[Congressional Bills 108th Congress]
[From the U.S. Government Publishing Office]
[H.R. 1709 Introduced in House (IH)]






108th CONGRESS
  1st Session
                                H. R. 1709

      To restore standards to protect the privacy of individually 
 identifiable health information that were weakened by the August 2002 
                 modifications, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             April 10, 2003

Mr. Markey (for himself, Mr. Rohrabacher, Mr. Waxman, and Mr. Dingell) 
 introduced the following bill; which was referred to the Committee on 
  Energy and Commerce, and in addition to the Committees on Ways and 
Means, and Education and the Workforce, for a period to be subsequently 
   determined by the Speaker, in each case for consideration of such 
 provisions as fall within the jurisdiction of the committee concerned

_______________________________________________________________________

                                 A BILL


 
      To restore standards to protect the privacy of individually 
 identifiable health information that were weakened by the August 2002 
                 modifications, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Stop Taking Our Health Privacy 
(STOHP) Act of 2003''.

SEC. 2. FINDINGS.

     The Congress finds as follows:
            (1) People in the United States are deeply concerned about 
        the confidentiality of their health information. According to a 
        survey conducted by the Princeton Survey Research Associates, 1 
        in 6 people in the United States has done something out of the 
        ordinary to keep personal health information confidential, 
        including withholding information, providing inaccurate 
        information, or, in some cases, avoiding care entirely.
            (2) Pursuant to the Health Insurance Portability and 
        Accountability Act of 1996, commonly referred to as ``HIPAA'' 
        (Public Law 104-191; 110 Stat. 1936 et seq.), the Department of 
        Health and Human Services issued comprehensive medical privacy 
        regulations, which were promulgated in final form in December 
        2000.
            (3) These regulations established a sound foundation of 
        privacy protections by prohibiting the use or disclosure of an 
        individual's health information unless specifically authorized 
        by the regulations or by the individual. The regulations also 
        required health care providers such as physicians and health 
        clinics, health plans, and health care clearinghouses, which 
        are responsible for handling transactions such as billing 
        between health plans and providers, to notify individuals about 
        privacy practices regarding disclosure of health information. 
        The regulations also provided individuals with the right to 
        access and copy their own health records, and the right to 
        request corrections of their health records, among other 
        provisions.
            (4) The regulations took effect on April 14, 2000, and 
        required health care providers, health plans (other than small 
        health plans), and health care clearinghouses to comply not 
        later than April 14, 2003.
            (5) On August 14, 2002, the Department of Health and Human 
        Services issued modifications to the December 2000 medical 
        privacy rule that significantly weakened privacy protections.
            (6) These modifications eliminated the requirement that 
        health care providers, health plans, and health care 
        clearinghouses obtain patient consent before using or 
        disclosing patient health information for treatment, payment, 
        or health care operations. This change means that patients' 
        medical information can be used or disclosed without their 
        permission for a wide range of purposes, including business 
        activities that have nothing to do with patient care, such as 
        the sale or merger of a health maintenance organization (HMO). 
        This change also permits the use and disclosure of information 
        in existing medical records even though patients disclosed the 
        information with the understanding and expectation that it 
        would not be used or disclosed without their consent. The 
        elimination of consent compromises the confidentiality that is 
        the heart of physician-patient relationships and is 
        indispensable for the delivery of high-quality health care.
            (7) The August 2002 modifications also undermined medical 
        privacy protections by expanding the circumstances under which 
        patients' information can be shared without their knowledge or 
        consent to include activities that consumers typically consider 
        marketing. This change permits pharmacies and other providers 
        to use consumers' medical information without their permission 
        to mail them unsolicited drug product recommendations. 
        Furthermore, providers are not required to disclose fees paid 
        to them by drug companies for sending such communications nor 
        provide consumers with the choice to opt out of such future 
        communications.
            (8) The August 2002 modifications further undermined 
        medical privacy protections by changing the section of the rule 
        governing public health. The change allows providers to 
        disclose medical information without patient permission to 
        entities regulated by the Food and Drug Administration, such as 
        pharmaceutical companies and medical device manufacturers, for 
        a broad range of purposes including marketing campaigns. In 
        contrast, the December 2000 rule allowed nonconsensual 
        disclosure of patient health information for a limited list of 
        public health-related activities, such as reporting serious 
        side effects from a prescription drug to the Food and Drug 
        Administration.
            (9) Reversal of the August 2002 modifications to the 
        medical privacy rule is integral to any effort to ensure 
        privacy protections for consumers' personal health information 
        and preserve access to high-quality health care in the United 
        States.
            (10) Congress should restore core medical privacy 
        protections of the December 2000 medical privacy rule by--
                    (A) reinstating the patient consent requirement for 
                treatment, payment, and health care operations, while 
                ensuring that the requirement does not impede important 
                health care activities such as filling pharmaceutical 
                prescriptions and making physician referrals;
                    (B) returning to the December 2000 definition of 
                ``marketing'' and thus ensuring that activities 
                typically considered ``marketing,'' such as drug 
                companies paying pharmacies to send product 
                recommendations to patients, fall under the rule's 
                privacy protections governing marketing activities; and
                    (C) eliminating the broad ``public health'' 
                loophole created by the August 2002 rule.

SEC. 3. PURPOSE.

     The purpose of this Act is to restore patient privacy protections 
essential for high-quality health care that were undermined by the 
August 2002 modifications of the December 2000 medical privacy rule.

SEC. 4. RESTORATION OF PRIVACY PROTECTIONS.

    (a) Consent for Uses or Disclosures to Carry Out Treatment, 
Payment, or Health Care Operations.--
            (1) In general.--The modifications made to section 164.506 
        of title 45, Code of Federal Regulations, by the August 2002 
        medical privacy rule shall have no force or effect.
            (2) Clarification regarding instances when consent is not 
        required.-- In addition to the circumstances described in the 
        December 2000 medical privacy rule, and notwithstanding any 
        provision to the contrary, such section 164.506 shall be 
        construed and applied so as to permit a health care provider to 
        use or disclose an individual's protected health information 
        without obtaining the prior consent of the individual in the 
        following circumstances:
                    (A) A health care provider may use or disclose an 
                individual's protected health information to fill or 
                dispense a prescription, search for drug interactions 
                related to that prescription, and determine eligibility 
                and obtain authorization for payment regarding that 
                prescription, if the health care provider obtains 
                written consent from the individual as soon as 
                practicable.
                    (B) A health care provider may use or disclose an 
                individual's protected health information to carry out 
                treatment of that individual if--
                            (i) the individual and the health care 
                        provider have not had in-person communication 
                        regarding such treatment;
                            (ii) obtaining consent would be 
                        impracticable;
                            (iii) the health care provider determines, 
                        in the exercise of professional judgment, that 
                        the individual's consent is clearly inferred 
                        from the circumstances, such as an order or 
                        referral from another health care provider; and
                            (iv) the health care provider obtains 
                        written consent from the individual as soon as 
                        practicable.
    (b) Marketing.--
            (1) In general.--The modifications made by the August 2002 
        medical privacy rule to the definition of the term 
        ``marketing'' in section 164.501 of title 45, Code of Federal 
        Regulations, shall have no force or effect.
            (2) Treatment of certain communications.--The exception for 
        oral communications in paragraph (2)(i) of the definition of 
        the term ``marketing'' in section 164.501 of title 45, Code of 
        Federal Regulations, as contained in the December 2000 medical 
        privacy rule, shall have no force or effect.
            (3) Authorizations for marketing.--Section 164.508 of title 
        45, Code of Federal Regulations, shall be construed and applied 
        so as to require that, if an authorization is required for a 
        use or disclosure for marketing, the authorization shall be 
        considered invalid unless it--
                    (A) uses the term ``marketing'';
                    (B) states that the purpose of the use or 
                disclosure involved is marketing;
                    (C) describes the specific marketing uses and 
                disclosures authorized, including whether the protected 
                health information involved--
                            (i) may be used for purposes internal to 
                        the covered entity;
                            (ii) may be disclosed to, and used by, a 
                        business associate of the covered entity; and
                            (iii) may be disclosed to, and used by, any 
                        person or entity other than a business 
                        associate of the covered entity; and
                    (D) states that the use or disclosure of protected 
                health information for marketing will directly result 
                in remuneration to the covered entity from a third 
                party, in any case in which a covered entity expects, 
                or reasonably should expect, that such remuneration 
                will occur.
    (c) Public Health.--The modifications made to section 
164.512(b)(1)(iii) of title 45, Code of Federal Regulations, by the 
August 2002 medical privacy rule shall have no force or effect.

SEC. 5. DEFINITIONS; EFFECTIVE DATE.

    (a) In General.--For purposes of this Act:
            (1) December 2000 medical privacy rule.--The term 
        ``December 2000 medical privacy rule'' means the final rule on 
        standards for privacy of individually identifiable health 
        information published on December 28, 2000, in the Federal 
        Register (65 Fed. Reg. 82462), including the provisions of 
        title 45, Code of Federal Regulations, revised or added by such 
        rule.
            (2) August 2002 medical privacy rule.--The term ``August 
        2002 medical privacy rule'' means the final rule, published on 
        August 14, 2002, in the Federal Register (67 Fed. Reg. 53182), 
        that modified the December 2000 medical privacy rule.
    (b) Other Terms Defined.--For purposes of this Act:
            (1) Business associate; covered entity; health care 
        provider.--The terms ``business associate'', ``covered 
        entity'', and ``health care provider'' shall have the meaning 
        given such terms in section 160.103 of title 45, Code of 
        Federal Regulations, as contained in the December 2000 medical 
        privacy rule.
            (2) Disclosure; individual, protected health information; 
        treatment; use.--The terms ``disclosure'', ``individual'', 
        ``protected health information'', ``treatment'', and ``use'' 
        shall have the meaning given such terms in section 164.501 of 
        title 45, Code of Federal Regulations, as contained in the 
        December 2000 medical privacy rule.
    (c) Effective Date; No Regulations Required.--This Act shall take 
effect on the date of the enactment of this Act and does not require 
the issuance of regulations.
                                 <all>