


110 HR 5442 IH: TRUST in Health Information Act of

U.S. House of Representatives
2008-02-14
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.


	
		I
		110th CONGRESS
		2d Session
		H. R. 5442
		IN THE HOUSE OF REPRESENTATIVES
		
February 14, 2008
Mr. Markey (for himself, Mr. Emanuel, and Mrs. Capps) introduced the following bill; which was referred to the Committee on Energy and Commerce, and in addition to the Committees on Ways and Means, Education and Labor, and Financial Services, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned
		
A BILL
To provide individuals with access to health information of which they are a subject, to ensure personal privacy, security, and confidentiality with respect to health related information in promoting the development of a nationwide interoperable health information infrastructure, to impose criminal and civil penalties for unauthorized use of personal health information, to provide for the strong enforcement of these rights, to protect States’ rights, and for other purposes.
	
	
1. Short title
(a) Short title. This Act may be cited as the “Technologies for Restoring Users’ Security and Trust in Health Information Act of 2008” or as the “TRUST in Health Information Act of 2008”.
(b) Table of contents. The table of contents of this Act is as follows:
				
Sec. 1. Short title.
Sec. 2. Findings; purposes.
Title I—Health Information Privacy and Security
Sec. 100. Summary of privacy rights and security obligations.
Subtitle A—Access to and Accuracy of Personal Health Information
Sec. 101. Inspection and copying of personal health information.
Sec. 102. Modifications to personal health information.
Subtitle B—Security of Personal Health Information
Sec. 111. Notice of privacy practices.
Sec. 112. Establishment of safeguards.
Sec. 113. Notification in the case of breach.
Sec. 114. Transparency.
Sec. 115. Risk management.
Sec. 116. Accounting for disclosures and use.
Subtitle C—Use and Disclosure of Personal Health Information
Chapter 1—General Restrictions
Sec. 121. General rules regarding use and disclosure.
Sec. 122. Informed consent for disclosure of personal health information for treatment and payment.
Sec. 123. Informed consent and authorization for disclosure of personal health information other than for treatment or payment.
Chapter 2—Exceptions
Sec. 131. Disclosure for law enforcement, national security, and intelligence purposes.
Sec. 132. Disclosure for public health purposes.
Sec. 133. Reporting of abuse and neglect to protection and advocacy agencies.
Sec. 134. Disclosure to next of kin and directory information.
Chapter 3—Special Circumstances
Sec. 141. Emergency circumstances.
Sec. 142. Health research.
Sec. 143. Health oversight functions.
Sec. 144. Individual representatives.
Subtitle D—Enforcement
Sec. 151. In general.
Sec. 152. Enforcement by State attorneys general.
Subtitle E—Miscellaneous
Sec. 161. Office of Health Information Privacy.
Sec. 162. Protection for whistleblowers.
Sec. 163. Demonstration grant for individuals with limited English language proficiency or limited health literacy.
Sec. 164. Relationship to other laws.
Sec. 165. Effective date.
Subtitle F—General Definitions
Sec. 171. General definitions.
Title II—Promotion of Health Information Technology
Subtitle A—Improving the Interoperability of Health Information Technology
Sec. 201. Office of the National Coordinator of Health Information Technology.
Sec. 202. Partnership for Health Care Improvement.
Sec. 203. American Health Information Community policies.
Sec. 204. Research access to health care data and reporting on performance.
Subtitle B—Facilitating the Widespread Adoption of Interoperable Health Information Technology
Sec. 211. Facilitating the widespread adoption of interoperable health information technology.
Sec. 212. Demonstration program to integrate information technology into clinical education.
Sec. 213. Qualified health information technology system defined.
Subtitle C—Improving the Quality of Health Care
Sec. 221. Fostering development and use of health care quality measures.
Sec. 222. Adoption and use of quality measures; reporting.
Subtitle D—Miscellaneous Provisions
Sec. 231. Health Information Technology Resource Center.
Sec. 232. Facilitating the provision of telehealth services across State lines.
Subtitle E—Definitions
Sec. 241. Definitions.
Title III—Additional provisions
Sec. 301. Federal purchasing and data collection by CMS and other Federal agencies.
Sec. 302. Ensuring health care providers participating in the medicare program may maintain health information in electronic form.
				
2. Findings; purposes
(a) Findings. Congress finds the following:
				(1)Americans are
			 deeply concerned about the privacy and security of their personal information,
			 including their health records.
				(2)In October 2007, a Harris Interactive Poll
			 commissioned by the Institute of Medicine found that 58 percent of respondents
			 indicated they do not believe Federal and State laws and organizational
			 practices offer sufficient protection of personal health information.
				(3)In February 2007,
			 the Markle Foundation reported that 80 percent of individuals surveyed were
			 very concerned about identity theft or fraud and 77 percent were very concerned
			 that their medical information would be used for marketing purposes.
				(4)Concerns about the
			 privacy and security of personal health information are fueled by the
			 escalating number of breaches of personal information that have occurred in
			 recent years and numerous reports of the inadequacy of the security of
			 electronic networks.
				(5)According to the
			 Privacy Rights Clearinghouse, more than 216,000,000 data records belonging to
			 U.S. residents have been exposed to potential misuse as a result of security
			 breaches since January 2005.
				(6)A nationwide interoperable health
			 information infrastructure can strengthen privacy, security, and
			 confidentiality safeguards, protecting patients’ personal health information
			 while also improving health care quality, safety, and affordability.
				(7)In order for
			 individuals, health care providers, and health care payers to achieve the
			 benefits associated with such infrastructure, strong data privacy, security,
			 and confidentiality standards must be developed, adopted, and incorporated into
			 the health information technology infrastructure.
				(8)While Executive
			 Order 13335 regarding interoperable health information technology issued on
			 April 27, 2004, called for widespread adoption of interoperable electronic
			 health records within 10 years, established the position of National
			 Coordinator of Health Information Technology, and stipulated that the plan for
			 the nationwide implementation of interoperable health information technology
			 should address privacy and security issues, adequate progress has not been made
			 to ensure that a strong data privacy, security, and confidentiality approach
			 will guide the development of this nationwide infrastructure beginning in its
			 initial stages and continuing throughout its formulation.
				(9)According to a February 1, 2007, report of
			 the Government Accountability Office (GAO), the Department of Health and Human
			 Services and its Office of the National Coordinator of Health Information
			 Technology have not yet defined an overall approach for integrating
			 privacy-related initiatives the Department has undertaken in the area of health
			 information technology or addressing key privacy principles, nor has the
			 Department defined milestones for integrating the results of these activities
			 while it has moved forward with development of standards for a national
			 electronic health information system.
				(10)All Americans
			 have a right to privacy, security, and confidentiality with respect to the
			 electronic disclosure of their personal health information, and the nationwide
			 implementation of interoperable health information technology should abide by,
			 and be consistent with, this right.
				(11)Without adequate
			 privacy, security, and confidentiality standards, individuals will be more
			 likely to avoid or delay medical treatment or withhold pertinent information
			 from their health providers, potentially resulting in lost productivity,
			 increased morbidity rates, and increased costs to the health care
			 system.
				(12)As stipulated by
			 the Secretary of Health and Human Services in the Final Rule for Standards for
			 Privacy of Individually Identifiable Health Information (45 C.F.R. parts 160
			 and 164), the standards contained in the Final Rule are intended to establish a
			 floor of privacy protection and are not designed to serve as best
			 practices for the use or disclosure of personal health
			 information.
				(13)To guide the
			 development, implementation, and operation of an interoperable nationwide
			 health information technology infrastructure, Congress should establish
			 specific minimum standards for the use and disclosure of individuals’ personal
			 health information and direct the Department of Health and Human Services to
			 promulgate regulations relating to personal health information that are
			 consistent with individuals’ right to privacy, security, and confidentiality
			 with respect to the electronic use or disclosure of their personal health
			 information, the public interest, and the purposes of this Act.
(b) Purpose. The purposes of this Act are as follows:
				(1)To
			 recognize that individuals have a right to privacy, confidentiality, and
			 security with respect to health information, including genetic information, and
			 that those fundamental rights are rooted in the Nation’s history and medical
			 ethics and must be protected.
				(2)To ensure that individuals are able to
			 exercise their right to health information privacy by requiring their consent
			 for the use and disclosure of their identifiable health information unless
			 otherwise required by law.
				(3)To encourage the development of a
			 nationwide interoperable health information technology infrastructure that
			 protects individuals’ privacy, confidentiality, and security with respect to
			 their health information while also improving health care quality, promoting
			 data accuracy, reducing medical errors, and increasing the efficiency of
			 care.
				(4)To
			 create incentives to turn personal health information into de-identified health
			 information (as defined in section 171(5)), where appropriate.
				(5)To designate an
			 Office of Health Information Privacy within the Department of Health and Human
			 Services to protect individuals’ right of privacy.
				(6)To
			 provide individuals with—
					(A)access to health
			 information of which they are the subject;
					(B)the opportunity to
			 challenge the accuracy and completeness of such information by being able to
			 file modifications to or request the deletion of such information; and
					(C)the right to limit
			 the use and disclosure of personal health information.
					(7)To
			 establish strong and effective mechanisms to protect against the unauthorized
			 and inappropriate use of personal health information and ensure that these
			 mechanisms safeguard this information wherever it may reside.
				(8)To provide notice to individuals of
			 breaches of their personal health information.
				(9)To invoke the
			 sweep of congressional powers, including the power to enforce the 14th
			 Amendment to the Constitution, to regulate commerce, and to abrogate the
			 immunity of the States under the 11th Amendment to the Constitution, in order
			 to address violations of the rights of individuals to privacy, to provide
			 individuals with access to their health information, and to prevent the
			 unauthorized use of personal health information that is genetic
			 information.
				(10)To establish
			 strong and effective remedies for violations of this Act.
				(11)To protect the
			 rights of States.
Title I. Health Information Privacy and Security
100. Summary of privacy rights and security obligations
(a) Privacy rights. In order to provide individuals who are the subject of personal health information with privacy, security, and control in the use and disclosure of such information, such individuals are provided the following rights under this title:
					(1)The right to not
			 have their personal health information disclosed without their informed consent
			 unless otherwise required by law, pursuant to subtitle C.
					(2)The right to
			 inspect and copy their personal health information, pursuant to section
			 101.
					(3)The right to
			 correct, supplement, or remove their personal information held by a person,
			 pursuant to section 102.
					(4)The right to
			 prohibit access by certain categories of persons to particularly sensitive
			 personal health information about individuals, such as information relating to
			 mental health, domestic violence, sexually transmitted diseases, and infection
			 with the human immunodeficiency virus (HIV), pursuant to section 122.
					(5)The right to
			 receive notification of actual or suspected security breaches of their personal
			 health information, pursuant to section 113.
					(6)The right to
			 receive an accounting of all electronic disclosures of their personal health
			 information upon request, pursuant to section 116.
(b) Security obligations. A person that discloses, uses, or receives an individual’s personal health information has obligations under this title, including the following:
					(1)The obligation to
			 expressly recognize the right to privacy and security of such individual with
			 respect to the use and disclosure of such information under subtitle B.
					(2)The obligation to
			 permit individuals who are the subject of such personal health information to
			 inspect and copy the personal health information concerning the individual
			 pursuant to section 101.
					(3)The obligation to provide written
			 notification to an individual of the person’s privacy practices pursuant to
			 section 111.
					(4)The obligation to promptly notify
			 individuals of an actual or suspected security breach of their personal health
			 information pursuant to section 113.
					(5)The obligation to establish and maintain
			 appropriate administrative, organizational, technical and physical safeguards
			 to ensure the privacy, confidentiality, security, accuracy, and integrity of
			 personal health information that is accessed, maintained, modified, recorded,
			 stored, destroyed, or otherwise used or disclosed by such person pursuant to
			 section 112.
					(6)The obligation to make publicly available
			 on the Internet a list, including contact information, of each data partner
			 with which the person has entered into a contract or relationship to provide
			 services involving personal health information pursuant to section 114.
					(7)The obligation to obtain an individual’s
			 informed consent or authorization before using or disclosing an individual’s
			 personal health information pursuant to chapter 1 of subtitle C.
					(8)The obligation to establish and update risk
			 management processes to protect against vulnerabilities to the privacy and
			 security of individual’s personal health information pursuant to sections 112
			 and 114.
					(9)The obligation to establish and maintain a
			 record of each disclosure of an individual’s personal health information
			 pursuant to section 116.
					(10)The obligation to provide individuals with
			 concise, comprehensive, and explicit information if seeking to use or disclose
			 their personal health information for marketing purposes and receive a separate
			 authorization from an individual before using or disclosing the information for
			 that purpose pursuant to section 123.
Subtitle A. Access to and Accuracy of Personal Health Information
101. Inspection and copying of personal health information
(a) Right of individual
(1) In general. A health information person (as defined in section 171(13)) shall permit an individual who is the subject of personal health information (as defined in section 171(23)) that the person holds, uses, or discloses, or the individual’s designee, to inspect and copy the personal health information concerning the individual.
(2) Procedures and fees. A health information person may establish appropriate procedures to be followed for inspection and copying under paragraph (1) and
			 may require an individual to pay reasonable fees associated with such
			 inspection and copying in an amount that is not in excess of the actual costs
			 of providing such copying. Such fees may not be assessed where such an
			 assessment would have the effect of inhibiting an individual from gaining
			 access to the information described in paragraph (1).
(b) Deadline. A health information person shall comply with a request for inspection or copying of personal health information under this section not later than—
						(1)15 business days
			 after the date on which the person receives the request, if such request
			 requires the inspection, copying, or sending of printed materials; or
						(2)5
			 business days after the date on which the person receives the request, or
			 sooner if the Secretary determines appropriate, if such request requires only
			 the inspection, copying, or sending of electronic or other digital
			 materials.
(c) Rules governing agents. A person that is the agent, officer, or employee of a health information person shall provide for the inspection and copying of personal health information if—
						(1)the personal
			 health information is retained by the person; and
						(2)the person has been
			 asked by the health information person to fulfill the requirements of this
			 section.
(d) Special rule relating to ongoing clinical trials. With respect to personal health information that is created as part of an individual's voluntary participation in an ongoing clinical trial, access to the information shall be provided within 15 business days after the date on which the health information person receives the request or consistent with the individual's agreement to participate in the clinical trial, whichever is sooner.
102. Modifications to personal health information
(a) In general. Not later than 15 business days, or earlier if the Secretary determines appropriate, after the date on which a health information person receives from an individual a request in writing to supplement, correct, amend, segregate, or remove personal health information that the person holds, uses, or discloses concerning the individual, such person—
						(1)shall, subject to
			 subsections (b) and (c), modify the information, by adding the requested
			 supplement, correction, or amendment to the information, or by removing any
			 information that has been requested to be destroyed;
						(2)shall inform the
			 individual that the modification has been made; and
						(3)shall make
			 reasonable efforts to inform any person to which the portion of the unmodified
			 information was previously disclosed, of any substantive modification that has
			 been made.
(b) Refusal to modify. If a health information person declines to make the modification requested under subsection (a) within 15 business days after receipt of such request, such person shall inform the individual in writing of—
						(1)the reasons for
			 declining to make the modification;
						(2)any procedures for
			 further review of the declining of such modification; and
						(3)the individual's
			 right to file with the person a concise statement setting forth the requested
			 modification and the individual's reasons for disagreeing with the declining
			 person and the individual's right to include a copy of this refusal in the
			 health record set (as defined in section 171(17)) concerning the
			 individual.
(c) Statement of disagreement. If an individual has filed with a health information person a statement of disagreement under subsection (b)(3), the person, in any subsequent disclosure of the disputed portion of the information—
						(1)shall include, at
			 the individual's request, a copy of the individual's statement in the
			 individual's health record set; and
						(2)may include a
			 concise statement of the reasons for not making the requested
			 modification.
(d) Rules governing agents. A person that is the agent of a health information person shall only be required to make a modification to personal health information where—
						(1)the personal
			 health information is retained, distributed, used, or maintained by the agent;
			 and
						(2)the agent has been
			 asked by such person to fulfill the requirements of this section.
Subtitle B. Security of Personal Health Information
111. Notice of privacy practices
(a) Preparation of written notice. A health information person shall prepare a written notice of the privacy practices of such person, including information with respect to the following:
						(1)The express right
			 of an individual to privacy, security, and confidentiality with respect to the
			 disclosure of such individual’s personal health information.
						(2)The procedures for
			 an individual to exercise that right by authorizing disclosures of personal
			 health information, and to object to, modify, and revoke such
			 authorizations.
						(3)The right of an
			 individual to inspect, copy, and modify that individual’s personal health
			 information.
						(4)The right of an individual not to have
			 employment or the receipt of services or choice of health plan conditioned upon
			 the execution by the individual of an authorization for disclosure, except as
			 permitted by section 122(c).
						(5)A description of—
							(A)the categories or
			 types of employees, by general category or by general job description, who have
			 access to or use of personal health information regarding the
			 individual;
							(B)the right of the
			 individual to limit access to or use of his or her personal health information
			 by employees, agents, and contractors of the person; and
							(C)the procedures for
			 effecting such limitations.
							(6)A
			 simple, concise description of any information systems used to store or
			 transmit personal health information, including a description of any linkages
			 made with other networks, systems, or databases outside the person’s direct
			 control.
						(7)The circumstances
			 under which the information will be, lawfully and actually, used or disclosed
			 without an authorization executed by the individual.
						(8)A
			 statement that, if an individual elects to pay for health care from the
			 individual's own funds, that individual may elect for personal health
			 information, including any identifying information, not to be disclosed to
			 anyone other than designated health care providers, unless such disclosure is
			 required by mandatory reporting requirements or other similar information
			 collection duties required by law.
						(9)The right of the
			 individual to have continued maintenance, distribution, or storage of that
			 individual’s personal health information not conditioned upon whether that
			 individual amends or revokes an authorization for disclosure, or requests a
			 modification of personal health information.
						(10)The right of and
			 procedures for an individual to request that personal health information be
			 transferred to a third party person without unreasonable delay.
						(11)The right to
			 prompt notification of an actual or suspected security breach of personal
			 health information, and how such breaches will be remedied by the
			 person.
						(12)The right of an
			 individual to inspect and obtain a copy of records of authorized and
			 unauthorized disclosures as well as attempted and actual access and use by an
			 authorized or unauthorized person.
						(13)The right of an
			 individual to exercise nondisclosure and nonuse rights with respect to their
			 personal health information, including the right to opt out of any local,
			 regional, or nationwide health information network or system that is used by
			 the person.
(b) Provision and posting of written notice
(1) Provision. A health information person shall provide in writing a copy of the notice of privacy practices required under subsection (a)—
							(A)at the first contact between the individual
			 and the person; and
							(B)upon the request of
			 an individual.
(2) Posting. A health information person shall post, in a clear and conspicuous manner, a brief summary of the privacy practices of the person.
(c) Model notice. The Secretary, in consultation with the Director of the Office of Health Information Privacy, after notice and opportunity for public comment, shall develop and disseminate model notices of privacy practices, and model summary notices for posting for use under this section. Use of such model notice shall be deemed to satisfy the requirements of this section.
112. Establishment of safeguards
(a) In general. A health information person shall—
						(1)establish and
			 maintain appropriate administrative, organizational, technical, and physical
			 safeguards and procedures to ensure the privacy, confidentiality, security,
			 accuracy, and integrity of personal health information that is accessed,
			 maintained, retained, modified, recorded, stored, destroyed, or otherwise held,
			 used, or disclosed by such person; and
						(2)employ an individual whose responsibilities
			 include the management of the person’s information security.
(b) Factors to be considered. The policies and safeguards established under subsection (a) shall ensure that—
						(1)personal health
			 information is used or disclosed only with informed consent (as defined in
			 section 171(19));
						(2)the categories of
			 personnel who will, with the informed consent of the individual, have access to
			 personal health information are identified;
						(3)the feasibility of
			 limiting access to personal health information is considered;
						(4)the privacy,
			 security, and confidentiality of personal health information is
			 maintained;
						(5)personal health
			 information is protected against any reasonably anticipated vulnerabilities to
			 the privacy, security, or integrity of such information; and
						(6)personal health
			 information is protected against unauthorized access, use, or misuse of such
			 information.
(c) Model guidelines. The Secretary, in
			 consultation with the Director of the Office of Health Information Privacy
			 appointed under section 161, after notice and opportunity for public comment,
			 in accordance with the requirements of chapter 5 of title 5, United States
			 Code, shall develop and disseminate model guidelines for the establishment of
			 safeguards and procedures for use under this section, such as, where
			 appropriate, individual authentication of uses of computer systems, access
			 controls, audit trails, encryption or any additional security methodology or
			 technology other than encryption which renders data in electronic form
			 unreadable or indecipherable, physical security, protection of remote access
			 points and protection of external electronic communications, periodic security
			 assessments, incident reports, and sanctions. The Secretary, in consultation
			 with the Director, shall update and disseminate the guidelines, as appropriate,
			 to take advantage of new technologies, so as to ensure that the guidelines
			 emphasize the need for stringent privacy, security, and confidentiality
			 safeguards and procedures.
(d) Review and updating of safeguards. Persons subject to this title shall
			 monitor, evaluate, and adjust, as appropriate, all safeguards and procedures,
			 concomitant with relevant changes in technology, the sensitivity of personally
			 identifiable information, internal or external threats to personally
			 identifiable information, and any changes in the contracts or business of the
			 person. For the purpose of reviewing and updating safeguards, the Secretary may
			 provide technical assistance to health information persons, as
			 appropriate.
113. Notification in the case of breach
(a) In general. A health information person that accesses, maintains,
			 retains, modifies, records, stores, destroys, or otherwise holds, uses, or
			 discloses personal health information shall, following the discovery of a
			 security breach (as defined in section 171(28)) of such information, notify
			 each individual whose personal health information has been, or is reasonably
			 believed to have been, accessed, or acquired during such breach.
(b) Obligation of owner or licensee
(1) Notice to owner or licensee. Any person engaged in interstate commerce that uses,
			 accesses, transmits, stores, disposes of, or collects personal health
			 information that the person does not own or license shall notify the owner or
			 licensee of the information following the discovery of a security breach
			 involving such information.
(2) Notice by owner, licensee, or other designated third party. Nothing in this subtitle shall be construed
			 to prevent or abrogate an agreement between a person required to give notice
			 under this section and a designated third party, including an owner or licensee
			 of the personal health information subject to the security breach, to provide
			 the notifications required under subsection (a).
(3) Person relieved from giving notice. A person obligated to give notice under
			 subsection (a) shall be relieved of such obligation if an owner or licensee of
			 the personal health information subject to the security breach, or other
			 designated third party, provides such notification.
(c) Timeliness of notification
(1) In general. All notifications required under this section shall be
			 made within 15 business days, or earlier if the Secretary determines
			 appropriate, following the discovery by the person of a security breach.
(2) Burden of proof. The person required to
			 provide notification under this section shall have the burden of demonstrating
			 that all notifications were made as required under this subtitle, including
			 evidence demonstrating the necessity of any delay.
(d) Methods of notice. A person described in subsection (a) shall provide to an individual the following forms of notice in the case of a security breach:
(1) Individual notice. Notice required under this section shall be provided in such form as the individual selects, including—
							(A)written
			 notification to the last known home mailing address of the individual in the
			 records of the person;
							(B)telephone notice
			 to the individual personally; or
							(C)e-mail notice, if
			 the individual has consented to receive such notice and the notice is
			 consistent with the provisions permitting electronic transmission of notices
			 under section 101 of the Electronic Signatures in Global and National Commerce
			 Act (15 U.S.C. 7001).
							(2)Media
			 noticeNotice shall be provided to prominent media outlets
			 serving a State or jurisdiction, if the personal health information of more
			 than 500 residents of such State or jurisdiction is, or is reasonably believed
			 to have been, acquired by an unauthorized person.
						(3)Notice to
			 secretaryNotice shall be provided to the Secretary for health
			 information persons that have lost, stolen, disclosed, or used in an
			 unauthorized manner or for an unauthorized purpose the personal health
			 information of a significant number of individuals.
						(e)Content of
			 notificationRegardless of the method by which notice is provided
			 to individuals under this section, notice of a security breach shall include,
			 to the extent possible—
						(1)a
			 description of the personal health information that has been, or is reasonably
			 believed to have been, accessed, disclosed, or otherwise used by an
			 unauthorized person;
						(2)a
			 toll-free number that the individual may use to contact the person described in
			 subsection (a) to learn what types of personal health information the person
			 maintained about that individual; and
						(3)toll-free contact
			 telephone numbers and addresses for major credit reporting agencies.
						(f)Delay of
			 notification authorized for law enforcement purposes
						(1)In
			 generalIf a Federal law enforcement agency determines that the
			 notification required under this section would impede a criminal investigation
			 or cause damage to national security, such notification shall be delayed upon
			 written notice from the Federal law enforcement agency to the person that
			 experienced the breach.
						(2)Extended delay
			 of notificationIf the notification required under subsection (a)
			 is delayed pursuant to paragraph (1), a person shall give notice not later than
			 30 days after such law enforcement delay was invoked unless a Federal law
			 enforcement agency provides written notification that further delay is
			 necessary.
						114.Transparency
					(a)Public list of
			 data partners
						(1)In
			 generalA health information person shall establish a list of
			 data partners (as defined in paragraph (2)) with which such person has entered
			 into a contract or relationship for the purposes of providing services
			 involving any personal health information held, used, or disclosed by the
			 person. Such list and the contact information for each partner shall be made
			 publicly accessible on the Internet.
						(2)Data partner
			 definedIn paragraph (1), the term data partner
			 means a data bank, data warehouse, information clearinghouse, record locator
			 system, or other business entity, which for monetary fees, dues, or on a
			 cooperative nonprofit basis, engages in the practice of accessing, collecting,
			 maintaining, modifying, storing, recording, transmitting, destroying, or
			 otherwise using or disclosing the personal health information of individuals.
			 Any person maintaining personal health information for the purposes of making
			 such information available to the individual or the health care provider,
			 including persons furnishing free or paid personal health records, electronic
			 health records, electronic medical records, and related products and services,
			 shall be deemed to be a data partner subject to the requirements of this
			 title.
						(b)Subcontracting
			 and outsourcing overseasIn the event a health information person
			 contracts with service providers not subject to this title, including service
			 providers operating in a foreign country, such person shall—
						(1)take reasonable
			 steps to select and retain third party service providers capable of maintaining
			 appropriate safeguards for the security, privacy, and integrity of personal
			 health information;
						(2)require by
			 contract that such service providers implement and maintain appropriate
			 measures designed to meet the requirements applicable to health information
			 persons under this title;
						(3)be held liable for
			 any violation of this title by an overseas service provider or other provider
			 not subject to this title; and
						(4)in the case of a
			 service provider operating in a foreign country, obtain the informed consent of
			 the individual involved prior to outsourcing such individual's personal health
			 information to such provider.
						(c)List of
			 personsThe Secretary shall maintain a public list identifying
			 health information persons that have lost, stolen, disclosed, or used in an
			 unauthorized manner or for an unauthorized purpose the personal health
			 information of 1,000 or more individuals. The list shall include how many
			 individuals were affected by such action and be displayed on the Web site of
			 the Department of Health and Human Services.
					115.Risk
			 management
					(a)In
			 generalEach health information person shall establish risk
			 management and control processes to protect against anticipated vulnerabilities
			 to the privacy, security, and integrity of personal health information that the
			 person accesses, holds, uses, or discloses.
					(b)Risk
			 assessmentA health information person shall perform annual risk
			 assessments of procedures, systems, or networks involved in the creation,
			 accessing, maintenance, retention, modification, recording, storage,
			 distribution, destruction, or other use or disclosure of personal health
			 information. Such risk assessment shall include—
						(1)identifying
			 reasonably foreseeable internal and external vulnerabilities that could result
			 in inaccuracy or in unauthorized access, disclosure, use, or modification of
			 personal health information, or of systems containing personal health
			 information;
						(2)assessing the
			 likelihood of and potential damage from inaccuracy or from unauthorized access,
			 disclosure, use, or modification of personal health information;
						(3)assessing the
			 sufficiency of policies, technologies, and safeguards in place to enable
			 compliance with individuals’ informed consent to the access, disclosure, use,
			 or modification of their personal health information and minimize and control
			 risks from unauthorized access, disclosure, use, or modification of
			 individuals’ personal health information; and
						(4)assessing the
			 vulnerability of personal health information during destruction and disposal of
			 such information, including through the disposal or retirement of
			 hardware.
						(c)Risk
			 managementA health information person shall establish risk
			 management and control procedures designed to control risks such as those
			 identified in subsection (b). Such procedures shall include—
						(1)a
			 means for the detection and recording of actual or attempted, unauthorized,
			 fraudulent, or otherwise unlawful access, disclosure, transmission,
			 modification, use, or loss of personal health information;
						(2)procedures for
			 ensuring the secure disposal of personal health information;
						(3)a
			 means for limiting physical access to hardware, software, data storage
			 technology, servers, systems, or networks by unauthorized persons in order to
			 minimize the risk of information disclosure, modification, transmission,
			 access, use, or loss;
						(4)providing
			 appropriate risk management and control training for employees; and
						(5)carrying out
			 annual testing of such risk management and control procedures.
						116.Accounting for
			 disclosures and use
					(a)In
			 generalA health information person shall establish and maintain,
			 with respect to any personal health information disclosure, a record of each
			 disclosure in accordance with regulations promulgated by the Secretary in
			 consultation with the Director of the Office of Health Information Privacy.
			 Such record shall include the purpose of any disclosure and the identity of the
			 specific individual executing the disclosure, as well as the person to which
			 such information is disclosed.
					(b)Maintenance of
			 recordA record established under subsection (a) shall be
			 maintained for not less than 6 years.
					(c)Electronic
			 recordsA health information
			 person shall, to the maximum extent practicable, maintain an accessible
			 electronic record concerning each access, use, or disclosure, whether
			 authorized or unauthorized and whether successful or unsuccessful, of personal
			 health information maintained by such person in electronic form. The record
			 shall include the identities of the specific individuals (or a way to identify
			 such individuals, or information helpful in determining the identities of such
			 individuals) who access or seek to gain access to, use or seek to use, or
			 disclose or seek to disclose, information sufficient to identify the personal
			 health information sought or accessed, and other appropriate
			 information.
					(d)Access to
			 recordsA health information person shall permit an individual
			 who is the subject of personal health information, or the individual’s
			 designee, to inspect and copy the records created in subsections (a) and
			 (c).
					CUse and Disclosure
			 of Personal Health Information
				1General
			 Restrictions
					121.General rules
			 regarding use and disclosure
						(a)Prohibition
							(1)General
			 ruleA person may not disclose, access, or use personal health
			 information except as authorized under this title.
							(2)Rule of
			 constructionDisclosure or use of health information that meets
			 the standards of being de-identified health information shall not be construed
			 as a disclosure or use of personal health information.
							(b)Scope of
			 disclosure or use
							(1)In
			 generalA disclosure or use of personal health information under
			 this subtitle shall be limited to the minimum amount of information necessary
			 to accomplish the purpose for which the disclosure or use is made, such as the
			 individual’s name and address, date of service, place of service, type of
			 service, cost of service, and diagnosis.
							(2)DeterminationThe
			 determination as to what constitutes the minimum disclosure or use possible for
			 purposes of paragraph (1) shall be made by the individual or entity holding the
			 information. The minimum necessary standard is intended to be consistent with,
			 and not override, professional judgment and standards.
							(c)Use or
			 disclosure for purpose only
							(1)In
			 generalAn authorized recipient (as defined in paragraph (2)) of
			 information pursuant to this subtitle may use or disclose such information
			 solely to carry out the purpose for which the information was disclosed, except
			 as provided in section 143.
							(2)Authorized
			 recipient definedIn paragraph (1), the term authorized
			 recipient means a person granted the authority by an individual, in
			 accordance with this title, to access, maintain, retain, modify, record, store,
			 destroy, or otherwise use the individual’s personal health information through
			 an authorized disclosure.
							(d)No general
			 requirement To discloseNothing in this subtitle permitting the
			 disclosure of personal health information shall be construed to require such
			 disclosure.
						(e)Identification
			 of disclosed information as personal health informationPersonal health information disclosed or
			 used pursuant to this subtitle shall be clearly identified and labeled as
			 personal health information that is subject to this title.
						(f)Disclosure or
			 use by agentsAn agent,
			 employee, or affiliate of a health information person that accesses, seeks to
			 access, obtains, discloses, uses, or receives personal health information from
			 such person, shall be subject to this subtitle to the same extent as the
			 person.
						(g)Disclosure or
			 use by othersA person
			 receiving personal health information initially held by a person described in
			 subsection (f) shall be subject to this subtitle to the same extent as the
			 person described in subsection (f).
						(h)Creation of
			 de-identified informationNotwithstanding subsection (c), but
			 subject to the other provisions of this section, a person described in
			 subsection (f) may disclose personal health information to an employee or other
			 agent of the person for purposes of creating de-identified information.
						(i)Unauthorized use
			 or disclosure of the decryption keyThe unauthorized disclosure
			 of a decryption key (as defined in section 171(7)) or other secondary or
			 tertiary means for accessing personal health information shall be deemed for
			 purposes of this subtitle to be a disclosure of personal health information.
			 The unauthorized use of a decryption key (or other secondary or tertiary means
			 for accessing personal health information) or de-identified health information
			 in order to identify an individual is deemed for purposes of this subtitle to
			 be disclosure of personal health information.
						(j)No
			 waiverExcept as provided in this title, an informed consent or
			 other authorization to disclose or use personally identifiable health
			 information executed by an individual pursuant to this subtitle shall not be
			 construed as a waiver of any rights that the individual has under other Federal
			 or State laws, the rules of evidence, or common law.
						(k)Opt-in to
			 network sharing
							(1)In
			 generalBefore a health information person may share personal
			 health information, through disclosure, access, use, or otherwise, with a
			 health information network or system, the individual must opt in to the sharing
			 of such information with such network or system.
							(2)Health
			 information network or system definedIn this subsection, the term health
			 information network or system means an interoperable health information
			 infrastructure consisting of health information systems and other networks that
			 connect providers, consumers, and others involved in supporting health and
			 health care.
							(l)Disposal of
			 dataTo prevent the
			 unauthorized disclosure or use of personal health information, such
			 information, when disposed of, shall be de-identified, destroyed, or expunged
			 from any electronic, paper, or other files and documents maintained by
			 authorized persons to make such information permanently unreadable and
			 undecipherable.
						(m)Obligations of
			 unauthorized recipientsA
			 person that obtains, accesses, or receives personal health information and that
			 is an unauthorized recipient of such information may not access, maintain,
			 retain, modify, record, store, destroy, or otherwise use or disclose such
			 information for any purposes, and use or disclosure of personal health
			 information under such circumstances shall be deemed for purposes of this
			 subtitle an unauthorized disclosure of personal health information, unless the
			 disclosure is for the purpose of informing the Secretary, law enforcement
			 authorities, or Congress of the person’s unauthorized receipt of the personal
			 health information.
						122.Informed
			 consent for disclosure of personal health information for treatment and
			 payment
						(a)Requirements
			 relating to employers, health plans, health or life insurers, uninsured and
			 self-pay individuals, and providers
							(1)In
			 generalAn employer, health
			 plan, health or life insurer, or health care provider that seeks to disclose
			 personal health information in connection with treatment or payment shall
			 obtain informed consent (as defined in section 171(19)) from the subject of
			 such personal health information that satisfies the requirements of this
			 section. A single consent may authorize multiple disclosures.
							(2)Health plans,
			 health or life insurersEvery
			 health plan or health or life insurer offering enrollment to individual or
			 nonemployer groups shall, at the time of enrollment in the plan or insurance,
			 obtain an informed consent for the use and disclosure of personal health
			 information with respect to each individual who is eligible to receive care or
			 benefits under the plan or insurance.
							(3)Uninsured and
			 self-payAn originating
			 provider that provides health care in other than a network plan setting, or
			 provides health care to an uninsured individual, shall obtain an informed
			 consent for access to or use of personal health information in providing health
			 care or arranging for health care from other providers or seeking payment for
			 the provision of health care services.
							(4)ProvidersEvery health care provider that provides
			 health care to an individual that has not been given the appropriate prior
			 consent under this section, shall at the time of providing such care, or at
			 such time as is practicable if services are necessary prior to the opportunity
			 to obtain consent, obtain an informed consent for the use and disclosure of
			 personal health information with respect to such individual.
							(b)Requirements for
			 individual informed consentTo satisfy the requirements of this
			 subsection, an informed consent from an individual to disclose the individual’s
			 personal health information shall—
							(1)identify, by
			 general job description or other functional description and by geographic
			 location, those persons that are authorized to disclose the information,
			 including entities employed by a person authorized to disclose the
			 information;
							(2)describe the
			 specific nature of the information to be disclosed;
							(3)identify, by
			 general job description or other functional description and by geographic
			 location, those persons to which the information will be disclosed, including
			 entities employed by a person to which information is authorized to be
			 disclosed;
							(4)describe the
			 purpose of the disclosures;
							(5)permit the
			 executing individual to indicate that a particular person or class of persons
			 (a group of persons with similar roles or functions) listed on the informed
			 consent is not authorized to receive personal health information concerning the
			 individual, except as provided for in subsection (c)(3);
							(6)provide the means
			 by which an individual may indicate that some of the individual's personal
			 health information should be segregated and to what persons or classes of
			 persons such segregated information may be disclosed;
							(7)be subject to
			 revocation by the individual and indicate that the informed consent is valid
			 until revocation by the individual or until an event or date specified;
							(8)(A)be in writing, dated,
			 and signed by the individual; and
								(B)not have been revoked under subsection
			 (f);
								(9)describe the
			 procedure by which an individual can amend an informed consent previously
			 obtained by a person;
							(10)describe the
			 extent to which the authorized person will share information with
			 sub-contracted persons, and the geographic location of sub-contracted persons,
			 including those operating or located overseas, except that the authorized
			 person shall obtain the informed consent of the individual involved prior to
			 outsourcing such individual's personal health information to a sub-contracted
			 person operating or located overseas; and
							(11)describe the
			 nature and probability of harm to the individual resulting from the informed
			 consent for use or disclosure, consistent with the principle of informed
			 consent.
							(c)Limitation on
			 informed consent
							(1)In
			 generalSubject to paragraphs
			 (2) and (3), a health information person that seeks informed consent under this
			 subtitle may not condition the delivery of treatment or payment for services on
			 the receipt of such an informed consent.
							(2)Right to require
			 self-payment
								(A)In
			 generalIf an individual has refused to provide an informed
			 consent for disclosure of administrative billing information (as defined in
			 subparagraph (B)) to a person and such informed consent is necessary for a
			 health care provider to receive payment for services delivered, the health care
			 provider may require the individual to pay from their own funds for the
			 services.
								(B)Administrative
			 billing informationIn subparagraph (A), the term
			 administrative billing information means any of the following
			 forms of personal health information:
									(i)Date
			 of service, policy, patient identifiers, and practitioner or facility
			 identifiers.
									(ii)Diagnostic codes,
			 in accordance with medicare billing codes, for which treatment is being
			 rendered or requested.
									(iii)Complexity of
			 service codes, indicating duration of treatment.
									(iv)Total billed
			 charges.
									(3)Right of health
			 care provider to require informed consent for treatment
			 purposesIf a health care provider that is seeking an informed
			 consent for disclosure of an individual's personal health information believes
			 that the disclosure of such information is necessary so as not to endanger the
			 health or treatment of the individual, and if the withholding of services will
			 not endanger the life of the individual, the health care provider may condition
			 the provision of services upon the individual’s execution of an informed
			 consent to disclose personal health information to the minimum extent
			 necessary.
							(4)Informed
			 consents for payment under certain circumstancesIf an individual
			 is in a physical or mental condition such that the individual is not capable of
			 authorizing the disclosure of personal health information and no other
			 arrangements have been made to pay for the health care services being rendered
			 to the patient, such information may be disclosed to a governmental authority
			 to the extent necessary to determine the individual's eligibility for, and to
			 obtain, payment under a governmental program for health care services provided
			 to the patient. The information may also be disclosed to another provider of
			 health care or health care service plan as necessary to assist the other
			 provider or health care service plan in obtaining payment for health care
			 services rendered by that provider of health care or health care service plan
			 to the patient.
							(d)Model informed
			 consentThe Secretary, in consultation with the Director of the
			 Office of Health Information Privacy, after notice and opportunity for public
			 comment in accordance with section 553 of title 5, United States Code, shall
			 develop and disseminate model written informed consents of the type described
			 in this section, which represent informed consent from the subject of such
			 personal health information that satisfies the requirements of this section,
			 and model statements of the limitations on informed consents. Any informed
			 consent obtained on a model informed consent form under this section developed
			 by the Secretary pursuant to the preceding sentence shall be deemed to satisfy
			 the requirements for an informed consent under this section.
						(e)Segregation of
			 filesA health information person shall comply with the request
			 of an individual who is the subject of personal health information—
							(1)to hide, mask, or
			 mark separate any type or amount of personal health information held by the
			 person; and
							(2)to limit the use
			 or disclosure of the segregated health information within the person to those
			 specifically designated by the subject of the personal health
			 information.
							(f)Revocation of
			 informed consent
							(1)In
			 generalAn individual may revoke or amend in writing an informed
			 consent under this section at any time, unless the disclosure that is the
			 subject of the consent is required to effectuate payment for health care that
			 has been provided to the individual and for which the individual has declined
			 or refused to pay from the individual’s own funds.
							(2)Health
			 planWith respect to a health plan, the informed consent of an
			 individual is deemed to be revoked at the time of the cancellation or
			 non-renewal of enrollment in the health plan, except as may be necessary to
			 complete plan administration and payment requirements related to the
			 individual's period of enrollment.
							(g)Record of
			 individual's informed consents and revocationsEach person
			 accessing, maintaining, retaining, modifying, recording, storing, destroying,
			 or otherwise using personally identifiable or personal health information for
			 purposes of treatment or payment shall maintain a record for a period of 6
			 years of each informed consent by an individual and any revocation thereof, and
			 such record shall become part of the individual’s health record set.
						123.Informed
			 consent and authorization for disclosure of personal health information other
			 than for treatment or payment
						(a)In
			 generalA health information person that seeks to disclose
			 personal health information for a purpose other than treatment or payment shall
			 obtain informed consent. Such consent under this section shall be separate from
			 an informed consent provided under section 122.
						(b)Limitation on
			 authorizationsA person subject to section 122 may not condition
			 the delivery of treatment, or payment for services, on the receipt of an
			 informed consent or authorization described in this section.
						(c)Model informed
			 consents and authorizationsThe Secretary, in consultation with
			 the Director of the Office of Health Information Privacy, after notice and
			 opportunity for public comment in accordance with section 553 of title 5,
			 United States Code, shall develop and disseminate model informed consents of
			 the type described in subsection (a) and written authorizations of the type
			 described in subsections (d) and (e). Any consent or authorization obtained on
			 a respective model form shall be deemed to meet the requirements under the
			 respective subsection.
						(d)Requirement of
			 separate, additional authorization for personnel decisionsA
			 health information person subject to section 122 may not disclose personal
			 health information to any employees or agents who are responsible for making
			 employment, work assignment, or other personnel decisions with respect to the
			 subject of the information without a separate, additional written authorization
			 permitting such a disclosure.
						(e)Requirement of
			 separate, additional authorization for marketing
							(1)In
			 generalA health information
			 person may not disclose personal health information for marketing purposes
			 without a separate, additional written authorization permitting such a
			 disclosure.
							(2)RequirementsIn the case of a disclosure of personal
			 health information for marketing purposes, a separate authorization required by
			 paragraph (1), to be valid, shall—
								(A)state that one purpose of the disclosure is
			 for marketing;
								(B)state that the
			 purpose of the use or disclosure involved is marketing;
								(C)describe the
			 specific marketing uses and disclosures authorized, including whether the
			 personal health information involved—
									(i)may be used for
			 purposes internal to the person;
									(ii)may be disclosed
			 to, and used by, a business associate of the person; and
									(iii)may be disclosed
			 to, and used by, any person or entity other than a business associate of the
			 person; and
									(D)state that the use
			 or disclosure of personal health information for marketing will directly result
			 in remuneration to the person from a third party, in any case in which a person
			 expects, or reasonably should expect, that such remuneration will occur.
								(3)Marketing
			 defined
								(A)In
			 generalIn this subsection,
			 the term marketing is a communication about a product or service
			 a purpose of which is to encourage recipients of the communication to purchase
			 or use the product or service in return for direct or indirect
			 compensation.
								(B)Exclusions
									(i)In
			 generalSubject to clause (ii), such term excludes the following
			 exceptions:
										(I)Communications made by a person for the
			 purpose of describing the entities participating in a provider network or
			 health plan network, and communications made by a person for the purpose of
			 describing if and the extent to which a product or service, or payment for a
			 product or service, is provided by the person or included in a benefit
			 plan.
										(II)Communications tailored to the
			 circumstances of a particular individual, made by a health care provider to an
			 individual as part of the treatment of the individual, and for the purpose of
			 furthering the treatment of that individual.
										(III)Communications tailored to the
			 circumstances of a particular individual and made by a health care provider or
			 health plan to an individual in the course of managing or coordinating the
			 treatment of that individual or for the purpose of directing or recommending to
			 that individual alternative treatments, therapies, providers, or settings of
			 care.
										(ii)ExceptionClause (i) shall not apply, and a
			 communication shall be considered marketing, if a person receives direct or
			 indirect remuneration from a third party for making a written communication
			 otherwise described in subclause (I), (II), or (III) of such clause.
									(f)Requirement To
			 release personal health information to coroners and medical examiners
							(1)In
			 generalWhen a coroner or
			 medical examiner or their duly appointed deputies seek personal health
			 information for the purpose of inquiry into and determination of, the cause,
			 manner, and circumstances of an individual's death, the health information
			 person shall provide that individual’s personal health information to the
			 coroner or medical examiner or to the duly appointed deputies without undue
			 delay or consent by the deceased individual’s representative.
							(2)Production of
			 additional informationIf a coroner or medical examiner or their
			 duly appointed deputies receives health information from a person referred to
			 in paragraph (1), such health information shall remain as personal health
			 information unless the health information is attached to or otherwise made a
			 part of a coroner's or medical examiner's official report, in which case it
			 shall no longer be protected.
							(3)ExemptionHealth
			 information attached to or otherwise made a part of a coroner's or medical
			 examiner's official report shall be exempt from the provisions of this title
			 except as provided for in this subsection.
							(4)ReimbursementA
			 person referred to in paragraph (1) may request reimbursement from a coroner or
			 medical examiner for the reasonable costs associated with inspection or copying
			 of personal health information maintained, retained, or stored by such
			 person.
							(g)Revocation or
			 amendment of consent or authorizationAn individual may revoke or
			 amend in writing an informed consent or authorization under this section at any
			 time.
						(h)ActionsIt
			 shall not be a violation of this title with respect to the disclosure of
			 personal health information—
							(1)if the disclosure
			 was made based on a good faith reliance on the individual’s informed consent or
			 authorization under this section at the time disclosure was made;
							(2)in a case in which
			 the consent or authorization is revoked, if the disclosing person had no actual
			 or constructive notice of the revocation; or
							(3)if the disclosure
			 was for the purpose of protecting another individual from imminent physical
			 harm and is authorized under section 141.
							(i)Record of
			 consents, authorizations, and revocationsEach person accessing,
			 maintaining, retaining, modifying, recording, storing, destroying, or otherwise
			 using personally identifiable or personal health information for purposes other
			 than treatment or payment shall maintain a record for a period of 6 years of
			 each informed consent and authorization by an individual and any revocation
			 thereof, and such record shall become part of the individual’s health record
			 set.
						Chapter 2—Exceptions
					131.Disclosure for
			 law enforcement, national security, and intelligence purposes
						(a)Access to
			 personal health information for law enforcement, national security, and
			 intelligence activitiesA health information person, or a person
			 who receives personal health information pursuant to section 131, may disclose
			 personal health information to—
							(1)an investigative
			 or law enforcement officer (as defined in subsection (k)) pursuant to a warrant
			 issued under the Federal Rules of Criminal Procedure, an equivalent State
			 warrant, a grand jury subpoena, civil subpoena, civil investigative demand, or
			 a court order under limitations set forth in subsection (b); and
							(2)an authorized
			 Federal official for the conduct of lawful intelligence, counter-intelligence,
			 and other national security activities authorized by the National Security Act
			 (50 U.S.C. 401 et seq.) and implementing authority (Executive Order 12333), or
			 otherwise by law.
							(b)Limitation on
			 use and disclosure for national security, intelligence, and other law
			 enforcement inquiries
							(1)In
			 generalPersonal health information about an individual that is
			 disclosed under this section may not be used in, or disclosed to any entity for
			 use in, any administrative, civil, or criminal action or investigation directed
			 against the individual, unless the action or investigation arises out of, or is
			 directly related to, the law enforcement, national security, or intelligence
			 inquiry for which the information was obtained.
							(2)Law enforcement
			 inquiry definedIn paragraph (1), the term “law enforcement
			 inquiry” means a lawful executive branch investigation or official
			 proceeding inquiring into a violation of, or failure to comply with, any
			 criminal or civil statute or any regulation, rule, or order issued pursuant to
			 such a statute.
							(c)RedactionsTo
			 the maximum extent practicable, and consistent with the requirements of due
			 process, a law enforcement agency shall redact personally identifying
			 information from personal health information prior to the public disclosure of
			 such protected information in a judicial or administrative proceeding.
						(d)ExceptionThis
			 section shall not be construed to limit or restrict the ability of law
			 enforcement authorities to gain information while in hot pursuit of a suspect
			 or if other exigent circumstances exist.
						(e)Investigative or
			 law enforcement officer definedIn this section, the term
			 “investigative or law enforcement officer” means any officer of the
			 United States or of a State or political subdivision thereof, who is empowered
			 by law to conduct investigations of, or to make arrests for, civil or criminal
			 offenses, and any attorney authorized by law to prosecute or participate in the
			 prosecution of such offenses.
						132.Disclosure for
			 public health purposes
						(a)In
			 generalA health information person may disclose personal health
			 information to a public health authority (as defined in section 171(24)) or
			 other entity authorized by public health law, when receipt of such information
			 by the authority or other entity—
							(1)relates directly
			 to a specified public health purpose;
							(2)is reasonably
			 likely to achieve such purpose; and
							(3)is
			 intended for a purpose that cannot be achieved through the receipt or use of
			 de-identified health information.
							(b)Public health
			 protection definedFor purposes of subsection (a), the term
			 “public health purpose” means a population-based activity or
			 individual effort, authorized by law, the purpose of which is the prevention of
			 injury, disease, or premature mortality, or the promotion of health, in a
			 community, including—
							(1)assessing the
			 health needs and status of the community through public health surveillance and
			 epidemiological research;
							(2)implementing
			 public health policy;
							(3)responding to
			 public health needs and emergencies; and
							(4)any other
			 activities or efforts authorized by law.
							(c)LimitationsThe
			 purpose of the disclosure described in subsection (a) shall be of significant
			 importance such that it warrants the potential effect on, or risk to, the
			 privacy of individuals that the additional exposure of personal health
			 information might bring. Any infringement on the right to privacy under this
			 section shall use the least intrusive means that are tailored to minimize
			 intrusion on the right to privacy.
						133.Reporting of
			 abuse and neglect to protection and advocacy agenciesAny health information person may disclose
			 personal health information to a protection and advocacy agency established
			 under part C of title I of the Developmental Disabilities Assistance and Bill
			 of Rights Act (42 U.S.C. 6041 et seq.) or under the Protection and Advocacy for
			 Mentally Ill Individuals Act of 1986 (42 U.S.C. 10801 et seq.) when such person
			 reasonably believes that an individual who is the subject of the personal
			 health information is vulnerable to abuse and neglect by an entity providing
			 health or social services to the individual.
					134.Disclosure to
			 next of kin and directory information
						(a)Next of
			 kinA health care provider, or a person that receives personal
			 health information under section 141, may disclose personal health information
			 about health care services provided to an individual to the individual's next
			 of kin, or to another entity that the individual has identified, if at the time
			 of the treatment of the individual—
							(1)the
			 individual—
								(A)has been notified
			 of the individual's right to object to such disclosure and the individual has
			 not objected to the disclosure; or
								(B)is in a physical
			 or mental condition such that the individual is not capable of objecting, and
			 there are no prior indications that the individual would object; and
								(2)the information
			 disclosed is relevant to health care services currently being provided to that
			 individual.
							(b)Directory
			 information
							(1)Disclosure
								(A)In
			 generalExcept as provided in paragraph (2), with respect to an
			 individual who is admitted as an inpatient to a health care facility, a person
			 described in subsection (a) may disclose information described in subparagraph
			 (B) about the individual to any entity if, at the time of the admission, the
			 individual—
									(i)has
			 been notified of the individual's right to object and has not objected to the
			 disclosure; or
									(ii)is
			 in a physical or mental condition such that the individual is not capable of
			 objecting and there are no prior indications that the individual would
			 object.
									(B)InformationInformation
			 described in this subparagraph is information that consists only of 1 or more
			 of the following items:
									(i)The
			 name of the individual who is the subject of the information.
									(ii)The
			 general health status of the individual, described as critical, poor, fair,
			 stable, or satisfactory or in terms denoting similar conditions.
									(iii)The location of
			 the individual within the health care facility to which the individual is
			 admitted.
									(2)ExceptionParagraph
			 (1)(B)(iii) shall not apply if disclosure of the location of the individual
			 would reveal specific information about the physical or mental condition of the
			 individual, unless the individual expressly authorizes such disclosure.
							(c)Directory or
			 next-of-kin informationA disclosure may not be made under this
			 section if the disclosing person described in subsection (a) has reason to
			 believe that the disclosure of directory or next-of-kin information could lead
			 to the physical or mental harm of the individual, unless the individual
			 expressly authorizes such disclosure.
						Chapter 3—Special Circumstances
					141.Emergency
			 circumstances
						(a)General
			 ruleIn the event of a threat of imminent physical or mental harm
			 to the subject of personal health information, any person may, in order to
			 allay or remedy such threat, disclose personal health information about such
			 subject to a health care provider, health care facility, law enforcement
			 authority, or emergency medical personnel, to the minimum extent necessary and
			 only if determined appropriate by a health care provider.
						(b)Harm to
			 othersAny person may disclose personal health information about
			 the subject of the information where—
							(1)such subject has
			 made an identifiable threat of serious injury or death with respect to an
			 identifiable individual or group of individuals;
							(2)the subject has
			 the ability to carry out such threat; and
							(3)the release of
			 such information is necessary to prevent or significantly reduce the
			 possibility of such threat being carried out.
							142.Health
			 research
						(a)Regulations
							(1)In
			 generalThe requirements and protections provided for under part
			 46 of title 45, Code of Federal Regulations (as in effect on the date of
			 enactment of this Act), shall apply to all health research.
							(2)Effective
			 dateParagraph (1) shall not take effect until the Secretary has
			 promulgated final regulations to implement such paragraph.
							(b)EvaluationNot
			 later than 24 months after the date of the enactment of this Act, the Secretary
			 shall prepare and submit to Congress detailed recommendations on whether
			 informed consent should be required, and if so, under what circumstances,
			 before personal health information can be used for health research.
						(c)RecommendationsThe
			 recommendations required to be submitted under subsection (b) shall
			 include—
							(1)a
			 detailed explanation of current institutional review board practices, including
			 the extent to which the privacy of individuals is taken into account as a
			 factor before allowing waivers and under what circumstances informed consent is
			 being waived;
							(2)a list of all known breaches of health
			 information privacy over the past 5 years in research projects approved by an
			 institutional review board;
							(3)a summary of how technology that both
			 facilitates research and preserves privacy could be used to obtain informed
			 consent and strip identifying data for the purpose of research;
							(4)an analysis of State and Federal laws,
			 medical ethics, and ethics in the performance of health research that examines
			 requirements for the receipt of informed consent; and
							(5)an analysis of the
			 risks and benefits of allowing individuals to consent or to refuse to consent,
			 at the time of receiving medical treatment, to the possible future use of
			 records of medical treatments for research studies.
							(d)ConsultationIn carrying out this section, the Secretary
			 shall consult with individuals who have distinguished themselves in the fields
			 of health research, privacy, related technology including electronic consent
			 management tools, consumer interests in health information, health data
			 standards, and the provision of health services.
						(e)Congressional
			 noticeNot later than 6 months after the date on which the
			 Secretary submits to Congress the recommendations required under subsection
			 (b), the Secretary shall propose to implement such recommendations through
			 regulations promulgated on the record after opportunity for a hearing, and
			 shall advise the Congress of such proposal.
						(f)Other
			 requirements
							(1)Obligations of
			 the recipientA person who receives personal health information
			 pursuant to this section shall remove or destroy, at the earliest opportunity
			 consistent with the purposes of the project involved, information that would
			 enable an individual to be identified, unless—
								(A)an institutional
			 review board has determined that there is a health or research justification
			 for the retention of such identifiers;
								(B)an institutional review board has, to the
			 maximum extent practicable, attempted to contact the individual to whom the
			 identifiers relate;
								(C)upon being
			 contacted pursuant to subparagraph (B), the individual does not object to the
			 retention of such identifiers; and
								(D)there is an
			 adequate plan to protect the identifiers from disclosure consistent with this
			 section.
								(2)Periodic review
			 and technical assistance
								(A)Institutional
			 review boardAny institutional review board that authorizes
			 research under this section shall provide the Secretary with the names and
			 addresses of the institutional review board members.
								(B)Technical
			 assistanceThe Secretary shall provide technical assistance to
			 institutional review boards described in this subsection.
								(C)MonitoringThe Secretary shall periodically monitor
			 institutional review boards described in this subsection, including with
			 respect to the privacy, security, and confidentiality practices of such
			 boards.
								(D)ReportsNot
			 later than 3 years after the date of enactment of this Act, the Secretary shall
			 report to Congress regarding the activities of institutional review boards
			 described in this subsection.
								(g)LimitationNothing
			 in this section shall be construed to permit personal health information that
			 is received by a researcher under this section to be accessed for purposes
			 other than research or as authorized by the individual that is the subject of
			 such personal health information.
						143.Health
			 oversight functions
						(a)In
			 generalA health information person may disclose personal health
			 information to a health oversight agency (as defined in section 171(16)) to
			 enable the agency to perform a health oversight function authorized by law,
			 if—
							(1)the purpose for
			 which the disclosure is to be made cannot reasonably be accomplished without
			 personal health information;
							(2)the purpose for
			 which the disclosure is to be made is of sufficient importance to warrant the
			 effect on, or the risk to, the privacy of the individuals that additional
			 exposure of the information might bring; and
							(3)there is a
			 reasonable probability that the purpose of the disclosure will be
			 accomplished.
							(b)Use and
			 maintenance of personal health informationA health oversight
			 agency that receives personal health information under subsection (a)—
							(1)shall, to the maximum extent practicable,
			 obtain the informed consent of the individual to whom the personal health
			 information relates before using or disclosing the information;
							(2)shall secure
			 personal health information in all work papers and all documents summarizing
			 the health oversight activity through technological, administrative, and
			 physical safeguards including cryptographic-key based encryption;
							(3)shall maintain in
			 its records only such information about an individual as is relevant and
			 necessary to accomplish the purpose for which the personal health information
			 was obtained;
							(4)using appropriate
			 encryption measures, shall maintain such information securely and limit access
			 to such information to those persons with a legitimate need for access to carry
			 out the purpose for which the records were obtained; and
							(5)shall remove or
			 destroy the information that allows subjects of personal health information to
			 be identified at the earliest time at which removal or destruction can be
			 accomplished, consistent with the purpose of the health oversight
			 activity.
							(c)Authorization by
			 a supervisorFor purposes of this section, the individual with
			 authority to authorize the oversight function involved shall provide to the
			 disclosing person described in subsection (a) a statement that the personal
			 health information is being sought for a legally authorized oversight
			 function.
						144.Individual
			 representatives
						(a)In
			 generalExcept as provided in subsections (b) and (c), a person
			 who is authorized by law (based on grounds other than an individual's status as
			 a minor), or by an instrument recognized under law, to act as an agent,
			 attorney, proxy, or other legal representative of an individual, may, to the
			 extent so authorized, exercise and discharge the rights of the individual under
			 this title.
						(b)Health care
			 power of attorneyA person who is authorized by law (based on
			 grounds other than being a minor), or by an instrument recognized under law, to
			 make decisions about the provision of health care to an individual who is
			 incapacitated, may exercise and discharge the rights of the individual under
			 this title to the extent necessary to effectuate the terms or purposes of the
			 grant of authority.
						(c)Individuals
			 suffering from certain medical conditionsIf a physician or other
			 health care provider determines that an individual, who has not been declared
			 to be legally incompetent, suffers from a medical condition that prevents the
			 individual from acting knowingly or effectively on the individual's own behalf,
			 the right of the individual to access or amend the health information and to
			 authorize disclosure under this title may be exercised and discharged in the
			 best interest of the individual by—
							(1)a
			 person described in subsection (b) with respect to the individual;
							(2)a
			 person described in subsection (a) with respect to the individual, but only if
			 a person described in paragraph (1) cannot be contacted after a reasonable
			 effort or if there is no individual who fits the description in paragraph
			 (1);
							(3)the next of kin of
			 the individual, but only if a person described in paragraph (1) or (2) cannot
			 be contacted after a reasonable effort; or
							(4)the health care
			 provider, but only if a person described in paragraph (1), (2), or (3) cannot
			 be contacted after a reasonable effort.
							(d)Rights of
			 minors
							(1)Individuals who
			 are 18 or legally capableIn the case of an individual—
								(A)who is 18 years of
			 age or older, all rights of the individual under this title shall be exercised
			 by the individual; or
								(B)who, acting alone,
			 can consent to health care without violating any applicable law, and who has
			 sought such care, the individual shall exercise all rights of an individual
			 under this title with respect to personal health information relating to such
			 health care.
								(2)Individuals
			 under 18Except as provided in paragraph (1)(B), in the case of
			 an individual who is—
								(A)under 14 years of
			 age, all of the individual's rights under this title shall be exercised through
			 the parent or legal guardian; or
								(B)14 through 17
			 years of age, the rights of inspection, supplementation, and modification, and
			 the right to authorize use and disclosure of personal health information of the
			 individual shall be exercised by—
									(i)the
			 individual where no parent or legal guardian exists;
									(ii)the
			 parent or legal guardian of the individual; or
									(iii)the individual
			 if the parent or legal guardian determined that the individual has the sole
			 right to control their health information.
									(e)Deceased
			 individuals
							(1)Application of
			 ActThe provisions of this title shall continue to apply to
			 personal health information concerning a deceased individual.
							(2)Exercise of
			 rights on behalf of a deceased individualA person who is
			 authorized by law or by an instrument recognized under law, to act as an
			 executor or administrator of the estate of a deceased individual, or otherwise
			 to exercise the rights of the deceased individual, may, to the extent so
			 authorized, exercise and discharge the rights of such deceased individual under
			 this title. If no such designee has been authorized, the rights of the deceased
			 individual may be exercised as provided for in subsection (c).
							(3)Identification of
			 deceased individualA person described in section 136(a) may
			 disclose personal health information if such disclosure is necessary to assist
			 in the identification of a deceased individual.
							Subtitle D—Enforcement
				151.In
			 general
					(a)Civil
			 penaltyA health information person who the Secretary, in
			 consultation with the Attorney General, determines has substantially and
			 materially failed to comply with this title shall be subject, in addition to
			 any other penalties that may be prescribed by law—
						(1)in a case in which
			 the violation relates to subtitle A, B, or C, to a civil penalty of not more
			 than $500 for each such violation, but not to exceed $5,000 in the aggregate
			 for multiple violations;
						(2)in a case in which the violation relates to
			 subtitle A, B, or C, to a civil penalty of not more than $10,000 for each such
			 violation, but not to exceed $50,000 in the aggregate for multiple violations;
			 or
						(3)in a case in which
			 such violations have occurred with such frequency as to constitute a general
			 business practice, to a civil penalty of not more than $100,000.
						(b)Civil action by
			 individuals
						(1)In
			 generalAny individual whose rights under subtitle A, B, or C
			 have been knowingly or negligently violated may bring a civil action to
			 recover—
							(A)such preliminary
			 and equitable relief as the court determines to be appropriate; and
							(B)the greater of
			 compensatory damages or liquidated damages of $5,000.
							(2)Additional
			 remediesThe equitable relief or damages that may be available
			 under this section shall be in addition to any other lawful remedy or award
			 that may be available.
						152.Enforcement by
			 State attorneys general
					(a)Civil
			 actionsIn any case in which the attorney general of a State or
			 any State or local law enforcement agency authorized by the State attorney
			 general or by State law to prosecute violations of consumer protection laws,
			 has reason to believe that an interest of the residents of that State has been
			 or is threatened or adversely affected by the engagement of a person in a
			 practice that is prohibited under subtitle A, B, or C, the State or local law
			 enforcement agency on behalf of the residents of the agency's jurisdiction, may
			 bring a civil action on behalf of the residents of the State or jurisdiction in
			 a district court of the United States of appropriate jurisdiction to—
						(1)enjoin that act or
			 practice;
						(2)enforce compliance
			 with the respective subtitle; or
						(3)obtain civil penalties in an amount
			 calculated by multiplying the number of violations by an amount not greater
			 than $11,000.
						For
			 purposes of civil penalties under this subsection, each day that a person is in
			 violation of the requirements of subtitle A, B, or C shall be treated as a
			 separate violation, up to a maximum civil penalty of $5,000,000.
						(b)Rule of
			 constructionFor purposes of bringing any civil action under
			 subsection (a), nothing in this subtitle regarding notification shall be
			 construed to prevent an attorney general of a State from exercising the powers
			 conferred on such attorney general by the laws of that State to—
						(1)conduct
			 investigations;
						(2)administer oaths
			 or affirmations; or
						(3)compel the
			 attendance of witnesses or the production of documentary and other
			 evidence.
						(c)Venue; service
			 of process
						(1)VenueAny
			 action brought under subsection (a) may be brought in the district court of the
			 United States that meets applicable requirements relating to venue under
			 section 1391 of title 28, United States Code.
						(2)Service of
			 processIn an action brought under subsection (a), process may be
			 served in any district in which the defendant—
							(A)is an inhabitant;
			 or
							(B)may be
			 found.
							Subtitle E—Miscellaneous
				161.Office of
			 Health Information Privacy
					(a)In
			 generalThe Secretary shall designate an office within the
			 Department of Health and Human Services to be known as the Office of Health
			 Information Privacy (referred to in this section as the “Office”).
			 The Office shall be headed by a Director, who shall be appointed by the
			 Secretary.
					(b)DutiesThe
			 Director of the Office shall—
						(1)receive and
			 investigate complaints of alleged violations of this title;
						(2)provide for the
			 conduct of audits where appropriate;
						(3)provide guidance
			 to the Secretary on the implementation of this Act;
						(4)provide guidance
			 to health care providers and other relevant individuals concerning the manner
			 in which to interpret and implement the privacy protections under this title
			 (and the regulations promulgated under this title);
						(5)prepare and submit
			 the report described in subsection (c);
						(6)consult with, and
			 provide recommendations to, the Secretary concerning improvements in the privacy
			 and security of personal health information and concerning medical privacy
			 research needs; and
						(7)carry out any
			 other activities determined appropriate by the Secretary.
						(c)Standards for
			 certification
						(1)EstablishmentNot later than 12 months after the date of
			 enactment of this Act, the Secretary, in consultation with the Director of the
			 Office and the Director of the Office of Civil Rights, shall establish and
			 implement standards for health information technology products, including
			 qualified health information technology systems (as defined in section 213),
			 used to access, disclose, maintain, store, distribute, transmit, amend, or
			 dispose of personal health information in a manner that protects the
			 individual’s right to privacy, confidentiality, and security relating to that
			 information.
						(2)Stakeholder
			 participationIn establishing
			 the standards under paragraph (1), the Secretary shall ensure the participation
			 of various stakeholders, including patients and consumer advocates, privacy
			 advocates, experts in information technology and information systems, and
			 experts in health care. The Secretary shall ensure that these advocates and
			 experts are equally represented, such that the stakeholder process does not
			 result in the experts in information technology, information systems, and
			 health care being disproportionately represented compared to advocates for the
			 interests of consumers and privacy proponents.
						(d)Report on
			 complianceNot later than January 1 of the first calendar year
			 beginning more than 1 year after the establishment of the Office under
			 subsection (a), and every January 1 thereafter, the Secretary, in consultation
			 with the Director of the Office, shall prepare and submit to Congress a report
			 concerning the number of complaints of alleged violations of subtitle A that
			 are received during the year for which the report is being prepared. Such
			 report shall describe the complaints and any remedial action taken concerning
			 such complaints and shall be made available to the public on the Internet
			 website of the Department of Health and Human Services.
					162.Protection for
			 whistleblowers
					(a)Prohibition
			 against discriminationA
			 health information person may not—
						(1)discharge, demote,
			 suspend, threaten, harass, retaliate against, or in any other manner
			 discriminate or cause any employer to discriminate against an employee in the
			 terms and conditions of employment because of—
							(A)the refusal of the
			 employee to engage in a violation of this title; or
							(B)any lawful act the employee has committed
			 or is about to commit, or which the health information person perceives the
			 employee to have committed, to provide information or cause information to be
			 provided, including in the course of the employee’s routine job duties, to the
			 individual’s employer or to a State or Federal official relating to an actual
			 or suspected violation of this title by any person, including an employer or an
			 employee of an employer; or
							(2)adversely affect
			 another person, directly or indirectly, because such person has exercised a
			 right under this title, disclosed information relating to a possible violation
			 of subtitle A, B, or C or this section, or associated with, or assisted, an
			 individual in the exercise of a right under this title.
	(b) Enforcement actions
		(1) In general
			(A) Complaint with Secretary of Labor. Any employee or former employee who alleges a violation of subsection (a) may seek relief under subsection (c), by filing a complaint with the Secretary of Labor.
			(B) Appellate review in case of final order. Unless an employee brings an action in district court under subparagraph (C), any person adversely affected or aggrieved by a final order of the Secretary of Labor with respect to a complaint filed under subparagraph (A) may obtain review of the order in the United States court of appeals for the circuit in which the violation, with respect to which the order was issued, allegedly occurred or the circuit in which the complainant resided on the date of such violation. The petition for review must be filed not later than 60 days after the date of the issuance of the final order. The review shall conform to chapter 7 of title 5, United States Code. The commencement of proceedings under this subparagraph shall not, unless ordered by the court, operate as a stay of the order.
			(C) De novo review. If the Secretary of Labor has not issued a final decision within 180 days after the filing of the complaint, or within 90 days after receiving any written determination, the complainant may bring an action at law or equity for de novo review in the appropriate district court of the United States with jurisdiction, which shall have jurisdiction over such an action without regard to the amount in controversy, and which action shall, at the request of either party to such action, be tried by the court with a jury.
		(2) Procedures
			(A) In general. Except as provided in this paragraph, the complaint procedures contained in section 42121(b) of title 49, United States Code, shall apply with respect to a complaint filed under paragraph (1)(A).
			(B) Exception. With respect to a complaint filed under paragraph (1)(A), the notification provided for under section 42121(b)(1) of title 49, United States Code, (as required under subparagraph (A)) shall be made to the person named in the complaint and to the employer.
			(C) Burden of proof. The legal burdens of proof contained in section 42121(b) of title 49, United States Code, shall apply to any action brought under this subsection.
			(D) Statute of limitations. A complaint shall be filed under paragraph (1)(A) not later than 2 years after the date on which the alleged violation occurs.
			(E) Civil actions to enforce. If a person fails to comply with an order issued by the Secretary of Labor pursuant to the procedures in section 42121(b) of title 49, United States Code, the Secretary shall have the authority described in section 42121(b)(5) of title 49, United States Code, to bring a civil action to enforce the order in the district court of the United States for the judicial district in which the violation occurred.
	(c) Remedies
		(1) In general. If the Secretary of Labor or the district court determines that a violation of subsection (a) has occurred, the Secretary or court shall order any relief necessary to make the employee whole.
		(2) Compensatory damages. Relief in any action under such subsection shall include—
			(A) reinstatement of the employee to the employee's former position with the same seniority status that the employee would have had but for the discrimination;
			(B) payment of the amount of back pay, with interest, to which the employee is entitled; and
			(C) the payment of compensation for any special damages sustained by the employee as a result of the discrimination, including litigation costs, expert witness fees, and reasonable attorney fees.
		(3) Punitive damages. Relief in any action under such subsection may include punitive damages in an amount not to exceed $250,000.
	(d) Rights retained by the employee. Nothing in this section shall be construed to diminish or eliminate the rights, privileges, or remedies available to an employee under any Federal or State law, or under any collective bargaining agreement.
	(e) Limitation. The protections of this section shall not apply to any employee who—
		(1) deliberately causes or participates in the alleged violation; or
		(2) knowingly or recklessly provides materially false information to an individual or entity described in subsection (a).
	(f) Definitions. In this section:
		(1) Employ. The term "employ" has the meaning given such term under section 3(g) of the Fair Labor Standards Act of 1938 (29 U.S.C. 203(g)) for the purposes of implementing the requirements of that Act (29 U.S.C. 201, et seq.).
		(2) Employee. The term "employee" means an individual who is employed by an employer.
		(3) Employer. The term "employer" means any person who employs employees, including any person acting directly or indirectly in the interest of any employer in relation to an employee and includes a public agency.
Sec. 163. Demonstration grant for individuals with limited English language proficiency or limited health literacy
	(a) In general. The Secretary shall award contracts or competitive grants to eligible entities to support demonstration projects that are designed to improve the communication of information pertaining to health privacy rights with individuals with limited English language proficiency and limited health literacy.
	(b) Purpose. It is the purpose of this section to promote the cultural competency of persons that access, maintain, retain, modify, record, store, destroy, or otherwise use or disclose personal health information, and to enable such persons to better communicate privacy procedures to non-English speakers, those with limited English proficiency, and those with limited health literacy.
	(c) Eligible entities. In this section, the term "eligible entity" means an organization or community-based consortium that includes—
		(1) individuals who are representatives of organizations serving or advocating for ethnic and racial minorities, low income immigrant populations, and others with limited English language proficiency and limited health literacy;
		(2) health care providers that provide care for ethnic and racial minorities, low income immigrant populations, and others with limited English language proficiency and limited health literacy;
		(3) community leaders and leaders of community-based organizations; and
		(4) experts and researchers in the areas of social and behavioral sciences, who have knowledge, training, or practical experience in health policy, advocacy, cultural and linguistic competency, or other relevant areas as determined by the Secretary.
	(d) Application. An eligible entity seeking a contract or grant under this section shall submit an application to the Secretary at such time, in such manner, and containing such information as the Secretary may require.
	(e) Use of funds. An eligible entity shall use amounts received under this section to carry out programs and studies designed to help identify best practices in the communication of privacy rights and procedures to ensure comprehension by individuals with limited English proficiency and limited health literacy.
Sec. 164. Relationship to other laws
	(a) Federal and State laws. Nothing in this Act shall be construed as preempting, superseding, or repealing, explicitly or implicitly, other Federal or State laws or regulations relating to personal health information or relating to an individual's access to personal health information or health care services, if such laws or regulations provide protections for the rights of individuals to the privacy of, and access to, their health information that is greater than those provided for in this Act.
	(b) Privileges. Nothing in this Act shall be construed to preempt or modify any provisions of State statutory or common law to the extent that such law concerns a privilege of a witness or person in a court of that State. This Act shall not be construed to supersede or modify any provision of Federal statutory or common law to the extent such law concerns a privilege of a witness or entity prior to a court proceeding or in a court of the United States. Informed consent shall not be construed as a waiver of any such privilege.
	(c) Certain duties under law. Nothing in this Act shall be construed to preempt, supersede, or modify the operation of any State law that—
		(1) provides for the reporting of vital statistics such as birth or death information;
		(2) requires the reporting of abuse or neglect information about any individual;
		(3) regulates the disclosure or reporting of information concerning an individual's mental health; or
		(4) governs a minor's rights to access personal health information or health care services.
	(d) Health Insurance Portability and Accountability Act. The standards governing the privacy and security of individually identifiable health information promulgated by the Secretary of Health and Human Services under sections 262(a) and 264 of the Health Insurance Portability and Accountability Act of 1996 shall remain in effect to the extent that they are consistent with this title. The Secretary shall by rule amend such Federal regulations as required to make such regulations consistent with this title.
Sec. 165. Effective date
	(a) Effective date. Unless specifically provided for otherwise, this title shall take effect on the date that is 12 months after the date of the promulgation of the regulations required under subsection (b), or 30 months after the date of enactment of this Act, whichever is earlier.
	(b) Regulations. Not later than 12 months after the date of enactment of this Act, or as specifically provided for otherwise, the Secretary shall promulgate regulations implementing this title.
Subtitle F. General Definitions
Sec. 171. General definitions. In this Act:
	(1) Agent. The term "agent" means a person that represents or acts for another person (a principal) under a contract or relationship of agency, or that functions to bring about, modify, affect, accept performance of, or terminate, contractual obligations between the principal and a third person. With respect to an employer, such term includes the employees of the employer.
	(2) Authorization. The term "authorization" means the authority granted by an individual that is the subject of personal health information, in accordance with this title, for the disclosure or use of the individual’s personal health information.
	(3) Breach. The term "breach" means the unauthorized acquisition, disclosure, or loss of personal health information which compromises the security, privacy, or integrity of personal health information maintained by or on behalf of a person.
	(4) Confidentiality. The term "confidentiality" means the obligations of those who receive information to respect the privacy interests of those to whom the data relate.
	(5) De-identified health information. The term "de-identified health information" means any personal health information, with respect to which—
		(A) all personal identifiers, or other information that may be used by itself or in combination with other information which may be available to re-identify (as defined in section 171(25)) the subject of the information (such as geographic, credit, and financial information and all of the identifiers enumerated at section 164.514(b)(2) of title 45 of the Code of Federal Regulations (as in effect on January 1, 2008)) have been removed;
		(B) a good faith effort has been made to evaluate, minimize, and mitigate the risks of re-identification of the subject of such information, using commonly accepted scientific and statistical standards and methods for minimizing risk of disclosure; and
		(C) there is no reasonable basis to believe that the information can be used to identify an individual.
	(6) Disclose. The term "disclose" means to release, publish, share, transfer, transmit, disseminate, show, permit access to, communicate (orally or otherwise), re-identify, or otherwise divulge personal health information to any person other than the individual who is the subject of such information. Such term includes the initial disclosure and any subsequent re-disclosure of personal health information.
	(7) Decryption key. The term "decryption key" means the variable information used in or produced by a mathematical formula, code, or algorithm, or any component thereof, used for encryption (as defined in paragraph (10)) or decryption of wire, electronic, or other communications or stored information.
	(8) Director of the Office of Health Information Privacy. The term "Director of the Office of Health Information Privacy" means such Director as appointed under section 161.
	(9) Employer. Except as otherwise provided in section 164, the term "employer" means a person that is engaged in business affecting commerce and that has employees.
	(10) Encryption. The term "encryption"—
		(A) means the protection of data in electronic form, in storage or in transit, using an encryption technology that has been adopted by an established standards setting body which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and
		(B) includes appropriate management and safeguards of such cryptographic keys so as to protect the integrity of the encryption.
	(11) Health care. The term "health care" means—
		(A) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, including appropriate assistance with disease or symptom management and maintenance, counseling, service, or procedure—
			(i) with respect to the physical or mental condition of an individual; or
			(ii) affecting the structure or function of the human body or any part of the human body, including the banking of blood, sperm, organs, or any other tissue; or
		(B) any sale or dispensing of a drug, device, equipment, or other health care-related item to an individual, or for the use of an individual, pursuant to a prescription.
	(12) Health care provider. The term "health care provider" means a person that, with respect to a specific item of personal health information, receives, accesses, maintains, retains, modifies, records, stores, destroys, or otherwise uses or discloses the information while acting in whole or in part in the capacity of—
		(A) an entity that is, or holds itself out to be, licensed, certified, registered, or otherwise authorized by Federal or State law to provide an item or service that constitutes health care in the ordinary course of business, or practice of a profession;
		(B) a contractor or other health care provider or facility authorized to provide items or services related to diagnosis or treatment of a health concern, including a hospital, nursing facility, allied health professional, and a facility used or maintained by allied health professionals;
		(C) a Federal or State program that directly provides items or services that constitute health care to beneficiaries;
		(D) an officer or employee or agent of a person described in subparagraph (A) or (C) who is engaged in the provision of health care or who uses personal health information; or
		(E) medical personnel in an emergency situation, including while communicating personal health information by radio transmission or other means.
	(13) Health information person. The term "health information person" means, in relation to personal health information, a person, including a health care provider, health researcher, health plan, health insurer, health care clearinghouse, health oversight agency, or public health authority, or such person’s agent, officer, employee, or affiliate, that accesses, maintains, retains, modifies, records, stores, or otherwise holds, uses, or discloses such information.
	(14) Health plan
		(A) In general. The term "health plan" means—
			(i) a group health plan (as defined in section 2791(a)(1) of the Public Health Service Act (42 U.S.C. 300gg–91(a)(1)));
			(ii) health insurance coverage (as such term is defined in section 2791(b)(1) of the Public Health Service Act (42 U.S.C. 300gg–91(b)(1))); or
			(iii) a safety net health plan (as defined in subparagraph (B)).
		(B) Safety net health plan. For purposes of subparagraph (A)(iii), the term "safety net health plan" means a managed care organization, as defined in section 1932(a)(1)(B)(i) of the Social Security Act—
			(i) that is exempt from or not subject to Federal income tax, or that is owned by an entity or entities exempt from or not subject to Federal income tax; and
			(ii) for which not less than 75 percent of the enrolled population receives benefits under a Federal health care program (as defined in section 1128B(f)(1) of the Social Security Act) or a health care plan or program which is funded, in whole or in part, by a State (other than a program for government employees).
	(15) Health or life insurer. The term "health or life insurer" means a health insurance issuer (as defined in section 9805(b)(2) of the Internal Revenue Code of 1986) or a life insurance company (as defined in section 816 of such Code) and includes the employees and agents of such a person.
	(16) Health oversight agency. The term "health oversight agency"—
		(A) means a person that—
			(i) performs or oversees the performance of an assessment, investigation, or prosecution relating to compliance with legal or fiscal standards relating to health care fraud or fraudulent claims regarding health care, health services or equipment, related activities and items, or the effectiveness of health privacy and security measures; and
			(ii) is a public executive branch agency, acting on behalf of a public executive branch agency, acting pursuant to a requirement of a public executive branch agency, or carrying out activities under a Federal or State law governing an assessment, evaluation, determination, investigation, or prosecution described in clause (i); and
		(B) includes the employees and agents of such a person.
	(17) Health record set. The term "health record set" means any item, collection, or grouping of information that includes personal health information, such as a medical record, electronic health record, electronic medical record, personal health record, or account of disclosure, use or access, that is created, accessed, received, maintained, retained, modified, recorded, stored, destroyed, or otherwise used or disclosed by a health care provider, employer, insurer, health plan, health researcher, data partner, or other person that relates to the health or illness of the body, mind, or genome of an individual.
	(18) Health researcher. The term "health researcher" means a person that is engaged in activities conducted for the purpose of advancing public knowledge and, with respect to a specific item of personal health information, receives the information—
		(A) pursuant to section 142 (relating to health research); or
		(B) while acting in whole or in part in the capacity of an officer, employee, or agent of a person that receives the information pursuant to such section.
	(19) Informed consent
		(A) In general. Subject to subparagraph (B), the term "informed consent" means the written authorization for use or disclosure of personal health information by the individual who is the subject of such information, conditioned upon—
			(i) that individual’s having been informed of the nature and probability of harm to the individual resulting from such authorization; and
			(ii) the authorization meeting the requirements of section 122(b).
		(B) Through inference. Informed consent may be inferred, in the absence of a contrary indication by the individual—
			(i) to the extent necessary to provide treatment and obtain payment for health care in emergency situations;
			(ii) to the extent necessary to provide treatment and payment where a health care provider is required by law to treat the individual;
			(iii) if the health care provider is unable to obtain informed consent due to substantial barriers to communicating with the individual and the provider reasonably infers from the circumstances, based upon the exercise of professional judgment, that the individual does not object to the disclosure or the disclosure is in the best interest of the individual; and
			(iv) to the extent the information is necessary to carry out or otherwise implement a medical or mental health practitioner’s order or prescription for health services, medical devices or supplies, or pharmaceuticals.
		(C) Multiple uses and disclosures. Informed consent may authorize multiple uses or disclosures.
	(20) Office of health information privacy. The term "Office of Health Information Privacy" means the Office of Health Information Privacy designated under section 161.
	(21) Person. The term "person" means an entity that is a government, governmental subdivision of an executive branch agency or authority, corporation, company, association, firm, partnership, society, estate, trust, joint venture, individual, individual representative, tribal government, or any other legal entity. Such term also includes the employees, contractors, agents, and affiliates of all legal entities described in the preceding sentence, whether or not they are acting in the capacity of their employment, contract, agency, or affiliation.
	(22) Privacy. The term "privacy" means an individual's right to control the acquisition, uses, or disclosures of his or her identifiable health data.
	(23) Personal health information
		(A) In general. The term "personal health information" means any information, including genetic information, biometric information, demographic information, and tissue samples collected from an individual, whether oral or recorded in any form or medium, that—
			(i) is created or received by a health care provider, health researcher, health plan, health or life insurer, medical or health savings plan administrator, health care clearinghouse, health oversight agency, public health authority, employer, data partner, or other person or such person’s agent, officer, or employee; and
			(ii)(I) relates to the past, present, or future physical or mental health or condition of an individual (including individual cells and their components), the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and
				(II)(aa) identifies an individual; or
					(bb) with respect to which there is a reasonable basis to believe that the information can be used to identify an individual.
		(B) Inclusion of decryption key. The term "personal health information" includes any decryption key used for the encryption or decryption of information described in subparagraph (A).
	(24) Public health authority. The term "public health authority" means an authority or instrumentality of the United States, a tribal government, a State, or a political subdivision of a State that is—
		(A) primarily responsible for public health matters; and
		(B) primarily engaged in activities such as injury reporting, public health surveillance, and public health investigation or intervention.
	(25) Re-identify. The term "re-identify", when used with respect to de-identified health information, means an attempt, successful or otherwise, to ascertain—
		(A) the identity of the individual who is the subject of such information; or
		(B) the decryption key with respect to the information (when undertaken with knowledge that such key would allow for the identification of the individual who is the subject of such information).
	(26) Secretary. The term "Secretary" means the Secretary of Health and Human Services.
	(27) Security. The term "security" means physical, technological, or administrative safeguards or tools used to protect identifiable health data from unwarranted access or disclosure.
	(28) Security breach. The term "security breach" means the physical, structural, or substantive compromise of the security of personal health information, through unauthorized disclosure, use, or access, whether actual or attempted, resulting in the acquisition, access, or use of such information by an unauthorized person. Such term does not apply to good faith or accidental acquisition, or disclosure of personal health information by an unauthorized person, so long as no further use or disclosure is made by such person.
	(29) Segregate. The term "segregate" means to hide, mask, or mark separate a designated subset of an individual’s personal health information, or to place such a subset in a location that is securely separated from the location used to store other personal health information, such that access to or use of any information so segregated may be effectively limited to those persons that are authorized by the individual to access or use that segregated information.
	(30) Signed. The term "signed" refers both to signatures in ink and to electronic signatures that are authenticated by the individual using an authentication method approved by the Secretary.
	(31) State. The term "State" means each of the several States, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana Islands.
	(32) To the maximum extent practicable. The term "to the maximum extent practicable" means the level of compliance that a reasonable person would deem technologically feasible so long as such feasibility is periodically evaluated in light of scientific advances.
	(33) Use. The term "use" means to create, record, collect, access, obtain, store, maintain, amend, correct, restore, modify, supplement, identify, re-identify, employ, apply, utilize, examine, analyze, detect, remove, destroy, dispose of, account for, or monitor the flow of personal health information.
	(34) Writing; written. The terms "writing" and "written" mean writing or written, respectively, in either a paper-based or computer-based form, including electronic and digital signatures.
Title II. Promotion of Health Information Technology
Subtitle A. Improving the Interoperability of Health Information Technology
Sec. 201. Office of the National Coordinator of Health Information Technology
	(a) Establishment. There is established within the office of the Secretary, the Office of the National Coordinator of Health Information Technology. The National Coordinator shall be appointed by the Secretary in consultation with the President, and shall report directly to the Secretary.
	(b) Purpose. The Office of the National Coordinator shall be responsible for—
		(1) ensuring that key health information technology initiatives are coordinated across programs of the Department of Health and Human Services;
		(2) ensuring that health information technology policies and programs of the Department of Health and Human Services are coordinated with such policies and programs of other relevant Federal agencies (including Federal commissions and advisory committees) with a goal of avoiding duplication of efforts and of helping to ensure that each agency undertakes activities primarily within the areas of its greatest expertise and technical capability;
		(3) reviewing Federal health information technology investments to ensure that Federal health information technology programs are meeting the objectives of the strategic plan published by the Office of the National Coordinator of Health Information Technology to establish a nationwide interoperable health information technology infrastructure;
		(4) providing comments and advice regarding specific Federal health information technology programs, at the request of Office of Management and Budget;
		(5) enhancing the use of health information technology to improve the quality of health care in the prevention and management of chronic disease and to address population health; and
		(6) consulting with the Office of Health Information Privacy to ensure that key health information technology initiatives of the Department of Health and Human Services and other Federal agencies are consistent with the privacy, confidentiality, and security requirements in title I.
	(c) Role With American Health Information Community and the Partnership for Health Care Improvement. The Office of the National Coordinator shall—
		(1) serve as an ex officio member of the American Health Information Community established under section 203, and act as a liaison between the Federal Government and the Community;
		(2) serve as an ex officio member of the Partnership and act as a liaison between the Federal Government and the Partnership for Health Care Improvement (established under section 202); and
		(3) serve as a liaison between the Partnership and the Community.
	(d) Reports and Website. The Office of the National Coordinator shall—
		(1) develop and publish a strategic plan for implementing a nationwide interoperable health information technology infrastructure;
		(2) maintain and frequently update an Internet website that—
			(A) publishes the schedule for the assessment of standards for significant use cases;
			(B) publishes the recommendations of the American Health Information Community;
			(C) publishes the recommendations of the Partnership for Health Care Improvement;
			(D) publishes quality measures;
			(E) identifies sources of funds that will be made available to facilitate the purchase of, or enhance the utilization of, health information technology systems, either through grants or technical assistance; and
			(F) publishes a plan for a transition of any functions of the Office of the National Coordinator that should be continued after September 30, 2014;
		(3) prepare a report on the lessons learned from major public and private health care systems that have implemented health information technology systems, including an explanation of whether the systems and practices developed by such systems may be applicable to and usable in whole or in part by other health care providers; and
		(4) assess the impact of health information technology in communities with health disparities and identify practices to increase the adoption of such technology by health care providers in such communities.
	(e) Rule of Construction. Nothing in this section shall be construed as requiring the duplication of Federal efforts with respect to the establishment of the Office of the National Coordinator of Health Information Technology, regardless of whether such efforts are carried out before or after the date of the enactment of this title.
	(f) Authorization of Appropriations. There is authorized to be appropriated to carry out this section, $5,000,000 for each of fiscal years 2009 and 2010.
	(g) Sunset. The provisions of this section shall not apply after September 30, 2014.
Sec. 202. Partnership for Health Care Improvement
	(a) Establishment
		(1) In general. There is established a public-private Partnership for Health Care Improvement (in this title referred to as the "Partnership") to—
			(A) provide advice to the Secretary and the Nation and recommend specific actions to achieve a nationwide interoperable health information technology infrastructure;
			(B) make recommendations concerning standards, including privacy, security, and confidentiality standards, implementation specifications, and certification criteria for the electronic exchange of personal health information (including for the reporting of quality data under section 221) for adoption by the Federal Government and voluntary adoption by private entities that are consistent with the requirements of title I;
			(C) serve as a forum for the participation of a broad range of stakeholders with specific technical expertise in the development of standards, implementation specifications, and certification criteria and protection of privacy and data security to provide input on the effective implementation of health information technology systems; and
			(D) develop and maintain an Internet website that—
				(i) publishes established governance rules (including a subsequent appointment process);
				(ii) publishes a business plan;
				(iii) publishes meeting notices at least 14 days prior to each meeting;
				(iv) publishes meeting agendas at least 7 days prior to each meeting; and
				(v) publishes meeting materials at least 3 days prior to each meeting.
		(2) Limitation. The Partnership shall not meet or take any action until an advisory committee charter has been filed with the Secretary and with the appropriate committees of the Senate and House of Representatives for the American Health Information Community described in section 203.
	(b) Membership
		(1) Members. The members of the Partnership shall consist of the following:
			(A) Appointed members. The appointed members of the Partnership shall be appointed as follows:
				(i) 2 members shall be appointed by the Secretary.
				(ii) 1 member shall be appointed by the majority leader of the Senate.
				(iii) 1 member shall be appointed by the minority leader of the Senate.
								(iv)1
			 member shall be appointed by the Speaker of the House of
			 Representatives.
								(v)1
			 member shall be appointed by the minority leader of the House of
			 Representatives.
								(vi)Seven members
			 shall be appointed by the Comptroller General of whom—
									(I)one member shall
			 be a representative of consumer or patient organizations;
									(II)one member shall
			 be a representative of organizations with expertise in the protection of
			 privacy;
									(III)one member shall
			 be a representative of organizations with expertise in security;
									(IV)one member shall
			 be a representative of health care providers;
									(V)one member shall
			 be a representative of health plans or other third party payers;
									(VI)one member shall be
			 a representative of information technology vendors; and
									(VII)one member shall
			 be a representative of purchasers or employers.
									(B)National
			 CoordinatorThe National Coordinator shall be a member of the
			 Partnership and act as a liaison among the Partnership, the community, and the
			 Federal Government.
							(2)Chairperson and
			 vice chairpersonThe Partnership shall designate one member to
			 serve as the chairperson and one member to serve as the vice chairperson of the
			 Partnership.
						(3)ParticipationMembers shall be appointed under paragraph
			 (1)(A), and the Partnership shall develop procedures for conducting its
			 activities, so as to ensure a balance among various sectors of the health care
			 system so that no single sector unduly influences the recommendations of the
			 Partnership.
						(4)TermsMembers
			 appointed under paragraph (1)(A) shall serve for 3 year terms, except that any
			 member appointed to fill a vacancy for an unexpired term shall be appointed for
			 the remainder of such term. A member may serve for not to exceed 180 days after
			 the expiration of such member’s term or until a successor has been
			 appointed.
						(5)Outside
			 involvementThe Partnership shall ensure an adequate opportunity
			 for the participation of outside advisors, including individuals with expertise
			 in—
							(A)the protection of
			 personal health information privacy;
							(B)personal health
			 information security;
							(C)health care quality
			 and patient safety, including individuals with expertise in utilizing health
			 information technology to improve health care quality and patient
			 safety;
							(D)medical and
			 clinical research data exchange; and
							(E)developing health
			 information technology standards and new health information technology.
							(6)QuorumTwo-thirds
			 of the members of the Partnership shall constitute a quorum for the purpose of
			 conducting votes.
						(c)Standards and
			 Implementation Specifications
						(1)ScheduleNot
			 later than 90 days after the date of enactment of this title, the Partnership
			 shall develop a schedule for the assessment of standards and implementation
			 specifications under this section. The Partnership shall update such schedule
			 annually. The Secretary shall publish such schedule in the Federal Register and
			 on the Internet website of the Department of Health and Human Services.
						(2)First year
			 recommendationsConsistent with the schedule published under
			 paragraph (1) and not later than 1 year after date of enactment of this title,
			 the Partnership shall recommend, and the Secretary shall review, such standards
			 and implementation specifications.
						(3)Ongoing
			 recommendationsThe Partnership shall review and modify, as
			 appropriate but at least annually, adopted standards and implementation
			 specifications and continue to recommend additional standards and
			 implementation specifications, consistent with the schedule published pursuant
			 to paragraph (1). The Secretary shall review such modifications and
			 recommendations.
						(4)Recognition of
			 private entitiesThe Partnership, in consultation with the
			 Secretary, may recognize a private entity or entities for the purpose of
			 developing and updating standards and implementation specifications to achieve
			 uniform and consistent implementation of the standards adopted by the President
			 under this title. Such entity or entities shall make recommendations to the
			 Partnership consistent with this section.
						(5)PublicationAll
			 recommendations made by the Partnership pursuant to this section shall be
			 published in the Federal Register and on the Internet website of the Office of
			 the National Coordinator.
						(6)Requirement for
			 certain recommendationsThe
			 Partnership may not issue any recommendation that affects an individual’s right
			 to health information privacy unless such recommendation receives the
			 affirmative support of the consumer or patient organization representative of
			 the Partnership appointed under subsection (b)(1)(A)(vi)(I).
						(7)Pilot
			 testingThe Secretary may conduct, or recognize a private entity
			 or entities to conduct, a pilot project to test the standards and
			 implementation specifications developed under this section in order to provide
			 for the efficient implementation of the standards and implementation
			 specifications described in this subsection prior to issuing such
			 recommendations.
						(8)Public
			 inputThe Partnership shall conduct open public meetings and
			 develop a process to allow for public comment on the schedule and
			 recommendations described in this section. Such process shall ensure that such
			 comments will be submitted within 30 days of the publication of a
			 recommendation under this section.
						(9)Federal
			 actionNot later than 90 days
			 after the issuance of a recommendation from the Partnership under this
			 subsection, the Secretary, in collaboration with representatives of other
			 relevant Federal agencies as determined appropriate by the President, shall
			 jointly review such recommendation. If appropriate, the President shall provide
			 for the adoption by the Federal Government of any standard or implementation
			 specification contained in such recommendation only after providing an
			 opportunity for public comment in accordance with section 553 of title 5,
			 United States Code. Such determination shall be published in the Federal
			 Register and on the Internet website of the Office of the National Coordinator
			 within 30 days after such determination is made.
						(10)ConsistencyThe standards and implementation
			 specifications described in this subsection shall be consistent with the
			 privacy protections in title I and the standards for information transactions
			 and data elements developed pursuant to the regulations promulgated under
			 section 264(c) of the Health Insurance Portability and Accountability Act of
			 1996.
						(d)Certification
						(1)Developing
			 criteriaThe Partnership, in consultation with the Secretary, may
			 recognize a private entity or entities for the purpose of developing and
			 recommending to the Partnership criteria to certify that appropriate categories
			 of health information technology products that claim to be in compliance with
			 applicable standards and implementation specifications adopted under this title
			 have established such compliance.
						(2)Adoption of
			 criteriaThe Secretary, based upon the recommendations of the
			 Partnership, shall review, and if appropriate, adopt such criteria.
						(3)Conducting
			 certificationThe Secretary may recognize a private entity or
			 entities to conduct the certifications described under paragraph (1) using the
			 criteria adopted by the Secretary under this subsection.
						(e)Rule of
			 ConstructionNothing in this section shall be construed as
			 disrupting existing activities described in subsection (c) or (d).
					(f)Requirement to
			 Consider RecommendationsIn carrying out the activities described
			 in subsections (c) and (d), the Partnership shall adopt and integrate the
			 recommendations of the American Health Information Community that are adopted
			 by the Secretary.
					(g)Authorization of
			 AppropriationsThere are authorized to be appropriated to carry
			 out this section, $2,000,000 for each of the fiscal years 2009 and 2010.
					203.American Health
			 Information Community policies
					(a)EstablishmentThere
			 is established a committee to be known as the American Health Information
			 Community (in this section referred to as the Community). The
			 Community shall—
						(1)provide advice to
			 the Secretary and the heads of any relevant Federal agencies concerning the
			 policy considerations related to health information technology;
						(2)not later than 1
			 year after the date of enactment of this title, and annually thereafter, make
			 recommendations concerning a policy framework for the development and adoption
			 of a nationwide interoperable health information technology
			 infrastructure;
						(3)not later than 1
			 year after the date of enactment of this title, and annually thereafter, make
			 recommendation concerning national policies for adoption by the Federal
			 Government, and voluntary adoption by private entities, to support the
			 widespread adoption of health information technology, including—
							(A)the protection of
			 personal health information, including policies concerning the individual’s
			 ability to control the acquisition, uses, and disclosures of personal health
			 information;
							(B)methods to protect
			 personal health information from improper use and disclosures and methods to
			 notify patients if their personal health information is wrongfully
			 disclosed;
							(C)methods to
			 facilitate and secure access to such individual’s personal health
			 information;
							(D)the appropriate
			 uses of a nationwide personal health information infrastructure
			 including—
								(i)the
			 collection of quality data and public reporting;
								(ii)biosurveillance
			 and public health;
								(iii)medical and
			 clinical research; and
								(iv)drug
			 safety;
								(E)fostering the
			 public understanding of health information technology;
							(F)strategies to
			 enhance the use of health information technology in preventing and managing
			 chronic disease;
							(G)policies to
			 incorporate the input of employees of health care providers in the design and
			 implementation of health information technology systems; and
							(H)other policies
			 determined to be necessary by the Community; and
							(4)serve as a forum
			 for the participation of a broad range of stakeholders to provide input on
			 improving the effective implementation of health information technology
			 systems.
						The
			 Community may not make any recommendation that affects an individual’s right to
			 health information privacy unless the recommendation receives the affirmative
			 support of the consumer or patient organization representative appointed under
			 subsection (c)(1)(A)(viii)(I).
					(b)PublicationAll recommendations made by the Community
			 pursuant to this section shall be published in the Federal Register and on the
			 Internet website of the National Coordinator. The Secretary shall review all
			 recommendations and determine which recommendations shall be endorsed by the
			 Federal Government and such determination shall be published on the Internet
			 website of the Office of the National Coordinator after an opportunity for
			 public comment in accordance with section 553 of title 5, United States
			 Code.
					(c)Membership
						(1)MembersThe members of the Community shall consist
			 of the following:
							(A)Appointed
			 membersThe appointed members of the Community shall be appointed
			 as follows:
								(i)3
			 members shall be appointed by the Secretary, 1 of whom shall be a
			 representative from the Department of Health and Human Services.
								(ii)1
			 member shall be appointed by the Secretary of Veterans Affairs who shall
			 represent the Department of Veterans Affairs.
								(iii)1
			 member shall be appointed by the Secretary of Defense who shall represent the
			 Department of Defense.
								(iv)1
			 member shall be appointed by the majority leader of the Senate.
								(v)1
			 member shall be appointed by the minority leader of the Senate.
								(vi)1
			 member shall be appointed by the Speaker of the House of
			 Representatives.
								(vii)1
			 member shall be appointed by the minority leader of the House of
			 Representatives.
								(viii)Nine members
			 shall be appointed by the Comptroller General of whom—
									(I)one member shall
			 be advocates for patients or consumers;
									(II)one member shall
			 represent health care providers;
									(III)one member shall
			 be from a labor organization representing health care workers;
									(IV)one member shall
			 have expertise in the protection of privacy and data security;
									(V)one member shall
			 have expertise in improving the health of vulnerable populations;
									(VI)one member shall
			 represent health plans or other third party payers;
									(VII)one member shall
			 represent information technology vendors;
									(VIII)one member
			 shall represent purchasers or employers; and
									(IX)one member shall
			 have expertise in health care quality measurement and reporting.
									(B)National
			 CoordinatorThe National Coordinator shall be a member of the
			 Community and act as a liaison among the Community, the Partnership, and the
			 Federal Government.
							(2)Chairperson and
			 vice chairpersonThe Community shall designate one member to
			 serve as the chairperson and one member to serve as the vice chairperson of the
			 Community.
						(3)ParticipationThe
			 members of the Community appointed under paragraph (1) shall represent a
			 balance among various sectors of the health care system so that no single
			 sector unduly influences the recommendations of the Community.
						(4)Terms
							(A)In
			 generalThe terms of members of the Community shall be for 3
			 years except that the Comptroller General shall designate staggered terms for
			 the members first appointed.
							(B)VacanciesAny
			 member appointed to fill a vacancy in the membership of the Community that
			 occurs prior to the expiration of the term for which the member’s predecessor
			 was appointed shall be appointed only for the remainder of that term. A member
			 may serve after the expiration of that member’s term until a successor has been
			 appointed. A vacancy in the Community shall be filled in the manner in which
			 the original appointment was made.
							(5)Outside
			 involvementThe Community shall ensure an adequate opportunity
			 for the participation of outside advisors, including individuals with expertise
			 in—
							(A)the protection of
			 health information privacy and security;
							(B)improving the
			 health of vulnerable populations;
							(C)health care quality
			 and patient safety, including individuals with expertise in measurement and the
			 use of health information technology to capture data to improve health care
			 quality and patient safety;
							(D)ethics, including the ethical standards of
			 professional medical and mental health practitioner associations;
							(E)medical and
			 clinical research data exchange;
							(F)developing health
			 information technology standards and new health information technology;
			 and
							(G)the operation of a
			 State or local health information network.
							(6)QuorumTen
			 members of the Community shall constitute a quorum for purposes of voting, but
			 a lesser number of members may meet and hold hearings.
						(d)Federal
			 Agencies
						(1)Staff of other
			 federal agenciesUpon the request of the Community, the head of
			 any Federal agency may detail, without reimbursement, any of the personnel of
			 such agency to the Community to assist in carrying out the duties of the
			 Community. Any such detail shall not interrupt or otherwise affect the civil
			 service status or privileges of the Federal employee involved.
						(2)Technical
			 assistanceUpon the request of the Community, the head of a
			 Federal agency shall provide such technical assistance to the Community as the
			 Community determines to be necessary to carry out its duties.
						(3)Other
			 resourcesThe Community shall have reasonable access to
			 materials, resources, statistical data, and other information from the Library
			 of Congress and agencies and elected representatives of the executive and
			 legislative branches of the Federal Government. The chairperson or vice
			 chairperson of the Community shall make requests for such access in writing
			 when necessary.
						(e)Application of
			 FACAThe Federal Advisory Committee Act (5 U.S.C. App.) shall
			 apply to the Community, except that the term provided for under section
			 14(a)(2) of such Act shall be not longer than 7 years.
					(f)SunsetThe
			 provisions of this section shall not apply after September 20, 2014.
					(g)Authorization of
			 AppropriationsThere is authorized to be appropriated to carry
			 out this section, $2,000,000 for each of fiscal years 2009 and 2010.
					204.Research access
			 to health care data and reporting on performanceThe Secretary shall permit researchers that
			 meet criteria used to evaluate the appropriateness of the release of data for
			 research purposes (as established by the Secretary) to—
					(1)have access to all
			 Federal health care data; and
					(2)report on the
			 performance of health care providers and suppliers, including reporting in a
			 provider- or supplier-identifiable format.
					BFacilitating the
			 Widespread Adoption of Interoperable Health Information Technology
				211.Facilitating
			 the widespread adoption of interoperable health information technology
					(a)Competitive
			 Grants for Adoption of Technology
						(1)In
			 generalThe Secretary may award competitive grants to eligible
			 entities to facilitate the purchase and enhance the utilization of qualified
			 health information technology systems (as defined in section 213) to improve
			 the quality and efficiency of health care.
						(2)EligibilityTo
			 be eligible to receive a grant under paragraph (1) an entity shall—
							(A)submit to the
			 Secretary an application at such time, in such manner, and containing such
			 information as the Secretary may require;
							(B)submit to the
			 Secretary a strategic plan for the implementation of data sharing and
			 interoperability measures;
							(C)adopt the
			 standards adopted by the Federal Government under section 301;
							(D)implement the
			 measures adopted under section 221 and report to the Secretary on such
			 measures;
							(E)comply with the requirements of title
			 I;
							(F)take into account
			 the input of employees and staff who are directly involved in patient care of
			 such health care providers in the design, implementation, and use of qualified
			 health information technology systems;
							(G)demonstrate
			 significant financial need;
							(H)provide matching
			 funds in accordance with paragraph (4); and
							(I)be a—
								(i)public or not for
			 profit hospital;
								(ii)federally
			 qualified health center (as defined in section 1861(aa)(4) of the Social
			 Security Act);
								(iii)individual or
			 group practice (or a consortium thereof); or
								(iv)another health
			 care provider not described in clause (i) or (ii);
								that
			 serves medically underserved communities.
						(3)Use of
			 fundsAmounts received under a grant under this subsection shall
			 be used to—
							(A)facilitate the
			 purchase of qualified health information technology systems;
							(B)train personnel in
			 the use of such systems;
							(C)enhance the
			 utilization of qualified health information technology systems (which may
			 include activities to increase the awareness among consumers of health care
			 privacy protections); or
							(D)improve the
			 prevention and management of chronic disease.
							(4)Matching
			 requirementTo be eligible for a grant under this subsection an
			 entity shall contribute non-Federal contributions to the costs of carrying out
			 the activities for which the grant is awarded in an amount equal to $1 for each
			 $3 of Federal funds provided under the grant.
						(5)Preference in
			 awarding grantsIn awarding grants under this subsection the
			 Secretary shall give preference to—
							(A)eligible entities
			 that will improve the degree to which such entity will link the qualified
			 health information technology system to local or regional health information
			 plan or plans; and
							(B)with respect to
			 awards made for the purpose of providing care in an outpatient medical setting,
			 entities that organize their practices as a patient-centered medical
			 home.
							(b)Competitive
			 Grants for the Development of State Loan Programs To Facilitate the Widespread
			 Adoption of Health Information Technology
						(1)In
			 generalThe Secretary may award competitive grants to States for
			 the establishment of State programs for loans to health care providers to
			 facilitate the purchase and enhance the utilization of qualified health
			 information technology.
						(2)Establishment of
			 fundTo be eligible to receive a competitive grant under this
			 subsection, a State shall establish a qualified health information technology
			 loan fund (referred to in this subsection as a State loan fund)
			 and comply with the other requirements contained in this subsection. Amounts
			 received under a grant under this subsection shall be deposited in the State
			 loan fund established by the State. No funds authorized by other provisions of
			 this title to be used for other purposes specified in this title shall be
			 deposited in any such State loan fund.
						(3)EligibilityTo
			 be eligible to receive a grant under paragraph (1) a State shall—
							(A)submit to the
			 Secretary an application at such time, in such manner, and containing such
			 information as the Secretary may require;
							(B)submit to the
			 Secretary a strategic plan in accordance with paragraph (4);
							(C)establish a
			 qualified health information technology loan fund in accordance with paragraph
			 (2);
							(D)require that
			 health care providers receiving loans under the grant—
								(i)link, to the
			 extent practicable, the qualified health information system to a local or
			 regional health information network;
								(ii)consult, as
			 needed, with the Health Information Technology Resource Center established in
			 section 914(d) to access the knowledge and experience of existing initiatives
			 regarding the successful implementation and effective use of health information
			 technology;
								(iii)agree to notify
			 individuals if their personal health information is wrongfully disclosed;
			 and
								(iv)take into account
			 the input of employees and staff who are directly involved in patient care of
			 such health care providers in the design and implementation and use of
			 qualified health information technology systems;
								(E)require that
			 health care providers receiving loans under the grant adopt the standards
			 adopted by the Federal Government under section 301;
							(F)require that
			 health care providers receiving loans under the grant implement the measures
			 adopted under section 221 and report to the Secretary on such measures;
			 and
							(G)provide matching
			 funds in accordance with paragraph (8).
							(4)Strategic
			 plan
							(A)In
			 generalA State that receives a grant under this subsection shall
			 annually prepare a strategic plan that identifies the intended uses of amounts
			 available to the State loan fund of the State.
							(B)ContentsA
			 strategic plan under subparagraph (A) shall include—
								(i)a
			 list of the projects to be assisted through the State loan fund in the first
			 fiscal year that begins after the date on which the plan is submitted;
								(ii)a
			 description of the criteria and methods established for the distribution of
			 funds from the State loan fund;
								(iii)a
			 description of the financial status of the State loan fund and the short-term
			 and long-term goals of the State loan fund; and
								(iv)a
			 description of the strategies the State will use to address challenges in the
			 adoption of health information technology due to limited broadband
			 access.
								(5)Use of
			 funds
							(A)In
			 generalAmounts deposited in a State loan fund, including loan
			 repayments and interest earned on such amounts, shall be used only for awarding
			 loans or loan guarantees, or as a source of reserve and security for leveraged
			 loans, the proceeds of which are deposited in the State loan fund established
			 under paragraph (1). Loans under this section may be used by a health care
			 provider to—
								(i)facilitate the
			 purchase of qualified health information technology systems;
								(ii)enhance the
			 utilization of qualified health information technology systems (which may
			 include activities to increase the awareness among consumers of health care of
			 privacy protections and privacy rights); or
								(iii)train personnel
			 in the use of such systems.
								(B)LimitationAmounts
			 received by a State under this subsection may not be used—
								(i)for
			 the purchase or other acquisition of any health information technology system
			 that is not a qualified health information technology system;
								(ii)to conduct activities for which Federal
			 funds are expended under this title, or the amendments made by this title;
			 or
								(iii)for any purpose
			 other than making loans to eligible entities under this section.
								(6)Types of
			 assistanceExcept as otherwise limited by applicable State law,
			 amounts deposited into a State loan fund under this subsection may only be used
			 for the following:
							(A)To award loans
			 that comply with the following:
								(i)The
			 interest rate for each loan shall be less than or equal to the market interest
			 rate.
								(ii)The
			 principal and interest payments on each loan shall commence not later than 1
			 year after the date on which the loan was awarded, and each loan shall be fully
			 amortized not later than 10 years after such date.
								(iii)The State loan
			 fund shall be credited with all payments of principal and interest on each loan
			 awarded from the fund.
								(B)To guarantee, or
			 purchase insurance for, a local obligation (all of the proceeds of which
			 finance a project eligible for assistance under this subsection) if the
			 guarantee or purchase would improve credit market access or reduce the interest
			 rate applicable to the obligation involved.
							(C)As a source of
			 revenue or security for the payment of principal and interest on revenue or
			 general obligation bonds issued by the State if the proceeds of the sale of the
			 bonds will be deposited into the State loan fund.
							(D)To earn interest
			 on the amounts deposited into the State loan fund.
							(7)Administration
			 of state loan funds
							(A)Combined
			 financial administrationA State may (as a convenience and to
			 avoid unnecessary administrative costs) combine, in accordance with State law,
			 the financial administration of a State loan fund established under this
			 subsection with the financial administration of any other revolving fund
			 established by the State if not otherwise prohibited by the law under which the
			 State loan fund was established.
							(B)Cost of
			 administering fundEach State may annually use not to exceed 4
			 percent of the funds provided to the State under a grant under this subsection
			 to pay the reasonable costs of the administration of the programs under this
			 section, including the recovery of reasonable costs expended to establish a
			 State loan fund which are incurred after the date of enactment of this
			 title.
							(C)Guidance and
			 regulationsThe Secretary shall publish guidance and promulgate
			 regulations as may be necessary to carry out the provisions of this subsection,
			 including—
								(i)provisions to
			 ensure that each State commits and expends funds allotted to the State under
			 this subsection as efficiently as possible in accordance with this title and
			 applicable State laws; and
								(ii)guidance to
			 prevent waste, fraud, and abuse.
								(D)Private sector
			 contributions
								(i)In
			 generalA State loan fund established under this subsection may
			 accept contributions from private sector entities, except that such entities
			 may not specify the recipient or recipients of any loan issued under this
			 subsection.
								(ii)Availability of
			 informationA State shall make publicly available the identity
			 of, and amount contributed by, any private sector entity under clause (i) and
			 may issue letters of commendation or make other awards (that have no financial
			 value) to any such entity.
								(8)Matching
			 requirements
							(A)In
			 generalThe Secretary may not make a grant under paragraph (1) to
			 a State unless the State agrees to make available (directly or through
			 donations from public or private entities) non-Federal contributions in cash
			 toward the costs of the State program to be implemented under the grant in an
			 amount equal to not less than $1 for each $1 of Federal funds provided under
			 the grant.
							(B)Determination of
			 amount of non-federal contributionIn determining the amount of
			 non-Federal contributions that a State has provided pursuant to subparagraph
			 (A), the Secretary may not include any amounts provided to the State by the
			 Federal Government.
							(9)Preference in
			 awarding grantsThe Secretary may give a preference in awarding
			 grants under this subsection to States that adopt value-based purchasing
			 programs to improve health care quality.
						(10)ReportsThe
			 Secretary shall annually submit to the Committee on Health, Education, Labor,
			 and Pensions and the Committee on Finance of the Senate, and the Committee on
			 Energy and Commerce and the Committee on Ways and Means of the House of
			 Representatives, a report summarizing the reports received by the Secretary
			 from each State that receives a grant under this subsection.
						(c)Competitive
			 Grants for the Implementation of Regional or Local Health Information
			 Technology Plans
						(1)In
			 generalThe Secretary may award competitive grants to eligible
			 entities to implement regional or local health information plans to improve
			 health care quality and efficiency through the electronic exchange of personal
			 health information pursuant to the standards, implementation specifications and
			 certification criteria, and other requirements adopted by the Secretary under
			 section 221.
						(2)EligibilityTo be eligible to receive a grant under
			 paragraph (1) an entity, which may be a health record bank or trust,
			 shall—
							(A)demonstrate
			 financial need to the Secretary;
							(B)demonstrate that
			 one of its principal missions or purposes is to use information technology to
			 improve health care quality and efficiency;
							(C)adopt bylaws,
			 memoranda of understanding, or other charter documents that demonstrate that
			 the governance structure and decision making processes of such entity allow for
			 participation on an ongoing basis by multiple stakeholders within a community,
			 including—
								(i)health care
			 providers (including health care providers that provide services to low income
			 and underserved populations);
								(ii)pharmacists or
			 pharmacies;
								(iii)health
			 plans;
								(iv)health centers
			 (as defined in section 330(b)) and federally qualified health centers (as
			 defined in section 1861(aa)(4) of the Social Security Act) and rural health
			 clinics (as defined in section 1861(aa) of the Social Security Act), if such
			 centers or clinics are present in the community served by the entity;
								(v)patient or
			 consumer organizations;
								(vi)organizations
			 dedicated to improving the health of vulnerable populations;
								(vii)employers;
								(viii)State or local
			 health departments; and
								(ix)any
			 other health care providers or other entities, as determined appropriate by the
			 Secretary;
								(D)demonstrate the
			 participation, to the extent practicable, of stakeholders in the electronic
			 exchange of personal health information within the local or regional plan
			 pursuant to subparagraph (C);
							(E)adopt
			 nondiscrimination and conflict of interest policies that demonstrate a
			 commitment to open, fair, and nondiscriminatory participation in the health
			 information plan by all stakeholders;
							(F)adopt the
			 standards adopted by the Secretary under section 301;
							(G)require that
			 health care providers receiving such grants—
								(i)implement the
			 measures adopted under section 221 and report to the Secretary on such
			 measures; and
								(ii)take into account
			 the input of employees and staff who are directly involved in patient care of
			 such health care providers in the design, implementation, and use of health
			 information technology systems;
								(H)agree to comply with the requirements of
			 title I;
							(I)facilitate the
			 electronic exchange of personal health information within the local or regional
			 area and among local and regional areas;
							(J)prepare and submit
			 to the Secretary an application in accordance with paragraph (3);
							(K)agree to provide
			 matching funds in accordance with paragraph (5); and
							(L)reduce barriers to
			 the implementation of health information technology by providers.
							(3)Application
							(A)In
			 generalTo be eligible to receive a grant under paragraph (1), an
			 entity shall submit to the Secretary an application at such time, in such
			 manner, and containing such information as the Secretary may require.
							(B)Required
			 informationAt a minimum, an application submitted under this
			 paragraph shall include—
								(i)clearly identified
			 short-term and long-term objectives of the regional or local health information
			 plan;
								(ii)a
			 technology plan that complies with the standards, implementation
			 specifications, and certification criteria adopted under section 202(c)(6) and
			 that includes a descriptive and reasoned estimate of costs of the hardware,
			 software, training, and consulting services necessary to implement the regional
			 or local health information plan;
								(iii)a
			 strategy that includes initiatives to improve health care quality and
			 efficiency, including the use and reporting of health care quality measures
			 adopted under section 221;
								(iv)a plan that
			 describes provisions to encourage the implementation of the electronic exchange
			 of personal health information by all health care providers participating in
			 the health information plan;
								(v)a plan to ensure the privacy and security
			 of personal health information that is consistent with the requirements of
			 title I;
								(vi)a
			 governance plan that defines the manner in which the stakeholders shall jointly
			 make policy and operational decisions on an ongoing basis;
								(vii)a
			 financial or business plan that describes—
									(I)the sustainability of the plan;
									(II)the financial
			 costs and benefits of the plan; and
									(III)the entities to
			 which such costs and benefits will accrue;
									(viii)a
			 description of whether the State in which the entity resides has received a
			 grant under section 319D of the Public Health Service Act, alone or as a part
			 of a consortium, and if the State has received such a grant, how the entity
			 will coordinate the activities funded under such section 319D with the system
			 under this section; and
								(ix)in
			 the case of an applicant entity that is unable to demonstrate the participation
			 of all stakeholders pursuant to paragraph (2)(C), the justification from the
			 entity for any such nonparticipation.
								(4)Use of
			 fundsAmounts received under a grant under paragraph (1) shall be
			 used to establish and implement a regional or local health information plan in
			 accordance with this subsection.
						(5)Matching
			 requirement
							(A)In
			 generalThe Secretary may not make a grant under this subsection
			 to an entity unless the entity agrees that, with respect to the costs to be
			 incurred by the entity in carrying out the network program for which the grant
			 was awarded, the entity will make available (directly or through donations from
			 public or private entities) non-Federal contributions toward such costs in an
			 amount equal to not less than 50 percent of such costs ($1 for each $2 of
			 Federal funds provided under the grant).
							(B)Determination of
			 amount contributedNon-Federal contributions required under
			 subparagraph (A) may be in cash or in kind, fairly evaluated, including
			 equipment, technology, or services. Amounts provided by the Federal Government,
			 or services assisted or subsidized to any significant extent by the Federal
			 Government, may not be included in determining the amount of such non-Federal
			 contributions.
							(6)Health record
			 bank or trust definedIn this
			 section, the term health record bank or trust means an
			 independent organization that provides a secure electronic repository for
			 storing and maintaining an individual’s lifetime health and medical records
			 from multiple sources and ensuring that the individual always has complete
			 control over who accesses their information.
						(d)ReportsNot
			 later than 1 year after the date on which the first grant is awarded under this
			 section, and annually thereafter during the grant period, an entity that
			 receives a grant under this section shall submit to the Secretary a report on
			 the activities carried out under the grant involved. Each such report shall
			 include—
						(1)a
			 description of the financial costs and benefits of the project involved and of
			 the entities to which such costs and benefits accrue;
						(2)an analysis of the
			 impact of the project on health care quality and safety;
						(3)a
			 description of any reduction in duplicative or unnecessary care as a result of
			 the project involved; and
						(4)other information
			 as required by the Secretary.
						(e)Authorization of
			 Appropriations
						(1)In
			 generalFor the purpose of carrying out this section, there is
			 authorized to be appropriated $139,000,000 for fiscal year 2009 and
			 $139,000,000 for fiscal year 2010.
						(2)AvailabilityAmounts
			 appropriated under paragraph (1) shall remain available through fiscal year
			 2012.
						212.Demonstration
			 program to integrate information technology into clinical education
					(a)In
			 GeneralThe Secretary may award grants to eligible entities or
			 consortia under this section to carry out demonstration projects to develop
			 academic curricula integrating qualified health information technology systems
			 in the clinical education of health professionals or analyze clinical data sets
			 to discover quality measures. Such awards shall be made on a competitive basis
			 and pursuant to peer review.
					(b)EligibilityTo
			 be eligible to receive a grant under subsection (a), an entity or consortium
			 shall—
						(1)submit to the
			 Secretary an application at such time, in such manner, and containing such
			 information as the Secretary may require;
						(2)be or
			 include—
							(A)a health
			 professions school;
							(B)a school of
			 nursing; or
							(C)an institution
			 with a graduate medical education program;
							(3)provide for the
			 collection of data regarding the effectiveness of the demonstration project to
			 be funded under the grant in improving the safety of patients and the
			 efficiency of health care delivery; and
						(4)provide matching
			 funds in accordance with subsection (d).
						(c)Use of
			 Funds
						(1)In
			 generalWith respect to a grant under subsection (a), an eligible
			 entity or consortium shall use amounts received under the grant in
			 collaboration with 2 or more disciplines.
						(2)LimitationAn
			 eligible entity or consortium shall not award a grant under subsection (a) to
			 purchase hardware, software, or services.
						(d)Matching
			 Funds
						(1)In
			 generalThe Secretary may award a grant to an entity or consortium under
			 this section only if the entity or consortium agrees to make
			 available non-Federal contributions toward the costs of the program to be
			 funded under the grant in an amount that is not less than $1 for each $2 of
			 Federal funds provided under the grant.
						(2)Determination of
			 amount contributedNon-Federal contributions under paragraph (1)
			 may be in cash or in kind, fairly evaluated, including equipment or services.
			 Amounts provided by the Federal Government, or services assisted or subsidized
			 to any significant extent by the Federal Government, may not be included in
			 determining the amount of such contributions.
						(e)EvaluationThe
			 Secretary shall take such action as may be necessary to evaluate the projects
			 funded under this section and publish, make available, and disseminate the
			 results of such evaluations on as wide a basis as is practicable.
					(f)ReportsNot
			 later than 1 year after the date of enactment of this title, and annually
			 thereafter, the Secretary shall submit to the Committee on Health, Education,
			 Labor, and Pensions and the Committee on Finance of the Senate, and the
			 Committee on Energy and Commerce and the Committee on Ways and Means of the
			 House of Representatives a report that—
						(1)describes the
			 specific projects established under this section; and
						(2)contains
			 recommendations for Congress based on the evaluation conducted under subsection
			 (e).
						(g)Authorization of
			 AppropriationsThere is authorized to be appropriated to carry
			 out this section, $2,000,000 for each of fiscal years 2009 and 2010.
					(h)SunsetThe
			 provisions of this section shall not apply after September 30, 2012.
					213.Qualified
			 health information technology system definedIn this subtitle, the term qualified
			 health information technology system means a computerized system
			 (including hardware and software) that—
					(1)safeguards the
			 privacy, security, and confidentiality of personal health information in
			 accordance with the requirements of title I;
					(2)maintains and
			 provides permitted access to health information in an electronic format;
					(3)with respect to
			 personal health information maintained in a designated record set, preserves an
			 audit trail of each individual that has gained access to such record
			 set;
					(4)incorporates
			 decision support to reduce medical errors and enhance health care
			 quality;
					(5)complies with the
			 standards adopted by the Federal Government under section 202;
					(6)has the ability to
			 transmit and exchange information to other health information technology
			 systems and, to the extent feasible, public health information technology
			 systems; and
					(7)allows for the
			 reporting of quality measures adopted under section 221.
					CImproving the
			 Quality of Health Care
				221.Fostering
			 development and use of health care quality measures
					(a)In
			 GeneralThe Secretary shall provide for the development and use
			 of health care quality measures (referred to in this title as quality
			 measures) for the purpose of measuring the quality and efficiency of
			 health care that patients receive.
					(b)Designation of,
			 and Arrangement With, Organization
						(1)In
			 generalNot later than 90 days after the date of enactment of
			 this title, the Secretary shall designate, and have in effect an arrangement
			 with, a single organization that meets the requirements of subsection (c) under
			 which such organization shall promote the development of quality measures and
			 provide the Secretary with advice and recommendations on the key elements and
			 priorities of a national system for healthcare performance measurement.
						(2)ResponsibilitiesThe
			 responsibilities to be performed by the organization designated under paragraph
			 (1) (in this title referred to as the designated organization)
			 shall include—
							(A)establishing and
			 managing an integrated national strategy and process for setting priorities and
			 goals in establishing quality measures;
							(B)coordinating and
			 harmonizing the development and testing of such measures;
							(C)establishing
			 standards for the development and testing of such measures;
							(D)endorsing national
			 consensus quality measures;
							(E)recommending, in
			 collaboration with multi-stakeholder groups, quality measures to the Secretary
			 for adoption and use;
							(F)promoting the
			 development and use of electronic health records that contain the functionality
			 for automated collection, aggregation, and transmission of performance
			 measurement information; and
							(G)providing
			 recommendations and advice to the Partnership for Health Care Improvement
			 regarding the integration of quality measures into the certification process
			 outlined under section 202 and the American Health Information Community
			 regarding national policies outlined under section 203.
							(c)Requirements
			 DescribedThe requirements described in this subsection are the
			 following:
						(1)Private
			 entityThe organization shall be a private nonprofit entity that
			 is governed by a board of directors and an individual who is designated as
			 president and chief executive officer.
						(2)Board
			 membershipThe members of the board of directors of the entity
			 shall include representatives of—
							(A)health care
			 providers or groups representing providers;
							(B)health plans or
			 groups representing health plans;
							(C)patients or
			 consumers enrolled in such plans or groups representing individuals enrolled in
			 such plans;
							(D)health care
			 purchasers and employers or groups representing purchasers or employers;
			 and
							(E)organizations that
			 develop health information technology standards and new health information
			 technology.
							(3)Other membership
			 requirementsThe membership of the board of directors of the
			 entity shall be representative of individuals with experience with—
							(A)urban health care
			 issues;
							(B)safety net health
			 care issues;
							(C)rural or frontier
			 health care issues;
							(D)quality and safety
			 issues;
							(E)State or local
			 health programs;
							(F)individuals or
			 entities skilled in the conduct and interpretation of biomedical, health
			 services, and health economics research and with expertise in outcomes and
			 effectiveness research and technology assessment;
							(G)individuals or
			 entities involved in the development and establishment of standards and
			 certification for health information technology systems and clinical data;
			 and
							(H)members of the medical and mental health
			 professions with expertise in standards of professional ethics.
							(4)Open and
			 transparentWith respect to matters related to the arrangement
			 with the Secretary under subsection (a)(1), the organization shall conduct its
			 business in an open and transparent manner, and provide the opportunity for
			 public comment and ensure a balance among disparate stakeholders, so that no
			 member organization unduly influences the work of the organization.
						(5)Voluntary
			 consensus standards setting organizationsThe organization shall
			 operate as a voluntary consensus standards setting organization as defined for
			 purposes of section 12(d) of the National Technology Transfer and Advancement
			 Act of 1995 (Public Law 104–113) and Office of Management and Budget Revised
			 Circular A–119 (published in the Federal Register on February 10, 1998).
						(6)ParticipationIf
			 the organization requires a fee for membership, the organization shall ensure
			 that such fee is not a substantial barrier to participation in the entity’s
			 activities related to the arrangement with the Secretary.
						(d)Requirements for
			 MeasuresThe quality measures developed under this title shall
			 comply with the following:
						(1)MeasuresThe
			 designated organization, in promoting the development of quality measures under
			 this title, shall ensure that such measures—
							(A)are evidence-based,
			 reliable, and valid;
							(B)include—
								(i)measures of
			 clinical processes and outcomes, patient experience, efficiency, and equity;
			 and
								(ii)measures to
			 assess effectiveness, timeliness, patient self-management, patient
			 centeredness, and safety; and
								(C)include measures
			 of underuse and overuse.
							(2)PrioritiesIn
			 carrying out its responsibilities under this section, the designated
			 organization shall ensure that priority is given to—
							(A)measures that preserve access to quality
			 health care by protecting the privacy and security of personal health
			 information;
							(B)measures with the
			 greatest potential impact for improving the performance and efficiency of
			 care;
							(C)measures that may
			 be rapidly implemented by group health plans, health insurance issuers,
			 physicians, hospitals, nursing homes, long-term care providers, and other
			 providers;
							(D)measures which may
			 inform health care decisions made by consumers and patients;
							(E)measures that apply
			 to multiple services furnished by different providers during an episode of
			 care;
							(F)measures that can
			 be integrated into certification process described in section 202; and
							(G)measures that may
			 be integrated into the decision support function of qualified health
			 information technology as defined by this title.
							(3)Risk
			 adjustmentThe designated organization, in consultation with
			 performance measure developers and other stakeholders, shall establish
			 procedures to ensure that quality measures take into account differences in
			 patient health status, patient characteristics, and geographic location, as
			 appropriate.
						(4)MaintenanceThe
			 designated organization, in consultation with owners and developers of quality
			 measures, shall require the owners or developers of quality measures to update
			 and enhance such measures, including the development of more accurate and
			 precise specifications, and retire existing outdated measures. Such updating
			 shall occur not more often than once during each 12-month period, except in the
			 case of emergency circumstances requiring a more immediate update to a
			 measure.
						(e)Grants for
			 Performance Measure DevelopmentThe Secretary, acting through the
			 Agency for Healthcare Research and Quality, may award grants, in amounts not to
			 exceed $50,000 each, to organizations to support the development and testing of
			 quality measures that meet the standards established by the designated
			 organization.
					222.Adoption and
			 use of quality measures; reporting
					(a)In
			 GeneralFor purposes of carrying out activities authorized or
			 required by this title to ensure the use of quality measures and to foster
			 uniformity between health care quality measures utilized by private entities,
			 the Secretary shall—
						(1)select quality
			 measures for adoption and use, from quality measures recommended by
			 multi-stakeholder groups and endorsed by the designated organization;
			 and
						(2)ensure that
			 standards adopted under section 301 integrate the quality measures endorsed,
			 adopted, and utilized under this section.
						(b)Relationship
			 With Programs Under the Social Security ActThe Secretary shall
			 ensure that the quality measures adopted under this section—
						(1)complement quality
			 measures developed by the Secretary under programs administered by the
			 Secretary under the Social Security Act, including programs under titles XVIII,
			 XIX, and XXI of such Act; and
						(2)do not conflict
			 with the needs and priorities of the programs under titles XVIII, XIX, and XXI
			 of such Act, as set forth by the Administrator of the Centers for Medicare
			 & Medicaid Services.
						(c)ReportingThe
			 Secretary shall implement procedures, consistent with generally accepted
			 standards, to enable the Department of Health and Human Services to accept the
			 electronic submission of data for purposes of performance measurement,
			 including at the provider level, using the quality measures developed,
			 endorsed, and adopted pursuant to this title.
					(d)Dissemination of
			 InformationIn order to make comparative performance information
			 available to health care consumers, health professionals, public health
			 officials, oversight organizations, researchers, and other appropriate
			 individuals and entities, after consultation with multi-stakeholder groups, the
			 Secretary shall promulgate regulations to provide for the dissemination,
			 aggregation, and analysis of quality measures collected pursuant to this
			 title.
					DMiscellaneous
			 Provisions
				231.Health
			 Information Technology Resource CenterSection 914 of the Public Health Service Act
			 (42 U.S.C. 299b–3) is amended by adding at the end the following:
					
						(d)Health
				Information Technology Resource Center
							(1)In
				generalThe Secretary, acting
				through the Director, shall develop a Health Information Technology Resource
				Center (referred to in this subsection as the Center) to provide
				technical assistance and develop best practices to support and accelerate
				efforts to adopt, implement, and effectively use interoperable health
				information technology in compliance with sections 202 and 221 of the TRUST in
				Health Information Act of 2008.
							(2)PurposesThe
				purposes of the Center are to—
								(A)provide a forum
				for the exchange of knowledge and experience;
								(B)accelerate the
				transfer of lessons learned from existing public and private sector
				initiatives, including those currently receiving Federal financial
				support;
								(C)assemble, analyze,
				and widely disseminate evidence and experience related to the adoption,
				implementation, and effective use of interoperable health information
				technology;
								(D)provide for the
				establishment of regional and local health information networks to facilitate
				the development of interoperability across health care settings and improve the
				quality of health care;
								(E)provide for the
				development of solutions to barriers to the exchange of electronic health
				information; and
								(F)conduct other
				activities identified by the States, local, or regional health information
				networks, or health care stakeholders as a focus for developing and sharing
				best practices.
								(3)Support for
				activitiesTo provide support for the activities of the Center,
				the Director shall modify the requirements, if necessary, that apply to the
				National Resource Center for Health Information Technology to provide the
				necessary infrastructure to support the duties and activities of the Center and
				facilitate information exchange across the public and private sectors.
							(4)Rule of
				constructionNothing in this subsection shall be construed to
				require the duplication of Federal efforts with respect to the establishment of
				the Center, regardless of whether such efforts were carried out prior to or
				after the enactment of this subsection.
							(e)Authorization of
				AppropriationsThere is authorized to be appropriated, such sums
				as may be necessary for each of fiscal years 2009 and 2010 to carry out this
				section.
						.
				232.Facilitating
			 the provision of telehealth services across State linesSection 330L of the Public Health Service
			 Act (42 U.S.C. 254c–18) is amended to read as follows:
					
						330L.Telemedicine;
				incentive grants regarding coordination among states
							(a)Facilitating the
				Provision of Telehealth Services Across State LinesThe Secretary
				may make grants to States that have adopted regional State reciprocity
				agreements for practitioner licensure, in order to expedite the provision of
				telehealth services across State lines.
							(b)Authorization of
				AppropriationsFor the purpose of carrying out subsection (a),
				there are authorized to be appropriated such sums as may be necessary for each
				of the fiscal years 2009 and
				2010.
							.
				EDefinitions
				241.DefinitionsIn this title, the following terms, defined
			 in section 171, have the meanings given such terms in such section: breach,
			 confidentiality, de-identified health information, disclose, Director of the
			 Office of Health Information Privacy, employer, health care, health care
			 provider, Office of Health Information Privacy, privacy, personal health
			 information, Secretary, security, State, and use.
				IIIAdditional
			 provisions
			301.Federal
			 purchasing and data collection by CMS and other Federal agencies
				(a)Coordination of
			 Federal Spending
					(1)In
			 generalNot later than 1 year after the adoption by the President
			 of a recommendation under section 202(c)(6), the Administrator of the Center
			 for Medicare & Medicaid Services and the head of any other Federal agency
			 shall not expend Federal funds for the purchase of any new health information
			 technology or health information technology system for clinical care or for the
			 electronic retrieval, storage, or exchange of personal health information if
			 such technology or system is not consistent with applicable standards adopted
			 by the Federal Government under section 202.
					(2)Rule of
			 constructionNothing in paragraph (1) shall be construed to
			 restrict the purchase of minor (as determined by the Secretary) hardware or
			 software components in order to modify, correct a deficiency in, or extend the
			 life of existing hardware or software.
					(b)Voluntary
			 Adoption
					(1)In
			 generalAny standards and implementation specifications adopted
			 by the Federal Government under section 202(c) shall be voluntary with respect
			 to private entities.
					(2)RequirementPrivate
			 entities that enter into a contract with the Federal Government shall adopt the
			 standards and implementation specifications adopted by the Federal Government
			 under this section for the purpose of activities under such Federal
			 contract.
					(3)Rule of
			 constructionNothing in this section shall be construed to
			 require that a private entity that enters into a contract with the Federal
			 Government adopt the standards and implementation specifications adopted by the
			 Federal Government under this section with respect to activities not related to
			 the contract.
					(c)Coordination of
			 Federal Data CollectionNot later than 3 years after the adoption
			 by the Federal Government of a recommendation as provided for in section
			 202(c), all Federal agencies (including the Center for Medicare & Medicaid
			 Services) collecting health data in an electronic format for the purposes of
			 quality reporting, surveillance, epidemiology, adverse event reporting,
			 research, or for other purposes determined appropriate by the Secretary, shall
			 comply with the standards and implementation specifications adopted under such
			 subsection.
				302.Ensuring health
			 care providers participating in the medicare program may maintain health
			 information in electronic formSection 1871 of the Social Security Act (42
			 U.S.C. 1395hh) is amended by adding at the end the following new
			 subsection:
				
					(g)(1)Any provider of services
				or supplier shall be deemed as meeting any requirement for the maintenance of
				data in paper form under this title (whether or not for purposes of management,
				billing, reporting, reimbursement, or otherwise) if the required data is
				maintained in an electronic form.
						(2)Nothing in this subsection shall be
				construed as requiring health care providers to maintain or submit data in
				electronic
				form.
						.
			
