[Congressional Bills 107th Congress]
[From the U.S. Government Publishing Office]
[H.R. 5646 Introduced in House (IH)]







107th CONGRESS
  2d Session
                                H. R. 5646

      To restore standards to protect the privacy of individually 
 identifiable health information that were weakened by the August 2002 
                 modifications, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                            October 16, 2002

 Mr. Markey (for himself, Mr. Waxman, Mr. Dingell, Mr. Berman, and Mr. 
   Capuano) introduced the following bill; which was referred to the 
Committee on the Energy and Commerce, and in addition to the Committees 
on Ways and Means, and Education and the Workforce, for a period to be 
subsequently determined by the Speaker, in each case for consideration 
  of such provisions as fall within the jurisdiction of the committee 
                               concerned

_______________________________________________________________________

                                 A BILL


 
      To restore standards to protect the privacy of individually 
 identifiable health information that were weakened by the August 2002 
                 modifications, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Stop Taking Our Health Privacy 
(STOHP) Act of 2002''.

SEC. 2. FINDINGS.

     The Congress finds as follows:
            (1) People in the United States are deeply concerned about 
        the confidentiality of their health information. According to a 
        recent survey conducted by the Princeton Survey Research 
        Associates, 1 in 6 people in the United States has done 
        something out of the ordinary to keep personal health 
        information confidential, including withholding information, 
        providing inaccurate information, or, in some cases, avoiding 
        care entirely.
            (2) Pursuant to the Health Insurance Portability and 
        Accountability Act of 1996 (Public Law 104-191; 110 Stat. 1936 
        et seq.) (commonly referred to as ``HIPAA''), the Clinton 
        Administration issued comprehensive medical privacy regulations 
        which were promulgated in final form in December 2000.
            (3) Such regulations established a sound foundation of 
        privacy protections by prohibiting the use or disclosure of an 
        individual's health information unless specifically authorized 
        by the regulations or by the individual. The regulations also 
        provided individuals with the right to be notified of the 
        privacy practices of health plans, health care providers, and 
        health care clearinghouses regarding disclosure of their health 
        information, the right to access and copy their own health 
        records, and the right to request corrections of their health 
        records, among other provisions.
            (4) Such regulations took effect in April 2001 and require 
        health care providers, health plans (other than small health 
        plans) and health care clearinghouses to comply not later than 
        April 2003.
            (5) In August 2002, the Bush Administration issued a final 
        rule that significantly weakened medical privacy protections in 
        the December 2000 medical privacy rule.
            (6) The Bush Administration undermined medical privacy 
        protections by eliminating the rule's requirement that covered 
        entities obtain patient consent before using and disclosing 
        patient health information for treatment, payment, and health 
        care operations. This change means that patients' medical 
        records can be used and disclosed without their permission for 
        a wide range of purposes including business activities that 
        have nothing to do with the treatment of a patient, such as the 
        sale or merger of a health maintenance organization. This 
        change also allows the use and disclosure of information in 
        existing medical records even though patients disclosed the 
        information with the understanding and expectation that it 
        would not be further used or disclosed without their consent. 
        The elimination of consent compromises the confidentiality at 
        the heart of physician-patient relationships, which is 
        indispensable for the delivery of high-quality, thorough care.
            (7) The Bush Administration also undermined medical privacy 
        protections by expanding the circumstances under which 
        patients' information can be shared without their knowledge or 
        consent to include activities that consumers typically consider 
        marketing. This change was accomplished by narrowing the scope 
        of activities that are regulated by the provisions of the rule 
        governing marketing. Under this change, pharmacies and other 
        providers can use a consumer's medical information without 
        consent to mail the consumer unsolicited drug product 
        recommendations, without having to disclose fees paid by drug 
        companies for sending such communications or provide the 
        consumer an opportunity to decline to receive such 
        communications in the future.
            (8) The Bush Administration further undermined medical 
        privacy protections by changing the language in the section of 
        the rule governing public health to allow the disclosure of 
        medical information without patient permission to entities 
regulated by the Food and Drug Administration, such as pharmaceutical 
companies and medical device manufacturers, for an expanded and broad 
range of purposes which may include marketing campaigns. In contrast, 
the December 2000 rule allowed nonconsensual disclosure of patient 
health information for an exclusive list of public health related 
activities, such as for the purpose of reporting serious side effects 
from a prescription drug to the Food and Drug Administration.
            (9) Reversal of the Bush Administration's changes to the 
        December 2000 medical privacy rule is integral to any effort to 
        ensure medical privacy protection for consumers and preserve 
        access to high-quality health care in the United States.
            (10) Core medical privacy protections of the December 2000 
        medical privacy rule should be restored by--
                    (A) reinstating the patient consent requirement for 
                treatment, payment, and health care operations, while 
                ensuring that the requirement does not impede important 
                health care activities such as filling pharmaceutical 
                prescriptions and making referrals;
                    (B) returning to the December 2000 definition of 
                ``marketing'' and thus ensuring that activities 
                typically considered marketing, such as drug companies 
                paying pharmacies to send product recommendations to 
                patients, fall under the rule's privacy protections 
                relating to the use of patient health information for 
                marketing activities; and
                    (C) eliminating the broad ``public health'' 
                exemption created by the August 2002 rule.

SEC. 3. PURPOSE.

     The purpose of this Act is to restore patient privacy protections 
essential for high-quality health care that were undermined by the Bush 
Administration's August 2002 modifications of the December 2000 medical 
privacy rule.

SEC. 4. RESTORATION OF PRIVACY PROTECTIONS.

    (a) Consent for Uses or Disclosures To Carry Out Treatment, 
Payment, or Health Care Operations.--
            (1) In general.--The modifications made to section 164.506 
        of title 45, Code of Federal Regulations, by the August 2002 
        medical privacy rule shall have no force or effect.
            (2) Clarification regarding instances when consent is not 
        required.--In addition to the circumstances described in the 
        December 2000 medical privacy rule, and notwithstanding any 
        provision to the contrary, such section 164.506 shall be 
        construed and applied so as to permit a health care provider to 
        use or disclose an individual's protected health information 
        without obtaining the prior consent of the individual in the 
        following circumstances:
                    (A) A health care provider may use or disclose an 
                individual's protected health information to fill or 
                dispense a prescription, search for drug interactions 
                related to that prescription, and determine eligibility 
                and obtain authorization for payment regarding that 
                prescription, if the health care provider obtains 
                written consent from the individual as soon as 
                practicable.
                    (B) A health care provider may use or disclose an 
                individual's protected health information to carry out 
                treatment of that individual if--
                            (i) the individual and the health care 
                        provider have not had in-person communication 
                        regarding such treatment;
                            (ii) obtaining consent would be 
                        impracticable;
                            (iii) the health care provider determines, 
                        in the exercise of professional judgment, that 
                        the individual's consent is clearly inferred 
                        from the circumstances, such as an order or 
                        referral from another health care provider; and
                            (iv) the health care provider obtains 
                        written consent from the individual as soon as 
                        practicable.
    (b) Marketing.--
            (1) In general.--The modifications made by the August 2002 
        medical privacy rule to the definition of the term 
        ``marketing'' in section 164.501 of title 45, Code of Federal 
        Regulations, shall have no force or effect.
            (2) Treatment of certain communications.--The exception for 
        oral communications in paragraph (2)(i) of the definition of 
        the term ``marketing'' in section 164.501 of title 45, Code of 
        Federal Regulations, as contained in the December 2000 medical 
        privacy rule, shall have no force or effect.
            (3) Authorizations for marketing.--Section 164.508 of title 
        45, Code of Federal Regulations, shall be construed and applied 
        so as to require that, if an authorization is required for a 
        use or disclosure for marketing, the authorization shall be 
        considered invalid unless it--
                    (A) uses the term ``marketing'';
                    (B) states that the purpose of the use or 
                disclosure involved is marketing;
                    (C) describes the specific marketing uses and 
                disclosures authorized, including whether the protected 
                health information involved--
                            (i) may be used for purposes internal to 
                        the covered entity;
                            (ii) may be disclosed to, and used by, a 
                        business associate of the covered entity; and
                            (iii) may be disclosed to, and used by, any 
                        person or entity other than a business 
                        associate of the covered entity; and
                    (D) states that the use or disclosure of protected 
                health information for marketing will directly result 
                in remuneration to the covered entity from a third 
                party, in any case in which a covered entity expects, 
                or reasonably should expect, that such remuneration 
                will occur.
    (c) Public Health.--The modifications made to section 
164.512(b)(1)(iii) of title 45, Code of Federal Regulations, by the 
August 2002 medical privacy rule shall have no force or effect.

SEC. 5. DEFINITIONS; EFFECTIVE DATE.

    (a) In General.--For purposes of this Act:
            (1) December 2000 medical privacy rule.--The term 
        ``December 2000 medical privacy rule'' means the final rule on 
        standards for privacy of individually identifiable health 
        information published on December 28, 2000, in the Federal 
        Register (65 Fed. Reg. 82462), including the provisions of 
        title 45, Code of Federal Regulations, revised or added by such 
        rule.
            (2) August 2002 medical privacy rule.--The term ``August 
        2002 medical privacy rule'' means the final rule, published on 
        August 14, 2002, in the Federal Register (67 Fed. Reg. 53182), 
        that modified the December 2000 medical privacy rule.
    (b) Other Terms Defined.--For purposes of this Act:
            (1) Business associate; covered entity; health care 
        provider.--The terms ``business associate'', ``covered 
        entity'', and ``health care provider'' shall have the meaning 
        given such terms in section 160.103 of title 45, Code of 
        Federal Regulations, as contained in the December 2000 medical 
        privacy rule.
            (2) Disclosure; individual, protected health information; 
        treatment; use.--The terms ``disclosure'', ``individual'', 
        ``protected health information'', ``treatment'', and ``use'' 
        shall have the meaning given such terms in section 164.501 of 
        title 45, Code of Federal Regulations, as contained in the 
        December 2000 medical privacy rule.
    (c) Effective Date; No Regulations Required.--This Act shall take 
effect on the date of the enactment of this Act and does not require 
the issuance of regulations.
                                 <all>