

	

II

109th CONGRESS
1st Session

S. 810

IN THE SENATE OF THE UNITED STATES

April 14, 2005

Mrs. Clinton introduced the following bill; which was read twice and referred to the Committee on the Judiciary

A BILL

To regulate the transmission of personally identifiable information to foreign affiliates and subcontractors

1. Short title

This Act may be cited as the "Safeguarding Americans From Exporting Identification Data Act" or the "SAFE-ID Act".

2. Definitions

As used in this Act:

(1) Business enterprise. The term "business enterprise" means—
    (A) any organization, association, or venture established to make a profit;
    (B) any health care business;
    (C) any private, nonprofit organization; or
    (D) any contractor, subcontractor, or potential subcontractor of an entity described in subparagraph (A), (B), or (C).

(2) Health care business. The term "health care business" means any business enterprise or private, nonprofit organization that collects or retains personally identifiable information about consumers in relation to medical care, including—
    (A) hospitals;
    (B) health maintenance organizations;
    (C) medical partnerships;
    (D) emergency medical transportation companies;
    (E) medical transcription companies;
    (F) banks that collect or process medical billing information; and
    (G) subcontractors, or potential subcontractors, of the entities described in subparagraphs (A) through (F).

(3) Personally identifiable information. The term "personally identifiable information" includes information such as—
    (A) name;
    (B) postal address;
    (C) financial information;
    (D) medical records;
    (E) date of birth;
    (F) phone number;
    (G) e-mail address;
    (H) social security number;
    (I) mother's maiden name;
    (J) password;
    (K) state identification information; and
    (L) driver's license number.

3. Transmission of information

(a) Prohibition. A business enterprise may not disclose personally identifiable information regarding a resident of the United States to any foreign branch, affiliate, subcontractor, or unaffiliated third party located in a foreign country unless—
    (1) the business enterprise provides the notice of privacy protections described in sections 502 and 503 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802 and 6803) or required by the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note), as appropriate;
    (2) the business enterprise complies with the safeguards described in section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)), as appropriate;
    (3) the consumer is given the opportunity, before the time that such information is initially disclosed, to object to the disclosure of such information to such foreign branch, affiliate, subcontractor, or unaffiliated third party; and
    (4) the consumer is given an explanation of how the consumer can exercise the nondisclosure option described in paragraph (3).

(b) Health care businesses. A health care business may not terminate an existing relationship with a consumer of health care services to avoid the consumer from objecting to the disclosure under subsection (a)(3).

(c) Effect on business relationship.
    (1) Nondiscrimination. A business enterprise may not discriminate against or deny an otherwise qualified consumer a financial product or a health care service because the consumer has objected to the disclosure under subsection (a)(3).
    (2) Products and services. A business enterprise shall not be required to offer or provide a product or service through affiliated entities or jointly with nonaffiliated business enterprises.
    (3) Incentives and discounts. Nothing in this subsection is intended to prohibit a business enterprise from offering incentives or discounts to elicit a specific response to the notice required under subsection (a).

(d) Liability.
    (1) In general. A business enterprise that knowingly and directly transfers personally identifiable information to a foreign branch, affiliate, subcontractor, or unaffiliated third party shall be liable to any person suffering damages resulting from the improper storage, duplication, sharing, or other misuse of such information by the transferee.
    (2) Civil action. An injured party under paragraph (1) may sue in law or in equity in any court of competent jurisdiction to recover the damages sustained as a result of a violation of this section.

(e) Rulemaking. The Chairman of the Federal Trade Commission shall promulgate regulations through which the Chairman may enforce the provisions of this section and impose a civil penalty for a violation of this section.

4. Privacy for consumers of health services

The Secretary of Health and Human Services shall revise the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note) to require a covered entity (as defined by such regulations) that outsources protected health information (as defined by such regulations) outside the United States to include in such entity's notice of privacy protections—
    (1) notification that the covered entity outsources protected health information to business associates (as defined by such regulations) for processing outside the United States;
    (2) a description of the privacy laws of the country to which the protected health information will be sent;
    (3) any additional risks and consequences to the privacy and security of protected health information that arise as a result of the processing of such information in a foreign country;
    (4) additional measures the covered entity is taking to protect the protected health information outsourced for processing outside the United States;
    (5) notification that the protected health information will not be outsourced outside the United States if the consumer objects; and
    (6) a certification that—
        (A) the covered entity has taken reasonable steps to identify the locations where protected health information is outsourced by such business associates;
        (B) attests to the privacy and security of the protected health information outsourced for processing outside the United States; and
        (C) states the reasons for the determination by the covered entity that the privacy and security of such information is maintained.

5. Privacy for consumers of financial services

Section 503(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6803(b)) is amended—
    (1) in paragraph (3), by striking "and" after the semicolon;
    (2) in paragraph (4), by striking the period at the end and inserting "; and"; and
    (3) by adding at the end the following:

    "(5) if the financial institution outsources nonpublic personal information outside the United States—
        (A) information informing the consumer in simple language—
            (i) that the financial institution outsources nonpublic personal information to entities for processing outside the United States;
            (ii) of the privacy laws of the country to which nonpublic personal information will be sent;
            (iii) of any additional risks and consequences to the privacy and security of an individual's nonpublic personal information that arise as a result of the processing of such information in a foreign country; and
            (iv) of the additional measures the financial institution is taking to protect the nonpublic personal information outsourced for processing outside the United States; and
        (B) a certification that—
            (i) the financial institution has taken reasonable steps to identify the locations where nonpublic personal information is outsourced by such entities;
            (ii) attests to the privacy and security of the nonpublic personal information outsourced for processing outside the United States; and
            (iii) states the reasons for the determination by the institution that the privacy and security of such information is maintained.".

6. Effective date

This Act shall take effect on the expiration of the date which is 90 days after the date of enactment of this Act.

		

