[Congressional Bills 106th Congress]
[From the U.S. Government Publishing Office]
[S. 881 Introduced in Senate (IS)]

106th CONGRESS
  1st Session
                                 S. 881

 To ensure confidentiality with respect to medical records and health 
           care-related information, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             April 27, 1999

 Mr. Bennett (for himself, Mr. Mack, Mr. Murkowski, and Mr. Santorum) 
introduced the following bill; which was read twice and referred to the 
          Committee on Health, Education, Labor, and Pensions

_______________________________________________________________________

                                 A BILL

 To ensure confidentiality with respect to medical records and health 
           care-related information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Medical 
Information Protection Act of 1999''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Purposes.
Sec. 4. Definitions.
                      TITLE I--INDIVIDUAL'S RIGHTS

 Subtitle A--Review of Protected Health Information by Subjects of the 
                              Information

Sec. 101. Inspection and copying of protected health information.
Sec. 102. Amendment of protected health information.
Sec. 103. Notice of confidentiality practices.
                Subtitle B--Establishment of Safeguards

Sec. 111. Establishment of safeguards.
Sec. 112. Accounting for disclosures.
              TITLE II--RESTRICTIONS ON USE AND DISCLOSURE

Sec. 201. General rules regarding use and disclosure.
Sec. 202. Procurement of authorizations for use and disclosure of 
                            protected health information for treatment, 
                            payment, and health care operations.
Sec. 203. Authorizations for use or disclosure of protected health 
                            information other than for treatment, 
                            payment, and health care operations.
Sec. 204. Next of kin and directory information.
Sec. 205. Emergency circumstances.
Sec. 206. Oversight.
Sec. 207. Public health.
Sec. 208. Health research.
Sec. 209. Disclosure in civil, judicial, and administrative procedures.
Sec. 210. Disclosure for law enforcement purposes.
Sec. 211. Payment card and electronic payment transaction. 
Sec. 212. Individual representatives.
Sec. 213. No liability for permissible disclosures.
Sec. 214. Sale of business, mergers, etc.
                          TITLE III--SANCTIONS

                    Subtitle A--Criminal Provisions

Sec. 301. Wrongful disclosure of protected health information.
                      Subtitle B--Civil Sanctions

Sec. 311. Civil penalty violation.
Sec. 312. Procedures for imposition of penalties.
Sec. 313. Enforcement by State insurance commissioners.
                        TITLE IV--MISCELLANEOUS

Sec. 401. Relationship to other laws.
Sec. 402. Conforming amendment.
Sec. 403. Study by Institute of Medicine.
Sec. 405. Effective date.

SEC. 2. FINDINGS.

    The Congress finds that--
            (1) individuals have a right of confidentiality with 
        respect to their personal health information and records;
            (2) with respect to information about medical care and 
        health status, the traditional right of confidentiality is at 
        risk;
            (3) an erosion of the right of confidentiality may reduce 
        the willingness of patients to confide in physicians and other 
        practitioners, thus jeopardizing quality health care;
            (4) an individual's confidentiality right means that an 
        individual's consent is needed to disclose his or her protected 
        health information, except in limited circumstances required by 
        the public interest;
            (5) any disclosure of protected health information should 
        be limited to that information or portion of the medical record 
        necessary to fulfill the purpose of the disclosure;
            (6) the availability of timely and accurate personal health 
        data for the delivery of health care services throughout the 
        Nation is needed;
            (7) personal health care data is essential for medical 
        research;
            (8) public health uses of personal health data are critical 
        to both personal health as well as public health; and
            (9) confidentiality of an individual's health information 
        must be assured without jeopardizing the pursuit of clinical 
        and epidemiological research undertaken to improve health care 
        and health outcomes and to assure the quality and efficiency of 
        health care.

SEC. 3. PURPOSES.

    The purpose of this Act is to--
            (1) establish strong and effective mechanisms to protect 
        against the unauthorized and inappropriate disclosure of 
        protected health information that is created or maintained as 
        part of health care treatment, diagnosis, enrollment, payment, 
        plan administration, testing, or research processes;
            (2) promote the efficiency and security of the health 
        information infrastructure so that members of the health care 
        community may more effectively exchange and transfer health 
        information in a manner that will ensure the confidentiality of 
        protected health information without impeding the delivery of 
        high quality health care; and
            (3) establish strong and effective remedies for violations 
        of this Act.

SEC. 4. DEFINITIONS.

    As used in this Act:
            (1) Accrediting body.--The term ``accrediting body'' means 
        a national body, committee, organization, or institution (such 
        as the Joint Commission on Accreditation of Health Care 
        Organizations or the National Committee for Quality Assurance) 
        that has been authorized by law or is recognized by a health 
        care regulating authority as an accrediting entity or any other 
        entity that has been similarly authorized or recognized by law 
        to perform specific accreditation, licensing or credentialing 
        activities.
            (2) Agent.--The term ``agent'' means a person, including a 
        contractor, who represents and acts for another under the 
        contract or relation of agency, or whose function is to bring 
        about, modify, effect, accept performance of, or terminate 
        contractual obligations between the principal and a third 
        person.
            (3) Common rule.--The term ``common rule'' means the 
        Federal policy for protection of human subjects from research 
        risks originally published as 56 Federal Register 28.025 (1991) 
        as adopted and implemented by a Federal department or agency.
            (4) Disclose and disclosure.--
                    (A) Disclose.--The term ``disclose'' means to 
                release, transfer, provide access to, or otherwise 
                divulge protected health information to any person 
                other than the individual who is the subject of such 
                information.
                    (B) Disclosure.--
                            (i) In general.--The term ``disclosure'' 
                        refers to a release, transfer, provision for 
                        access to, or communication of information as 
                        described in subparagraph (A).
                            (ii) Use.--The use of protected health 
                        information by an authorized person and its 
                        agents shall not be considered a disclosure for 
                        purposes of this Act if the use is consistent 
                        with the purposes for which the information was 
                        lawfully obtained. Using or providing access to 
                        health information in the form of 
                        nonidentifiable health information shall not be 
                        construed as a disclosure of protected health 
                        information.
            (5) Employer.--The term ``employer'' has the meaning given 
        such term under section 3(5) of the Employee Retirement Income 
        Security Act of 1974 (29 U.S.C. 1002(5)), except that such term 
        shall include only employers of two or more employees.
            (6) Health care.--The term ``health care'' means--
                    (A) preventive, diagnostic, therapeutic, 
                rehabilitative, maintenance, or palliative care, 
                including appropriate assistance with disease or 
                symptom management and maintenance, counseling, 
                assessment, service, or procedure--
                            (i) with respect to the physical or mental 
                        condition of an individual; or
                            (ii) affecting the structure or function of 
                        the human body or any part of the human body, 
                        including the banking of blood, sperm, organs, 
                        or any other tissue; or
                    (B) pursuant to a prescription or medical order any 
                sale or dispensing of a drug, device, equipment, or 
                other health care related item to an individual, or for 
                the use of an individual.
            (7) Health care operations.--The term ``health care 
        operations'' means services provided by or on behalf of a 
        health plan or health care provider for the purpose of carrying 
        out the management functions of a health care provider or 
        health plan, or implementing the terms of a contract for health 
        plan benefits, including--
                    (A) coordinating health care, including health care 
                management of the individual through risk assessment 
                and case management;
                    (B) conducting quality assessment and improvement 
                activities, including outcomes evaluation, clinical 
                guideline development, and improvement;
                    (C) reviewing the competence or qualifications of 
                health care professionals, evaluating provider 
                performance, and conducting health care education, 
                accreditation, certification, licensing, or 
                credentialing activities;
                    (D) carrying out utilization review activities, 
                including precertification and preauthorization of 
                services, and health plan rating and insurance 
                activities, including underwriting, experience rating 
                and reinsurance; and
                    (E) conducting or arranging for auditing services, 
                including fraud detection and compliance programs.
            (8) Health care provider.--The term ``health care 
        provider'' means a person, who with respect to a specific item 
        of protected health information, receives, creates, uses, 
        maintains, or discloses the information while acting in whole 
        or in part in the capacity of--
                    (A) a person who is licensed, certified, 
                registered, or otherwise authorized by Federal or State 
                law to provide an item or service that constitutes 
                health care in the ordinary course of business, or 
                practice of a profession;
                    (B) a Federal, State, employer sponsored or other 
                privately sponsored program that directly provides 
                items or services that constitute health care to 
                beneficiaries; or
                    (C) an officer or employee of a person described in 
                subparagraph (A) or (B).
            (9) Health oversight agency.--The term ``health oversight 
        agency'' means a person who, with respect to a specific item of 
        protected health information, receives, creates, uses, 
        maintains, or discloses the information while acting in whole 
        or in part in the capacity of--
                    (A) a person who performs or oversees the 
                performance of an assessment, evaluation, 
                determination, or investigation, relating to the 
                licensing, accreditation, certification, or 
                credentialing of health care providers; or
                    (B) a person who--
                            (i) performs or oversees the performance of 
                        an audit, assessment, evaluation, 
                        determination, or investigation relating to the 
                        effectiveness of, compliance with, or 
                        applicability of, legal, fiscal, medical, or 
                        scientific standards or aspects of performance 
                        related to the delivery of health care; and
                            (ii) is a public agency, acting on behalf 
                        of a public agency, acting pursuant to a 
                        requirement of a public agency, or carrying out 
                        activities under a Federal or State law 
                        governing the assessment, evaluation, 
                        determination, investigation, or prosecution 
                        described in subparagraph (A).
            (10) Health plan.--The term ``health plan'' means any 
        health insurance issuer, health insurance plan, including any 
        hospital or medical service plan, dental or other health 
        service plan or health maintenance organization plan, provider 
        sponsored organization, or other program providing or arranging 
        for the provision of health benefits. Such term does not 
        include any policy, plan or program to the extent that it 
        provides, arranges or administers health benefits pursuant to a 
        program of workers compensation or automobile insurance.
            (11) Health research and health researcher.--
                    (A) Health research.--The term ``health research'' 
                means a systematic investigation of health (including 
                basic biological processes and structures), health 
                care, or its delivery and financing, including research 
                development, testing and evaluation, designed to 
                develop or contribute to generalizable knowledge 
                concerning human health, health care, or health care 
                delivery.
                    (B) Health researcher.--The term ``health 
                researcher'' means a person involved in health 
                research, or an officer, employee, or agent of such 
                person.
            (12) Key.--The term ``key'' means a method or procedure 
        used to transform nonidentifiable health information that is in 
        a coded or encrypted form into protected health information.
            (13) Law enforcement inquiry.--The term ``law enforcement 
        inquiry'' means a lawful investigation or official proceeding 
        inquiring into a violation of, or failure to comply with, any 
        criminal or civil statute or any regulation, rule, or order 
        issued pursuant to such a statute.
            (14) Life insurer.--The term ``life insurer'' means life 
        insurance company as defined in section 816 of the Internal 
        Revenue Code of 1986.
            (15) Nonidentifiable health information.--The term 
        ``nonidentifiable health information'' means protected health 
        information from which personal identifiers that directly 
        reveal the identity of the individual who is the subject of 
        such information or provide a direct means of identifying the 
        individual (such as name, address, and social security number) 
        have been removed, encrypted, or replaced with a code, such 
        that the identity of the individual is not evident without (in 
        the case of encrypted or coded information) use of a key.
            (16) Originating provider.--The term ``originating 
        provider'' means a health care provider who initiates a 
        treatment episode, such as prescribing a drug, ordering a 
        diagnostic test, or admitting an individual to a health care 
        facility. A hospital or nursing facility is the originating 
        provider with respect to protected health information created 
        or received as part of inpatient or outpatient treatment 
        provided in such settings.
            (17) Payment.--The term ``payment'' means--
                    (A) the activities undertaken by--
                            (i) or on behalf of a health plan to 
                        determine its responsibility for coverage under 
                        the plan; or
                            (ii) a health care provider to obtain 
                        payment for items or services provided to an 
                        individual, provided under a health plan, or 
                        provided based on a determination by the health 
                        plan of responsibility for coverage under the 
                        plan; and
                    (B) activities undertaken as described in 
                subparagraph (A) including--
                            (i) billing, claims management, medical 
                        data processing, other administrative services, 
                        and actual payment;
                            (ii) determinations of coverage or 
                        adjudication of health benefit or subrogation 
                        claims; and
                            (iii) review of health care services with 
                        respect to coverage under a health plan or 
                        justification of charges.
            (18) Person.--The term ``person'' means a government, 
        governmental subdivision, agency or authority; corporation; 
        company; association; firm; partnership; society; estate; 
        trust; joint venture; individual; individual representative; 
        tribal government; and any other legal entity.
            (19) Protected health information.--The term ``protected 
        health information'' with respect to the individual who is the 
        subject of such information means any information which 
        identifies such individual, whether oral or recorded in any 
        form or medium, that--
                    (A) is created or received by a health care 
                provider, health plan, health oversight agency, public 
                health authority, employer, life insurer, school or 
                university;
                    (B) relates to the past, present, or future 
                physical or mental health or condition of an individual 
                (including individual cells and their components);
                    (C) is derived from--
                            (i) the provision of health care to the 
                        individual; or
                            (ii) payment for the provision of health 
                        care to the individual; and
                    (D) is not nonidentifiable health information.
            (20) Public health authority.--The term ``public health 
        authority'' means an authority or instrumentality of the United 
        States, a tribal government, a State, or a political 
        subdivision of a State that is--
                    (A) primarily responsible for health or welfare 
                matters; and
                    (B) primarily engaged in activities such as 
                incidence reporting, public health surveillance, and 
                investigation or intervention.
            (21) School or university.--The term ``school or 
        university'' means an institution or place accredited or 
        licensed for purposes of providing for instruction or 
        education, including an elementary school, secondary school, or 
        institution of higher learning, a college, or an assemblage of 
        colleges united under one corporate organization or government.
            (22) Secretary.--The term ``Secretary'' means the Secretary 
        of Health and Human Services.
            (23) Signed.--The term ``signed'' refers to documentation 
        of assent in any medium, whether ink, digital or biometric 
        signatures, or recorded oral authorizations.
            (24) State.--The term ``State'' includes the District of 
        Columbia, Puerto Rico, the Virgin Islands, Guam, American 
        Samoa, and the Northern Mariana Islands.
            (25) Treatment.--The term ``treatment'' means the provision 
        of health care by a health care provider.
            (26) Writing and written.--
                    (A) Writing.--The term ``writing'' means any form 
                of documentation, whether paper, electronic, digital, 
                biometric or tape recorded.
                    (B) Written.--The term ``written'' includes paper, 
                electronic, digital, biometric and tape-recorded 
                formats.

                      TITLE I--INDIVIDUAL'S RIGHTS

 Subtitle A--Review of Protected Health Information by Subjects of the 
                              Information

SEC. 101. INSPECTION AND COPYING OF PROTECTED HEALTH INFORMATION.

    (a) General Rules.--
            (1) Compliance with section.--At the request of an 
        individual who is the subject of protected health information 
        and except as provided in subsection (c), a health care 
        provider, a health plan, employer, life insurer, school, or 
        university shall arrange for inspection or copying of protected 
        health information concerning the individual, including records 
        created under section 102, as provided for in this section.
            (2) Availability of information through originating 
        provider.--Protected health information that is created or 
        received by a health plan or health care provider as part of 
        treatment or payment shall be made available for inspection or 
        copying as provided for in this title through the originating 
        provider.
            (3) Other entities.--An employer, life insurer, school, or 
        university that creates or receives protected health 
        information in performing any function other than providing 
        treatment, payment, or health care operations with respect to 
        the individual who is the subject of such information, shall 
        make such information available for inspection or copying as 
        provided for in this title, or through any provider designated 
        by the individual.
            (4) Procedures.--The person providing access to information 
        under this title may set forth appropriate procedures to be 
        followed for such inspection or copying and may require an 
        individual to pay reasonable costs associated with such 
        inspection or copying.
    (b) Special Circumstances.--If an originating provider, its agent, 
or contractor no longer maintains the protected health information 
sought by an individual pursuant to subsection (a), a health plan or 
another health care provider that maintains such information shall 
arrange for inspection or copying.
    (c) Exceptions.--Unless ordered by a court of competent 
jurisdiction, a person acting pursuant to subsection (a) or (b) is not 
required to permit the inspection or copying of protected health 
information if any of the following conditions are met:
            (1) Endangerment to life or safety.--The person determines 
        that the disclosure of the information could reasonably be 
        expected to endanger the life or physical safety of any 
        individual.
            (2) Confidential source.--The information identifies, or 
        could reasonably lead to the identification of, a person who 
        provided information under a promise of confidentiality to a 
        health care provider concerning the individual who is the 
        subject of the information.
            (3) Information compiled in anticipation of or in 
        connection with a fraud investigation or litigation.--The 
        information is compiled principally--
                    (A) in anticipation of or in connection with a 
                fraud investigation, an investigation of material 
                misrepresentation in connection with an insurance 
                policy, a civil, criminal, or administrative action or 
                proceeding; or
                    (B) for use in such action or proceeding.
            (4) Investigational information.--The protected health 
        information was created, received or maintained by a health 
        researcher as provided in section 208.
    (d) Denial of a Request for Inspection or Copying.--If a person 
described in subsection (a) or (b) denies a request for inspection or 
copying pursuant to subsection (c), the person shall inform the 
individual in writing of--
            (1) the reasons for the denial of the request for 
        inspection or copying;
            (2) the availability of procedures for further review of 
        the denial; and
            (3) the individual's right to file with the person a 
        concise statement setting forth the request for inspection or 
        copying.
    (e) Statement Regarding Request.--If an individual has filed a 
statement under subsection (d)(3), the person in any subsequent 
disclosure of the portion of the information requested under subsection 
(a) or (b)--
            (1) shall include a notation concerning the individual's 
        statement; and
            (2) may include a concise statement of the reasons for 
        denying the request for inspection or copying.
    (f) Inspection and Copying of Segregable Portion.--A person 
described in subsection (a) or (b) shall permit the inspection and 
copying of any reasonably segregable portion of a record after deletion 
of any portion that is exempt under subsection (c).
    (g) Deadline.--A person described in subsection (a) or (b) shall 
comply with or deny, in accordance with subsection (d), a request for 
inspection or copying of protected health information under this 
section not later than 60 days after the date on which the person 
receives the request.
    (h) Rules of Construction.--
            (1) Agents.--An agent of a person described in subsection 
        (a) or (b) shall not be required to provide for the inspection 
        and copying of protected health information, except where--
                    (A) the protected health information is retained by 
                the agent; and
                    (B) the agent has been asked in writing by the 
                person involved to fulfill the requirements of this 
                section.
            (2) No requirement for hearing.--This section shall not be 
        construed to require a person described in subsection (a) or 
        (b) to conduct a formal, informal, or other hearing or 
        proceeding concerning a request for inspection or copying of 
        protected health information.

SEC. 102. AMENDMENT OF PROTECTED HEALTH INFORMATION.

    (a) Right To Amend.--
            (1) In general.--Protected health information shall be 
        subject to amendment as provided for in this section.
            (2) Compliance with request.--Except as provided in 
        subsection (c), not later than 45 days after the date on which 
        an originating provider, employer, life insurer, school, or 
        university receives from an individual a request in writing to 
        amend protected health information, such person shall--
                    (A) make the amendment requested;
                    (B) inform the individual of the amendment that has 
                been made; and
                    (C) inform any person identified by the individual 
                in the request for amendment and--
                            (i) who is not an officer, employee, or 
                        agent of the person; and
                            (ii) to whom the unamended portion of the 
                        information was disclosed within the previous 
                        year by sending a notice to the individual's 
                        last known address that there has been a 
                        substantive amendment to the protected health 
                        information of such individual.
    (b) Request of Originating Providers.--
            (1) In general.--Protected health information that is 
        created or received by a health plan or health care provider as 
        part of treatment or payment shall be subject to amendment as 
        provided for in this section upon a written request made to the 
        originating provider.
            (2) Special circumstances.--If an originating provider, its 
        agent, or contractor no longer maintains the protected health 
        information sought to be amended by an individual pursuant to 
        paragraph (1), a health plan or another health care provider 
        that maintains such information may arrange for amendment 
        consistent with this section.
    (c) Refusal To Amend.--If a person described in subsection (a)(2) 
refuses to make the amendment requested under such subsection, the 
person shall inform the individual in writing of--
            (1) the reasons for the refusal to make the amendment;
            (2) the availability of procedures for further review of 
        the refusal; and
            (3) the procedures by which the individual may file with 
        the person a concise statement setting forth the requested 
        amendment and the individual's reasons for disagreeing with the 
        refusal.
    (d) Statement of Disagreement.--If an individual has filed a 
statement of disagreement under subsection (c)(3), the person involved, 
in any subsequent disclosure of the disputed portion of the 
information--
            (1) shall include a notation concerning the individual's 
        statement; and
            (2) may include a concise statement of the reasons for not 
        making the requested amendment.
    (e) Rules Governing Agents.--The agent of a person described in 
subsection (a)(2) shall not be required to make amendments to protected 
health information, except where--
            (1) the protected health information is retained by the 
        agent; and
            (2) the agent has been asked in writing by such person to 
        fulfill the requirements of this section.
    (f) Repeated Requests for Amendments.--If a person described in 
subsection (a)(2) receives a request for an amendment of information as 
provided for in such subsection and a statement of disagreement has 
been filed pursuant to subsection (d), the person shall inform the 
individual of such filing and shall not be required to carry out the 
procedures required under this section.
    (g) Rules of Construction.--This section shall not be construed 
to--
            (1) require that a person described in subsection (a)(2) 
        conduct a formal, informal, or other hearing or proceeding 
        concerning a request for an amendment to protected health 
        information;
            (2) require a provider to amend an individual's protected 
        health information as to the type, duration, or quality of 
        treatment the individual believes he or she should have been 
        provided; or
            (3) permit any deletions or alterations of the original 
        information.

SEC. 103. NOTICE OF CONFIDENTIALITY PRACTICES.

    (a) Preparation of Written Notice.--A health care provider, health 
plan, health oversight agency, public health authority, employer, life 
insurer, health researcher, school, or university shall post or 
provide, in writing and in a clear and conspicuous manner, notice of 
the person's confidentiality practices, that shall include--
            (1) a description of an individual's rights with respect to 
        protected health information;
            (2) the uses and disclosures of protected health 
        information authorized under this Act;
            (3) the procedures for authorizing disclosures of protected 
        health information and for revoking such authorizations;
            (4) the procedures established by the person for the 
        exercise of the individual's rights; and
            (5) the right to obtain a copy of the notice of the 
        confidentiality practices required under this Act.
    (b) Model Notice.--The Secretary, after notice and opportunity for 
public comment, shall develop and disseminate model notices of 
confidentiality practices, using the advice of the National Committee 
on Vital and Health Statistics, for use under this section. Use of the 
model notice shall serve as an absolute defense against claims of 
receiving inappropriate notice.

                Subtitle B--Establishment of Safeguards

SEC. 111. ESTABLISHMENT OF SAFEGUARDS.

    (a) In General.--A health care provider, health plan, health 
oversight agency, public health authority, employer, life insurer, 
health researcher, law enforcement official, school, or university 
shall establish and maintain appropriate administrative, technical, and 
physical safeguards to protect the confidentiality, security, accuracy, 
and integrity of protected health information created, received, 
obtained, maintained, used, transmitted, or disposed of by such person.
    (b) Fundamental Safeguards.--The safeguards established pursuant to 
subsection (a) shall address the following factors:
            (1) The purpose for which protected health information is 
        needed and whether that purpose can be accomplished with 
        nonidentifiable health information.
            (2) Appropriate procedures for maintaining the security of 
        protected health information and assuring the appropriate use 
        of any key used in creating nonidentifiable health information.
            (3) The categories of personnel who will have access to 
        protected health information and appropriate training, 
        supervision and sanctioning of such personnel with respect to 
        their use of protected health information and adherence to 
        established safeguards.
            (4) Appropriate limitations on access to individual 
        identifiers.
            (5) Appropriate mechanisms for limiting disclosures of 
        protected information to the information necessary to respond 
        to the request for disclosure.
            (6) Procedures for handling requests for protected health 
        information by persons other than the individual who is the 
        subject of such information, including relatives and affiliates 
        of such individual, law enforcement officials, parties in civil 
        litigation, health care providers, and health plans.

SEC. 112. ACCOUNTING FOR DISCLOSURES.

    (a) In General.--A health care provider, health plan, health 
oversight agency, public health authority, employer, life insurer, 
health researcher, law enforcement official, school, or university 
shall establish and maintain a process for documenting the disclosure 
of protected health information by any such person through the 
recording of the name and address of the recipient of the information, 
or through the recording of another means of contacting the recipient, 
and the purpose of the disclosure.
    (b) Record of Disclosure.--A record (or other means of 
documentation) established under subsection (a) shall be maintained for 
not less than 7 years.
    (c) Identification of Disclosed Information as Protected Health 
Information.--Except as otherwise provided in this title, protected 
health information shall be clearly identified as protected health 
information that is subject to this Act.

              TITLE II--RESTRICTIONS ON USE AND DISCLOSURE

SEC. 201. GENERAL RULES REGARDING USE AND DISCLOSURE.

    (a) Disclosure Prohibited.--A health care provider, health plan, 
health oversight agency, public health authority, employer, life 
insurer, health researcher, law enforcement official, school, or 
university, or any agents of such a person, may not disclose protected 
health information except as authorized under this Act or as authorized 
by the individual who is the subject of such information.
    (b) Applicability to Agents.--
            (1) In general.--A person described in subsection (a) may 
        use an agent, including a contractor, to carry out an otherwise 
        lawful activity using protected health information maintained 
        by such person if the person specifies the activities for which 
        the agent is authorized to use such protected health 
        information and prohibits the agent from using or disclosing 
        protected health information for purposes other than carrying 
        out the specified activities.
            (2) Limitation on liability.--Notwithstanding any other 
        provision of this Act, a person who has limited the activities 
        of an agent as provided for in paragraph (1) shall not be 
        liable for the actions or disclosures of the agent that are not 
        in fulfillment of those activities.
            (3) Limitations on agents.--An agent who receives protected 
        health information from a person described in subsection (a) 
        shall, in its own right, be subject to the applicable 
        provisions of this Act.
    (c) Applicability to Employers.--
            (1) In general.--An employer may use an employee or agent 
        to create, receive, or maintain protected health information in 
        order to carry out an otherwise lawful activity so long as--
                    (A) the disclosure of the protected employee health 
                information within the entity is compatible with the 
                purpose for which the information was obtained and 
                limited to information necessary to accomplish the 
                purpose of the disclosure; and
                    (B) the employer prohibits the release, transfer or 
                communication of the protected health information to 
                officers, employees, or agents responsible for hiring, 
                promotion, and making work assignment decisions with 
                respect to the subject of the information.
            (2) Determination.--For purposes of paragraph (1)(A), the 
        determination of what constitutes information necessary to 
        accomplish the purpose for which the information is obtained 
        shall be made by a health care provider, except in situations 
        involving payment for health plan operations undertaken by the 
        employer.
    (d) Creation of Nonidentifiable Health Information.--A person 
described in subsection (a) may use protected health information for 
the purpose of creating nonidentifiable health information.
    (e) Individual Authorization.--To be valid, an authorization to 
disclose protected health information under this title shall--
            (1) identify the individual who is the subject of the 
        protected health information;
            (2) describe the nature of the information to be disclosed;
            (3) identify the type of person to whom the information is 
        to be disclosed;
            (4) describe the purpose of the disclosure;
            (5) be subject to revocation by the individual and indicate 
        that the authorization is valid until revocation by the 
        individual; and
            (6) be in writing, dated, and signed by the individual, a 
        family member or other authorized representative.
    (f) Manipulation of Nonidentifiable Health Information.--Any person 
who manipulates nonidentifiable health information in order to identify 
an individual, or uses a key to identify an individual without 
authorization, is deemed to have disclosed protected health 
information.

SEC. 202. PROCUREMENT OF AUTHORIZATIONS FOR USE AND DISCLOSURE OF 
              PROTECTED HEALTH INFORMATION FOR TREATMENT, PAYMENT, AND 
              HEALTH CARE OPERATIONS.

    (a) Authorizations.--
            (1) In general.--With respect to each individual, a single 
        authorization that substantially complies with section 201(e) 
        must be secured to permit the use and disclosure of protected 
        health information concerning such individual for treatment, 
        payment, and health care operations, as provided for in this 
        subsection.
            (2) Employers.--Every employer offering a health plan to 
        its employees shall, at the time of, and as a condition of 
        enrollment in the health plan, obtain a signed, written 
        authorization that is a legal, informed authorization 
        concerning the use and disclosure of protected health 
        information for treatment, payment, and health care operations 
        with respect to each individual who is eligible to receive care 
        under the health plan.
            (3) Health plans.--Every health plan offering enrollment to 
        individuals or non-employer groups shall, at the time of, and 
        as a condition of enrollment in the health plan, obtain a 
        signed, written authorization that is a legal, informed 
        authorization concerning the use and disclosure of protected 
        health information for treatment, payment, and health care 
        operations, with respect to each individual who is eligible to 
        receive care under the plan.
            (4) Uninsured.--An originating provider providing health 
        care to an uninsured individual shall obtain a signed, written 
        authorization to use and disclose protected health information 
        with respect to such individual for treatment, payment, and 
        health care operations of such provider, and in arranging for 
        treatment and payment from other providers.
            (5) Providers.--Any health care provider providing health 
        care to an individual may, in connection with providing such 
        care, obtain a signed, written authorization that is a legal, 
        informed authorization concerning the use and disclosure of 
        protected health information with respect to such individual 
        for treatment, payment, and health care operations of such 
        provider.
    (b) Revocation of Authorization.--
            (1) In general.--An individual may revoke an authorization 
        under this section at any time, by sending written notice to 
        the person who obtained such authorization, unless the 
        disclosure that is the subject of the authorization is required 
        to complete a course of treatment, effectuate payment, or 
        conduct health care operations for health care that has been 
        provided to the individual.
            (2) Health plans.--With respect to a health plan, the 
        authorization of an individual is deemed to be revoked at the 
        time of the cancellation or non-renewal of enrollment in the 
        health plan, except as may be necessary to conduct health care 
        operations and complete payment requirements related to the 
        individual's period of enrollment.
            (3) Termination of plan.--With respect to the revocation of 
        an authorization under this section by an enrollee in a health 
        plan, the health plan may terminate the coverage of such 
        enrollee under such plan if the health plan determines that the 
        revocation has resulted in the inability of the plan to provide 
        care for the enrollee or conduct health care operations.
    (c) Record of Individual's Authorizations and Revocations.--Each 
person who obtains or is required to obtain an authorization under this 
section shall maintain a record for a period of 7 years of each such 
authorization of an individual and revocation thereof.
    (d) Model Authorizations.--The Secretary, after notice and 
opportunity for public comment, shall develop and disseminate model 
written authorizations of the type described in subsection (a). The 
Secretary shall consult with the National Committee on Vital and Health 
Statistics in developing such authorizations. An authorization obtained 
on a model authorization form developed by the Secretary pursuant to 
the preceding sentence shall be deemed to meet the authorization 
requirements of this section.
    (e) Rules of Construction.--
            (1) Single authorizations.--An employer or health plan 
        shall be deemed to meet the requirements of subsection (a) with 
        respect to a spouse, child, or other eligible dependent if, at 
        the time of enrollment, a single authorization under subsection 
        (a) is obtained from the employee or other individual who 
        accepts responsibility for health plan enrollment.
            (2) Requirement for separate authorization.--An 
        authorization for the disclosure of protected health 
        information for treatment, payment, and health care operations 
        shall not directly or indirectly authorize the disclosure of 
        such information for any other purpose. Any other such 
        disclosures shall require a separate authorization under 
        section 203.

SEC. 203. AUTHORIZATIONS FOR USE OR DISCLOSURE OF PROTECTED HEALTH 
              INFORMATION OTHER THAN FOR TREATMENT, PAYMENT, AND HEALTH 
              CARE OPERATIONS.

    (a) In General.--An individual who is the subject of protected 
health information may authorize any person to disclose or use such 
information for any purpose. An authorization under this section shall 
not be valid if the signing of such authorization by the individual is 
a prerequisite for the signing of an authorization under section 202.
    (b) Written Authorizations.--A person may disclose and use 
protected health information, for purposes other than those authorized 
under section 202, pursuant to a written authorization signed by the 
individual who is the subject of the information that meets the 
requirements of section 201(e). An authorization under this section 
shall be separate from any authorization provided under section 202.
    (c) Limitation on Authorizations.--
            (1) In general.--Notwithstanding any other provision of 
        Federal law, life insurers, and any other entity that offers 
        disability income or long term care insurance under the laws of 
        any State, shall meet the requirements of section 201(a) with 
        respect to an individual for purposes of life, disability 
        income or long term care insurance, by obtaining the 
        authorization of the individual under this section.
            (2) During period of coverage.--Notwithstanding paragraph 
        (1), an authorization obtained in the ordinary course of 
        business in connection with life, disability income or 
        long-term care insurance under this section shall remain in 
        effect during the term of the individual's insurance coverage 
        and as may be necessary to enable the issuer to meet its 
        obligations with respect to such individual under the terms of 
        the policy, plan or program.
            (3) Other authorizations.--An authorization obtained from 
        an individual in connection with an application that does not 
        result in coverage with respect to such individual shall expire 
        the earlier of the date specified in the individual's 
        authorization or the effective date of any revocation under 
        subsection (d).
    (d) Revocation or Amendment of Authorization.--
            (1) In general.--Except as otherwise provided for in this 
        section, an individual may revoke or amend an authorization 
        described in this section by providing written notice to the 
        person who obtained such authorization unless the disclosure 
        that is the subject of the authorization is related to the 
        evaluation of an application for life, disability income or 
        long-term care insurance coverage or a claim for life, 
        disability income or long-term care insurance benefits.
            (2) Notice of revocation.--A person that discloses 
        protected health information pursuant to an authorization that 
        has been revoked under paragraph (1) shall not be subject to 
        any liability or penalty under this title if that person had no 
        actual notice of the revocation.
    (e) Disclosure for Purpose Only.--A recipient of protected health 
information pursuant to an authorization under subsection (b) may 
disclose such information only to carry out the purposes for which the 
information was authorized to be disclosed.
    (f) Model Authorizations.--
            (1) In general.--The Secretary, after notice and 
        opportunity for public comment, shall develop and disseminate 
        model written authorizations of the type described in 
        subsection (b). The Secretary shall consult with the National 
        Committee on Vital and Health Statistics in developing such 
        authorizations.
            (2) Authority of insurance commissioner.--Notwithstanding 
        paragraph (1), the insurance commissioner of the State of 
        domicile of a life insurer may exercise exclusive authority in 
        developing and disseminating model written authorizations for 
        purposes of subsection (c).
            (3) Compliance with requirements.--An authorization 
        obtained using a model authorization promulgated under this 
        subsection shall be deemed to meet the authorization 
        requirements of this section.
    (g) Authorizations for Research.--This section applies to health 
research only where such research is not governed by section 208.

SEC. 204. NEXT OF KIN AND DIRECTORY INFORMATION.

    (a) Next of Kin.--A health care provider, or a person who receives 
protected health information under section 205, may disclose protected 
health information regarding an individual to the individual's spouse, 
parent, child, sister, brother, next of kin, or to another person whom 
the individual has identified, if--
            (1) the individual who is the subject of the information--
                    (A) has been notified of the individual's right to 
                object to such disclosure and the individual has not 
                objected to the disclosure; or
                    (B) is in a physical or mental condition such that 
                the individual is not capable of objecting, and there 
                are no prior indications that the individual would 
                object;
            (2) the information disclosed relates to health care 
        currently being provided to that individual; and
            (3) the disclosure of the protected health information is 
        consistent with good medical or professional practice.
    (b) Directory Information.--
            (1) Disclosure.--
                    (A) In general.--Except as provided in paragraph 
                (2), a person described in subsection (a) may disclose 
                the information described in subparagraph (B) to any 
                person if the individual who is the subject of the 
                information--
                            (i) has been notified of the individual's 
                        right to object and the individual has not 
                        objected to the disclosure; or
                            (ii) is in a physical or mental condition 
                        such that the individual is not capable of 
                        objecting, the individual's next of kin has not 
                        objected, and there are no prior indications 
                        that the individual would object.
                    (B) Information.--Information described in this 
                subparagraph is information that consists only of 1 or 
                more of the following items:
                            (i) The name of the individual who is the 
                        subject of the information.
                            (ii) The general health status of the 
                        individual, described as critical, poor, fair, 
                        stable, or satisfactory or in terms denoting 
                        similar conditions.
                            (iii) The location of the individual on 
                        premises controlled by a provider.
            (2) Exception.--
                    (A) Location.--Paragraph (1)(B)(iii) shall not 
                apply if disclosure of the location of the individual 
                would reveal specific information about the physical or 
                mental condition of the individual, unless the 
                individual expressly authorizes such disclosure.
                    (B) Directory or next of kin information.--A 
                disclosure may not be made under this section if the 
                health care provider involved has reason to believe 
                that the disclosure of directory or next of kin 
                information could lead to the physical or mental harm 
                of the individual, unless the individual expressly 
                authorizes such disclosure.

SEC. 205. EMERGENCY CIRCUMSTANCES.

    Any person who creates or receives protected health information 
under this title may disclose protected health information in emergency 
circumstances when necessary to protect the health or safety of the 
individual who is the subject of such information from serious, 
imminent harm. No disclosure made in the good faith belief that the 
disclosure was necessary to protect the health or safety of an 
individual from serious, imminent harm shall be in violation of, or 
punishable under, this Act.

SEC. 206. OVERSIGHT.

    (a) In General.--Any person may disclose protected health 
information to an accrediting body or public health authority, a health 
oversight agency, or a State insurance department, for purposes of an 
oversight function authorized by law.
    (b) Protection From Further Disclosure.--Protected health 
information that is disclosed under this section shall not be further 
disclosed by an accrediting body or public health authority, a health 
oversight agency, a State insurance department, or their agents for any 
purpose unrelated to the authorized oversight function. Notwithstanding 
any other provision of law, protected health information disclosed 
under this section shall be protected from further disclosure by an 
accrediting body or public health authority, a health oversight agency, 
a State insurance department, or their agents pursuant to a subpoena, 
discovery request, introduction as evidence, testimony, or otherwise.
    (c) Authorization by a Supervisor.--For purposes of this section, 
the individual with authority to authorize the oversight function 
involved shall provide to the person described in subsection (a) a 
statement that the protected health information is being sought for a 
legally authorized oversight function.
    (d) Use in Action Against Individuals.--Protected health 
information about an individual that is disclosed under this section 
may not be used by the recipient in, or disclosed by the recipient to 
any person for use in, an administrative, civil, or criminal action or 
investigation directed against the individual who is the subject of the 
protected health information unless the action or investigation arises 
out of and is directly related to--
            (1) the receipt of health care or payment for health care; 
        or
            (2) a fraudulent claim related to health care, or a 
        fraudulent or material misrepresentation of the health of the 
        individual.

SEC. 207. PUBLIC HEALTH.

    (a) In General.--A health care provider, health plan, public health 
authority, health researcher, employer, life insurer, law enforcement 
official, school, or university may disclose protected health 
information to a public health authority or other person authorized by 
law for use in a legally authorized--
            (1) disease or injury report;
            (2) public health surveillance;
            (3) public health investigation or intervention;
            (4) vital statistics report, such as birth or death 
        information;
            (5) report of abuse or neglect information about any 
        individual; or
            (6) report of information concerning a communicable disease 
        status.
    (b) Identification of Deceased Individual.--Any person may disclose 
protected health information if such disclosure is necessary to assist 
in the identification or safe handling of a deceased individual.
    (c) Requirement To Release Protected Health Information to Coroners 
and Medical Examiners.--
            (1) In general.--When a Coroner or a Medical Examiner, or 
        the duly appointed deputy of a Coroner or Medical Examiner, 
        seeks protected health information for the purpose of inquiry 
        into and determination of the cause, manner, and circumstances 
        of a death, the health care provider, health plan, health 
        oversight agency, public health authority, employer, life 
        insurer, health researcher, law enforcement official, school, 
        or university involved shall provide the protected health 
        information to the Coroner or Medical Examiner or to the duly 
        appointed deputy without undue delay.
            (2) Production of additional information.--If a Coroner or 
        Medical Examiner, or the duly appointed deputy of a Coroner or 
        Medical Examiner, receives health information from a person 
        referred to in paragraph (1), such health information shall 
        remain as protected health information unless the health 
        information is attached to or otherwise made a part of a 
        Coroner's or Medical Examiner's official report, in which case 
        it shall no longer be protected.
            (3) Exemption.--Health information attached to or otherwise 
        made a part of a Coroner's or Medical Examiner's official 
        report shall be exempt from the provisions of this Act.

SEC. 208. HEALTH RESEARCH.

    (a) In General.--A person lawfully in possession of protected 
health information may disclose such information to a health researcher 
under any of the following arrangements:
            (1) Research governed by the common rule.--A person 
        identified in subsection (a) may disclose protected health 
        information to a health researcher if the research project has 
        been approved by an institutional review board pursuant to the 
        requirements of the common rule as implemented by a Federal 
        agency.
            (2) Analyses of health care records and medical archives.--
        A person identified in subsection (a) may disclose protected 
        health information to a health researcher if--
                    (A) consistent with the safeguards established 
                pursuant to section 111 and the person's policies and 
                procedures established under this section, the health 
                research has been reviewed by a board, committee, or 
                other group formally designated by such person to 
                review research programs;
                    (B) the health research involves analysis of 
                protected health information previously created or 
                collected by the person;
                    (C) the person that maintains the protected health 
                information to be used in the analyses has in place a 
                written policy and procedure to assure the security and 
                confidentiality of protected health information and to 
                specify permissible and impermissible uses of such 
                information for health research;
                    (D) the person that maintains the protected health 
                information to be used in the analyses enters into a 
                written agreement with the recipient health researcher 
                that specifies the permissible and impermissible uses 
                of the protected health information and provides notice 
                to the researcher that any misuse or further disclosure 
                of the information to other persons is prohibited and 
                may provide a basis for action against the health 
                researcher under this Act; and
                    (E) the person keeps a record of health researchers 
                to whom protected health information has been 
                disclosed.
            (3) Safety and efficacy reports.--A person may disclose 
        protected health information to a manufacturer of a drug, 
        biologic or medical device, in connection with any monitoring 
        activity or reports made to such manufacturer for use in 
        verifying the safety or efficacy of such manufacturer's 
        approved product in special populations or for long term use.
    (b) Oversight.--On the advice of the National Committee on Vital 
and Health Statistics, the Secretary shall report to the Congress not 
later than 18 months after the effective date of this section 
concerning the adequacy of the policies and procedures implemented 
pursuant to subsection (a)(2) for protecting the confidentiality of 
protected health information while promoting its use in research 
concerning health care outcomes, the epidemiology and etiology of 
diseases and conditions and the safety, efficacy and cost effectiveness 
of health care interventions. Based on the conclusions of such report, 
the Secretary may promulgate model language for written agreements 
deemed to comply with subsection (a)(2)(C).
    (c) Statutory Assurance of Confidentiality.--
            (1) In general.--Protected health information obtained by a 
        health researcher pursuant to this section shall be used and 
        maintained in confidence, consistent with the confidentiality 
        practices established by the health researcher pursuant to 
        section 111.
            (2) Limitation on compelled disclosure.--A health 
        researcher may not be compelled in any Federal, State, or local 
        civil, criminal, administrative, legislative, or other 
        proceeding to disclose protected health information created, 
        maintained or received under this section. Nothing in this 
        paragraph shall be construed to prevent an audit or lawful 
        investigation pursuant to the authority of a Federal department 
        or agency, of a research project conducted, supported or 
        subject to regulation by such department or agency.
            (3) Limitation on further use or disclosure.--
        Notwithstanding any other provision of law, information 
        disclosed by a health researcher to a Federal department or 
        agency under this subsection may not be further used or 
        disclosed by the department or agency for a purpose unrelated 
        to the department's or agency's oversight or investigation.

SEC. 209. DISCLOSURE IN CIVIL, JUDICIAL, AND ADMINISTRATIVE PROCEDURES.

    (a) In General.--A health care provider, health plan, public health 
authority, employer, life insurer, law enforcement official, school, or 
university may disclose protected health information pursuant to a 
discovery request or subpoena in a civil action brought in a Federal or 
State court or a request or subpoena related to a Federal or State 
administrative proceeding if such discovery request or subpoena is made 
through or pursuant to a court order as provided for in subsection (b).
    (b) Court Orders.--
            (1) Standard for issuance.--In considering a request for a 
        court order regarding the disclosure of protected health 
        information under subsection (a), the court shall issue such 
        order if the court determines that without the disclosure of 
        such information, the person requesting the order would be 
        impaired from establishing a claim or defense.
            (2) Requirements.--An order issued under paragraph (1) 
        shall--
                    (A) provide that the protected health information 
                involved is subject to court protection;
                    (B) specify to whom the information may be 
                disclosed;
                    (C) specify that such information may not otherwise 
                be disclosed or used; and
                    (D) meet any other requirements that the court 
                determines are needed to protect the confidentiality of 
                the information.
    (c) Applicability.--This section shall not apply in a case in which 
the protected health information sought under such discovery request or 
subpoena relates to a party to the litigation or an individual whose 
medical condition is at issue.
    (d) Effect of Section.--This section shall not be construed to 
supersede any grounds that may apply under Federal or State law for 
objecting to turning over the protected health information.

SEC. 210. DISCLOSURE FOR LAW ENFORCEMENT PURPOSES.

    A person who receives protected health information pursuant to 
sections 202 through 207, may disclose such information to a State or 
Federal law enforcement agency if such disclosure is pursuant to--
            (1) a subpoena issued under the authority of a grand jury;
            (2) an administrative or judicial subpoena or summons;
            (3) a warrant issued upon a showing of probable cause;
            (4) a Federal or State law requiring the reporting of 
        specific medical information to law enforcement authorities;
            (5) a written consent or waiver of privilege by an 
        individual allowing access to the individual's protected health 
        information; or
            (6) by other court order.

SEC. 211. PAYMENT CARD AND ELECTRONIC PAYMENT TRANSACTION.

    (a) Payment for Health Care Through Card or Electronic Means.--If 
an individual pays for health care by presenting a debit, credit, or 
other payment card or account number, or by any other payment means, 
the person receiving the payment may disclose to a person described in 
subsection (b) only such protected health information about the 
individual as is necessary in connection with activities described in 
subsection (b), including the processing of the payment transaction or 
the billing or collection of amounts charged to, debited from, or 
otherwise paid by, the individual using the card, number, or other 
means.
    (b) Transaction Processing.--A person who is a debit, credit, or 
other payment card issuer, a payment system operator, a financial 
institution participant in a payment system or is an entity assisting 
such an issuer, operator, or participant in connection with activities 
described in this subsection, may use or disclose protected health 
information about an individual in connection with--
            (1) the authorization, settlement, billing, processing, 
        clearing, transferring, reconciling, or collection of amounts 
        charged, debited or otherwise paid using a debit, credit, or 
        other payment card or account number, or by other payment 
        means;
            (2) the transfer of receivables, accounts, or interest 
        therein;
            (3) the audit of the debit, credit, or other payment 
        information;
            (4) compliance with Federal, State, or local law;
            (5) compliance with a properly authorized civil, criminal, 
        or regulatory investigation by Federal, State, or local 
        authorities as governed by the requirements of this section; or
            (6) fraud protection, risk control, resolving customer 
        disputes or inquiries, communicating with the person to whom 
        the information relates, or reporting to consumer reporting 
        agencies.
    (c) Specific Prohibitions.--A person described in subsection (b) 
may not disclose protected health information for any purpose that is 
not described in subsection (b). Notwithstanding any other provision of 
law, any health care provider, health plan, health oversight agency, 
health researcher, employer, life insurer, school or university who 
makes a good faith disclosure of protected health information to an 
entity and for the purposes described in subsection (b) shall not be 
liable for subsequent disclosures by such entity.
    (d) Scope.--
            (1) In general.--The use of protected health information by 
        a person described in subsection (b) and its agents shall not 
        be considered a disclosure for purposes of this Act, so long as 
        the use involved is consistent with the activities authorized 
        in subsection (b) or other purposes for which the information 
        was lawfully obtained.
            (2) Regulated institutions.--A person who is subject to 
        enforcement pursuant to section 8 of the Federal Deposit 
        Insurance Act or who is a Federal credit union or State credit 
        union as defined in the Federal Credit Union Act or who is 
        registered pursuant to the Securities and Exchange Act, or who 
        is an entity assisting such a person--
                    (A) shall not be subject to this Act to the extent 
                that such person or entity is described in subsection 
                (b) and to the extent that such person or entity is 
                engaged in activities authorized in that subsection; 
                and
                    (B) shall be subject to enforcement exclusively 
                under section 8 of the Federal Deposit Insurance Act, 
                the Federal Credit Union Act, or the Securities and 
                Exchange Act, as applicable, to the extent that such 
                person or entity is engaged in activities other than 
                those permitted under subsection (b).
            (3) Rule of Construction.--Nothing in this subsection shall 
        be construed to exempt entities described in paragraph (2) from 
        the prohibition set forth in subsection (c).

SEC. 212. INDIVIDUAL REPRESENTATIVES.

    (a) In General.--Except as provided in subsections (b) and (c), a 
person who is authorized by law (based on grounds other than the 
individual being a minor), or by an instrument recognized under law, to 
act as an agent, attorney, proxy, or other legal representative of a 
protected individual, may, to the extent so authorized, exercise and 
discharge the rights of the individual under this Act.
    (b) Health Care Power of Attorney.--A person who is authorized by 
law (based on grounds other than being a minor), or by an instrument 
recognized under law, to make decisions about the provision of health 
care to an individual who is incapacitated, may exercise and discharge 
the rights of the individual under this Act to the extent necessary to 
effectuate the terms or purposes of the grant of authority.
    (c) No Court Declaration.--If a health care provider determines 
that an individual, who has not been declared to be legally 
incompetent, suffers from a medical condition that prevents the 
individual from acting knowingly or effectively on the individual's own 
behalf, the right of the individual to authorize disclosure under this 
Act may be exercised and discharged in the best interest of the 
individual by--
            (1) a person described in subsection (b) with respect to 
        the individual;
            (2) a person described in subsection (a) with respect to 
        the individual, but only if a person described in paragraph (1) 
        cannot be contacted after a reasonable effort;
            (3) the next of kin of the individual, but only if a person 
        described in paragraph (1) or (2) cannot be contacted after a 
        reasonable effort; or
            (4) the health care provider, but only if a person 
        described in paragraph (1), (2), or (3) cannot be contacted 
        after a reasonable effort.
    (d) Application to Deceased Individuals.--The provisions of this 
Act shall continue to prevent disclosure of protected health 
information concerning a deceased individual.
    (e) Exercise of Rights on Behalf of a Deceased Individual.--
            (1) In general.--A person who is authorized by law or by an 
        instrument recognized under law, to act as an executor of the 
        estate of a deceased individual, or otherwise to exercise the 
        rights of the deceased individual, may, to the extent so 
        authorized, exercise and discharge the rights of such deceased 
        individual under this Act for a period of 2 years following the 
        death of such individual. If no such designee has been 
        authorized, the rights of the deceased individual may be 
        exercised as provided for in subsection (c).
            (2) Insured individuals.--In the case of an individual who 
        is deceased and who was the insured under an insurance policy 
        or policies, the right to authorize disclosure of protected 
        health information may be exercised by the beneficiary or 
        beneficiaries of such insurance policy or policies.
    (f) Rights of Minors.--The rights of minors under this Act shall be 
exercised by a parent, the minor or other person as provided under 
applicable State law.

SEC. 213. NO LIABILITY FOR PERMISSIBLE DISCLOSURES.

    A health care provider, health plan, health oversight agency, 
health researcher, employer, life insurer, school, or university, or an 
agent of any such person, that makes a disclosure of protected health 
information about an individual that is permitted by this Act shall not 
be liable to the individual for such disclosure under common law.

SEC. 214. SALE OF BUSINESS, MERGERS, ETC.

    (a) In General.--A health care provider, health plan, health 
oversight agency, employer, life insurer, school, or university may 
disclose protected health information to a person or persons for 
purposes of enabling business decisions to be made about or in 
connection with the purchase, transfer, merger, or sale of a business 
or businesses.
    (b) No Further Use or Disclosure.--A person or persons who receive 
protected health information under this section shall make no further 
use or disclosure of such information unless otherwise authorized under 
this Act.

                          TITLE III--SANCTIONS

                    Subtitle A--Criminal Provisions

SEC. 301. WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION.

    (a) In General.--Part I of title 18, United States Code, is amended 
by adding at the end the following:

   ``CHAPTER 124--WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION

``SEC. 2801. WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION.

    ``(a) Offense.--The penalties described in subsection (b) shall 
apply to a person that knowingly and intentionally--
            ``(1) obtains protected health information relating to an 
        individual from a health care provider, health plan, health 
        oversight agency, public health authority, employer, life 
        insurer, health researcher, law enforcement official, school, 
        or university except as provided in title II of the Medical 
        Information Protection Act of 1999; or
            ``(2) discloses protected health information to another 
        person in a manner other than that which is permitted under 
        title II of the Medical Information Protection Act of 1999.
    ``(b) Penalties.--A person described in subsection (a) shall--
            ``(1) be fined not more than $50,000, imprisoned not more 
        than 1 year, or both;
            ``(2) if the offense is committed under false pretenses, be 
        fined not more than $100,000, imprisoned not more than 5 years, 
        or both; or
            ``(3) if the offense is committed with the intent to sell, 
        transfer, or use protected health information for monetary gain 
        or malicious harm, be fined not more than $250,000, imprisoned 
        not more than 10 years, or both.
    ``(c) Subsequent Offenses.--In the case of a person described in 
subsection (a), the maximum penalties described in subsection (b) shall 
be doubled for every subsequent conviction for an offense arising out 
of a violation or violations related to a set of circumstances that are 
different from those involved in the previous violation or set of 
related violations described in such subsection (a).''.
    (b) Clerical Amendment.--The table of chapters for part I of title 
18, United States Code, is amended by inserting after the item relating 
to chapter 123 the following new item:

``124. Wrongful disclosure of protected health information..    2801''.

                      Subtitle B--Civil Sanctions

SEC. 311. CIVIL PENALTY VIOLATION.

    A person who the Secretary, in consultation with the Attorney 
General, determines has substantially and materially failed to comply 
with this Act shall be subject, in addition to any other penalties that 
may be prescribed by law--
            (1) in a case in which the violation relates to title I, to 
        a civil penalty of not more than $500 for each such violation, 
        but not to exceed $5,000 in the aggregate for multiple 
        violations arising from the same failure to comply with the 
        Act;
            (2) in a case in which the violation relates to title II, 
        to a civil penalty of not more than $10,000 for each such 
        violation, but not to exceed $50,000 in the aggregate for 
        multiple violations arising from the same failure to comply 
        with the Act; or
            (3) in a case in which the Secretary finds that such 
        violations have occurred with such frequency as to constitute a 
        general business practice, to a civil penalty of not more than 
        $100,000.

SEC. 312. PROCEDURES FOR IMPOSITION OF PENALTIES.

    (a) Initiation of Proceedings.--
            (1) In general.--The Secretary, in consultation with the 
        Attorney General, may initiate a proceeding to determine 
        whether to impose a civil money penalty under section 311. The 
        Secretary may not initiate an action under this section with 
        respect to any violation described in section 311 after the 
        expiration of the 6-year period beginning on the date on which 
        such violation was alleged to have occurred. The Secretary may 
        initiate an action under this section by serving notice of the 
        action in any manner authorized by Rule 4 of the Federal Rules 
        of Civil Procedure.
            (2) Notice and opportunity for hearing.--The Secretary 
        shall not make a determination adverse to any person under 
        paragraph (1) until the person has been given written notice 
        and an opportunity for the determination to be made on the 
        record after a hearing at which the person is entitled to be 
        represented by counsel, to present witnesses, and to cross-
        examine witnesses against the person.
            (3) Sanctions for failure to comply.--The official 
        conducting a hearing under this section may sanction a person, 
        including any party or attorney, for failing to comply with an 
        order or procedure, failing to defend an action, or other 
        misconduct as would interfere with the speedy, orderly, or fair 
        conduct of the hearing. Such sanction shall reasonably relate 
        to the severity and nature of the failure or misconduct. Such 
        sanction may include--
                    (A) in the case of refusal to provide or permit 
                discovery, drawing negative factual inferences or 
                treating such refusal as an admission by deeming the 
                matter, or certain facts, to be established;
                    (B) prohibiting a party from introducing certain 
                evidence or otherwise supporting a particular claim or 
                defense;
                    (C) striking pleadings, in whole or in part;
                    (D) staying the proceedings;
                    (E) dismissal of the action;
                    (F) entering a default judgment;
                    (G) ordering the party or attorney to pay 
                attorneys' fees and other costs caused by the failure 
                or misconduct; and
                    (H) refusing to consider any motion or other action 
                which is not filed in a timely manner.
    (b) Scope of Penalty.--In determining the amount or scope of any 
penalty imposed pursuant to section 311, the Secretary shall take into 
account--
            (1) the nature of claims and the circumstances under which 
        they were presented;
            (2) the degree of culpability, history of prior offenses, 
        and financial condition of the person presenting the claims;
            (3) evidence of good faith endeavor to protect the 
        confidentiality of protected health information; and
            (4) such other matters as justice may require.
    (c) Review of Determination.--
            (1) In general.--Any person adversely affected by a 
        determination of the Secretary under this section may obtain a 
        review of such determination in the United States Court of 
        Appeals for the circuit in which the person resides, or in 
        which the claim was presented, by filing in such court (within 
        60 days following the date the person is notified of the 
        determination of the Secretary) a written petition requesting 
        that the determination be modified or set aside.
            (2) Filing of record.--A copy of the petition filed under 
        paragraph (1) shall be forthwith transmitted by the clerk of 
        the court to the Secretary, and thereupon the Secretary shall 
        file in the Court the record in the proceeding as provided in 
        section 2112 of title 28, United States Code. Upon such filing, 
        the court shall have jurisdiction of the proceeding and of the 
        question determined therein, and shall have the power to make 
        and enter upon the pleadings, testimony, and proceedings set 
        forth in such record a decree affirming, modifying, remanding 
        for further consideration, or setting aside, in whole or in 
        part, the determination of the Secretary and enforcing the same 
        to the extent that such order is affirmed or modified.
            (3) Consideration of objections.--No objection that has not 
        been raised before the Secretary with respect to a 
        determination described in paragraph (1) shall be considered by 
        the court, unless the failure or neglect to raise such 
        objection shall be excused because of extraordinary 
        circumstances.
            (4) Findings.--The findings of the Secretary with respect 
        to questions of fact in an action under this subsection, if 
        supported by substantial evidence on the record considered as a 
        whole, shall be conclusive. If any party shall apply to the 
        court for leave to adduce additional evidence and shall show to 
        the satisfaction of the court that such additional evidence is 
        material and that there were reasonable grounds for the failure 
        to adduce such evidence in the hearing before the Secretary, 
        the court may order such additional evidence to be taken before 
        the Secretary and to be made a part of the record. The 
        Secretary may modify findings as to the facts, or make new 
        findings, by reason of additional evidence so taken and filed, 
        and shall file with the court such modified or new findings, 
        and such findings with respect to questions of fact, if 
        supported by substantial evidence on the record considered as a 
        whole, and the recommendations of the Secretary, if any, for 
        the modification or setting aside of the original order, shall 
        be conclusive.
            (5) Exclusive jurisdiction.--Upon the filing of the record 
        with the court under paragraph (2), the jurisdiction of the 
        court shall be exclusive and its judgment and decree shall be 
        final, except that the same shall be subject to review by the 
        Supreme Court of the United States, as provided for in section 
        1254 of title 28, United States Code.
    (d) Recovery of Penalties.--
            (1) In general.--Civil money penalties imposed under this 
        subtitle may be compromised by the Secretary and may be 
        recovered in a civil action in the name of the United States 
        brought in United States district court for the district where 
        the claim was presented, or where the claimant resides, as 
        determined by the Secretary. Amounts recovered under this 
        section shall be paid to the Secretary and deposited as 
        miscellaneous receipts of the Treasury of the United States.
            (2) Deduction from amounts owing.--The amount of any 
        penalty, when finally determined under this section, or the 
        amount agreed upon in compromise under paragraph (1), may be 
        deducted from any sum then or later owing by the United States 
        or a State to the person against whom the penalty has been 
        assessed.
    (e) Determination Final.--A determination by the Secretary to 
impose a penalty under section 311 shall be final upon the expiration 
of the 60-day period referred to in subsection (c)(1). Matters that 
were raised or that could have been raised in a hearing before the 
Secretary or in an appeal pursuant to subsection (c) may not be raised 
as a defense to a civil action by the United States to collect a 
penalty under section 311.
    (f) Subpoena Authority.--
            (1) In general.--For the purpose of any hearing, 
        investigation, or other proceeding authorized or directed under 
        this section, or relative to any other matter within the 
        jurisdiction of the Attorney General hereunder, the Attorney 
        General, acting through the Secretary shall have the power to 
        issue subpoenas requiring the attendance and testimony of 
        witnesses and the production of any evidence that relates to 
        any matter under investigation or in question before the 
        Secretary. Such attendance of witnesses and production of 
        evidence at the designated place of such hearing, 
        investigation, or other proceeding may be required from any 
        place in the United States or in any Territory or possession 
        thereof.
            (2) Service.--Subpoenas of the Secretary under paragraph 
        (1) shall be served by anyone authorized by the Secretary by 
        delivering a copy thereof to the individual named therein.
            (3) Proof of service.--A verified return by the individual 
        serving the subpoena under this subsection setting forth the 
        manner of service shall be proof of service.
            (4) Fees.--Witnesses subpoenaed under this subsection shall 
        be paid the same fees and mileage as are paid witnesses in the 
        district court of the United States.
            (5) Refusal to obey.--In case of contumacy by, or refusal 
        to obey a subpoena duly served upon, any person, any district 
        court of the United States for the judicial district in which 
        such person charged with contumacy or refusal to obey is found 
        or resides or transacts business, upon application by the 
        Secretary, shall have jurisdiction to issue an order requiring 
        such person to appear and give testimony, or to appear and 
        produce evidence, or both. Any failure to obey such order of 
        the court may be punished by the court as contempt thereof.
    (g) Injunctive Relief.--Whenever the Secretary has reason to 
believe that any person has engaged, is engaging, or is about to engage 
in any activity which makes the person subject to a civil monetary 
penalty under section 311, the Secretary may bring an action in an 
appropriate district court of the United States (or, if applicable, a 
United States court of any territory) to enjoin such activity, or to 
enjoin the person from concealing, removing, encumbering, or disposing 
of assets which may be required in order to pay a civil monetary 
penalty if any such penalty were to be imposed or to seek other 
appropriate relief.
    (h) Agency.--A principal is liable for penalties under section 311 
for the actions of the principal's agent acting within the scope of the 
agency.

SEC. 313. ENFORCEMENT BY STATE INSURANCE COMMISSIONERS.

    (a) State Penalties.--Subject to section 401, and notwithstanding 
any other provision of this title, the insurance commissioner of the 
State of residence of an insured under a life, disability income or 
long-term care insurance policy may exercise exclusive authority to 
impose any penalties on a life insurer for violations of this Act in 
connection with life, disability income or long-term care insurance 
pursuant to the administrative procedures provided under that State's 
insurance laws.
    (b) Fail-Safe Federal Authority.--In the case of a State that fails 
to substantially enforce the requirements of title I or title II of 
this Act with respect to life insurers regulated by such State, the 
provisions of this title shall apply with respect to a life insurer in 
the same way that they apply to other persons subject to the Act.

                        TITLE IV--MISCELLANEOUS

SEC. 401. RELATIONSHIP TO OTHER LAWS.

    (a) State and Federal Law.--Except as provided in this section, the 
provisions of this Act shall preempt any State law that relates to 
matters covered by this Act. Nothing in this Act shall be construed to 
preempt, modify, repeal or affect the interpretation of a provision of 
Federal or State law that relates to the disclosure of protected health 
information or any other information about a minor to a parent or 
guardian of such minor. This Act shall not be construed as repealing, 
explicitly or implicitly, other Federal laws or regulations relating to 
protected health information or relating to an individual's access to 
protected health information or health care services.
    (b) Privileges.--Nothing in this title shall be construed to 
preempt or modify any provisions of State statutory or common law to 
the extent that such law concerns a privilege of a witness or person in 
a court of that State. This title shall not be construed to supersede 
or modify any provision of Federal statutory or common law to the 
extent such law concerns a privilege of a witness or person in a court 
of the United States. Authorizations pursuant to sections 202 and 203 
shall not be construed as a waiver of any such privilege.
    (c) Reports Concerning Federal Privacy Act.--Not later than 1 year 
after the date of enactment of this Act, the head of each Federal 
agency shall prepare and submit to Congress a report concerning the 
effect of this Act on each such agency. Such reports shall 
include recommendations for legislation to address concerns relating to 
the Federal Privacy Act.
    (d) Application to Certain Federal Agencies.--
            (1) Department of defense.--
                    (A) Exceptions.--The Secretary of Defense may, by 
                regulation, establish exceptions to the disclosure 
                requirements of this Act to the extent such Secretary 
                determines that disclosure of protected health 
                information relating to members of the armed forces 
                from systems of records operated by the Department of 
                Defense is necessary under circumstances different from 
                those permitted under this Act for the proper conduct 
                of national defense functions by members of the armed 
                forces.
                    (B) Application to civilian employees.--The 
                Secretary of Defense may, by regulation, establish for 
                civilian employees of the Department of Defense and 
                employees of Department of Defense contractors, 
                limitations on the right of such persons to revoke or 
                amend authorizations for disclosures under section 203 
                when such authorizations were provided by such 
                employees as a condition of employment and the 
                disclosure is determined necessary by the Secretary of 
                Defense to the proper conduct of national defense 
                functions by such employees.
            (2) Department of transportation.--
                    (A) Exceptions.--The Secretary of Transportation 
                may, with respect to members of the Coast Guard, 
                exercise the same powers as the Secretary of Defense 
                may exercise under paragraph (1)(A).
                    (B) Application to civilian employees.--The 
                Secretary of Transportation may, with respect to 
                civilian employees of the Coast Guard and Coast Guard 
                contractors, exercise the same powers as the Secretary 
                of Defense may exercise under paragraph (1)(B).
            (3) Department of veterans affairs.--The limitations on use 
        and disclosure of protected health information under this Act 
        shall not be construed to prevent any exchange of such 
        information within and among components of the Department of 
        Veterans Affairs that determine eligibility for or entitlement 
        to, or that provide, benefits under laws administered by the 
        Secretary of Veterans Affairs.

SEC. 402. CONFORMING AMENDMENT.

    Section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)) is 
amended to read as follows:
            ``(6) Individually identifiable health information.--The 
        term `individually identifiable health information' has the 
        same meaning given the term `protected health information' by 
        section 4 of the Medical Information Protection Act of 1999.''.

SEC. 403. STUDY BY INSTITUTE OF MEDICINE.

    Not later than 2 years after the date of enactment of this Act, the 
National Research Council in conjunction with the Institute of Medicine 
of the National Academy of Sciences shall conduct a study to examine 
research issues relating to protected health information, such as the 
quality and uniformity of institutional review boards and their 
practices with respect to data management for both researchers and 
institutional review boards, as well as current and proposed protection 
of health information in relation to the legitimate needs of law 
enforcement. The Council shall prepare and submit to Congress a report 
concerning the results of such study.

SEC. 405. EFFECTIVE DATE.

    (a) Effective Date.--Except as provided in subsection (b), this Act 
shall take effect on the date that is 12 months after the date on which 
regulations are promulgated as required under subsection (c).
    (b) Applicability.--The provisions of this Act shall only apply to 
protected health information collected and disclosed 12 months after 
the date on which regulations are promulgated as required under 
subsection (c).
    (c) Regulations.--Not later than 12 months after the date of 
enactment of this Act, the Secretary shall, in consultation with the 
National Committee on Vital and Health Statistics, promulgate 
regulations implementing this Act.
    (d) Exception.--If, not later than 18 months after the date of 
enactment of this Act, the Secretary has not promulgated the 
regulations required under subsection (c), the effective date for 
purposes of subsections (a) and (b) shall be the date that is 30 months 
after the date of enactment of this Act or 12 months after the 
promulgation of such regulations, whichever is earlier.