[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[H.R. 1057 Introduced in House (IH)]
106th CONGRESS
  1st Session
                                H. R. 1057

To provide individuals with access to health information of which they 
  are a subject, ensure personal privacy with respect to health-care-
     related information, impose criminal and civil penalties for 
 unauthorized use of protected health information, to provide for the 
   strong enforcement of these rights, and to protect States' rights.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             March 10, 1999

  Mr. Markey (for himself, Mr. McDermott, Mr. Frost, Ms. Kaptur, Mr. 
Moakley, Ms. Roybal-Allard, Mr. Nadler, Mr. Frank of Massachusetts, Mr. 
Crowley, Mr. Green of Texas, Mr. McGovern, Mr. Luther, Mr. Sanders, Mr. 
Mascara, Mr. Brown of California, Mr. Romero-Barcelo, Mr. Delahunt, Mr. 
   DeFazio, Mr. Capuano, Mr. Stark, Mr. Strickland, and Ms. Lofgren) 
 introduced the following bill; which was referred to the Committee on 
  Commerce, and in addition to the Committee on the Judiciary, for a 
 period to be subsequently determined by the Speaker, in each case for 
consideration of such provisions as fall within the jurisdiction of the 
                          committee concerned

_______________________________________________________________________

                                 A BILL


 
To provide individuals with access to health information of which they 
  are a subject, ensure personal privacy with respect to health-care-
     related information, impose criminal and civil penalties for 
 unauthorized use of protected health information, to provide for the 
   strong enforcement of these rights, and to protect States' rights.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Medical 
Information Privacy and Security Act''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Purposes.
Sec. 4. Definitions.
                      TITLE I--INDIVIDUALS' RIGHTS

 Subtitle A--Access to Protected Health Information by Subjects of the 
                              Information

Sec. 101. Inspection and copying of protected health information.
Sec. 102. Supplements to protected health information.
Sec. 103. Notice of privacy practices.
                Subtitle B--Establishment of Safeguards

Sec. 111. Establishment of safeguards.
Sec. 112. Accounting for disclosures.
              TITLE II--RESTRICTIONS ON USE AND DISCLOSURE

Sec. 201. General rules regarding use and disclosure.
Sec. 202. Authorizations for disclosure of protected health information 
                            for treatment and payment.
Sec. 203. Authorizations for disclosure of protected health information 
                            other than for treatment or payment.
Sec. 204. Emergency circumstances.
Sec. 205. Public health.
Sec. 206. Protection and advocacy agencies.
Sec. 207. Oversight.
Sec. 208. Disclosure for law enforcement purposes.
Sec. 209. Next of kin and directory information.
Sec. 210. Health research.
Sec. 211. Judicial and administrative purposes.
Sec. 212. Individual representatives.
Sec. 213. Prohibition against retaliation.
 TITLE III--OFFICE OF HEALTH INFORMATION PRIVACY OF THE DEPARTMENT OF 
                       HEALTH AND HUMAN SERVICES

                        Subtitle A--Designation

Sec. 301. Designation.
                        Subtitle B--Enforcement

                     CHAPTER 1--Criminal Provisions

Sec. 311. Wrongful disclosure of protected health information.
Sec. 312. Debarment for crimes.
                       CHAPTER 2--Civil Sanctions

Sec. 321. Civil penalty.
Sec. 322. Procedures for imposition of penalties.
Sec. 323. Civil action by individuals.
                        TITLE IV--MISCELLANEOUS

Sec. 401. Relationship to other laws.
Sec. 402. Effective date.

SEC. 2. FINDINGS.

    The Congress finds as follows:
            (1) Individuals have a right of privacy with respect to 
        their protected health information and records.
            (2) With respect to information about medical care and 
        health status, the traditional right of confidentiality 
        (between a health care provider and a patient) is at risk.
            (3) An erosion of the right of privacy may reduce the 
        willingness of patients to confide in physicians and other 
        practitioners and may inhibit patients from seeking care.
            (4) An individual's privacy right means that the 
        individual's consent is needed to disclose his or her protected 
        health information and that the individual has a right of 
        access to that health information.
            (5) Any disclosure of protected health information should 
        be limited to that information or portion of the medical record 
        necessary to fulfill the immediate and specific purpose of the 
        disclosure.
            (6) Health research often depends on access to both 
        identifiable and de-identified patient health information and 
        health research is critically important to the health and well-
        being of all people in the United States.
            (7) The Supreme Court found in Jaffee v. Redmond (116 S.Ct. 
        1923 (1996)) that there is an imperative need for confidence 
        and trust between a psychotherapist and a patient and that such 
        trust can only be established by an assurance of 
        confidentiality. This assurance serves the public interest by 
        facilitating the provision of appropriate treatment for 
        individuals.
            (8) Section 264 of the Health Insurance Portability and 
        Accountability Act of 1996 (42 U.S.C. 1320d-2 note) establishes 
        a deadline that Congress enact legislation, before August 21, 
        1999, to protect the privacy of protected health information.

SEC. 3. PURPOSES.

    The purposes of this Act are as follows:
            (1) To recognize that there is a right to privacy with 
        respect to health information, including genetic information, 
        and that this right must be protected.
            (2) To create incentives to turn protected health 
        information into de-identified health information, where 
        appropriate.
            (3) To designate an Office of Health Information Privacy 
        within the Department of Health and Human Services to protect 
        that right of privacy.
            (4) To provide individuals with--
                    (A) access to health information of which they are 
                the subject; and
                    (B) the opportunity to challenge the accuracy and 
                completeness of such information by being able to file 
                supplements to such information.
            (5) To provide individuals with the right to limit the use 
        and disclosure of protected health information.
            (6) To establish strong and effective mechanisms to protect 
        against the unauthorized and inappropriate use of protected 
        health information.
            (7) To invoke the sweep of congressional powers, including 
        the power to enforce the 14th amendment, to regulate commerce, 
        and to abrogate the immunity of the States under the 11th 
        amendment, in order to address violations of the rights of 
        individuals to privacy, to provide individuals with access to 
        their health information, and to prevent unauthorized use of 
        protected health information that is genetic information.
            (8) To establish strong and effective remedies for 
        violations of this Act.
            (9) To protect the rights of States.

SEC. 4. DEFINITIONS.

    In this Act:
            (1) Administrative billing information.--The term 
        ``administrative billing information'' means any of the 
        following forms of protected health information:
                    (A) Date of service, policy, patient identifiers, 
                and practitioner or facility identifiers.
                    (B) Diagnostic codes, in accordance with medicare 
                billing codes, for which treatment is being rendered or 
                requested.
                    (C) Complexity of service codes, indicating 
                duration of treatment.
                    (D) Total billed charges.
            (2) Agent.--The term ``agent'' means a person who 
        represents and acts for another person (a principal) under a 
        contract or relationship of agency, or whose function is to 
        bring about, modify, affect, accept performance of, or 
        terminate, contractual obligations between the principal and a 
        third person. With respect to an employer, the term includes 
        the employees of the employer.
            (3) De-identified health information.--
                    (A) In general.--The term ``de-identified health 
                information'' means any protected health information, 
                with respect to which--
                            (i) all personal identifiers, or other 
                        information that may be used by itself or in 
                        combination with other information which may be 
                        available to re-identify the subject of the 
                        information, have been removed; and
                            (ii) a good faith effort to evaluate the 
                        risks of re-identification of the subject of 
                        such information in the context in which it 
                        will be used or disclosed, has been made.
                    (B) Examples.--The term includes aggregate 
                statistics, redacted health information, information in 
                which random or fictitious alternatives have been 
                substituted for personally identifiable information, 
                and information in which personally identifiable 
                information has been encrypted and the decryption key 
                is maintained by a person otherwise authorized to have 
                access to such protected health information in an 
                identifiable format.
            (4) Disclose.--The term ``disclose'' means to release, 
        publish, share, transfer, transmit, disseminate, show, permit 
        access to, re-identify, or otherwise divulge protected health 
        information to any person other than the individual who is the 
        subject of such information. The term includes the initial 
        disclosure and any subsequent redisclosure of protected health 
        information.
            (5) Decryption key.--The term ``decryption key'' means the 
        variable information used in or produced by a mathematical 
        formula, code, or algorithm, or any component thereof, used to 
        encrypt or decrypt wire or electronic communications or 
        electronically stored information.
            (6) Employer.--The term ``employer'' means a person engaged 
        in business affecting commerce who has employees.
            (7) Encryption.--The term ``encryption'' means the 
        scrambling of electronic or wire communications or 
        electronically stored information using mathematical formulas 
        or algorithms sufficient to preserve the confidentiality, 
        integrity, and authenticity of such communications or 
        information.
            (8) Health care.--The term ``health care'' means--
                    (A) preventive, diagnostic, therapeutic, 
                rehabilitative, maintenance, or palliative care, 
                including appropriate assistance with disease or 
                symptom management and maintenance, counseling, 
                service, or procedure--
                            (i) with respect to the physical or mental 
                        condition of an individual; or
                            (ii) affecting the structure or function of 
                        the human body or any part of the human body, 
                        including the banking of blood, sperm, organs, 
                        or any other tissue; and
                    (B) any sale or dispensing of a drug, device, 
                equipment, or other health care related item to an 
                individual, or for the use of an individual, pursuant 
                to a prescription.
            (9) Health care provider.--The term ``health care 
        provider'' means a person who, with respect to a specific item 
        of protected health information, receives, creates, uses, 
        maintains, or discloses the information while acting in whole 
        or in part in the capacity of--
                    (A) a person who is licensed, certified, 
                registered, or otherwise authorized by Federal or State 
                law to provide an item or service that constitutes 
                health care in the ordinary course of business, or 
                practice of a profession;
                    (B) a Federal or State program that directly 
                provides items or services that constitute health care 
                to beneficiaries; or
                    (C) an officer or employee or agent of a person 
                described in subparagraph (A) or (B) who is engaged in 
                the provision of health care or who uses health 
                information.
            (10) Health or life insurer.--The term ``health or life 
        insurer'' means a health insurance issuer (as defined in 
        section 9805(b)(2) of the Internal Revenue Code of 1986) or a 
        life insurance company (as defined in section 816 of such Code) 
        and includes the employees and agents of such a person.
            (11) Health oversight agency.--The term ``health oversight 
        agency''--
                    (A) means a person who--
                            (i) performs or oversees the performance of 
                        an assessment, investigation, or prosecution 
                        relating to compliance with legal or fiscal 
                        standards relating to health care fraud or 
                        fraudulent claims regarding health care, health 
                        services or equipment, or related activities 
                        and items; and
                            (ii) is a public executive branch agency, 
                        acting on behalf of a public executive branch 
                        agency, acting pursuant to a requirement of a 
                        public executive branch agency, or carrying out 
                        activities under a Federal or State law 
                        governing an assessment, evaluation, 
                        determination, investigation, or prosecution 
                        described in clause (i); and
                    (B) includes the employees and agents of such a 
                person.
            (12) Health plan.--The term ``health plan'' means any 
        health insurance plan, including any hospital or medical 
        service plan, dental or other health service plan or health 
        maintenance organization plan, or other program providing or 
        arranging for the provision of health benefits, whether or not 
        funded through the purchase of insurance. The term includes 
        employee welfare benefit plans and group plans (as defined in 
        sections 3 and 607 of the Employee Retirement Income Security 
        Act of 1974 (29 U.S.C. 1002 and 1167)).
            (13) Health researcher.--The term ``health researcher'' 
        means a person who, with respect to a specific item of 
        protected health information, receives the information--
                    (A) pursuant to section 210 (relating to health 
                research); or
                    (B) while acting in whole or in part in the 
                capacity of an officer, employee, or agent of a person 
                who receives the information pursuant to such section.
            (14) Law enforcement inquiry.--The term ``law enforcement 
        inquiry'' means a lawful executive branch investigation or 
        official proceeding inquiring into a violation of, or failure 
        to comply with, any criminal or civil statute or any 
        regulation, rule, or order issued pursuant to such a statute.
            (15) Office of health information privacy.--The term 
        ``Office of Health Information Privacy'' means the Office of 
        Health Information Privacy designated under section 301.
            (16) Person.--The term ``person'' means a government, 
        governmental subdivision of an executive branch agency or 
        authority; corporation; company; association; firm; 
        partnership; society; estate; trust; joint venture; individual; 
        individual representative; tribal government; and any other 
        legal entity.
            (17) Protected health information.--
                    (A) In general.--The term ``protected health 
                information'' means any information, including genetic 
                information, demographic information, and tissue 
                samples collected from an individual, whether oral or 
                recorded in any form or medium, that--
                            (i) is created or received by a health care 
                        provider, health researcher, health plan, 
                        health oversight agency, public health 
                        authority, employer, health or life insurer, 
                        school or university; and
                            (ii)(I) relates to the past, present, or 
                        future physical or mental health or condition 
                        of an individual (including individual cells 
                        and their components), the provision of health 
                        care to an individual, or the past, present, or 
                        future payment for the provision of health care 
                        to an individual; and
                            (II)(aa) identifies an individual; or
                            (bb) with respect to which there is a 
                        reasonable basis to believe that the 
                        information can be used to identify an 
                        individual; and
                    (B) Decryption key.--The term ``protected health 
                information'' includes any information described in 
                paragraph (5).
            (18) Public health authority.--The term ``public health 
        authority'' means an authority or instrumentality of the United 
        States, a tribal government, a State, or a political 
        subdivision of a State that is--
                    (A) primarily responsible for public health 
                matters; and
                    (B) primarily engaged in activities such as injury 
                reporting, public health surveillance, and public 
                health investigation or intervention.
            (19) Re-identify.--The term ``re-identify'', when used with 
        respect to de-identified health information, means an attempt, 
        successful or otherwise, to ascertain--
                    (A) the identity of the individual who is the 
                subject of such information; or
                    (B) the decryption key with respect to the 
                information (when undertaken with knowledge that such 
                key would allow for the identification of the 
                individual who is the subject of such information).
            (20) School or university.--The term ``school or 
        university'' means an institution or place for instruction or 
        education, including an elementary school, secondary school, or 
        institution of higher learning, a college, or an assemblage of 
        colleges united under one corporate organization or government.
            (21) Secretary.--The term ``Secretary'' means the Secretary 
        of Health and Human Services.
            (22) State.--The term ``State'' includes the District of 
        Columbia, Puerto Rico, the Virgin Islands, Guam, American 
        Samoa, and the Northern Mariana Islands.
            (23) To the maximum extent practicable.--The term ``to the 
        maximum extent practicable'' means the level of compliance that 
        a reasonable person would deem technologically feasible so long 
        as such feasibility is periodically evaluated in light of 
        scientific advances.
            (24) Writing.--The term ``writing'' means writing in either 
        a paper-based or computer-based form, including electronic and 
        digital signatures.

                      TITLE I--INDIVIDUALS' RIGHTS

 Subtitle A--Access to Protected Health Information by Subjects of the 
                              Information

SEC. 101. INSPECTION AND COPYING OF PROTECTED HEALTH INFORMATION.

    (a) Right of Individual.--
            (1) In general.--A health care provider, health plan, 
        employer, health or life insurer, school, or university, or a 
        person acting as the agent of any such person, shall permit an 
        individual who is the subject of protected health information, 
        or the individual's designee, to inspect and copy protected 
        health information concerning the individual, including records 
        created under sections 102, 112, 202, 203, 208, and 211, that 
        such person maintains.
            (2) Procedures and fees.--A person described in paragraph 
        (1) may set forth appropriate procedures to be followed for 
        inspection and copying under such paragraph and may require an 
        individual to pay fees associated with such inspection and 
        copying in an amount that is not in excess of the actual costs 
        of providing such copying. Such fees may not be assessed where 
        such an assessment would have the effect of inhibiting an 
        individual from gaining access to the information described in 
        paragraph (1).
    (b) Deadline.--A person described in subsection (a)(1) shall comply 
with a request for inspection or copying of protected health 
information under this section not later than 15 business days after 
the date on which the person receives the request.
    (c) Rules Governing Agents.--A person acting as the agent of a 
person described in subsection (a) shall provide for the inspection and 
copying of protected health information if--
            (1) the protected health information is retained by the 
        agent; and
            (2) the agent has been asked by the person involved to 
        fulfill the requirements of this section.
    (d) Special Rule Relating to Ongoing Clinical Trials.--With respect 
to protected health information that is created as part of an 
individual's participation in an ongoing clinical trial, access to the 
information shall be provided consistent with the individual's 
agreement to participate in the clinical trial.

SEC. 102. SUPPLEMENTS TO PROTECTED HEALTH INFORMATION.

    (a) In General.--Not later than 45 days after the date on which a 
health care provider, health plan, employer, health or life insurer, 
school, or university, or a person acting as the agent of any such 
person, receives from an individual a request in writing to supplement 
protected health information concerning the individual, such person--
            (1) shall add the supplement requested to the information;
            (2) shall inform the individual that the supplement has 
        been made; and
            (3) shall make reasonable efforts to inform any person to 
        whom the portion of the unsupplemented information was 
        previously disclosed, of any substantive supplement that has 
        been made.
    (b) Refusal To Supplement.--If a person described in subsection (a) 
declines to make the supplement requested under such subsection, the 
person shall inform the individual in writing of--
            (1) the reasons for declining to make the supplement;
            (2) any procedures for further review of the declining of 
        such supplement; and
            (3) the individual's right to file with the person a 
        concise statement setting forth the requested supplement and 
        the individual's reasons for disagreeing with the declining 
        person and the individual's right to include a copy of this 
        refusal in his or her health record.
    (c) Statement of Disagreement.--If an individual has filed with a 
person a statement of disagreement under subsection (b)(3), the person, 
in any subsequent disclosure of the disputed portion of the 
information--
            (1) shall include, at the individual's request, a copy of 
        the individual's statement; and
            (2) may include a concise statement of the reasons for not 
        making the requested supplement.
    (d) Rules Governing Agents.--A person acting as the agent of a 
person described in subsection (a) shall not be required to make a 
supplement to protected health information, except where--
            (1) the protected health information is retained by the 
        agent; and
            (2) the agent has been asked by such person to fulfill the 
        requirements of this section.

SEC. 103. NOTICE OF PRIVACY PRACTICES.

    (a) Preparation of Written Notice.--A health care provider, health 
plan, health oversight agency, public health authority, employer, 
health or life insurer, school, or university, or a person acting as 
the agent of any such person, shall prepare a written notice of the 
privacy practices of the person that provides information with respect 
to the following:
            (1) The procedures for an individual to authorize 
        disclosures of protected health information, and to object to, 
        modify, and revoke such authorizations.
            (2) The right of an individual to inspect, copy, and 
        supplement the protected health information.
            (3) The right of an individual not to have employment or 
        the receipt of services conditioned upon the execution by the 
        individual of an authorization for disclosure.
            (4) A description of the categories or types of employees, 
        by general category or by general job description, who have 
        access to or use of protected health information within the 
        person.
            (5) A simple, concise description of any information 
        systems used to store or transmit protected health information, 
        including a description of any linkages made with other 
        electronic systems or databases outside the person.
            (6) The right of the individual to request segregation of 
        protected health information, and to restrict the use of such 
        information by employees, agents, and contractors of a person.
            (7) The circumstances under which the information may be 
        used or disclosed without an authorization executed by the 
        individual.
            (8) A statement that an individual may elect to pay for 
        health care from the individual's own funds and information on 
        the right of such an individual to elect for identifying 
        information not to be disclosed to anyone other than health 
        care providers, unless such disclosure is required by mandatory 
        reporting requirements or other similar information collection 
        duties required by law.
    (b) Provision and Posting of Written Notice.--
            (1) Provision.--A person described in subsection (a) shall 
        provide a copy of the written notice of privacy practices 
        required under such subsection--
                    (A) at the time an authorization is sought for 
                disclosure of protected health information; and
                    (B) upon the request of an individual.
            (2) Posting.--A person described in subsection (a) shall 
        post, in a clear and conspicuous manner, a brief summary of the 
        privacy practices of the person.
    (c) Model Notice.--The director of the Office of Health Information 
Privacy, after notice and opportunity for public comment, shall develop 
and disseminate model notices of privacy practices, and model summary 
notices for posting, for use under this section. Use of such a model 
notice shall be deemed to satisfy the requirements of this section.

                Subtitle B--Establishment of Safeguards

SEC. 111. ESTABLISHMENT OF SAFEGUARDS.

    (a) In General.--A health care provider, health plan, health 
oversight agency, public health authority, employer, health researcher, 
law enforcement official, health or life insurer, school, or 
university, or a person acting as the agent of any such person, shall 
establish and maintain appropriate administrative, organizational, 
technical, and physical safeguards and procedures to ensure the 
confidentiality, security, accuracy, and integrity of protected health 
information created, received, obtained, maintained, used, transmitted, 
or disposed of by such person.
    (b) Factors To Be Considered.--The policies and safeguards under 
subsection (a) shall ensure that--
            (1) protected health information is used or disclosed only 
        when necessary;
            (2) the categories of personnel who will have access to 
        protected health information are identified; and
            (3) the feasibility of limiting access to protected health 
        information is considered.
    (c) Model Guidelines.--The Secretary, in consultation with the 
Director of the Office of Health Information Privacy appointed under 
section 301, after notice and opportunity for public comment, shall 
develop and disseminate model guidelines for the establishment of 
safeguards and procedures for use under this section, such as, where 
appropriate, individual authentication of uses of computer systems, 
access controls, audit trails, encryption, physical security, 
protection of remote access points and protection of external 
electronic communications, periodic security assessments, incident 
reports, and sanctions. The director shall update and disseminate the 
guidelines, as appropriate, to take advantage of new technologies.

SEC. 112. ACCOUNTING FOR DISCLOSURES.

    (a) In General.--A health care provider, health plan, health 
oversight agency, public health authority, employer, health researcher, 
law enforcement official, health or life insurer, school, or 
university, or a person acting as the agent of any such person, shall 
establish and maintain, with respect to any protected health 
information disclosure that is not related to payment or treatment, a 
record of the disclosure in accordance with regulations issued by the 
Secretary in consultation with the director of the Office of Health 
Information Privacy.
    (b) Maintenance of Record.--A record established under subsection 
(a) shall be maintained for not less than 7 years.
    (c) Electronic Records.--A health care provider, health plan, 
health oversight agency, public health authority, employer, health 
researcher, law enforcement official, health or life insurer, school, 
or university, or a person acting as the agent of any such person, 
shall, to the maximum extent practicable, maintain an accessible 
electronic record concerning each access, or attempt to access, whether 
authorized or unauthorized, successful or unsuccessful, protected 
health information maintained by such person in electronic form. The 
record shall include the identity of the specific individual accessing 
or attempting to gain such access (or a way to identify that individual 
or information helpful in determining the identity of such individual), 
information sufficient to identify the protected health information 
sought or accessed, and other appropriate information.
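As an added illustration (not text or code from the bill, and not any agency's implementation), the following Python sketch models the record-keeping duties of subsections (a) through (c): every access attempt is logged with the accessor's identity, the record sought and the outcome, disclosures outside treatment or payment are logged separately, entries are hash-chained so that later editing or deletion of an entry is detectable, and a helper computes the 7-year retention floor of subsection (b). The class and field names, the chaining scheme and all sample events are assumptions.

```python
"""Hypothetical audit log modelled on Sec. 112 of H.R. 1057 (added example,
not code from the bill or any agency; all names and sample data are assumed)."""
from dataclasses import dataclass, asdict
from datetime import datetime
from enum import Enum
import hashlib
import json

RETENTION_YEARS = 7  # Sec. 112(b): disclosure records kept not less than 7 years


class Purpose(Enum):
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OVERSIGHT = "oversight"


@dataclass(frozen=True)
class AccessEvent:
    """Sec. 112(c): who accessed (or tried to), which PHI, and the outcome."""
    timestamp: str       # ISO 8601
    actor_id: str        # the specific individual, or data that helps identify them
    phi_record_id: str   # information sufficient to identify the PHI sought
    authorized: bool     # did the actor hold a valid authorization for this record
    succeeded: bool      # did the system actually return the data


@dataclass(frozen=True)
class DisclosureEvent:
    """Sec. 112(a): a disclosure of PHI to someone outside the holder."""
    timestamp: str
    phi_record_id: str
    recipient: str
    purpose: Purpose


class AuditLog:
    """Append-only log; each entry carries the hash of the previous one, so
    editing or deleting an earlier entry breaks the chain."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []            # list of (entry_hash, payload dict)
        self._last_hash = self.GENESIS

    @staticmethod
    def _digest(payload):
        return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()

    def _append(self, kind, event):
        payload = {"kind": kind, "prev": self._last_hash, **asdict(event)}
        if isinstance(payload.get("purpose"), Purpose):
            payload["purpose"] = payload["purpose"].value
        entry_hash = self._digest(payload)
        self.entries.append((entry_hash, payload))
        self._last_hash = entry_hash
        return entry_hash

    def record_access(self, event):
        """Every attempt is logged: authorized or not, successful or not."""
        return self._append("access", event)

    def record_disclosure(self, event):
        """True if Sec. 112(a) required the record; treatment and payment
        disclosures fall outside that duty and are not logged here."""
        if event.purpose in (Purpose.TREATMENT, Purpose.PAYMENT):
            return False
        self._append("disclosure", event)
        return True

    def verify_chain(self):
        prev = self.GENESIS
        for entry_hash, payload in self.entries:
            if payload["prev"] != prev or self._digest(payload) != entry_hash:
                return False
            prev = entry_hash
        return True

    def suspicious_access(self):
        """Unauthorized or failed attempts: what a reviewer reads first."""
        return [p for _, p in self.entries
                if p["kind"] == "access" and not (p["authorized"] and p["succeeded"])]

    def disclosures_for(self, phi_record_id):
        return [p for _, p in self.entries
                if p["kind"] == "disclosure" and p["phi_record_id"] == phi_record_id]


def retention_expires(timestamp):
    """Earliest date a Sec. 112(a) record may be discarded (Sec. 112(b))."""
    t = datetime.fromisoformat(timestamp)
    try:
        return t.replace(year=t.year + RETENTION_YEARS)
    except ValueError:           # 29 February with a non-leap target year
        return t.replace(year=t.year + RETENTION_YEARS, month=3, day=1)


def build_sample_log():
    """Constructed sample events (not real data)."""
    log = AuditLog()
    log.record_access(AccessEvent("2024-03-10T09:00:00", "clin-0412", "phi-7781", True, True))
    log.record_access(AccessEvent("2024-03-10T09:05:00", "bill-0099", "phi-7781", False, False))
    log.record_access(AccessEvent("2024-03-10T09:07:00", "unknown-10.0.0.5", "phi-7781", False, True))
    log.record_disclosure(DisclosureEvent("2024-03-11T10:00:00", "phi-7781", "State health dept", Purpose.OVERSIGHT))
    log.record_disclosure(DisclosureEvent("2024-03-11T11:00:00", "phi-7781", "Insurer claims unit", Purpose.PAYMENT))
    return log


def tamper_detected():
    """Alter an earlier entry in place and confirm verification now fails."""
    log = build_sample_log()
    log.entries[1][1]["authorized"] = True   # someone "cleans up" the failed attempt
    return not log.verify_chain()
```

The third sample access (unauthorized but successful) is the case subsection (c) is written for: the record must exist even when the access control failed, which is why the log is written by the system and not by the accessor. In a real deployment the chain head would be anchored somewhere the log writer cannot modify.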

              TITLE II--RESTRICTIONS ON USE AND DISCLOSURE

SEC. 201. GENERAL RULES REGARDING USE AND DISCLOSURE.

    (a) Prohibition.--
            (1) General rule.--A health care provider, health plan, 
        health oversight agency, public health authority, employer, 
        health researcher, law enforcement official, health or life 
        insurer, school, or university may not disclose or use 
        protected health information except as authorized under this 
        Act.
            (2) Rule of construction.--Disclosure of de-identified 
        health information shall not be construed as a disclosure of 
        protected health information.
    (b) Scope of Disclosure.--
            (1) In general.--A disclosure of protected health 
        information under this title shall be limited to the minimum 
        amount of information necessary to accomplish the purpose for 
        which the disclosure is made.
            (2) Determination.--The determination as to what 
        constitutes the minimum disclosure possible for purposes of 
        paragraph (1) shall be made by a health care provider.
    (c) Use or Disclosure for Purpose Only.--A recipient of information 
pursuant to this title may use or disclose such information solely to 
carry out the purpose for which the information was disclosed.
    (d) No General Requirement To Disclose.--Nothing in this title 
permitting the disclosure of protected health information shall be 
construed to require such disclosure.
    (e) Identification of Disclosed Information as Protected Health 
Information.--Protected health information disclosed pursuant to this 
title shall be clearly identified as protected health information that 
is subject to this Act.
    (f) Disclosure by Agents.--An agent of a person described in 
subsection (a)(1), who receives protected health information from the 
person while acting within the scope of the agency, shall be subject to 
this title to the same extent as the person and for the duration of the 
period in which the agent holds the information.
    (g) Creation of De-Identified Information.--Notwithstanding 
subsection (c), but subject to the other provisions of this section, a 
person described in subsection (a)(1) may disclose protected health 
information to an employee or other agent of the person for purposes of 
creating de-identified information.
    (h) Unauthorized Use or Disclosure of the Decryption Key.--The 
unauthorized disclosure of a decryption key shall be deemed to be a 
disclosure of protected health information. The unauthorized use of a 
decryption key or de-identified health information in order to identify 
an individual is deemed to be disclosure of protected health 
information.
    (i) No Waiver.--Except as provided in this Act, an authorization to 
disclose personally identifiable health information executed by an 
individual pursuant to section 202 or 203 shall not be construed as a 
waiver of any rights that the individual has under other Federal or 
State laws, the rules of evidence, or common law.
    (j) Definitions.--For purposes of this title:
            (1) Investigative or law enforcement officer.--The term 
        ``investigative or law enforcement officer'' means any officer 
        of the United States or of a State or political subdivision 
        thereof, who is empowered by law to conduct investigations of, 
        or to make arrests for, criminal offenses, and any attorney 
        authorized by law to prosecute or participate in the 
        prosecution of such offenses.
            (2) Segregate.--The term ``segregate'' means to place a 
        designated subset of an individual's protected health 
        information in a location or computer file that is separate 
        from the location or computer file used to store protected 
        health information and where access to or use of any 
        information so segregated may be effectively limited to those 
        persons who are authorized by the individual to access or use 
        such information.
            (3) Signed.--The term ``signed'' refers to both signatures 
        in ink and electronic signatures, and the term ``written'' 
        refers to both paper and computerized formats.

SEC. 202. AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH INFORMATION 
              FOR TREATMENT AND PAYMENT.

    (a) Requirements Relating to Employers, Health Plans, Health or 
Life Insurers, Uninsured Individuals, and Providers.--
            (1) In general.--To satisfy the requirement under section 
        201(a)(1), an employer, health plan, health or life insurer, or 
        health care provider that seeks to disclose protected health 
        information in connection with treatment or payment shall 
        obtain an authorization that satisfies the requirements of this 
        section. The authorization may be a single authorization.
            (2) Employers.--Every employer offering a health plan to 
        its employees shall, at the time of an employee's enrollment in 
        the health plan, obtain a signed, written authorization that is 
        a legal, informed authorization that satisfies the requirements 
        of subsection (b) concerning the use and disclosure of 
        protected health information for treatment or payment with 
        respect to each individual who is eligible to receive care 
        under the health plan.
            (3) Health plans, health or life insurers.--Every health 
        plan or health or life insurer offering enrollment to 
        individual or nonemployer groups shall, at the time of 
        enrollment in the plan or insurance, obtain a signed, written 
        authorization that is a legal, informed authorization that 
        satisfies the requirements of subsection (b) concerning the use 
        and disclosure of protected health information with respect to 
        each individual who is eligible to receive care under the plan 
        or insurance.
            (4) Uninsured.--An originating provider providing health 
        care in other than a network plan setting, or providing health 
        care to an uninsured individual, shall obtain a signed, written 
        authorization that satisfies the requirements of subsection (b) 
        to use protected health information in providing health care or 
        arranging for health care from other providers or seeking 
        payment for the provision of health care services.
            (5) Providers.--
                    (A) In general.--Every health care provider 
                providing health care to an individual who has not 
                given the appropriate authorization under this section 
                shall, at the time of providing such care, obtain a 
                signed, written authorization that is a legal, informed 
                authorization, that satisfies the requirements of 
                subsection (b), concerning the use and disclosure of 
                protected health information with respect to such 
                individual.
                    (B) Rule of construction.--Subparagraph (A) shall 
                not be construed to preclude the provision of health 
                care to an individual who has not given appropriate 
                authorization prior to receipt of such care if--
                            (i) the health care provider involved 
                        determines that such care is essential; and
                            (ii) the individual can reasonably be 
                        expected to sign an authorization for such care 
                        when appropriate.
    (b) Requirements for Individual Authorization.--To satisfy the 
requirements of this subsection, an authorization to disclose protected 
health information--
            (1) shall identify, by general job description or other 
        functional description, persons authorized to disclose the 
        information;
            (2) shall describe the nature of the information to be 
        disclosed;
            (3) shall identify, by general job description or other 
        functional description, persons to whom the information is to 
        be disclosed, including individuals employed by, or operating 
        within, an entity to which information is authorized to be 
        disclosed;
            (4) shall describe the purpose of the disclosures;
            (5) shall permit the executing individual to indicate that 
        a particular individual listed on the authorization is not 
        authorized to receive protected health information concerning 
        the individual, except as provided for in subsection (c)(3);
            (6) shall provide the means by which an individual may 
        indicate that some of the individual's protected health 
        information should be segregated and to what persons such 
        segregated information may be disclosed;
            (7) shall be subject to revocation by the individual and 
        indicate that the authorization is valid until revocation by 
        the individual or until an event or date specified; and
            (8)(A) shall be--
                    (i) in writing, dated, and signed by the 
                individual; or
                    (ii) in electronic form, dated and authenticated by 
                the individual using an authentication method approved 
                by the Secretary; and
            (B) shall not have been revoked under subparagraph (A).
    (c) Limitation on Authorizations.--
            (1) In general.--Subject to paragraphs (2) and (3), a 
        person described in subsection (a) who seeks an authorization 
        under such subsection may not condition the delivery of 
        treatment or payment for services on the receipt of such an 
        authorization.
            (2) Right to require self payment.--If an individual has 
        refused to provide an authorization for disclosure of 
        administrative billing information to a person and such 
        authorization is necessary for a health care provider to 
        receive payment for services delivered, the health care 
        provider may require the individual to pay from their own funds 
        for the services.
            (3) Right of health care provider to require authorization 
        for treatment purposes.--If a health care provider that is 
        seeking an authorization for disclosure of an individual's 
        protected health information believes that the disclosure of 
        such information is necessary so as not to endanger the health 
        or treatment of the individual, the health care provider may 
        condition the provision of services upon the execution of the 
        authorization by the individual.
    (d) Model Authorizations.--The Secretary, after notice and 
opportunity for public comment, shall develop and disseminate model 
written authorizations of the type described in this section and model 
statements of the limitations on authorizations. Any authorization 
obtained on a model authorization form under section 202 developed by 
the Secretary pursuant to the preceding sentence shall be deemed to 
satisfy the requirements of this section.
    (e) Segregation of Files.--A person described in subsection (a)(1) 
shall comply, to the maximum extent practicable, with the request of an 
individual who is the subject of protected health information--
            (1) to segregate any type or amount of protected health 
        information, other than administrative billing information, 
        held by the entity; and
            (2) to limit the use or disclosure of the segregated health 
        information within the entity to those persons specifically 
        designated by the subject of the protected health information.
    (f) Revocation of Authorization.--
            (1) In general.--An individual may in writing revoke or 
        amend an authorization under this section at any time, unless 
        the disclosure that is the subject of the authorization is 
        required to effectuate payment for health care that has been 
        provided to the individual.
            (2) Health plans.--With respect to a health plan, the 
        authorization of an individual is deemed to be revoked at the 
        time of the cancellation or non-renewal of enrollment in the 
        health plan, except as may be necessary to complete plan 
        administration and payment requirements related to the 
        individual's period of enrollment.
            (3) Actions.--An individual may not maintain an action 
        against a person for disclosure of personally identifiable 
        health information--
                    (A) if the disclosure was made based on a good 
                faith reliance on the individual's authorization under 
                this section at the time disclosure was made;
                    (B) in a case in which the authorization is 
                revoked, if the disclosing person had no actual or 
                constructive notice of the revocation; or
                    (C) if the disclosure was for the purpose of 
                protecting another individual from imminent physical 
                harm, and is authorized under section 204.
    (g) Record of Individual's Authorizations and Revocations.--Each 
person collecting or storing personally identifiable health information 
shall maintain a record for a period of 7 years of each authorization 
of an individual and any revocation thereof, and such record shall 
become part of the personally identifiable health information 
concerning such individual.
    (h) Rule of Construction.--Authorizations for the disclosure of 
protected health information for treatment or payment shall not 
authorize the disclosure of such information by an individual with the 
intent to sell, transfer, or use protected health information for 
commercial advantage other than the revenues directly derived from the 
provision of health care to that individual. For such disclosures, a 
separate authorization that satisfies the requirements of section 203 
is required.
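As an added illustration (not the bill's text and not any real system's code), the following Python sketch turns the elements of subsection (b), the segregation request of subsection (e), the revocation rules of subsection (f) and the minimum-necessary rule of section 201(b) into a data model and a disclosure gate: an authorization is checked for completeness, a disclosure is permitted only while the authorization is valid and not yet revoked, persons the subject struck receive nothing, segregated categories reach only the persons the subject designated, and only the requested categories are released. The class layout, the field names and the sample record are assumptions.

```python
"""Hypothetical authorization record and disclosure gate modelled on
Sec. 201(b) and Sec. 202(b), (e) and (f) of H.R. 1057 (added example, not the
bill's own text or any real system; all names and sample data are assumed)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Authorization:
    disclosers: list                 # (b)(1) persons who may disclose, by job description
    information: str                 # (b)(2) nature of the information
    recipients: list                 # (b)(3) persons who may receive, by job description
    purpose: str                     # (b)(4)
    excluded: set = field(default_factory=set)      # (b)(5) persons struck by the subject
    segregated: dict = field(default_factory=dict)  # (b)(6)/(e): category -> allowed persons
    expires_on: Optional[date] = None               # (b)(7) valid until revoked or this date
    signed_on: Optional[date] = None                # (b)(8) dated and signed/authenticated
    signature_method: Optional[str] = None          # "ink" or "electronic" (Sec. 201(j)(3))
    revoked_on: Optional[date] = None               # (f)(1) written revocation, if any


REQUIRED = [  # (attribute, subsection) pairs that must be present
    ("disclosers", "202(b)(1)"), ("information", "202(b)(2)"),
    ("recipients", "202(b)(3)"), ("purpose", "202(b)(4)"),
]


def missing_elements(auth):
    """Return the Sec. 202(b) elements an authorization fails to supply."""
    missing = [ref for attr, ref in REQUIRED if not getattr(auth, attr)]
    if auth.signed_on is None or auth.signature_method not in ("ink", "electronic"):
        missing.append("202(b)(8)")
    return missing


def valid_on(auth, day):
    """True if the authorization could be relied on in good faith on `day`
    (Sec. 202(f)(3)(A)): complete, signed, not expired, not yet revoked."""
    if missing_elements(auth):
        return False
    if day < auth.signed_on:
        return False
    if auth.expires_on is not None and day > auth.expires_on:
        return False
    if auth.revoked_on is not None and day >= auth.revoked_on:
        return False
    return True


def permitted_categories(auth, recipient, categories, day):
    """Categories `recipient` may see: nothing if the authorization is not
    valid, the recipient is not listed, or the subject struck this recipient;
    segregated categories only for the persons the subject designated
    (Sec. 202(e)(2))."""
    if not valid_on(auth, day) or recipient in auth.excluded:
        return set()
    if recipient not in auth.recipients:
        return set()
    return {c for c in categories
            if c not in auth.segregated or recipient in auth.segregated[c]}


def disclose(record, auth, recipient, requested, day):
    """Sec. 201(b)(1): release only the requested categories that are both
    permitted and present, never the whole record."""
    allowed = permitted_categories(auth, recipient, record.keys(), day)
    return {c: record[c] for c in requested if c in allowed and c in record}


# Constructed sample (not real data).
SAMPLE_RECORD = {
    "demographics": "J. Doe, DOB 1970-01-01",
    "diagnoses": "hypertension",
    "mental_health": "counselling notes",
    "billing": "claim #A-17",
}

SAMPLE_AUTH = Authorization(
    disclosers=["attending physician", "billing clerk"],
    information="treatment and billing records",
    recipients=["billing clerk", "treating psychiatrist", "referral specialist"],
    purpose="treatment and payment",
    excluded={"referral specialist"},
    segregated={"mental_health": {"treating psychiatrist"}},
    signed_on=date(2024, 3, 10),
    signature_method="electronic",
)
```

Because `disclose` is keyed on the disclosure date rather than the current date, a disclosure made the day before a revocation is still recorded as made in good-faith reliance, which is the distinction subsection (f)(3)(A) and (B) draw; the record of each authorization and revocation that subsection (g) requires is what makes that date check auditable later.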

SEC. 203. AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH INFORMATION 
              OTHER THAN FOR TREATMENT OR PAYMENT.

    (a) In General.--To satisfy the requirement under section 
201(a)(1), a health care provider, health plan, health oversight 
agency, public health authority, employer, health researcher, law 
enforcement official, health or life insurer, school, or university 
that seeks to disclose protected health information for a purpose other 
than treatment or payment may obtain an authorization that satisfies 
the requirements of subsections (b) and (g) of section 202. Such an 
authorization under this section shall be separate from an 
authorization provided under section 202.
    (b) Limitation on Authorizations.--
            (1) In general.--A person subject to section 202 may not 
        condition the delivery of treatment, or payment for services, 
        on the receipt of an authorization described in this section.
            (2) Requirement for separate authorization.--A person 
        subject to section 202 may not disclose protected health 
        information to any employees or agents who are responsible for 
        making employment, work assignment, or other personnel 
        decisions with respect to the subject of the information 
        without a separate authorization permitting such a disclosure.
    (c) Model Authorizations.--The Secretary, after notice and 
opportunity for public comment, shall develop and disseminate model 
written authorizations of the type described in subsection (a). Any 
authorization obtained on a model authorization form under this section 
developed by the Secretary shall be deemed to meet the authorization 
requirements of this section.
    (d) Requirement To Release Protected Health Information to Coroners 
and Medical Examiners.--
            (1) In general.--When a Coroner or Medical Examiner or 
        their duly appointed deputies seek protected health information 
        for the purpose of inquiry into and determination of, the 
        cause, manner, and circumstances of an individual's death, the 
        health care provider, health plan, health oversight agency, 
        public health authority, employer, health researcher, law 
        enforcement officer, health or life insurer, school or 
        university involved shall provide that individual's protected 
        health information to the Coroner or Medical Examiner or to the 
        duly appointed deputies without undue delay.
            (2) Production of additional information.--If a Coroner or 
        Medical Examiner or their duly appointed deputies receives 
        health information from an entity referred to in paragraph (1), 
        such health information shall remain as protected health 
        information unless the health information is attached to or 
        otherwise made a part of a Coroner's or Medical Examiner's 
        official report, in which case it shall no longer be protected.
            (3) Exemption.--Health information attached to or otherwise 
        made a part of a Coroner's or Medical Examiner's official 
        report, shall be exempt from the provisions of this Act except 
        as provided for in this subsection.
            (4) Reimbursement.--A Coroner or Medical Examiner may 
        require a person to reimburse their Office for the reasonable 
        costs associated with such inspection or copying.
    (e) Revocation or Amendment of Authorization.--An individual may, 
in writing, revoke or amend an authorization under this section at any 
time.
    (f) Actions.--An individual may not maintain an action against a 
person for disclosure of protected health information--
            (1) if the disclosure was made based on a good faith 
        reliance on the individual's authorization under this section 
        at the time disclosure was made;
            (2) in a case in which the authorization is revoked, if the 
        disclosing person had no actual or constructive notice of the 
        revocation; or
            (3) if the disclosure was for the purpose of protecting 
        another individual from imminent physical harm, and is 
        authorized under section 204.

SEC. 204. EMERGENCY CIRCUMSTANCES.

    (a) General Rule.--In the event of a threat of imminent physical or 
mental harm to the subject of protected health information, any person 
may, in order to allay or remedy such threat, disclose protected health 
information about such subject to a health care practitioner, health 
care facility, law enforcement authority, or emergency medical 
personnel.
    (b) Harm to Others.--Any person may disclose protected health 
information about the subject of the information where--
            (1) such subject has made an identifiable threat of serious 
        injury or death with respect to an identifiable individual or 
        group of individuals;
            (2) the subject has the ability to carry out such threat; 
        and
            (3) the release of such information is necessary to prevent 
        or significantly reduce the possibility of such threat being 
        carried out.

SEC. 205. PUBLIC HEALTH.

    (a) In General.--A health care provider, health plan, public health 
authority, employer, health or life insurer, law enforcement official, 
school, or university may disclose protected health information to a 
public health authority or other person authorized by public health law 
when receipt of such information by the authority or other person--
            (1) relates directly to a specified public health purpose;
            (2) is reasonably likely to achieve such purpose; and
            (3) is intended for a purpose that cannot be achieved 
        through the receipt or use of de-identified health information.
    (b) Public Health Purpose Defined.--For purposes of subsection (a), 
the term ``public health purpose'' means a population-based activity or 
individual effort, authorized by law, aimed at the prevention of 
injury, disease, or premature mortality, or the promotion of health, in 
a community, including--
            (1) assessing the health needs and status of the community 
        through public health surveillance and epidemiological 
        research;
            (2) developing public health policy;
            (3) responding to public health needs and emergencies; and
            (4) any other activities or efforts authorized by law.

SEC. 206. PROTECTION AND ADVOCACY AGENCIES.

    Any person who creates protected health information or receives 
protected health information under this title may disclose that 
information to a protection and advocacy agency established under part 
C of title I of the Developmental Disabilities Assistance and Bill of 
Rights Act (42 U.S.C. 6041 et seq.) or under the Protection and 
Advocacy for Mentally Ill Individuals Act of 1986 (42 U.S.C. 10801 et 
seq.) when such agency can establish that there is probable cause to 
believe that an individual who is the subject of the protected health 
information is vulnerable to abuse and neglect by an entity providing 
health or social services to the individual.

SEC. 207. OVERSIGHT.

    (a) In General.--A health care provider, health plan, employer, law 
enforcement official, health or life insurer, public health authority, 
health researcher, school or university may disclose protected health 
information to a health oversight agency to enable the agency to 
perform a health oversight function authorized by law, if--
            (1) the purpose for which the disclosure is to be made 
        cannot reasonably be accomplished without protected health 
        information;
            (2) the purpose for which the disclosure is to be made is 
        of sufficient importance to warrant the effect on, or the risk 
        to, the privacy of the individuals that additional exposure of 
        the information might bring; and
            (3) there is a reasonable probability that the purpose of 
        the disclosure will be accomplished.
    (b) Use and Maintenance of Protected Health Information.--A health 
oversight agency that receives protected health information under this 
section--
            (1) shall rely upon a method to scramble or otherwise 
        safeguard, to the maximum extent practicable, the identity of 
        the subject of the protected health information in all work 
        papers and all documents summarizing the health oversight 
        activity;
            (2) shall maintain in its records only such information 
        about an individual as is relevant and necessary to accomplish 
        the purpose for which the protected health information was 
        obtained;
            (3) shall maintain such information securely and limit 
        access to such information to those persons with a legitimate 
        need for access to carry out the purpose for which the records 
        were obtained; and
            (4) shall remove or destroy the information that allows 
        subjects of protected health information to be identified at 
        the earliest time at which removal or destruction can be 
        accomplished, consistent with the purpose of the health 
        oversight activity.
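As an added illustration (not text or code from the bill, and not any agency's implementation), the following Python sketch shows one way an oversight agency could meet paragraph (1)'s "scramble" requirement for work papers and paragraph (4)'s later destruction of identifying information: each subject is replaced by a keyed pseudonym (an HMAC over the identity), the key and lookup table are held apart from the work papers, and destroying the key removes the ability to re-identify. It also shows why a key is needed at all: an unkeyed hash of a name can be recomputed by anyone who can guess the name. The class, the key handling and the sample work paper are assumptions.

```python
"""Hypothetical identity scrambling for oversight work papers, modelled on
Sec. 207(b)(1) and (b)(4) of H.R. 1057 (added example, not the bill's text or
any agency's code; key handling and sample text are assumed)."""
import hashlib
import hmac
import re
import secrets


class IdentityScrambler:
    """Replaces subject identities with keyed pseudonyms. The pseudonym is an
    HMAC, so without the key it can neither be reversed nor recomputed by
    guessing names. Destroying the key is the Sec. 207(b)(4) step that
    removes the ability to re-identify."""

    def __init__(self, key=None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup = {}   # pseudonym -> identity, held only while the inquiry is open

    def key_present(self):
        return self._key is not None

    def pseudonym(self, identity):
        if self._key is None:
            raise RuntimeError("key destroyed; re-identification no longer possible")
        tag = hmac.new(self._key, identity.encode(), hashlib.sha256).hexdigest()[:16]
        self._lookup[tag] = identity
        return "SUBJ-" + tag

    def scramble(self, text, identities):
        """Rewrite a work paper so every listed identity appears only as its pseudonym."""
        for ident in sorted(identities, key=len, reverse=True):  # longest match first
            text = re.sub(re.escape(ident), self.pseudonym(ident), text)
        return text

    def reidentify(self, pseudonym):
        """Sec. 201(h) treats use of the key to identify someone as itself a
        disclosure, so the caller must authorize and audit this path."""
        return self._lookup.get(pseudonym.removeprefix("SUBJ-"))

    def destroy_key(self):
        self._key = None
        self._lookup.clear()


# Constructed sample work paper (not real data).
SAMPLE_PAPER = ("Reviewed claims for Jane Q. Doe and John Roe; Jane Q. Doe's "
                "chart shows three visits, John Roe's shows one.")
SAMPLE_IDENTITIES = ["Jane Q. Doe", "John Roe"]


def pseudonyms_are_key_dependent(identity="Jane Q. Doe"):
    """Two inquiries with different keys produce unrelated pseudonyms for the
    same person, so a work paper leaked from one cannot be joined against
    the other."""
    a, b = IdentityScrambler(), IdentityScrambler()
    return a.pseudonym(identity) != b.pseudonym(identity)
```

The in-memory lookup table is the equivalent of the decryption key in section 201(h): it, not the scrambled work paper, is the artifact whose access has to be restricted and logged, and paragraph (4) is satisfied by discarding it (and the key) once the oversight purpose no longer needs the link.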
    (c) Use of Protected Health Information in Judicial Proceedings.--
            (1) In general.--The disclosure and use of protected 
        health information in any judicial, administrative, court, or 
        other public proceeding or investigation relating to a health 
        oversight activity shall be undertaken in such a manner as to 
        preserve the confidentiality and privacy of individuals who are 
        the subject of the information, unless disclosure is required 
        by the nature of the proceedings.
            (2) Limiting disclosure.--Whenever disclosure of the 
        identity of the subject of protected health information is 
        required by the nature of the proceedings, or it is 
        impracticable to redact the identity of such individual, the 
        agency shall request that the presiding judicial or 
        administrative officer enter an order limiting the disclosure 
        of the identity of the subject to the extent possible, 
        including the redacting of the protected health information 
        from publicly disclosed or filed pleadings or records.
    (d) Authorization by a Supervisor.--For purposes of this section, 
the individual with authority to authorize the oversight function 
involved shall provide to the disclosing person described in subsection 
(a) a statement that the protected health information is being sought 
for a legally authorized oversight function.
    (e) Use in Action Against Individuals.--Protected health 
information about an individual that is disclosed under this section 
may not be used in, or disclosed to any person for use in, an 
administrative, civil, or criminal action or investigation directed 
against the individual, unless the action or investigation arises out 
of and is directly related to--
            (1) the receipt of health care or payment for health care;
            (2) a fraudulent claim related to health; or
            (3) oversight of a public health authority or a health 
        researcher.

SEC. 208. DISCLOSURE FOR LAW ENFORCEMENT PURPOSES.

    (a) Law Enforcement Access to Protected Health Information.--A 
health care provider, health researcher, health plan, health oversight 
agency, employer, health or life insurer, school, university, a person 
acting as the agent of any such person, or a person who receives 
protected health information pursuant to section 204, may disclose 
protected health information to an investigative or law enforcement 
officer pursuant to a warrant issued under the Federal Rules of 
Criminal Procedure, an equivalent State warrant, a grand jury subpoena, 
or a court order under limitations set forth in subsection (b).
    (b) Requirements for Court Orders for Access to Protected Health 
Information.--A court order for the disclosure of protected health 
information under subsection (a) may be issued by any court that is a 
court of competent jurisdiction and shall issue only if the 
investigative or law enforcement officer submits a written application 
upon oath or equivalent affirmation demonstrating that there is 
probable cause to believe that--
            (1) the protected health information sought is relevant and 
        material to an ongoing criminal investigation, except in the 
        case of a State government authority, such a court order shall 
        not issue if prohibited by the law of such State;
            (2) the investigative or evidentiary needs of the 
        investigative or law enforcement officer cannot reasonably be 
        satisfied by de-identified health information or by any other 
        information; and
            (3) the law enforcement need for the information outweighs 
        the privacy interest of the individual to whom the information 
        pertains.
    (c) Motions To Quash or Modify.--A court issuing an order pursuant 
to this section, on a motion made promptly by the health care provider, 
health researcher, health plan, health oversight agency, employer, 
health or life insurer, school, university, a person acting as the 
agent of any such person, or a person who receives protected health 
information pursuant to section 204, may quash or modify such order if 
the court finds that information or records requested are unreasonably 
voluminous or if compliance with such order otherwise would cause an 
unreasonable burden on such persons.
    (d) Notice.--
            (1) In general.--Except as provided in paragraph (2), no 
        order for the disclosure of protected health information about 
        an individual may be issued by a court under this section 
        unless prior notice of the application for the order has been 
        served on the individual and the individual has been afforded 
        an opportunity to oppose the issuance of the order.
            (2) Notice not required.--An order for the disclosure of 
        protected health information about an individual may be issued 
        without prior notice to the individual if the court finds that 
        notice would be impractical because--
                    (A) the name and address of the individual are 
                unknown; or
                    (B) notice would risk destruction or unavailability 
                of the evidence.
    (e) Conditions.--Upon the granting of an order for disclosure of 
protected health information under this section, the court shall impose 
appropriate safeguards to ensure the confidentiality of such 
information and to protect against unauthorized or improper use or 
disclosure.
    (f) Limitation on Use and Disclosure for Other Law Enforcement 
Inquiries.--Protected health information about an individual that is 
disclosed under this section may not be used in, or disclosed to any 
person for use in, any administrative, civil, or criminal action or 
investigation directed against the individual, unless the action or 
investigation arises out of, or is directly related to, the law 
enforcement inquiry for which the information was obtained.
    (g) Destruction or Return of Information.--When the matter or need 
for which protected health information was disclosed to an 
investigative or law enforcement officer or grand jury has concluded, 
including any derivative matters arising from such matter or need, the 
law enforcement agency or grand jury shall either destroy the protected 
health information, or return it to the person from whom it was 
obtained.
    (h) Redactions.--To the extent practicable, and consistent with the 
requirements of due process, a law enforcement agency shall redact 
personally identifying information from protected health information 
prior to the public disclosure of such protected information in a 
judicial or administrative proceeding.
    (i) Exception.--This section shall not be construed to limit or 
restrict the ability of law enforcement authorities to gain information 
while in hot pursuit of a suspect or if other exigent circumstances 
exist.

SEC. 209. NEXT OF KIN AND DIRECTORY INFORMATION.

    (a) Next of Kin.--A health care provider, or a person who receives 
protected health information under section 204, may disclose protected 
health information about health care services provided to an individual 
to the individual's next of kin, or to another person whom the 
individual has identified, if at the time of the treatment of the 
individual--
            (1) the individual--
                    (A) has been notified of the individual's right to 
                object to such disclosure and the individual has not 
                objected to the disclosure; or
                    (B) is in a physical or mental condition such that 
                the individual is not capable of objecting, and there 
                are no prior indications that the individual would 
                object; and
            (2) the information disclosed relates to health care 
        services currently being provided to that individual.
    (b) Directory Information.--
            (1) Disclosure.--
                    (A) In general.--Except as provided in paragraph 
                (2), with respect to an individual who is admitted as 
                an inpatient to a health care facility, a person 
                described in subsection (a) may disclose information 
                described in subparagraph (B) about the individual to 
                any person if, at the time of the admission, the 
                individual--
                            (i) has been notified of the individual's 
                        right to object and has not objected to the 
                        disclosure; or
                            (ii) is in a physical or mental condition 
                        such that the individual is not capable of 
                        objecting and there are no prior indications 
                        that the individual would object.
                    (B) Information.--Information described in this 
                subparagraph is information that consists only of 1 or 
                more of the following items:
                            (i) The name of the individual who is the 
                        subject of the information.
                            (ii) The general health status of the 
                        individual, described as critical, poor, fair, 
                        stable, or satisfactory or in terms denoting 
                        similar conditions.
                            (iii) The location of the individual within 
                        the health care facility to which the 
                        individual is admitted.
            (2) Exception.--Paragraph (1)(B)(iii) shall not apply if 
        disclosure of the location of the individual would reveal 
        specific information about the physical or mental condition of 
        the individual, unless the individual expressly authorizes such 
        disclosure.
    (c) Directory or Next-of-Kin Information.--A disclosure may not be 
made under this section if the disclosing person described in 
subsection (a) has reason to believe that the disclosure of directory 
or next-of-kin information could lead to the physical or mental harm of 
the individual, unless the individual expressly authorizes such 
disclosure.

SEC. 210. HEALTH RESEARCH.

    (a) Regulations.--
            (1) In general.--The requirements and protections provided 
        for under part 46 of title 45, Code of Federal Regulations (as 
        in effect on the date of enactment of this Act), shall apply to 
        all health research.
            (2) Effective date.--Paragraph (1) shall not take effect 
        until the Secretary has promulgated final regulations to 
        implement such paragraph.
    (b) Evaluation.--Not later than 24 months after the date of 
enactment of this Act, the Secretary shall prepare and submit to 
Congress detailed recommendations on whether written informed consent 
should be required, and if so, under what circumstances, before 
protected health information can be used for health research.
    (c) Recommendations.--The recommendations required to be submitted 
under subsection (b) shall include--
            (1) a detailed explanation of current institutional review 
        board practices, including the extent to which the privacy of 
        individuals is taken into account as a factor before allowing 
        waivers and under what circumstances informed consent is being 
        waived;
            (2) a summary of how technology could be used to strip 
        identifying data for the purposes of research;
            (3) an analysis of the risks and benefits of requiring 
        informed consent versus the waiver of informed consent;
            (4) an analysis of the risks and benefits of using 
        protected health information for research purposes other than 
        the health research project for which such information was 
        obtained; and
            (5) an analysis of the risks and benefits of allowing 
        individuals to consent or to use consent, at the time of 
        receiving medical treatment, to the possible future use of 
        records of medical treatments for research studies.
    (d) Consultation.--In carrying out this section, the Secretary 
shall consult with individuals who have distinguished themselves in the 
fields of health research, privacy, related technology, consumer 
interests in health information, health data standards, and the 
provision of health services.
    (e) Congressional Notice.--Not later than 6 months after the date 
on which the Secretary submits to Congress the recommendations required 
under subsection (b), the Secretary shall propose to implement such 
recommendations through regulations promulgated on the record after 
opportunity for a hearing, and shall advise the Congress of such 
proposal.
    (f) Other Requirements.--
            (1) Obligations of the recipient.--A person who receives 
        protected health information pursuant to this section shall 
        remove or destroy, at the earliest opportunity consistent with 
        the purposes of the project involved, information that would 
        enable an individual to be identified, unless--
                    (A) an institutional review board has determined 
                that there is a health or research justification for 
                the retention of such identifiers; and
                    (B) there is an adequate plan to protect the 
                identifiers from disclosure consistent with this 
                section; and
            (2) Periodic review and technical assistance.--
                    (A) Institutional review board.--Any institutional 
                review board that authorizes research under this 
                section shall provide the Secretary with the names and 
                addresses of the institutional review board members.
                    (B) Technical assistance.--The Secretary may 
                provide technical assistance to institutional review 
                boards described in this subsection.
                    (C) Monitoring.--The Secretary shall periodically 
                monitor institutional review boards described in this 
                subsection.
                    (D) Reports.--Not later than 3 years after the date 
                of enactment of this Act, the Secretary shall report to 
                Congress regarding the activities of institutional 
                review boards described in this subsection.
    (g) Limitation.--Nothing in this section shall be construed to 
permit protected health information that is received by a researcher 
under this section to be accessed for purposes other than research or 
as authorized by the individual.

SEC. 211. JUDICIAL AND ADMINISTRATIVE PURPOSES.

    (a) In General.--A health care provider, health plan, health 
oversight agency, employer, insurer, health or life insurer, school or 
university, a person acting as the agent of any such person, or a 
person who receives protected health information under section 204, may 
disclose protected health information--
            (1) pursuant to the standards and procedures established in 
        the Federal Rules of Civil Procedure or comparable rules of 
        other courts or administrative agencies, in connection with 
        litigation or proceedings to which an individual who is the 
        subject of the information is a party and in which the 
        individual has placed his or her physical or mental condition 
        at issue;
            (2) to a court, and to others ordered by the court, if in 
        response to a court order issued by a court of competent 
        jurisdiction in accordance with subsections (b) and (c); or
            (3) if necessary to present to a court an application 
        regarding the provision of treatment of an individual or the 
        appointment of a guardian.
    (b) Court Orders for Access to Protected Health Information.--A 
court order for the disclosure of protected health information under 
subsection (a) may be issued only if the person seeking disclosure 
submits a written application upon oath or equivalent affirmation 
demonstrating by clear and convincing evidence that--
            (1) the protected health information sought is necessary 
        for the adjudication of a material fact in dispute in a civil 
        proceeding;
            (2) the adjudicative need cannot be reasonably satisfied by 
        de-identified health information or by any other information; 
        and
            (3) the need for the information outweighs the privacy 
        interest of the individual to whom the information pertains.
    (c) Notice.--
            (1) In general.--Except as provided in paragraph (2), no 
        order for the disclosure of protected health information about 
        an individual may be issued by a court unless notice of the 
        application for the order has been served on the individual and 
        the individual has been afforded an opportunity to oppose the 
        issuance of the order.
            (2) Notice not required.--An order for the disclosure of 
        protected health information about an individual may be issued 
        without notice to the individual if the court finds, by clear 
        and convincing evidence, that notice would be impractical 
        because--
                    (A) the name and address of the individual are 
                unknown; or
                    (B) notice would risk destruction or unavailability 
                of the evidence.
    (d) Obligations of Recipient.--A person seeking protected health 
information pursuant to subsection (a)(1)--
            (1) shall notify the individual or the individual's 
        attorney of the request for the information;
            (2) shall provide the health care provider, health plan, 
        health oversight agency, employer, insurer, health or life 
        insurer, school or university, agent, or other person involved 
        with a signed document attesting--
                    (A) that the individual has placed his or her 
                physical or mental condition at issue in litigation or 
                proceedings in which the individual is a party; and
                    (B) the date on which the individual or the 
                individual's attorney was notified under paragraph (1); 
                and
            (3) shall not accept any requested protected health 
        information from the health care provider, health plan, health 
        oversight agency, employer, insurer, health or life insurer, 
        school or university, agent, or person until the termination of 
        the 10-day period beginning on the date notice was given under 
        paragraph (1).

SEC. 212. INDIVIDUAL REPRESENTATIVES.

    (a) In General.--Except as provided in subsections (b) and (c), a 
person who is authorized by law (based on grounds other than an 
individual's status as a minor), or by an instrument recognized under 
law, to act as an agent, attorney, proxy, or other legal representative 
of an individual, may, to the extent so authorized, exercise and 
discharge the rights of the individual under this Act.
    (b) Health Care Power of Attorney.--A person who is authorized by 
law (based on grounds other than being a minor), or by an instrument 
recognized under law, to make decisions about the provision of health 
care to an individual who is incapacitated, may exercise and discharge 
the rights of the individual under this Act to the extent necessary to 
effectuate the terms or purposes of the grant of authority.
    (c) No Court Declaration.--If a physician or other health care 
provider determines that an individual, who has not been declared to be 
legally incompetent, suffers from a medical condition that prevents the 
individual from acting knowingly or effectively on the individual's own 
behalf, the right of the individual to authorize disclosure under this 
Act may be exercised and discharged in the best interest of the 
individual by--
            (1) a person described in subsection (b) with respect to 
        the individual;
            (2) a person described in subsection (a) with respect to 
        the individual, but only if a person described in paragraph (1) 
        cannot be contacted after a reasonable effort;
            (3) the next of kin of the individual, but only if a person 
        described in paragraph (1) or (2) cannot be contacted after a 
        reasonable effort; or
            (4) the health care provider, but only if a person 
        described in paragraph (1), (2), or (3) cannot be contacted 
        after a reasonable effort.
    (d) Rights of Minors.--
            (1) Individuals who are 18 or legally capable.--In the case 
        of an individual--
                    (A) who is 18 years of age or older, all rights of 
                the individual under this Act shall be exercised by the 
                individual; or
                    (B) who, acting alone, can obtain a type of health 
                care without violating any applicable law, and who has 
                sought such care, the individual shall exercise all 
                rights of an individual under this Act with respect to 
                protected health information relating to such health 
                care.
            (2) Individuals under 18.--Except as provided in paragraph 
        (1)(B), in the case of an individual who is--
                    (A) under 14 years of age, all of the individual's 
                rights under this Act shall be exercised through the 
                parent or legal guardian; or
                    (B) 14 through 17 years of age, the rights of 
                inspection and supplementation, and the right to 
                authorize use and disclosure of protected health 
                information of the individual shall be exercised by the 
                individual, or by the parent or legal guardian of the 
                individual.
    (e) Deceased Individuals.--
            (1) Application of act.--The provisions of this Act shall 
        continue to apply to protected health information concerning a 
        deceased individual.
            (2) Exercise of rights on behalf of a deceased 
        individual.--A person who is authorized by law or by an 
        instrument recognized under law, to act as an executor of the 
        estate of a deceased individual, or otherwise to exercise the 
        rights of the deceased individual, may, to the extent so 
        authorized, exercise and discharge the rights of such deceased 
        individual under this Act. If no such designee has been 
        authorized, the rights of the deceased individual may be 
        exercised as provided for in subsection (c).
            (3) Identification of deceased individual.--A person 
        described in section 209(a) may disclose protected health 
        information if such disclosure is necessary to assist in the 
        identification of a deceased individual.

SEC. 213. PROHIBITION AGAINST RETALIATION.

    A health care provider, health researcher, health plan, health 
oversight agency, employer, health or life insurer, school or 
university, person acting as an agent of any such person, or person who 
receives protected health information under section 204 may not 
adversely affect another person, directly or indirectly, because such 
person has exercised a right under this Act, disclosed information 
relating to a possible violation of this Act, or associated with, or 
assisted, a person in the exercise of a right under this Act.

 TITLE III--OFFICE OF HEALTH INFORMATION PRIVACY OF THE DEPARTMENT OF 
                       HEALTH AND HUMAN SERVICES

                        Subtitle A--Designation

SEC. 301. DESIGNATION.

    (a) In General.--The Secretary shall designate an office within the 
Department of Health and Human Services to be known as the Office of 
Health Information Privacy. The Office shall be headed by a Director, 
who shall be appointed by the Secretary.
    (b) Duties.--The Director of the Office of Health Information 
Privacy shall--
            (1) receive and investigate complaints of alleged 
        violations of this Act;
            (2) provide for the conduct of audits where appropriate;
            (3) provide guidance to the Secretary in the implementation 
        of this Act;
            (4) prepare and submit the report described in subsection 
        (c);
            (5) consult with, and provide recommendations to, the 
        Secretary concerning improvements in the privacy and security 
        of protected health information and concerning medical privacy 
        research needs; and
            (6) carry out any other activities determined appropriate 
        by the Secretary.
    (c) Report on Compliance.--Not later than January 1 of the first 
calendar year beginning more than 1 year after the establishment of the 
Office under subsection (a), and every January 1 thereafter, the 
Director of the Office of Health Information Privacy shall prepare and 
submit to Congress a report concerning the number of complaints of 
alleged violations of this Act that are received during the year for 
which the report is being prepared. Such report shall describe the 
complaints and any remedial action taken concerning such complaints.

                        Subtitle B--Enforcement

                     CHAPTER 1--CRIMINAL PROVISIONS

SEC. 311. WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION.

    (a) In General.--Part I of title 18, United States Code, is amended 
by adding at the end the following:

   ``CHAPTER 124--WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION

        ``Sec.
        ``2801. Wrongful disclosure of protected health information.
``Sec. 2801. Wrongful disclosure of protected health information
    ``(a) Offense.--The penalties described in subsection (b) shall 
apply to a person that knowingly and intentionally--
            ``(1) obtains or attempts to obtain protected health 
        information relating to an individual in violation of title II 
        of the Medical Information Privacy and Security Act; or
            ``(2) discloses or attempts to disclose protected health 
        information to another person in violation of title II of the 
        Medical Information Privacy and Security Act.
    ``(b) Penalties.--A person described in subsection (a) shall--
            ``(1) be fined not more than $50,000, imprisoned not more 
        than 1 year, or both;
            ``(2) if the offense is committed under false pretenses, be 
        fined not more than $250,000, imprisoned not more than 5 years, 
        or any combination of such penalties; or
            ``(3) if the offense is committed with the intent to sell, 
        transfer, or use protected health information for commercial 
        advantage, personal gain, or malicious harm, be fined not more 
        than $500,000, imprisoned not more than 10 years, excluded from 
        participation in any Federally funded health care programs, or 
        any combination of such penalties.
    ``(c) Subsequent Offenses.--In the case of a person described in 
subsection (a), the maximum penalties described in subsection (b) shall 
be doubled for every subsequent conviction for an offense arising out 
of a violation or violations related to a set of circumstances that are 
different from those involved in the previous violation or set of 
related violations described in such subsection (a).''.
    (b) Clerical Amendment.--The table of chapters for part I of title 
18, United States Code, is amended by inserting after the item relating 
to chapter 123 the following new item:

``124. Wrongful disclosure of protected health information..    2801''.

SEC. 312. DEBARMENT FOR CRIMES.

    (a) Purpose.--The purpose of this section is to promote the 
prevention and deterrence of instances of intentional criminal actions 
which violate criminal laws which are designed to protect the privacy 
of protected health information in a manner consistent with this Act.
    (b) Debarment.--Not later than 270 days after the date of enactment 
of this Act, the Attorney General, in consultation with the Secretary, 
shall promulgate regulations and establish procedures to permit the 
debarment of health care providers, health researchers, health or life 
insurers, employers, or schools or universities from receiving benefits 
under any Federal health programs or other Federal procurement program 
if the managers or officers of such persons are found guilty of 
violating section 2801 of title 18, United States Code, have civil 
penalties imposed against such officers or managers under section 321 
in connection with the illegal disclosure of protected health 
information, or are found guilty of making a false statement or 
obstructing justice related to attempting to conceal or concealing such 
illegal disclosure. Such regulations shall take into account the need 
for continuity of medical care and may provide for a delay of any 
debarment imposed under this section to take into account the medical 
needs of patients.
    (c) Consultation.--Before publishing a proposed rule to implement 
subsection (b), the Attorney General shall consult with State law 
enforcement officials, health care providers, patient privacy rights' 
advocates, and other appropriate persons, to gain additional 
information regarding the debarment of entities under subsection (b) 
and the best methods to ensure the continuity of medical care.
    (d) Report.--The Attorney General shall annually prepare and submit 
to the Committee on the Judiciary of the House of Representatives and 
the Committee on the Judiciary of the Senate a report concerning the 
activities and debarment actions taken by the Attorney General under 
this section.
    (e) Assistance To Prevent Criminal Violations.--The Attorney 
General, in cooperation with any other appropriate individual, 
organization, or agency, may provide advice, training, technical 
assistance, and guidance regarding ways to reduce the incidence of 
improper disclosure of protected health information.
    (f) Relationship to Other Authorities.--A debarment imposed under 
this section shall not reduce or diminish the authority of a Federal, 
State, or local governmental agency or court to penalize, imprison, 
fine, suspend, debar, or take other adverse action against a person, in 
a civil, criminal, or administrative proceeding.

                       CHAPTER 2--CIVIL SANCTIONS

SEC. 321. CIVIL PENALTY.

    (a) Violation.--A health care provider, health researcher, health 
plan, health oversight agency, public health agency, law enforcement 
agency, employer, health or life insurer, school, or university, or a 
person acting as the agent of any such person, who the Secretary, in 
consultation with the Attorney General, determines has substantially 
and materially failed to comply with this Act shall be subject, in 
addition to any other penalties that may be prescribed by law--
            (1) in a case in which the violation relates to title I, to 
        a civil penalty of not more than $500 for each such violation, 
        but not to exceed $5000 in the aggregate for multiple 
        violations;
            (2) in a case in which the violation relates to title II, 
        to a civil penalty of not more than $10,000 for each such 
        violation, but not to exceed $50,000 in the aggregate for 
        multiple violations; or
            (3) in a case in which the Secretary finds that such 
        violations have occurred with such frequency as to constitute a 
        general business practice, to a civil penalty of not more than 
        $100,000.
    (b) Procedures for Imposition of Penalties.--Section 1128A of the 
Social Security Act (42 U.S.C. 1320a-7a), other than subsections (a) 
and (b) and the second sentence of subsection (f) of that section, 
shall apply to the imposition of a civil, monetary, or exclusionary 
penalty under this section in the same manner as such provisions apply 
with respect to the imposition of a penalty under section 1128A of such 
Act.

SEC. 322. PROCEDURES FOR IMPOSITION OF PENALTIES.

    (a) Initiation of Proceedings.--
            (1) In general.--The Secretary, in consultation with the 
        Attorney General, may initiate a proceeding to determine 
        whether to impose a civil money penalty under section 321. The 
        Secretary may not initiate an action under this section with 
        respect to any violation described in section 321 after the 
        expiration of the 6-year period beginning on the date on which 
        such violation was alleged to have occurred. The Secretary may 
        initiate an action under this section by serving notice of the 
        action in any manner authorized by Rule 4 of the Federal Rules 
        of Civil Procedure.
            (2) Notice and opportunity for hearing.--The Secretary 
        shall not make a determination adverse to any person under 
        paragraph (1) until the person has been given written notice 
        and an opportunity for the determination to be made on the 
        record after a hearing at which the person is entitled to be 
        represented by counsel, to present witnesses, and to cross-
        examine witnesses against the person.
            (3) Estoppel.--In a proceeding under paragraph (1) that--
                    (A) is against a person who has been convicted 
                (whether upon a verdict after trial or upon a plea of 
                guilty or nolo contendere) of a crime under section 
                2801 of title 18, United States Code; and
                    (B) involves the same conduct as in the criminal 
                action;
        the person is estopped from denying the essential elements of 
        the criminal offense.
            (4) Sanctions for failure to comply.--The official 
        conducting a hearing under this section may sanction a person, 
        including any party or attorney, for failing to comply with an 
        order or procedure, failing to defend an action, or other 
        misconduct as would interfere with the speedy, orderly, or fair 
        conduct of the hearing. Such sanction shall reasonably relate 
        to the severity and nature of the failure or misconduct. Such 
        sanction may include--
                    (A) in the case of refusal to provide or permit 
                discovery, drawing negative factual inferences or 
                treating such refusal as an admission by deeming the 
                matter, or certain facts, to be established;
                    (B) prohibiting a party from introducing certain 
                evidence or otherwise supporting a particular claim or 
                defense;
                    (C) striking pleadings, in whole or in part;
                    (D) staying the proceedings;
                    (E) dismissal of the action;
                    (F) entering a default judgment;
                    (G) ordering the party or attorney to pay 
                attorneys' fees and other costs caused by the failure 
                or misconduct; and
                    (H) refusing to consider any motion or other action 
                which is not filed in a timely manner.
    (b) Scope of Penalty.--In determining the amount or scope of any 
penalty imposed pursuant to section 321, the Secretary shall take into 
account--
            (1) the nature of claims and the circumstances under which 
        they were presented;
            (2) the degree of culpability, history of prior offenses, 
        and financial condition of the person against whom the claim is 
        brought; and
            (3) such other matters as justice may require.
    (c) Review of Determination.--
            (1) In general.--Any person adversely affected by a 
        determination of the Secretary under this section may obtain a 
        review of such determination in the United States Court of 
        Appeals for the circuit in which the person resides, or in 
        which the claim was presented, by filing in such court (within 
        60 days following the date the person is notified of the 
        determination of the Secretary) a written petition requesting 
        that the determination be modified or set aside.
            (2) Filing of record.--A copy of the petition filed under 
        paragraph (1) shall be forthwith transmitted by the clerk of 
        the court to the Secretary, and thereupon the Secretary shall 
        file in the Court the record in the proceeding as provided in 
        section 2112 of title 28, United States Code. Upon such filing, 
        the court shall have jurisdiction of the proceeding and of the 
        question determined therein, and shall have the power to make 
        and enter upon the pleadings, testimony, and proceedings set 
        forth in such record a decree affirming, modifying, remanding 
        for further consideration, or setting aside, in whole or in 
        part, the determination of the Secretary and enforcing the same 
        to the extent that such order is affirmed or modified.
            (3) Consideration of objections.--No objection that has not 
        been raised before the Secretary with respect to a 
        determination described in paragraph (1) shall be considered by 
        the court, unless the failure or neglect to raise such 
        objection shall be excused because of extraordinary 
        circumstances.
            (4) Findings.--The findings of the Secretary with respect 
        to questions of fact in an action under this subsection, if 
        supported by substantial evidence on the record considered as a 
        whole, shall be conclusive. If any party shall apply to the 
        court for leave to adduce additional evidence and shall show to 
        the satisfaction of the court that such additional evidence is 
        material and that there were reasonable grounds for the failure 
        to adduce such evidence in the hearing before the Secretary, 
        the court may order such additional evidence to be taken before 
        the Secretary and to be made a part of the record. The 
        Secretary may modify findings as to the facts, or make new 
        findings, by reason of additional evidence so taken and filed, 
        and shall file with the court such modified or new findings, 
        and such findings with respect to questions of fact, if 
        supported by substantial evidence on the record considered as a 
        whole, and the recommendations of the Secretary, if any, for 
        the modification or setting aside of the original order, shall 
        be conclusive.
            (5) Exclusive jurisdiction.--Upon the filing of the record 
        with the court under paragraph (2), the jurisdiction of the 
        court shall be exclusive and its judgment and decree shall be 
        final, except that the same shall be subject to review by the 
        Supreme Court of the United States, as provided for in section 
        1254 of title 28, United States Code.
    (d) Recovery of Penalties.--
            (1) In general.--Civil money penalties imposed under this 
        chapter may be compromised by the Secretary and may be 
        recovered in a civil action in the name of the United States 
        brought in United States district court for the district where 
        the claim was presented, or where the claimant resides, as 
        determined by the Secretary. Amounts recovered under this 
        section shall be paid to the Secretary and deposited as 
        miscellaneous receipts of the Treasury of the United States.
            (2) Deduction from amounts owing.--The amount of any 
        penalty, when finally determined under this section, or the 
        amount agreed upon in compromise under paragraph (1), may be 
        deducted from any sum then or later owing by the United States 
        or a State to the person against whom the penalty has been 
        assessed.
    (e) Determination Final.--A determination by the Secretary to 
impose a penalty under section 321 shall be final upon the expiration 
of the 60-day period referred to in subsection (c)(1). Matters that 
were raised or that could have been raised in a hearing before the 
Secretary or in an appeal pursuant to subsection (c) may not be raised 
as a defense to a civil action by the United States to collect a 
penalty under section 321.
    (f) Subpoena Authority.--
            (1) In general.--For the purpose of any hearing, 
        investigation, or other proceeding authorized or directed under 
        this section, or relative to any other matter within the 
        jurisdiction of the Secretary hereunder, the Secretary shall 
        have the power to issue subpoenas requiring the attendance and 
        testimony of witnesses and the production of any evidence that 
        relates to any matter under investigation or in question. Such 
        attendance of witnesses and production of evidence at the 
        designated place of such hearing, investigation, or other 
        proceeding may be required from any place in the United States 
        or in any Territory or possession thereof.
            (2) Service.--Subpoenas of the Secretary under paragraph 
        (1) shall be served by anyone authorized by the Secretary by 
        delivering a copy thereof to the individual named therein.
            (3) Proof of service.--A verified return by the individual 
        serving the subpoena under this subsection setting forth the 
        manner of service shall be proof of service.
            (4) Fees.--Witnesses subpoenaed under this subsection shall 
        be paid the same fees and mileage as are paid witnesses in the 
        district court of the United States.
            (5) Refusal to obey.--In case of contumacy by, or refusal 
        to obey a subpoena duly served upon, any person, any district 
        court of the United States for the judicial district in which 
        such person charged with contumacy or refusal to obey is found 
        or resides or transacts business, upon application by the 
        Secretary, shall have jurisdiction to issue an order requiring 
        such person to appear and give testimony, or to appear and 
        produce evidence, or both. Any failure to obey such order of 
        the court may be punished by the court as contempt thereof.
    (g) Injunctive Relief.--Whenever the Secretary has reason to 
believe that any person has engaged, is engaging, or is about to engage 
in any activity which makes the person subject to a civil monetary 
penalty under section 321, the Secretary may bring an action in an 
appropriate district court of the United States (or, if applicable, a 
United States court of any territory) to enjoin such activity, or to 
enjoin the person from concealing, removing, encumbering, or disposing 
of assets which may be required in order to pay a civil monetary 
penalty if any such penalty were to be imposed or to seek other 
appropriate relief.
    (h) Agency.--A principal is jointly and severally liable with the 
principal's agent for penalties under section 321 for the actions of 
the principal's agent acting within the scope of the agency.

SEC. 323. CIVIL ACTION BY INDIVIDUALS.

    (a) In General.--Any individual whose rights under this Act have 
been knowingly or negligently violated may bring a civil action to 
recover--
            (1) such preliminary and equitable relief as the court 
        determines to be appropriate; and
            (2) the greater of compensatory damages or liquidated 
        damages of $5,000.
    (b) Punitive Damages.--In any action brought under this section in 
which the individual has prevailed because of a knowing violation of a 
provision of this Act, the court may, in addition to any relief awarded 
under subsection (a), award such punitive damages as may be warranted.
    (c) Attorney's Fees.--In the case of a civil action brought under 
subsection (a) in which the individual has substantially prevailed, the 
court may assess against the respondent a reasonable attorney's fee and 
other litigation costs and expenses (including expert fees) reasonably 
incurred.
    (d) Limitation.--No action may be commenced under this section more 
than 3 years after the date on which the violation was or should 
reasonably have been discovered.
    (e) Agency.--A principal is jointly and severally liable with the 
principal's agent for damages under this section for the actions of the 
principal's agent acting within the scope of the agency.
    (f) Additional Remedies.--The equitable relief or damages that may 
be available under this section shall be in addition to any other 
lawful remedy or award available.

                        TITLE IV--MISCELLANEOUS

SEC. 401. RELATIONSHIP TO OTHER LAWS.

    (a) Federal and State Laws.--Nothing in this Act shall be construed 
as preempting, superseding, or repealing, explicitly or implicitly, 
other Federal or State laws or regulations relating to protected health 
information or relating to an individual's access to protected health 
information or health care services, if such laws or regulations 
provide protections for the rights of individuals to the privacy of, 
and access to, their health information that are greater than those 
provided for in this Act.
    (b) Privileges.--Nothing in this Act shall be construed to preempt 
or modify any provisions of State statutory or common law to the extent 
that such law concerns a privilege of a witness or person in a court of 
that State. This Act shall not be construed to supersede or modify any 
provision of Federal statutory or common law to the extent such law 
concerns a privilege of a witness or person in a court of the United 
States. Authorizations pursuant to section 202 shall not be construed 
as a waiver of any such privilege.
    (c) Certain Duties Under Law.--Nothing in this Act shall be 
construed to preempt, supersede, or modify the operation of any State 
law that--
            (1) provides for the reporting of vital statistics such as 
        birth or death information;
            (2) requires the reporting of abuse or neglect information 
        about any individual;
            (3) regulates the disclosure or reporting of information 
        concerning an individual's mental health; or
            (4) governs a minor's rights to access protected health 
        information or health care services.
    (d) Federal Privacy Act.--
            (1) Medical exemptions.--Section 552a of title 5, United 
        States Code, is amended by adding at the end the following:
    ``(w) Certain Protected Health Information.--The head of an agency 
that is a health care provider, health plan, health oversight agency, 
employer, insurer, health or life insurer, school or university, or 
person who receives protected health information under section 204 of 
the Medical Information Privacy and Security Act shall promulgate 
rules, in accordance with the requirements (including general notice) 
of subsections (b)(1), (b)(2), (b)(3), (c), (e) of section 553 of this 
title, to exempt a system of records within the agency, to the extent 
that the system of records contains protected health information (as 
defined in section 4 of such Act), from all provisions of this section 
except subsections (b)(6), (d), (e)(1), (e)(2), subparagraphs (A) 
through (C) and (E) through (I) of subsection (e)(4), and subsections 
(e)(5), (e)(6), (e)(9), (e)(12), (l), (n), (o), (p), (r), and (u).''.
            (2) Technical amendment.--Section 552a(f)(3) of title 5, 
        United States Code, is amended by striking ``pertaining to 
        him,'' and all that follows through the semicolon and inserting 
        ``pertaining to the individual.''
    (e) Constitution.--Nothing in this Act shall be construed to alter, 
diminish, or otherwise weaken existing legal standards under the 
Constitution regarding the confidentiality of protected health 
information.

SEC. 402. EFFECTIVE DATE.

    (a) Effective Date.--Unless specifically provided for otherwise, 
this Act shall take effect on the date that is 12 months after the date 
of the promulgation of the regulations required under subsection (b), 
or 30 months after the date of enactment of this Act, whichever is 
earlier.
    (b) Regulations.--Not later than 12 months after the date of 
enactment of this Act, or as specifically provided for otherwise, the 
Secretary shall promulgate regulations implementing this Act.