or warrant or a judicial 
        subpoena or search warrant and the disclosure otherwise meets 
        the conditions of one of sections 113 through 119.
    (b) Authority of All Trustees.--Any health information trustee may 
disclose protected health information if the disclosure is pursuant to 
subsection (a)(3).
    (c) Restrictions on Use and Disclosure.--Protected health 
information about a protected individual that is disclosed by a health 
information trustee pursuant to--
            (1) subsection (a)(2) may not be otherwise used or 
        disclosed by the recipient unless the use or disclosure is 
        necessary to fulfill the purpose for which the information was 
        obtained; and
            (2) subsection (a)(3) may not be used or disclosed by the 
        recipient unless the recipient complies with the conditions and 
        restrictions on use and disclosure with which the recipient 
        would have been required to comply if the disclosure by the 
        trustee had been made under the section referred to in 
        subsection (a)(3) the conditions of which were met by the 
        disclosure.
    (d) Restrictions on Grand Juries.--Protected health information 
that is disclosed by a health information trustee under subsection 
(a)(1)--
            (1) shall be returnable on a date when the grand jury is in 
        session and actually presented to the grand jury;
            (2) shall be used only for the purpose of considering 
        whether to issue an indictment or report by that grand jury, or 
        for the purpose of prosecuting a crime for which that 
        indictment or report is issued, or for a purpose authorized by 
        rule 6(e) of the Federal Rules of Criminal Procedure or a 
        comparable State rule;
            (3) shall be destroyed or returned to the trustee if not 
        used for one of the purposes specified in paragraph (2); and
            (4) shall not be maintained, or a description of the 
        contents of such information shall not be maintained, by any 
        government authority other than in the sealed records of the 
        grand jury, unless such information has been used in the 
        prosecution of a crime for which the grand jury issued an 
        indictment or presentment or for a purpose authorized by rule 
        6(e) of the Federal Rules of Criminal Procedure or a comparable 
        State rule.
    (e) Use in Action Against Individual.--A person who receives 
protected health information about a protected individual through a 
disclosure under this section may not use or disclose the information 
in any administrative, civil, or criminal action or investigation 
directed against the individual, except an action or investigation 
arising out of and directly related to the inquiry for which the 
information was obtained.
    (f) Construction.--Nothing in this section shall be construed as 
authority for a health information trustee to refuse to comply with a 
valid administrative subpoena or warrant or a valid judicial subpoena 
or search warrant that meets the requirements of this Act.
    (g) Applicability.--A health information trustee referred to in 
subsection (a) is any trustee other than the following:
            (1) A public health authority.
            (2) A health researcher.

           Subtitle C--Access Procedures and Challenge Rights

SEC. 131. ACCESS PROCEDURES FOR LAW ENFORCEMENT SUBPOENAS, WARRANTS, 
              AND SEARCH WARRANTS.

    (a) Probable Cause Requirement.--A government authority may not 
obtain protected health information about a protected individual from a 
health information trustee under paragraph (1) or (2) of section 120(a) 
for use in a law enforcement inquiry unless there is probable cause to 
believe that the information is relevant to a legitimate law 
enforcement inquiry being conducted by the government authority.
    (b) Warrants and Search Warrants.--A government authority that 
obtains protected health information about a protected individual from 
a health information trustee under circumstances described in 
subsection (a) and pursuant to a warrant or search warrant shall, not 
later than 30 days after the date the warrant was served on the 
trustee, serve the individual with, or mail to the last known address 
of the individual, a copy of the warrant.
    (c) Subpoenas.--Except as provided in subsection (d), a government 
authority may not obtain protected health information about a protected 
individual from a health information trustee under circumstances 
described in subsection (a) and pursuant to a subpoena unless a copy of 
the subpoena has been served by hand delivery upon the individual, or 
mailed to the last known address of the individual, on or before the 
date on which the subpoena was served on the trustee, together with a 
notice (published by the Secretary under section 135(1)) of the 
individual's right to challenge the subpoena in accordance with section 
132, and--
            (1) 30 days have passed from the date of service, or 30 
        days have passed from the date of mailing, and within such time 
        period the individual has not initiated a challenge in 
        accordance with section 132; or
            (2) disclosure is ordered by a court under section 132.
    (d) Application for Delay.--
            (1) In general.--A government authority may apply to an 
        appropriate court to delay (for an initial period of not longer 
        than 90 days) serving a copy of a subpoena and a notice 
        otherwise required under subsection (c) with respect to a law 
        enforcement inquiry. The government authority may apply to the 
        court for extensions of the delay.
            (2) Reasons for delay.--An application for a delay, or 
        extension of a delay, under this subsection shall state, with 
        reasonable specificity, the reasons why the delay or extension 
        is being sought.
            (3) Ex parte order.--The court shall enter an ex parte 
        order delaying, or extending the delay of, the notice and an 
        order prohibiting the trustee from revealing the request for, 
        or the disclosure of, the protected health information being 
        sought if the court finds that--
                    (A) the inquiry being conducted is within the 
                lawful jurisdiction of the government authority seeking 
                the protected health information;
                    (B) there is probable cause to believe that the 
                protected health information being sought is relevant 
                to a legitimate law enforcement inquiry being conducted 
                by the government authority;
                    (C) the government authority's need for the 
                information outweighs the privacy interest of the 
                protected individual who is the subject of the 
                information; and
                    (D) there are reasonable grounds to believe that 
                receipt of a notice by the individual will result in--
                            (i) endangering the life or physical safety 
                        of any individual;
                            (ii) flight from prosecution;
                            (iii) destruction of or tampering with 
                        evidence or the information being sought; or
                            (iv) intimidation of potential witnesses.
            (4) Service of application on individual.--Upon the 
        expiration of a period of delay of notice under this 
        subsection, the government authority shall serve upon the 
        individual, with the service of the subpoena and the notice, a 
        copy of any applications filed and approved under this 
        subsection.

SEC. 132. CHALLENGE PROCEDURES FOR LAW ENFORCEMENT SUBPOENAS.

    (a) Motion to Quash Subpoena.--Within 30 days of the date of 
service, or 30 days of the date of mailing, of a subpoena of a 
government authority seeking protected health information about a 
protected individual from a health information trustee under paragraph 
(1) or (2) of section 120(a) (except a subpoena to which section 133 
applies), the individual may file (without filing fee) a motion to 
quash the subpoena--
            (1) in the case of a State judicial subpoena, in the court 
        which issued the subpoena;
            (2) in the case of a subpoena issued under the authority of 
        a State that is not a State judicial subpoena, in a court of 
        competent jurisdiction;
            (3) in the case of a subpoena issued under the authority of 
        a Federal court, in any court of the United States of competent 
        jurisdiction; or
            (4) in the case of any other subpoena issued under the 
        authority of the United States, in--
                    (A) the United States district court for the 
                district in which the individual resides or in which 
                the subpoena was issued; or
                    (B) another United States district court of 
                competent jurisdiction.
    (b) Copy.--A copy of the motion shall be served by the individual 
upon the government authority by delivery of registered or certified 
mail.
    (c) Affidavits and Sworn Documents.--The government authority may 
file with the court such affidavits and other sworn documents as 
sustain the validity of the subpoena. The individual may file with the 
court, within 5 days of the date of the authority's filing, affidavits 
and sworn documents in response to the authority's filing. The court, 
upon the request of the individual, the government authority, or both, 
may proceed in camera.
    (d) Proceedings and Decision on Motion.--The court may conduct such 
proceedings as it deems appropriate to rule on the motion. All such 
proceedings shall be completed, and the motion ruled on, within 10 
calendar days of the date of the government authority's filing.
    (e) Extension of Time Limits for Good Cause.--The court, for good 
cause shown, may at any time in its discretion enlarge the time limits 
established by subsections (c) and (d).
    (f) Standard for Decision.--A court may deny a motion under 
subsection (a) if it finds that there is probable cause to believe that 
the protected health information being sought is relevant to a 
legitimate law enforcement inquiry being conducted by the government 
authority, unless the court finds that the individual's privacy 
interest outweighs the government authority's need for the information. 
The individual shall have the burden of demonstrating that the 
individual's privacy interest outweighs the need established by the 
government authority for the information.
    (g) Specific Considerations With Respect to Privacy Interest.--In 
determining under subsection (f) whether an individual's privacy 
interest outweighs the government authority's need for the information, 
the court shall consider--
            (1) the particular purpose for which the information was 
        collected by the trustee;
            (2) the degree to which disclosure of the information will 
        embarrass, injure, or invade the privacy of the individual;
            (3) the effect of the disclosure on the individual's future 
        health care;
            (4) the importance of the inquiry being conducted by the 
        government authority, and the importance of the information to 
        that inquiry; and
            (5) any other factor deemed relevant by the court.
    (h) Attorney's Fees.--In the case of any motion brought under 
subsection (a) in which the individual has substantially prevailed, the 
court, in its discretion, may assess against a government authority a 
reasonable attorney's fee and other litigation costs (including expert 
fees) reasonably incurred.
    (i) No Interlocutory Appeal.--A court ruling denying a motion to 
quash under this section shall not be deemed a final order and no 
interlocutory appeal may be taken therefrom by the individual. An 
appeal of such a ruling may be taken by the individual within such 
period of time as is provided by law as part of any appeal from a final 
order in any legal proceeding initiated against the individual arising 
out of or based upon the protected health information disclosed.

SEC. 133. ACCESS AND CHALLENGE PROCEDURES FOR OTHER SUBPOENAS.

    (a) In General.--A person (other than a government authority 
seeking protected health information under circumstances described in 
section 131(a)) may not obtain protected health information about a 
protected individual from a health information trustee pursuant to a 
subpoena under section 120(a)(2) unless--
            (1) a copy of the subpoena has been served upon the 
        individual or mailed to the last known address of the 
        individual on or before the date on which the subpoena was 
        served on the trustee, together with a notice (published by the 
        Secretary under section 135(2)) of the individual's right to 
        challenge the subpoena, in accordance with subsection (b); and
            (2) either--
                    (A) 30 days have passed from the date of service or 
                30 days have passed from the date of the mailing and 
                within such time period the individual has not 
                initiated a challenge in accordance with subsection 
                (b); or
                    (B) disclosure is ordered by a court under such 
                subsection.
    (b) Motion to Quash.--Within 30 days of the date of service or 30 
days of the date of mailing of a subpoena seeking protected health 
information about a protected individual from a health information 
trustee under subsection (a), the individual may file (without filing 
fee) in any court of competent jurisdiction, a motion to quash the 
subpoena, with a copy served on the person seeking the information. The 
individual may oppose, or seek to limit, the subpoena on any grounds 
that would otherwise be available if the individual were in possession 
of the information.
    (c) Standard for Decision.--The court shall grant an individual's 
motion under subsection (b) if the person seeking the information has 
not sustained the burden of demonstrating that--
            (1) there are reasonable grounds to believe that the 
        information will be relevant to a lawsuit or other judicial or 
        administrative proceeding; and
            (2) the need of the person for the information outweighs 
        the privacy interest of the individual.
    (d) Specific Considerations With Respect to Privacy Interest.--In 
determining under subsection (c) whether the need of the person for the 
information outweighs the privacy interest of the individual, the court 
shall consider--
            (1) the particular purpose for which the information was 
        collected by the trustee;
            (2) the degree to which disclosure of the information will 
        embarrass, injure, or invade the privacy of the individual;
            (3) the effect of the disclosure on the individual's future 
        health care;
            (4) the importance of the information to the lawsuit or 
        proceeding; and
            (5) any other factor deemed relevant by the court.
    (e) Attorney's Fees.--In the case of any motion brought under 
subsection (b) by an individual against a person in which the 
individual has substantially prevailed, the court, in its discretion, 
may assess against the person a reasonable attorney's fee and other 
litigation costs (including expert fees) reasonably incurred.

SEC. 134. CONSTRUCTION OF SUBTITLE; SUSPENSION OF STATUTE OF 
              LIMITATIONS.

    (a) In General.--Nothing in this subtitle shall affect the right of 
a health information trustee to challenge a request for protected 
health information. Nothing in this subtitle shall entitle a protected 
individual to assert the rights of a health information trustee.
    (b) Effect of Motion on Statute of Limitations.--If an individual 
who is the subject of protected health information files a motion under 
this subtitle which has the effect of delaying the access of a 
government authority to such information, the period beginning on the 
date such motion was filed and ending on the date on which the motion 
is decided shall be excluded in computing any period of limitations 
within which the government authority may commence any civil or 
criminal action in connection with which the access is sought.

SEC. 135. RESPONSIBILITIES OF SECRETARY.

    Not later than July 1, 1999, the Secretary, after notice and 
opportunity for public comment, shall develop and disseminate brief, 
clear, and easily understood model notices--
            (1) for use under subsection (c) of section 131, detailing 
        the rights of a protected individual who wishes to challenge, 
        under section 132, the disclosure of protected health 
        information about the individual under such subsection; and
            (2) for use under subsection (a) of section 133, detailing 
        the rights of a protected individual who wishes to challenge, 
        under subsection (b) of such section, the disclosure of 
        protected health information about the individual under such 
        section.

                  Subtitle D--Miscellaneous Provisions

SEC. 141. PAYMENT CARD AND ELECTRONIC PAYMENT TRANSACTIONS.

    (a) Payment for Health Care Through Card or Electronic Means.--If a 
protected individual pays a health information trustee for health care 
by presenting a debit, credit, or other payment card or account number, 
or by any other electronic payment means, the trustee may disclose to a 
person described in subsection (b) only such protected health 
information about the individual as is necessary for the processing of 
the payment transaction or the billing or collection of amounts charged 
to, debited from, or otherwise paid by, the individual using the card, 
number, or other electronic payment means.
    (b) Transaction Processing.--A person who is a debit, credit, or 
other payment card issuer, is otherwise directly involved in the 
processing of payment transactions involving such cards or other 
electronic payment transactions, or is otherwise directly involved in 
the billing or collection of amounts paid through such means, may only 
use or disclose protected health information about a protected 
individual that has been disclosed in accordance with subsection (a) 
when necessary for--
            (1) the authorization, settlement, billing or collection of 
        amounts charged to, debited from, or otherwise paid by, the 
        individual using a debit, credit, or other payment card or 
        account number, or by other electronic payment means;
            (2) the transfer of receivables, accounts, or interest 
        therein;
            (3) the audit of the credit, debit, or other payment card 
        account information;
            (4) compliance with Federal, State, or local law; or
            (5) a properly authorized civil, criminal, or regulatory 
        investigation by Federal, State, or local authorities.

SEC. 142. ACCESS TO PROTECTED HEALTH INFORMATION OUTSIDE OF THE UNITED 
              STATES.

    (a) In General.--Notwithstanding the provisions of subtitle B, and 
except as provided in subsection (b), a health information trustee may 
not permit any person who is not in a State to have access to protected 
health information about a protected individual unless one or more of 
the following conditions exist:
            (1) Specific authorization.--The individual has 
        specifically consented to the provision of such access outside 
        of the United States in an authorization that meets the 
        requirements of section 112.
            (2) Equivalent protection.--The provision of such access is 
        authorized under this Act and the Secretary has determined that 
        there are fair information practices for protected health 
        information in the jurisdiction where the access will be 
        provided that provide protections for individuals and protected 
        health information that are equivalent to the protections 
        provided for by this Act.
            (3) Access required by law.--The provision of such access 
        is required under--
                    (A) a Federal statute; or
                    (B) a treaty or other international agreement 
                applicable to the United States.
    (b) Exceptions.--Subsection (a) does not apply where the provision 
of access to protected health information--
            (1) is to a foreign public health authority;
            (2) is authorized under section 114 (relating to next of 
        kin and directory information), 116 (relating to health 
        research), or 117 (relating to emergency circumstances); or
            (3) is necessary for the purpose of providing for payment 
        for health care that has been provided to an individual.

SEC. 143. STANDARDS FOR ELECTRONIC DOCUMENTS AND COMMUNICATIONS.

    (a) Standards.--Not later than July 1, 1999, the Secretary, after 
notice and opportunity for public comment and in consultation with 
appropriate private standard-setting organizations and other interested 
parties, shall establish standards with respect to the 
creation, transmission, receipt, and maintenance, in electronic and 
magnetic form, of each type of written document specifically required 
or authorized under this Act. Where a signature is required under any 
other provision of this Act, such standards shall provide for an 
electronic or magnetic substitute that serves the functional equivalent 
of a signature.
    (b) Treatment of Complying Documents and Communications.--An 
electronic or magnetic document or communication that satisfies the 
standards established under subsection (a) with respect to such 
document or communication shall be treated as satisfying the 
requirements of this Act that apply to an equivalent written document.

SEC. 144. DUTIES AND AUTHORITIES OF AFFILIATED PERSONS.

    (a) Requirements on Trustees.--
            (1) Provision of information.--A health information trustee 
        may provide protected health information to a person who, with 
        respect to the trustee, is an affiliated person and may permit 
        the affiliated person to use such information, only for the 
        purpose of conducting, supporting, or facilitating an activity 
        that the trustee is authorized to undertake.
            (2) Notice to affiliated person.--A health information 
        trustee shall notify a person who, with respect to the trustee, 
        is an affiliated person of any duties under this Act that the 
        affiliated person is required to fulfill and of any authorities 
        under this Act that the affiliated person is authorized to 
        exercise.
    (b) Duties of Affiliated Persons.--
            (1) In general.--An affiliated person shall fulfill any 
        duty under this Act that--
                    (A) the health information trustee with whom the 
                person has an agreement or relationship described in 
                section 3(c)(1)(C) is required to fulfill; and
                    (B) the person has undertaken to fulfill pursuant 
                to such agreement or relationship.
            (2) Construction of other subtitles.--With respect to a 
        duty described in paragraph (1) that an affiliated person is 
        required to fulfill, the person shall be considered a health 
        information trustee for purposes of this Act. The person shall 
        be subject to subtitle E (relating to enforcement) with respect 
        to any such duty that the person fails to fulfill.
            (3) Effect on trustee.--An agreement or relationship with 
        an affiliated person does not relieve a health information 
        trustee of any duty or liability under this Act.
    (b) Authorities of Affiliated Persons.--
            (1) In general.--An affiliated person may only exercise an 
        authority under this Act that the health information trustee 
        with whom the person is affiliated may exercise and that the 
        person has been given by the trustee pursuant to an agreement 
        or relationship described in section 3(c)(1)(C). With respect 
        to any such authority, the person shall be considered a health 
        information trustee for purposes of this Act. The person shall 
        be subject to subtitle E (relating to enforcement) with respect 
        to any act that exceeds such authority.
            (2) Effect on trustee.--An agreement or relationship with 
        an affiliated person does not affect the authority of a health 
        information trustee under this Act.

SEC. 145. AGENTS AND ATTORNEYS.

    (a) In General.--Except as provided in subsections (b) and (c), a 
person who is authorized by law (on grounds other than an individual's 
minority), or by an instrument recognized under law, to act as an 
agent, attorney, proxy, or other legal representative for a protected 
individual or the estate of a protected individual, or otherwise to 
exercise the rights of the individual or estate, may, to the extent 
authorized, exercise and discharge the rights of the individual or 
estate under this Act.
    (b) Health Care Power of Attorney.--A person who is authorized by 
law (on grounds other than an individual's minority), or by an 
instrument recognized under law, to make decisions about the provision 
of health care to an individual who is incapacitated may exercise and 
discharge the rights of the individual under this Act to the extent 
necessary to effectuate the terms or purposes of the grant of 
authority.
    (c) No Court Declaration.--If a health care provider determines 
that an individual, who has not been declared to be legally 
incompetent, suffers from a medical condition that prevents the 
individual from acting knowingly or effectively on the individual's own 
behalf, the right of the individual to authorize disclosure under 
section 112 may be exercised and discharged in the best interest of the 
individual by--
            (1) a person described in subsection (b) with respect to 
        the individual;
            (2) a person described in subsection (a) with respect to 
        the individual, but only if a person described in paragraph (1) 
        cannot be contacted after a reasonable effort;
            (3) the next of kin of the individual, but only if a person 
        described in paragraph (1) or (2) cannot be contacted after a 
        reasonable effort; or
            (4) the health care provider, but only if a person 
        described in paragraph (1), (2), or (3) cannot be contacted 
        after a reasonable effort.

SEC. 146. MINORS.

    (a) Individuals Who Are 18 or Legally Capable.--In the case of an 
individual--
            (1) who is 18 years of age or older, all rights of the 
        individual shall be exercised by the individual, except as 
        provided in section 145; or
            (2) who, acting alone, has the legal capacity to apply for 
        and obtain health care and has sought such care, the individual 
        shall exercise all rights of an individual under this Act with 
        respect to protected health information relating to such care.
    (b) Individuals Under 18.--Except as provided in subsection (a)(2), 
in the case of an individual who is--
            (1) under 14 years of age, all the individual's rights 
        under this Act shall be exercised through the parent or legal 
        guardian of the individual; or
            (2) 14, 15, 16, or 17 years of age, the right of inspection 
        (under section 101), the right of amendment (under section 
        102), and the right to authorize disclosure of protected health 
        information (under section 112) of the individual may be 
        exercised either by the individual or by the parent or legal 
        guardian of the individual.

SEC. 147. MAINTENANCE OF CERTAIN PROTECTED HEALTH INFORMATION.

    (a) In General.--A State shall establish a process under which the 
protected health information described in subsection (b) that is 
maintained by a person described in subsection (c) is delivered to, and 
maintained by, the State or an individual or entity designated by the 
State.
    (b) Information Described.--The protected health information 
referred to in subsection (a) is protected health information that--
            (1) is recorded in any form or medium;
            (2) is created by--
                    (A) a health care provider; or
                    (B) a health benefit plan sponsor that provides 
                benefits in the form of items and services to enrollees 
                and not in the form of reimbursement for items and 
                services; and
            (3) relates in any way to the past, present, or future 
        physical or mental health or condition or functional status of 
        a protected individual or the provision of health care to a 
        protected individual.
    (c) Persons Described.--A person referred to in subsection (a) is 
any of the following:
            (1) A health care facility previously located in the State 
        that has closed.
            (2) A professional practice previously operated by a health 
        care provider in the State that has closed.
            (3) A health benefit plan sponsor that--
                    (A) previously provided benefits in the form of 
                items and services to enrollees in the State; and
                    (B) has ceased to do business.

                        Subtitle E--Enforcement

SEC. 151. CIVIL ACTIONS.

    (a) In General.--Any individual whose right under this Act has been 
knowingly or negligently violated--
            (1) by a health information trustee, or any other person, 
        who is not described in paragraph (2), (3), (4), or (5) may 
        maintain a civil action for actual damages and for equitable 
        relief against the health information trustee or other person;
            (2) by an officer or employee of the United States while 
        the officer or employee was acting within the scope of the 
        office or employment may maintain a civil action for actual 
        damages and for equitable relief against the United States;
            (3) by an officer or employee of any government authority 
        of a State that has waived its sovereign immunity to a claim 
        for damages resulting from a violation of this Act while the 
        officer or employee was acting within the scope of the office 
        or employment may maintain a civil action for actual damages 
        and for equitable relief against the State government;
            (4) by an officer or employee of a government of a State 
        that is not described in paragraph (3) may maintain a civil 
        action for actual damages and for equitable relief against the 
        officer or employee; or
            (5) by an officer or employee of a government authority 
        while the officer or employee was not acting within the scope 
        of the office or employment may maintain a civil action for 
        actual damages and for equitable relief against the officer or 
        employee.
    (b) Knowing Violations.--Any individual entitled to recover actual 
damages under this section because of a knowing violation of a 
provision of this Act (other than subsection (c) or (d) of section 111) 
shall be entitled to recover the amount of the actual damages 
demonstrated or $5000, whichever is greater.
    (c) Actual Damages.--For purposes of this section, the term 
``actual damages'' includes damages paid to compensate an individual 
for nonpecuniary losses such as physical and mental injury as well as 
damages paid to compensate for pecuniary losses.
    (d) Punitive Damages; Attorney's Fees.--In any action brought under 
this section in which the complainant has prevailed because of a 
knowing violation of a provision of this Act (other than subsection (c) 
or (d) of section 111), the court may, in addition to any relief 
awarded under subsections (a) and (b), award such punitive damages as 
may be warranted. In such an action, the court, in its discretion, may 
allow the prevailing party a reasonable attorney's fee (including 
expert fees) as part of the costs, and the United States shall be 
liable for costs the same as a private person.
    (e) Limitation.--A civil action under this section may not be 
commenced more than 2 years after the date on which the aggrieved 
individual discovered the violation or the date on which the aggrieved 
individual had a reasonable opportunity to discover the violation, 
whichever occurs first.
    (f) Inspection and Amendment.--If a health information trustee has 
established a formal internal procedure that allows an individual who 
has been denied inspection or amendment of protected health information 
to appeal the denial, the individual may not maintain a civil action in 
connection with the denial until the earlier of--
            (1) the date the appeal procedure has been exhausted; or
            (2) the date that is 4 months after the date on which the 
        appeal procedure was initiated.
    (g) No Liability for Permissible Disclosures.--A health information 
trustee who makes a disclosure of protected health information about a 
protected individual that is permitted by this Act and not otherwise 
prohibited by State or Federal statute shall not be liable to the 
individual for the disclosure under common law.
    (h) No Liability for Institutional Review Board Determinations.--If 
the members of a certified institutional review board have in good 
faith determined that an approved health research project is of 
sufficient importance so as to outweigh the intrusion into the privacy 
of an individual pursuant to section 116(a)(1), the members, the board, 
and the parent institution of the board shall not be liable to the 
individual as a result of such determination.
    (i) Good Faith Reliance on Certification.--A health information 
trustee who relies in good faith on a certification by a government 
authority or other person and discloses protected health information 
about an individual in accordance with this Act shall not be liable to 
the individual for such disclosure.

SEC. 152. CIVIL MONEY PENALTIES.

    (a) Violation.--Any health information trustee who the Secretary 
determines has demonstrated a pattern or practice of failure to comply 
with the provisions of this Act shall be subject, in addition to any 
other penalties that may be prescribed by law, to a civil money penalty 
of not more than $10,000 for each such failure. In determining the 
amount of any penalty to be assessed under the procedures established 
under subsection (b), the Secretary shall take into account the 
previous record of compliance of the person being assessed with the 
applicable requirements of this Act and the gravity of the violation.
    (b) Procedures for Imposition of Penalties.--The provisions of 
section 1128A of the Social Security Act (other than subsections (a) 
and (b)) shall apply to the imposition of a civil monetary penalty 
under this section in the same manner as such provisions apply with 
respect to the imposition of a penalty under section 1128A of such Act.

SEC. 153. ALTERNATIVE DISPUTE RESOLUTION.

    (a) In General.--Not later than July 1, 1999, the Secretary shall, 
by regulation, develop alternative dispute resolution methods for use 
by individuals, health information trustees, and other persons in 
resolving claims under section 151.
    (b) Effect on Initiation of Civil Actions.--
            (1) In general.--Subject to paragraph (2), the regulations 
        established under subsection (a) may provide that an individual 
        alleging that a right of the individual under this Act has been 
        violated shall pursue at least one alternative dispute 
        resolution method developed under such subsection as a 
        condition precedent to commencing a civil action under section 
        151.
            (2) Limitation.--Such regulations may not require an 
        individual to refrain from commencing a civil action to pursue 
        one or more alternative dispute resolution method for a period 
        that is greater than 6 months.
            (3) Suspension of statute of limitations.--The regulations 
        established by the Secretary under subsection (a) may provide 
        that a period in which an individual described in paragraph (1) 
        pursues (as defined by the Secretary) an alternative dispute 
        resolution method under this section shall be excluded in 
        computing the period of limitations under section 151(e).
    (c) Methods.--The methods under subsection (a) shall include at 
least the following:
            (1) Arbitration.--The use of arbitration.
            (2) Mediation.--The use of mediation.
            (3) Early offers of settlement.--The use of a process under 
        which parties make early offers of settlement.
    (d) Standards for Establishing Methods.--In developing alternative 
dispute resolution methods under subsection (a), the Secretary shall 
ensure that the methods promote the resolution of claims in a manner 
that--
            (1) is affordable for the parties involved;
            (2) provides for timely and fair resolution of claims; and
            (3) provides for reasonably convenient access to dispute 
        resolution for individuals.

SEC. 154. AMENDMENTS TO CRIMINAL LAW.

    (a) In General.--Title 18, United States Code, is amended by 
inserting after chapter 73 the following:

          ``CHAPTER 74--OBTAINING PROTECTED HEALTH INFORMATION

``Sec.
``1531. Definitions.
``1532. Obtaining protected health information under false pretenses.
``1533. Monetary gain from obtaining protected health information under 
                            false pretenses.
``1534. Knowing and unlawful obtaining of protected health information.
``1535. Monetary gain from knowing and unlawful obtaining of protected 
                            health information.
``1536. Knowing and unlawful use or disclosure of protected health 
                            information.
``1537. Monetary gain from knowing and unlawful sale, transfer, or use 
                            of protected health information.
``Sec. 1531. Definitions
    ``As used in this chapter--
            ``(1) the term `health information trustee' has the meaning 
        given such term in section 3(b)(5) of the Fair Health 
        Information Practices Act of 1997;
            ``(2) the term `protected health information' has the 
        meaning given such term in section 3(a)(3) of such Act; and
            ``(3) the term `protected individual' has the meaning given 
        such term in section 3(a)(4) of such Act.
``Sec. 1532. Obtaining protected health information under false 
              pretenses
    ``Whoever under false pretenses--
            ``(1) requests or obtains protected health information from 
        a health information trustee; or
            ``(2) obtains from a protected individual an authorization 
        for the disclosure of protected health information about the 
        individual maintained by a health information trustee;
shall be fined under this title or imprisoned not more than 5 years, or 
both.
``Sec. 1533. Monetary gain from obtaining protected health information 
              under false pretenses
    ``Whoever under false pretenses--
            ``(1) requests or obtains protected health information from 
        a health information trustee with the intent to sell, transfer, 
        or use such information for profit or monetary gain; or
            ``(2) obtains from a protected individual an authorization 
        for the disclosure of protected health information about the 
        individual maintained by a health information trustee with the 
        intent to sell, transfer, or use such authorization for profit 
        or monetary gain;
and knowingly sells, transfers, or uses such information or 
authorization for profit or monetary gain shall be fined under this 
title or imprisoned not more than 10 years, or both.
``Sec. 1534. Knowing and unlawful obtaining of protected health 
              information
    ``Whoever knowingly obtains protected health information from a 
health information trustee in violation of the Fair Health Information 
Practices Act of 1997, knowing that such obtaining is unlawful, shall 
be fined under this title or imprisoned not more than 5 years, or both.
``Sec. 1535. Monetary gain from knowing and unlawful obtaining of 
              protected health information
    ``Whoever knowingly--
            ``(1) obtains protected health information from a health 
        information trustee in violation of the Fair Health Information 
        Practices Act of 1997, knowing that such obtaining is unlawful 
        and with the intent to sell, transfer, or use such information 
        for profit or monetary gain; and
            ``(2) knowingly sells, transfers, or uses such information 
        for profit or monetary gain;
shall be fined under this title or imprisoned not more than 10 years, 
or both.
``Sec. 1536. Knowing and unlawful use or disclosure of protected health 
              information
    ``Whoever knowingly uses or discloses protected health information 
in violation of the Fair Health Information Practices Act of 1997, 
knowing that such use or disclosure is unlawful, shall be fined under 
this title or imprisoned not more than 5 years, or both.
``Sec. 1537. Monetary gain from knowing and unlawful sale, transfer, or 
              use of protected health information
    ``Whoever knowingly sells, transfers, or uses protected health 
information in violation of the Fair Health Information Practices Act 
of 1997, knowing that such sale, transfer, or use is unlawful, shall be 
fined under this title or imprisoned not more than 10 years, or 
both.''.
    (b) Clerical Amendment.--The table of chapters for part I of title 
18, United States Code, is amended by inserting after the item relating 
to chapter 73 the following:

``74. Obtaining protected health information................    1531''.

          TITLE II--AMENDMENTS TO TITLE 5, UNITED STATES CODE

SEC. 201. AMENDMENTS TO TITLE 5, UNITED STATES CODE.

    (a) New Subsection.--Section 552a of title 5, United States Code, 
is amended by adding at the end the following:

    ``(w) Medical Exemptions.--The head of an agency that is a health 
information trustee (as defined in section 3(b)(5) of the Fair Health 
Information Practices Act of 1997) shall promulgate rules, in 
accordance with the requirements (including general notice) of 
subsections (b)(1), (b)(2), (b)(3), (c), and (e) of section 553 of this 
title, to exempt a system of records within the agency, to the extent 
that the system of records contains protected health information (as 
defined in section 3(a)(3) of such Act), from all provisions of this 
section except subsections (e)(1), (e)(2), subparagraphs (A) through 
(C) and (E) through (I) of subsection (e)(4), and subsections (e)(5), 
(e)(6), (e)(9), (e)(12), (l), (n), (o), (p), (q), (r), and (u).''.
    (b) Repeal.--Section 552a(f)(3) of title 5, United States Code, is 
amended by striking ``pertaining to him,'' and all that follows through 
the semicolon and inserting ``pertaining to the individual;''.

   TITLE III--REGULATIONS, RESEARCH, AND EDUCATION; EFFECTIVE DATES; 
             APPLICABILITY; AND RELATIONSHIP TO OTHER LAWS

SEC. 301. REGULATIONS; RESEARCH AND EDUCATION.

    (a) Regulations.--Not later than July 1, 1999, the Secretary shall 
prescribe regulations to carry out this Act.
    (b) Research and Technical Support.--The Secretary may sponsor--
            (1) research relating to the privacy and security of 
        protected health information;
            (2) the development of consent forms governing disclosure 
        of such information; and
            (3) the development of technology to implement standards 
        regarding such information.
    (c) Education.--The Secretary shall establish education and 
awareness programs--
            (1) to foster adequate security practices by health 
        information trustees;
            (2) to train personnel of health information trustees 
        respecting the duties of such personnel with respect to 
        protected health information; and
            (3) to inform individuals and employers who purchase health 
        care respecting their rights with respect to such information.
    (d) Office of Information Privacy.--
            (1) Establishment.--There is established in the Department 
        of Health and Human Services, within the Office of the 
        Secretary, an Office of Information Privacy. The Office of 
        Information Privacy shall be headed by a Director, who shall 
        also be the Privacy Adviser of the Department of Health and 
        Human Services. The Director shall be the principal adviser to 
        the Secretary on the effect of the use and disclosure of 
        personally-identifiable information on the privacy of 
        individuals.
            (2) Duties.--The Director of the Office of Information 
        Privacy shall--
                    (A) monitor and participate in the development of 
                regulations under this Act;
                    (B) monitor the implementation of this Act within 
                the Department of Health and Human Services;
                    (C) advise the Secretary of the effects of current 
                activities and proposed statutory, regulatory, 
                administrative, and budgetary actions on the 
                information privacy of individuals;
                    (D) monitor the implementation within the 
                Department of Health and Human Services of laws and 
                policies affecting the confidentiality of personally-
                identifiable health information or other personally-
                identifiable information;
                    (E) advise the Secretary on the implications for 
                privacy of automated systems for the collection, 
                storage, analysis, or transfer of personally-
                identifiable health information or other personally-
                identifiable information;
                    (F) engage in, or commission, research and 
                technical studies on the implications of policies and 
                practices for information privacy promulgated by the 
                Secretary;
                    (G) serve as a point of contact within the 
                Department of Health and Human Services for persons, 
                such as other agencies of the Federal Government, 
                States, foreign governments, international 
                organizations, privacy and consumer advocacy 
                organizations, businesses, nonprofit organizations, and 
                individuals, interested in the effects on privacy of 
                the collection, maintenance, use, and disclosure of 
                personally-identifiable health information or other 
                personally-identifiable information; and
                    (H) report from time to time to the Secretary, the 
                Congress, and the public on privacy matters.

SEC. 302. EFFECTIVE DATES.

    (a) In General.--Except as provided in subsection (b), this Act, 
and the amendments made by this Act, shall take effect on January 1, 
2000.
    (b) Provisions Effective Immediately.--
            (1) In general.--A provision of this Act shall take effect 
        on the date of the enactment of this Act if the provision--
                    (A) imposes a duty on the Secretary to develop, 
                establish, or promulgate regulations, guidelines, 
                notices, statements, or education and awareness 
                programs; or
                    (B) authorizes the Secretary to sponsor research or 
                the development of forms or technology.
            (2) Office of information privacy.--Section 301(d) 
        (relating to the Office of Information Privacy) shall take 
        effect on the date of the enactment of this Act.

SEC. 303. APPLICABILITY.

    (a) Protected Health Information.--Except as provided in 
subsections (b) and (c), the provisions of this Act shall apply to any 
protected health information that is received, created, used, 
maintained, or disclosed by a health information trustee in a State on 
or after January 1, 2000, regardless of whether the information existed 
or was disclosed prior to such date.
    (b) Exception.--
            (1) In general.--The provisions of this Act shall not apply 
        to a trustee described in paragraph (2), except with respect to 
        protected health information that is received by the trustee on 
        or after January 1, 2000.
            (2) Applicability.--A trustee referred to in paragraph (1) 
        is--
                    (A) a health researcher; or
                    (B) a person who, with respect to specific 
                protected health information, received the 
                information--
                            (i) pursuant to--
                                    (I) section 117 (relating to 
                                emergency circumstances);
                                    (II) section 118 (relating to 
                                judicial and administrative purposes);
                                    (III) section 119 (relating to law 
                                enforcement); or
                                    (IV) section 120 (relating to 
                                subpoenas, warrants, and search 
                                warrants); or
                            (ii) while acting in whole or in part in 
                        the capacity of an officer or employee of a 
                        person described in clause (i).
    (c) Authorizations for Disclosures.--An authorization for the 
disclosure of protected health information about a protected individual 
that is executed by the individual before January 1, 2000, and is 
recognized and valid under State law on December 31, 1999, shall remain 
valid and shall not be subject to the requirements of section 112 until 
January 1, 2001, or the occurrence of the date or event (if any) 
specified in the authorization upon which the authorization expires, 
whichever occurs earlier.

SEC. 304. RELATIONSHIP TO OTHER LAWS.

    (a) State Law.--Except as otherwise provided in subsections (b), 
(c), (d), (e), and (g), a State may not establish, continue in effect, 
or enforce any State law to the extent that the law is inconsistent 
with, or imposes additional requirements with respect to, any of the 
following:
            (1) A duty of a health information trustee under this Act.
            (2) An authority of a health information trustee under this 
        Act to disclose protected health information.
            (3) A provision of subtitle C (relating to access 
        procedures and challenge rights), subtitle D (miscellaneous 
        provisions), or subtitle E (relating to enforcement).
    (b) Laws Relating to Public Health and Mental Health.--This Act 
does not preempt, supersede, or modify the operation of any State law 
regarding public health or mental health to the extent that the law 
prohibits or regulates a disclosure of protected health information 
that is permitted under this Act.
    (c) Criminal Penalties.--A State may establish and enforce criminal 
penalties with respect to a failure to comply with a provision of this 
Act.
    (d) Requirements on State Agencies.--A State may establish, 
continue in effect, and enforce any State law to the extent that the 
law imposes on a judicial, legislative, or executive agency of the 
State a requirement, limitation, or procedure with respect to the use 
or disclosure of protected health information that is in addition to 
the requirements, limitations, and procedures imposed under this Act.
    (e) Privileges.--A privilege that a person has under law in a court 
of a State or the United States or under the rules of any agency of a 
State or the United States may not be diminished, waived, or otherwise 
affected by--
            (1) the execution by a protected individual of an 
        authorization for disclosure of protected health information 
        under this Act, if the authorization is executed for the 
        purpose of receiving health care or providing for the payment 
        for health care; or
            (2) any provision of this Act that authorizes the 
        disclosure of protected health information for the purpose of 
        receiving health care or providing for the payment for health 
        care.
    (f) Department of Veterans Affairs.--The limitations on use and 
disclosure of protected health information under this Act shall not be 
construed to prevent any exchange of such information within and among 
components of the Department of Veterans Affairs that determine 
eligibility for or entitlement to, or that provide, benefits under laws 
administered by the Secretary of Veterans Affairs.
    (g) Certain Duties Under State or Federal Law.--This Act shall not 
be construed to preempt, supersede, or modify the operation of any of 
the following:
            (1) Any law that provides for the reporting of vital 
        statistics such as birth or death information.
            (2) Any law requiring the reporting of abuse or neglect 
        information about any individual.
            (3) Subpart II of part E of title XXVI of the Public Health 
        Service Act (relating to notifications of emergency response 
        employees of possible exposure to infectious diseases).
            (4) The Americans with Disabilities Act of 1990.
            (5) Any Federal or State statute that establishes a 
        privilege for records used in health professional peer review 
        activities.
    (h) Secretarial Authority.--
            (1) Secretary of health and human services.--A provision of 
        this Act does not preempt, supersede, or modify the operation 
        of section 543 of the Public Health Service Act, except to the 
        extent that the Secretary of Health and Human Services 
        determines through regulations promulgated by such Secretary 
        that the provision provides greater protection for protected 
        health information, and the rights of protected individuals, 
        than is provided under such section 543.
            (2) Secretary of veterans affairs.--A provision of this Act 
        does not preempt, supersede, or modify the operation of section 
        7332 of title 38, United States Code, except to the extent that 
        the Secretary of Veterans Affairs determines through 
        regulations promulgated by such Secretary that the provision 
        provides greater protection for protected health information, 
        and the rights of protected individuals, than is provided under 
        such section 7332.