[Congressional Bills 109th Congress]
[From the U.S. Government Publishing Office]
[S. 3454 Introduced in Senate (IS)]








109th CONGRESS
  2d Session
                                S. 3454

 To amend the Internal Revenue Code of 1986 to improve the exchange of 
healthcare information through the use of technology, to encourage the 
  creation, use and maintenance of lifetime electronic health records 
     that may contain health plan and debit card functionality in 
    independent health record banks, to use such records to build a 
nationwide health information technology infrastructure, and to promote 
 participation in health information exchange by consumers through tax 
                   incentives and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                              June 6, 2006

  Mr. Brownback (for himself and Mr. Talent) introduced the following 
  bill; which was read twice and referred to the Committee on Finance

_______________________________________________________________________

                                 A BILL


 
 To amend the Internal Revenue Code of 1986 to improve the exchange of 
healthcare information through the use of technology, to encourage the 
  creation, use and maintenance of lifetime electronic health records 
     that may contain health plan and debit card functionality in 
    independent health record banks, to use such records to build a 
nationwide health information technology infrastructure, and to promote 
 participation in health information exchange by consumers through tax 
                   incentives and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Independent Health Record Bank Act 
of 2006''.

SEC. 2. PURPOSES.

    It is the purpose of this Act to provide for the establishment of a 
nationwide health information technology network to--
            (1) improve healthcare quality, reduce medical errors, 
        increase the efficiency of care, and advance the delivery of 
        appropriate, evidence-based healthcare services;
            (2) promotes the wellness, disease prevention, and 
        management of chronic illnesses by increasing the availability 
        and transparency of information related to the healthcare needs 
        of an individual;
            (3) ensure that appropriate information necessary to make 
        medical decisions is available in a usable form at the time and 
        in the location that the medical service involved is provided;
            (4) produces greater value for healthcare expenditures by 
        reducing healthcare costs that result from inefficiency, 
        medical errors, inappropriate care, and incomplete information;
            (5) promotes a more effective marketplace, greater 
        competition, greater systems analysis, increased choice, 
        enhanced quality, and improved outcomes in healthcare services;
            (6) improve the coordination of information and the 
        provision of such services through an effective infrastructure 
        for the secure and authorized exchange and use of healthcare 
        information; and
            (7) ensure that the confidentiality of individually 
        identifiable health information of a patient is secure and 
        protected.

SEC. 3. DEFINITIONS.

    In this Act:
            (1) Account.--The term ``account'' means an electronic 
        health record of an individual contained in an independent 
        health record bank.
            (2) Electronic health record.--The term ``electronic health 
        record'' means a longitudinal collection of personal health 
        information concerning a single individual, entered or accepted 
        by healthcare providers, and stored electronically.
            (3) Healthcare entity.--The term ``healthcare entity'' 
        includes healthcare consumers, providers, and payers, 
        government agencies, pharmaceutical companies, laboratories, 
        and research institutes.
            (4) HIPAA.--The term ``HIPAA'' means the regulations under 
        section 264(c) of the Health Insurance Portability and 
        Accountability Act of 1996 (42 U.S.C. 1320d-2 note).
            (5) Individually identifiable health information.--The term 
        ``individually identifiable health information'' has the 
        meaning given such term in section 1171(6) of the Social 
        Security Act (42 U.S.C. 1320d(6)).
            (6) Nonidentifiable health information.--The term 
        ``nonidentifiable health information'' means any list, 
        description or other grouping of consumer information 
        (including publicly available information pertaining to them) 
        that is derived without using personally identifiable 
        information that is not publicly available.
            (7) Partially identifiable health information.--The term 
        ``partially identifiable health information'' means any list, 
        description, or other grouping of consumer information (and 
        publicly available information pertaining to them) derived 
        using any personally identifiable information that is not 
        publicly available.
            (8) Protected health information.--The term ``protected 
        health information'' shall have the meaning given such term for 
        purposes of HIPAA.
            (9) Secretary.--The term ``Secretary'' means the Secretary 
        of Commerce.

SEC. 4. INDEPENDENT HEALTH RECORD BANKS.

    (a) Purpose.--It is the purpose of this section to provide for the 
establishment of independent health record banks to achieve a savings 
of money and lives in the healthcare system through--
            (1) the creation and storage of lifetime individual 
        electronic health records for individuals that may contain 
        health plan and debit card functionality and that serves the 
        interests of all healthcare entities;
            (2) the utilization of technological infrastructure with 
        the goal of connecting health records to build a national 
        health information network;
            (3) the provision of health information data sets, within 
        distinct authorization boundaries, based on usage needs, 
        including--
                    (A) the sale of approved data for research and 
                other consumer purposes as provided for under section 
                6(b);
                    (B) the provision of data for emergency healthcare 
                as provided for under section 6(c); and
                    (C) the provision of data for all other healthcare 
                needs determined appropriate by the Secretary (in 
                accordance with the protections provided for under 
                section 6);
            (4) the offering of incentives to employers that face 
        rising employee health costs, to encourage employee 
        participation in independent health record banks; and
            (5) the creation of a source of tax-free income to support 
        the operations of the independent health record banks, and, 
        through revenue sharing, to provide incentives to independent 
        health record bank account holders, healthcare providers, and 
        fee payers to contribute health information.
    (b) Establishment.--
            (1) In general.--Not later than 1 year after the date of 
        enactment of this Act, the Secretary shall prescribe standards 
        for the establishment and certification of independent health 
        record banks to carry out the purposes described in subsection 
        (a).
            (2) Requirement of non-profit entity.--The standards under 
        paragraph (1) shall permit a non-profit entity to establish an 
        independent health record bank as a cooperative entity that 
        operates for the benefit and in the interests of the membership 
        of the bank as a whole. Such bank shall be owned and controlled 
        by its members.
            (3) For-profit entities.--A for-profit entity may not 
        participate in the establishment and operation of an 
        independent health record bank, except to the extent that such 
        entity is by contract employed to assist in carrying out the 
        operations of the bank.
            (4) Treatment as covered entity for purposes of hipaa.--To 
        the extent that an independent health record bank (or 
        associated vendor) is engaged in transmitting protected health 
        information, the bank shall be considered to be a covered 
        entity for purposes of HIPAA with respect to such information.
    (c) Membership.--
            (1) In general.--To be eligible to be a member of an 
        independent health record bank, an individual shall obtain or 
        have obtained a product or service from a covered entity that 
        is to be used primarily for personal, family, or household 
        purposes, or that individual's legal representative.
            (2) No limitation on membership.--Nothing in this 
        subsection shall be construed to permit an independent health 
        record bank to restrict membership.
    (d) Rights Relating to Information in the Bank.--
            (1) Individual consumers.--
                    (A) General right.--An individual who has a health 
                record contained in an independent health record bank 
                shall maintain ownership over the entire health record 
                and shall have the right to review the contents of the 
                record in its entirety at any time during the normal 
                business operating hours of the bank.
                    (B) Additional information and limitation.--An 
                individual described in subparagraph (A) may add 
                personal health information to the health record of 
                that individual, except that such individual shall not 
                alter or falsify information that is entered into the 
                health record by another healthcare entity. Such an 
                individual shall have the right to propose an amendment 
                to such information pursuant to standards prescribed by 
                the Secretary relating to the correction of information 
                contained in a health record.
            (2) Other healthcare entities.--A healthcare entity (other 
        than an individual) shall serve as the custodian of only that 
        information that has been added by such entity to the health 
        record of an individual that is maintained by an independent 
        health record bank. Such entity may be permitted to have access 
        to other specified information contained in such health record 
        (including the entire record if appropriate) if such access is 
        granted by the independent health record bank and the 
        individual involved (pursuant to standards prescribed by the 
        Secretary relating to access to information).
    (e) Financing of Activities.--
            (1) In general.--An independent health record bank may 
        generate revenue to pay for the operations of the bank 
        through--
                    (A) charging healthcare entities, including 
                individual account holders, account fees for use of the 
                bank;
                    (B) the sale of nonidentifiable and partially 
                identifiable health information contained in the bank 
                for research purposes (as provided for in section 
                6(b)); and
                    (C) the conduct of any other activities determined 
                appropriate by the Secretary.
            (2) Sharing of revenue.--Revenue derived under paragraph 
        (1)(B) shall be shared with independent health record bank 
        account holders, and may be shared with healthcare providers 
        and payers, in accordance with this Act.
            (3) Treatment of income.--For purposes of the Internal 
        Revenue Code of 1986, any revenue described in this subsection 
        shall not be included in gross income of any independent health 
        record bank, independent health record bank account holder, 
        healthcare provider, or payer described in this subsection.

SEC. 5. HEALTHCARE CLEARINGHOUSE ACTIVITIES.

    (a) Application of Section.--This section shall apply to an 
independent health record bank (and associated vendors) with respect to 
activities undertaken by such bank in operating as a health care 
clearinghouse (as such term is defined in section 1171(2) of the Social 
Security Act (42 U.S.C. 1329d(2)).
    (b) Accreditation.--
            (1) In general.--To be eligible to carry out clearinghouse 
        activities under this section, an independent health record 
        bank (and associated vendors performing clearinghouse 
        functions) shall be accredited by a national standards 
        development organization, utilizing the criteria described in 
        paragraph (2), that is properly authenticated and registered 
        with the Attorney General and the Federal Trade Commission 
        pursuant to the provisions of the National Cooperation Research 
        and Production Act of 1993 (15 U.S.C. 4301 et seq.).
            (2) Criteria.--The criteria to be used by a national 
        standards development organization in the accreditation of an 
        independent health record bank under this section shall be 
        designed to measure the competency, assets, practices, and 
        procedures of the bank for purposes of conducting clearinghouse 
        activities. Such criteria shall include--
                    (A) the technical capacity and electronic 
                facilities of the bank for the receipt, transmission, 
                and handling of electronic health information 
                transactions;
                    (B) the ability of the bank to process transactions 
                to which HIPAA applies;
                    (C) the backup and disaster recovery plans and 
                capacity of the bank;
                    (D) the privacy practices, procedures, and employee 
                training programs of the bank consistent with HIPAA; 
                and
                    (E) the security practices, procedures, and 
                employee training programs of the bank consistent with 
                HIPAA, including compliance with the HIPAA security 
                rule that protected health information must only be 
                viewable by the intended recipient.
            (3) Existing clearinghouses.--An independent health record 
        bank operated by an entity that has been certified under part C 
        of title XI of the Social Security Act (42 U.S.C. 1320d et 
        seq.) as a health care clearinghouse prior to the date of 
        enactment of this Act shall be considered to be accredited for 
        purposes of paragraph (1).
    (c) Information Requirement.--An independent health record bank 
acting as a health care clearinghouse under this section shall ensure 
that reporting services are provided to individual consumers in a 
manner that includes the provision of lists of individuals or 
organizations that have accessed the health record account of the 
consumer or to whom health information disclosures concerning the 
consumer have been made in accordance with the requirements of HIPAA.

SEC. 6. AVAILABILITY AND USE OF HEALTHCARE INFORMATION IN BANK.

    (a) General Rule.--Except as provided in this section, access to 
specified sections of, or an entire, electronic health record 
maintained by an independent health record bank concerning an 
individual shall only be provided with the prior authorization of the 
individual involved, as authenticated as provided for under the 
standards prescribed by the Secretary under section 8.
    (b) Availability of Data for Research and Other Activities.--An 
independent health record bank may sell nonidentifiable and partially 
identifiable health information concerning and individual only if--
            (1) the bank and the individual involved agree to the sale;
            (2) the agreement provided for under paragraph (1) includes 
        parameters with respect to the disclosure of information 
        involved and a process for the authorization of the further 
        disclosure of partially identifiable health information;
            (3) the data involved is to be used for research or other 
        activities only as provided for in the agreement under 
        paragraph (1);
            (4) the data involved does not identify the individual who 
        is the subject of the data;
            (5) the revenue to be derived from the sale of the data is 
        collected by the bank and equally divided between the bank and 
        the individual involved, except that revenue may also be 
        distributed to healthcare providers and payers as incentives to 
        contribute additional data to the bank; and
            (6) the transaction otherwise meets the requirements and 
        standards prescribed by the Secretary.
    (c) Availability of Data for Emergency Healthcare.--
            (1) Findings.--Congress finds that--
                    (A) given the size and nature of visits to 
                emergency departments in the United States, readily 
                available health data could make the difference between 
                life and death; and
                    (B) due to the case mix and volume of patients 
                treated, emergency departments are well positioned to 
                provide data for public health surveillance, community 
                risk assessment, research, education, training, quality 
                improvement, and other uses.
            (2) Use of data.--An independent health record bank may 
        permit healthcare providers to access, during an emergency 
        department visit, a limited, authenticated data set concerning 
        an individual for emergency response purposes without the prior 
        consent of the individual. Such limited data may include--
                    (A) patient identification data, as determined 
                appropriate by the individual involved;
                    (B) provider identification that includes the use 
                of a unique provider identifiers as provided for in 
                section 1173 of the Social Security Act (42 U.S.C. 
                1320d-2);
                    (C) payment data;
                    (D) arrival and first assessment data;
                    (E) data related to the individual's vitals, 
                allergies, and medication history;
                    (F) data related to existing chronic problems and 
                active clinical conditions of the individual; and
                    (G) data concerning physical examinations, 
                procedures, results, and diagnosis data relating to the 
                visit.
    (d) Effect on HIPAA.--Nothing in this Act shall be construed to 
affect the scope, substance, or applicability of the part C of title XI 
of the Social Security Act (42 U.S.C. 1320d et seq.) or HIPAA as such 
relates to individually identifiable health information maintained in 
an independent health record bank.

SEC. 7. APPLICATION OF FEDERAL AND STATE SECURITY AND CONFIDENTIALITY 
              STANDARDS.

    (a) In General.--Existing Federal security and confidentiality 
standards and State security and confidentiality laws shall apply to 
this Act (and the amendments made by this Act) until such time as 
Congress acts to amend such standards.
    (b) Provision of Information and Informational Provision.--
            (1) Designation of agency.--Each State with an independent 
        health records bank operating in the State shall designate a 
        State agency to be responsible for addressing complaints by 
        residents of the State with respect to health records contained 
        in the bank.
            (2) Provision of information.--An independent health record 
        bank operating in a State shall provide the State authority 
        designated under paragraph (1) with an informational filing 
        that describes the policies of the bank, the types of 
        information sold by the bank, and other relevant information 
        determined appropriate by such authority.
            (3) Information.--An individual who has a health record 
        maintained by an independent health record bank shall direct 
        any concerns, problems, or questions related to such record 
        directly to the appropriate State authority.
    (c) Definitions.--For purposes of this section:
            (1) State security and confidentiality laws.--The term 
        ``State security and confidentiality laws'' means State laws 
        and regulations relating to the privacy and confidentiality of 
        individually identifiable health information or to the security 
        of such information.
            (2) Current federal security and confidentiality 
        standards.--The term ``current Federal security and 
        confidentiality standards'' means the Federal privacy standards 
        established pursuant to section 264(c) of the Health Insurance 
        Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2 
        note) and security standards established under section 1173(d) 
        of the Social Security Act.
            (3) State.--The term ``State'' has the meaning given such 
        term when used in title XI of the Social Security Act, as 
        provided under section 1101(a) of such Act (42 U.S.C. 1301(a)).

SEC. 8. REGULATORY OVERSIGHT.

    (a) In General.--In carrying out this Act, the Secretary, acting 
through the Under Secretary for Technology or other appropriate 
official, shall--
            (1) develop a program to certify entities to operate 
        independent health record banks;
            (2) provide assistance to encourage the growth of 
        independent health record banks;
            (3) track economic progress as it pertains to independent 
        health records bank operators and individuals receiving non-
        taxable income with respect to accounts;
            (4) conduct public education activities regarding the 
        creation and usage of the independent health records banks;
            (5) establish an interagency council under subsection (b) 
        to develop standards for Federal security auditing for entities 
        operating independent health record banks; and
            (6) carry out any other activities determined appropriate 
        by the Secretary.
    (b) Interagency Council for Security Auditing.--
            (1) In general.--The Secretary, in consultation with the 
        Secretary of Health and Human Services and other appropriate 
        Federal officials, shall establish an interagency council to 
        develop standards for Federal security auditing as it relates 
        to data security, authentication, and authorization 
        recommendations, and reviews of independent health record 
        banks.
            (2) Duties.--The interagency council established under 
        paragraph (1) shall take into consideration the following 
        factors when developing recommendations for security, 
        authentication, and authorization of data in independent health 
        record banks:
                    (A) The number and type of factors used for the 
                exchange of protected health information.
                    (B) Requiring that individuals, who have health 
                records that are maintained by the bank, be notified of 
                a security breech with respect to such records, and any 
                corrective action taken on behalf of the individual.
                    (C) Requiring that information sent to, or received 
                from, an independent health record bank that has been 
                designated as high-risk should be authenticated through 
                the use of methods such as the periodic changing of 
                passwords, the use of biometrics, the use of tokens or 
                other technology as determined appropriate by the 
                council.
                    (D) Recommendations for entities operating 
                independent health record banks, including requiring 
                analysis of the potential risk of health transaction 
                security breeches based on set criteria.
                    (E) The conduct of audits of independent health 
                record banks to ensure that they are in compliance with 
                the requirements and standards established under this 
                Act.
            (3) Compliance report.--The interagency council established 
        under this subsection shall annually submit to the Secretary a 
        report on compliance by independent health record banks with 
        the requirements and standard under this Act. Such report shall 
        be included in the report required under subsection (d).
    (c) Interagency Memorandum of Understanding.--The Secretary and the 
Secretary of Health and Human Services, and other Federal officials 
that may be impacted by this Act, shall ensure, through the execution 
of an interagency memorandum of understanding among such Secretaries, 
that--
            (1) regulations, rulings, and interpretations issued by 
        such Secretaries or officials relating to the same matter over 
        which 2 or more such Secretaries or officials have 
        responsibility under this Act are administered so as to have 
        the same effect at all times; and
            (2) coordination of policies relating to enforcing the same 
        requirements through such Secretaries or officials in order to 
        have coordinated enforcement strategy that avoids duplication 
        of enforcement efforts and assigns priorities in enforcement.
    (d) Annual Report.--Not later than 1 year after the date of 
enactment of this Act, and annually thereafter, the Secretary, acting 
through the Under Secretary for Technology, shall submit to Committee 
on Health, Education, Labor, and Pensions and the Committee on Finance 
of the Senate and the Committee on Energy and Commerce and the 
Committee on Ways and Means of the House of Representatives, a report 
that--
            (1) describes individual owner or institution operator 
        economic progress as achieved through independent health record 
        bank usage and existing barriers to such usage;
            (2) describes progress in security auditing as provided for 
        by the interagency security council under subsection (b); and
            (3) contains information on the other core responsibilities 
        of the Secretary as described in subsection (a).

SEC. 9. PENALTIES FOR FRAUD AND ABUSE.

    The penalties provided for in section 1177(b) of the Social 
Security Act (42 U.S.C. 1320d-6) shall apply to the wrongful disclosure 
of information collected, maintained, or made available by an 
independent health record bank under this Act, including disclosures by 
any employees or associates of any such bank or other healthcare entity 
using or disclosing such information.

SEC. 10. TAX CREDIT FOR EMPLOYER-PROVIDED EMPLOYEE INDEPENDENT HEALTH 
              RECORD BANK ACCOUNT FEES.

    (a) Allowance of Credit.--Subpart D of part IV of subchapter A of 
chapter 1 of the Internal Revenue Code of 1986 (relating to business 
related credits) is amended by adding at the end the following new 
section:

``SEC. 45N. EMPLOYER-PROVIDED EMPLOYEE INDEPENDENT HEALTH RECORD BANK 
              ACCOUNT FEES.

    ``(a) Determination of Amount.--For purposes of section 38, the 
independent health record bank account investment credit determined 
under this section with respect to any taxpayer for any taxable year is 
an amount equal to the independent health record bank account 
investment provided by such taxpayer during the taxable year.
    ``(b) Independent Health Record Bank Account Investment.--For 
purposes of this section, the term `independent health record bank 
account investment' means, with respect to each employee of the 
taxpayer for any taxable year, an amount equal to the lesser of--
            ``(1) 50 percent of the cost for such employee to maintain 
        an independent health record bank account paid by the taxpayer 
        during the taxable year, or
            ``(2) $50.
    ``(c) Independent Health Record Bank Account.--For purposes of this 
section, the term `independent health record bank account' has the 
meaning given to the term `account' under section 3(1) of the 
Independent Health Record Bank Act of 2006.
    ``(d) Special Rules.--No deduction or credit (other than under this 
section) shall be allowed under this chapter with respect to any 
expense which is taken into account under subsection (a) in determining 
the credit under this section.
    ``(e) Reports.--
            ``(1) In general.--Each taxpayer shall make such reports to 
        the Secretary and to employees of the taxpayer regarding--
                    ``(A) independent health record bank account 
                investments made with respect to such employee during 
                any calendar year, and
                    ``(B) such other information as the Secretary may 
                require.
            ``(2) Time for making reports.--The reports required by 
        this subsection--
                    ``(A) shall be filed at such time and in such 
                manner as the Secretary prescribes, and
                    ``(B) shall be furnished to employees--
                            ``(i) not later than January 31 of the 
                        calendar year following the calendar year to 
                        which such reports relate, and
                            ``(ii) in such manner as the Secretary 
                        prescribes.
    ``(f) Regulations.--The Secretary may prescribe such regulations as 
may be necessary or appropriate to carry out this section.
    ``(g) Application of Section.--This section shall apply with 
respect to any independent health record bank account investments made 
by the taxpayer for the 5-taxable year period beginning with the first 
taxable year during which such investments are made by the taxpayer.''.
    (b) Credit Treated as Business Credit.--Section 38(b) of the 
Internal Revenue Code of 1986 (relating to current year business 
credit) is amended by striking ``and'' at the end of paragraph (29), by 
striking the period at the end of paragraph (30) and inserting ``, 
plus'', and by adding at the end the following new paragraph:
            ``(31) the independent health record bank account 
        investment credit determined under section 45N(a).''.
    (c) Conforming Amendment.--The table of sections for subpart C of 
part IV of subchapter A of chapter 1 of the Internal Revenue Code of 
1986 is amended by adding at the end the following new item:

``Sec. 45N. Employer-provided employee independent health record bank 
                            account fees.''.
    (d) Effective Date.--The amendments made by this section shall 
apply to taxable years beginning after the date of the enactment of 
this Act.
    (e) Additional Incentive for Consumers Participating in IHRB.--
Revenue generated by an independent health record bank and received by 
an account holder, healthcare entity, or healthcare payer shall not be 
considered taxable income under the Internal Revenue Code of 1986.
                                 <all>