[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4585 Introduced in House (IH)]

106th CONGRESS
  2d Session
                                H. R. 4585

 To strengthen consumers' control over the use and disclosure of their 
 health information by financial institutions, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                              June 6, 2000

  Mr. Leach introduced the following bill; which was referred to the 
  Committee on Banking and Financial Services, and in addition to the 
 Committee on Commerce, for a period to be subsequently determined by 
the Speaker, in each case for consideration of such provisions as fall 
           within the jurisdiction of the committee concerned

_______________________________________________________________________

                                 A BILL


 
 To strengthen consumers' control over the use and disclosure of their 
 health information by financial institutions, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Medical Financial Privacy Protection 
Act''.

SEC. 2. USE AND DISCLOSURE OF HEALTH INFORMATION BY FINANCIAL 
              INSTITUTIONS.

    (a) In General.--Title V of the Gramm-Leach-Bliley Act (15 U.S.C. 
6801 et seq.) is amended by inserting after section 502 the following:

``SEC. 502A. SPECIAL RULES FOR HEALTH INFORMATION.

    ``(a) Rules for Disclosure.--
            ``(1) General rule requiring affirmative consent for 
        disclosure.--
                    ``(A) In general.--A financial institution may not 
                disclose any individually identifiable health 
                information pertaining to a consumer to an affiliate or 
                a nonaffiliated third party unless the financial 
                institution--
                            ``(i) has provided to the consumer a clear 
                        and conspicuous notice in writing, in 
                        electronic form, or in another form permitted 
                        by the regulations implementing this subtitle, 
                        of the categories of such information that may 
                        be disclosed and the categories of affiliates 
                        or nonaffiliated third parties to whom the 
                        financial institution discloses such 
                        information;
                            ``(ii) has clearly and conspicuously 
                        requested in writing, in electronic form, or in 
                        another form permitted by the regulations 
                        implementing this subtitle, that the consumer 
                        affirmatively consent to such disclosure; and
                            ``(iii) has obtained from the consumer such 
                        affirmative consent and such consent has not 
                        been withdrawn.
                    ``(B) Withdrawal of consent.--Any withdrawal of 
                consent is subject to the rights of any financial 
                institution that acted in reliance on the consent prior 
                to its withdrawal.
            ``(2) Disclosure of information about personal spending 
        habits.--
                    ``(A) In general.--If a financial institution 
                provides a service to a consumer through which the 
                consumer makes or receives payments or transfers by 
                check, debit card, credit card, or other similar 
                instrument, the financial institution may not disclose 
                any information described in subparagraph (B) 
                pertaining to the consumer to an affiliate or a 
                nonaffiliated third party unless the financial 
                institution has satisfied the requirements of clauses 
                (i), (ii), and (iii) of paragraph (1)(A) with respect 
                to the disclosure.
                    ``(B) Information described.--The information 
                described in this paragraph is--
                            ``(i) an individualized list of a 
                        consumer's transactions or an individualized 
                        description of a consumer's interests, 
                        preferences, or other characteristics; or
                            ``(ii) any such list or description 
                        constructed in response to an inquiry about a 
                        specific, named individual;
                if the list or description is derived from individually 
                identifiable health information collected in the course 
                of providing a service described in subparagraph (A) to 
                the consumer.
            ``(3) Disclosure of aggregate lists.--A financial 
        institution may not disclose any aggregate list of consumers 
        containing or derived from individually identifiable health 
        information to an affiliate or a nonaffiliated third party 
        unless the financial institution has satisfied, for each 
        consumer on the list, the requirements of clauses (i), (ii), 
        and (iii) of paragraph (1)(A) with respect to the disclosure.
            ``(4) Exceptions to disclosure limitations.--This section 
        shall not restrict a financial institution from disclosing 
        individually identifiable health information--
                    ``(A) for a purpose described in paragraph (1), 
                (2), (3), (5), (7), or (8) of section 502(e);
                    ``(B) in order to facilitate customer service, such 
                as maintenance and operation of consolidated customer 
                call centers or the use of consolidated customer 
                account statements; or
                    ``(C) to the institution's attorneys, accountants, 
                and auditors.
            ``(5) Limits on redisclosure and reuse of information.--
                    ``(A) In general.--Except as provided in 
                subparagraph (B), an affiliate or a nonaffiliated third 
                party that receives individually identifiable health 
                information from a financial institution under this 
                section shall not disclose such information to any 
                other person, unless such disclosure would be lawful if 
                made directly to such other person by the financial 
                institution.
                    ``(B) Disclosure under an exception.--
                Notwithstanding subparagraph (A), any person that 
                receives individually identifiable health information 
                from a financial institution in accordance with one of 
                the exceptions in paragraph (4) may use or disclose 
                such information only--
                            ``(i) as permitted under that exception; or
                            ``(ii) under another exception in such 
                        paragraph to carry out the purpose for which 
                        the information was disclosed by the financial 
                        institution.
            ``(6) Construction.--Except as provided in paragraph 
        (4)(A), this section applies in lieu of subsections (b), (c), 
        and (e) of section 502 to a disclosure by a financial 
        institution of individually identifiable health information.
    ``(b) Rules for Receipt and Use.--
            ``(1) In general.--In deciding whether, or on what terms, 
        to offer, provide, or continue to provide a loan or credit to a 
        consumer, a financial institution shall not request to receive 
        individually identifiable health information about the consumer 
        from an affiliate or nonaffiliated third party, or use, 
        evaluate, or otherwise consider any such information, unless 
        the financial institution--
                    ``(A) has clearly and conspicuously requested in 
                writing, in electronic form, or in another form 
                permitted by the regulations implementing this 
                subtitle, that the consumer affirmatively consent to 
                such receipt and use; and
                    ``(B) has obtained from the consumer such 
                affirmative consent and such consent has not been 
                withdrawn.
            ``(2) Restraint on information requests.--In deciding 
        whether, or on what terms, to offer, provide, or continue to 
        provide a loan or credit to a consumer, a financial institution 
        shall not request the consent described in paragraph (1)(A) to 
        receive individually identifiable health information available 
        from an affiliate, if the financial institution would not 
        otherwise normally receive the same or substantially similar 
        information from a nonaffiliated third party if that third 
        party were the only person able to provide the information.
    ``(c) Consumer Rights To Access and Correct Information.--
            ``(1) Access.--
                    ``(A) In general.--Upon the request of a consumer, 
                a financial institution shall make available to the 
                consumer individually identifiable health information 
                about the consumer that is within the possession of the 
                financial institution.
                    ``(B) Exceptions.--Notwithstanding subparagraph 
                (A), a financial institution--
                            ``(i) shall not be required to disclose to 
                        a consumer any confidential commercial 
                        information, such as an algorithm used to 
                        derive credit scores or other risk scores or 
                        predictors;
                            ``(ii) shall not be required to create new 
                        records in order to comply with the consumer's 
                        request;
                            ``(iii) shall not be required to disclose 
                        to a consumer any information assembled by the 
                        financial institution, in a particular matter, 
                        as part of the financial institution's efforts 
                        to comply with laws preventing fraud, money 
                        laundering, or other unlawful conduct; and
                            ``(iv) shall not disclose any information 
                        required to be kept confidential by any other 
                        Federal law.
            ``(2) Correction.--
                    ``(A) Opportunity to dispute.--A financial 
                institution shall provide a consumer the opportunity to 
                dispute the accuracy of any individually identifiable 
                health information disclosed to the consumer pursuant 
                to paragraph (1), and to present evidence thereon.
                    ``(B) Amendment, correction, or deletion.--A 
                financial institution--
                            ``(i) shall amend, correct, or delete 
                        material information identified by a consumer 
                        that is materially incomplete or inaccurate; or
                            ``(ii) shall notify the consumer of--
                                    ``(I) its refusal to make such 
                                amendment, correction, deletion;
                                    ``(II) the reasons for the refusal; 
                                and
                                    ``(III) the identity of the person 
                                who created the information and shall 
                                refer the consumer to that person for 
                                purposes of amending or correcting the 
                                information or filing with it a concise 
                                statement of what the consumer believes 
                                to be the correct information.
            ``(3) Coordination and consultation.--In prescribing 
        regulations implementing this subsection, the Federal agencies 
        specified in section 504(a) shall consult with one another to 
        ensure that the regulations--
                    ``(A) impose consistent requirements on the 
                financial institutions under their respective 
                jurisdictions;
                    ``(B) take into account conditions under which 
                financial institutions do business both in the United 
                States and in other countries; and
                    ``(C) are consistent with the principle of 
                technology neutrality.
            ``(4) Charges for disclosures.--A financial institution may 
        impose a reasonable charge for making a disclosure under this 
        subsection, which charge shall be disclosed to the consumer 
        before making the disclosure.
    ``(d) Special Requirement To Protect Mental Health Information.--In 
any case in which this section requires a person to obtain a consumer's 
affirmative consent to a receipt, use, or disclosure of individually 
identifiable health information, the person shall obtain a separate and 
specific consent with respect to any information pertaining to the 
mental health or mental condition of an individual.
    ``(e) Relationship to Other Laws.--Nothing in this section shall be 
construed as--
            ``(1) modifying, limiting, or superseding standards 
        promulgated by the Secretary of Health and Human Services 
        under--
                    ``(A) part C of title XI of the Social Security Act 
                (42 U.S.C. 1320d et seq.); or
                    ``(B) section 264(c) of the Health Insurance 
                Portability and Accountability Act of 1996 (Public Law 
                104-191; 110 Stat. 2033); or
            ``(2) authorizing the use or disclosure of individually 
        identifiable health information in a manner other than as 
        permitted by other applicable law.''.
    (b) Definition of Individually Identifiable Health Information.--
Section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809) is amended 
by adding at the end the following:
            ``(12) Individually identifiable health information.--The 
        term `individually identifiable health information' means any 
        information, including demographic information obtained from or 
        about an individual, that is described in section 1171(6)(B) of 
        the Social Security Act (42 U.S.C. 1320d(6)(B)).''.
    (c) Clerical Amendment.--The table of contents for the Gramm-Leach-
Bliley Act is amended by inserting after the item relating to section 
502 the following:

``Sec. 502A. Special rules for health information.''.

SEC. 3. REGULATIONS; EFFECTIVE DATE.

    (a) Regulations.--
            (1) Regulatory authority.--Section 504(a) of the Gramm-
        Leach-Bliley Act (15 U.S.C. 6804(a)) shall apply to the 
        issuance of regulations to carry out the amendments made by 
        this Act in the same manner as such section applies to the 
        issuance of other regulations to carry out subtitle A of title 
        V of the Gramm-Leach-Bliley Act, except as provided in 
        paragraph (4).
            (2) Authority to grant exceptions.--The regulations issued 
        to carry out the amendments made by this Act may include such 
        additional exceptions to the provisions of section 502A of the 
        Gramm-Leach-Bliley Act, as inserted by section 2, as are deemed 
        consistent with the purposes of subtitle A of title V of such 
        Act, except as provided in paragraph (3)(B).
            (3) Special protections for mental health information.--
                    (A) In general.--The regulations issued to carry 
                out the amendments made by this Act shall, where 
                appropriate, include special policies and procedures to 
                protect the confidentiality of individually 
                identifiable health information relating to the mental 
                health or mental condition of an individual.
                    (B) Authority to grant exceptions.--The regulations 
                issued to carry out the amendments made by this Act may 
                not include any exception to the provisions of section 
                502A of the Gramm-Leach-Bliley Act, as inserted by 
                section 2, that diminishes the protection afforded by 
                such section to the confidentiality of individually 
                identifiable health information relating to the mental 
                health or mental condition of an individual.
            (4) Deadline.--Regulations to carry out the amendments made 
        by this Act shall be issued in final form not later than 6 
        months after the date of the enactment of this Act.
    (b) Effective Date.--The amendments made by this Act shall take 
effect 6 months after the date on which regulations are required to be 
issued under subsection (a)(4), except to the extent that a later date 
is specified in such regulations.