[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[S. 578 Introduced in Senate (IS)]

106th CONGRESS
  1st Session
                                 S. 578

 To ensure confidentiality with respect to medical records and health 
           care-related information, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             March 10, 1999

Mr. Jeffords (for himself and Mr. Dodd) introduced the following bill; 
     which was read twice and referred to the Committee on Health, 
                     Education, Labor, and Pensions

_______________________________________________________________________

                                 A BILL

 To ensure confidentiality with respect to medical records and health 
           care-related information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Health Care 
Personal Information Nondisclosure Act of 1999'' or the ``Health Care 
PIN Act''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Purposes.
Sec. 4. Definitions.
                      TITLE I--INDIVIDUAL'S RIGHTS

 Subtitle A--Review of Protected Health Information by Subjects of the 
                              Information

Sec. 101. Inspection and copying of protected health information.
Sec. 102. Amendment of protected health information.
Sec. 103. Notice of confidentiality practices.
                Subtitle B--Establishment of Safeguards

Sec. 111. Establishment of safeguards.
Sec. 112. Accounting for disclosures.
              TITLE II--RESTRICTIONS ON USE AND DISCLOSURE

Sec. 201. General rules regarding use and disclosure.
Sec. 202. Procurement of authorizations for disclosure of protected 
                            health information for treatment, payment, 
                            and health care operations.
Sec. 203. Authorizations for disclosure of protected health information 
                            other than for treatment, payment, or 
                            health care operations.
Sec. 204. Next of kin and directory information.
Sec. 205. Emergency circumstances.
Sec. 206. Oversight.
Sec. 207. Public health.
Sec. 208. Health research.
Sec. 209. Disclosure in civil, judicial, and administrative procedures.
Sec. 210. Disclosure for law enforcement purposes.
Sec. 211. Disclosures for postmarketing adverse experience reporting 
                            for human drug and licensed biological 
                            products.
Sec. 212. Payment card and electronic payment transaction.
Sec. 213. Standards for electronic disclosures.
Sec. 214. Individual representatives.
Sec. 215. Limited liability for law enforcement officers.
Sec. 216. No liability for permissible disclosures.
                          TITLE III--SANCTIONS

                    Subtitle A--Criminal Provisions

Sec. 301. Wrongful disclosure of protected health information.
Sec. 302. Debarment for crimes.
                      Subtitle B--Civil Sanctions

Sec. 311. Civil penalty.
Sec. 312. Procedures for imposition of penalties.
Sec. 313. Report on use of existing enforcement mechanisms.
Sec. 314. Civil action by individuals.
                        TITLE IV--MISCELLANEOUS

Sec. 401. Relationship to other laws.
Sec. 402. Effective date.

SEC. 2. FINDINGS.

    The Congress finds that--
            (1) individuals have a right of confidentiality with 
        respect to their personal health information and records;
            (2) with respect to information about medical care and 
        health status, the traditional right of confidentiality is at 
        risk;
            (3) an erosion of the right of confidentiality may reduce 
        the willingness of patients to confide in physicians and other 
        practitioners, thus jeopardizing quality health care;
            (4) an individual's confidentiality right means that an 
        individual's consent is needed to disclose his or her protected 
        health information, except in rare and limited circumstances 
        required by the public interest;
            (5) any disclosure of protected health information should 
        be limited to that information or portion of the medical record 
        necessary to fulfill the purpose of the disclosure;
            (6) incentives need to be created to use nonidentifiable 
        health information where appropriate;
            (7) the availability of timely and accurate personal health 
        data for the delivery of health care services throughout the 
        Nation is needed;
            (8) personal health care data may be essential for selected 
        types of medical research;
            (9) public health uses of personal health data are critical 
        to both personal health as well as public health; and
            (10) confidentiality of an individual's health information 
        must be assured without jeopardizing the pursuit of clinical 
        and epidemiological research undertaken to improve health care 
        and health outcomes and to assure the quality and efficiency of 
        health care.

SEC. 3. PURPOSES.

    The purpose of this Act is to--
            (1) establish strong and effective mechanisms to protect 
        against the unauthorized and inappropriate use of protected 
        health information that is created or maintained as part of 
        health care treatment, diagnosis, enrollment, payment, plan 
        administration, testing, or research processes;
            (2) promote the efficiency and security of the health 
        information infrastructure so that members of the health care 
        community may more effectively exchange and transfer health 
        information in a manner that will ensure the confidentiality of 
        protected health information without impeding the delivery of 
        high quality health care;
            (3) create incentives to turn personal health information 
        into nonidentifiable health information for oversight, health 
        research, public health, law enforcement, judicial, and 
        administrative purposes, where appropriate; and
            (4) establish strong and effective remedies for violations 
        of this Act.

SEC. 4. DEFINITIONS.

    As used in this Act:
            (1) Accrediting body.--The term ``accrediting body'' means 
        a national body, committee, organization, or institution (such 
        as the Joint Commission on Accreditation of Health Care 
        Organizations or the National Committee for Quality Assurance) 
        that has been authorized by law or is recognized by a health 
        care regulating authority as an accrediting entity or any other 
        entity that has been similarly authorized or recognized by law 
        to perform specific accreditation, licensing or credentialing 
        activities.
            (2) Agent.--The term ``agent'' means a person who 
        represents and acts for another under the contract or relation 
        of agency, or whose function is to bring about, modify, affect, 
        accept performance of, or terminate contractual obligations 
        between the principal and a third person, including a 
        contractor.
            (3) Anonymous link.--
                    (A) In general.--The term ``anonymous link'' means 
                a number assigned to nonidentifiable health information 
                which, by itself, contains no information about an 
                individual, but which, under specific, controlled 
                conditions, can be used to link to additional health 
                information about the same individual which may be used 
                to identify that individual.
                    (B) Disclosure.--Any subsequent disclosure of an 
                anonymous link with any information which, together 
                with information previously disclosed with the same 
                link might reasonably be used to identify an 
                individual, shall be considered to be a disclosure of 
                protected health information. Such a disclosure shall 
                convert any previously disclosed, nonidentifiable 
                information with the same link into protected health 
                information.
            (4) Common rule.--The term ``common rule'' means the 
        Federal policy for the protection of human subjects from 
        research risks originally published as 56 Federal Register 
        28.012 (et seq.) (June 18, 1991) as adopted and implemented by 
        a Federal department or agency.
            (5) Disclose.--The term ``disclose'' means to release, 
        transfer, provide access to, or otherwise divulge protected 
        health information to any person other than the individual who 
        is the subject of such information. Such term includes the 
        initial disclosure and any subsequent disclosures of protected 
        health information.
            (6) Employer.--The term ``employer'' has the meaning given 
        such term under section 3(5) of the Employee Retirement Income 
        Security Act of 1974 (29 U.S.C. 1002(5)), except that such term 
        shall include only employers of two or more employees.
            (7) Health care.--The term ``health care'' means--
                    (A) preventive, diagnostic, therapeutic, 
                rehabilitative, maintenance, or palliative care, 
                including appropriate assistance with disease or 
                symptom management and maintenance, counseling, 
                service, or procedure--
                            (i) with respect to the physical or mental 
                        condition of an individual; or
                            (ii) affecting the structure or function of 
                        the human body or any part of the human body, 
                        including the banking of blood, sperm, organs, 
                        or any other tissue; or
                    (B) pursuant to a prescription or medical order any 
                sale or dispensing of a drug, device, equipment, or 
                other health care related item to an individual, or for 
                the use of an individual.
            (8) Health care operations.--The term ``health care 
        operations'' means services provided by or on behalf of a 
        health plan or health care provider for the purpose of carrying 
        out the management functions of a health care provider or 
        health plan, or implementing the terms of a contract for health 
        plan benefits. Such term means--
                    (A) conducting quality assurance activities or 
                outcomes assessments;
                    (B) reviewing the competence or qualifications of 
                health care professionals;
                    (C) performing accreditation, licensing, or 
                credentialing activities;
                    (D) analysis of health plan claims or health care 
                records data;
                    (E) evaluating health plan and provider 
                performance;
                    (F) carrying out utilization review, 
                precertification or preauthorization of services;
                    (G) underwriting or experience rating of health 
                plans;
                    (H) conducting or arranging for auditing services; 
                or
                    (I) such other services as the Secretary determines 
                appropriate.
            (9) Health care provider.--The term ``health care 
        provider'' means a person, who with respect to a specific item 
        of protected health information, receives, creates, uses, 
        maintains, or discloses the information while acting in whole 
        or in part in the capacity of--
                    (A) a person who is licensed, certified, 
                registered, or otherwise authorized by Federal or State 
                law to provide an item or service that constitutes 
                health care in the ordinary course of business, or 
                practice of a profession;
                    (B) a Federal, State, or employer sponsored program 
                that directly provides items or services that 
                constitute health care to beneficiaries; or
                    (C) an officer, employee, or agent of a person 
                described in subparagraph (A) or (B) that is engaged in 
                the provision of health care.
            (10) Health or life insurer.--The term ``health or life 
        insurer'' means a health insurance issuer as defined in section 
        9805(b)(2) of the Internal Revenue Code of 1986 or a life 
        insurance company as defined in section 816 of such Code.
            (11) Health oversight agency.--The term ``health oversight 
        agency'' means a person who, with respect to a specific item of 
        protected health information, receives, creates, uses, 
        maintains, or discloses the information while acting in whole 
        or in part in the capacity of--
                    (A) a person who performs or oversees the 
                performance of an assessment, evaluation, 
                determination, or investigation, relating to the 
                licensing, accreditation, or credentialing of health 
                care providers; or
                    (B) a person who--
                            (i) performs or oversees the performance of 
                        an audit, assessment, evaluation, 
                        determination, or investigation relating to the 
                        effectiveness of, compliance with, or 
                        applicability of, legal, fiscal, medical, or 
                        scientific standards or aspects of performance 
                        related to the delivery of, or payment for, 
                        health care; and
                            (ii) is a public agency, acting on behalf 
                        of a public agency, acting pursuant to a 
                        requirement of a public agency, or carrying out 
                        activities under a Federal or State law 
                        governing the assessment, evaluation, 
                        determination, investigation, or prosecution 
                        described in subparagraph (A).
            (12) Health plan.--The term ``health plan'' means any 
        health insurance plan, including any hospital or medical 
        service plan, dental or other health service plan or health 
        maintenance organization plan, provider sponsored organization, 
        or other program providing or arranging for the provision of 
        health benefits. Such term includes employee welfare benefits 
        plans and group health plans as defined in sections 3 and 607 
        of the Employee Retirement Income Security Act of 1974 (29 
        U.S.C. 1002 and 1167).
            (13) Health researcher.--The term ``health researcher'' 
        means a person, or an officer, employee or independent 
        contractor of a person, who receives protected health 
        information as part of a systematic investigation, testing or 
        evaluation designed to develop or contribute to generalized 
        scientific and clinical knowledge.
            (14) Individual representative.--The term ``individual 
        representative'' means a person who is authorized by law (based 
        on grounds other than the individual being a minor), or by an 
        instrument recognized under law, to act as an agent, attorney, 
        proxy, or other legal representative of a protected individual. 
        Such term includes a health care power of attorney.
            (15) Institutional review board.--The term ``institutional 
        review board'' means a review panel, that is generally 
        associated with a particular university or other research 
        institution, that is responsible for implementing Federal human 
        subject protection requirements for research conducted at or 
        supported by the university or institution involved.
            (16) Law enforcement inquiry.--The term ``law enforcement 
        inquiry'' means a lawful investigation conducted by an 
        appropriate government agency or official inquiring into a 
        violation of, or failure to comply with, any criminal or civil 
        statute or any regulation, rule, or order issued pursuant to 
        such a statute.
            (17) Network plan.--The term ``network plan'' means health 
        care coverage provided under a health plan under which the 
        financing and delivery of health care are provided, in whole or 
        in part, through a defined set of health care providers under 
        contract with the health plan.
            (18) Nonidentifiable health information.--The term 
        ``nonidentifiable health information'' means any information 
        that would otherwise be protected health information except 
        that such information does not directly reveal the identity of 
        the individual whose health or health care is the subject of 
        the information and there is no reasonable basis to believe 
        that such information could be used, either alone or with other 
        information that is, or should reasonably be known to be, 
        available to predictable recipients of such information, to 
        reveal the identity of that individual.
            (19) Originating provider.--The term ``originating 
        provider'' means a health care provider who creates or 
        originates medical information that is or that becomes 
        protected health information.
            (20) Payment.--The term ``payment'' means--
                    (A) the activities undertaken by--
                            (i) or on behalf of a health plan to 
                        determine its responsibility for coverage under 
                        the plan and the actual payment under such 
                        plan; and
                            (ii) a health care provider to obtain 
                        payment for items or services provided under a 
                        health plan or provided based on a 
                        determination by the health plan of 
                        responsibility for coverage under the plan; and
                    (B) activities undertaken as described in 
                subparagraph (A) including--
                            (i) billing, claims management, medical 
                        data processing or other administrative 
                        services;
                            (ii) determinations of coverage or 
                        adjudication of health benefit claims; and
                            (iii) review of health care services with 
                        respect to medical necessity, coverage under a 
                        health plan, appropriateness of care, or 
                        justification of charges.
            (21) Person.--The term ``person'' means a government, 
        governmental subdivision, agency or authority; corporation; 
        company; association; firm; partnership; society; estate; 
        trust; joint venture; individual; individual representative; 
        tribal government; and any other legal entity.
            (22) Protected health information.--The term ``protected 
        health information'' means any information (including 
        demographic information) whether or not recorded in any form or 
        medium--
                    (A) that relates to the past, present or future--
                            (i) physical or mental health or condition 
                        of an individual (including the condition or 
                        other attributes of individual cells or their 
                        components);
                            (ii) provision of health care to an 
                        individual; or
                            (iii) payment for the provision of health 
                        care to an individual;
                    (B) that is created or received by a health care 
                provider, health plan, health researcher, health 
                oversight agency, public health authority, employer, 
                law enforcement official, health or life insurer, 
                school or university; and
                    (C) that is not nonidentifiable health information.
            (23) Public health authority.--The term ``public health 
        authority'' means an authority or instrumentality of the United 
        States, a tribal government, a State, or a political 
        subdivision of a State that is--
                    (A) primarily responsible for public health 
                matters; and
                    (B) primarily engaged in activities such as injury 
                reporting, public health surveillance, and public 
                health investigation or intervention.
            (24) School or university.--The term ``school or 
        university'' means an institution or place for instruction or 
        education, including an elementary school, secondary school, or 
        institution of higher learning, a college, or an assemblage of 
        colleges united under one corporate organization or government.
            (25) Secretary.--The term ``Secretary'' means the Secretary 
        of Health and Human Services.
            (26) State.--The term ``State'' includes the District of 
        Columbia, Puerto Rico, the Virgin Islands, Guam, American 
        Samoa, and the Northern Mariana Islands.
            (27) Treatment.--The term ``treatment'' means the provision 
        of health care by, or the coordination of health care among, 
        health care providers, or the referral of a patient from one 
        provider to another, or coordination of health care or other 
        services among health care providers and third parties 
        authorized by the health plan or the plan member.
            (28) Writing.--The term ``writing'' means writing in either 
        a paper-based or computer-based form, including electronic 
        signatures.

                      TITLE I--INDIVIDUAL'S RIGHTS

 Subtitle A--Review of Protected Health Information by Subjects of the 
                              Information

SEC. 101. INSPECTION AND COPYING OF PROTECTED HEALTH INFORMATION.

    (a) In General.--At the request of an individual and except as 
provided in subsection (b), a health care provider, health plan, 
employer, health or life insurer, school, or university shall permit an 
individual who is the subject of protected health information or the 
individual's designee, to inspect and copy protected health information 
concerning the individual, including records created under sections 102 
and 112, that such entity maintains. The entity may set forth 
appropriate procedures to be followed for such inspection or copying 
and may require an individual to pay reasonable costs associated with 
such inspection or copying.
    (b) Exceptions.--Unless ordered by a court of competent 
jurisdiction, an entity described in subsection (a) is not required to 
permit the inspection or copying of protected health information if any 
of the following conditions are met:
            (1) Endangerment to life or safety.--The entity determines 
        that the disclosure of the information could reasonably be 
        expected to endanger the life or physical safety of, or cause 
        substantial mental harm to, the individual who is the subject 
        of the record.
            (2) Confidential source.--The information identifies, or 
        could reasonably lead to the identification of, a person who 
        provided information under a promise of confidentiality 
        concerning the individual who is the subject of the 
        information.
            (3) Information compiled in anticipation of litigation.--
        The information is compiled principally--
                    (A) in the reasonable anticipation of a civil, 
                criminal, or administrative action or proceeding; or
                    (B) for use in such action or proceeding.
            (4) Research purposes.--The information was collected for a 
        research project monitored by an institutional review board, 
        such project is not complete, and the researcher reasonably 
        believes that access would harm the conduct of the research or 
        invalidate or undermine the validity of the research.
    (c) Denial of a Request for Inspection or Copying.--If an entity 
described in subsection (a) denies a request for inspection or copying 
pursuant to subsection (b), the entity shall inform the individual in 
writing of--
            (1) the reasons for the denial of the request for 
        inspection or copying;
            (2) any procedures for further review of the denial; and
            (3) the individual's right to file with the entity a 
        concise statement setting forth the request for inspection or 
        copying.
    (d) Statement Regarding Request.--If an individual has filed a 
statement under subsection (c)(3), the entity in any subsequent 
disclosure of the portion of the information requested under subsection 
(a) shall include--
            (1) a copy of the individual's statement; and
            (2) a concise statement of the reasons for denying the 
        request for inspection or copying.
    (e) Inspection and Copying of Segregable Portion.--An entity 
described in subsection (a) shall permit the inspection and copying 
under subsection (a) of any reasonably segregable portion of a record 
after deletion of any portion that is exempt under subsection (b).
    (f) Deadline.--
            (1) In general.--Except as provided in paragraph (2), an 
        entity described in subsection (a) shall comply with or deny, 
        in accordance with subsection (c), a request for inspection or 
        copying of protected health information under this section not 
        later than 30 days after the date on which the entity receives 
        the request.
            (2) Off premises.--In the case of a request described in 
        paragraph (1), if the information involved is in paper form, 
        located off the premises of the entity involved, and not 
        readily available, the entity shall have 60 days to comply with 
        or deny such request.
    (g) Rules Governing Agents.--An agent of an entity described in 
subsection (a) shall not be required to provide for the inspection and 
copying of protected health information, except where--
            (1) the protected health information is retained by the 
        agent; and
            (2) the agent has received in writing a request from the 
        entity involved to fulfill the requirements of this section;
at which time such information shall be provided to the requesting 
entity. Such requesting entity shall comply with subsection (f) with 
respect to any such information.
    (h) Rule of Construction.--This section shall not be construed to 
require an entity described in subsection (a) to conduct a formal, 
informal, or other hearing or proceeding concerning a request for 
inspection or copying of protected health information.

SEC. 102. AMENDMENT OF PROTECTED HEALTH INFORMATION.

    (a) Requirements.--
            (1) In general.--Except as provided in subsections (b) and 
        (e), not later than 45 days after the date on which a health 
        care provider, health plan, employer, health or life insurer, 
        school, or university receives from an individual a request in 
        writing to amend information that meets the requirements of 
        paragraph (2), such entity shall--
                    (A) make the amendment requested;
                    (B) inform the individual of the amendment that has 
                been made; and
                    (C) make reasonable efforts to inform any person to 
                whom the unamended portion of the information was 
                previously disclosed, of any nontechnical amendment 
                that has been made.
            (2) Information.--The requirements of this paragraph are 
        that--
                    (A) the information that is the subject of the 
                request is in fact inaccurate; and
                    (B) the entity receiving the request created the 
                information that is at issue.
    (b) Refusal to Amend.--If an entity described in subsection (a) 
refuses to make the amendment requested under such subsection, the 
entity shall inform the individual in writing of--
            (1) the reasons for the refusal to make the amendment;
            (2) any procedures for further review of the refusal; and
            (3) the individual's right to file with the entity a 
        concise statement setting forth the requested amendment and the 
        individual's reasons for disagreeing with the refusal.
    (c) Statement of Disagreement.--If an individual has filed a 
statement of disagreement under subsection (b)(3), the entity involved, 
in any subsequent disclosure of the disputed portion of the 
information--
            (1) shall include a copy of the individual's statement; and
            (2) may include a concise statement of the reasons for not 
        making the requested amendment.
    (d) Rules Governing Agents.--The agent of an entity described in 
subsection (a) shall not be required to make amendments to protected 
health information, except where--
            (1) the protected health information is retained by the 
        agent; and
            (2) the agent has been asked by such entity to fulfill the 
        requirements of this section.
If the agent is required to comply with this section as provided for in 
paragraph (2), such agent shall be subject to the 45-day deadline 
described in subsection (a).
    (e) Extension for Paper Records Off Premises.--In the case of a 
request described in subsection (a), if the information involved is in 
paper form, located off the premises of the entity involved, and not 
readily available, the entity shall have 60 days to comply with or deny 
such request.
    (f) Repeated Requests for Amendments.--If an entity described in 
subsection (a) receives a request for an amendment of information as 
provided for in such subsection and a statement of disagreement has 
been filed pursuant to subsection (c), the entity shall inform the 
individual of such filing and shall not be required to carry out the 
procedures required under this section.
    (g) Rules of Construction.--This section shall not be construed 
to--
            (1) require that an entity described in subsection (a) 
        conduct a formal, informal, or other hearing or proceeding 
        concerning a request for an amendment to protected health 
        information;
            (2) require a provider to amend an individual's record as 
        to the type, duration, or quality of treatment the individual 
        believes he or she should have been provided; or
            (3) require any deletion or alteration of the original 
        information.

SEC. 103. NOTICE OF CONFIDENTIALITY PRACTICES.

    (a) Preparation of Written Notice.--A health care provider, health 
plan, health oversight agency, public health authority, employer, 
health or life insurer, health researcher, school, or university shall 
post or provide, in writing and in a clear and conspicuous manner, 
notice of the entity's confidentiality practices, that shall include--
            (1) a description of an individual's rights with respect to 
        protected health information;
            (2) the uses and disclosures of protected health 
        information authorized under this Act;
            (3) the procedures for authorizing disclosures of protected 
        health information and for revoking such authorizations;
            (4) the procedures established by the entity for the 
        exercise of the individual's rights; and
            (5) the right to obtain a copy of the notice of the 
        confidentiality practices required under this Act.
    (b) Model Notice.--The Secretary, after notice and opportunity for 
public comment, shall develop and disseminate model notices of 
confidentiality practices. Use of the model notice shall serve as an 
absolute defense against claims of receiving inappropriate notice.

                Subtitle B--Establishment of Safeguards

SEC. 111. ESTABLISHMENT OF SAFEGUARDS.

    (a) In General.--A health care provider, health plan, health 
oversight agency, public health authority, employer, health or life 
insurer, health researcher, law enforcement official, school, or 
university shall establish and maintain appropriate administrative, 
technical, and physical safeguards to protect the confidentiality, 
security, accuracy, and integrity of protected health information 
created, received, obtained, maintained, used, transmitted, or disposed 
of by such entity.
    (b) Regulations.--The Secretary shall have the authority to 
promulgate regulations for the implementation of subsection (a).
    (c) Rule of Construction.--Safeguards to protect the security of 
protected health information under subsection (a) shall include the 
implementation of policies or procedures to consider whether protected 
health information is essential for a use or disclosure undertaken by 
an entity described in such subsection.

SEC. 112. ACCOUNTING FOR DISCLOSURES.

    (a) In General.--
            (1) Health related entities.--Except as provided in 
        paragraph (3), a health care provider, health plan, health 
        oversight agency, public health authority, employer, health or 
        life insurer, health researcher, law enforcement official, 
        school, or university shall establish and maintain, with 
        respect to any protected health information disclosure, a 
        record of such disclosure in accordance with regulations issued 
        by the Secretary.
            (2) Agent.--Except as provided in paragraph (3), an agent 
        shall maintain a record of its disclosures made pursuant to 
        sections 205 through 212.
            (3) Exception.--A record of disclosures under this 
        subsection is not required with respect to disclosures made to 
        officers or employees of the entity that maintains the record 
        involved who, in the performance of their duties, have a need 
        for the protected health information.
    (b) Record of Disclosure.--A record established under subsection 
(a) shall be maintained for not less than 7 years.

              TITLE II--RESTRICTIONS ON USE AND DISCLOSURE

SEC. 201. GENERAL RULES REGARDING USE AND DISCLOSURE.

    (a) Prohibition.--
            (1) General rule.--A health care provider, health plan, 
        health oversight agency, public health authority, employer, 
        health or life insurer, health researcher, law enforcement 
        official, school, or university may not disclose protected 
        health information except as authorized under this title.
            (2) Rule of construction.--Disclosure of health information 
        in the form of nonidentifiable health information shall not be 
        construed as a disclosure of protected health information.
    (b) Use or Disclosure of Protected Health Information Within an 
Entity.--
            (1) In general.--An entity described in subsection (a) may 
        use protected health information or disclose such information 
        within the entity if such use or disclosure is made pursuant to 
        an authorization under section 202 or 203 and consistent with 
        the limitations under subsection (d) on the scope of 
        disclosure.
            (2) Agents.--Disclosure to agents of an entity described in 
        subsection (a) shall be considered as a disclosure within an 
        entity.
    (c) Disclosure by Agents.--An agent who receives protected health 
information from an entity described in subsection (a) shall be subject 
to all rules of disclosure and safeguard requirements under this title.
    (d) Scope of Disclosure.--Every disclosure of protected health 
information by an entity under this title shall be limited to the 
information necessary to accomplish the purpose for which the 
information is disclosed.
    (e) No General Requirement to Disclose.--Nothing in this title 
permitting the disclosure of protected health information shall be 
construed to require such disclosure.
    (f) Identification of Disclosed Information as Protected 
Information.--Except as otherwise provided in this title, protected 
health information may not be disclosed unless such information is 
clearly identified as protected health information that is subject to 
this Act.
    (g) Creation of Nonidentifiable Information.--An entity described 
in subsection (a) may disclose protected health information to an 
employee or agent of the entity for purposes of creating 
nonidentifiable information, if the entity prohibits the employee or 
agent of the entity from using or disclosing the protected health 
information for purposes other than the sole purpose of creating 
nonidentifiable information as specified by the entity.
    (h) Deemed Disclosures of Protected Health Information.--
            (1) In general.--Any individual or entity who manipulates a 
        nonidentifiable database in order to identify an individual 
        shall be deemed to have disclosed protected health information.
            (2) Disclosure or transmission of an anonymous link.--The 
        disclosure or transmission of an anonymous link with any 
        information which, together with information previously 
        disclosed with the same link, might reasonably be used to 
        identify an individual, shall be deemed to be a disclosure of 
        protected health information. Such a disclosure shall have the 
        effect of converting any previously disclosed, nonidentifiable 
        information with the same link into the protected health 
        information.

SEC. 202. PROCUREMENT OF AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED 
              HEALTH INFORMATION FOR TREATMENT, PAYMENT, AND HEALTH 
              CARE OPERATIONS.

    (a) Requirements Relating to Employers, Health Plans, Uninsured 
Individuals, and Providers.--
            (1) In general.--To meet the requirements relating to the 
        authorized disclosure of protected health information under 
        section 201, an authorization form must be secured for each 
        individual in connection with treatment, payment and health 
        care operations.
            (2) Consolidated authorization.--A single authorization may 
        be secured for each individual in connection with treatment, 
        payment, and health care operations.
            (3) Employers.--Every employer offering a health plan to 
        its employees shall, at the time of, and as a condition of 
        enrollment in the health plan, obtain a signed, written 
        authorization that is a legal, informed authorization 
        concerning the use and disclosure of protected health 
        information for treatment, payment, and health care operations 
        with respect to each individual who is eligible to receive care 
        under the health plan.
            (4) Health plans.--Every health plan offering enrollment to 
        individual or non-employer groups shall, at the time of, and as 
        a condition of enrollment in the health plan, obtain a signed, 
        written authorization that is a legal, informed authorization 
        concerning the use and disclosure of protected health 
        information for treatment, payment, and health care operations 
        with respect to each individual who is eligible to receive care 
        under the plan.
            (5) Uninsured.--An originating provider providing health 
        care to an uninsured individual, shall obtain a signed, written 
        authorization that is a legal, informed authorization 
        concerning the use and disclosure of protected health 
        information, in providing health care or arranging for health 
        care from other providers or seeking payment for the provision 
        of health care services.
            (6) Providers.--Every health care provider providing health 
        care to an individual who has not given an authorization under 
        paragraph (3), (4), or (5), shall, at the time of providing 
        such care, obtain a signed, written authorization concerning 
        the use and disclosure of protected health information for 
        treatment, payment, and health care operations with respect to 
        such individual. Nothing in this section shall be construed to 
        require that a health care provider secure an authorization in 
        addition to an authorization secured under paragraph (3), (4), 
        or (5).
    (b) Requirements for Individual Authorization.--To be valid, an 
authorization to disclose protected health information shall--
            (1) identify the individual involved;
            (2) describe the nature of the health care information to 
        be disclosed;
            (3) identify the type of person to whom the information is 
        to be disclosed;
            (4) describe the purpose of the disclosure, including 
        whether the information may be used for disease management or 
        medication compliance;
            (5) be subject to revocation by the individual and indicate 
        that the authorization is valid until revocation by the 
        individual; and
            (6)(A) be either--
                    (i) in writing, dated, and signed by the 
                individual; or
                    (ii) in electronic form, dated and authenticated by 
                the individual using a unique identifier; and
            (B) not have been revoked under subsection (c).
    (c) Revocation of Authorization.--
            (1) In general.--An individual may revoke in writing an 
        authorization under this section at any time, unless the 
        disclosure that is the subject of the authorization is required 
        to effectuate payment for health care that has been provided to 
        the individual for which the individual has not agreed to 
        assume personal financial responsibility.
            (2) Exception for self-payment.--An individual may revoke a 
        prior authorization for payment or health care operations 
        described in paragraphs (1) through (6) of subsection (a) prior 
        to a single or series of encounters with a health care provider 
        if such individual has agreed to assume personal financial 
        responsibility for the treatment.
            (3) Health plans.--With respect to a health plan, the 
        authorization of an individual is deemed to be revoked at the 
        time of the cancellation or non-renewal of enrollment in the 
        health plan, except as may be necessary to complete health care 
        operations and payment requirements related to the individual's 
        period of enrollment.
            (4) Actions.--An individual may not maintain an action 
        against a person for disclosure of protected health information 
        made in good faith reliance on the individual's authorization 
        at the time disclosure was made.
    (d) Record of Individual's Authorizations and Revocations.--
            (1) In general.--Each person collecting or storing 
        protected health information shall maintain a record for a 
        period of 7 years of each authorization of an individual and 
        revocation thereof.
            (2) Rule of construction.--Records of authorizations and 
        revocations maintained under paragraph (1) shall not be 
        construed to be protected health information under this Act.
    (e) No Waiver.--Except as provided for in this Act, an 
authorization to disclose protected health information by an individual 
shall not be construed as a waiver of any rights that the individual 
has under other Federal or State laws, the rules of evidence, or common 
law.
    (f) Rule of Construction.--Authorizations for the disclosure of 
protected health information for treatment, payment, and health care 
operations shall not authorize the disclosure of such information by an 
individual with the intent to sell, transfer, or use protected health 
information for the purpose of marketing a product or service. For such 
disclosures a separate authorization is required under section 203.

SEC. 203. AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH INFORMATION 
              OTHER THAN FOR TREATMENT, PAYMENT, OR HEALTH CARE 
              OPERATIONS.

    (a) Written Authorizations.--A health care provider, health plan, 
health oversight agency, health researcher, public health authority, 
law enforcement official, employer, health or life insurer, school, or 
university may disclose protected health information, for purposes 
other than those authorized under section 202, pursuant to an 
authorization executed by the individual who is the subject of the 
information that meets the requirements of section 202(b). Such an 
authorization shall be separate from an authorization provided under 
section 202.
    (b) Limitation on Authorizations.--An entity described in section 
202 may not condition the delivery of treatment or payment for services 
on the receipt of an authorization described in this section.
    (c) Revocation or Amendment of Authorization.--
            (1) In general.--An individual may in writing revoke or 
        amend an authorization described in subsection (a).
            (2) Notice of revocation.--An entity described in 
        subsection (a) that discloses protected health information 
        pursuant to an authorization that has been revoked under 
        paragraph (1) shall not be subject to any liability or penalty 
        under this title if that entity had no actual or constructive 
        notice of the revocation.
    (d) Requirement To Release Protected Health Information to Coroners 
and Medical Examiners.--
            (1) In general.--When a Coroner or Medical Examiner or 
        their duly appointed deputies seek protected health information 
        for the purpose of inquiry into and determination of, the 
        cause, manner, and circumstances of a death, the health care 
        provider, health plan, health oversight agency, public health 
        authority, employer, health or life insurer, health researcher, 
        law enforcement official, school, or university involved shall 
        provide the protected health information to the Coroner or 
        Medical Examiner or to the duly appointed deputies without 
        undue delay.
            (2) Production of additional information.--If a Coroner or 
        Medical Examiner or their duly appointed deputies receives 
        health information from an entity referred to in paragraph (1), 
        such health information shall remain as protected health 
        information unless the health information is attached to or 
        otherwise made a part of a Coroner's or Medical Examiner's 
        official report, in which case it shall no longer be protected.
            (3) Exemption.--Health information attached to or otherwise 
        made a part of a Coroner's or Medical Examiner's official 
        report, shall be exempt from the provisions of this Act except 
        as provided for in this subsection.
            (4) Reimbursement.--A Coroner or Medical Examiner may 
        require a person to reimburse their Office for the reasonable 
        costs associated with such inspection or copying.
    (e) Disclosure for Purpose Only.--A recipient of information 
pursuant to an authorization under this section may use or disclose 
such information solely to carry out the purpose for which the 
information was authorized for release.
    (f) Model Authorizations.--The Secretary, after notice and 
opportunity for public comment, shall develop and disseminate model 
written authorizations of the type described in subsection (a). Any 
authorization obtained on a model authorization form developed by the 
Secretary shall be deemed to meet the authorization requirements of 
this section.

SEC. 204. NEXT OF KIN AND DIRECTORY INFORMATION.

    (a) Next of Kin.--A health care provider, or a person who receives 
protected health information under section 205, may disclose protected 
health information regarding an individual to the individual's next of 
kin, an individual's representative, or to another person whom the 
individual has identified, if--
            (1) the individual who is the subject of the information--
                    (A) has been notified of the individual's right to 
                object to such disclosure and the individual has not 
                objected to the disclosure; or
                    (B) is in a physical or mental condition such that 
                the individual is not capable of objecting, and there 
                are no prior indications that the individual would 
                object;
            (2) the information disclosed relates to health care 
        currently being provided to that individual; or
            (3) the disclosure of the protected health information is 
        consistent with good medical or professional practice.
    (b) Directory Information.--
            (1) Disclosure.--
                    (A) In general.--Except as provided in paragraph 
                (2), an entity described in subsection (a) may disclose 
                the information described in subparagraph (B) to any 
                person if the individual who is the subject of the 
                information--
                            (i) has been notified of the individual's 
                        right to object and the individual has not 
                        objected to the disclosure; or
                            (ii) is in a physical or mental condition 
                        such that the individual is not capable of 
                        objecting, the individual's next of kin has not 
                        objected, and there are no prior indications 
                        that the individual would object.
                    (B) Information.--Information described in this 
                subparagraph is information that consists only of 1 or 
                more of the following items:
                            (i) The name of the individual who is the 
                        subject of the information.
                            (ii) The general health status of the 
                        individual, described as critical, poor, fair, 
                        stable, or satisfactory or in terms denoting 
                        similar conditions.
                            (iii) The location of the individual on 
                        premises controlled by a provider.
            (2) Exception.--
                    (A) Location.--Paragraph (1)(B)(iii) shall not 
                apply if disclosure of the location of the individual 
                would reveal specific information about the physical or 
                mental condition of the individual, unless the 
                individual expressly authorizes such disclosure.
                    (B) Directory or next of kin information.--A 
                disclosure may not be made under this section if the 
                health care provider involved has reason to believe 
                that the disclosure of directory or next of kin 
                information could lead to the physical or mental harm 
                of the individual, unless the individual expressly 
                authorizes such disclosure.
    (c) Identification of Deceased Individual.--An entity described in 
subsection (a) may disclose protected health information if such 
disclosure is necessary to assist in the identification or safe 
handling of a deceased individual.
    (d) Rights of Minors.--
            (1) Individuals who are 18 or legally capable.--In the case 
        of an individual--
                    (A) who is 18 years of age or older, all rights of 
                the individual under this title shall be exercised by 
                the individual; or
                    (B) who, acting alone, can obtain a type of health 
                care without violating any applicable Federal or State 
                law, and who has sought such care, the individual shall 
                exercise all rights of the individual under this title 
                with respect to protected health information relating 
                to such health care.
            (2) Individuals under 18.--Except as provided in paragraph 
        (1)(B), in the case of an individual who is--
                    (A) under 14 years of age, all of the individual's 
                rights under this title shall be exercised through the 
                parent or legal guardian; or
                    (B) at least 14 but under 18 years of age, the 
                rights of inspection and amendment, and the right to 
                authorize use and disclosure of protected health 
                information of the individual shall be exercised by the 
                individual, or by the parent or legal guardian of the 
                individual.

SEC. 205. EMERGENCY CIRCUMSTANCES.

    Any person who creates or receives protected health information 
under this title may disclose protected health information in emergency 
circumstances when necessary to protect the health or safety of the 
individual who is the subject of such information from serious, 
imminent harm. No disclosure made in the good faith belief that the 
disclosure was necessary to protect the health or safety of an 
individual from serious, imminent harm shall be in violation of, or 
punishable under, this Act.

SEC. 206. OVERSIGHT.

    (a) In General.--A health care provider, health plan, employer, 
health or life insurer, law enforcement official, school, or university 
may disclose protected health information to a health oversight agency 
for purposes of an oversight function authorized by law.
    (b) Public Health and Health Research.--A public health authority 
or health researcher may disclose protected health information to a 
health oversight agency for purposes of an oversight function of the 
public health authority or health researcher authorized by law.
    (c) Authorization by a Supervisor.--For purposes of this section, 
the individual with authority to authorize the oversight function 
involved shall provide to the entity described in subsection (a) or (b) 
a statement that the protected health information is being sought for a 
legally authorized oversight function.
    (d) Use in Action Against Individuals.--Protected health 
information about an individual that is disclosed under this section 
may not be used in, or disclosed to any person for use in, an 
administrative, civil, or criminal action or investigation directed 
against the individual unless the action or investigation arises out of 
and is directly related to--
            (1) the receipt of health care or payment for health care;
            (2) an action involving a fraudulent claim related to 
        health; or
            (3) an action involving oversight of a public health 
        authority or a health researcher.

SEC. 207. PUBLIC HEALTH.

    A health care provider, health plan, public health authority, 
employer, health or life insurer, law enforcement official, school, or 
university may disclose protected health information to a public health 
authority or other person authorized by law for use in a legally 
authorized--
            (1) disease or injury report;
            (2) public health surveillance; or
            (3) public health investigation or intervention.

SEC. 208. HEALTH RESEARCH.

    (a) In General.--A health care provider, health plan, public health 
authority, employer, health or life insurer, school, or university may 
disclose protected health information to a health researcher if--
            (1) the research involves human subjects, is conducted or 
        supported by any Federal department or agency, and the 
        researcher complies with the common rule;
            (2) the research is a clinical investigation involving 
        human subjects and the researcher follows the regulations of 
        the Food and Drug Administration governing confidentiality 
        procedures; or
            (3) the research is not subject to the Federal Policy for 
        the Protection of Human Subjects.
    (b) Periodic Review and Technical Assistance of Institutional 
Review Boards Involved With the Federal Policy for Protection of Human 
Subjects.--
            (1) Institutional review board.--Any institutional review 
        board that authorizes research under this section pursuant to 
        the common rule shall keep records of the names and addresses 
        of all members who participate in such authorizations for 
        possible review or audit.
            (2) Technical assistance.--The Secretary may provide 
        technical assistance to institutional review boards described 
        in this section.
            (3) Monitoring.--The Secretary shall periodically monitor 
        institutional review boards described in this section.
            (4) Reports.--Not later than 3 years after the date of 
        enactment of this Act, the Secretary shall report to Congress 
        regarding the activities of institutional review boards 
        described in this section.
    (c) Review of the Common Rule by the Secretary.--The Secretary 
shall review the requirements of the common rule pertaining to the 
privacy of protected health information and shall promulgate any 
amendments to the common rule that may be necessary to ensure the 
confidentiality of such information.
    (d) Recommendations With Respect to Privacy.--
            (1) In general.--Not later than the date that is 12 months 
        after the date of the enactment of this Act, the Secretary 
        shall submit to the Committee on Labor and Human Resources of 
        the Senate detailed recommendations on standards with respect 
        to the privacy of individually identifiable health information 
        in research described in subsection (a)(3).
            (2) Rule of construction.--In formulating the 
        recommendations under paragraph (1), the Secretary shall 
        consider the findings of the National Bioethics Advisory 
        Commission and the results of the General Accounting Office 
        report authorized by section 402.
            (3) Regulations.--If legislation governing standards with 
        respect to the privacy of individually identifiable health 
        information transmitted in connection with research described 
        in subsection (a)(3) is not enacted by the date that is 24 
        months after the date of the enactment of this Act, the 
        Secretary shall promulgate final regulations containing such 
        standards not later than the date that is 30 months after the 
        date of the enactment of this Act.

SEC. 209. DISCLOSURE IN CIVIL, JUDICIAL, AND ADMINISTRATIVE PROCEDURES.

    (a) In General.--A health care provider, health plan, public health 
authority, employer, health or life insurer, law enforcement official, 
school, or university may disclose protected health information 
pursuant to a discovery request or subpoena in a civil action brought 
in a Federal or State court or a request or subpoena related to a 
Federal or State administrative proceeding, but only if the disclosure 
is made pursuant to a court order as provided for in subsection (b).
    (b) Court Orders.--
            (1) Standard for issuance.--In considering a request for a 
        court order regarding the disclosure of protected health 
        information under subsection (a), the court shall issue such 
        order if the court determines that without the disclosure of 
        such information, the person requesting the order would be 
        impaired from establishing a claim or defense.
            (2) Requirements.--An order issued under paragraph (1) 
        shall--
                    (A) provide that the protected health information 
                involved is subject to court protection;
                    (B) specify to whom the information may be 
                disclosed;
                    (C) specify that such information may not otherwise 
                be disclosed or used; and
                    (D) meet any other requirements that the court 
                determines are needed to protect the confidentiality of 
                the information.
    (c) Applicability.--This section shall not apply in a case in which 
the protected health information sought under such discovery request or 
subpoena--
            (1) is nonidentifiable health information;
            (2) is related to a party to the litigation whose medical 
        condition is at issue; or
            (3) could be disclosed under any of sections 202 through 
        208, 210, and 212.
    (d) Effect of Section.--This section shall not be construed to 
supersede any grounds that may apply under Federal or State law for 
objecting to turning over the protected health information.

SEC. 210. DISCLOSURE FOR LAW ENFORCEMENT PURPOSES.

    (a) In General.--A health care provider, health plan, health 
oversight agency, employer, health or life insurer, school, university, 
or person who receives protected health information pursuant to 
sections 203 through 208, may disclose protected health information 
under this section, except to a health oversight agency governed by 
section 206, if the disclosure is pursuant to--
            (1) a subpoena issued under the authority of a grand jury;
            (2) an administrative subpoena or summons or judicial 
        subpoena or warrant; or
            (3) a Federal or State law requiring the reporting of 
        specific medical information to law enforcement authorities.
    (b) Probable Cause.--A subpoena or summons for a disclosure under 
paragraph (1) or (2) of subsection (a) shall only be issued if the law 
enforcement agency involved shows that there is probable cause to 
believe that the information is relevant to a legitimate law 
enforcement inquiry.
    (c) Destruction or Return of Information.--When the matter or need 
for which protected health information was disclosed to a law 
enforcement agency or grand jury under subsection (a) has concluded, 
including any derivative matters arising from such matter or need, the 
law enforcement agency or grand jury shall either destroy the protected 
health information, or return it to the person from whom it was 
obtained.
    (d) Redactions.--To the extent practicable, and consistent with the 
requirements of due process, a law enforcement agency shall redact 
personally identifying information from protected health information 
prior to the public disclosure of such protected information in a 
judicial or administrative proceeding.
    (e) Use of Information.--Protected health information obtained by a 
law enforcement agency pursuant to this section may only be used for 
purposes of a legitimate law enforcement activity.
    (f) Exclusion of Evidence.--If protected health information is 
obtained without meeting the requirements of paragraphs (1), (2), and 
(3) of subsection (a), any such information that is unlawfully obtained 
shall be excluded from court proceedings unless the defendant requests 
otherwise.

SEC. 211. DISCLOSURES FOR POSTMARKETING ADVERSE EXPERIENCE REPORTING 
              FOR HUMAN DRUG AND LICENSED BIOLOGICAL PRODUCTS.

    (a) Adverse Experience Reports.--
            (1) In general.--Pursuant to the regulations of the Food 
        and Drug Administration at sections 310.305, 314.80, and 600.80 
        of title 21, Code of Federal Regulations, manufacturers, 
        packers, and distributors of approved new drug applications, 
        abbreviated new drug applications, antibiotic applications, 
        marketed prescription of drugs for human use, and approved 
        biologic product license applications shall report adverse 
        experiences in accordance with such section.
            (2) No identification of patients.--In accordance with the 
        August 1997 Guidance for Industry of the Food and Drug 
        Administration, patients shall not be identified by name, 
        address, or social security number in any report described in 
        paragraph (1). The manufacturer, packer, or distributor 
        involved shall assign a code for a patient in each such report.
            (3) Non liability under act.--A manufacturer, packer, or 
        distributor who submits an adverse report in accordance with 
        this subsection and the regulations described in paragraph (1) 
        shall not be liable under this Act.
    (b) Rule of Construction.--An adverse experience report written in 
accordance with the regulations described in subsection (a) shall be 
deemed to be a disclosure of non-identifiable information under this 
Act.

SEC. 212. PAYMENT CARD AND ELECTRONIC PAYMENT TRANSACTION.

    (a) Payment for Health Care Through Card or Electronic Means.--If 
an individual pays for health care by presenting a debit, credit, or 
other payment card or account number, or by any other electronic 
payment means, the entity receiving payment may disclose to a person 
described in subsection (b) only such protected health information 
about the individual as is necessary for the processing of the payment 
transaction or the billing or collection of amounts charged to, debited 
from, or otherwise paid by, the individual using the card, number, or 
other electronic means.
    (b) Transaction Processing.--A person who is a debit, credit, or 
other payment card issuer, or is otherwise directly involved in the 
processing of payment transactions involving such cards or other 
electronic payment transactions, or is otherwise directly involved in 
the billing or collection of amounts paid through such means, may use 
or disclose protected health information about an individual that has 
been disclosed in accordance with subsection (a) only when necessary 
for--
            (1) the authorization, settlement, billing or collection of 
        amounts charged to, debited from, or otherwise paid the 
        individual using a debit, credit, or other payment card or 
        account number, or by other electronic payment means;
            (2) the transfer of receivables, accounts, or interest 
        therein;
            (3) the audit of the debit, credit, or other payment card 
        account information;
            (4) compliance with Federal, State, or local law; or
            (5) compliance with a properly authorized civil, criminal, 
        or regulatory investigation by Federal, State, or local 
        authorities as governed by the requirements of this section.

SEC. 213. STANDARDS FOR ELECTRONIC DISCLOSURES.

    The Secretary shall promulgate standards for disclosing, 
authorizing, and authenticating, protected health information in 
electronic form consistent with this title.

SEC. 214. INDIVIDUAL REPRESENTATIVES.

    (a) In General.--Except as provided in subsections (b) and (c), a 
person who is authorized by law (based on grounds other than the 
individual being a minor), or by an instrument recognized under law, to 
act as an agent, attorney, proxy, or other legal representative of a 
protected individual, may, to the extent so authorized, exercise and 
discharge the rights of the individual under this Act.
    (b) Health Care Power of Attorney.--A person who is authorized by 
law (based on grounds other than being a minor), or by an instrument 
recognized under law, to make decisions about the provision of health 
care to an individual who is incapacitated, may exercise and discharge 
the rights of the individual under this Act to the extent necessary to 
effectuate the terms or purposes of the grant of authority.
    (c) No Court Declaration.--If a health care provider determines 
that an individual, who has not been declared to be legally 
incompetent, suffers from a medical condition that prevents the 
individual from acting knowingly or effectively on the individual's own 
behalf, the right of the individual to authorize disclosure under this 
Act may be exercised and discharged in the best interest of the 
individual by--
            (1) a person described in subsection (b) with respect to 
        the individual;
            (2) a person described in subsection (a) with respect to 
        the individual, but only if a person described in paragraph (1) 
        cannot be contacted after a reasonable effort;
            (3) the next of kin of the individual, but only if a person 
        described in paragraph (1) or (2) cannot be contacted after a 
        reasonable effort; or
            (4) the health care provider, but only if a person 
        described in paragraph (1), (2), or (3) cannot be contacted 
        after a reasonable effort.
    (d) Application to Deceased Individuals.--The provisions of this 
Act shall continue to apply to protected health information concerning 
a deceased individual for a period of 2-years following the death of 
that individual.
    (e) Exercise of Rights on Behalf of a Deceased Individual.--A 
person who is authorized by law or by an instrument recognized under 
law, to act as an executor of the estate of a deceased individual, or 
otherwise to exercise the rights of the deceased individual, may, to 
the extent so authorized, exercise and discharge the rights of such 
deceased individual under this Act for a period of 2-years following 
the death of that individual. If no such designee has been authorized, 
the rights of the deceased individual may be exercised as provided for 
in subsection (c).

SEC. 215. LIMITED LIABILITY FOR LAW ENFORCEMENT OFFICERS.

    Federal and State law enforcement officers shall not be personally 
liable for violations of this Act unless it is shown that the violation 
was a result of intentional conduct committed with the intent to sell, 
transfer, or use protected health information for commercial advantage, 
personal gain, or malicious harm.

SEC. 216. NO LIABILITY FOR PERMISSIBLE DISCLOSURES.

    A health care provider, health plan, health oversight agency, 
health researcher, public health authority, law enforcement official, 
employer, health or life insurer, school, or university who makes a 
disclosure of protected health information about an individual that is 
permitted by this Act shall not be liable to the individual for such 
disclosure under common law.

                          TITLE III--SANCTIONS

                    Subtitle A--Criminal Provisions

SEC. 301. WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION.

    (a) In General.--Part I of title 18, United States Code, is amended 
by adding at the end the following:

   ``CHAPTER 124--WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION

        ``Sec.
        ``2801. Wrongful disclosure of protected health information.
``Sec. 2801. Wrongful disclosure of protected health information
    ``(a) Offense.--The penalties described in subsection (b) shall 
apply to a person that knowingly and intentionally--
            ``(1) obtains protected health information relating to an 
        individual in violation of title II of the Health Care PIN Act;
            ``(2) discloses protected health information to another 
        person in violation of title II of the Health Care PIN Act; or
            ``(3) uses protected health information in violation of 
        title II of the Health Care PIN Act.
    ``(b) Penalties.--A person described in subsection (a) shall--
            ``(1) be fined not more than $50,000, imprisoned not more 
        than 1 year, or both;
            ``(2) if the offense is committed under false pretenses, be 
        fined not more than $250,000, imprisoned not more than 5 years, 
        or any combination of such penalties;
            ``(3) if the offense is committed with the intent to sell, 
        transfer, or use protected health information for commercial 
        advantage, personal gain, or malicious harm, be fined not more 
        than $500,000, imprisoned not more than 10 years, excluded from 
        participation in any federally funded health care programs, or 
        any combination of such penalties.
    ``(c) Subsequent Offenses.--In the case of a person described in 
subsection (a), the maximum penalties described in subsection (b) shall 
be doubled for every subsequent conviction for an offense arising out 
of a violation or violations related to a set of circumstances that are 
different from those involved in the previous violation or set of 
related violations described in such subsection (a).''.
    (b) Clerical Amendment.--The table of chapters for part I of title 
18, United States Code, is amended by inserting after the item relating 
to chapter 123 the following new item:

``124. Wrongful disclosure of protected health information..    2801''.

SEC. 302. DEBARMENT FOR CRIMES.

    (a) Purpose.--The purpose of this section is to promote the 
prevention and deterrence of instances of intentional criminal actions 
which violate criminal laws which are designed to safeguard the 
protected health information in a manner consistent with this Act.
    (b) Debarment.--Not later than 270 days after the effective date of 
this Act, the Attorney General, in consultation with the Secretary, 
shall promulgate regulations and establish procedures to permit the 
debarment of health care providers, health researchers, health or life 
insurers, or schools or universities from receiving benefits under any 
Federal health programs if the managers or officers of such entities 
are found guilty of violating section 2801 of title 18, United States 
Code, have civil penalties imposed against such officers or managers 
under section 311 in connection with the illegal disclosure of 
protected health information, or are found guilty of making a false 
statement or obstructing justice related to attempting to conceal or 
concealing such illegal disclosure. Such regulations shall take into 
account the need for continuity of medical care and may provide for a 
delay of any debarment imposed under this section to take into account 
the medical needs of patients.
    (c) Consultation.--Before publishing a proposed rule to implement 
subsection (b), the Attorney General shall consult with State law 
enforcement officials, health care providers, patient privacy rights' 
advocates, and other appropriate individuals and entities, to gain 
additional information regarding the debarment of entities under 
subsection (b) and the best methods to ensure the continuity of medical 
care.
    (d) Report.--The Attorney General shall annually prepare and submit 
to the Committee on the Judiciary of the House of Representatives and 
the Committee on the Judiciary of the Senate a report concerning the 
activities and debarment actions taken by the Attorney General under 
this section.
    (e) Assistance To Prevent Criminal Violations.--The Attorney 
General, in cooperation with any other appropriate individual, 
organization, or agency, may provide advice, training, technical 
assistance, and guidance regarding ways to reduce the incidence of 
improper disclosure of protected health information.
    (f) Relationship to Other Authorities.--A debarment imposed under 
this section shall not reduce or diminish the authority of a Federal, 
State, or local governmental agency or court to penalize, imprison, 
fine, suspend, debar, or take other adverse action against a person, in 
a civil, criminal, or administrative proceeding.

                      Subtitle B--Civil Sanctions

SEC. 311. CIVIL PENALTY.

    (a) Violation.--A health care provider, health researcher, health 
plan, health oversight agency, public health agency, law enforcement 
agency, employer, health or life insurer, school, or university, or the 
agent of any such individual or entity, who the Secretary, in 
consultation with the Attorney General, determines has substantially 
and materially failed to comply with this Act shall be subject, in 
addition to any other penalties that may be prescribed by law--
            (1) in a case in which the violation relates to title I, to 
        a civil penalty of not more than $500 for each such violation, 
        but not to exceed $5,000 in the aggregate for multiple 
        violations;
            (2) in a case in which the violation relates to title II, 
        to a civil penalty of not more than $10,000 for each such 
        violation, but not to exceed $50,000 in the aggregate for 
        multiple violations; or
            (3) in a case in which the Secretary finds that such 
        violations have occurred with such frequency as to constitute a 
        general business practice, to a civil penalty of not more than 
        $100,000.
    (b) Procedures for Imposition of Penalties.--Section 1128A of the 
Social Security Act, other than subsections (a) and (b) and the second 
sentence of subsection (f) of that section, shall apply to the 
imposition of a civil, monetary, or exclusionary penalty under this 
section in the same manner as such provisions apply with respect to the 
imposition of a penalty under section 1128A of such Act.

SEC. 312. PROCEDURES FOR IMPOSITION OF PENALTIES.

    (a) Initiation of Proceedings.--
            (1) In general.--The Secretary, in consultation with the 
        Attorney General, may initiate a proceeding to determine 
        whether to impose a civil money penalty under section 311. The 
        Secretary may not initiate an action under this section with 
        respect to any violation described in section 311 after the 
        expiration of the 6-year period beginning on the date on which 
        such violation was alleged to have occurred. The Secretary may 
        initiate an action under this section by serving notice of the 
        action in any manner authorized by Rule 4 of the Federal Rules 
        of Civil Procedure.
            (2) Notice and opportunity for hearing.--The Secretary 
        shall not make a determination adverse to any person under 
        paragraph (1) until the person has been given written notice 
        and an opportunity for the determination to be made on the 
        record after a hearing at which the person is entitled to be 
        represented by counsel, to present witnesses, and to cross-
        examine witnesses against the person.
            (3) Estoppel.--In a proceeding under paragraph (1) that--
                    (A) is against a person who has been convicted 
                (whether upon a verdict after trial or upon a plea of 
                guilty or nolo contendere) of a crime under section 
                2801 of title 18, United States Code; and
                    (B) involves the same conduct as in the criminal 
                action;
        the person is estopped from denying the essential elements of 
        the criminal offense.
            (4) Sanctions for failure to comply.--The official 
        conducting a hearing under this section may sanction a person, 
        including any party or attorney, for failing to comply with an 
        order or procedure, failing to defend an action, or other 
        misconduct as would interfere with the speedy, orderly, or fair 
        conduct of the hearing. Such sanction shall reasonably relate 
        to the severity and nature of the failure or misconduct. Such 
        sanction may include--
                    (A) in the case of refusal to provide or permit 
                discovery, drawing negative factual inferences or 
                treating such refusal as an admission by deeming the 
                matter, or certain facts, to be established;
                    (B) prohibiting a party from introducing certain 
                evidence or otherwise supporting a particular claim or 
                defense;
                    (C) striking pleadings, in whole or in part;
                    (D) staying the proceedings;
                    (E) dismissal of the action;
                    (F) entering a default judgment;
                    (G) ordering the party or attorney to pay 
                attorneys' fees and other costs caused by the failure 
                or misconduct; and
                    (H) refusing to consider any motion or other action 
                which is not filed in a timely manner.
    (b) Scope of Penalty.--In determining the amount or scope of any 
penalty imposed pursuant to section 311, the Secretary shall take into 
account--
            (1) the nature of claims and the circumstances under which 
        they were presented;
            (2) the degree of culpability, history of prior offenses, 
        and financial condition of the person presenting the claims; 
        and
            (3) such other matters as justice may require.
    (c) Review of Determination.--
            (1) In general.--Any person adversely affected by a 
        determination of the Secretary under this section may obtain a 
        review of such determination in the United States Court of 
        Appeals for the circuit in which the person resides, or in 
        which the claim was presented, by filing in such court (within 
        60 days following the date the person is notified of the 
        determination of the Secretary) a written petition requesting 
        that the determination be modified or set aside.
            (2) Filing of record.--A copy of the petition filed under 
        paragraph (1) shall be forthwith transmitted by the clerk of 
        the court to the Secretary, and thereupon the Secretary shall 
        file in the Court the record in the proceeding as provided in 
        section 2112 of title 28, United States Code. Upon such filing, 
        the court shall have jurisdiction of the proceeding and of the 
        question determined therein, and shall have the power to make 
        and enter upon the pleadings, testimony, and proceedings set 
        forth in such record a decree affirming, modifying, remanding 
        for further consideration, or setting aside, in whole or in 
        part, the determination of the Secretary and enforcing the same 
        to the extent that such order is affirmed or modified.
            (3) Consideration of objections.--No objection that has not 
        been raised before the Secretary with respect to a 
        determination described in paragraph (1) shall be considered by 
        the court, unless the failure or neglect to raise such 
        objection shall be excused because of extraordinary 
        circumstances.
            (4) Findings.--The findings of the Secretary with respect 
        to questions of fact in an action under this subsection, if 
        supported by substantial evidence on the record considered as a 
        whole, shall be conclusive. If any party shall apply to the 
        court for leave to adduce additional evidence and shall show to 
        the satisfaction of the court that such additional evidence is 
        material and that there were reasonable grounds for the failure 
        to adduce such evidence in the hearing before the Secretary, 
        the court may order such additional evidence to be taken before 
        the Secretary and to be made a part of the record. The 
        Secretary may modify findings as to the facts, or make new 
        findings, by reason of additional evidence so taken and filed, 
        and shall file with the court such modified or new findings, 
        and such findings with respect to questions of fact, if 
        supported by substantial evidence on the record considered as a 
        whole, and the recommendations of the Secretary, if any, for 
        the modification or setting aside of the original order, shall 
        be conclusive.
            (5) Exclusive jurisdiction.--Upon the filing of the record 
        with the court under paragraph (2), the jurisdiction of the 
        court shall be exclusive and its judgment and decree shall be 
        final, except that the same shall be subject to review by the 
        Supreme Court of the United States, as provided for in section 
        1254 of title 28, United States Code.
    (d) Recovery of Penalties.--
            (1) In general.--Civil money penalties imposed under this 
        subtitle may be compromised by the Secretary and may be 
        recovered in a civil action in the name of the United States 
        brought in United States district court for the district where 
        the claim was presented, or where the claimant resides, as 
        determined by the Secretary. Amounts recovered under this 
        section shall be paid to the Secretary and deposited as 
        miscellaneous receipts of the Treasury of the United States.
            (2) Deduction from amounts owing.--The amount of any 
        penalty, when finally determined under this section, or the 
        amount agreed upon in compromise under paragraph (1), may be 
        deducted from any sum then or later owing by the United States 
        or a State to the person against whom the penalty has been 
        assessed.
    (e) Determination Final.--A determination by the Secretary to 
impose a penalty under section 321 shall be final upon the expiration 
of the 60-day period referred to in subsection (c)(1). Matters that 
were raised or that could have been raised in a hearing before the 
Secretary or in an appeal pursuant to subsection (c) may not be raised 
as a defense to a civil action by the United States to collect a 
penalty under section 311.
    (f) Subpoena Authority.--
            (1) In general.--For the purpose of any hearing, 
        investigation, or other proceeding authorized or directed under 
        this section, or relative to any other matter within the 
        jurisdiction of the Attorney General hereunder, the Attorney 
        General, acting through the Secretary shall have the power to 
        issue subpoenas requiring the attendance and testimony of 
        witnesses and the production of any evidence that relates to 
        any matter under investigation or in question before the 
        Secretary. Such attendance of witnesses and production of 
        evidence at the designated place of such hearing, 
        investigation, or other proceeding may be required from any 
        place in the United States or in any Territory or possession 
        thereof.
            (2) Service.--Subpoenas of the Secretary under paragraph 
        (1) shall be served by anyone authorized by the Secretary by 
        delivering a copy thereof to the individual named therein.
            (3) Proof of service.--A verified return by the individual 
        serving the subpoena under this subsection setting forth the 
        manner of service shall be proof of service.
            (4) Fees.--Witnesses subpoenaed under this subsection shall 
        be paid the same fees and mileage as are paid witnesses in the 
        district court of the United States.
            (5) Refusal to obey.--In case of contumacy by, or refusal 
        to obey a subpoena duly served upon, any person, any district court of 
        the United States for the judicial district in which such 
        person charged with contumacy or refusal to obey is found or 
        resides or transacts business, upon application by the 
        Secretary, shall have jurisdiction to issue an order requiring 
        such person to appear and give testimony, or to appear and 
        produce evidence, or both. Any failure to obey such order of 
        the court may be punished by the court as contempt thereof.
    (g) Injunctive Relief.--Whenever the Secretary has reason to 
believe that any person has engaged, is engaging, or is about to engage 
in any activity which makes the person subject to a civil monetary 
penalty under section 311, the Secretary may bring an action in an 
appropriate district court of the United States (or, if applicable, a 
United States court of any territory) to enjoin such activity, or to 
enjoin the person from concealing, removing, encumbering, or disposing 
of assets which may be required in order to pay a civil monetary 
penalty if any such penalty were to be imposed or to seek other 
appropriate relief.
    (h) Agency.--A principal is liable for penalties under section 311 
for the actions of the principal's agent acting within the scope of the 
agency.

SEC. 313. REPORT ON USE OF EXISTING ENFORCEMENT MECHANISMS.

    In addition to the criminal and civil penalties that may be applied 
under this title, the Secretary shall prepare and submit to Congress a 
report regarding the use of existing Federal, State and other 
licensure, certification and regulatory mechanisms, including State 
insurance regulations, for the imposition of sanctions or penalties for 
the wrongful disclosure of protected health information.

SEC. 314. CIVIL ACTION BY INDIVIDUALS.

    (a) In General.--Any individual whose rights under this Act have 
been knowingly or negligently violated may bring a civil action to 
recover--
            (1) such preliminary and equitable relief as the court 
        determines to be appropriate; and
            (2) the greater of compensatory damages or liquidated 
        damages of $5,000.
    (b) Punitive Damages.--In any action brought under this section in 
which the individual has prevailed because of a knowing violation of a 
provision of this Act, the court may, in addition to any relief awarded 
under subsection (a), award such punitive damages as may be 
appropriate.
    (c) Attorney's Fees.--In the case of a civil action brought under 
subsection (a) in which the individual has substantially prevailed, the 
court may assess against the respondent a reasonable attorney's fee and 
other litigation costs and expenses (including expert fees) reasonably 
incurred.
    (d) Limitation.--No action may be commenced under this section more 
than 3 years after the date on which the violation was or should 
reasonably have been discovered.

                        TITLE IV--MISCELLANEOUS

SEC. 401. RELATIONSHIP TO OTHER LAWS.

    (a) State and Federal Law.--
            (1) State law enacted prior to effective date.--Nothing in 
        this Act shall be construed to supersede any provision of State 
        law that establishes, implements, or continues in effect any 
        standard or requirement relating to the privacy of protected 
        health information if such provision is enacted prior to the 
        effective date of this Act. Such laws shall not be superseded 
        after such effective date to the extent that such laws are at 
        least as protective of the privacy of protected health 
        information as the protections provided under this Act.
            (2) State law enacted after effective date.--Except as 
        provided in subsections (b) and (c), the provisions of this Act 
        shall preempt any State law relating to the privacy of 
        protected health information if such law is enacted after the 
        effective date of this Act.
            (3) Federal law.--Nothing in this Act shall be construed as 
        repealing, explicitly or implicitly, other Federal laws or 
        regulations relating to protected health information or 
        relating to an individual's access to protected health 
        information or health care services.
    (b) Privileges.--Nothing in this title shall be construed to 
preempt or modify any provisions of State statutory or common law to 
the extent that such law concerns a privilege of a witness or person in 
a court of that State. This title shall not be construed to supersede 
or modify any provision of Federal statutory or common law to the 
extent such law concerns a privilege of a witness or person in a court 
of the United States. Authorizations pursuant to sections 202 and 203 
shall not be construed as a waiver of any such privilege.
    (c) Certain Duties Under Law.--Nothing in this title shall be 
construed to preempt, supersede, or modify the operation of any State 
law that--
            (1) provides for the reporting of vital statistics such as 
        birth or death information;
            (2) requires the reporting of abuse or neglect information 
        about any individual;
            (3) relates to public or mental health and that prevents or 
        otherwise restricts disclosure of information otherwise 
        permissible under this Act;
            (4) governs a minor's right to access protected health 
        information or health care services; or
            (5) authorizes the collecting, analysis, or dissemination 
        of information from an entity described in section 201(a) for 
        the purpose of developing use, cost effectiveness, performance, 
        or quality data.
    (d) Federal Privacy Act.--
            (1) Medical exemptions.--Section 552a of title 5, United 
        States Code, is amended by adding at the end thereof the 
        following: ``The head of an agency that is an entity described 
        in section 311(a) of the Health Care PIN Act shall promulgate 
        rules, in accordance with the requirements (including general 
        notice) of subsections (b)(1), (b)(2), (b)(3), (c), and (e) of 
        section 553 of this title, to exempt a system of records within 
        an agency, to the extent that the system of records contains 
        protected health information (as defined in section 4(20) of 
        such Act), from all provisions of this section except 
        subsections (b)(6), (d), (e)(1), (e)(2), subparagraphs (A) and 
        (C) and (E) through (I) of subsection (e)(4), and subsections 
        (e)(5), (e)(6), (e)(9), (e)(12), (l), (n), (o), (p), (r), and 
        (u).''.
            (2) Technical amendment.--Section 552a(f)(3) of title 5, 
        United States Code, is amended by striking ``pertaining to 
        him,'' and all that follows through the semicolon and inserting 
        ``pertaining to the individual.''
    (e) Application to Certain Federal Agencies.--
            (1) Department of defense.--
                    (A) Exceptions.--The Secretary of Defense may, by 
                regulation, establish exceptions to the disclosure 
                requirements of this Act to the extent such Secretary 
                determines that disclosure of protected health 
                information relating to members of the armed forces 
                from systems of records operated by the Department of 
                Defense is necessary under circumstances different from 
                those permitted under this Act for the proper conduct 
                of national defense functions by members of the armed 
                forces.
                    (B) Application to civilian employees.--The 
                Secretary of Defense may, by regulation, establish for 
                civilian employees of the Department of Defense and 
                employees of Department of Defense contractors, 
                limitations on the right of such persons to revoke or 
                amend authorizations for disclosures under section 203 
                when such authorizations were provided by such 
                employees as a condition of employment and the 
                disclosure is determined necessary by the Secretary of 
                Defense to the proper conduct of national defense 
                functions by such employees.
            (2) Department of transportation.--
                    (A) Exceptions.--The Secretary of Transportation 
                may, with respect to members of the Coast Guard, 
                exercise the same powers as the Secretary of Defense 
                may exercise under paragraph (1)(A).
                    (B) Application to civilian employees.--The 
                Secretary of Transportation may, with respect to 
                civilian employees of the Coast Guard and Coast Guard 
                contractors, exercise the same powers as the Secretary 
                of Defense may exercise under paragraph (1)(B).
            (3) Department of veterans affairs.--The limitations on use 
        and disclosure of protected health information under this Act 
        shall not be construed to prevent any exchange of such 
        information within and among components of the Department of 
        Veterans Affairs that determine eligibility for or entitlement 
        to, or that provide, benefits under laws administered by the 
        Secretary of Veterans Affairs.

SEC. 402. EFFECTIVE DATE.

    (a) Effective Date.--Except as provided in subsection (b), this Act 
shall take effect on the date that is 18 months after the date of 
enactment of this Act.
    (b) Regulations.--The Secretary shall promulgate regulations 
implementing this Act not later than 12 months after the date of 
enactment of this Act.