[Congressional Bills 110th Congress]
[From the U.S. Government Publishing Office]
[H.R. 6357 Introduced in House (IH)]

110th CONGRESS
  2d Session
                                H. R. 6357

   To amend the Public Health Service Act to promote the adoption of 
         health information technology, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             June 24, 2008

Mr. Dingell (for himself, Mr. Barton of Texas, Mr. Pallone, Mr. Deal of 
  Georgia, Mr. Gordon of Tennessee, Mr. Hall of Texas, Mr. Towns, Mr. 
Upton, Mr. Engel, Mrs. Wilson of New Mexico, Mr. Gonzalez, Mr. Gingrey, 
and Mrs. Biggert) introduced the following bill; which was referred to 
the Committee on Energy and Commerce, and in addition to the Committees 
   on Science and Technology and Ways and Means, for a period to be 
subsequently determined by the Speaker, in each case for consideration 
  of such provisions as fall within the jurisdiction of the committee 
                               concerned

_______________________________________________________________________

                                 A BILL

   To amend the Public Health Service Act to promote the adoption of 
         health information technology, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Protecting 
Records, Optimizing Treatment, and Easing Communication through 
Healthcare Technology Act of 2008'' or the ``PRO(TECH)T Act of 2008''.
    (b) Table of Contents.--The table of contents of this Act is as 
follows:

Sec. 1. Short title; table of contents.
                 TITLE I--HEALTH INFORMATION TECHNOLOGY

         Subtitle A--Promotion of Health Information Technology

     Part I--Improving Health Care Quality, Safety, and Efficiency

Sec. 101. ONCHIT; standards development and adoption; health 
                            information technology resource center.
         ``TITLE XXX--HEALTH INFORMATION TECHNOLOGY AND QUALITY

        ``Sec. 3000. Definitions.
        ``Subtitle A--Promotion of Health Information Technology

        ``Sec. 3001. Office of the National Coordinator for Health 
                            Information Technology.
        ``Sec. 3002. HIT Policy Committee.
        ``Sec. 3003. HIT Standards Committee.
        ``Sec. 3004. Process for adoption of endorsed recommendations.
        ``Sec. 3005. Application and use of adopted standards and 
                            implementation specifications by Federal 
                            agencies.
        ``Sec. 3006. Voluntary application and use of adopted standards 
                            and implementation specifications by 
                            private entities.
        ``Sec. 3007. Health Information Technology Resource Center.
Sec. 102. Transitions.
 Part II--Application and Use of Adopted Health Information Technology 
                           Standards; Reports

Sec. 111. Coordination of Federal activities with adopted standards and 
                            implementation specifications.
Sec. 112. Application to private entities.
Sec. 113. Reports.
  Subtitle B--Incentives for the Use of Health Information Technology

Sec. 121. Grant, loan, and demonstration programs.
 ``Subtitle B--Incentives for the Use of Health Information Technology

        ``Sec. 3011. Grants and loans to facilitate the widespread 
                            adoption of qualified health information 
                            technology.
        ``Sec. 3012. Demonstration program to integrate information 
                            technology into clinical education.
           TITLE II--TESTING OF HEALTH INFORMATION TECHNOLOGY

Sec. 201. National Institute for Standards and Technology testing.
Sec. 202. Research and development programs.
               TITLE III--PRIVACY AND SECURITY PROVISIONS

Sec. 300. Definitions.
                    Subtitle A--Security Provisions

Sec. 301. Application of security provisions and penalties to business 
                            associates of covered entities; annual 
                            guidance on security provisions.
Sec. 302. Notification in the case of breach.
Sec. 303. Education on Health Information Privacy and report on 
                            compliance.
    Subtitle B--Improved Privacy Provisions and Additional Security 
                               Provisions

Sec. 311. Application of penalties to business associates of covered 
                            entities for violations of privacy contract 
                            requirements.
Sec. 312. Restrictions on certain disclosures of health information; 
                            accounting of certain protected health 
                            information disclosures.
Sec. 313. Conditions on certain contacts as part of health care 
                            operations.
Sec. 314. Study on application of privacy and security requirements to 
                            vendors of personal health records.
Sec. 315. Temporary breach notification requirement for vendors of 
                            personal health records.
Sec. 316. Business associate contracts required for certain entities.
Sec. 317. Guidance on implementation specification to de-identify 
                            protected health information.
Sec. 318. GAO report on treatment disclosures.
Sec. 319. Clarification of application of wrongful disclosures criminal 
                            penalties.
 Subtitle C--Relationship to Other Laws; Clarification; Effective Date

Sec. 321. Relationship to other laws.
Sec. 322. Effective date.

                 TITLE I--HEALTH INFORMATION TECHNOLOGY

         Subtitle A--Promotion of Health Information Technology

     PART I--IMPROVING HEALTH CARE QUALITY, SAFETY, AND EFFICIENCY

SEC. 101. ONCHIT; STANDARDS DEVELOPMENT AND ADOPTION; HEALTH 
              INFORMATION TECHNOLOGY RESOURCE CENTER.

    (a) In General.--The Public Health Service Act (42 U.S.C. 201 et 
seq.) is amended by adding at the end the following:

         ``TITLE XXX--HEALTH INFORMATION TECHNOLOGY AND QUALITY

``SEC. 3000. DEFINITIONS.

    ``In this title:
            ``(1) Enterprise integration.--The term `enterprise 
        integration' means the electronic linkage of health care 
        providers, health plans, the government, and other interested 
        parties, to enable the electronic exchange and use of health 
        information among all the components in the health care 
        infrastructure in accordance with applicable law, and such term 
        includes related application protocols and other related 
        standards.
            ``(2) Health care provider.--The term `health care 
        provider' means a hospital, skilled nursing facility, nursing 
        facility, home health entity, health care clinic, Federally 
        qualified health center, group practice (as defined in section 
        1877(h)(4) of the Social Security Act), a pharmacist, a 
        pharmacy, a laboratory, a physician (as defined in section 
        1861(r) of the Social Security Act), a practitioner (as 
        described in section 1842(b)(18)(C) of the Social Security 
        Act), a provider operated by, or under contract with, the 
        Indian Health Service or by an Indian tribe (as defined in the 
        Indian Self-Determination and Education Assistance Act), tribal 
        organization, or urban Indian organization (as defined in 
        section 4 of the Indian Health Care Improvement Act), a rural 
        health clinic, and any other category of facility or clinician 
        determined appropriate by the Secretary.
            ``(3) Health information.--The term `health information' 
        has the meaning given such term in section 1171(4) of the 
        Social Security Act.
            ``(4) Health information technology.--The term `health 
        information technology' means hardware, software, license, 
        right, intellectual property, equipment, or other information 
        technology (including new versions, upgrades, and connectivity) 
        designed or provided primarily for the electronic creation, 
        maintenance, or exchange of health information to coordinate 
        care or improve health care quality, efficiency, or research.
            ``(5) Health plan.--The term `health plan' has the meaning 
        given such term in section 1171(5) of the Social Security Act.
            ``(6) HIT policy committee.--The term `HIT Policy 
        Committee' means such Committee established under section 
        3002(a).
            ``(7) HIT standards committee.--The term `HIT Standards 
        Committee' means such Committee established under section 
        3003(a).
            ``(8) Individually identifiable health information.--The 
        term `individually identifiable health information' has the 
        meaning given such term in section 1171(6) of the Social 
        Security Act.
            ``(9) Laboratory.--The term `laboratory' has the meaning 
        given such term in section 353(a).
            ``(10) National coordinator.--The term `National 
        Coordinator' means the head of the Office of the National 
        Coordinator for Health Information Technology established under 
        section 3001(a).
            ``(11) Pharmacist.--The term `pharmacist' has the meaning 
        given such term in section 804(2) of the Federal Food, Drug, 
        and Cosmetic Act.
            ``(12) State.--The term `State' means each of the several 
        States, the District of Columbia, Puerto Rico, the Virgin 
        Islands, Guam, American Samoa, and the Northern Mariana 
        Islands.

        ``Subtitle A--Promotion of Health Information Technology

``SEC. 3001. OFFICE OF THE NATIONAL COORDINATOR FOR HEALTH INFORMATION 
              TECHNOLOGY.

    ``(a) Establishment.--There is established within the Department of 
Health and Human Services an Office of the National Coordinator for 
Health Information Technology (referred to in this section as the 
`Office'). The Office shall be headed by a National Coordinator who 
shall be appointed by the Secretary and shall report directly to the 
Secretary.
    ``(b) Purpose.--The National Coordinator shall perform the duties 
under subsection (c) in a manner consistent with the development of a 
nationwide interoperable health information technology infrastructure 
that--
            ``(1) ensures that each patient's health information is 
        secure and protected, in accordance with applicable law;
            ``(2) improves health care quality, reduces medical errors, 
        and advances the delivery of patient-centered medical care;
            ``(3) reduces health care costs resulting from 
        inefficiency, medical errors, inappropriate care, duplicative 
        care, and incomplete information;
            ``(4) ensures that appropriate information to help guide 
        medical decisions is available at the time and place of care;
            ``(5) ensures the inclusion of meaningful public input in 
        such development of such infrastructure;
            ``(6) improves the coordination of care and information 
        among hospitals, laboratories, physician offices, and other 
        entities through an effective infrastructure for the secure and 
        authorized exchange of health care information;
            ``(7) improves public health reporting and facilitates the 
        early identification and rapid response to public health 
        threats and emergencies, including bioterror events and 
        infectious disease outbreaks;
            ``(8) facilitates health and clinical research and health 
        care quality;
            ``(9) promotes prevention of chronic diseases;
            ``(10) promotes a more effective marketplace, greater 
        competition, greater systems analysis, increased consumer 
        choice, and improved outcomes in health care services; and
            ``(11) improves efforts to reduce health disparities.
    ``(c) Duties of the National Coordinator.--
            ``(1) Standards.--The National Coordinator shall review and 
        determine whether to endorse each standard, implementation 
        specification, and certification criterion for the electronic 
        exchange and use of health information that is recommended by 
        the HIT Standards Committee under section 3003 for purposes of 
        adoption under section 3004(b). The Coordinator shall make such 
        determination, and report to the Secretary such determination, 
        not later than 90 days after the date the recommendation is 
        received by the Coordinator.
            ``(2) HIT policy coordination.--The National Coordinator 
        shall coordinate health information technology policy and 
        programs of the Department with those of other relevant 
        executive branch agencies with a goal of avoiding duplication 
        of efforts and of helping to ensure that each agency undertakes 
        health information technology activities primarily within the 
        areas of its greatest expertise and technical capability.
            ``(3) Strategic plan.--
                    ``(A) In general.--The National Coordinator shall, 
                in consultation with other appropriate Federal agencies 
                (including the National Institute of Standards and 
                Technology), maintain and update a strategic plan with 
                specific objectives, milestones, and metrics for the 
                following:
                            ``(i) The electronic exchange and use of 
                        health information and the enterprise 
                        integration of such information.
                            ``(ii) The utilization of an electronic 
                        health record for each person in the United 
                        States by 2014.
                            ``(iii) The incorporation of privacy and 
                        security protections for the electronic 
                        exchange of an individual's individually 
                        identifiable health information.
                            ``(iv) Ensuring security methods to ensure 
                        appropriate authorization, electronic 
                        authentication, and encryption of health 
                        information.
                            ``(v) Specifying a framework for 
                        coordination and flow of recommendations and 
                        policies under this subtitle among the 
                        Secretary, the National Coordinator, the HIT 
                        Policy Committee, the HIT Standards Committee, 
                        and other health information exchanges and 
                        other relevant entities.
                            ``(vi) Methods to foster the public 
                        understanding of health information technology.
                            ``(vii) Strategies to enhance the use of 
                        health information technology in improving the 
                        quality of health care, reducing medical 
                        errors, reducing health disparities, and in 
                        improving the continuity of care among health 
                        care settings.
                    ``(B) Collaboration.--The strategic plan shall be 
                developed and updated through collaboration of public 
                and private interests.
                    ``(C) Measurable outcome goals.--The strategic plan 
                shall include measurable outcome goals.
                    ``(D) Publication.--The National Coordinator shall 
                publish the strategic plan, including all updates.
            ``(4) Website.--The National Coordinator shall maintain and 
        frequently update an Internet website on which there is posted 
        information that includes the following:
                    ``(A) The schedule developed by the HIT Standards 
                Committee under section 3003(b)(3).
                    ``(B) The recommendations of the HIT Policy 
                Committee under section 3002.
                    ``(C) Recommendations of the HIT Standards 
                Committee under section 3003.
                    ``(D) Sources of Federal grant funds and technical 
                assistance that are available to facilitate the 
                purchase of, or enhance the utilization of, health 
                information technology systems.
                    ``(E) The report prepared by the National 
                Coordinator under paragraph (5).
                    ``(F) The assessment by the National Coordinator 
                under paragraph (6).
                    ``(G) The evaluation by the National Coordinator 
                under paragraph (7).
                    ``(H) The annual estimate of resources required 
                under paragraph (8).
            ``(5) Implementation report.--The National Coordinator 
        shall prepare a report that identifies lessons learned from 
        major public and private health care systems in their 
        implementation of health information technology systems, 
        including information on whether the systems and practices 
        developed by such systems may be applicable to and usable in 
        whole or in part by other health care providers.
            ``(6) Assessment of impact of HIT on communities with 
        health disparities and uninsured, underinsured, and medically 
        underserved areas.--The National Coordinator shall assess and 
        publish the impact of health information technology in 
        communities with health disparities and in areas that serve 
        uninsured, underinsured, and medically underserved individuals 
        (including urban and rural areas) and identify practices to 
        increase the adoption of such technology by health care 
        providers in such communities.
            ``(7) Evaluation of benefits and costs of the electronic 
        use and exchange of health information.--The National 
        Coordinator shall evaluate and publish evidence on the benefits 
        and costs of the electronic use and exchange of health 
        information and assess to whom these benefits and costs accrue.
            ``(8) Resource requirements.--The National Coordinator 
        shall estimate and publish resources required annually to reach 
        the goal of utilization of an electronic health record for each 
        person in the United States by 2014, including the required 
        level of Federal funding, expectations for regional, State, and 
        private investment, and the expected contributions by 
        volunteers to activities for the utilization of such records.
            ``(9) Certification.--
                    ``(A) In general.--The National Coordinator, in 
                consultation with the Director of the National 
                Institute of Standards and Technology, shall develop a 
                program (either directly or by contract) for the 
                voluntary certification of health information 
                technology as being in compliance with applicable 
                certification criteria adopted under this subtitle. 
                Such program shall include testing of the technology in 
                accordance with section 201(b) of the PRO(TECH)T Act of 
                2008.
                    ``(B) Certification criteria described.--In this 
                title, the term `certification criteria' means, with 
                respect to standards and implementation specifications 
                for health information technology, criteria to 
                establish that the technology meets such standards and 
                implementation specifications.
    ``(d) Detail of Federal Employees.--
            ``(1) In general.--Upon the request of the National 
        Coordinator, the head of any Federal agency is authorized to 
        detail, with or without reimbursement from the Office, any of 
        the personnel of such agency to the Office to assist it in 
        carrying out its duties under this section.
            ``(2) Effect of detail.--Any detail of personnel under 
        paragraph (1) shall--
                    ``(A) not interrupt or otherwise affect the civil 
                service status or privileges of the Federal employee; 
                and
                    ``(B) be in addition to any other staff of the 
                Department employed by the National Coordinator.
            ``(3) Acceptance of detailees.--Notwithstanding any other 
        provision of law, the Office may accept detailed personnel from 
        other Federal agencies without regard to whether the agency 
        described under paragraph (1) is reimbursed.
    ``(e) Authorization of Appropriations.--There are authorized to be 
appropriated to carry out this section $66,000,000 for fiscal year 
2009.

``SEC. 3002. HIT POLICY COMMITTEE.

    ``(a) Establishment.--There is established a HIT Policy Committee 
to make policy recommendations to the National Coordinator relating to 
the implementation of a nationwide health information technology 
infrastructure, including implementation of the strategic plan 
described in section 3001(c)(3).
    ``(b) Duties.--
            ``(1) Recommendations on health information technology 
        infrastructure.--Not later than 1 year after the date of the 
        enactment of this title, the HIT Policy Committee shall 
        recommend a policy framework for the development and adoption 
        of a nationwide health information technology infrastructure 
        that permits the electronic exchange and use of health 
        information as is consistent with the strategic plan under 
        section 3001(c)(3) and that includes the recommendations under 
        paragraph (2). Annually thereafter the Committee shall update 
        such recommendations and make new recommendations as 
        appropriate.
            ``(2) Specific areas of standard development.--
                    ``(A) In general.--The HIT Policy Committee shall 
                recommend the areas in which standards, implementation 
                specifications, and certification criteria are needed 
                for the electronic exchange and use of health 
                information for purposes of adoption under section 
                3004(b) and shall recommend an order of priority for 
                the development, harmonization, and recognition of such 
                standards, specifications, and criteria among the areas 
                so recommended. Such standards and implementation 
                specifications shall include named standards, 
                architectures, and software schemes for the 
                authentication and security of individually 
                identifiable health information and other information 
                as needed to ensure the reproducible development of 
                common solutions across disparate entities.
                    ``(B) Areas required for consideration.--In making 
                recommendations under subparagraph (A), the HIT Policy 
                Committee shall consider at least the following areas:
                            ``(i) Technologies that protect the privacy 
                        of health information and promote security, 
                        including for the protection from disclosure of 
                        specific individually identifiable health 
                        information, in accordance with applicable law, 
                        and for the use and disclosure of limited data 
                        sets (as defined for purposes of regulations 
                        promulgated under section 264(c) of the Health 
                        Insurance Portability and Accountability Act of 
                        1996) of such information.
                            ``(ii) A nationwide interoperable health 
                        information technology infrastructure that 
                        permits the electronic exchange and use of 
                        health information.
                            ``(iii) The utilization of an electronic 
                        health record for each person in the United 
                        States by 2014.
                    ``(C) Other areas for consideration.--In making 
                recommendations under subparagraph (A), the HIT Policy 
                Committee may consider the following additional areas:
                            ``(i) The appropriate uses of a nationwide 
                        health information infrastructure, including 
                        for purposes of--
                                    ``(I) the collection of quality 
                                data and public reporting;
                                    ``(II) biosurveillance and public 
                                health;
                                    ``(III) medical and clinical 
                                research; and
                                    ``(IV) drug safety.
                            ``(ii) Self-service technologies that 
                        facilitate the use and exchange of patient 
                        information and reduce wait times.
                            ``(iii) Telemedicine technologies, in order 
                        to reduce travel requirements for patients in 
                        remote areas.
                            ``(iv) Technologies that facilitate home 
                        health care and the monitoring of patients 
                        recuperating at home.
                            ``(v) Technologies that help reduce medical 
                        errors.
                            ``(vi) Technologies that facilitate the 
                        continuity of care among health settings.
                            ``(vii) Technologies that meet the needs of 
                        diverse populations.
                            ``(viii) Any other technology that the HIT 
                        Policy Committee finds to be among the 
                        technologies with the greatest potential to 
                        improve the quality and efficiency of health 
                        care.
            ``(3) Forum.--The HIT Policy Committee shall serve as a 
        forum for broad stakeholder input with specific expertise in 
        policies relating to the matters described in paragraphs (1) 
        and (2).
            ``(4) Website.--The HIT Policy Committee shall develop and 
        maintain an Internet website on which there is posted 
        information that includes the following:
                    ``(A) Established governance rules.
                    ``(B) A business plan.
                    ``(C) Meeting notices at least 14 days prior to 
                each meeting.
                    ``(D) Meeting agendas at least 7 days prior to each 
                meeting.
                    ``(E) Meeting materials at least 3 days prior to 
                each meeting.
    ``(c) Membership.--
            ``(1) Appointments.--The HIT Policy Committee shall be 
        composed of members to be appointed as follows:
                    ``(A) 3 members shall be appointed by the 
                Secretary, 1 of whom shall be appointed to represent 
                the Department of Health and Human Services and 1 of 
                whom shall be a public health official.
                    ``(B) 1 member shall be appointed by the majority 
                leader of the Senate.
                    ``(C) 1 member shall be appointed by the minority 
                leader of the Senate.
                    ``(D) 1 member shall be appointed by the Speaker of 
                the House of Representatives.
                    ``(E) 1 member shall be appointed by the minority 
                leader of the House of Representatives.
                    ``(F) Such other members as shall be appointed by 
                the President as representatives of other relevant 
                Federal agencies.
                    ``(G) 11 members shall be appointed by the 
                Comptroller General of the United States of whom--
                            ``(i) 1 member shall be an advocate for 
                        patients or consumers;
                            ``(ii) 2 members shall represent health 
                        care providers, one of which shall be a 
                        physician;
                            ``(iii) 1 member shall be from a labor 
                        organization representing health care workers;
                            ``(iv) 1 member shall have expertise in 
                        privacy and security;
                            ``(v) 1 member shall have expertise in 
                        improving the health of vulnerable populations;
                            ``(vi) 1 member shall be from the research 
                        community;
                            ``(vii) 1 member shall represent health 
                        plans or other third-party payers;
                            ``(viii) 1 member shall represent 
                        information technology vendors;
                            ``(ix) 1 member shall represent purchasers 
                        or employers; and
                            ``(x) 1 member shall have expertise in 
                        health care quality measurement and reporting.
            ``(2) National coordinator.--The National Coordinator shall 
        be a member of the HIT Policy Committee and act as a liaison 
        among the HIT Policy Committee, the HIT Standards Committee, 
        and the Federal Government.
            ``(3) Chairperson and vice chairperson.--The HIT Policy 
        Committee shall designate 1 member to serve as the chairperson 
        and 1 member to serve as the vice chairperson of the HIT Policy 
        Committee.
            ``(4) Participation.--The members of the HIT Policy 
        Committee appointed under paragraph (1) shall represent a 
        balance among various sectors of the health care system so that 
        no single sector unduly influences the recommendations of such 
        Committee.
            ``(5) Terms.--
                    ``(A) In general.--The terms of members of the HIT 
                Policy Committee appointed under paragraph (1) shall be 
                3 years except that the Comptroller General of the 
                United States shall designate staggered terms for the 
                members first appointed under paragraph (1)(G).
                    ``(B) Vacancies.--Any member appointed to fill a 
                vacancy in the membership of the HIT Policy Committee 
                that occurs prior to the expiration of the term for 
                which the member's predecessor was appointed shall be 
                appointed only for the remainder of that term. A member 
                may serve after the expiration of that member's term 
                until a successor has been appointed. A vacancy in the 
                HIT Policy Committee shall be filled in the manner in 
                which the original appointment was made.
            ``(6) Outside involvement.--The HIT Policy Committee shall 
        ensure an adequate opportunity for the participation in 
        activities of the Committee of outside advisors, including 
        individuals with expertise in the development of policies for 
        the electronic exchange and use of health information, 
        including in the areas of health information privacy and 
        security.
            ``(7) Quorum.--Ten members of the HIT Policy Committee 
        shall constitute a quorum for purposes of voting, but a lesser 
        number of members may meet and hold hearings.
    ``(d) Application of FACA.--The Federal Advisory Committee Act (5 
U.S.C. App.), other than section 14 of such Act, shall apply to the HIT 
Policy Committee.
    ``(e) Publication.--The Secretary shall provide for publication in 
the Federal Register and the posting on the Internet website of the 
Office of the National Coordinator for Health Information Technology of 
all policy recommendations made by the HIT Policy Committee under this 
section.

``SEC. 3003. HIT STANDARDS COMMITTEE.

    ``(a) Establishment.--There is established a committee to be known 
as the HIT Standards Committee to recommend to the National Coordinator 
standards, implementation specifications, and certification criteria 
for the electronic exchange and use of health information for purposes 
of adoption under section 3004(b), consistent with the implementation 
of the strategic plan described in section 3001(c)(3).
    ``(b) Duties.--
            ``(1) Standard development.--
                    ``(A) In general.--Beginning not later than 1 year 
                after the date of the enactment of this title, the HIT 
                Standards Committee shall recommend to the National 
                Coordinator standards, implementation specifications, 
                and certification criteria described in subsection (a) 
                that have been developed, harmonized, or recognized by 
                the Committee. Annually thereafter the Committee shall 
                update such recommendations and make new 
                recommendations as appropriate, including in response 
                to a notification sent under section 3004(b)(2). Such 
                recommendations shall be consistent with the latest 
                recommendations made by the HIT Policy Committee.
                    ``(B) Pilot testing of standards and implementation 
                specifications.--In the development, harmonization, or 
                recognition of standards and implementation 
                specifications, the HIT Standards Committee, as 
                appropriate, shall provide for the testing of such 
                standards and specifications by the National Institute 
                for Standards and Technology under section 201 of the 
                PRO(TECH)T Act of 2008.
                    ``(C) Consistency.--The standards, implementation 
                specifications, and certification criteria recommended 
                under this subsection shall be consistent with the 
                standards for information transactions and data 
                elements adopted pursuant to section 1173 of the Social 
                Security Act.
            ``(2) Forum.--The HIT Standards Committee shall serve as a 
        forum for the participation of a broad range of stakeholders to 
        provide input on the development, harmonization, and 
        recognition of standards, implementation specifications, and 
        certification criteria necessary for the development and 
        adoption of a nationwide interoperable health information 
        technology infrastructure.
            ``(3) Schedule.--Not later than 90 days after the date of 
        the enactment of this title, the HIT Standards Committee shall 
        develop a schedule for the assessment of policy recommendations 
        developed by the HIT Policy Committee under section 3002. The 
        HIT Standards Committee shall update such schedule annually. 
        The Secretary shall publish such schedule in the Federal 
        Register.
            ``(4) Public input.--The HIT Standards Committee shall 
        conduct open public meetings and develop a process to allow for 
        public comment on the schedule described in paragraph (3) and 
        recommendations described in this subsection. Under such 
        process comments shall be submitted in a timely manner after 
        the date of publication of a recommendation under this 
        subsection.
            ``(5) Website.--The HIT Standards Committee shall develop 
        and maintain an Internet website on which there is posted 
        information that includes the following:
                    ``(A) Established governance rules.
                    ``(B) A business plan.
                    ``(C) Meeting notices at least 14 days prior to 
                each meeting.
                    ``(D) Meeting agendas at least 7 days prior to each 
                meeting.
                    ``(E) Meeting materials at least 3 days prior to 
                each meeting.
            ``(6) Requirement to integrate recommendations.--In 
        carrying out the activities under this section, the HIT 
        Standards Committee shall integrate the recommendations of the 
        HIT Policy Committee.
    ``(c) Membership.--
            ``(1) Appointments.--The HIT Standards Committee shall be 
        composed of members to be appointed as follows:
                    ``(A) 2 members shall be appointed by the 
                Secretary.
                    ``(B) 1 member shall be appointed by the majority 
                leader of the Senate.
                    ``(C) 1 member shall be appointed by the minority 
                leader of the Senate.
                    ``(D) 1 member shall be appointed by the Speaker of 
                the House of Representatives.
                    ``(E) 1 member shall be appointed by the minority 
                leader of the House of Representatives.
                    ``(F) 9 members shall be appointed by the 
                Comptroller General of the United States of whom--
                            ``(i) 1 member shall be a representative of 
                        consumer or patient organizations;
                            ``(ii) 1 member shall be a representative 
                        of organizations with expertise in privacy;
                            ``(iii) 1 member shall be a representative 
                        of organizations with expertise in security;
                            ``(iv) 2 members shall be a representative 
                        of health care providers, one of which shall be 
                        a physician;
                            ``(v) 1 member shall be a representative of 
                        health plans or other third party payers;
                            ``(vi) 1 member shall be a representative 
                        of information technology vendors;
                            ``(vii) 1 member shall be a representative 
                        of purchasers or employers; and
                            ``(viii) 1 member shall be a representative 
                        of the health research community.
                    ``(G) 1 member shall be appointed by the Director 
                of the National Institute for Standards and Technology.
            ``(2) National coordinator.--The National Coordinator shall 
        be a member of the HIT Standards Committee and act as a liaison 
        among the HIT Standards Committee, the HIT Policy Committee, 
        and the Federal government.
            ``(3) Chairperson and vice chairperson.--The HIT Standards 
        Committee shall designate 1 member to serve as the chairperson 
        and 1 member to serve as the vice chairperson of the Committee.
            ``(4) Participation.--The members of the HIT Standards 
        Committee appointed under paragraph (1) shall represent a 
        balance among various sectors of the health care system so that 
        no single sector unduly influences the recommendations of such 
        Committee.
            ``(5) Terms.--
                    ``(A) In general.--The terms of members of the HIT 
                Standards Committee appointed under paragraph (1) shall 
                be 3 years except that the Comptroller General of the 
                United States shall designate staggered terms for the 
                members first appointed under paragraph (1)(F).
                    ``(B) Vacancies.--Any member appointed to fill a 
                vacancy in the membership of the HIT Standards 
                Committee that occurs prior to the expiration of the 
                term for which the member's predecessor was appointed 
                shall be appointed only for the remainder of that term. 
                A member may serve after the expiration of that 
                member's term until a successor has been appointed. A 
                vacancy in the HIT Standards Committee shall be filled 
                in the manner in which the original appointment was 
                made.
            ``(6) Outside involvement.--The HIT Standards Committee 
        shall ensure an adequate opportunity for the participation in 
        activities of the Committee of outside advisors, including 
        individuals with expertise in the development of standards for 
        the electronic exchange and use of health information, 
        including in the areas of health information privacy and 
        security.
            ``(7) Quorum.--Eight members of the HIT Standards Committee 
        shall constitute a quorum for purposes of voting, but a lesser 
        number of members may meet and hold hearings.
    ``(d) Application of FACA.--The Federal Advisory Committee Act (5 
U.S.C. App.), other than section 14, shall apply to the HIT Standards 
Committee.
    ``(e) Publication.--The Secretary shall provide for publication in 
the Federal Register and the posting on the Internet website of the 
Office of the National Coordinator for Health Information Technology of 
all recommendations made by the HIT Standards Committee under this 
section.

``SEC. 3004. PROCESS FOR ADOPTION OF ENDORSED RECOMMENDATIONS.

    ``(a) Review of Endorsed Standards, Specifications, and Criteria.--
Not later than 90 days after the date of receipt of standards, 
implementation specifications, or certification criteria endorsed under 
section 3001(c), the Secretary, in consultation with representatives of 
other relevant Federal agencies, shall jointly review such standards, 
specifications, or criteria and shall determine whether or not to 
propose adoption of such standards, specifications, or criteria.
    ``(b) Determination to Adopt Standards, Specifications, and 
Criteria.--If the Secretary determines--
            ``(1) to propose adoption of any grouping of such 
        standards, specifications, or criteria, the Secretary shall, 
        through a rulemaking process, determine whether or not to adopt 
        such grouping of standards, specifications, or criteria; or
            ``(2) not to propose adoption of any grouping of standards, 
        specifications, or criteria, the Secretary shall notify the 
        National Coordinator and the HIT Standards Committee in writing 
        of such determination and the reasons for not proposing the 
        adoption of such recommendation.
    ``(c) Publication.--The Secretary shall provide for publication in 
the Federal Register of all determinations made by the Secretary under 
subsection (a).

``SEC. 3005. APPLICATION AND USE OF ADOPTED STANDARDS AND 
              IMPLEMENTATION SPECIFICATIONS BY FEDERAL AGENCIES.

    ``For requirements relating to the application and use by Federal 
agencies of the standards and implementation specifications adopted 
under section 3004(b), see section 111 of the PRO(TECH)T Act of 2008.

``SEC. 3006. VOLUNTARY APPLICATION AND USE OF ADOPTED STANDARDS AND 
              IMPLEMENTATION SPECIFICATIONS BY PRIVATE ENTITIES.

    ``(a) In General.--Except as provided under section 112 of the 
PRO(TECH)T Act of 2008, any standard or implementation specification 
adopted under section 3004(b) shall be voluntary with respect to 
private entities.
    ``(b) Rule of Construction.--Nothing in this subtitle shall be 
construed to require that a private entity that enters into a contract 
with the Federal Government apply or use the standards and 
implementation specifications adopted under section 3004(b) with 
respect to activities not related to the contract.

``SEC. 3007. HEALTH INFORMATION TECHNOLOGY RESOURCE CENTER.

    ``(a) Development.--
            ``(1) In general.--The National Coordinator shall develop a 
        Health Information Technology Resource Center to provide 
        technical assistance and develop best practices to support and 
        accelerate efforts to adopt, implement, and effectively use 
        health information technology that allows for the electronic 
        exchange and use of information in compliance with standards, 
        implementation specifications, and certification criteria 
        adopted under section 3004(b).
            ``(2) Purposes.--The purpose of the Center is to--
                    ``(A) provide a forum for the exchange of knowledge 
                and experience;
                    ``(B) accelerate the transfer of lessons learned 
                from existing public and private sector initiatives, 
                including those currently receiving Federal financial 
                support;
                    ``(C) assemble, analyze, and widely disseminate 
                evidence and experience related to the adoption, 
                implementation, and effective use of health information 
                technology that allows for the electronic exchange and 
                use of information;
                    ``(D) provide technical assistance for the 
                establishment and evaluation of regional and local 
                health information networks to facilitate the 
                electronic exchange of information across health care 
                settings and improve the quality of health care;
                    ``(E) provide technical assistance for the 
                development and dissemination of solutions to barriers 
                to the exchange of electronic health information;
                    ``(F) learn about effective strategies to adopt and 
                utilize health information technology in medically 
                underserved communities;
                    ``(G) conduct other activities identified by the 
                States, local or regional health information networks, 
                or health care stakeholders as a focus for developing 
                and sharing best practices; and
                    ``(H) provide technical assistance to promote 
                adoption and utilization of health information 
                technology by health care providers, including in 
                medically underserved communities.
    ``(b) Technical Assistance Telephone Number or Website.--The 
National Coordinator shall establish a toll-free telephone number or 
Internet website to provide health care providers with a single point 
of contact to--
            ``(1) learn about Federal grants and technical assistance 
        services related to interoperable health information 
        technology;
            ``(2) learn about standards, implementation specifications, 
        and certification criteria adopted under section 3004(b);
            ``(3) learn about regional and local health information 
        networks for assistance with health information technology; and
            ``(4) disseminate additional information determined by the 
        National Coordinator.''.

SEC. 102. TRANSITIONS.

    (a) ONCHIT.--To the extent consistent with section 3001 of the 
Public Health Service Act, as added by section 101, all functions, 
personnel, assets, liabilities, and administrative actions applicable 
to the National Coordinator for Health Information Technology appointed 
under Executive Order 13335 or the Office of such National Coordinator 
on the date before the date of the enactment of this Act shall be 
transferred to the National Coordinator appointed under section 3001(a) 
of such Act and the Office of such National Coordinator as of the date 
of the enactment of this Act.
    (b) AHIC.--
            (1) To the extent consistent with sections 3002 and 3003 of 
        the Public Health Service Act, as added by section 101, all 
        functions, personnel, assets, and liabilities applicable to the 
        American Health Information Community created in response to 
        Executive Order 13335 as of the day before the date of the 
        enactment of this Act shall be transferred to the HIT Policy 
        Committee or the HIT Standards Committee, established under 
        section 3002(a) or 3003(a) of such Act, as appropriate, as of 
        the date of the enactment of this Act.
            (2) In carrying out section 3003(b)(1)(A) of the Public 
        Health Service Act, as so added, until recommendations are made 
        by the HIT Policy Committee, recommendations of the HIT 
        Standards Committee shall be consistent with the most recent 
        recommendations made by the American Health Information 
        Community.
    (c) Rules of Construction.--
            (1) ONCHIT.--Nothing in section 3001 of the Public Health 
        Service Act, as added by section 101, or subsection (a) shall 
        be construed as requiring the creation of a new entity to the 
        extent that the Office of the National Coordinator for Health 
        Information Technology established pursuant to Executive Order 
        13335 is consistent with the provisions of such section 3001.
            (2) AHIC.--Nothing in sections 3002 or 3003 of the Public 
        Health Service Act, as added by section 101, or subsection (b) 
        shall be construed as requiring the creation of a new entity to 
        the extent that the American Health Information Community 
        created in response to Executive Order 13335 is consistent with 
        the provisions of such sections 3002 and 3003.

 PART II--APPLICATION AND USE OF ADOPTED HEALTH INFORMATION TECHNOLOGY 
                           STANDARDS; REPORTS

SEC. 111. COORDINATION OF FEDERAL ACTIVITIES WITH ADOPTED STANDARDS AND 
              IMPLEMENTATION SPECIFICATIONS.

    (a) Spending on Health Information Technology Systems.--As each 
agency (as defined in the Executive Order issued on August 22, 2006, 
relating to promoting quality and efficient health care in Federal 
government administered or sponsored health care programs) implements, 
acquires, or upgrades health information technology systems used for 
the direct exchange of individually identifiable health information 
between agencies and with non-Federal entities, it shall utilize, where 
available, health information technology systems and products that meet 
standards and implementation specifications adopted under section 
3004(b) of the Public Health Service Act, as added by section 101.
    (b) Federal Information Collection Activities.--With respect to a 
standard or implementation specification adopted under section 3004(b) 
of the Public Health Service Act, as added by section 101, the 
President shall take measures to ensure that Federal activities 
involving the broad collection and submission of health information are 
consistent with such standard or specification, respectively, within 
three years after the date of such adoption.
    (c) Application of Definitions.--The definitions contained in 
section 3000 of the Public Health Service Act, as added by section 101, 
shall apply for purposes of this part.

SEC. 112. APPLICATION TO PRIVATE ENTITIES.

    Each agency (as defined in such Executive Order issued on August 
22, 2006, relating to promoting quality and efficient health care in 
Federal government administered or sponsored health care programs) 
shall require in contracts or agreements with health care providers, 
health plans, or health insurance issuers that as each provider, plan, 
or issuer implements, acquires, or upgrades health information 
technology systems, it shall utilize, where available, health 
information technology systems and products that meet standards and 
implementation specifications adopted under section 3004(b) of the 
Public Health Service Act, as added by section 101.

SEC. 113. REPORTS.

    (a) In General.--The Secretary of Health and Human Services shall 
submit to the Committee on Health, Education, Labor, and Pensions and 
the Committee on Commerce, Science, and Transportation of the Senate 
and the Committee on Energy and Commerce and the Committee on Science 
and Technology of the House of Representatives, on an annual basis, a 
report that--
            (1) describes the specific actions that have been taken by 
        the Federal Government and private entities to facilitate the 
        adoption of an interoperable nationwide system for the 
        electronic exchange of health information;
            (2) describes barriers to the adoption of such a nationwide 
        system; and
            (3) contains recommendations to achieve full implementation 
        of such a nationwide system.
    (b) Reimbursement Incentive Study.--The Secretary of Health and 
Human Services shall carry out, or contract with a private entity to 
carry out, a study that examines methods to create efficient 
reimbursement incentives for improving health care quality in Federally 
qualified health centers, rural health clinics, and free clinics.

  Subtitle B--Incentives for the Use of Health Information Technology

SEC. 121. GRANT, LOAN, AND DEMONSTRATION PROGRAMS.

    Title XXX of the Public Health Service Act, as added by section 
101, is amended by adding at the end the following new subtitle:

 ``Subtitle B--Incentives for the Use of Health Information Technology

``SEC. 3011. GRANTS AND LOANS TO FACILITATE THE WIDESPREAD ADOPTION OF 
              QUALIFIED HEALTH INFORMATION TECHNOLOGY.

    ``(a) Competitive Grants To Facilitate the Widespread Adoption of 
Health Information Technology.--
            ``(1) In general.--The National Coordinator may award 
        competitive grants to eligible entities to purchase qualified 
        health information technology.
            ``(2) Qualified health information technology.--For 
        purposes of this section, the term `qualified health 
        information technology' means health information technology 
        that consists of hardware, software, or the provision of 
        support services and that--
                    ``(A) enables the protection of health information, 
                in accordance with applicable law;
                    ``(B) is (or is necessary for the operation of) an 
                electronic health records system, including the 
                provision of decision support and physician order entry 
                for medications;
                    ``(C) has the ability to allow timely and 
                permissible access to patient information and to 
                transmit and exchange health information among 
                providers, patients, or insurers; and
                    ``(D) is certified under the program developed 
                under section 3001(c)(9) to be in compliance with any 
                applicable standards and implementation specifications 
                adopted under section 3004(b).
            ``(3) Eligibility.--To be eligible to receive a grant under 
        paragraph (1) an entity shall--
                    ``(A) submit to the National Coordinator an 
                application at such time and in such manner as the 
                National Coordinator may require, and containing--
                            ``(i) a plan on how the entity intends to 
                        maintain and support the qualified health 
                        information technology that would be purchased 
                        with amounts under such grant, including the 
                        type of resources expected to be involved; and
                            ``(ii) such other information as the 
                        National Coordinator may require;
                    ``(B) submit to the National Coordinator a 
                strategic plan for the electronic exchange and use of 
                health information;
                    ``(C) be--
                            ``(i) a not for profit hospital or a 
                        Federally qualified health center (as defined 
                        in section 1861(aa)(4) of the Social Security 
                        Act);
                            ``(ii) an individual or group practice; or
                            ``(iii) another health care provider not 
                        described in clause (i) or (ii);
                    ``(D) demonstrate significant financial need;
                    ``(E) agree to notify individuals in accordance 
                with section 302 of the PRO(TECH)T Act of 2008 if their 
                individually identifiable health information is 
                accessed or acquired as a result of a breach; and
                    ``(F) provide matching funds in accordance with 
                paragraph (5).
            ``(4) Use of funds.--Amounts received under a grant under 
        this subsection shall be used to facilitate the purchase of 
        qualified health information technology.
            ``(5) Matching requirement.--To be eligible for a grant 
        under this subsection an entity shall contribute non-Federal 
        contributions to the costs of carrying out the activities for 
        which the grant is awarded in an amount equal to $1 for each $3 
        of Federal funds provided under the grant.
            ``(6) Preference in awarding grants.--In awarding grants 
        under this subsection the National Coordinator shall give 
        preference to the following eligible entities:
                    ``(A) Small health care providers.
                    ``(B) Entities that are located in rural, frontier, 
                and other areas that serve uninsured, underinsured, and 
                medically underserved individuals (regardless of 
                whether such area is urban, rural, or frontier).
                    ``(C) Entities that will link, to the extent 
                practicable, to local or regional health information 
                plan or plans.
                    ``(D) Nonprofit health care providers.
            ``(7) Additional sources of funding for health information 
        technology.--Funding made available under this subsection is in 
        addition to funding which may be used toward the acquisition 
        and utilization of health information technology under other 
        law, which includes the following:
                    ``(A) Medicaid transformation grants under section 
                1903(z) of the Social Security Act.
                    ``(B) Grants or funding available through the 
                Agency for Healthcare Research and Quality.
                    ``(C) Grants or funding that may be available 
                through the Health Resources and Services 
                Administration for investment in health information 
                technologies or telehealth.
                    ``(D) Grants or funding that may be available 
                through the Department of Agriculture's Rural 
                Development Telecommunications Program for investment 
                in telemedicine.
    ``(b) Competitive Grants to States and Indian Tribes for the 
Development of Loan Programs To Facilitate the Widespread Adoption of 
Qualified Health Information Technology.--
            ``(1) In general.--The National Coordinator may award 
        competitive grants to eligible entities for the establishment 
        of programs for loans to health care providers to purchase 
        qualified health information technology.
            ``(2) Eligible entity defined.--For purposes of this 
        subsection, the term `eligible entity' means a State or Indian 
        tribe (as defined in the Indian Self-Determination and 
        Education Assistance Act) that--
                    ``(A) submits to the National Coordinator an 
                application at such time, in such manner, and 
                containing such information as the National Coordinator 
                may require;
                    ``(B) submits to the National Coordinator a 
                strategic plan in accordance with paragraph (4) and 
                provides to the National Coordinator assurances that 
                the entity will update such plan annually in accordance 
                with such paragraph;
                    ``(C) provides assurances to the National 
                Coordinator that the entity will establish a Loan Fund 
                in accordance with paragraph (3);
                    ``(D) provides assurances to the National 
                Coordinator that the entity will not provide a loan 
                from the Loan Fund to a health care provider unless the 
                provider meets each of the conditions described in 
                paragraph (5); and
                    ``(E) agrees to provide matching funds in 
                accordance with paragraph (9).
            ``(3) Establishment of fund.--For purposes of paragraph 
        (3)(C), an eligible entity shall establish a qualified health 
        information technology loan fund (referred to in this 
        subsection as a `Loan Fund') and comply with the other 
        requirements contained in this section. A grant to an eligible 
        entity under this subsection shall be deposited in the Loan 
        Fund established by the eligible entity. No funds authorized by 
        other provisions of this subtitle to be used for other purposes 
        specified in this subtitle shall be deposited in any Loan Fund.
            ``(4) Strategic plan.--
                    ``(A) In general.--For purposes of paragraph 
                (3)(B), a strategic plan of an eligible entity under 
                this paragraph shall identify the intended uses of 
                amounts available to the Loan Fund of such entity.
                    ``(B) Contents.--A strategic plan under 
                subparagraph (A), with respect to a Loan Fund of an 
                eligible entity, shall include for a year the 
                following:
                            ``(i) A list of the projects to be assisted 
                        through the Loan Fund during such year.
                            ``(ii) A description of the criteria and 
                        methods established for the distribution of 
                        funds from the Loan Fund during the year.
                            ``(iii) A description of the financial 
                        status of the Loan Fund as of the date of 
                        submission of the plan.
                            ``(iv) The short-term and long-term goals 
                        of the Loan Fund.
            ``(5) Health care provider conditions for receipt of 
        loans.--For purposes of paragraph (2)(D), the conditions 
        described in this paragraph, with respect to a health care 
        provider that seeks a loan from a Loan Fund established under 
        this subsection, are the following:
                    ``(A) The health care provider links, to the extent 
                practicable, to a local or regional health information 
                network.
                    ``(B) The health care provider consults with the 
                Health Information Technology Resource Center 
                established under section 3007 to access the knowledge 
                and experience of existing initiatives regarding the 
                successful implementation and effective use of health 
                information technology.
                    ``(C) The health care provider agrees to notify 
                individuals in accordance with section 302 of the 
                PRO(TECH)T Act of 2008 if their individually 
                identifiable health information is accessed or acquired 
                as a result of a breach.
                    ``(D) The health care provider submits to the State 
                or Indian tribe involved a plan on how the health care 
                provider intends to maintain and support the qualified 
                health information technology that would be purchased 
                with such loan, including the type of resources 
                expected to be involved and any such other information 
                as the State or Indian Tribe, respectively, may 
                require.
            ``(6) Use of funds.--
                    ``(A) In general.--Amounts deposited in a Loan 
                Fund, including loan repayments and interest earned on 
                such amounts, shall be used only for awarding loans or 
                loan guarantees, or as a source of reserve and security 
                for leveraged loans, the proceeds of which are 
                deposited in the Loan Fund established under paragraph 
                (1). Loans under this section may be used by a health 
                care provider to purchase qualified health information 
                technology.
                    ``(B) Limitation.--Amounts received by an eligible 
                entity under this subsection may not be used--
                            ``(i) for the purchase or other acquisition 
                        of any health information technology system 
                        that is not a qualified health information 
                        technology;
                            ``(ii) to conduct activities for which 
                        Federal funds are expended under this title; or
                            ``(iii) for any purpose other than making 
                        loans to health care providers in accordance 
                        with this section.
            ``(7) Types of assistance.--Except as otherwise limited by 
        applicable State law, amounts deposited into a Loan Fund under 
        this subsection may only be used for the following:
                    ``(A) To award loans that comply with the 
                following:
                            ``(i) The interest rate for each loan shall 
                        not exceed the market interest rate.
                            ``(ii) The principal and interest payments 
                        on each loan shall commence not later than 1 
                        year after the date the loan was awarded, and 
                        each loan shall be fully amortized not later 
                        than 10 years after the date of the loan.
                            ``(iii) The Loan Fund shall be credited 
                        with all payments of principal and interest on 
                        each loan awarded from the Loan Fund.
                    ``(B) To guarantee, or purchase insurance for, a 
                local obligation (all of the proceeds of which finance 
                a project eligible for assistance under this 
                subsection) if the guarantee or purchase would improve 
                credit market access or reduce the interest rate 
                applicable to the obligation involved.
                    ``(C) As a source of revenue or security for the 
                payment of principal and interest on revenue or general 
                obligation bonds issued by the eligible entity if the 
                proceeds of the sale of the bonds will be deposited 
                into the Loan Fund.
                    ``(D) To earn interest on the amounts deposited 
                into the Loan Fund.
            ``(8) Administration of loan funds.--
                    ``(A) Combined financial administration.--An 
                eligible entity may (as a convenience and to avoid 
                unnecessary administrative costs) combine, in 
                accordance with applicable State law, the financial 
                administration of a Loan Fund established under this 
                subsection with the financial administration of any 
                other revolving fund established by the entity if 
                otherwise not prohibited by the law under which the 
                Loan Fund was established.
                    ``(B) Cost of administering fund.--Each eligible 
                entity may annually use not to exceed 4 percent of the 
                funds provided to the entity under a grant under this 
                subsection to pay the reasonable costs of the 
                administration of the programs under this section, 
                including the recovery of reasonable costs expended to 
                establish a Loan Fund which are incurred after the date 
                of the enactment of this title.
                    ``(C) Guidance and regulations.--The National 
                Coordinator shall publish guidance and promulgate 
                regulations as may be necessary to carry out the 
                provisions of this subsection, including--
                            ``(i) provisions to ensure that each 
                        eligible entity commits and expends funds 
                        allotted to the entity under this subsection as 
                        efficiently as possible in accordance with this 
                        title and applicable State laws; and
                            ``(ii) guidance to prevent waste, fraud, 
                        and abuse.
                    ``(D) Private sector contributions.--
                            ``(i) In general.--A Loan Fund established 
                        under this subsection may accept contributions 
                        from private sector entities, except that such 
                        entities may not specify the recipient or 
                        recipients of any loan issued under this 
                        subsection. An eligible entity may agree to 
                        reimburse a private sector entity for any 
                        contribution made under this subparagraph, 
                        except that the amount of such reimbursement 
                        may not be greater than the principal amount of 
                        the contribution made.
                            ``(ii) Availability of information.--An 
                        eligible entity shall make publicly available 
                        the identity of, and amount contributed by, any 
                        private sector entity under clause (i) and may 
                        issue letters of commendation or make other 
                        awards (that have no financial value) to any 
                        such entity.
            ``(9) Matching requirements.--
                    ``(A) In general.--The National Coordinator may not 
                make a grant under paragraph (1) to an eligible entity 
                unless the entity agrees to make available (directly or 
                through donations from public or private entities) non-
                Federal contributions in cash to the costs of carrying 
                out the activities for which the grant is awarded in an 
                amount equal to not less than $1 for each $1 of Federal 
                funds provided under the grant.
                    ``(B) Determination of amount of non-federal 
                contribution.--In determining the amount of non-Federal 
                contributions that an eligible entity has provided 
                pursuant to subparagraph (A), the National Coordinator 
                may not include any amounts provided to the entity by 
                the Federal Government.
            ``(10) Reports.--The National Coordinator shall annually 
        submit to the Committee on Health, Education, Labor, and 
        Pensions and the Committee on Finance of the Senate, and the 
        Committee on Energy and Commerce of the House of 
        Representatives, a report summarizing the reports received by 
        the National Coordinator from each eligible entity that 
        receives a grant under this subsection.
    ``(c) Competitive Grants for the Implementation of Regional or 
Local Health Information Technology Plans.--
            ``(1) In general.--The National Coordinator may award 
        competitive grants to eligible entities to implement regional 
        or local health information plans to improve health care 
        quality and efficiency through the electronic exchange and use 
        of health information.
            ``(2) Eligibility.--To be eligible to receive a grant under 
        paragraph (1) an entity shall--
                    ``(A) facilitate the electronic exchange and use of 
                health information within the local or regional area 
                and among local and regional areas;
                    ``(B) demonstrate financial need to the National 
                Coordinator;
                    ``(C) demonstrate that one of its principal 
                missions or purposes is to use information technology 
                to improve health care quality and efficiency;
                    ``(D) adopt bylaws, memoranda of understanding, or 
                other charter documents that demonstrate that the 
                governance structure and decisionmaking processes of 
                such entity allow for participation on an ongoing basis 
                by multiple stakeholders within a community, 
                including--
                            ``(i) physicians (as defined in section 
                        1861(r) of the Social Security Act), including 
                        physicians that provide services to low income 
                        populations and populations that are uninsured, 
                        underinsured, and medically underserved 
                        (including such populations in urban and rural 
                        areas);
                            ``(ii) hospitals (including hospitals that 
                        provide services to low income and underserved 
                        populations);
                            ``(iii) pharmacists and pharmacies;
                            ``(iv) health plans;
                            ``(v) health centers (as defined in section 
                        330(b)) and Federally qualified health centers 
                        (as defined in section 1861(aa)(4) of the 
                        Social Security Act);
                            ``(vi) rural health clinics (as defined in 
                        section 1861(aa) of the Social Security Act);
                            ``(vii) patient or consumer organizations 
                        that reflect the population to be served;
                            ``(viii) employers;
                            ``(ix) public health agencies; and
                            ``(x) such other health care providers or 
                        other entities, as determined appropriate by 
                        the National Coordinator;
                    ``(E) demonstrate the participation, to the extent 
                practicable, of stakeholders in the electronic exchange 
                and use of health information within the local or 
                regional health information plan pursuant to 
                subparagraph (D);
                    ``(F) adopt nondiscrimination and conflict of 
                interest policies that demonstrate a commitment to 
                open, fair, and nondiscriminatory participation in the 
                regional or local health information plan by all 
                stakeholders;
                    ``(G) comply with applicable standards and 
                implementation specifications adopted under subtitle A 
                of this title;
                    ``(H) prepare and submit to the National 
                Coordinator an application in accordance with paragraph 
                (3); and
                    ``(I) agree to provide matching funds in accordance 
                with paragraph (6).
            ``(3) Application.--
                    ``(A) In general.--To be eligible to receive a 
                grant under paragraph (1), an entity shall submit to 
                the National Coordinator an application at such time, 
                in such manner, and containing such information (in 
                addition to information required under subparagraph 
                (B)), as the National Coordinator may require.
                    ``(B) Required information.--At a minimum, an 
                application submitted under this paragraph shall 
                include--
                            ``(i) clearly identified short-term and 
                        long-term objectives of the regional or local 
                        health information plan;
                            ``(ii) an estimate of costs of the 
                        hardware, software, training, and other 
                        services necessary to implement the regional or 
                        local health information plan;
                            ``(iii) a strategy that includes 
                        initiatives to improve health care quality and 
                        efficiency;
                            ``(iv) a plan that describes provisions to 
                        encourage the electronic exchange and use of 
                        health information by all physicians, including 
                        single physician practices and small physician 
                        groups, participating in the health information 
                        plan;
                            ``(v) a plan to ensure the privacy and 
                        security of individually identifiable health 
                        information that is consistent with applicable 
                        Federal and State law;
                            ``(vi) a governance plan that defines the 
                        manner in which the stakeholders shall jointly 
                        make policy and operational decisions on an 
                        ongoing basis;
                            ``(vii) a financial or business plan that 
                        describes--
                                    ``(I) the sustainability of the 
                                plan;
                                    ``(II) the financial costs and 
                                benefits of the plan; and
                                    ``(III) the entities to which such 
                                costs and benefits will accrue;
                            ``(viii) a plan on how the entity involved 
                        intends to maintain and support the regional or 
                        local health information plan, including the 
                        type of resources expected to be involved; and
                            ``(ix) in the case of an applicant that is 
                        unable to demonstrate the participation of all 
                        stakeholders pursuant to paragraph (2)(D), the 
                        justification from the entity for any such 
                        nonparticipation.
            ``(4) Use of funds.--Amounts received under a grant under 
        paragraph (1) shall be used to establish and implement a 
        regional or local health information plan in accordance with 
        this subsection.
            ``(5) Preference.--In awarding grants under paragraph (1), 
        the Secretary shall give preference to eligible entities that 
        intend to use amounts received under a grant to establish or 
        implement a regional or local health information plan that 
        encompasses communities with health disparities or areas that 
        serve uninsured, underinsured, and medically underserved 
        individuals (including urban and rural areas).
            ``(6) Matching requirement.--
                    ``(A) In general.--The National Coordinator may not 
                make a grant under this subsection to an entity unless 
                the entity agrees that, with respect to the costs of 
                carrying out the activities for which the grant is 
                awarded, the entity will make available (directly or 
                through donations from public or private entities) non-
                Federal contributions toward such costs in an amount 
                equal to not less than 50 percent of such costs ($1 for 
                each $2 of Federal funds provided under the grant).
                    ``(B) Determination of amount contributed.--Non-
                Federal contributions required under subparagraph (A) 
                may be in cash or in kind, fairly evaluated, including 
                equipment, technology, or services. Amounts provided by 
                the Federal Government, or services assisted or 
                subsidized to any significant extent by the Federal 
                Government, may not be included in determining the 
                amount of such non-Federal contributions.
    ``(d) Reports.--Not later than 1 year after the date on which the 
first grant is awarded under this section, and annually thereafter 
during the grant period, an entity that receives a grant under this 
section shall submit to the National Coordinator a report on the 
activities carried out under the grant involved. Each such report shall 
include--
            ``(1) a description of the financial costs and benefits of 
        the project involved and of the entities to which such costs 
        and benefits accrue;
            ``(2) an analysis of the impact of the project on health 
        care quality and safety;
            ``(3) a description of any reduction in duplicative or 
        unnecessary care as a result of the project involved;
            ``(4) a description of the efforts of recipients under this 
        section to facilitate secure patient access to health 
        information;
            ``(5) an analysis of the effectiveness of the project 
        involved on ensuring the privacy and security of individually 
        identifiable health information in accordance with applicable 
        Federal and State law; and
            ``(6) other information as required by the National 
        Coordinator.
    ``(e) Requirement To Improve Quality of Care and Decrease in 
Costs.--The National Coordinator shall annually evaluate the activities 
conducted under this section and shall, in awarding grants, implement 
the lessons learned from such evaluation in a manner so that awards 
made subsequent to each such evaluation are made in a manner that, in 
the determination of the National Coordinator, will result in the 
greatest improvement in quality of care and decrease in costs.
    ``(f) Limitation.--An eligible entity may only receive one non-
renewable grant under subsection (a), one non-renewable grant under 
subsection (b), and one non-renewable grant under subsection (c).
    ``(g) Small Health Care Provider.--For purposes of this section, 
the term `small health care provider' means a health care provider that 
has an average of 10 or fewer full-time equivalent employees during the 
period involved.
    ``(h) Authorization of Appropriations.--
            ``(1) In general.--For the purpose of carrying out 
        subsections (a) through (d), there is authorized to be 
        appropriated $115,000,000 for each of the fiscal years 2009 
        through 2013.
            ``(2) Availability.--Amounts appropriated under paragraph 
        (1) shall remain available through fiscal year 2013.

``SEC. 3012. DEMONSTRATION PROGRAM TO INTEGRATE INFORMATION TECHNOLOGY 
              INTO CLINICAL EDUCATION.

    ``(a) In General.--The Secretary may award grants under this 
section to carry out demonstration projects to develop academic 
curricula integrating qualified health information technology in the 
clinical education of health professionals. Such awards shall be made 
on a competitive basis and pursuant to peer review.
    ``(b) Eligibility.--To be eligible to receive a grant under 
subsection (a), an entity shall--
            ``(1) submit to the Secretary an application at such time, 
        in such manner, and containing such information as the 
        Secretary may require;
            ``(2) submit to the Secretary a strategic plan for 
        integrating qualified health information technology in the 
        clinical education of health professionals to reduce medical 
        errors and enhance health care quality;
            ``(3) be--
                    ``(A) a school of medicine, osteopathic medicine, 
                dentistry, or pharmacy, or a graduate program in 
                behavioral or mental health;
                    ``(B) a graduate school of nursing or physician 
                assistant studies;
                    ``(C) a consortium of two or more schools described 
                in subparagraph (A) or (B); or
                    ``(D) an institution with a graduate medical 
                education program in medicine, osteopathic medicine, 
                dentistry, pharmacy, nursing, or physician assistant 
                studies;
            ``(4) provide for the collection of data regarding the 
        effectiveness of the demonstration project to be funded under 
        the grant in improving the safety of patients, the efficiency 
        of health care delivery, and in increasing the likelihood that 
        graduates of the grantee will adopt and incorporate qualified 
        health information technology, in the delivery of health care 
        services; and
            ``(5) provide matching funds in accordance with subsection 
        (d).
    ``(c) Use of Funds.--
            ``(1) In general.--With respect to a grant under subsection 
        (a), an eligible entity shall--
                    ``(A) use grant funds in collaboration with 2 or 
                more disciplines; and
                    ``(B) use grant funds to integrate qualified health 
                information technology into community-based clinical 
                education.
            ``(2) Limitation.--An eligible entity shall not use amounts 
        received under a grant under subsection (a) to purchase 
        hardware, software, or services.
    ``(d) Matching Funds.--
            ``(1) In general.--The Secretary may award a grant to an 
        entity under this section only if the entity agrees to make 
        available non-Federal contributions toward the costs of the 
        program to be funded under the grant in an amount that is not 
        less than $1 for each $2 of Federal funds provided under the 
        grant.
            ``(2) Determination of amount contributed.--Non-Federal 
        contributions under paragraph (1) may be in cash or in kind, 
        fairly evaluated, including equipment or services. Amounts 
        provided by the Federal Government, or services assisted or 
        subsidized to any significant extent by the Federal Government, 
        may not be included in determining the amount of such 
        contributions.
    ``(e) Evaluation.--The Secretary shall take such action as may be 
necessary to evaluate the projects funded under this section and 
publish, make available, and disseminate the results of such 
evaluations on as wide a basis as is practicable.
    ``(f) Reports.--Not later than 1 year after the date of enactment 
of this title, and annually thereafter, the Secretary shall submit to 
the Committee on Health, Education, Labor, and Pensions and the 
Committee on Finance of the Senate, and the Committee on Energy and 
Commerce of the House of Representatives a report that--
            ``(1) describes the specific projects established under 
        this section; and
            ``(2) contains recommendations for Congress based on the 
        evaluation conducted under subsection (e).
    ``(g) Authorization of Appropriations.--There is authorized to be 
appropriated to carry out this section, $10,000,000 for each of fiscal 
years 2009 through 2011.
    ``(h) Sunset.--This section shall not apply after September 30, 
2011.''.

           TITLE II--TESTING OF HEALTH INFORMATION TECHNOLOGY

SEC. 201. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY TESTING.

    (a) Pilot Testing of Standards and Implementation Specifications.--
In coordination with the HIT Standards Committee established under 
section 3003 of the Public Health Service Act, as added by section 101, 
with respect to the development of standards and implementation 
specifications under such section, the Director of the National 
Institute of Standards and Technology shall test such standards and 
specifications in order to assure the efficient implementation and use 
of such standards and specifications.
    (b) Voluntary Testing Program.--In coordination with the HIT 
Standards Committee established under section 3003 of the Public Health 
Service Act, as added by section 101, with respect to the development 
of standards and implementation specifications under such section, the 
Director of the National Institute of Standards and Technology shall 
support the establishment of a conformance testing infrastructure, 
including the development of technical test beds. The development of 
this conformance testing infrastructure may include a program to 
accredit independent, non-Federal laboratories to perform testing.

SEC. 202. RESEARCH AND DEVELOPMENT PROGRAMS.

    (a) Health Care Information Enterprise Integration Research 
Centers.--
            (1) In general.--The Director of the National Institute of 
        Standards and Technology, in consultation with the Director of the 
        National Science Foundation and other appropriate Federal 
        agencies, shall establish a program of assistance to 
        institutions of higher education (or consortia thereof which 
        may include nonprofit entities and Federal Government 
        laboratories) to establish multidisciplinary Centers for Health 
        Care Information Enterprise Integration.
            (2) Review; competition.--Grants shall be awarded under 
        this subsection on a merit-reviewed, competitive basis.
            (3) Purpose.--The purposes of the Centers described in 
        paragraph (1) shall be--
                    (A) to generate innovative approaches to health 
                care information enterprise integration by conducting 
                cutting-edge, multidisciplinary research on the systems 
                challenges to health care delivery; and
                    (B) the development and use of health information 
                technologies and other complementary fields.
            (4) Research areas.--Research areas may include--
                    (A) interfaces between human information and 
                communications technology systems;
                    (B) voice-recognition systems;
                    (C) software that improves interoperability and 
                connectivity among health information systems;
                    (D) software dependability in systems critical to 
                health care delivery;
                    (E) measurement of the impact of information 
                technologies on the quality and productivity of health 
                care;
                    (F) health information enterprise management;
                    (G) health information technology security and 
                integrity; and
                    (H) relevant health information technology to 
                reduce medical errors.
            (5) Applications.--An institution of higher education (or a 
        consortium thereof) seeking funding under this subsection shall 
        submit an application to the Director of the National Institute 
        of Standards and Technology at such time, in such manner, and 
        containing such information as the Director may require. The 
        application shall include, at a minimum, a description of--
                    (A) the research projects that will be undertaken 
                by the Center established pursuant to assistance under 
                paragraph (1) and the respective contributions of the 
                participating entities;
                    (B) how the Center will promote active 
                collaboration among scientists and engineers from 
                different disciplines, such as information technology, 
                biologic sciences, management, social sciences, and 
                other appropriate disciplines;
                    (C) technology transfer activities to demonstrate 
                and diffuse the research results, technologies, and 
                knowledge; and
                    (D) how the Center will contribute to the education 
                and training of researchers and other professionals in 
                fields relevant to health information enterprise 
                integration.
    (b) National Information Technology Research and Development 
Program.--The National High-Performance Computing Program established 
by section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 
5511) shall coordinate Federal research and development programs 
related to the development and deployment of health information 
technology, including activities related to--
            (1) computer infrastructure;
            (2) data security;
            (3) development of large-scale, distributed, reliable 
        computing systems;
            (4) wired, wireless, and hybrid high-speed networking;
            (5) development of software and software-intensive systems;
            (6) human-computer interaction and information management 
        technologies; and
            (7) the social and economic implications of information 
        technology.

               TITLE III--PRIVACY AND SECURITY PROVISIONS

SEC. 300. DEFINITIONS.

    In this title, except as specified otherwise:
            (1) Breach.--The term ``breach'' means the unauthorized 
        acquisition or disclosure of protected health information which 
        compromises the security, privacy, or integrity of protected 
        health information maintained by or on behalf of a person. Such 
        term does not include any unintentional acquisition of such 
        information by an employee or agent of the covered entity or 
        business associate involved if such acquisition was made in 
        good faith and within the course and scope of the employment or 
        other contractual relationship of such employee or agent, 
        respectively, with the covered entity or business associate and 
        if such information is not further acquired, used, or disclosed 
        by such employee or agent.
            (2) Business associate.--The term ``business associate'' 
        has the meaning given such term in section 160.103 of title 45, 
        Code of Federal Regulations.
            (3) Covered entity.--The term ``covered entity'' has the 
        meaning given such term in section 160.103 of title 45, Code of 
        Federal Regulations.
            (4) Disclose.--The terms ``disclose'' and ``disclosure'' 
        have the meaning given the term ``disclosure'' in section 
        160.103 of title 45, Code of Federal Regulations.
            (5) Encryption.--The term ``encryption'' has the meaning 
        given such term in section 164.304 of title 45, Code of Federal 
        Regulations.
            (6) Health care operations.--The term ``health care 
        operation'' has the meaning given such term in section 164.501 
        of title 45, Code of Federal Regulations.
            (7) Health care provider.--The term ``health care 
        provider'' has the meaning given such term in section 160.103 
        of title 45, Code of Federal Regulations.
            (8) Personal health record.--The term ``personal health 
        record'' means an electronic record of individually 
        identifiable health information on an individual that is drawn 
        from multiple sources and that is managed, shared, and 
        controlled by or for the individual.
            (9) Protected health information.--The term ``protected 
        health information'' has the meaning given such term under 
        section 160.103 of title 45, Code of Federal Regulations.
            (10) Secretary.--The term ``Secretary'' means the Secretary 
        of Health and Human Services.
            (11) Security.--The term ``security'' has the meaning given 
        such term in section 164.304 of title 45, Code of Federal 
        Regulations.
            (12) State.--The term ``State'' means each of the several 
        States, the District of Columbia, Puerto Rico, the Virgin 
        Islands, Guam, American Samoa, and the Northern Mariana 
        Islands.
            (13) Use.--The term ``use'' has the meaning given such term 
        in section 160.103 of title 45, Code of Federal Regulations.
            (14) Vendor of personal health records.--The term 
        ``vendor'' means an entity that offers or maintains a personal 
        health record and that is not a covered entity.

                    Subtitle A--Security Provisions

SEC. 301. APPLICATION OF SECURITY PROVISIONS AND PENALTIES TO BUSINESS 
              ASSOCIATES OF COVERED ENTITIES; ANNUAL GUIDANCE ON 
              SECURITY PROVISIONS.

    (a) Application of Security Provisions.--Sections 164.308, 164.310, 
and 164.312 of title 45, Code of Federal Regulations, shall apply to a 
business associate of a covered entity in the same manner that such 
sections apply to the covered entity.
    (b) Application of Civil and Criminal Penalties.--Sections 1176 and 
1177 of the Social Security Act (42 U.S.C. 1320d-5, 1320d-6) shall 
apply to a business associate of a covered entity with respect to a 
section applied under subsection (a) to such business associate in the 
same manner that such sections apply to a covered entity with respect 
to such section.
    (c) Annual Guidance.--For the first year beginning after the date 
of the enactment of this Act and annually thereafter, the Secretary of 
Health and Human Services shall, in consultation with industry 
stakeholders, annually issue guidance on the latest safeguard 
technologies for use in carrying out the sections described in 
subsection (a).

SEC. 302. NOTIFICATION IN THE CASE OF BREACH.

    (a) In General.--A covered entity that accesses, maintains, 
retains, modifies, records, stores, destroys, or otherwise holds, uses, 
or discloses unencrypted protected health information (as defined in 
subsection (h)) shall, in the case of a breach of such information that 
is discovered by the covered entity, notify each individual whose 
unencrypted protected health information has been, or is reasonably 
believed by the covered entity to have been, accessed or acquired as a 
result of such breach.
    (b) Notification of Covered Entity by Business Associate.--A 
business associate of a covered entity that accesses, maintains, 
retains, modifies, records, stores, destroys, or otherwise holds, uses, 
or discloses unencrypted protected health information shall, following 
the discovery of a breach of such information, notify the covered 
entity of such breach. Such notice shall include the identification of 
each individual whose unencrypted protected health information has 
been, or is reasonably believed to have been, accessed or acquired 
during such breach.
    (c) Breaches Treated as Discovered.--For purposes of this section, 
a breach shall be treated as discovered by a covered entity or by a 
business associate as of the first day on which such breach is known to 
such entity or associate, respectively, (including any person that is 
an employee, officer, or other agent of such entity or associate, 
respectively) or should reasonably have been known to such entity or 
associate (or person) to have occurred.
    (d) Timeliness of Notification.--
            (1) In general.--All notifications required under this 
        section shall be made without unreasonable delay and in no case 
        later than 60 calendar days after the discovery of a breach by 
        the covered entity involved (or business associate involved in 
        the case of a notification required under subsection (b)).
            (2) Burden of proof.--The covered entity involved (or 
        business associate involved in the case of a notification 
        required under subsection (b)), shall have the burden of 
        demonstrating that all notifications were made as required 
        under this subtitle, including evidence demonstrating the 
        necessity of any delay.
    (e) Methods of Notice.--
            (1) Individual notice.--Notice required under this section 
        to be provided to an individual, with respect to a breach, 
        shall be provided promptly and in the following form:
                    (A) Written notification by first-class mail to the 
                individual (or the next of kin of the individual if the 
                individual is deceased) at the last known address of 
                the individual or the next of kin, respectively, or, if 
                specified as a preference by the individual, by 
                electronic mail. The notification may be provided in 
                one or more mailings as information is available.
                    (B) In the case where there is insufficient, or 
                out-of-date contact information that precludes direct 
                written (or, if specified by the individual under 
                subparagraph (A), electronic) notification to the 
                individual, a substitute form of notice shall be 
                provided, including a conspicuous posting on the home 
                page of the Web site of the covered entity involved or 
                notice in major print or broadcast media, including 
                major media in geographic areas where the individuals 
                affected by the breach likely reside. Such a notice in 
                media will include a toll-free phone number where an 
                individual can learn whether or not the individual's 
                unencrypted protected health information is possibly 
                included in the breach.
                    (C) In any case deemed by the covered entity 
                involved to require urgency because of possible 
                imminent misuse of unencrypted protected health 
                information, the covered entity, in addition to notice 
                provided under subparagraph (A), may provide 
                information to individuals by telephone or other means, 
                as appropriate.
            (2) Media notice.--Notice shall be provided to prominent 
        media outlets serving a State or jurisdiction, following the 
        discovery of a breach described in subsection (a), if the 
        unencrypted protected health information of more than 500 
        residents of such State or jurisdiction is, or is reasonably 
        believed to have been, accessed or acquired during such breach.
            (3) Notice to secretary.--Notice shall be provided to the 
        Secretary by covered entities of unencrypted protected health 
        information that has been acquired or disclosed in a breach.
            (4) Posting on hhs public website.--The Secretary shall 
        make available to the public on the Internet website of the 
        Department of Health and Human Services a list that identifies 
        each covered entity involved in a breach described in 
        subsection (a) in which the unencrypted protected health 
        information of more than 1,000 individuals is acquired or 
        disclosed.
    (f) Content of Notification.--Regardless of the method by which 
notice is provided to individuals under this section, notice of a 
breach shall include, to the extent possible, the following:
            (1) A brief description of what happened, including the 
        date of the breach and the date of the discovery of the breach, 
        if known.
            (2) A description of the types of unencrypted protected 
        health information that were involved in the breach (such as 
        full name, Social Security number, date of birth, home address, 
        account number, or disability code).
            (3) The steps individuals should take to protect themselves 
        from potential harm resulting from the breach.
            (4) A brief description of what the covered entity involved 
        is doing to investigate the breach, to mitigate losses, and to 
        protect against any further breaches.
            (5) Contact procedures for individuals to ask questions or 
        learn additional information, which shall include a toll-free 
        telephone number, an e-mail address, Web site, or postal 
        address.
    (g) Delay of Notification Authorized for Law Enforcement 
Purposes.--If a law enforcement official determines that a 
notification, notice, or posting required under this section would 
impede a criminal investigation or cause damage to national security, 
such notification, notice, or posting shall be delayed in the same 
manner as provided under section 164.528(a)(2) of title 45, Code of 
Federal Regulations, in the case of a disclosure covered under such 
section.
    (h) Unencrypted Protected Health Information Defined.--For purposes 
of this section, the term ``unencrypted protected health information'' 
means protected health information that is not protected--
            (1) through the use of encryption; or
            (2) through the use of a technology specified by the 
        Secretary as being at least as effective as encryption for 
        purposes of rendering protected health information 
        indecipherable without authorization.

SEC. 303. EDUCATION ON HEALTH INFORMATION PRIVACY AND REPORT ON 
              COMPLIANCE.

    (a) Regional Office Privacy Advisors.--Not later than 6 months 
after the date of the enactment of this Act, the Secretary shall 
designate an individual in each regional office of the Department of 
Health and Human Services to offer guidance and education to covered 
entities, business associates, and individuals on their rights and 
responsibilities related to Federal privacy requirements for protected 
health information.
    (b) Report on Compliance.--
            (1) In general.--For the first year beginning after the 
        date of the enactment of this Act and annually thereafter, the 
        Secretary shall prepare and submit to Congress a report 
        concerning complaints of alleged violations of the provisions 
        of sections 301 and 302, the provisions of subtitle B, and the 
        provisions of subparts C and E of title 45, Code of Federal 
        Regulations that are received by the Secretary during the year 
        for which the report is being prepared. Each such report shall 
        include, with respect to such complaints received during the 
        year--
                    (A) the number of such complaints;
                    (B) the resolution or disposition of such 
                complaints;
                    (C) the amount of civil money penalties imposed 
                with respect to such complaints, as applicable;
                    (D) the number of compliance reviews conducted and 
                the outcome of each such review;
                    (E) the number of subpoenas or inquiries issued; 
                and
                    (F) the Secretary's plan for improving compliance 
                with and enforcement of such provisions for the 
                following year.
            (2) Availability to public.--Each report under paragraph 
        (1) shall be made available to the public on the Internet 
        website of the Department of Health and Human Services.
    (c) Education Initiative on Uses of Health Information.--
            (1) In general.--The Office for Civil Rights within the 
        Department of Health and Human Services shall develop and 
        maintain a multi-faceted national education initiative to 
        enhance public transparency regarding the uses of protected 
        health information, including programs to educate individuals 
        about the potential uses of their health information and 
        effects of such uses. Such programs shall be conducted in a 
        variety of languages and present information in a clear and 
        understandable manner.
            (2) Authorization of appropriations.--There is authorized 
        to be appropriated to carry out paragraph (1), $10,000,000 for 
        the period of fiscal years 2009 through 2013.

    Subtitle B--Improved Privacy Provisions and Additional Security 
                               Provisions

SEC. 311. APPLICATION OF PENALTIES TO BUSINESS ASSOCIATES OF COVERED 
              ENTITIES FOR VIOLATIONS OF PRIVACY CONTRACT REQUIREMENTS.

    (a) Application of Contract Requirements.--In the case of a 
business associate of a covered entity that obtains or creates 
protected health information pursuant to a written contract (or other 
written arrangement) described in section 164.502(e)(2) of title 45, 
Code of Federal Regulations, with such covered entity, the business 
associate may use and disclose such protected health information only 
if such use or disclosure, respectively, is in compliance with each 
applicable requirement of section 164.504(e) of such title.
    (b) Application of Knowledge Elements Associated With Contracts.--
Section 164.504(e)(1)(ii) of title 45, Code of Federal Regulations, 
shall apply to a business associate described in subsection (a), with 
respect to compliance with such subsection, in the same manner that 
such section applies to a covered entity, with respect to compliance 
with the standards in sections 164.502(e) and 164.504(e) of such title, 
except that in applying such section 164.504(e)(1)(ii) each reference 
to the business associate, with respect to a contract, shall be treated 
as a reference to the covered entity involved in such contract.
    (c) Application of Civil and Criminal Penalties.--In the case of a 
business associate that violates any provision of subsection (a) or 
(b), the provisions of sections 1176 and 1177 of the Social Security 
Act shall apply to the business associate with respect to such 
violation in the same manner as such provisions apply to a person who 
violates a provision of part C of title XI of such Act.

SEC. 312. RESTRICTIONS ON CERTAIN DISCLOSURES OF HEALTH INFORMATION; 
              ACCOUNTING OF CERTAIN PROTECTED HEALTH INFORMATION 
              DISCLOSURES.

    (a) Requested Restrictions on Certain Disclosures of Health 
Information.--In the case that an individual requests under paragraph 
(a)(1)(i)(A) of section 164.522 of title 45, Code of Federal 
Regulations, that a covered entity restrict the disclosure of the 
protected health information of the individual, notwithstanding 
paragraph (a)(1)(ii) of such section, the covered entity must comply 
with the requested restriction if--
            (1) except as otherwise required by law, the disclosure is 
        to a health plan for purposes of carrying out payment or health 
        care operations (and is not for purposes of carrying out 
        treatment); and
            (2) the protected health information pertains solely to a 
        health care item or service for which the health care provider 
        involved has been paid out of pocket in full.
    (b) Disclosures Required To Be Limited to the Limited Data Set or 
the Minimum Necessary.--
            (1) In general.--A covered entity shall be treated as being 
        in compliance with section 164.502(b)(1) of title 45, Code of 
        Federal Regulations, with respect to the use, disclosure, or 
        request of protected health information described in such 
        section, only if the covered entity makes reasonable efforts to 
        limit such protected health information to the limited data set 
        (as defined in section 164.514(e)(2) of such title) or, if 
        needed by such entity, to the minimum necessary to accomplish 
        the intended purpose of such use, disclosure, or request, 
        respectively.
            (2) Application of exceptions.--The exceptions described in 
        section 164.502(b)(2) of title 45, Code of Federal Regulations, 
        shall apply to the requirement under paragraph (1) as of the 
        effective date described in section 322 in the same manner that 
        such exceptions apply to section 164.502(b)(1) of such title 
        before such date.
    (c) Accounting of Certain Protected Health Information Disclosures 
Required if Covered Entity Uses Electronic Medical Record.--
            (1) In general.--In the case that a covered entity uses or 
        maintains an electronic medical record with respect to 
        protected health information, the exception under section 
        164.528(a)(1)(i) of title 45, Code of Federal Regulations, 
        shall not apply to disclosures (other than oral disclosures) 
        made by such entity of such information.
            (2) Electronic medical record defined.--For purposes of 
        paragraph (1), the term ``electronic medical record'' means an 
        electronic record of individually identifiable health 
        information on an individual that is created, gathered, 
        managed, and consulted by authorized clinicians and staff 
        within a single organization.
            (3) Effective date.--The provisions of this subsection 
        shall apply to disclosures made by a covered entity on or after 
        the date specified under section 322.
    (d) Application of Consent Requirements for Certain Uses and 
Disclosures by Health Care Providers With Electronic Medical Records.--
            (1) In general.--In applying section 164.506 of title 45, 
        Code of Federal Regulations, in the case of a covered entity 
        that is a health care provider, with respect to protected 
        health information of an individual that is used or maintained 
        by such entity in an electronic medical record (as defined in 
        subsection (c)(2)), such covered entity may not use or disclose 
        such protected health information for purposes of health care 
        operations unless the covered entity obtains the consent of the 
        individual to disclose such information for such purposes and 
        any such consent shall be revocable by the individual at any 
        time.
            (2) Effective date.--The provisions of this subsection 
        shall apply to disclosures made by a covered entity on or after 
        the date specified under section 322.

SEC. 313. CONDITIONS ON CERTAIN CONTACTS AS PART OF HEALTH CARE 
              OPERATIONS.

    (a) In General.--A communication by a covered entity or business 
associate that is about a product or service and that encourages 
recipients of the communication to purchase or use the product or 
service shall not be considered a health care operation for purposes of 
subpart E of part 164 of title 45, Code of Federal Regulations, unless 
the communication is made as described in subparagraph (i), (ii), or 
(iii) of paragraph (1) of the definition of marketing in section 
164.501 of such title. A covered entity or business associate may not 
receive direct payment for any such communication made as described in 
such subparagraph (i), (ii), or (iii).
    (b) Effective Date.--Subsection (a) shall apply to contracting 
occurring on or after the effective date specified under section 322.

SEC. 314. STUDY ON APPLICATION OF PRIVACY AND SECURITY REQUIREMENTS TO 
              VENDORS OF PERSONAL HEALTH RECORDS.

    Not later than one year after the date of the enactment of this 
Act, the Secretary, in consultation with the Federal Trade Commission, 
shall submit to Congress recommendations--
            (1) to identify requirements relating to security, privacy, 
        and notification in the case of a breach of security or privacy 
        (including the applicability of an exemption to notification in 
        the case of protected health information which has been 
        rendered indecipherable through the use of encryption or 
        alternative technologies) that should be applied to vendors of 
        personal health records and to third party service providers 
        that such vendors make available to individuals with personal 
        health records offered or maintained by such vendor, with 
        respect to information in such a record so offered or 
        maintained; and
            (2) to determine which Federal government agency is best 
        equipped to enforce such requirements recommended to be applied 
        to such vendors of personal health records and such third party 
        service providers.

SEC. 315. TEMPORARY BREACH NOTIFICATION REQUIREMENT FOR VENDORS OF 
              PERSONAL HEALTH RECORDS.

    (a) In General.--In accordance with subsection (c), each vendor of 
personal health records shall, following the discovery of a breach of 
security of unencrypted individually identifiable health information in 
such records maintained or offered by such vendor--
            (1) notify each individual who is a citizen or resident of 
        the United States whose unencrypted individually identifiable 
        health information was acquired by an unauthorized person as a 
        result of such a breach of security; and
            (2) notify the Federal Trade Commission.
    (b) Notification of Vendors of Personal Health Records by Third 
Party Service Providers.--A third party service provider that is made 
available by a vendor of personal health records to individuals with 
such records maintained or offered by such vendor and that accesses, 
maintains, retains, modifies, records, stores, destroys, or otherwise 
holds, uses, or discloses unencrypted individually identifiable health 
information in such records shall, following the discovery of a breach 
of security of such information, notify such vendor of such breach. 
Such notice shall include the identification of each individual whose 
unencrypted individually identifiable health information has been, or 
is reasonably believed to have been, accessed or acquired during such 
breach.
    (c) Application of Requirements for Timeliness, Method, and Content 
of Notifications.--Subsections (c), (d), (e), and (f) of section 302 
shall apply to a notification required under subsection (a) and a 
vendor of personal health records and a third party service provider 
described in subsection (b), with respect to a breach of security under 
subsection (a) of unencrypted individually identifiable health 
information in such records maintained or offered by such vendor, in 
the same manner that such subsections apply to a notification required 
under such section and a covered entity and a business associate of 
such covered entity, with respect to a breach under such section of 
unencrypted protected health information held, used, or disclosed by 
such covered entity.
    (d) Notification of the Secretary.--Upon receipt of a notification 
of a breach of security under subsection (a)(2), the Federal Trade 
Commission shall notify the Secretary of such breach.
    (e) Enforcement.--A violation of subsection (a) or (b) shall be 
treated as an unfair and deceptive act or practice in violation of a 
regulation under section 18(a)(1)(B) of the Federal Trade Commission 
Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or 
practices.
    (f) Definitions.--For purposes of this section:
            (1) Breach of security.--The term ``breach of security'' 
        means, with respect to unencrypted individually identifiable 
        health information of an individual in a personal health 
        record, acquisition of such information without the 
        authorization of the individual.
            (2) Individually identifiable health information.--The term 
        ``individually identifiable health information'' has the 
        meaning given such term in section 1171(6) of the Social 
        Security Act (42 U.S.C. 1320d(6)).
            (3) Unencrypted individually identifiable health 
        information.--The term ``unencrypted individually identifiable 
        health information'' means individually identifiable health 
        information that is not protected--
                    (A) through the use of encryption; or
                    (B) through the use of a technology specified by 
                the Secretary as being at least as effective as 
                encryption for purposes of rendering individually 
                identifiable health information indecipherable without 
                authorization.
    (g) Effective Date.--The provisions of this section shall apply to 
breaches of security occurring during the 2-year period beginning on 
the date of the enactment of this Act.

SEC. 316. BUSINESS ASSOCIATE CONTRACTS REQUIRED FOR CERTAIN ENTITIES.

    Each organization, with respect to a covered entity, that provides 
data transmission of protected health information to such entity and 
that requires access on a routine basis to such protected health 
information, such as a Health Information Exchange, Regional Health 
Information Organization, or E-prescribing Gateway, is required to 
enter into a written contract (or other written arrangement) described 
in section 164.502(e)(2) of title 45, Code of Federal Regulations, with 
such entity and shall be treated as a business associate of the covered 
entity for purposes of section 311.

SEC. 317. GUIDANCE ON IMPLEMENTATION SPECIFICATION TO DE-IDENTIFY 
              PROTECTED HEALTH INFORMATION.

    Not later than 12 months after the date of the enactment of this 
Act, the Secretary shall, in consultation with stakeholders, issue 
guidance on how best to implement the requirements for the de-
identification of protected health information under section 164.514(b) 
of title 45, Code of Federal Regulations.

SEC. 318. GAO REPORT ON TREATMENT DISCLOSURES.

    Not later than one year after the date of the enactment of this 
Act, the Comptroller General of the United States shall submit to 
Congress a report on the best practices related to the disclosure among 
health care providers of protected health information of an individual 
for purposes of treatment of such individual. Such report shall include 
an examination of the best practices implemented by States and by other 
entities, such as health information exchanges and regional health 
information organizations, including an examination of the extent to 
which such best practices are successful with respect to the quality of 
the resulting health care provided to the individual and with respect 
to the ability of the health care provider to manage such best 
practices.

SEC. 319. CLARIFICATION OF APPLICATION OF WRONGFUL DISCLOSURES CRIMINAL 
              PENALTIES.

    Section 1177(a) of the Social Security Act (42 U.S.C. 1320d-6(a)) 
is amended by adding at the end the following new sentence: ``For 
purposes of the previous sentence, a person (including an employee or 
other individual) shall be considered to have obtained or disclosed 
individually identifiable health information in violation of this part 
if the information is maintained by a covered entity (as defined in the 
HIPAA privacy regulation described in section 1180(b)(3)) and the 
individual obtained or disclosed such information without 
authorization.''.

 Subtitle C--Relationship to Other Laws; Clarification; Effective Date

SEC. 321. RELATIONSHIP TO OTHER LAWS.

    (a) Application of HIPAA State Preemption.--Section 1178 of the 
Social Security Act (42 U.S.C. 1320d-7) shall apply to a provision or 
requirement under this title in the same manner that such section 
applies to a provision or requirement under part C of title XI of such 
Act or a standard or implementation specification adopted or 
established under sections 1172 through 1174 of such Act.
    (b) Health Insurance Portability and Accountability Act.--The 
standards governing the privacy and security of individually 
identifiable health information promulgated by the Secretary under 
sections 262(a) and 264 of the Health Insurance Portability and 
Accountability Act of 1996 shall remain in effect to the extent that 
they are consistent with this title. The Secretary shall by rule amend 
such Federal regulations as required to make such regulations 
consistent with this title.

SEC. 322. EFFECTIVE DATE.

    The provisions of this title (other than sections 301(c), 303, 314, 
315, 317, 318, and 319) shall take effect on the date that is 12 months 
after the date of the enactment of this Act.