[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2878 Introduced in House (IH)]

106th CONGRESS
  1st Session
                                H. R. 2878

To protect the privacy of health information in the age of genetic and 
            other new technologies, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           September 15, 1999

 Mr. McDermott (for himself, Mr. Stark, Mr. Rush, Mr. Romero-Barcelo, 
Mrs. Mink of Hawaii, Mr. Frost, Mr. Nadler, Ms. Slaughter, Mr. Lewis of 
   Georgia, Mr. Frank of Massachusetts, Mr. Hinchey, and Mr. Weiner) 
 introduced the following bill; which was referred to the Committee on 
Commerce, and in addition to the Committee on Government Reform, for a 
 period to be subsequently determined by the Speaker, in each case for 
consideration of such provisions as fall within the jurisdiction of the 
                          committee concerned

_______________________________________________________________________

                                 A BILL


To protect the privacy of health information in the age of genetic and 
            other new technologies, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Medical Privacy in 
the Age of New Technologies Act of 1999''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings and purposes.
Sec. 3. Definitions.
                      TITLE I--INDIVIDUALS' RIGHTS

 Subtitle A--Review of Protected Health Information by Subjects of the 
                              Information

Sec. 101. Inspection and copying of protected health information.
Sec. 102. Correction or amendment of protected health information.
Sec. 103. Notice of information practices.
                Subtitle B--Establishment of Safeguards

Sec. 111. Establishment of safeguards.
Sec. 112. Accounting for disclosures.
Sec. 113. Prohibition against retaliation.
              TITLE II--RESTRICTIONS ON USE AND DISCLOSURE

Sec. 201. General rules regarding use and disclosure.
Sec. 202. Authorizations for disclosure of protected health information 
                            for treatment or payment.
Sec. 203. Authorizations for disclosure of protected health information 
                            for purposes other than treatment or 
                            payment.
Sec. 204. Creation of nonidentifiable and coded information.
Sec. 205. Next of kin and directory information.
Sec. 206. Emergency circumstances.
Sec. 207. Oversight.
Sec. 208. Accreditation.
Sec. 209. Public health.
Sec. 210. Health research.
Sec. 211. Judicial and administrative purposes.
Sec. 212. General requirements governing subpoenas.
Sec. 213. Additional requirements for law enforcement access.
                          TITLE III--SANCTIONS

                      Subtitle A--Civil Sanctions

Sec. 301. Civil penalty.
Sec. 302. Civil action.
                     Subtitle B--Criminal Sanctions

Sec. 311. Wrongful disclosure of protected health information.
                        TITLE IV--MISCELLANEOUS

Sec. 401. Regulations.
Sec. 402. Relationship to other laws.
Sec. 403. Effective dates.
Sec. 404. Applicability.

SEC. 2. FINDINGS AND PURPOSES.

    (a) Findings.--The Congress finds as follows:
            (1) Health information plays a vital role in every aspect 
        of an individual's life. It includes some of the most sensitive 
        information available about an individual.
            (2) An individual's health information is currently 
        accessible to many people who do not need the information to 
        provide health care to the individual, often without the 
        individual's knowledge or consent.
            (3) Individuals will be deterred from using the health care 
        system unless they are assured that the confidentiality of 
        their health information will be respected.
            (4) There exists little Federal protection of the 
        confidentiality of an individual's health information.
            (5) While health information often is transferred across 
        State lines, protection of the confidentiality of health 
        information varies greatly from State to State, with little 
        protection in some States.
            (6) New technologies increase the importance of addressing 
        new threats to the confidentiality of health information. For 
        example, technologies that permit an individual's health 
        information to be computerized increase the possibility of 
        unauthorized electronic access to the information. Technologies 
        that provide genetic information provide information not just 
        about an individual's current health but also about the 
        individual's potential future health and the health of the 
        individual's relatives. This creates potential new uses and 
        abuses of genetic health information that need to be addressed 
        by legislation.
            (7) The potential benefits from new genetic technologies 
        will not be realized if individuals cannot trust that their 
        health information is safe from unauthorized uses.
    (b) Purposes.--The purposes of this Act are as follows:
            (1) To recognize that there is a right to privacy with 
        respect to health information, including genetic information, 
        and that this right must be protected accordingly.
            (2) To ensure that an individual's interest in the privacy 
        of their health information cannot be overridden without 
        meaningful notice and informed consent, except in limited 
        circumstances where there is a compelling public interest.
            (3) To provide individuals--
                    (A) access to health information of which they are 
                the subject; and
                    (B) the power to challenge the accuracy and 
                completeness of, and amend or correct, records 
                containing such information.
            (4) To establish a minimum Federal standard for the 
        protection of health information which will promote 
        confidentiality while allowing efficient transfer of health 
        information between States.
            (5) To help ensure the confidentiality of computerized or 
        electronically transferred health information.
            (6) To restrict the gathering of aggregate health 
        information for financial gain or other purposes without each 
        subject's knowledge or consent.
            (7) To establish strong and effective remedies for 
        violations of this Act.

SEC. 3. DEFINITIONS.

    As used in this Act:
            (1) Accrediting body.--The term ``accrediting body'' means 
        a body, committee, organization, or institution that has been 
        authorized by law, or is recognized by a health care regulating 
        authority, with respect to accreditation, licensing, or 
        credentialing of health care providers or health care 
        facilities.
            (2) Coded health information.--The term ``coded health 
        information'' means any protected health information--
                    (A) in which all identifying information has been 
                replaced by a unique identifier, and where neither the 
                remaining information nor the unique identifier, on its 
                face, identifies an individual;
                    (B) which cannot easily be used or manipulated in a 
                manner that reveals the identity of an individual; and
                    (C) which can only be linked or matched to other 
                information in a manner that reveals the identity of an 
                individual by a person authorized to carry out such 
                functions under section 204.
            (3) Disclose.--The term ``disclose'' when used with respect 
        to protected health information that is held by a health 
        information trustee, means to release, transfer, provide access 
        to, or otherwise divulge the information to any person other 
        than an individual who is the subject of the information. Such 
        term includes the placement of protected health information 
        into a computerized data base, networked computer system, or 
        any other electronic or magnetic data system, that more than 
        one person may access by any means. Such term does not include 
        oral communication between an individual who is the subject of 
        protected health information and a health care provider 
        delivering health care to such individual.
            (4) Electronic.--The term ``electronic'', when used with 
        reference to information, means--
                    (A) in electronic or magnetic form;
                    (B) in an optical storage form;
                    (C) computer-based;
                    (D) computer-associated; or
                    (E) in some other form that--
                            (i) is appropriate for non-paper-based 
                        information processing or storage; and
                            (ii) exists on the date of the enactment of 
                        this Act or is developed subsequent to such 
                        date.
            (5) Health care.--The term ``health care'' means--
                    (A) any sale or dispensing of a drug, device, 
                equipment, or other item to an individual, or for the 
                use of an individual, pursuant to a prescription; and
                    (B) any preventive, predictive, diagnostic, 
                therapeutic, rehabilitative, maintenance, or palliative 
                care, counseling, service, or procedure--
                            (i) with respect to the physical or mental 
                        condition of an individual; or
                            (ii) affecting the structure or function of 
                        the human body or any part of the human body, 
                        including individual cells and their 
                        components.
            (6) Health care provider.--The term ``health care 
        provider'' means a person who, with respect to a specific item 
        of protected health information, receives, creates, uses, 
        maintains, or discloses the information while acting in whole 
        or in part in the capacity of--
                    (A) a person who is licensed, certified, 
                registered, or otherwise authorized by law to provide 
                an item or service that constitutes health care, in the 
                ordinary course of business or practice of a 
                profession; or
                    (B) a Federal or State program that directly 
                provides items or services that constitute health care 
                to beneficiaries.
            (7) Health information trustee.--The term ``health 
        information trustee'' means--
                    (A) a person who is a health care provider, health 
                plan, health oversight agency, public health authority, 
                health researcher, employer, insurer, school, 
                institution of higher education, or insurance support 
                organization, insofar as the person creates, receives, 
                obtains, maintains, uses, or transmits protected health 
                information; or
                    (B) any employee, agent, or contractor of a person 
                described in subparagraph (A), insofar as the employee, 
                agent, or contractor creates, receives, obtains, 
                maintains, uses, or transmits protected health 
                information.
            (8) Health oversight agency.--The term ``health oversight 
        agency'' means a person who--
                    (A) performs or oversees the performance of an 
                assessment, investigation, or prosecution relating to--
                            (i) compliance with legal or fiscal 
                        standards pertinent to health care fraud, 
                        including fraudulent claims regarding health 
                        care, health services or equipment, or related 
                        activities and items; or
                            (ii) the protection of individuals from 
                        harm, abuse, neglect, or exploitation; and
                    (B) is a public agency, acting on behalf of a 
                public agency, acting pursuant to a requirement of a 
                public agency, or carrying out activities under a 
                Federal or State law governing an assessment, 
                investigation, or prosecution described in subparagraph 
                (A).
            (9) Health plan.--The term ``health plan'' means any health 
        insurance plan, including any hospital or medical service plan, 
        dental or other health service plan or health maintenance 
        organization plan, or other program providing payment for 
        health care, whether or not funded through the purchase of 
        insurance.
            (10) Health researcher.--The term ``health researcher'' 
        means a person who conducts, using protected health 
        information, a systematic investigation, or research 
        development, testing, or evaluation, to develop or contribute 
        to scientific or medical knowledge.
            (11) Individual representative.--The term ``individual 
        representative'' means any individual legally empowered to make 
        decisions concerning the provision of health care to an 
        individual (where the individual lacks the legal capacity under 
        State law to make such decisions) or the administrator or 
        executor of the estate of a deceased individual.
            (12) Insurance support organization.--
                    (A) In general.--Subject to subparagraph (B), the 
                term ``insurance support organization'' means any 
                person who regularly engages, in whole or in part, in 
                the practice of assembling and providing information 
                about individuals to an insurer or health plan for 
                insurance transactions, including--
                            (i) the furnishing of consumer reports or 
                        investigative consumer reports to an insurer or 
                        health plan for use in connection with an 
                        insurance transaction; or
                            (ii) the collection of personal information 
                        from insurers, health plans, or other insurance 
                        support organizations for the purpose of 
                        detecting or preventing fraud or material 
                        misrepresentation in connection with insurance 
                        underwriting or insurance claim activity.
                    (B) Persons excluded.--Such term does not include 
                any person who is treated as a health information 
                trustee under any other provision of this Act.
            (13) Law enforcement inquiry.--The term ``law enforcement 
        inquiry'' means an official law enforcement investigation or 
        proceeding inquiring into a violation of, or failure to comply 
        with, any law.
            (14) Nonidentifiable health information.--The term 
        ``nonidentifiable health information'' means information that 
        would be protected health information, except that--
                    (A) it is impossible to ascertain, based on the 
                information, or on any codes or identifiers related to 
                the information, the identity of any individual whose 
                health or condition is the subject of the information; 
                and
                    (B) it cannot be linked or matched by a foreseeable 
                method to any other information that pertains to any 
                such individual.
            (15) Person.--The term ``person'' means any of the 
        following:
                    (A) An individual.
                    (B) A government.
                    (C) A governmental subdivision, agency or 
                authority.
                    (D) A corporation.
                    (E) A company.
                    (F) An association.
                    (G) A firm.
                    (H) A partnership.
                    (I) A society.
                    (J) An estate.
                    (K) A trust.
                    (L) A joint venture.
                    (M) An individual representative.
                    (N) Any other legal entity.
            (16) Protected health information.--The term ``protected 
        health information'' means any information, including 
        information derived from a biological sample from the human 
        body and demographic information about an individual, whether 
        oral or recorded in any form or medium, that--
                    (A) is created or received by a health information 
                trustee or an accrediting body;
                    (B) relates to--
                            (i) the past, present, or future physical 
                        or mental health, predisposition, or condition 
                        of an individual, or individuals related by 
                        blood to the individual;
                            (ii) the provision of health care to an 
                        individual; or
                            (iii) the past, present, or future payment 
                        for the provision of health care to an 
                        individual; and
                    (C)(i) identifies such individual;
                    (ii) with respect to which there is a reasonable 
                basis to believe that the information can be used to 
                identify such individual; or
                    (iii) could be linked or matched by a foreseeable 
                method to any other information which pertains to such 
                individual.
            (17) Protected health information subfile.--The term 
        ``protected health information subfile'' means any amount of 
        protected health information which is segregated pursuant to 
        section 201(c).
            (18) Public health authority.--The term ``public health 
        authority'' means an authority or instrumentality of the United 
        States, a State, or a political subdivision of a State that--
                    (A) is charged by statute with responsibility for 
                public health matters; and
                    (B) is engaged in such activities as injury 
                reporting, public health surveillance, and public 
                health investigation or intervention.
            (19) Secretary.--The term ``Secretary'' means the Secretary 
        of Health and Human Services.
            (20) State.--The term ``State'' includes the District of 
        Columbia, Puerto Rico, the Virgin Islands, Guam, American 
        Samoa, and the Northern Mariana Islands.
            (21) Writing.--The term ``writing'' means writing in either 
        a paper-based or electronic form.

                      TITLE I--INDIVIDUALS' RIGHTS

 Subtitle A--Review of Protected Health Information by Subjects of the 
                              Information

SEC. 101. INSPECTION AND COPYING OF PROTECTED HEALTH INFORMATION.

    (a) In General.--Except as provided in subsections (b) and (h), a 
health information trustee shall permit an individual who is the 
subject of protected health information, or the individual's designee, 
to inspect and copy protected health information concerning the 
individual, including records created under section 102, that the 
trustee maintains. A health information trustee may require an 
individual to reimburse the trustee for the reasonable cost of such 
inspection and copying.
    (b) Exception.--
            (1) In general.--A health care provider who is delivering, 
        or has delivered, health care to an individual who is the 
        subject of protected health information relating to such health 
        care is not required by this section to permit inspection or 
        copying of the information, where such inspection or copying 
        reasonably could be expected to endanger the life or physical 
        or mental safety of any individual.
            (2) Alternative disclosure.--In any case where a health 
        care provider determines that the provider, pursuant to 
        paragraph (1), will not permit an individual to inspect or copy 
        protected health information, the provider may permit 
        inspection or copying by the individual's designee.
    (c) Denial of a Request for Inspection or Copying.--If a health 
information trustee denies a request for inspection or copying under 
subsection (b), the trustee shall inform the individual in writing of--
            (1) the reasons for the denial of the request;
            (2) any procedures for further review of the denial; and
            (3) the individual's right to file with the trustee, if the 
        individual so wishes, a concise statement setting forth the 
        request for inspection or copying.
    (d) Statement Regarding Request.--If an individual has filed a 
statement under subsection (c)(3) setting forth the request, the health 
information trustee in any subsequent disclosure of the portion of the 
information requested shall include--
            (1) a copy of the individual's statement; and
            (2) a concise statement of the reasons for denying the 
        request for inspection or copying.
    (e) Rule of Construction.--This section shall not be construed to 
require a health information trustee to conduct a formal, informal, or 
other hearing or proceeding concerning a request for inspection or 
copying of protected health information.
    (f) Inspection and Copying of Segregable Portion.--A health 
information trustee shall permit inspection and copying under 
subsection (a) of any reasonably segregable portion of a record after 
deletion of any portion that is exempt under subsection (b).
    (g) Deadline.--A health information trustee shall comply with or 
deny, in accordance with subsection (c), a request for inspection or 
copying of protected health information under this section within the 
30-day period beginning on the date on which the trustee receives the 
request.
    (h) Rules Governing Agents and Contractors.--
            (1) In general.--A person acting in the capacity of an 
        agent or contractor of a health care provider, health plan, 
        health oversight agency, public health authority, health 
        researcher, employer, insurer, school, institution of higher 
        education, or insurance support organization is not responsible 
        for providing for the inspection or copying of protected health 
        information under this section, except when the agent or 
        contractor has been notified by their principal that a request 
        for inspection or copying has been made to the principal under 
        section (a) and has not been denied under section (b).
            (2) Coded health information.--In any case where a person 
        acting in the capacity of an agent or contractor of a health 
        care provider, health plan, health oversight agency, public 
        health authority, health researcher, employer, insurer, school, 
        institution of higher education, or insurance support 
        organization is requested to provide for the inspection or 
        copying of coded health information under this section, the 
        person shall inform the individual making the request that the 
        individual should contact a person authorized under section 204 
        to link or match the coded health information to reveal the 
        identity of the individual who is the subject of the 
        information.

SEC. 102. CORRECTION OR AMENDMENT OF PROTECTED HEALTH INFORMATION.

    (a) In General.--Unless proceeding under subsection (b), and except 
as provided in subsection (f), a health information trustee, within the 
45-day period beginning on the date on which the trustee receives from 
an individual a written request to correct or amend protected health 
information about the individual--
            (1) shall make the correction or amendment requested;
            (2) shall inform the individual of the correction or 
        amendment that has been made; and
            (3) shall make reasonable efforts to inform any person who 
        is identified by the individual, and to whom the uncorrected or 
        unamended portion of the information was previously disclosed, 
        of the correction or amendment that has been made.
    (b) Refusal To Correct or Amend.--If the health information trustee 
refuses to make the correction or amendment, the trustee shall inform 
the individual, within the 45-day period beginning on the date on which 
the trustee receives the individual's request, of--
            (1) the reasons for the refusal to make the correction or 
        amendment;
            (2) any procedures for further review of the refusal; and
            (3) the individual's right to file with the trustee, if the 
        individual so wishes, a concise statement setting forth the 
        requested correction or amendment and the individual's reasons 
        for disagreeing with the refusal.
    (c) Statement of Disagreement.--If an individual has filed a 
statement of disagreement under subsection (b)(3), the health 
information trustee in any subsequent disclosure of the disputed 
portion of the information--
            (1) shall include a copy of the individual's statement; and
            (2) shall include a concise statement of the reasons for 
        not making the requested correction or amendment.
    (d) Rule of Construction.--This section shall not be construed to 
require a health information trustee to conduct a formal, informal, or 
other hearing or proceeding concerning a request for a correction or 
amendment to protected health information.
    (e) Correction.--For purposes of subsection (a), a correction is 
deemed to have been made to protected health information when 
information that has been disputed by an individual has been corrected, 
clearly marked as incorrect, or supplemented by correct information.
    (f) Rules Governing Agents and Contractors.--A person acting in the 
capacity of an agent or contractor of a health care provider, health 
plan, health oversight agency, public health authority, health 
researcher, employer, insurer, school, institution of higher education, 
or insurance support organization is not authorized to make corrections 
or amendments to protected health information received from their 
principal, except when the agent or contractor has been asked by the 
principal to fulfill the principal's obligations under this section.

SEC. 103. NOTICE OF INFORMATION PRACTICES.

    (a) Preparation of Written Notice.--A health information trustee 
shall prepare and provide, in accordance with subsection (b), a written 
notice containing the following:
            (1) Individuals' rights.--A description of the following 
        rights of an individual who is a subject of protected health 
        information maintained by the trustee:
                    (A) The right of the individual to request 
                segregation of protected health information, and to 
                restrict the use of such information by employees, 
                agents, and contractors of the trustee, under section 
                201(c).
                    (B) The right of the individual to inspect, copy, 
                amend, and correct the protected health information 
                under sections 101 and 102.
                    (C) The right of the individual to object to the 
                disclosure of the information to next of kin or in 
                directory information under section 205.
                    (D) The circumstances under which the information 
                may be used or disclosed without an authorization 
                executed by the individual.
                    (E) The right of the individual not to have 
                employment or the receipt of services conditioned upon 
                the execution by the individual of an authorization for 
                disclosure or use for any purpose other than treatment 
                or payment.
                    (F) The procedures the individual must follow in 
                order to exercise the foregoing rights.
            (2) Trustee information practices.--A description of the 
        trustee's health information practices, including the 
        safeguards and practices used to protect such information.
    (b) Availability of Notice to Subjects.--A health information 
trustee shall provide a copy of a notice prepared under this section to 
an individual who is a subject of protected health information--
            (1) along with any request for authorization to use or 
        disclose the information created pursuant to section 202 or 203 
        and presented by the trustee to the individual for execution;
            (2) at the first practicable opportunity after the trustee 
        uses or discloses the information without an authorization 
        executed by the individual;
            (3) at the first practicable opportunity after a health 
        information trustee commences the collection of the 
        information; or
            (4) when the individual requests to inspect, copy, correct, 
        or amend their protected health information pursuant to section 
        101 or 102.

                Subtitle B--Establishment of Safeguards

SEC. 111. ESTABLISHMENT OF SAFEGUARDS.

    (a) In General.--A health information trustee shall establish and 
maintain appropriate administrative, technical, and physical safeguards 
to ensure the confidentiality, security, accuracy, and integrity of 
protected health information created, received, obtained, maintained, 
used or transmitted by the trustee.
    (b) Safeguards for Electronic Information.--
            (1) Application and construction.--
                    (A) Application.--This subsection applies only with 
                respect to protected health information that is 
                electronic.
                    (B) Construction.--Nothing in this Act shall be 
                construed to require that protected health information 
                be created, received, maintained, used, or disclosed in 
                electronic form.
            (2) Requirements for electronic maintenance, use, and 
        disclosure.--The Secretary shall develop, and by regulation 
        impose on health information trustees, requirements for the 
        electronic maintenance, use, and disclosure of protected health 
        information. Such requirements shall include the following:
                    (A) Control of access to protected health 
                information.--
                            (i) In general.--A health information 
                        trustee shall implement controls with respect 
                        to access to electronic protected health 
                        information. The trustee may grant a request by 
                        any person for access to such information for 
                        use by the health information trustee, or for 
                        disclosure to another health information 
                        trustee, only after verifying that--
                                    (I) the person making the request 
                                can prove their identity; and
                                    (II) the proposed use of the 
                                protected health information, or the 
                                requested disclosure, is authorized 
                                under this Act.
                            (ii) Authentication of identity of 
                        requesters.--A health information trustee shall 
                        use a method of verification to verify the 
                        identity of persons requesting access to 
                        electronic protected health information. A 
                        health information trustee who issues a device 
                        that verifies the identity of a person making a 
                        request for information for purposes of this 
                        clause shall instruct the person in the proper 
                        care and use of the device and shall require 
                        the person to protect the device from misuse. 
                        Any system used by a health information trustee 
                        to maintain verification information collected 
                        under this clause shall prevent the disclosure 
                        of such verification information to any person 
                        other than a person who is specifically 
                        authorized to receive such information.
                    (B) Access for use by health information trustee.--
                A health information trustee shall limit the persons 
                who may use protected health information created or 
                maintained by the trustee in electronic form to persons 
                specifically authorized by the trustee to use such 
                information consistent with this Act.
                    (C) Disclosure to others.--
                            (i) Protection of requests for disclosure 
                        and responses.--A health information trustee 
                        who requests, using electronic means, to 
                        receive protected health information, or who 
                        responds, using electronic means, to such a 
                        request, shall implement procedures to prevent 
                        the interception of such request or response by 
                        persons who are not authorized to intercept it.
                            (ii) Identification of subject.--A health 
                        information trustee who receives, using 
                        electronic means, a request for protected 
                        health information from another health 
                        information trustee may not provide such 
                        information in response to the request unless 
                        the request contains sufficient details to 
                        uniquely identify one individual who is the 
                        subject of the request.
                    (D) Audit trail.--
                            (i) Access to information maintained by 
                        others.--A health information trustee shall 
                        maintain an electronic record concerning each 
                        attempt that is made by the trustee, whether 
                        authorized or unauthorized, successful or 
                        unsuccessful, to access protected health 
                        information that is maintained by any other 
                        health information trustee in electronic form. 
                        The record shall include the identity of the 
                        specific individual attempting to gain such 
                        access and information sufficient to identify 
                        the information sought.
                            (ii) Access to information maintained by 
                        the trustee.--A health information trustee 
                        shall maintain an electronic record concerning 
                        each attempt that is made by the trustee, or by 
                        any other person, whether authorized or 
                        unauthorized, successful or unsuccessful, to 
                        access protected health information maintained 
                        by the trustee in electronic form. The record 
                        shall include the identity of the specific 
                        individual attempting to gain such access and 
                        information sufficient to identify the 
                        information sought.
            (3) Review of requirements.--The Secretary from time to 
        time shall review the requirements developed and imposed under 
        paragraph (2), to determine whether technological advances or 
        other factors make necessary changes to the requirements. If 
        the Secretary determines that such changes are necessary, the 
        Secretary shall make them.

SEC. 112. ACCOUNTING FOR DISCLOSURES.

    (a) In General.--
            (1) Persons not acting as agents or contractors.--Except as 
        provided in paragraph (2), a health information trustee shall 
        create and maintain, with respect to any protected health 
        information disclosure made by the trustee that is not related 
        to treatment, a record of the disclosure in accordance with 
        regulations promulgated by the Secretary.
            (2) Agents and contractors.--A person acting in the 
        capacity of an agent or contractor of a health care provider, 
        health plan, health oversight agency, public health authority, 
        health researcher, employer, insurer, school, institution of 
        higher education, or insurance support organization shall 
        create and maintain, with respect to any protected health 
        information disclosure made by the person that is authorized 
        under one of section 202, 203, 204, or 206 through 213, a 
        record of the disclosure in accordance with regulations 
        promulgated by the Secretary.
    (b) Record of Disclosure Part of Protected Health Information.--A 
record created and maintained under subsection (a) shall be maintained 
as protected health information for not less than 7 years.

SEC. 113. PROHIBITION AGAINST RETALIATION.

    A health information trustee may not adversely affect another 
person, directly or indirectly, because such person has exercised a 
right under this Act, disclosed information relating to a possible 
violation of this Act, or associated with, or assisted a person in the 
exercise of a right under this Act.

              TITLE II--RESTRICTIONS ON USE AND DISCLOSURE

SEC. 201. GENERAL RULES REGARDING USE AND DISCLOSURE.

    (a) General Rule.--A health information trustee may not use or 
disclose protected health information except as authorized under this 
title.
    (b) Scope of Use and Disclosure.--
            (1) Compatibility with purpose for obtaining information.--
        A health information trustee may not use, or disclose to any 
        person, protected health information unless the use or 
        disclosure is compatible with and directly related to--
                    (A) the purposes for which the information was 
                obtained by the health information trustee; and
                    (B) in the case where an individual has executed an 
                authorization, for the specific purpose authorized by 
                the individual.
            (2) Limitation on amount of information.--
                    (A) Use and disclosure.--
                            (i) In general.--Every use and disclosure 
                        of protected health information by a health 
                        information trustee shall be limited to the 
                        minimum amount of information necessary to 
                        accomplish the purpose for which the 
                        information is used or disclosed.
                            (ii) Nonidentifiable information.--A health 
                        information trustee shall use and disclose 
                        nonidentifiable health information, in lieu of 
                        protected health information, to the maximum 
                        extent possible, consistent with the purpose for 
                        the use or disclosure.
                            (iii) Coded health information.--A health 
                        information trustee shall use and disclose 
                        coded health information, in lieu of any other 
                        kind of protected health information, to the 
                        maximum extent possible, consistent with the 
                        purpose for the use or disclosure.
                    (B) Collection, creation, and requests.--A health 
                information trustee may not collect, create, or request 
                the disclosure of, more protected health information 
                than is necessary to accomplish the purpose for which 
                the information is collected, created, or requested.
    (c) Special Rules for Protected Health Information Subfiles.--
            (1) Segregation.--A health information trustee shall, upon 
        creating or obtaining protected health information, comply with 
        the request of a subject of such information--
                    (A) to segregate any amount or type of protected 
                health information; and
                    (B) to maintain such protected health information 
                as one or more protected health information subfiles.
            (2) Disclosure and use.--
                    (A) In general.--Subject to subparagraph (B), a 
                person, other than a health care provider who is 
                otherwise authorized to access or use protected health 
                information about an individual contained in a 
                protected health information subfile for purposes of 
                delivering health care to the individual, may not use 
                or disclose any information that is in the subfile, 
                except as authorized under section 202, 203, or 206.
                    (B) Employees, agents, contractors.--A health 
                information trustee, with respect to a protected health 
                information subfile created pursuant to paragraph (1), 
                shall limit use of the subfile to those employees, 
                contractors, or agents of the trustee, described by 
                name or job title, who, with respect to the subfile are 
                authorized, pursuant to section 202 or 203, to use or 
                obtain such information.
                    (C) Information on existence of subfiles.--A health 
                information trustee may not disclose information about 
                the existence of a health information subfile to any 
                person who is not authorized to obtain, access, or use 
                the subfile.
    (d) No General Requirement To Disclose.--Nothing in this title that 
permits a disclosure of protected health information shall be construed 
to require such disclosure.
    (e) Limitations on Disclosure and Use Within a Trustee.--
            (1) Condition of treatment or payment.--A health 
        information trustee may not condition delivery of health care, 
        or payment for services, on the receipt of an authorization 
        described in section 202 or 203 that authorizes the disclosure 
        of protected health information to any employee, agent, or 
        contractor who does not perform a legitimate and necessary 
        function with respect to the purpose for which the information 
        was obtained or created.
            (2) Employment.--A health information trustee may not 
        condition employment on the receipt of an authorization 
        described in section 202 or 203 that authorizes the disclosure 
        of protected health information to any employee, agent, or 
        contractor who does not perform a legitimate and necessary 
        function with respect to the purpose for which the information 
        was obtained or created.
    (f) Identification of Disclosed Information as Protected 
Information.--Except as provided in this title, a health information 
trustee may not disclose protected health information unless such 
information is clearly identified as protected health information that 
is subject to this title.
    (g) Information Identifying Providers.--The Secretary shall issue 
regulations protecting information identifying health care providers in 
order to promote the availability of health care services.
    (h) Use of Social Security Number.--A Social Security account 
number, or a derivative of a Social Security account number, may not be 
used by a health information trustee for any purpose relating to 
protected health information or the use or disclosure of such 
information.
    (i) Multiple Records.--No person may aggregate, compile, link, or 
match protected health information held by two or more different health 
information trustees, or two or more protected health information 
subfiles pertaining to an individual, without obtaining specific 
authorization under section 202 or 203 for such use.
    (j) No Effect of Agency on Duty or Liability of Principal.--An 
agreement or relationship between a trustee and an agent or contractor 
does not relieve a health information trustee of any duty or liability 
under this Act.

SEC. 202. AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH INFORMATION 
              FOR TREATMENT OR PAYMENT.

    (a) Written Authorizations.--A health information trustee may 
disclose protected health information for purposes of treatment or 
payment pursuant to an authorization executed by an individual who is 
the subject of the information (or a person acting for the individual 
pursuant to State law) if each of the following requirements is met:
            (1) Writing.--The authorization is in written or electronic 
        form, signed or electronically authenticated by the individual, 
        and dated.
            (2) Separate forms.--Separate forms authorizing disclosures 
        for treatment and separate forms authorizing disclosures for 
        payment processes are provided to the individual.
            (3) Information described.--The information to be disclosed 
        is specified, or is described, in the authorization.
            (4) Trustee described.--The trustee who is authorized to 
        disclose such information is specifically identified, or is 
        described, in the authorization.
            (5) Recipient described.--The person to whom the 
        information is to be disclosed is specifically identified, or 
        is described, in the authorization.
            (6) Right to revoke or amend.--The authorization contains 
        an acknowledgement that the individual who is executing the 
        authorization has the right to revoke or amend the 
        authorization, subject to subsection (b).
            (7) Purpose described.--The authorization describes in 
        detail the purpose for which the information will be used.
            (8) Statement of intended disclosures.--The authorization 
        contains an acknowledgment that the individual who is executing 
        the authorization has read a statement of any disclosures of 
        the protected health information that the recipient intends to 
        make.
            (9) Use and disclosure restricted.--The authorization 
        includes a statement that the information will be used and 
        disclosed solely for one or more purposes specified in the 
        authorization.
            (10) Expiration date specified.--The authorization 
        specifies a date on which, or event upon which, the 
        authorization expires, which shall be no later than one year 
        after the date on which the authorization is executed.
    (b) Revocation or Amendment of Authorization.--
            (1) In general.--An authorization under subsection (a) 
        shall be subject to revocation and amendment at any time by the 
        individual who executed the authorization, except that--
                    (A) the revocation or amendment shall be in 
                writing; and
                    (B) an authorization executed for the purpose of 
                validation of expenditures for health care that the 
                individual has authorized to be rendered may not be 
                revoked.
            (2) Notice of revocation.--A health information trustee who 
        discloses protected health information pursuant to an 
        authorization described in subsection (a) that has been revoked 
        shall not be subject to any liability or penalty under this Act 
        if the trustee has no actual or constructive notice of the 
        revocation at the time the trustee makes the disclosure.
    (c) Model Authorizations.--The Secretary, after providing notice 
and opportunity for public comment, shall develop and disseminate model 
written authorizations of the type described in subsection (a) and 
model statements of intended disclosures of the type described in 
subsection (a)(7).
    (d) Copy.--A health information trustee who discloses protected 
health information pursuant to an authorization under this section 
shall maintain a copy of the authorization for not less than 7 years.

SEC. 203. AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH INFORMATION 
              FOR PURPOSES OTHER THAN TREATMENT OR PAYMENT.

    (a) Written Authorizations.--A health information trustee may 
disclose protected health information for a purpose other than 
treatment or payment pursuant to an authorization executed by an 
individual who is the subject of the information (or a person acting 
for the individual pursuant to State law) if each of the following 
requirements is met:
            (1) General requirements.--The requirements of paragraphs 
        (1) through (7) of section 202(a).
            (2) Statement of intended disclosures.--The statement of 
        intended disclosure shall be in writing, and shall be received 
        by the individual authorizing the disclosure on or before the 
        date the authorization is executed.
            (3) Expiration date specified.--The authorization specifies 
        a date on which, or an event upon which, the authorization 
        expires, which shall not occur more than 1 year from the date 
        of the execution of the authorization.
    (b) Limitation on Requests for Authorizations.--
            (1) Condition of treatment or payment.--A health 
        information trustee may not condition delivery of treatment, or 
        payment for services, on the receipt of an authorization 
        described in subsection (a).
            (2) Employment.--A health information trustee may not 
        adversely affect, or condition, the employment of any person 
        based on the agreement or refusal of the person to execute or 
        provide an authorization described in subsection (a).
    (c) Revocation or Amendment of Authorization.--
            (1) In general.--An individual may in writing revoke or 
        amend an authorization described in subsection (a).
            (2) Notice of revocation.--A health information trustee who 
        discloses protected health information pursuant to an 
        authorization described in subsection (a) that has been revoked 
        shall not be subject to any liability or penalty under this Act 
        if the trustee has no actual or constructive notice of the 
        revocation at the time the trustee makes the disclosure.
    (d) Model Authorizations.--The Secretary, after notice and 
opportunity for public comment, shall develop and disseminate model 
written authorizations of the type described in subsection (a) and 
model statements of the intended disclosures of the type described in 
subsection (a)(2).

SEC. 204. CREATION OF NONIDENTIFIABLE AND CODED INFORMATION.

    (a) Creation of Nonidentifiable Information.--A health information 
trustee may disclose protected health information about an individual 
to an employee, agent, or contractor for the purpose of creating 
nonidentifiable health information if--
            (1) the individual is informed of the purpose for the 
        creation of the nonidentifiable information;
            (2) the individual is given the option to prohibit any 
        specific uses of the nonidentifiable information, such as use 
        of the information for marketing purposes; and
            (3) the health information trustee does not condition the 
        delivery of health care, payment for services, or employment, 
        on the granting by the individual of permission to create the 
        nonidentifiable information.
    (b) Creation of Coded Health Information.--A health care provider 
may create coded health information, or disclose protected health 
information about an individual to an employee, agent, or contractor 
for the purpose of creating coded health information, if--
            (1) the individual is informed of the purpose for the 
        creation of the coded information;
            (2) the individual is informed of which persons will have 
        the authority to link or match the coded health information to 
        reveal the identity of the individual;
            (3) the individual gives written authorization for a 
        disclosure for this purpose in accordance with subsections 
        (a)(1) through (a)(3), (c), and (d) of section 203;
            (4) the health care provider does not condition the 
        delivery of health care, payment for services, employment, or 
        the terms of employment on the granting by the individual of 
        permission to create the coded health information; and
            (5) agents and contractors who receive protected health 
        information for the purpose of creating coded health 
        information use the information exclusively for such purpose.

SEC. 205. NEXT OF KIN AND DIRECTORY INFORMATION.

    (a) Next of Kin.--Except as provided in subsection (c), a health 
care provider, or a person who receives protected health information 
under section 206, may disclose protected health information regarding 
an individual who is an inpatient in a health care facility to the 
individual's next of kin, to an individual representative of the 
individual, or to an individual with whom the individual has a 
significant personal relationship if--
            (1) the individual who is the subject of the information--
                    (A) has been notified of the individual's right to 
                object at the time of admission to the facility and has 
                not objected to the disclosure; or
                    (B) is in a physical or mental condition such that 
                it would not be possible to notify the individual of 
                the right to object and there are no prior indications 
                that the individual would object; and
            (2) the information relates to health care currently being 
        provided to the individual at the time of the disclosure.
    (b) Directory Information.--
            (1) Disclosure.--Except as provided in subsection (c), a 
        health information trustee may disclose to any person protected 
        health information concerning an individual if the information 
        is described in paragraph (2) and the individual who is the 
        subject of the information--
                    (A) has been notified of the individual's right to 
                object and has not objected to the disclosure; or
                    (B) is in a physical or mental condition such that 
                it would not be possible to notify the individual of 
                the right to object and there are no prior indications 
                that the individual would object.
            (2) Information described.--The information referred to in 
        paragraph (1) is any one or more of the following:
                    (A) The name of the individual who is the subject 
                of the information.
                    (B) The general health status of the individual, 
                described as critical, poor, fair, stable, or 
                satisfactory, or in terms denoting similar conditions.
                    (C) The location of the individual, if on a 
                premises controlled by a health care provider.
    (c) Exception.--A health care provider may not disclose protected 
health information without specific authorization pursuant to section 
203--
            (1) in the case of a disclosure under subsection (b), if 
        disclosure of the location of the individual would reveal 
        specific information about the physical or mental condition of 
        the individual; or
            (2) in the case of a disclosure under subsection (a) or 
        (b), if the provider has reason to believe that the disclosure 
        could lead to physical, mental, or emotional harm to the 
        individual.
    (d) Deceased Individual.--
            (1) Identification.--A health information trustee may 
        disclose protected health information if necessary to assist in 
        the identification of a deceased individual.
            (2) Regulations.--The Secretary shall develop and establish 
        through regulation a procedure for obtaining protected health 
        information relating to a deceased individual when there is no 
        individual representative for such individual.

SEC. 206. EMERGENCY CIRCUMSTANCES.

    (a) Disclosure When Subject of Information Is in Danger.--A health 
information trustee who receives protected health information under 
this title may disclose such protected health information to a health 
care provider or emergency medical personnel, or use such information 
in emergency medical circumstances, to the extent necessary to protect 
the health or safety of an individual who is a subject of such 
information from serious imminent harm.
    (b) Disclosure When Another Individual Is in Danger.--A health 
information trustee may disclose protected health information, to the 
extent necessary, where such trustee determines that--
            (1) there is an identifiable threat of serious injury or 
        death to an identifiable individual or group of individuals; 
        and
            (2) the disclosure of the information to the person is 
        necessary to prevent or significantly reduce the possibility of 
        such threat.

SEC. 207. OVERSIGHT.

    (a) In General.--A health information trustee, other than a public 
health authority or a health researcher, may disclose protected health 
information to--
            (1) a health oversight agency for any function of the 
        agency authorized by law, if--
                    (A) there is probable cause to believe fraud has 
                been committed;
                    (B) the oversight agency is investigating the 
                fraud;
                    (C) the oversight agency has obtained a subpoena 
                for purposes of obtaining the information; and
                    (D)(i) a subject of the information is believed to 
                have committed the fraud; or
                    (ii) the information is necessary to permit the 
                agency to investigate the fraud; or
            (2) a health oversight agency charged by law to protect 
        individuals from harm, abuse, neglect, or exploitation, if the 
        information is necessary to investigate whether abuse, neglect, 
        or exploitation of an individual has occurred.
    (b) Use of Coded Health Information.--The health oversight agency 
shall receive exclusively coded health information under subsection (a) 
whenever the purpose of the agency may be accomplished using only such 
information.
    (c) Notice to Subjects.--In any case where an individual who is a 
subject of protected health information disclosed under subsection (a) 
is not believed to have committed fraud, the individual shall be 
notified, at the first practical opportunity--
            (1) that an investigation described in such subsection is 
        being conducted;
            (2) of the reason why disclosure of the information is 
        necessary; and
            (3) of all intended subsequent disclosures of the 
        information that the agency intends to make.
    (d) Use in Action Against Individuals.--
            (1) In general.--Subject to paragraph (2), protected health 
        information about an individual that is disclosed under this 
        section may not be used in, or disclosed to any person for use 
        in, an administrative, civil, or criminal action or 
        investigation directed against the individual, unless the 
        action or investigation arises out of and is directly related 
        to the purpose for which the disclosure was authorized under 
        subsection (a).
            (2) Special rule.--A health oversight agency may not 
        disclose protected health information received by the agency 
        under subsection (a)(2) for any purpose other than protecting 
        individuals from harm, abuse, neglect, or exploitation.
    (e) Public Health and Health Research.--A public health authority 
may disclose protected health information to a health oversight agency 
only if such information is necessary for use in an investigation of 
whether the authority has committed fraud. A health researcher may 
disclose protected health information to a health oversight agency only 
if such information is necessary for use in an investigation of whether 
the researcher has committed fraud.

SEC. 208. ACCREDITATION.

    (a) In General.--A health information trustee may disclose 
protected health information to an accrediting body for the exclusive 
purpose of permitting the accrediting body to carry out accreditation, 
licensing, or credentialing activities.
    (b) Use of Coded Health Information.--The accrediting body shall 
receive exclusively coded health information under subsection (a) 
whenever the purpose of the body may be accomplished using only such 
information.
    (c) Restriction on Use and Disclosure.--A person to whom protected 
health information is disclosed under subsection (a) may not use or 
disclose the information for any purpose other than the purpose for 
which the information was disclosed to the person.

SEC. 209. PUBLIC HEALTH.

    (a) Disclosures by Providers.--A health care provider may disclose 
protected health information about an individual to a public health 
authority where--
            (1) the information is disclosed for the purpose of 
        permitting the authority to ascertain the identity of such 
        individual;
            (2) there is a specific nexus between such individual's 
        identity and a threat of death or injury to any person; and
            (3) knowledge of such individual's identity would allow the 
        public health authority to prevent or significantly reduce the 
        possibility of injury or death to any person.
    (b) Limitation on Liability.--A health information trustee shall 
not be liable to any person for a disclosure of protected health 
information under this section that is made based upon a good faith 
belief by the trustee of a representation made by a public health 
authority that such disclosure satisfies the requirements of subsection 
(a).
    (c) Limitation on Use and Disclosure by Public Health 
Authorities.--A public health authority may not use or disclose 
protected health information for any purpose other than for public 
health reporting, surveillance, protection, investigation, or 
intervention.

SEC. 210. HEALTH RESEARCH.

    (a) In General.--A health information trustee may disclose 
protected health information, other than coded health information, to a 
health researcher for use in a research project engaged in by the 
health researcher, if an institutional review board, using standards 
and procedures that are generally consistent with the official written 
policy of the Secretary with respect to research involving human 
subjects conducted, supported, or otherwise subject to regulation by 
Federal departments and agencies, and this Act, determines that the 
research project--
            (1) requires use of the protected health information for 
        the effectiveness of the project and could not be carried out 
        with either coded or nonidentifiable health information; and
            (2) has obtained an authorization for the disclosure 
        executed by an individual who is a subject of the information 
        that--
                    (A) is consistent with the requirements of section 
                203; and
                    (B) in a case where the researcher foresees using 
                or disclosing the information for any purpose 
                subsequent to the conclusion of the project, 
                specifically states--
                            (i) such intent; and
                            (ii) that the individual has the right to 
                        limit such subsequent uses or disclosures 
                        consistent with this Act.
    (b) Use of Coded or Nonidentifiable Health Information.--A health 
information trustee may disclose coded health information that is not 
contained in a protected health information subfile, or nonidentifiable 
health information, to a health researcher for use in a research 
project engaged in by the health researcher upon approval of the 
proposed research by an institutional review board, regardless of 
whether the researcher has obtained an authorization for the disclosure 
consistent with the requirements of section 203.
    (c) Anonymization of Previously Stored Biological Samples.--The 
Secretary may develop interim guidelines for the use by a health 
researcher of biological samples derived from a human body collected 
before the effective date of this Act. Such guidelines shall address 
the requirements pertinent to a health researcher who wishes to use 
stored biological samples derived from a human body in nonidentifiable 
or coded form. Such guidelines shall authorize a health researcher, for 
the purpose of facilitating future health research--
            (1) to convert protected health information into 
        nonidentifiable information or coded health information, if 
        such conversion is permitted in a written authorization; or
            (2) if no such authorization exists, to make such 
        conversion after publishing notice of the researcher's intent 
        and providing individuals the opportunity to prohibit the use 
        of their biological samples for such purpose.
    (d) Obligations of Recipient.--A person who receives protected 
health information pursuant to subsection (a)--
            (1) shall remove or destroy, at the earliest opportunity 
        consistent with the purposes of the project, information that 
        would enable an individual to be identified, unless--
                    (A) an institutional review board has determined 
                that there is a health or research justification for 
                retention of such identifiers; and
                    (B) there is an adequate plan to protect the 
                identifiers from disclosure that is inconsistent with 
                this section; and
            (2) shall use the information solely for purposes of the 
        health research project for which disclosure was authorized by 
        an institutional review board under subsection (a).

SEC. 211. JUDICIAL AND ADMINISTRATIVE PURPOSES.

    A health care provider, health plan, health oversight agency, 
employer, school, institution of higher education, insurer, court, or a 
person who receives protected health information pursuant to section 
206 may disclose protected health information about an individual--
            (1) pursuant to the requirements governing subpoenas, 
        warrants, and court orders under sections 212 and 213, where 
        such information has been determined to be discoverable by a 
        court under any applicable rules of civil or criminal 
        procedure;
            (2) to a court, and to others as ordered by the court, if 
        the information is developed in response to a court-ordered 
        physical or mental examination;
            (3) where the subject of such information has brought a 
        claim for medical malpractice against a health care provider 
        and the information is necessary for the defense of the claim; 
        and
            (4) to legal counsel for the person making the disclosure, 
        where the disclosure is necessary to ensure compliance with 
        this Act or any other legal requirement.

SEC. 212. GENERAL REQUIREMENTS GOVERNING SUBPOENAS.

    (a) In General.--A health care provider, health plan, health 
oversight agency, employer, school, institution of higher education, 
insurer, court, or a person who receives protected health information 
pursuant to section 206 may disclose protected health information to 
any person, other than a law enforcement authority, under section 
211(1), if the disclosure is pursuant to a subpoena issued on behalf of 
a party to a lawsuit or other judicial or administrative proceeding who 
has complied with subsection (b) or (c), and subsection (d).
    (b) Request for Access by Counsel To Review Protected Health 
Information.--A person may have access to protected health information 
under subsection (a), by means solely of a review of the information by 
the person's counsel, acting in the capacity of an officer of the 
court, and on premises of, and under the control of, the court, if--
            (1) the person has included in a subpoena a proffer of 
        evidence specifying with reasonable specificity the information 
        to which access is sought and the precise grounds for seeking 
        such access for review;
            (2) a copy of such subpoena for access to review, together 
        with a notice of the individual's right to challenge the 
        subpoena under subsection (d), has been served upon the 
        individual on or before the date of return of the subpoena;
            (3)(A) 15 days have passed since the date of service on the 
        individual, and within that period the individual has not 
        initiated a challenge in accordance with subsection (d)(1); or
            (B) such access is ordered by the court; and
            (4) such counsel agrees not to copy such information, 
        remove such information from the court premises, or disclose 
        the information to any person other than the person permitted 
        access under this subsection.
    (c) Request To Obtain Protected Health Information for Introduction 
in Court.--
            (1) Requirements for obtaining information.--A person may 
        obtain protected health information about an individual 
        pursuant to a subpoena, for purposes of introducing such 
        information as evidence in a court, only if--
                    (A) counsel for the person has obtained access to 
                the information under subsection (b);
                    (B) a copy of the subpoena to obtain the 
                information for introduction in court, specifying the 
                precise information sought and the precise grounds for 
                seeking introduction of the information as evidence in 
                court, together with a notice of the individual's right 
                to challenge the subpoena under subsection (d), has 
                been served upon the individual on or before the date 
                of return of such subpoena; and
                    (C)(i) 15 days have passed since the date of 
                service on the individual, and within that time period 
                the individual has not indicated a challenge in 
                accordance with subsection (d)(1); or
                    (ii) the information is ordered to be provided to 
                the court.
            (2) Use and disclosure.--A person who obtains protected 
        health information under paragraph (1) may use and disclose 
        such information only for the purpose of prosecuting or 
        defending the lawsuit or other judicial or administrative 
        proceeding described in subsection (a).
    (d) Challenge Procedures.--
            (1) Motion to quash subpoena.--After being served with a 
        copy of a subpoena seeking access for review by counsel of, or 
        access to, protected health information under subsection (b), 
        or a subpoena seeking to obtain protected health information 
        for introduction as evidence in court, under subsection (c), an 
        individual who is a subject of such information may file in any 
        court of competent jurisdiction a motion to quash the subpoena.
            (2) Standard for decision.--
                    (A) In general.--The court shall grant a motion 
                under paragraph (1) unless the respondent 
                demonstrates--
                            (i) by clear and convincing evidence that 
                        the information is necessary in relation to the 
                        lawsuit or other judicial or administrative 
                        proceeding with respect to which the 
                        information is sought, including--
                                    (I) a demonstration that use or 
                                disclosure of solely nonidentifiable 
                                health information would be 
                                insufficient to accomplish the purpose 
                                for which the information is sought; 
                                and
                                    (II) if protected health 
                                information that is not coded health 
                                information is sought, a demonstration 
                                that use or disclosure of coded health 
                                information would be insufficient to 
                                accomplish the purpose for which the 
                                information is sought; and
                            (ii) that the need of the respondent for 
                        the information outweighs the privacy interest 
                        of the individual.
                    (B) Criteria for decision.--In determining whether 
                the need of the respondent for the information 
                outweighs the privacy interest of the individual, the 
                court shall consider--
                            (i) the particular purpose for which the 
                        information was collected;
                            (ii) the invasion of the individual's 
                        privacy caused by the disclosure;
                            (iii) the degree to which disclosure of the 
                        information would embarrass, injure, or further 
                        invade, the privacy of the individual;
                            (iv) the effect of the disclosure on the 
                        individual's future health care;
                            (v) the importance of the information to 
                        the lawsuit or proceeding; and
                            (vi) any other relevant factor.
            (3) Attorney's fees.--In the case of a motion brought under 
        paragraph (1) in which the individual who brought the motion 
        has prevailed in whole or in part, the court may assess against 
        the respondent a reasonable attorney's fee and other litigation 
        costs and expenses (including expert fees) reasonably incurred.
    (e) Sealing of Information.--Any portion of a record of a court 
that contains protected health information disclosed under this section 
shall be kept by the court under seal and used or disclosed only 
pursuant to an order of the court consistent with this section.

SEC. 213. ADDITIONAL REQUIREMENTS FOR LAW ENFORCEMENT ACCESS.

    (a) Law Enforcement Subpoenas and Warrants in General.--A health 
care provider, health plan, health oversight agency, employer, school, 
institution of higher education, insurer, court, or a person who 
receives protected health information pursuant to section 206 may 
disclose protected health information to a law enforcement authority 
under section 211(1), if--
            (1)(A) the disclosure is made pursuant to a subpoena for 
        review under section 212(b), a subpoena for purposes of 
        introducing evidence in a court under section 212(c), or both, 
        issued under the authority of a grand jury or a court; and
            (B) the requirements of subsections (b) through (e) of 
        section 212, and subsections (b) and (c) of this section, are 
        satisfied;
            (2) the disclosure is made pursuant to a judicial warrant 
        for search and seizure and the requirements of subsection (d) 
        are satisfied; or
            (3)(A) the disclosure is made pursuant to a subpoena for 
        purposes of introducing evidence in a court under section 
        212(c), issued under the authority of a grand jury or a court, 
        and obtained pursuant to subsection (d)(5) following the 
        execution of a judicial warrant for search and seizure under 
        subsection (d); and
            (B) the requirements of subsections (c) through (e) (other 
        than subsection (c)(1)(A)) of section 212, and subsections (b) 
        and (c) of this section, are satisfied.
    (b) Clear and Convincing Requirement.--A law enforcement authority 
may not obtain protected health information about an individual under 
subsection (a) unless the authority demonstrates by clear and 
convincing evidence that the information is necessary to a legitimate 
law enforcement inquiry into a particular violation of criminal law 
being conducted by the authority.
    (c) Limitation on Use and Disclosure for Other Law Enforcement 
Inquiries.--Protected health information about an individual that is 
disclosed under this section may not be used in, or disclosed to any 
person for use in, any administrative, civil, or criminal action or 
investigation directed against the individual, unless the action or 
investigation arises out of, or is directly related to, the law 
enforcement inquiry for which the information was obtained.
    (d) Requirements for Warrants for Search and Seizure.--
            (1) Limited purpose.--A health care provider, health plan, 
        health oversight agency, employer, school, institution of 
        higher education, insurer, or a person who receives protected 
        health information pursuant to section 206 may disclose 
        protected health information to a law enforcement authority 
        pursuant to a warrant for search and seizure, issued under the 
        authority of a court, for the exclusive purpose of permitting 
        the authority to secure the information described in the 
        warrant for delivery to the court.
            (2) Limitation on execution of warrants.--In executing a 
        warrant under paragraph (1), a law enforcement authority shall 
        engage in the most minimal examination of protected health 
        information that is necessary in order to determine whether the 
        information is or is not within the scope of the warrant. The 
        authority immediately shall place any such information that the 
        authority determines is within the scope of the warrant under 
        seal, and shall deliver such sealed information, without any 
        further examination or other use or disclosure, to the court. 
        The authority may not use or disclose for any purpose protected 
        health information that the authority determines is not within 
        the scope of the warrant, but that is obtained or discovered by 
        the authority directly or indirectly through execution of the 
        warrant.
            (3) Notice of warrant.--A law enforcement authority that 
        obtains protected health information about an individual 
        pursuant to the execution of a warrant under paragraph (2) 
        shall, not later than 30 days after the date of such execution, 
        serve the individual with, or mail to the last known address of 
        the individual, a notice that protected health information 
        about the individual was obtained, together with a notice of 
        the individual's right to challenge the warrant under paragraph 
        (4).
            (4) Challenge procedures for warrants.--
                    (A) Motion to quash.--Within 15 days after the date 
                of service of a notice of execution of a warrant of a 
                law enforcement authority seeking protected health 
                information about an individual under paragraph (3), 
                the individual (or any other person who was in 
                possession of the information and against whom the 
                warrant was executed) may file in any court of 
                competent jurisdiction a motion to quash the warrant.
                    (B) Standard for decision.--The court shall grant a 
                motion under subparagraph (A) unless the law 
                enforcement authority demonstrates by clear and 
                convincing evidence that the protected health 
                information is necessary to a legitimate law 
                enforcement inquiry being conducted by the law 
                enforcement authority and the government authority's 
                need for the information outweighs the privacy interest 
                of the individual.
                    (C) Attorney's fees.--In the case of a motion 
                brought under subparagraph (A) in which the individual 
                has prevailed, in whole or in part, the court may 
                assess against the law enforcement authority reasonable 
                attorney's fees and other litigation costs (including 
                expert fees) reasonably incurred.
            (5) Action in court on information delivered.--Upon 
        termination of the period described in paragraph (4)(A) (in a 
        case where a motion to quash is not filed under such 
        paragraph), or upon the denial of a motion to quash under such 
        paragraph, the law enforcement authority may obtain protected 
        health information delivered to the court under this subsection 
        solely through a disclosure under subsection (a)(3).
            (6) Sealing of information.--Any protected health 
        information that is delivered to a court under this section 
        shall be kept by the court under seal and used or disclosed 
        only pursuant to an order of the court consistent with this 
        section.

                          TITLE III--SANCTIONS

                      Subtitle A--Civil Sanctions

SEC. 301. CIVIL PENALTY.

    (a) Violation.--Any person who the Secretary determines has 
materially failed to comply with this Act shall be subject, in addition 
to any other penalties that may be prescribed by law, to--
            (1) a civil penalty of not more than $25,000 for each such 
        violation, but not to exceed $150,000 in the aggregate for 
        multiple violations in any one year; and
            (2) a civil penalty of not more than $500,000 and exclusion 
        from participation in the program under title XVIII of the 
        Social Security Act, the program under title XIX of such Act, 
        and any other federally funded health care program, if the 
        Secretary finds that such violations have occurred with such 
        frequency as to constitute a general business practice.
    (b) Procedures for Imposition of Penalties.--Section 1128A of the 
Social Security Act, other than subsections (a) and (b) and the second 
sentence of subsection (f) of that section, shall apply to the 
imposition of a civil, monetary, or exclusionary penalty under this 
section in the same manner as such provisions apply with respect to the 
imposition of a penalty under section 1128A of such Act.

SEC. 302. CIVIL ACTION.

    (a) In General.--An individual who is aggrieved by conduct in 
violation of this Act may bring a civil action to recover--
            (1) such preliminary and equitable relief as the court 
        determines to be appropriate;
            (2) the greater of--
                    (A) actual damages; and
                    (B) liquidated damages of--
                            (i) $25,000, in the case of a material 
                        violation; or
                            (ii) $50,000, in the case of a violation 
                        that was willful or resulted in profit or 
                        monetary gain; and
            (3) punitive damages.
    (b) Attorney's Fees.--In the case of a civil action brought under 
subsection (a) in which the individual has substantially prevailed, the 
court may assess against the respondent a reasonable attorney's fee and 
other litigation costs and expenses (including expert fees) reasonably 
incurred.
    (c) Limitation.--No action may be commenced under this section by 
an individual more than 3 years after the date on which the violation 
was or should reasonably have been discovered by the individual.

                     Subtitle B--Criminal Sanctions

SEC. 311. WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION.

    (a) Offense.--Whoever knowingly--
            (1) obtains protected health information relating to an 
        individual in violation of this Act;
            (2) discloses protected health information to another 
        person in violation of this Act;
            (3) coerces or attempts to coerce a health information 
        trustee to disclose protected health information in violation 
        of this title; or
            (4) without authorization pursuant to this Act, identifies 
        or attempts to identify an individual who is the subject of 
        protected health information that a health information trustee 
        has converted into coded health information,
shall be punished as provided in subsection (b).
    (b) Penalties.--A person referred to in subsection (a) shall be 
fined under title 18, United States Code, imprisoned not more than 1 
year, or both, except that--
            (1) if the offense is committed under false pretenses, the 
        person shall be fined under title 18, United States Code, 
        imprisoned not more than 5 years, or excluded from 
        participation in the program under title XVIII of the Social 
        Security Act, the program under title XIX of such Act, or any 
        other federally funded health care program, or any combination 
        of such penalties; and
            (2) if the offense is committed with intent to sell, 
        transfer, or use protected health information for commercial 
        advantage, personal gain, or malicious harm, the person shall 
        be fined under title 18, United States Code, or imprisoned not 
        more than 10 years, or excluded from participation in the 
        program under title XVIII of the Social Security Act, the 
        program under title XIX of such Act, or any other federally 
        funded health care program, or any combination of such 
        penalties.

                        TITLE IV--MISCELLANEOUS

SEC. 401. REGULATIONS.

    (a) Promulgation.--
            (1) Consultation with advisory group.--In promulgating 
        regulations under this Act, the Secretary shall appoint and 
        consult an advisory group of knowledgeable individuals.
            (2) Membership.--The advisory group shall consist of at 
        least 7 but no more than 12 individuals, including 
        representatives of--
                    (A) health care providers;
                    (B) health care consumers;
                    (C) health plans;
                    (D) privacy advocates; and
                    (E) electronic security experts.
            (3) Responsibilities.--The advisory group shall review all 
        proposed rules and regulations and submit recommendations to 
        the Secretary. The advisory group shall also assist the 
        Secretary in establishing the standards for compliance with 
        rules and regulations, in developing an annual report to the 
        Congress on the status of the requirements set forth in this 
        Act, their cost impact, and any recommendations for 
        modifications to this Act in order to ensure efficient and 
        confidential electronic interchange of protected health 
        information.
    (b) Consultation With Others.--In promulgating regulations under 
this Act, the Secretary may consult--
            (1) privacy, industry, health care professional, and 
        consumer groups;
            (2) medical societies; and
            (3) academic computer security and privacy experts.

SEC. 402. RELATIONSHIP TO OTHER LAWS.

    (a) In General.--Nothing in this Act shall be construed to preempt 
any provision of State law or any privilege, whether derived from 
statute or common law, that--
            (1) more completely protects the confidentiality or privacy 
        of an individual with respect to protected health information 
        about the individual than does this Act; or
            (2) provides a greater right of access to protected health 
        information to a subject of the information than does this Act.
    (b) Criminal Penalties.--A State may establish and enforce criminal 
penalties with respect to a failure to comply with a provision of this 
Act.
    (c) Privileges.--This Act does not preempt or modify State common 
or statutory law to the extent such law concerns a privilege of a 
witness or person in a court of the State. This Act does not supersede 
or modify Federal common or statutory law to the extent such law 
concerns a privilege of a witness or person in a court of the United 
States and more completely protects the confidentiality or privacy of 
an individual with respect to protected health information about the 
individual than does this Act. The execution of an authorization 
pursuant to section 202 or 203 may not be construed as a waiver of any 
such privilege.
    (d) Certain Duties Under State or Federal Law.--This Act does not 
preempt, supersede, or modify the operation of any of the following:
            (1) Any law that provides for the reporting of vital 
        statistics such as birth or death information.
            (2) Any law requiring the reporting of abuse or neglect 
        information about any individual.
            (3) Any State law relating to public or mental health that 
        prevents or otherwise restricts disclosure of protected health 
        information otherwise permitted under this Act.
            (4) Subpart II of part E of title XXVI of the Public Health 
        Service Act (relating to notifications of emergency response 
        employees of possible exposure to infectious diseases).
            (5) Any Federal law or regulation governing confidentiality 
        of alcohol and drug patient records.
            (6) The Americans With Disabilities Act of 1990.
            (7) Any Federal or State statute that establishes a 
        privilege for records used in health professional peer review 
        activities.

SEC. 403. EFFECTIVE DATES.

    (a) In General.--Except as provided in subsection (b), this Act 
shall take effect on the date that is 18 months after the date of the 
enactment of this Act.
    (b) Provisions Effective Immediately.--A provision of this Act 
shall take effect on the date of the enactment of this Act if the 
provision imposes on the Secretary a duty to develop, establish, or 
promulgate regulations, guidelines, or model forms.
    (c) Deadline for Regulations.--The Secretary shall promulgate 
regulations implementing this Act not later than the date that is 12 
months after the date of the enactment of this Act.

SEC. 404. APPLICABILITY.

    (a) Protected Health Information.--Except as provided in subsection 
(b), the provisions of this Act shall apply to any protected health 
information that is received, created, used, maintained, or disclosed 
by a health information trustee on or after the date that is 18 months 
after the date of the enactment of this Act, regardless of whether the 
information existed or was disclosed prior to such date.
    (b) Authorizations for Disclosures.--An authorization for the 
disclosure of protected health information about a protected individual 
that is executed by the individual before the date that is 18 months 
after the date of the enactment of this Act, and is recognized and 
valid under State law on the day before such date, shall remain valid 
and shall not be subject to the requirements of title II until the date 
that is 30 months after the date of the enactment of this Act, or the 
occurrence of the date or event in the authorization upon which the 
authorization expires, whichever occurs earlier.