[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[S. 2863 Introduced in Senate (IS)]







106th CONGRESS
  2d Session
                                S. 2863

To prohibit use or sharing of medical health records or information by 
  financial institutions and their affiliates, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             July 13, 2000

  Mr. Smith of New Hampshire introduced the following bill; which was 
read twice and referred to the Committee on Banking, Housing, and Urban 
                                Affairs

_______________________________________________________________________

                                 A BILL


 
To prohibit use or sharing of medical health records or information by 
  financial institutions and their affiliates, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Health Information Protection Act of 
2000''.

SEC. 2. PROHIBITIONS ON SHARING OF HEALTH INFORMATION.

    (a) In General.--Section 502 of the Gramm-Leach-Bliley Act (15 
U.S.C. 6802) is amended by adding at the end the following:
    ``(f) Sharing of Health Information Prohibited.--
            ``(1) In general.--Notwithstanding subsection (a) or (b), 
        and except as provided in paragraph (2)--
                    ``(A) no financial institution or affiliate thereof 
                may receive from, provide to, or otherwise share with 
                any nonaffiliated third party any individually 
                identifiable health information with respect to a 
                consumer to perform services for or functions on behalf 
                of the financial institution or affiliate, including 
                marketing of its own products or services or of 
                financial products or services offered under a joint 
                agreement between 2 or more financial institutions; and
                    ``(B) no financial institution or affiliate thereof 
                may receive from, provide to, or otherwise share with 
                any other affiliate any individually identifiable 
                health information with respect to a consumer.
            ``(2) Exceptions.--
                    ``(A) Payments.--Paragraph (1) does not preclude 
                the sharing of information in connection with the 
                collection of or payment of a medically related debt or 
                insurance claim, limited to information about the 
                specific item, service, procedure, or condition that is 
                the subject of the debt or claim.
                    ``(B) Consent.--
                            ``(i) In general.--Paragraph (1) does not 
                        apply if the financial institution or affiliate 
                        thereof that intends to share individually 
                        identifiable health information relating to a 
                        consumer--
                                    ``(I) has clearly and conspicuously 
                                requested in writing, in accordance 
                                with clause (ii), that the consumer 
                                consent to such sharing;
                                    ``(II) has obtained affirmative 
                                written consent from the consumer for 
                                such sharing, and such consent has not 
                                been withdrawn; and
                                    ``(III) requires the same health 
                                information about all consumers for the 
                                intended use of the information.
                            ``(ii) Format of written request.--A 
                        request for consent under clause (i)(I)--
                                    ``(I) shall be contained in a 
                                separate form, intended only for that 
                                purpose;
                                    ``(II) shall specify that the 
                                consent is being sought to provide 
                                individually identifiable health 
                                information to an affiliate or a 
                                nonaffiliated party, as the case may 
                                be; and
                                    ``(III) shall specify with whom and 
                                for what purpose the information will 
                                be shared.
                            ``(iii) Withdrawal of consent.--A consumer 
                        that has given written consent to the sharing 
                        of individually identifiable health information 
                        under this subparagraph to any person may 
                        withdraw such consent in writing at any time. 
                        No person shall be in violation of this 
                        subsection for the lawful sharing of 
                        individually identifiable health information 
                        under this subparagraph before the date of 
                        receipt of a written withdrawal of consent 
                        under this clause.
                    ``(C) Voluntary information.--Nothing in this 
                subsection precludes a consumer from voluntarily 
                providing individually identifiable health information 
                to a life, health, or disability insurer that is an 
                entity described in paragraph (1).
            ``(3) Limitation on adverse action.--A financial 
        institution or affiliate thereof, that is not organized for the 
        purpose of underwriting insurance products, subject to other 
        applicable law, may not establish the terms of a financial 
        transaction, make a decision to offer, provide, or continue to 
        provide a product or service to a consumer, or otherwise take 
        any adverse action with respect to the consumer--
                    ``(A) based on individually identifiable health 
                information; or
                    ``(B) based on whether or not the consumer consents 
                to the sharing of such information in response to a 
                consent request under paragraph (2)(B).
            ``(4) Limits on redisclosure and reuse of information.--
                    ``(A) In general.--A financial institution, 
                affiliate, or nonaffiliated third party that receives 
                individually identifiable health information from a 
                financial institution or affiliate in accordance with 
                any exception in paragraph (2) shall not disclose such 
                information to any other person unless such disclosure 
                would be lawful if made directly to such other person 
                by the financial institution or affiliate that provided 
                the information.
                    ``(B) Disclosure under exception.--Notwithstanding 
                subparagraph (A), any person that receives individually 
                identifiable health information from a financial 
                institution or affiliate in accordance with any 
                exception in paragraph (2) may also use or disclose 
                such information only as permitted under that exception 
                and this subsection.
            ``(5) Existing protections for health information not 
        affected.--Nothing in this subsection shall be construed as--
                    ``(A) modifying, limiting, or superseding standards 
                governing the privacy and security of individually 
                identifiable health information promulgated by the 
                Secretary of Health and Human Services under section 
                264 of the Health Insurance Portability and 
                Accountability Act of 1996, or the amendments made by 
                section 262(a) of that Act; or
                    ``(B) authorizing the use or disclosure of 
                individually identifiable health information in a 
                manner other than as permitted by other applicable law.
            ``(6) Relation to state laws.--
                    ``(A) In general.--This subsection shall not be 
                construed as superseding, altering, or affecting the 
                statutes, regulations, orders, or interpretations in 
                effect in any State, except to the extent that such 
                statutes, regulations, orders, or interpretations are 
                inconsistent with the provisions of this subsection, 
                and then only to the extent of the inconsistency.
                    ``(B) Greater protection under state law.--For 
                purposes of this paragraph, a State statute, 
                regulation, order, or interpretation is not 
                inconsistent with the provisions of this subsection if 
                the protection that such statute, regulation, order, or 
                interpretation affords any person is greater than the 
                protection provided under this subsection, as 
                determined by the appropriate enforcement authority 
                referred to in section 505, on its own motion or upon 
                the petition of any interested party.
            ``(7) Federal and state action.--The Attorney General of 
        the United States or the Attorney General of a State, or the 
        State bank supervisor, as defined in section 3 of the Federal 
        Deposit Insurance Act, as appropriate, may impose a fine of not 
        more than $25,000 per record, per person, affiliate, or 
        nonaffiliated person to which the record was distributed in 
        violation of this subsection.''.

SEC. 3. DEFINITION OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION.

    Section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809) is 
amended by adding at the end the following new paragraph:
            ``(12) Individually identifiable health information.--The 
        term `individually identifiable health information' means any 
        information, including demographic information obtained from or 
        about an individual, that is described in section 1171(6)(B) of 
        the Social Security Act.''.

SEC. 4. EFFECTIVE DATE.

    This Act and the amendments made by this Act shall become effective 
90 days after the date of enactment of this Act.