[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[H.R. 1941 Introduced in House (IH)]

106th CONGRESS
  1st Session
                                H. R. 1941

 To protect the privacy of personally identifiable health information.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                              May 25, 1999

Mr. Condit (for himself, Mr. Waxman, Mr. Markey, Mr. Dingell, Mr. Brown 
of Ohio, Mr. Turner, Mr. Lantos, Mr. Cramer, Mr. Wise, Mr. Owens, Mrs. 
Tauscher, Mr. Towns, Mr. Shows, Mr. Kanjorski, Mrs. Mink of Hawaii, Mr. 
    Sanders, Mrs. Maloney of New York, Ms. Norton, Mr. Fattah, Mr. 
  Cummings, Mr. Kucinich, Mr. Blagojevich, Mr. Davis of Illinois, Mr. 
 Tierney, Mr. Allen, Mr. Ford, Ms. Schakowski, Mr. Romero-Barcelo, and 
 Mr. Stupak) introduced the following bill; which was referred to the 
 Committee on Commerce, and in addition to the Committee on Government 
 Reform, for a period to be subsequently determined by the Speaker, in 
   each case for consideration of such provisions as fall within the 
                jurisdiction of the committee concerned

_______________________________________________________________________

                                 A BILL

 To protect the privacy of personally identifiable health information.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Health Information 
Privacy Act''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings and purposes.
               TITLE I--PROTECTION OF HEALTH INFORMATION

Sec. 101. Restrictions on uses.
Sec. 102. Restrictions on disclosure.
Sec. 103. Standards for authorizations for use and disclosure.
Sec. 104. Safeguards against misuse and prohibited disclosures.
               TITLE II--RIGHTS OF PROTECTED INDIVIDUALS

Sec. 201. Right of access.
Sec. 202. Right of correction and amendment.
Sec. 203. Right to review disclosure history.
Sec. 204. Right to notice of information practices and opportunity to 
                            seek additional protections.
   TITLE III--PERMISSIBLE DISCLOSURES OF PROTECTED HEALTH INFORMATION

Sec. 301. Provision of and payment for health care.
Sec. 302. Health oversight.
Sec. 303. Public health.
Sec. 304. Health research.
Sec. 305. Law enforcement.
Sec. 306. Judicial or administrative proceedings.
Sec. 307. Other disclosures.
Sec. 308. Redisclosures.
                   TITLE IV--MISCELLANEOUS PROVISIONS

Sec. 401. Specific classes of individuals.
Sec. 402. False pretenses.
Sec. 403. Obligations of affiliated persons.
Sec. 404. Prohibition of retaliation with respect to employment.
Sec. 405. Mental health and other especially sensitive information.
Sec. 406. Cessation of operations.
Sec. 407. Conforming amendments to Federal Privacy Act.
                      TITLE V--GENERAL PROVISIONS

Sec. 501. Authority of the Secretary.
Sec. 502. Enforcement.
Sec. 503. Relationship to other laws.
Sec. 504. Definitions.
Sec. 505. Effective date.

SEC. 2. FINDINGS AND PURPOSES.

    (a) Findings.--The Congress finds as follows:
            (1) The right to privacy is a personal and fundamental 
        right protected by the Constitution of the United States.
            (2) Individuals have a right to privacy regarding their 
        individually identifiable health information.
            (3) The improper use or disclosure of individually 
        identifiable health information about an individual may cause 
        significant harm to the interests of the individual in privacy 
        and health care, and may unfairly affect the ability of the 
        individual to obtain employment, education, insurance, credit, 
        and other necessities.
            (4) Current legal protections for health information vary 
        from State to State and are inadequate to protect the privacy 
        of an individual's health information and ensure fair 
        information practices standards.
            (5) The movement of individuals and health information 
        across State lines, access to and exchange of health 
        information from automated data banks and networks, and the 
        emergence of multistate health care providers and payers create 
        a compelling need for Federal law, rules, and procedures 
        governing the use, maintenance, and disclosure of health 
        information.
            (6) Federal rules governing the use, maintenance, and 
        disclosure of health information are an essential part of 
        health care reform, are necessary to support the 
        computerization of health information, and can reduce the cost 
        of providing health services by making the necessary transfer 
        of health information more efficient.
            (7) An individual needs access to health information about 
        the individual as a matter of fairness, to enable the 
        individual to make informed decisions about health care, and to 
        correct inaccurate or incomplete information.
    (b) Purposes.--The purposes of this Act are as follows:
            (1) To protect the privacy of health information that 
        reveals the identity of an individual.
            (2) To define the rights and responsibilities of a person 
        who creates or maintains individually identifiable health 
        information that originates or is used in the health treatment 
        or payment process.
            (3) To define the rights of an individual with respect to 
        health information about the individual that is created or 
        maintained as part of the health treatment and payment process.

               TITLE I--PROTECTION OF HEALTH INFORMATION

SEC. 101. RESTRICTIONS ON USES.

    (a) In General.--Use of protected health information by health 
information custodians--
            (1) shall protect the reasonable expectation of privacy of 
        protected individuals; and
            (2) shall be in accordance with fair information practices.
    (b) Minimum Requirements.--
            (1) Limitation on uses.--Unless otherwise authorized by a 
        protected individual under section 103, a health information 
        custodian may use protected health information only for the 
        uses for which disclosure is authorized under title III.
            (2) Minimum amount of information.--A health information 
        custodian shall limit use of protected health information to 
        the minimum amount and duration necessary to accomplish the 
        use.

SEC. 102. RESTRICTIONS ON DISCLOSURE.

    (a) In General.--Disclosure of protected health information by a 
health information custodian shall protect the reasonable expectations 
of privacy of protected individuals.
    (b) Minimum Requirements.--
            (1) Limitation on disclosures.--A health information 
        custodian may not disclose protected health information 
        unless--
                    (A) the disclosure is authorized by the protected 
                individual under section 103; or
                    (B) the disclosure is authorized under title III.
            (2) Minimum amount of information.--A health information 
        custodian shall limit a disclosure of protected health 
        information to the minimum amount of information necessary to 
        accomplish the purpose for which the information is disclosed.
    (c) No Requirement To Disclose.--Nothing in this Act shall be 
construed as requiring disclosure of protected health information that 
is not otherwise required to be disclosed by law.

SEC. 103. STANDARDS FOR AUTHORIZATIONS FOR USE AND DISCLOSURE.

    (a) In General.--A health information custodian may use or disclose 
protected information pursuant to an authorization by a protected 
individual only if that authorization is based on informed consent by 
the protected individual.
    (b) Minimum Requirements.--
            (1) Prohibition on conditioning.--A health information 
        custodian may not, as a condition of providing or paying for 
        health care, require a protected individual to execute an 
        authorization for use or disclosure of protected health 
        information.
            (2) Informed consent.--For the purposes of subsection (a), 
        an authorization shall not be considered to be based on 
        informed consent unless, at a minimum, it satisfies the 
        conditions in part II.D.1 of the Secretary's HIPAA 
        recommendations (relating to ``Disclosure with Patient 
        Authorization: Authorization Content'').

SEC. 104. SAFEGUARDS AGAINST MISUSE AND PROHIBITED DISCLOSURES.

    (a) In General.--Health information custodians shall establish and 
implement safeguards against misuse and prohibited disclosure of 
protected health information.
    (b) Minimum Requirements.--The safeguards under subsection (a) 
shall include reasonable and appropriate administrative, technical, and 
physical safeguards--
            (1) to ensure that protected health information is used or 
        disclosed only when necessary;
            (2) to ensure the integrity and confidentiality of 
        protected health information;
            (3) to protect against any reasonably anticipated threats 
        or hazards to the security or integrity of the information or 
        unauthorized use or disclosure of the information; and
            (4) otherwise to ensure compliance with this Act.
    (c) Mental Health and Other Especially Sensitive Information.--In 
establishing and implementing the safeguards under subsection (a), a 
health information custodian shall consider providing additional 
protections for mental health and other especially sensitive protected 
health information, as appropriate.
    (d) Relationship to Social Security Act Administrative 
Simplification Requirements.--Any safeguard established under this 
section shall be consistent with the standards adopted by the Secretary 
under paragraph (1) of section 1173(d) of the Social Security Act (42 
U.S.C. 1320d-2(d)) and the requirement in paragraph (2) of such 
section.

               TITLE II--RIGHTS OF PROTECTED INDIVIDUALS

SEC. 201. RIGHT OF ACCESS.

    (a) In General.--Protected individuals shall have the right to a 
reasonable opportunity to inspect and copy protected health information 
maintained by a health information custodian.
    (b) Minimum Requirements.--Subject to section 405(b), a health 
information custodian, at a minimum, shall provide a protected 
individual at least as much opportunity to inspect and copy protected 
health information as was recommended by the Secretary in part II.C.2 
of the Secretary's HIPAA recommendations (relating to ``Patient 
Inspection and Copying of Records'').

SEC. 202. RIGHT OF CORRECTION AND AMENDMENT.

    (a) In General.--Protected individuals shall have the right to a 
reasonable opportunity to correct or amend protected health information 
maintained by a health information custodian.
    (b) Minimum Requirements.--A health information custodian, at a 
minimum, shall provide a protected individual correction and amendment 
protections that are at least equivalent to those recommended by the 
Secretary in part II.C.3 of the Secretary's HIPAA recommendations 
(relating to ``Patient Correction of Records'').

SEC. 203. RIGHT TO REVIEW DISCLOSURE HISTORY.

    (a) In General.--Protected individuals shall have the right to a 
reasonable opportunity to review a history of the disclosures of 
protected health information about the individual made by a health 
information custodian.
    (b) Minimum Requirements.--A health information custodian, at a 
minimum, shall implement procedures that ensure a protected individual 
at least as much opportunity to review the individual's disclosure 
histories as was recommended by the Secretary in part II.C.4 of the 
Secretary's HIPAA recommendations (relating to ``Disclosure History'').

SEC. 204. RIGHT TO NOTICE OF INFORMATION PRACTICES AND OPPORTUNITY TO 
              SEEK ADDITIONAL PROTECTIONS.

    (a) In General.--Protected individuals shall have--
            (1) the right to notice of the information practices of 
        health information custodians; and
            (2) a reasonable opportunity to seek limitations on the use 
        and disclosure of protected health information in addition to 
        the limitations provided in such practices.
    (b) Minimum Requirements.--
            (1) Notice and opportunity to seek additional 
        protections.--To the maximum extent practicable, before 
        obtaining protected health information from a protected 
        individual, a health information custodian--
                    (A) shall provide the protected individual with a 
                clear and conspicuous notice of the custodian's health 
                information practices, which notice shall include, at a 
                minimum, the explanation recommended in part II.C.1 of 
                the Secretary's HIPAA recommendations (relating to 
                ``Explanation of Information Practices'');
                    (B) shall provide the protected individual a 
                reasonable opportunity to seek limitations on the use 
                or disclosure of protected health information in 
                addition to the limitations provided in such practices; 
                and
                    (C) shall obtain a signed acknowledgment from the 
                protected individual acknowledging that the notice 
                required under subparagraph (A) has been provided to 
                the protected individual and the individual has been 
                informed of the opportunity to seek additional 
                limitations required to be provided under subparagraph 
                (B).
            (2) Other health information custodians.--A health 
        information custodian who receives protected health information 
        about a protected individual from a source other than the 
        individual shall provide a notice of the custodian's health 
        information practices that is consistent with paragraph (1)(A) 
        to the individual upon request.
    (c) Compliance.--If a protected individual seeks limitations on the 
use or disclosure of protected health information in addition to the 
limitations described in a health information custodian's notice of 
health information practices, and the custodian agrees to provide such 
additional limitations, the custodian shall comply with such additional 
limitations, unless such compliance would violate another provision of 
law.

   TITLE III--PERMISSIBLE DISCLOSURES OF PROTECTED HEALTH INFORMATION

SEC. 301. PROVISION OF AND PAYMENT FOR HEALTH CARE.

    (a) In General.--A health information custodian, to the extent the 
Secretary determines appropriate, may disclose protected health 
information, without obtaining an authorization under section 103, for 
the purpose of providing health care to an individual or paying for 
health care provided to an individual, except as provided in subsection 
(c).
    (b) Construction.--For purposes of subsection (a), a disclosure of 
protected health information by a health information custodian for the 
purpose of rendering an employment decision, conducting a marketing 
activity, or conducting an insurance underwriting activity, shall not 
be considered a disclosure for the purpose of providing health care to 
an individual or paying for health care provided to an individual.
    (c) Special Rule for Patients Paying for Care.--In the case of 
health care provided to an individual who pays for the care himself or 
herself, a health information custodian may not disclose to a health 
care payer, without obtaining an authorization under section 103, 
protected health information created or received in the course of 
providing such care.

SEC. 302. HEALTH OVERSIGHT.

    (a) In General.--A health information custodian, to the extent the 
Secretary determines appropriate, may disclose protected health 
information for the purpose of health oversight, without obtaining an 
authorization under section 103.
    (b) Minimum Requirements.--The Secretary--
            (1) shall permit a health information custodian to disclose 
        protected health information to Federal, State, and local 
        agencies (or affiliated persons of such agencies) that are 
        authorized by law to investigate, regulate, enforce laws 
        relating to, or license, certify, or accredit persons engaged 
        in, the provision of, or payment for, health care; and
            (2) may permit a health information custodian to disclose 
        protected health information to appropriate private 
        organizations engaged in licensing, certification, or 
        accreditation of health care providers.

SEC. 303. PUBLIC HEALTH.

    A health information custodian, to the extent the Secretary 
determines appropriate, may disclose protected health information, 
without obtaining an authorization under section 103--
            (1) to a public health authority for use in legally 
        authorized disease or injury reporting, public health 
        surveillance, or a public health investigation or intervention; 
        or
            (2) to a person who is otherwise authorized by law or a 
        public health authority to receive the information for public 
        health purposes.

SEC. 304. HEALTH RESEARCH.

    (a) In General.--A health information custodian, to the extent the 
Secretary determines appropriate, may disclose protected health 
information for health research, without obtaining an authorization 
under section 103.
    (b) Minimum Requirements.--A health information custodian may 
disclose protected health information without such an authorization 
only for uses that have been approved by an entity certified by the 
Secretary.
    (c) Regulations.--The Secretary shall promulgate regulations that, 
at a minimum--
            (1) require that, before approving a use of protected 
        health information for purposes of subsection (b), a certified 
        entity shall determine that--
                    (A) the importance of the health research outweighs 
                the intrusion into the privacy of the protected 
                individuals who are the subjects of the protected 
                health information; and
                    (B) it would be impracticable to conduct the health 
                research without using the protected health 
                information;
            (2) establish requirements for certifying entities that 
        ensure that such entities--
                    (A) meet the requirements for institutional review 
                boards established under section 491(a) of the Public 
                Health Service Act with respect to information 
                protection, use, and disclosure; and
                    (B) are qualified to assess and protect the 
                confidentiality of protected health information; and
            (3) require a person conducting health research to remove 
        or destroy personal identifiers at the earliest opportunity 
        consistent with the purpose of the research, unless a certified 
        entity has determined that there is a health or research 
        justification for retention of identifiers and the person has 
        an adequate plan to protect the identifiers from improper use 
        and disclosure.

SEC. 305. LAW ENFORCEMENT.

    (a) In General.--A health information custodian may disclose 
protected health information to a law enforcement official for a law 
enforcement inquiry if the law enforcement official complies with the 
fourth amendment to the Constitution.
    (b) Construction.--For purposes of subsection (a), all protected 
health information shall be treated as if it were held in a home over 
which the protected individual has exclusive authority.
    (c) Relationship to Health Oversight Activities.--This section 
shall not apply to a disclosure of protected health information for 
purposes of health oversight.

SEC. 306. JUDICIAL OR ADMINISTRATIVE PROCEEDINGS.

    (a) In General.--A health information custodian, to the extent the 
Secretary determines appropriate, may disclose protected health 
information, without obtaining an authorization under section 103, 
pursuant to--
            (1) a judicial or administrative subpoena issued in a civil 
        administrative or judicial adjudication; or
            (2) a subpoena issued by a defendant in a criminal 
        proceeding.
    (b) Minimum Requirements.--A health information custodian may not 
disclose protected health information about a protected individual 
under this section, unless the individual has had--
            (1) reasonable notice of the subpoena; and
            (2) a reasonable opportunity to move the court, or other 
        presiding official, to quash the subpoena on the basis that the 
        individual's privacy interest outweighs the interest of the 
        person seeking the information.

SEC. 307. OTHER DISCLOSURES.

    A health information custodian, to the extent the Secretary 
determines appropriate, may disclose protected health information, 
without obtaining an authorization under section 103--
            (1) where necessary to prevent or lessen a serious threat 
        to the health or safety of an individual;
            (2) to a next of kin;
            (3) to individuals with close personal relationships with 
        the protected individual;
            (4) for purposes of directory information within a health 
        care facility; and
            (5) for State data systems.

SEC. 308. REDISCLOSURES.

    (a) In General.--A health information custodian who receives 
protected health information through a disclosure under this title, to 
the extent the Secretary determines appropriate, may redisclose such 
information to carry out the purposes for which the information was 
disclosed to the custodian.
    (b) Prohibition.--Notwithstanding subsection (a), protected health 
information received by a health information custodian through a 
disclosure under this title may not be disclosed to any person for use 
in, or be used in, any administrative, civil, or criminal action or 
investigation directed against the protected individual who is the 
subject of the information, unless--
            (1) the action or investigation arises out of and is 
        directly related to the purpose for which the information was 
        obtained by the custodian; or
            (2) the use or disclosure is authorized--
                    (A) by law for the protection of the public health; 
                or
                    (B) by an appropriate order of a court of competent 
                jurisdiction, granted, after a hearing with notice to 
                the health information custodian and to all other 
                affected individuals, on the basis that there is--
                            (i) probable cause to believe that all 
                        other possible sources for the information have 
                        been exhausted; and
                            (ii) a specific and compelling public 
                        interest in disclosure or use that outweighs--
                                    (I) the privacy interest of the 
                                protected individual;
                                    (II) the effect of the disclosure 
                                on future provision of health care; and
                                    (III) the effect of the disclosure 
                                on health research and health oversight 
                                functions.

                   TITLE IV--MISCELLANEOUS PROVISIONS

SEC. 401. SPECIFIC CLASSES OF INDIVIDUALS.

    (a) Minors.--Individuals under the age of 18 shall have privacy 
protections regarding protected health information that are at least 
equivalent to those recommended in part II.F.4 of the Secretary's HIPAA 
recommendations (relating to ``Minors'').
    (b) Agents and Attorneys.--
            (1) In general.--To the extent the Secretary determines 
        appropriate, a person may exercise the rights of a protected 
        individual under this Act, if--
                    (A) the person is authorized by law (other than on 
                account of minority), or by an instrument recognized 
                under law, to act for the protected individual; or
                    (B) the protected individual is not capable of 
                exercising his or her rights under this Act and there 
                has been no formal legal arrangement for others to 
                exercise the rights.
            (2) Relationship to recommendations.--The authority of such 
        a person to exercise the rights of a protected individual shall 
        be equivalent to the authority described in parts II.F.5 and 
        II.F.6 of the Secretary's HIPAA recommendations (relating to 
        ``Powers of Attorney'' and ``Patients Unable to Make Choices 
        for Themselves'').
    (c) Deceased Persons.--Deceased individuals shall have privacy 
protections regarding protected health information that are at least 
equivalent to those recommended by the Secretary in part II.F.1 of the 
Secretary's HIPAA recommendations (relating to ``Deceased Persons'').

SEC. 402. FALSE PRETENSES.

    A person may not--
            (1) obtain or disclose protected health information from a 
        health information custodian or affiliated person under false 
        pretenses; or
            (2) knowingly disseminate protected health information 
        obtained in violation of this Act.

SEC. 403. OBLIGATIONS OF AFFILIATED PERSONS.

    An affiliated person shall be subject to the same requirements with 
respect to use and disclosure of protected health information as apply 
to the health information custodian with whom the affiliated person is 
affiliated, except that an affiliated person--
            (1) is subject to the requirements of sections 201 and 202 
        only if the affiliated person maintains the individual's 
        protected health information and the health information 
        custodian does not maintain the individual's protected health 
        information; and
            (2) is subject to the requirements of section 203 only to 
        the extent that the affiliated person makes a disclosure.

SEC. 404. PROHIBITION OF RETALIATION WITH RESPECT TO EMPLOYMENT.

    A person may not subject an individual to retaliation, in regard to 
job application procedures, the hiring, advancement, or discharge of 
employees, employee compensation, job training, or other terms, 
conditions, and privileges of employment, for reporting to a 
governmental agency conditions that may constitute a violation of a 
requirement under this Act.

SEC. 405. MENTAL HEALTH AND OTHER ESPECIALLY SENSITIVE INFORMATION.

    (a) Additional Limitations.--Not later than 1 year after the date 
of the enactment of this Act, the Secretary--
            (1) shall consider, after consulting with physicians and 
        other health care providers, patients, and other appropriate 
        groups, additional limitations relating to access to, and use 
        and disclosure of, mental health and other especially sensitive 
        protected health information; and
            (2) shall promulgate regulations to provide any such 
        additional limitations as the Secretary determines to be 
        appropriate.
    (b) Right of Access.--For purposes of subsection (a)(2), the 
Secretary may limit an individual's access to his or her mental health 
information, if the information is not used by, or disclosed to, any 
person other than the health care provider who received or created the 
information.
    (c) Psychotherapist-Patient Privilege.--Nothing in this Act shall 
be construed to preempt, supersede, or modify the operation of the 
psychotherapist-patient privilege recognized by the Supreme Court in 
Jaffee v. Redmond, 518 U.S. 1 (1996).

SEC. 406. CESSATION OF OPERATIONS.

    Not later than 1 year after the date of the enactment of this Act, 
the Secretary shall promulgate regulations that ensure that the 
reasonable expectation of privacy of protected individuals in protected 
health information is maintained when health information custodians 
cease operations.

SEC. 407. CONFORMING AMENDMENTS TO FEDERAL PRIVACY ACT.

    (a) New Subsection.--Section 552a of title 5, United States Code, 
is amended by adding at the end the following:
    ``(w) Medical Exemptions.--The head of an agency that is a health 
information custodian (as defined in section 504 of the Health 
Information Privacy Act) shall promulgate rules, in accordance with the 
requirements (including general notice) of subsections (b)(1), (b)(2), 
(b)(3), (c), and (e) of section 553 of this title, to exempt a system 
of records within the agency, to the extent that the system of records 
contains protected health information (as defined in section 504 of 
such Act), from all provisions of this section except subsections 
(e)(1), (e)(2), subparagraphs (A) through (C) and (E) through (I) of 
subsection (e)(4), and subsections (e)(5), (e)(6), (e)(9), (e)(12), 
(l), (n), (o), (p), (q), (r), and (u).''.
    (b) Repeal.--
            (1) In general.--Section 552a(f)(3) of title 5, United 
        States Code, as amended by this Act, is amended by striking 
        ``pertaining to him,'' and all that follows through the 
        semicolon and inserting ``pertaining to the individual;''.
            (2) Effective date.--The amendment made by paragraph (1) 
        shall take effect 18 months after the date of the enactment of 
        this Act.

                      TITLE V--GENERAL PROVISIONS

SEC. 501. AUTHORITY OF THE SECRETARY.

    (a) Regulations.--
            (1) In general.--Not later than 1 year after the date of 
        the enactment of this Act, the Secretary shall promulgate such 
        regulations as may be necessary to implement this Act, 
        including regulations establishing recordkeeping or reporting 
        requirements. Such regulations may provide greater protection 
        of protected health information, or more rights to protected 
        individuals regarding such information, than is provided by the 
        minimum requirements set forth in this Act.
            (2) Protections for other health information.--The 
        Secretary may promulgate such regulations as may be necessary 
        to protect the privacy of individually identifiable health 
        information that is not protected health information.
            (3) Consultation.--In promulgating regulations under this 
        Act, the Secretary shall consult with elected State and local 
        government officials.
    (b) Research and Development.--The Secretary may sponsor or carry 
out research and development activities related to the protection of 
the privacy of individually identifiable health information.
    (c) Public Awareness and Training.--The Secretary may sponsor or 
carry out activities to inform protected individuals of their rights 
under this Act or to inform other persons of their rights or 
responsibilities under this Act. The Secretary may also sponsor or 
carry out training to increase compliance with requirements under this 
Act.
    (d) Other Authorities.--The Secretary may hold hearings, administer 
oaths, require the testimony or deposition of witnesses, require the 
production of documents or the answering of interrogatories, or enter 
and inspect premises owned or controlled by health information 
custodians in order to ensure compliance with this Act or otherwise 
further the purposes of this Act.

SEC. 502. ENFORCEMENT.

    (a) Equitable Relief.--The Secretary may bring an action in an 
appropriate court to enjoin a violation of a requirement under this Act 
or to obtain such other equitable relief as may be appropriate under 
the circumstances.
    (b) Civil Money Penalties.--Any person who the Secretary determines 
has failed to comply with a requirement under this Act shall be 
subject, in addition to any other penalties that may be prescribed by 
law, to a civil penalty of not more than $10,000 for each such failure. 
The provisions of section 1128A of the Social Security Act (other than 
subsections (a) and (b)) shall apply to the imposition of a civil money 
penalty under this subsection in the same manner as such provisions 
apply with respect to the imposition of a penalty under section 1128A 
of such Act.
    (c) Criminal Penalties.--
            (1) In general.--Whoever knowingly violates a requirement 
        under this Act shall be fined under title 18, United States 
        Code, imprisoned for not more than 5 years, or both.
            (2) Monetary gain.--Whoever knowingly violates a 
        requirement under this Act, with the intent to sell, transfer, 
        or use protected health information obtained through the 
        violation for profit or monetary gain, shall be fined under 
        title 18, United States Code, imprisoned for not more than 10 
        years, or both.
    (d) Civil Actions.--
            (1) In general.--
                    (A) Injunction or damages.--A protected individual 
                who is adversely affected by a person's violation of a 
                requirement under this Act may bring an action--
                            (i) to enjoin the violation; or
                            (ii) in the case of a knowing or negligent 
                        violation, to recover from the person the 
                        greater of--
                                    (I) the compensatory damages 
                                (including nonpecuniary damages) 
                                incurred by the protected individual as 
                                a result of the violation; or
                                    (II) liquidated damages of $5,000 
                                per action.
                    (B) Costs and attorney's fees.--A protected 
                individual bringing an action under subparagraph (A) 
                may recover the costs of litigation and reasonable 
                attorney's fees (including expert fees). The United 
                States shall be liable for fees and costs under this 
                subparagraph the same as a private person.
                    (C) Punitive damages.--In the case of a knowing 
                violation, the person committing the violation may also 
                be held liable for punitive damages.
            (2) Time for commencing action.--An action under this 
        subsection shall be commenced not later than 3 years after the 
        date on which the violation was discovered or reasonably should 
        have been discovered.

SEC. 503. RELATIONSHIP TO OTHER LAWS.

    (a) In General.--
            (1) Federal, state, or local laws.--The requirements under 
        this Act shall not preempt, supersede, or modify the operation 
        of, any Federal, State, or local law that provides--
                    (A) greater protection of protected health 
                information; or
                    (B) more rights to protected individuals regarding 
                such information.
            (2) Petitions.--
                    (A) Advisory determinations.--Any person may 
                petition the Secretary for an advisory determination 
                whether the operation of a particular Federal, State, 
                or local law satisfies the standard in paragraph (1). 
                Any person who acts in reliance on such advisory 
                determination shall not be subject to any penalty or 
                liability under section 502, except as provided in 
                subparagraph (B).
                    (B) Contrary court determination.--If a Federal or 
                State court has reached a determination whether the 
                operation of a particular Federal, State, or local law 
                satisfies the standard in paragraph (1), a person 
                thereafter may not rely on an advisory determination 
                under subparagraph (A) to the contrary.
    (b) Specific Laws.--This Act shall not be construed to preempt, 
supersede, or modify the operation of, any of the following:
            (1) Any law that provides for the reporting of vital 
        statistics such as birth or death information.
            (2) Any law that requires the reporting of abuse or neglect 
        information about an individual or other information relating 
        to violence against an individual.
            (3) Subpart II of part E of title XXVI of the Public Health 
        Service Act (relating to notifications of emergency response 
        employees of possible exposure to infectious diseases).
            (4) The Americans with Disabilities Act of 1990.
            (5) Any law that establishes a privilege for records used 
        in health professional peer review activities.
            (6) Any law that requires the disclosure of protected 
        health information, if the disclosure is permitted under this 
        Act.
    (c) Department of Veterans Affairs.--The limitations on use and 
disclosure of protected health information under this Act shall not be 
construed to prevent any exchange of such information within and among 
components of the Department of Veterans Affairs that determine 
eligibility for or entitlement to, or that provide, benefits under laws 
administered by the Secretary of Veterans Affairs.
    (d) Congress.--Nothing in this Act shall be interpreted to affect 
the ability of the Congress, a committee of the Congress, or the 
Members of the Congress referred to in section 2954 of title 5, United 
States Code, to obtain such information as may be necessary for the 
fulfillment of the Congress', the committee's, or the Members' 
legislative or oversight functions.
    (e) Privileges.--A disclosure about a protected individual made 
under title III, or a protected individual's disclosure of protected 
health information for the purpose of obtaining, or paying for, health 
care, may not be construed as diminishing, waiving, or otherwise 
impairing any privilege that the protected individual has in a court of 
a State or the United States.

SEC. 504. DEFINITIONS.

    For purposes of this Act:
            (1) Affiliated person.--The term ``affiliated person'' 
        means a person who--
                    (A) is not a health information custodian;
                    (B) is an agent or contractor of a health 
                information custodian; and
                    (C) pursuant to an agreement with such custodian, 
                receives, creates, uses, maintains, or discloses 
                protected health information.
            (2) Disclose.--The term ``disclose'', when used with 
        respect to protected health information, means to provide 
        access to the information to a person other than--
                    (A) the custodian or an officer or employee of the 
                custodian;
                    (B) an affiliated person of the custodian; or
                    (C) a protected individual who is a subject of the 
                information.
            (3) Disclosure.--The term ``disclosure'' means the act or 
        an instance of disclosing.
            (4) Health care.--The term ``health care'' means--
                    (A) any preventive, diagnostic, therapeutic, 
                rehabilitative, maintenance, or palliative care, 
                counseling, service, or procedure--
                            (i) with respect to the physical or mental 
                        condition, or functional status, of an 
                        individual; or
                            (ii) affecting the structure or function of 
                        the human body or any part of the human body, 
                        including banking of blood, sperm, organs, or 
                        any other tissue for administration to 
                        patients; or
                    (B) any sale or dispensing of a drug, device, 
                equipment, or other item to an individual, or for the 
                use of an individual, pursuant to a prescription.
            (5) Health care payer.--The term ``health care payer'' 
        means a person who pays for health care in the ordinary course 
        of business.
            (6) Health care provider.--The term ``health care 
        provider'' means a person who provides health care in the 
        ordinary course of business or practice of a profession, 
        pursuant to license, certification, accreditation, or other 
        legal authorization.
            (7) Health information custodian.--
                    (A) In general.--The term ``health information 
                custodian'' means a health care provider, a health care 
                payer, or any other person who obtains protected health 
                information as a result of a disclosure authorized 
                under this Act.
                    (B) Exceptions.--Such term does not include--
                            (i) an affiliated person;
                            (ii) an individual who obtains protected 
                        health information under paragraph (2), (3), or 
                        (4) of section 307; or
                            (iii) an individual who receives protected 
                        health information in a public health 
                        intervention because the individual's health is 
                        at risk.
            (8) Health research.--The term ``health research'' means a 
        biomedical, epidemiological, or health services research or 
        statistics project, or a research project on behavioral and 
        social factors affecting health, that is designed to develop or 
        contribute to generalizable scientific or clinical knowledge.
            (9) Law enforcement inquiry.--The term ``law enforcement 
        inquiry'' means a lawful investigation or official proceeding 
        inquiring into a violation of, or failure to comply with, any 
        criminal or civil statute or any regulation, rule, or order 
        issued pursuant to such a statute.
            (10) Person.--The term ``person'' includes an authority of 
        the United States, a State, or a political subdivision of a 
        State.
            (11) Protected health information.--The term ``protected 
        health information'' means any information, whether oral or 
        recorded in any form or medium, that--
                    (A) relates in any way to the past, present, or 
                future physical or mental health or condition of a 
                protected individual, the provision of health care to 
                an individual, or payment for the provision of health 
                care to an individual;
                    (B) is received or created by a health care 
                provider in the ordinary course of business or practice 
                of a profession or by a health care payer, or is 
                obtained as a result of a disclosure authorized under 
                this Act; and
                    (C) identifies the individual, or with respect to 
                which there is a reasonable basis to believe that the 
                information can be used to identify the individual.
            (12) Protected individual.--The term ``protected 
        individual'' means an individual who is the subject of 
        protected health information.
            (13) Secretary.--The term ``Secretary'' means the Secretary 
        of Health and Human Services.
            (14) Secretary's hipaa recommendations.--The term 
        ``Secretary's HIPAA recommendations'' means the recommendations 
        of the Secretary of Health and Human Services, pursuant to 
        section 264 of the Health Insurance Portability and 
        Accountability Act of 1996, entitled ``Confidentiality of 
        Individually-Identifiable Health Information'' that were 
        submitted to the Committee on Commerce and the Committee on 
        Ways and Means of the House of Representatives and the 
        Committee on Labor and Human Resources and the Committee on 
        Finance of the Senate, on September 11, 1997.
            (15) State.--The term ``State'' includes the District of 
        Columbia, Puerto Rico, the Virgin Islands, Guam, American 
        Samoa, and the Northern Mariana Islands.
            (16) Use.--The term ``use'', when used with respect to 
        protected health information that is held by a health 
        information custodian, means--
                    (A) to use, or provide access to, the information 
                in any manner that does not constitute a disclosure; or
                    (B) any act or instance of using, or providing 
                access, described in subparagraph (A).

SEC. 505. EFFECTIVE DATE.

    The requirements under this Act applicable to health information 
custodians and affiliated persons shall take effect 18 months after the 
date of the enactment of this Act.