[Congressional Bills 110th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2991 Introduced in House (IH)]

110th CONGRESS
  1st Session
                                H. R. 2991

To improve the availability of health information and the provision of 
   health care by encouraging the creation, use, and maintenance of 
lifetime electronic health records of individuals in independent health 
record trusts and by providing a secure and privacy-protected framework 
   in which such records are made available only by the affirmative 
 consent of such individuals and are used to build a nationwide health 
                 information technology infrastructure.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             July 11, 2007

 Mr. Moore of Kansas (for himself, Mr. Ryan of Wisconsin, Mr. Barrow, 
   Mrs. Blackburn, Mr. Boustany, Mr. Boyd of Florida, Mrs. Boyda of 
 Kansas, Mr. Clay, Mr. Cleaver, Mr. Cooper, Mr. Crowley, Mr. Davis of 
Alabama, Mr. Lincoln Davis of Tennessee, Mr. Delahunt, Mr. Dicks, Mrs. 
 Emerson, Mr. Etheridge, Mr. Graves, Mr. Heller of Nevada, Mr. Herger, 
   Mr. Hill, Mr. Holden, Mr. Holt, Mrs. Jones of Ohio, Mr. Larson of 
  Connecticut, Mrs. McCarthy of New York, Mr. Mitchell, Mr. Moran of 
   Kansas, Mr. Putnam, Mrs. McMorris Rodgers, Mr. Sensenbrenner, Mr. 
 Sessions, Mr. Smith of Washington, Mrs. Tauscher, Mr. Tiahrt, and Mr. 
    Baird) introduced the following bill; which was referred to the 
 Committee on Energy and Commerce, and in addition to the Committee on 
   Ways and Means, for a period to be subsequently determined by the 
  Speaker, in each case for consideration of such provisions as fall 
           within the jurisdiction of the committee concerned

_______________________________________________________________________

                                 A BILL


 
To improve the availability of health information and the provision of 
   health care by encouraging the creation, use, and maintenance of 
lifetime electronic health records of individuals in independent health 
record trusts and by providing a secure and privacy-protected framework 
   in which such records are made available only by the affirmative 
 consent of such individuals and are used to build a nationwide health 
                 information technology infrastructure.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Independent Health 
Record Trust Act of 2007''.
    (b) Table of Contents.--The table of contents of this Act is as 
follows:

Sec. 1. Short title; table of contents.
Sec. 2. Purpose.
Sec. 3. Definitions.
Sec. 4. Establishment, certification, and membership of independent 
                            health record trusts.
Sec. 5. Duties of IHRT to IHRT participants.
Sec. 6. Availability and use of information from records in IHRT 
                            consistent with privacy protections and 
                            agreements.
Sec. 7. Voluntary nature of trust participation and information 
                            sharing.
Sec. 8. Financing of activities.
Sec. 9. Regulatory oversight.

SEC. 2. PURPOSE.

    It is the purpose of this Act to provide for the establishment of a 
nationwide health information technology network that--
            (1) improves health care quality, reduces medical errors, 
        increases the efficiency of care, and advances the delivery of 
        appropriate, evidence-based health care services;
            (2) promotes wellness, disease prevention, and the 
        management of chronic illnesses by increasing the availability 
        and transparency of information related to the health care 
        needs of an individual;
            (3) ensures that appropriate information necessary to make 
        medical decisions is available in a usable form at the time and 
        in the location that the medical service involved is provided;
            (4) produces greater value for health care expenditures by 
        reducing health care costs that result from inefficiency, 
        medical errors, inappropriate care, and incomplete information;
            (5) promotes a more effective marketplace, greater 
        competition, greater systems analysis, increased choice, 
        enhanced quality, and improved outcomes in health care 
        services;
            (6) improves the coordination of information and the 
        provision of such services through an effective infrastructure 
        for the secure and authorized exchange and use of health 
        information; and
            (7) ensures that the health information privacy, security, 
        and confidentiality of individually identifiable health 
        information is protected.

SEC. 3. DEFINITIONS.

    In this Act:
            (1) Access.--The term ``access'' means, with respect to an 
        electronic health record, entering information into such 
        account as well as retrieving information from such account.
            (2) Account.--The term ``account'' means an electronic 
        health record of an individual contained in an independent 
        health record trust.
            (3) Affirmative consent.--The term ``affirmative consent'' 
        means, with respect to an electronic health record of an 
        individual contained in an IHRT, express consent given by the 
        individual for the use of such record in response to a clear 
        and conspicuous request for such consent or at the individual's 
        own initiative.
            (4) Authorized ehr data user.--The term ``authorized EHR 
        data user'' means, with respect to an electronic health record 
        of an IHRT participant contained as part of an IHRT, any entity 
        (other than the participant) authorized (in the form of 
        affirmative consent) by the participant to access the 
        electronic health record.
            (5) Confidentiality.--The term ``confidentiality'' means, 
        with respect to individually identifiable health information of 
        an individual, the obligation of those who receive such 
        information to respect the health information privacy of the 
        individual.
            (6) Electronic health record.--The term ``electronic health 
        record'' means a longitudinal collection of information 
        concerning a single individual, including medical records and 
        personal health information, that is stored electronically.
            (7) Health information privacy.--The term ``health 
        information privacy'' means, with respect to individually 
        identifiable health information of an individual, the right of 
        such individual to control the acquisition, uses, or 
        disclosures of such information.
            (8) Health plan.--The term ``health plan'' means a group 
        health plan (as defined in section 2208(1) of the Public Health 
        Service Act (42 U.S.C. 300bb-8(1))) as well as a plan that 
        offers health insurance coverage in the individual market.
            (9) HIPAA privacy regulations.--The term ``HIPAA privacy 
        regulations'' means the regulations promulgated under section 
        264(c) of the Health Insurance Portability and Accountability 
        Act of 1996 (42 U.S.C. 1320d-2 note).
            (10) Independent health record trust; ihrt.--The terms 
        ``independent health record trust'' and ``IHRT'' mean a legal 
        arrangement under the administration of an IHRT operator that 
        meets the requirements of this Act with respect to electronic 
        health records of individuals participating in the trust or 
        IHRT.
            (11) IHRT operator.--The term ``IHRT operator'' means, with 
        respect to an IHRT, the organization that is responsible for 
        the administration and operation of the IHRT in accordance with 
        this Act.
            (12) IHRT participant.--The term ``IHRT participant'' 
        means, with respect to an IHRT, an individual who has a 
        participation agreement in effect with respect to the 
        maintenance of the individual's electronic health record by the 
        IHRT.
            (13) Individually identifiable health information.--The 
        term ``individually identifiable health information'' has the 
        meaning given such term in section 1171(6) of the Social 
        Security Act (42 U.S.C. 1320d(6)).
            (14) Security.--The term ``security'' means, with respect 
        to individually identifiable health information of an 
        individual, the physical, technological, or administrative 
        safeguards or tools used to protect such information from 
        unwarranted access or disclosure.

SEC. 4. ESTABLISHMENT, CERTIFICATION, AND MEMBERSHIP OF INDEPENDENT 
              HEALTH RECORD TRUSTS.

    (a) Establishment.--Not later than one year after the date of the 
enactment of this Act, the Federal Trade Commission, in consultation 
with the National Committee on Vital and Health Statistics, shall 
prescribe standards for the establishment, certification, operation, 
and interoperability of IHRTs to carry out the purposes described in 
section 2 in accordance with the provisions of this Act.
    (b) Certification.--
            (1) Certification by ftc.--The Federal Trade Commission 
        shall provide for the certification of IHRTs. No IHRT may be 
        certified unless the IHRT is determined to meet the standards 
        for certification established under subsection (a).
            (2) Decertification.--The Federal Trade Commission shall 
        establish a process for the revocation of certification of an 
        IHRT under this section in the case that the IHRT violates the 
        standards established under subsection (a).
    (c) Membership.--
            (1) In general.--To be eligible to be a participant in an 
        IHRT, an individual shall--
                    (A) submit to the IHRT information as required by 
                the IHRT to establish an electronic health record with 
                the IHRT; and
                    (B) enter into a privacy protection agreement 
                described in section 6(b)(1) with the IHRT.
        The process to determine eligibility of an individual under 
        this subsection shall allow for the establishment by such 
        individual of an electronic health record as expeditiously as 
        possible if such individual is determined so eligible.
            (2) No limitation on membership.--Nothing in this 
        subsection shall be construed to permit an IHRT to restrict 
        membership, including on the basis of health condition.

SEC. 5. DUTIES OF IHRT TO IHRT PARTICIPANTS.

    (a) Fiduciary Duty of IHRT; Penalties for Violations of Fiduciary 
Duty.--
            (1) Fiduciary duty.--With respect to the electronic health 
        record of an IHRT participant maintained by an IHRT, the IHRT 
        shall have a fiduciary duty to act for the benefit and in the 
        interests of such participant and of the IHRT as a whole. Such 
        duty shall include obtaining the affirmative consent of such 
        participant prior to the release of information in such 
        participant's electronic health record in accordance with the 
        requirements of this Act.
            (2) Penalties.--If the IHRT knowingly or recklessly 
        breaches the fiduciary duty described in paragraph (1), the 
        IHRT shall be subject to the following penalties:
                    (A) Loss of certification of the IHRT.
                    (B) A fine that is not in excess of $50,000.
                    (C) A term of imprisonment for the individuals 
                involved of not more than 5 years.
    (b) Electronic Health Record Deemed To Be Held in Trust by IHRT.--
With respect to an individual, an electronic health record maintained 
by an IHRT shall be deemed to be held in trust by the IHRT for the 
benefit of the individual and the IHRT shall have no legal or equitable 
interest in such electronic health record.

SEC. 6. AVAILABILITY AND USE OF INFORMATION FROM RECORDS IN IHRT 
              CONSISTENT WITH PRIVACY PROTECTIONS AND AGREEMENTS.

    (a) Protected Electronic Health Records Use and Access.--
            (1) General rights regarding uses of information.--
                    (A) In general.--With respect to the electronic 
                health record of an IHRT participant maintained by an 
                IHRT, subject to paragraph (2)(C), primary uses and 
                secondary uses (described in subparagraphs (B) and (C), 
                respectively) of information within such record (other 
                than by such participant) shall be permitted only upon 
                the authorization of such use, prior to such use, by 
                such participant.
                    (B) Primary uses.--For purposes of subparagraph (A) 
                and with respect to an electronic health record of an 
                individual, a primary use is a use for purposes of the 
                individual's self-care or care by health care 
                professionals.
                    (C) Secondary uses.--For purposes of subparagraph 
                (B) and with respect to an electronic health record of 
                an individual, a secondary use is any use not described 
                in subparagraph (B) and includes a use for purposes of 
                public health research or other related activities. 
                Additional authorization is required for a secondary 
                use extending beyond the original purpose of the 
                secondary use authorized by the IHRT participant 
                involved. Nothing in this paragraph shall be construed 
                as requiring authorization for every secondary use that 
                is within the authorized original purpose.
            (2) Rules for primary use of records for health care 
        purposes.--With respect to the electronic health record of an 
        IHRT participant (or specified parts of such electronic health 
        record) maintained by an IHRT standards for access to such 
        record shall provide for the following:
                    (A) Access by ihrt participants to their electronic 
                health records.--
                            (i) Ownership.--The participant maintains 
                        ownership over the entire electronic health 
                        record (and all portions of such record) and 
                        shall have the right to electronically access 
                        and review the contents of the entire record 
                        (and any portion of such record) at any time, 
                        in accordance with this subparagraph.
                            (ii) Addition of personal information.--The 
                        participant may add personal health information 
                        to the health record of that participant, 
                        except that such participant shall not alter 
                        information that is entered into the electronic 
                        health record by any authorized EHR data user. 
                        Such participant shall have the right to 
                        propose an amendment to information that is 
                        entered by an authorized EHR data user pursuant 
                        to standards prescribed by the Federal Trade 
                        Commission for purposes of amending such 
                        information.
                            (iii) Identification of information entered 
                        by participant.--Any additions or amendments 
                        made by the participant to the health record 
                        shall be identified and disclosed within such 
                        record as being made by such participant.
                    (B) Access by entities other than ihrt 
                participant.--
                            (i) Authorized access only.--Except as 
                        provided under subparagraph (C) and paragraph 
                        (4), access to the electronic health record (or 
                        any portion of the record)--
                                    (I) may be made only by authorized 
                                EHR data users and only to such 
                                portions of the record as specified by 
                                the participant; and
                                    (II) may be limited by the 
                                participant for purposes of entering 
                                information into such record, 
                                retrieving information from such 
                                record, or both.
                            (ii) Identification of entity that enters 
                        information.--Any information that is added by 
                        an authorized EHR data user to the health 
                        record shall be identified and disclosed within 
                        such record as being made by such user.
                            (iii) Satisfaction of hipaa privacy 
                        regulations.--In the case of a record of a 
                        covered entity (as defined for purposes of 
                        HIPAA privacy regulations), with respect to an 
                        individual, if such individual is an IHRT 
                        participant with an independent health record 
                        trust and such covered entity is an authorized 
                        EHR data user, the requirement under the HIPAA 
                        privacy regulations for such entity to provide 
                        the record to the participant shall be deemed 
                        met if such entity, without charge to the IHRT 
                        or the participant--
                                    (I) forwards to the trust an 
                                appropriately formatted electronic copy 
                                of the record (and updates to such 
                                records) for inclusion in the 
                                electronic health record of the 
                                participant maintained by the trust;
                                    (II) enters such record into the 
                                electronic health record of the 
                                participant so maintained; or
                                    (III) otherwise makes such record 
                                available for electronic access by the 
                                IHRT or the individual in a manner that 
                                permits such record to be included in 
                                the account of the individual contained 
                                in the IHRT.
                            (iv) Notification of sensitive 
                        information.--Any information, with respect to 
                        the participant, that is sensitive information, 
                        as specified by the Federal Trade Commission, 
                        shall not be forwarded or entered by an 
                        authorized EHR data user into the electronic 
                        health record of the participant maintained by 
                        the trust unless the user certifies that the 
                        participant has been notified of such 
                        information.
                    (C) Deemed authorization for access for emergency 
                health care.--
                            (i) Findings.--Congress finds that--
                                    (I) given the size and nature of 
                                visits to emergency departments in the 
                                United States, readily available health 
                                information could make the difference 
                                between life and death; and
                                    (II) because of the case mix and 
                                volume of patients treated, emergency 
                                departments are well positioned to 
                                provide information for public health 
                                surveillance, community risk 
                                assessment, research, education, 
                                training, quality improvement, and 
                                other uses.
                            (ii) Use of information.--With respect to 
                        the electronic health record of an IHRT 
                        participant (or specified parts of such 
                        electronic health record) maintained by an 
                        IHRT, the participant shall be deemed as 
                        providing authorization (in the form of 
                        affirmative consent) for health care providers 
                        to access, in connection with providing 
                        emergency care services to the participant, a 
                        limited, authenticated information set 
                        concerning the participant for emergency 
                        response purposes, unless the participant 
                        specifies that such information set (or any 
                        portion of such information set) may not be so 
                        accessed. Such limited information set may 
                        include information--
                                    (I) patient identification data, as 
                                determined appropriate by the 
                                participant;
                                    (II) provider identification that 
                                includes the use of unique provider 
                                identifiers;
                                    (III) payment information;
                                    (IV) information related to the 
                                individual's vitals, allergies, and 
                                medication history;
                                    (V) information related to existing 
                                chronic problems and active clinical 
                                conditions of the participant; and
                                    (VI) information concerning 
                                physical examinations, procedures, 
                                results, and diagnosis data.
            (3) Rules for secondary uses of records for research and 
        other purposes.--
                    (A) In general.--With respect to the electronic 
                health record of an IHRT participant (or specified 
                parts of such electronic health record) maintained by 
                an IHRT, the IHRT may sell such record (or specified 
                parts of such record) only if--
                            (i) the transfer is authorized by the 
                        participant pursuant to an agreement between 
                        the participant and the IHRT and is in 
                        accordance with the privacy protection 
                        agreement described in subsection (b)(1) 
                        entered into between such participant and such 
                        IHRT;
                            (ii) such agreement includes parameters 
                        with respect to the disclosure of information 
                        involved and a process for the authorization of 
                        the further disclosure of information in such 
                        record;
                            (iii) the information involved is to be 
                        used for research or other activities only as 
                        provided for in the agreement;
                            (iv) the recipient of the information 
                        provides assurances that the information will 
                        not be further transferred or reused in 
                        violation of such agreement; and
                            (v) the transfer otherwise meets the 
                        requirements and standards prescribed by the 
                        Federal Trade Commission.
                    (B) Treatment of public health reporting.--Nothing 
                in this paragraph shall be construed as prohibiting or 
                limiting the use of health care information of an 
                individual, including an individual who is an IHRT 
                participant, for public health reporting (or other 
                research) purposes prior to the inclusion of such 
                information in an electronic health record maintained 
                by an IHRT.
            (4) Law enforcement clarification.--Nothing in this Act 
        shall prevent an IHRT from disclosing information contained in 
        an electronic health record maintained by the IHRT when 
        required for purposes of a lawful investigation or official 
        proceeding inquiring into a violation of, or failure to comply 
        with, any criminal or civil statute or any regulation, rule, or 
        order issued pursuant to such a statute.
            (5) Rule of construction.--Nothing in this section shall be 
        construed to require a health care provider that does not 
        utilize electronic methods or appropriate levels of health 
        information technology on the date of the enactment of this Act 
        to adopt such electronic methods or technology as a requirement 
        for participation or compliance under this Act.
    (b) Privacy Protection Agreement; Treatment of State Privacy and 
Security Laws.--
            (1) Privacy protection agreement.--A privacy protection 
        agreement described in this subsection is an agreement, with 
        respect to an electronic health record of an IHRT participant 
        to be maintained by an independent health record trust, between 
        the participant and the trust--
                    (A) that is consistent with the standards described 
                in subsection (a)(2);
                    (B) under which the participant specifies the 
                portions of the record that may be accessed, under what 
                circumstances such portions may be accessed, any 
                authorizations for indicated authorized EHR data users 
                to access information contained in the record, and the 
                purposes for which the information (or portions of the 
                information) in the record may be used;
                    (C) which provides a process for the authorization 
                of the transfer of information contained in the record 
                to a third party, including for the sale of such 
                information for purposes of research, by an authorized 
                EHR data user and reuse of such information by such 
                third party, including a provision requiring that such 
                transfer and reuse is not in violation of any privacy 
                or transfer restrictions placed by the participant on 
                the independent health record of such participant; and
                    (D) under which the trust provides assurances that 
                the trust will not transfer, disclose, or provide 
                access to the record (or any portion of the record) in 
                violation of the parameters established in the 
                agreement or to any person or entity who has not agreed 
                to use and transfer such record (or portion of such 
                record) in accordance with such agreement.
            (2) Treatment of state laws.--
                    (A) In general.--Except as provided under 
                subparagraph (B), the provisions of a privacy 
                protection agreement entered into between an IHRT and 
                an IHRT participant shall preempt any provision of 
                State law (or any State regulation) relating to the 
                privacy and confidentiality of individually 
                identifiable health information or to the security of 
                such health information.
                    (B) Exception for privileged information.--The 
                provisions of a privacy protection agreement shall not 
                preempt any provision of State law (or any State 
                regulation) that recognizes privileged communications 
                between physicians, health care practitioners, and 
                patients of such physicians or health care 
                practitioners, respectively.
                    (C) State defined.--For purposes of this section, 
                the term ``State'' has the meaning given such term when 
                used in title XI of the Social Security Act, as 
                provided under section 1101(a) of such Act (42 U.S.C. 
                1301(a)).

SEC. 7. VOLUNTARY NATURE OF TRUST PARTICIPATION AND INFORMATION 
              SHARING.

    (a) In General.--Participation in an independent health record 
trust, or authorizing access to information from such a trust, is 
voluntary. No employer, health insurance issuer, group health plan, 
health care provider, or other person may require, as a condition of 
employment, issuance of a health insurance policy, coverage under a 
group health plan, the provision of health care services, payment for 
such services, or otherwise, that an individual participate in, or 
authorize access to information from, an independent health record 
trust.
    (b) Enforcement.--The penalties provided for in subsection (a) of 
section 1177 of the Social Security Act (42 U.S.C. 1320d-6) shall apply 
to a violation of subsection (a) in the same manner as such penalties 
apply to a person in violation of subsection (a) of such section.

SEC. 8. FINANCING OF ACTIVITIES.

    (a) In General.--Except as provided in subsection (b), an IHRT may 
generate revenue to pay for the operations of the IHRT through--
            (1) charging IHRT participants account fees for use of the 
        trust;
            (2) charging authorized EHR data users for accessing 
        electronic health records maintained in the trust;
            (3) the sale of information contained in the trust (as 
        provided for in section 6(a)(3)(A)); and
            (4) any other activity determined appropriate by the 
        Federal Trade Commission.
    (b) Prohibition Against Access Fees for Health Care Providers.--For 
purposes of providing incentives to health care providers to access 
information maintained in an IHRT, as authorized by the IHRT 
participants involved, the IHRT may not charge a fee for services 
specified by the IHRT. Such services shall include the transmittal of 
information from a health care provider to be included in an 
independent electronic health record maintained by the IHRT (or 
permitting such provider to input such information into the record), 
including the transmission of or access to information described in 
section 6(a)(2)(C)(ii) by appropriate emergency responders.
    (c) Required Disclosures.--The sources and amounts of revenue 
derived under subsection (a) for the operations of an IHRT shall be 
fully disclosed to each IHRT participant of such IHRT and to the 
public.
    (d) Treatment of Income.--For purposes of the Internal Revenue Code 
of 1986, any revenue described in subsection (a) shall not be included 
in gross income of any IHRT, IHRT participant, or authorized EHR data 
user.

SEC. 9. REGULATORY OVERSIGHT.

    (a) In General.--In carrying out this Act, the Federal Trade 
Commission shall promulgate regulations for independent health record 
trusts.
    (b) Establishment of Interagency Steering Committee.--
            (1) In general.--The Secretary of Health and Human Services 
        shall establish an Interagency Steering Committee in accordance 
        with this subsection.
            (2) Chairperson.--The Secretary of Health and Human 
        Services shall serve as the chairperson of the Interagency 
        Steering Committee.
            (3) Membership.--The members of the Interagency Steering 
        Committee shall consist of the Attorney General, the 
        Chairperson of the Federal Trade Commission, the Chairperson 
        for the National Committee for Vital and Health Statistics, a 
        representative of the Federal Reserve, and other Federal 
        officials determined appropriate by the Secretary of Health and 
        Human Services.
            (4) Duties.--The Interagency Steering Committee shall 
        coordinate the implementation of this Act, including the 
        implementation of policies described in subsection (d) based 
        upon the recommendations provided under such subsection, and 
        regulations promulgated under this Act.
    (c) Federal Advisory Committee.--
            (1) In general.--The National Committee for Vital and 
        Health Statistics shall serve as an advisory committee for the 
        IHRTs. The membership of such advisory committee shall include 
        a representative from the Federal Trade Commission and the 
        chairperson of the Interagency Steering Committee. Not less 
        than 60 percent of such membership shall consist of 
        representatives of nongovernment entities, at least one of whom 
        shall be a representative from an organization representing 
        health care consumers.
            (2) Duties.--The National Committee for Vital and Health 
        Statistics shall issue periodic reports and review policies 
        concerning IHRTs based on each of the following factors:
                    (A) Privacy and security policies.
                    (B) Economic progress.
                    (C) Interoperability standards.
    (d) Policies Recommended by Federal Trade Commission.--The Federal 
Trade Commission, in consultation with the National Committee for Vital 
and Health Statistics, shall recommend policies to--
            (1) provide assistance to encourage the growth of 
        independent health record trusts;
            (2) track economic progress as it pertains to operators of 
        independent health records trusts and individuals receiving 
        nontaxable income with respect to accounts;
            (3) conduct public education activities regarding the 
        creation and usage of the independent health records trusts;
            (4) establish standards for the interoperability of health 
        information technology to ensure that information contained in 
        such record may be shared between the trust involved, the 
        participant, and authorized EHR data users, including for the 
        standardized collection and transmission of individual health 
        records (or portions of such records) to authorized EHR data 
        users through a common interface and for the portability of 
        such records among independent health record trusts; and
            (5) carry out any other activities determined appropriate 
        by the Federal Trade Commission.
    (e) Regulations Promulgated by Federal Trade Commission.--The 
Federal Trade Commission shall promulgate regulations based on, at a 
minimum, the following factors:
            (1) Requiring that an IHRT participant, who has an 
        electronic health record that is maintained by an IHRT, be 
        notified of a security breach with respect to such record, and 
        any corrective action taken on behalf of the participant.
            (2) Requiring that information sent to, or received from, 
        an IHRT that has been designated as high-risk should be 
        authenticated through the use of methods such as the periodic 
        changing of passwords, the use of biometrics, the use of tokens 
        or other technology as determined appropriate by the council.
            (3) Requiring a delay in releasing sensitive health care 
        test results and other similar information to patients directly 
        in order to give physicians time to contact the patient.
            (4) Recommendations for entities operating IHRTs, including 
        requiring analysis of the potential risk of health transaction 
        security breaches based on set criteria.
            (5) The conduct of audits of IHRTs to ensure that they are 
        in compliance with the requirements and standards established 
        under this Act.
            (6) Disclosure to IHRT participants of the means by which 
        such trusts are financed, including revenue from the sale of 
        patient data.
            (7) Prevention of certification of an entity seeking 
        independent health record trust certification based on--
                    (A) the potential for conflicts between the 
                interests of such entity and the security of the health 
                information involved; and
                    (B) the involvement of the entity in any activity 
                that is contrary to the best interests of a patient.
            (8) Prevention of the use of revenue sources that are 
        contrary to a patient's interests.
            (9) Public disclosure of audits in a manner similar to 
        financial audits required for publicly traded stock companies.
            (10) Requiring notification to a participating entity that 
        the information contained in such record may not be 
        representative of the complete or accurate electronic health 
        record of such account holder.
    (f) Compliance Report.--Not later than 1 year after the date of the 
enactment of this Act, and annually thereafter, the Commission shall 
submit to the Committee on Health, Education, Labor, and Pensions and 
the Committee on Finance of the Senate and the Committee on Energy and 
Commerce and the Committee on Ways and Means of the House of 
Representatives, a report on compliance by and progress of independent 
health record trusts with this Act. Such report shall describe the 
following:
            (1) The number of complaints submitted about independent 
        health record trusts, which shall be divided by complaints 
        related to security breaches, and complaints not related to 
        security breaches, and may include other categories as the 
        Interagency Steering Committee established under section (b) 
        determines appropriate.
            (2) The number of enforcement actions undertaken by the 
        Commission against independent health record trusts in response 
        to complaints under paragraph (1), which shall be divided by 
        enforcement actions related to security breaches and 
        enforcement actions not related to security breaches and may 
        include other categories as the Interagency Steering Committee 
        established under section (b) determines appropriate.
            (3) The economic progress of the individual owner or 
        institution operator as achieved through independent health 
        record trust usage and existing barriers to such usage.
            (4) The progress in security auditing as provided for by 
        the Interagency Steering Committee council under subsection 
        (b).
            (5) The other core responsibilities of the Commission as 
        described in subsection (a).
    (g) Interagency Memorandum of Understanding.--The Interagency 
Steering Committee shall ensure, through the execution of an 
interagency memorandum of understanding, that--
            (1) regulations, rulings, and interpretations issued by 
        Federal officials relating to the same matter over which 2 or 
        more such officials have responsibility under this Act are 
        administered so as to have the same effect at all times; and
            (2) the memorandum provides for the coordination of 
        policies related to enforcing the same requirements through 
        such officials in order to have coordinated enforcement 
        strategy that avoids duplication of enforcement efforts and 
        assigns priorities in enforcement.
                                 <all>