


110 HR 6357 IH: PRO(TECH)T Act of 2008
U.S. House of Representatives
2008-06-24
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.


	
		I
		110th CONGRESS
		2d Session
		H. R. 6357
		IN THE HOUSE OF REPRESENTATIVES
		
			June 24, 2008
			Mr. Dingell (for
			 himself, Mr. Barton of Texas,
			 Mr. Pallone,
			 Mr. Deal of Georgia,
			 Mr. Gordon of Tennessee,
			 Mr. Hall of Texas,
			 Mr. Towns,
			 Mr. Upton,
			 Mr. Engel,
			 Mrs. Wilson of New Mexico,
			 Mr. Gonzalez,
			 Mr. Gingrey, and
			 Mrs. Biggert) introduced the following
			 bill; which was referred to the Committee
			 on Energy and Commerce, and in addition to the Committees on
			 Science and Technology
			 and Ways and Means, for a
			 period to be subsequently determined by the Speaker, in each case for
			 consideration of such provisions as fall within the jurisdiction of the
			 committee concerned
		
		A BILL
		To amend the Public Health Service Act to promote the
		  adoption of health information technology, and for other
		  purposes.
	
	
		Sec. 1. Short title; table of contents
			(a) Short title. This Act may be cited as the "Protecting Records, Optimizing Treatment, and Easing Communication through Healthcare Technology Act of 2008" or the "PRO(TECH)T Act of 2008".
			(b) Table of contents. The table of contents of this Act is as follows:
				
					Sec. 1. Short title; table of contents.
					Title I—Health Information Technology
					Subtitle A—Promotion of Health Information
				Technology
					Part I—Improving health care quality, safety, and
				efficiency
					Sec. 101. ONCHIT; standards development and adoption; health
				information technology resource center.
						Title XXX—Health Information Technology and Quality
						Sec. 3000. Definitions.
						Subtitle A—Promotion of Health Information
				  Technology
						Sec. 3001. Office of the National Coordinator for Health
				  Information Technology.
						Sec. 3002. HIT Policy Committee.
						Sec. 3003. HIT Standards Committee.
						Sec. 3004. Process for adoption of endorsed
				  recommendations.
						Sec. 3005. Application and use of adopted standards and
				  implementation specifications by Federal agencies.
						Sec. 3006. Voluntary application and use of adopted standards
				  and implementation specifications by private entities.
						Sec. 3007. Health Information Technology Resource
				  Center.
					Sec. 102. Transitions.
					Part II—Application and use of adopted health information
				technology standards; reports
					Sec. 111. Coordination of Federal activities with adopted
				standards and implementation specifications.
					Sec. 112. Application to private entities.
					Sec. 113. Reports.
					Subtitle B—Incentives for the Use of Health Information
				Technology
					Sec. 121. Grant, loan, and demonstration
				programs.
						Subtitle B—Incentives for the Use of Health Information
				  Technology
						Sec. 3011. Grants and loans to facilitate the widespread
				  adoption of qualified health information technology.
						Sec. 3012. Demonstration program to integrate information
				  technology into clinical education.
					Title II—Testing of Health Information Technology
					Sec. 201. National Institute for Standards and Technology
				testing.
					Sec. 202. Research and development programs.
					Title III—Privacy and security provisions
					Sec. 300. Definitions.
					Subtitle A—Security provisions
					Sec. 301. Application of security provisions and penalties to
				business associates of covered entities; annual guidance on security
				provisions.
					Sec. 302. Notification in the case of breach.
					Sec. 303. Education on Health Information Privacy and report on
				compliance.
					Subtitle B—Improved privacy provisions and additional security
				provisions
					Sec. 311. Application of penalties to business associates of
				covered entities for violations of privacy contract requirements.
					Sec. 312. Restrictions on certain disclosures of health
				information; accounting of certain protected health information
				disclosures.
					Sec. 313. Conditions on certain contacts as part of health care
				operations.
					Sec. 314. Study on application of privacy and security
				requirements to vendors of personal health records.
					Sec. 315. Temporary breach notification requirement for vendors
				of personal health records.
					Sec. 316. Business associate contracts required for certain
				entities.
					Sec. 317. Guidance on implementation specification to
				de-identify protected health information.
					Sec. 318. GAO report on treatment disclosures.
					Sec. 319. Clarification of application of wrongful disclosures
				criminal penalties.
					Subtitle C—Relationship to other laws; clarification;
				effective date
					Sec. 321. Relationship to other laws.
					Sec. 322. Effective date.
				
			Title I—Health Information Technology
			Subtitle A—Promotion of Health Information Technology
				Part I—Improving health care quality, safety, and efficiency
					Sec. 101. ONCHIT; standards development and adoption; health information technology resource center
						(a) In general. The Public Health Service Act (42 U.S.C. 201 et seq.) is amended by adding at the end the following:
							
								Title XXX—Health Information Technology and Quality
									Sec. 3000. Definitions. In this title:
										(1) Enterprise integration. The term "enterprise integration" means the electronic linkage of health care
				providers, health plans, the government, and other interested parties, to
				enable the electronic exchange and use of health information among all the
				components in the health care infrastructure in accordance with applicable law,
				and such term includes related application protocols and other related
				standards.
										(2) Health care provider. The term "health care provider" means a
				hospital, skilled nursing facility, nursing facility, home health entity,
				health care clinic, Federally qualified health center, group practice (as
				defined in section 1877(h)(4) of the Social
				Security Act), a pharmacist, a pharmacy, a laboratory, a physician
				(as defined in section 1861(r) of the Social
				Security Act), a practitioner (as described in section
				1842(b)(18)(C) of the Social Security
				Act), a provider operated by, or under contract with, the Indian
				Health Service or by an Indian tribe (as defined in the Indian
				Self-Determination and Education Assistance Act), tribal organization, or urban
				Indian organization (as defined in section 4 of the Indian Health Care
				Improvement Act), a rural health clinic, and any other category of facility or
				clinician determined appropriate by the Secretary.
										(3) Health information. The term "health information" has the meaning given such term in section 1171(4) of the Social Security Act.
										(4) Health information technology. The term "health information technology" means hardware, software, license, right, intellectual property, equipment, or other information technology (including new versions, upgrades, and connectivity) designed or provided primarily for the electronic creation, maintenance, or exchange of health information to coordinate care or improve health care quality, efficiency, or research.
										(5) Health plan. The term "health plan" has the meaning given such term in section 1171(5) of the Social Security Act.
										(6) HIT Policy Committee. The term "HIT Policy Committee" means such Committee established under section 3002(a).
										(7) HIT Standards Committee. The term "HIT Standards Committee" means such Committee established under section 3003(a).
										(8) Individually identifiable health information. The term "individually identifiable health information" has the meaning given such term in section 1171(6) of the Social Security Act.
										(9) Laboratory. The term "laboratory" has the meaning given such term in section 353(a).
										(10) National Coordinator. The term "National Coordinator" means the head of the Office of the National Coordinator for Health Information Technology established under section 3001(a).
										(11) Pharmacist. The term "pharmacist" has the meaning given such term in section 804(2) of the Federal Food, Drug, and Cosmetic Act.
										(12) State. The term "State" means each of the several States, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana Islands.
										Subtitle A—Promotion of Health Information Technology
										Sec. 3001. Office of the National Coordinator for Health Information Technology
											(a) Establishment. There is established within the Department of Health and Human Services an Office of the National Coordinator for Health Information Technology (referred to in this section as the "Office"). The Office shall be headed by a National Coordinator who shall be appointed by the Secretary and shall report directly to the Secretary.
											(b) Purpose. The National Coordinator shall perform the duties under subsection (c) in a manner consistent with the development of a nationwide interoperable health information technology infrastructure that—
												(1) ensures that each patient’s health information is secure and protected, in accordance with applicable law;
												(2) improves health care quality, reduces medical errors, and advances the delivery of patient-centered medical care;
												(3) reduces health care costs resulting from inefficiency, medical errors, inappropriate care, duplicative care, and incomplete information;
												(4) ensures that appropriate information to help guide medical decisions is available at the time and place of care;
												(5) ensures the inclusion of meaningful public input in such development of such infrastructure;
												(6) improves the coordination of care and information among hospitals, laboratories, physician offices, and other entities through an effective infrastructure for the secure and authorized exchange of health care information;
												(7) improves public health reporting and facilitates the early identification and rapid response to public health threats and emergencies, including bioterror events and infectious disease outbreaks;
												(8) facilitates health and clinical research and health care quality;
												(9) promotes prevention of chronic diseases;
												(10) promotes a more effective marketplace, greater competition, greater systems analysis, increased consumer choice, and improved outcomes in health care services; and
												(11) improves efforts to reduce health disparities.
												(c) Duties of the National Coordinator
												(1) Standards. The National Coordinator shall review and
				determine whether to endorse each standard, implementation specification, and
				certification criterion for the electronic exchange and use of health
				information that is recommended by the HIT Standards Committee under section
				3003 for purposes of adoption under section 3004(b). The Coordinator shall make
				such determination, and report to the Secretary such determination, not later
				than 90 days after the date the recommendation is received by the
				Coordinator.
												(2) HIT policy coordination. The National
				Coordinator shall coordinate health information technology policy and programs
				of the Department with those of other relevant executive branch agencies with a
				goal of avoiding duplication of efforts and of helping to ensure that each
				agency undertakes health information technology activities primarily within the
				areas of its greatest expertise and technical capability.
												(3) Strategic plan
													(A) In general. The National Coordinator shall, in consultation with other appropriate Federal agencies (including the National Institute of Standards and Technology), maintain and update a strategic plan with specific objectives, milestones, and metrics for the following:
														(i) The electronic exchange and use of health information and the enterprise integration of such information.
														(ii) The utilization of an electronic health record for each person in the United States by 2014.
														(iii) The incorporation of privacy and security protections for the electronic exchange of an individual’s individually identifiable health information.
														(iv) Ensuring security methods to ensure appropriate authorization, electronic authentication, and encryption of health information.
														(v) Specifying a framework for coordination and flow of recommendations and policies under this subtitle among the Secretary, the National Coordinator, the HIT Policy Committee, the HIT Standards Committee, and other health information exchanges and other relevant entities.
														(vi) Methods to foster the public understanding of health information technology.
														(vii) Strategies to enhance the use of health information technology in improving the quality of health care, reducing medical errors, reducing health disparities, and in improving the continuity of care among health care settings.
													(B) Collaboration. The strategic plan shall be developed and updated through collaboration of public and private interests.
													(C) Measurable outcome goals. The strategic plan shall include measurable outcome goals.
													(D) Publication. The National Coordinator shall publish the strategic plan, including all updates.
												(4) Website. The National Coordinator shall maintain and frequently update an Internet website on which there is posted information that includes the following:
													(A) The schedule developed by the HIT Standards Committee under section 3003(b)(3).
													(B) The recommendations of the HIT Policy Committee under section 3002.
													(C) Recommendations of the HIT Standards Committee under section 3003.
													(D) Sources of Federal grant funds and technical assistance that are available to facilitate the purchase of, or enhance the utilization of, health information technology systems.
													(E) The report prepared by the National Coordinator under paragraph (5).
													(F) The assessment by the National Coordinator under paragraph (6).
													(G) The evaluation by the National Coordinator under paragraph (7).
													(H) The annual estimate of resources required under paragraph (8).
												(5) Implementation report. The National
				Coordinator shall prepare a report that identifies lessons learned from major
				public and private health care systems in their implementation of health
				information technology systems, including information on whether the systems
				and practices developed by such systems may be applicable to and usable in
				whole or in part by other health care providers.
												(6) Assessment of impact of HIT on communities with health disparities and uninsured, underinsured, and medically underserved areas. The National Coordinator shall assess and
				publish the impact of health information technology in communities with health
				disparities and in areas that serve uninsured, underinsured, and medically
				underserved individuals (including urban and rural areas) and identify
				practices to increase the adoption of such technology by health care providers
				in such communities.
												(7) Evaluation of benefits and costs of the electronic use and exchange of health information. The National
				Coordinator shall evaluate and publish evidence on the benefits and costs of
				the electronic use and exchange of health information and assess to whom these
				benefits and costs accrue.
												(8) Resource requirements. The National
				Coordinator shall estimate and publish resources required annually to reach the
				goal of utilization of an electronic health record for each person in the
				United States by 2014, including the required level of Federal funding,
				expectations for regional, State, and private investment, and the expected
				contributions by volunteers to activities for the utilization of such
				records.
												(9) Certification
													(A) In general. The National
				Coordinator, in consultation with the Director of the National Institute of
				Standards and Technology, shall develop a program (either directly or by
				contract) for the voluntary certification of health information technology as
				being in compliance with applicable certification criteria adopted under this
				subtitle. Such program shall include testing of the technology in accordance
				with section 201(b) of the PRO(TECH)T Act of 2008.
													(B) Certification criteria described. In this title, the term "certification criteria" means, with respect to standards and implementation
				specifications for health information technology, criteria to establish that
				the technology meets such standards and implementation specifications.
											(d) Detail of Federal Employees
												(1) In general. Upon the request of the National Coordinator, the head of any Federal agency is authorized to detail, with or without reimbursement from the Office, any of the personnel of such agency to the Office to assist it in carrying out its duties under this section.
												(2) Effect of detail. Any detail of personnel under paragraph (1) shall—
													(A) not interrupt or otherwise affect the civil service status or privileges of the Federal employee; and
													(B) be in addition to any other staff of the Department employed by the National Coordinator.
												(3) Acceptance of detailees. Notwithstanding any other provision of law, the Office may accept detailed personnel from other Federal agencies without regard to whether the agency described under paragraph (1) is reimbursed.
											(e) Authorization of Appropriations. There are authorized to be appropriated to carry out this section $66,000,000 for fiscal year 2009.
										Sec. 3002. HIT Policy Committee
											(a) Establishment. There is established a HIT Policy Committee to make policy recommendations to the National Coordinator relating to the implementation of a nationwide health information technology infrastructure, including implementation of the strategic plan described in section 3001(c)(3).
											(b) Duties
												(1) Recommendations on health information technology infrastructure. Not later than 1
				year after the date of the enactment of this title, the HIT Policy Committee
				shall recommend a policy framework for the development and adoption of a
				nationwide health information technology infrastructure that permits the
				electronic exchange and use of health information as is consistent with the
				strategic plan under section 3001(c)(3) and that includes the recommendations
				under paragraph (2). Annually thereafter the Committee shall update such
				recommendations and make new recommendations as appropriate.
												(2) Specific areas of standard development
													(A) In general. The HIT Policy Committee shall recommend the areas in
				which standards, implementation specifications, and certification criteria are
				needed for the electronic exchange and use of health information for purposes
				of adoption under section 3004(b) and shall recommend an order of priority for
				the development, harmonization, and recognition of such standards,
				specifications, and criteria among the areas so recommended. Such standards and
				implementation specifications shall include named standards, architectures, and
				software schemes for the authentication and security of individually
				identifiable health information and other information as needed to ensure the
				reproducible development of common solutions across disparate entities.
													(B) Areas required for consideration. In making recommendations under subparagraph
				(A), the HIT Policy Committee shall consider at least the following
				areas:
														(i) Technologies that protect the privacy of
				health information and promote security, including for the protection from
				disclosure of specific individually identifiable health information, in
				accordance with applicable law, and for the use and disclosure of limited data
				sets (as defined for purposes of regulations promulgated under section 264(c)
				of the Health Insurance Portability and Accountability Act of 1996) of such
				information.
														(ii) A nationwide interoperable health
				information technology infrastructure that permits the electronic exchange and
				use of health information.
														(iii) The utilization of an electronic health record for each person in the United States by 2014.
													(C) Other areas for consideration. In making recommendations under subparagraph (A), the HIT Policy Committee may consider the following additional areas:
														(i) The appropriate uses of a nationwide health information infrastructure, including for purposes of—
															(I) the collection of quality data and public reporting;
															(II) biosurveillance and public health;
															(III) medical and clinical research; and
															(IV) drug safety.
														(ii) Self-service technologies that facilitate the use and exchange of patient information and reduce wait times.
														(iii) Telemedicine technologies, in order to reduce travel requirements for patients in remote areas.
														(iv) Technologies that facilitate home health care and the monitoring of patients recuperating at home.
														(v) Technologies that help reduce medical errors.
														(vi) Technologies that facilitate the continuity of care among health settings.
														(vii) Technologies that meet the needs of diverse populations.
														(viii) Any other technology that the HIT Policy Committee finds to be among the technologies with the greatest potential to improve the quality and efficiency of health care.
												(3) Forum. The HIT Policy Committee shall serve as a forum for broad stakeholder input with specific expertise in policies relating to the matters described in paragraphs (1) and (2).
												(4) Website. The HIT Policy Committee shall develop and maintain an Internet website on which there is posted information that includes the following:
													(A) Established governance rules.
													(B) A business plan.
													(C) Meeting notices at least 14 days prior to each meeting.
													(D) Meeting agendas at least 7 days prior to each meeting.
													(E) Meeting materials at least 3 days prior to each meeting.
											(c) Membership
												(1) Appointments. The HIT Policy Committee shall be composed of members to be appointed as follows:
													(A) 3 members shall be appointed by the Secretary, 1 of whom shall be appointed to represent the Department of Health and Human Services and 1 of whom shall be a public health official.
													(B) 1 member shall be appointed by the majority leader of the Senate.
													(C) 1 member shall be appointed by the minority leader of the Senate.
													(D) 1 member shall be appointed by the Speaker of the House of Representatives.
													(E) 1 member shall be appointed by the minority leader of the House of Representatives.
													(F) Such other members as shall be appointed by the President as representatives of other relevant Federal agencies.
													(G) 11 members shall be appointed by the Comptroller General of the United States of whom—
														(i) 1 member shall be an advocate for patients or consumers;
														(ii) 2 members shall represent health care providers, one of which shall be a physician;
														(iii) 1 member shall be from a labor organization representing health care workers;
														(iv) 1 member shall have expertise in privacy and security;
														(v) 1 member shall have expertise in improving the health of vulnerable populations;
														(vi) 1 member shall be from the research community;
														(vii) 1 member shall represent health plans or other third-party payers;
														(viii) 1 member shall represent information technology vendors;
														(ix) 1 member shall represent purchasers or employers; and
														(x) 1 member shall have expertise in health care quality measurement and reporting.
												(2) National Coordinator. The National Coordinator shall be a member of the HIT Policy Committee and act as a liaison among the HIT Policy Committee, the HIT Standards Committee, and the Federal Government.
												(3) Chairperson and vice chairperson. The HIT Policy Committee shall designate 1 member to serve as the chairperson and 1 member to serve as the vice chairperson of the HIT Policy Committee.
												(4) Participation. The members of the HIT Policy Committee
				appointed under paragraph (1) shall represent a balance among various sectors
				of the health care system so that no single sector unduly influences the
				recommendations of such Committee.
												(5) Terms
													(A) In general. The terms of members
				of the HIT Policy Committee appointed under paragraph (1) shall be 3 years
				except that the Comptroller General of the United States shall designate
				staggered terms for the members first appointed under paragraph (1)(G).
													(B) Vacancies. Any member appointed to fill a vacancy in
				the membership of the HIT Policy Committee that occurs prior to the expiration
				of the term for which the member’s predecessor was appointed shall be appointed
				only for the remainder of that term. A member may serve after the expiration of
				that member’s term until a successor has been appointed. A vacancy in the HIT
				Policy Committee shall be filled in the manner in which the original
				appointment was made.
												(6) Outside involvement. The HIT Policy
				Committee shall ensure an adequate opportunity for the participation in
				activities of the Committee of outside advisors, including individuals with
				expertise in the development of policies for the electronic exchange and use of
				health information, including in the areas of health information privacy and
				security.
												(7) Quorum. Ten members of the HIT Policy Committee
				shall constitute a quorum for purposes of voting, but a lesser number of
				members may meet and hold hearings.
											(d) Application of FACA. The Federal Advisory
				Committee Act (5 U.S.C. App.), other than section 14 of such Act,
				shall apply to the HIT Policy Committee.
											(e) Publication. The Secretary shall provide for publication
				in the Federal Register and the posting on the Internet website of the Office
				of the National Coordinator for Health Information Technology of all policy
				recommendations made by the HIT Policy Committee under this section.
										Sec. 3003. HIT Standards Committee
											(a) Establishment. There is established a committee to be
				known as the HIT Standards Committee to recommend to the National Coordinator
				standards, implementation specifications, and certification criteria for the
				electronic exchange and use of health information for purposes of adoption
				under section 3004(b), consistent with the implementation of the strategic plan
				described in section 3001(c)(3).
											(b) Duties
												(1) Standard development
													(A) In general. Beginning not later than 1 year after the date of the
				enactment of this title, the HIT Standards Committee shall recommend to the
				National Coordinator standards, implementation specifications, and
				certification criteria described in subsection (a) that have been developed,
				harmonized, or recognized by the Committee. Annually thereafter the Committee
				shall update such recommendations and make new recommendations as appropriate,
				including in response to a notification sent under section 3004(b)(2). Such
				recommendations shall be consistent with the latest recommendations made by the
				HIT Policy Committee.
													(B) Pilot testing of standards and implementation specifications. In the development, harmonization, or
				recognition of standards and implementation specifications, the HIT Standards
				Committee, as appropriate, shall provide for the testing of such standards and
				specifications by the National Institute for Standards and Technology under
				section 201 of the PRO(TECH)T Act of 2008.
													(C) Consistency. The
				standards, implementation specifications, and certification criteria
				recommended under this subsection shall be consistent with the standards for
				information transactions and data elements adopted pursuant to section 1173 of
				the Social Security Act.
												(2) Forum. The HIT Standards Committee shall serve as
				a forum for the participation of a broad range of stakeholders to provide input
				on the development, harmonization, and recognition of standards, implementation
				specifications, and certification criteria necessary for the development and
				adoption of a nationwide interoperable health information technology
				infrastructure.
												(3) Schedule. Not
				later than 90 days after the date of the enactment of this title, the HIT
				Standards Committee shall develop a schedule for the assessment of policy
				recommendations developed by the HIT Policy Committee under section 3002. The
				HIT Standards Committee shall update such schedule annually. The Secretary
				shall publish such schedule in the Federal Register.
												(4) Public input. The HIT Standards
				Committee shall conduct open public meetings and develop a process to allow for
				public comment on the schedule described in paragraph (3) and recommendations
				described in this subsection. Under such process comments shall be submitted in
				a timely manner after the date of publication of a recommendation under this
				subsection.
												(5)WebsiteThe HIT Standards Committee shall develop
				and maintain an Internet website on which there is posted information that
				includes the following:
													(A)Established
				governance rules.
													(B)A business
				plan.
													(C)Meeting notices at
				least 14 days prior to each meeting.
													(D)Meeting agendas at
				least 7 days prior to each meeting.
													(E)Meeting materials
				at least 3 days prior to each meeting.
													(6)Requirement to
				integrate recommendationsIn
				carrying out the activities under this section, the HIT Standards Committee
				shall integrate the recommendations of the HIT Policy Committee.
												(c)Membership
												(1)AppointmentsThe HIT Standards Committee shall be
				composed of members to be appointed as follows:
													(A)2 members shall be
				appointed by the Secretary.
													(B)1 member shall be
				appointed by the majority leader of the Senate.
													(C)1 member shall be
				appointed by the minority leader of the Senate.
													(D)1 member shall be
				appointed by the Speaker of the House of Representatives.
													(E)1 member shall be
				appointed by the minority leader of the House of Representatives.
													(F)9 members shall be
				appointed by the Comptroller General of the United States of whom—
														(i)1
				member shall be a representative of consumer or patient organizations;
														(ii)1
				member shall be a representative of organizations with expertise in
				privacy;
														(iii)1 member shall
				be a representative of organizations with expertise in security;
														(iv)2
				members shall be a representative of health care providers, one of which shall
				be a physician;
														(v)1
				member shall be a representative of health plans or other third party
				payers;
														(vi)1
				member shall be a representative of information technology vendors;
														(vii)1 member shall
				be a representative of purchasers or employers; and
														(viii)1 member shall
				be a representative of the health research community.
														(G)1 member shall be
				appointed by the Director of the National Institute for Standards and
				Technology.
													(2)National coordinator. The National
				Coordinator shall be a member of the HIT Standards Committee and act as a
				liaison among the HIT Standards Committee, the HIT Policy Committee, and the
				Federal government.
												(3)Chairperson and vice chairperson. The HIT
				Standards Committee shall designate 1 member to serve as the chairperson and 1
				member to serve as the vice chairperson of the Committee.
												(4)Participation. The members of the HIT Standards Committee
				appointed under paragraph (1) shall represent a balance among various sectors
				of the health care system so that no single sector unduly influences the
				recommendations of such Committee.
												(5)Terms
													(A)In general. The terms of members
				of the HIT Standards Committee appointed under paragraph (1) shall be 3 years
				except that the Comptroller General of the United States shall designate
				staggered terms for the members first appointed under paragraph (1)(F).
													(B)Vacancies. Any member appointed to fill a vacancy in
				the membership of the HIT Standards Committee that occurs prior to the
				expiration of the term for which the member’s predecessor was appointed shall
				be appointed only for the remainder of that term. A member may serve after the
				expiration of that member’s term until a successor has been appointed. A
				vacancy in the HIT Standards Committee shall be filled in the manner in which
				the original appointment was made.
													(6)Outside involvement. The HIT Standards
				Committee shall ensure an adequate opportunity for the participation in
				activities of the Committee of outside advisors, including individuals with
				expertise in the development of standards for the electronic exchange and use
				of health information, including in the areas of health information privacy and
				security.
												(7)Quorum. Eight members of the HIT Standards
				Committee shall constitute a quorum for purposes of voting, but a lesser number
				of members may meet and hold hearings.
												(d)Application of FACA. The Federal Advisory
				Committee Act (5 U.S.C. App.), other than section 14, shall apply to
				the HIT Standards Committee.
											(e)Publication. The Secretary shall provide for publication
				in the Federal Register and the posting on the Internet website of the Office
				of the National Coordinator for Health Information Technology of all
				recommendations made by the HIT Standards Committee under this section.
											3004.Process for
				adoption of endorsed recommendations
											(a)Review of endorsed standards, specifications, and criteria. Not later than 90 days after the date of
				receipt of standards, implementation specifications, or certification criteria
				endorsed under section 3001(c), the Secretary, in consultation with
				representatives of other relevant Federal agencies, shall jointly review such
				standards, specifications, or criteria and shall determine whether or not to
				propose adoption of such standards, specifications, or criteria.
											(b)Determination to adopt standards, specifications, and criteria. If the Secretary
				determines—
												(1)to propose adoption of any grouping of such
				standards, specifications, or criteria, the Secretary shall, through a
				rulemaking process, determine whether or not to adopt such grouping of
				standards, specifications, or criteria; or
												(2)not to propose adoption of any grouping of
				standards, specifications, or criteria, the Secretary shall notify the National
				Coordinator and the HIT Standards Committee in writing of such determination
				and the reasons for not proposing the adoption of such recommendation.
												(c)Publication. The
				Secretary shall provide for publication in the Federal Register of all
				determinations made by the Secretary under subsection (a).
											3005.Application and use of adopted standards and implementation specifications by Federal agencies
				For requirements
				relating to the application and use by Federal agencies of the standards and
				implementation specifications adopted under section 3004(b), see section 111 of
				the PRO(TECH)T Act of 2008.
										3006.Voluntary
				application and use of adopted standards and implementation specifications by
				private entities
											(a)In general. Except as provided
				under section 112 of the PRO(TECH)T Act of 2008, any standard or implementation
				specification adopted under section 3004(b) shall be voluntary with respect to
				private entities.
											(b)Rule of construction. Nothing in this subtitle shall be construed to
				require that a private entity that enters into a contract with the Federal
				Government apply or use the standards and implementation specifications adopted
				under section 3004(b) with respect to activities not related to the
				contract.
											3007.Health
				Information Technology Resource Center
											(a)Development
												(1)In general. The National Coordinator shall develop a Health
				Information Technology Resource Center to provide technical assistance and
				develop best practices to support and accelerate efforts to adopt, implement,
				and effectively use health information technology that allows for the
				electronic exchange and use of information in compliance with standards,
				implementation specifications, and certification criteria adopted under section
				3004(b).
												(2)Purposes. The
				purpose of the Center is to—
													(A)provide a forum
				for the exchange of knowledge and experience;
													(B)accelerate the
				transfer of lessons learned from existing public and private sector
				initiatives, including those currently receiving Federal financial
				support;
													(C)assemble, analyze,
				and widely disseminate evidence and experience related to the adoption,
				implementation, and effective use of health information technology that allows
				for the electronic exchange and use of information;
													(D)provide technical assistance for the
				establishment and evaluation of regional and local health information networks
				to facilitate the electronic exchange of information across health care
				settings and improve the quality of health care;
													(E)provide technical
				assistance for the development and dissemination of solutions to barriers to
				the exchange of electronic health information;
													(F)learn about
				effective strategies to adopt and utilize health information technology in
				medically underserved communities;
													(G)conduct other
				activities identified by the States, local or regional health information
				networks, or health care stakeholders as a focus for developing and sharing
				best practices; and
													(H)provide technical
				assistance to promote adoption and utilization of health information technology
				by health care providers, including in medically underserved
				communities.
													(b)Technical Assistance Telephone Number or Website. The National Coordinator
				shall establish a toll-free telephone number or Internet website to provide
				health care providers with a single point of contact to—
												(1)learn about
				Federal grants and technical assistance services related to interoperable
				health information technology;
												(2)learn about
				standards, implementation specifications, and certification criteria adopted
				under section 3004(b);
												(3)learn about
				regional and local health information networks for assistance with health
				information technology; and
												(4)disseminate
				additional information determined by the National
				Coordinator.
						102.Transitions
						(a)ONCHIT. To the extent consistent with section 3001
			 of the Public Health Service Act, as added by section 101, all functions,
			 personnel, assets, liabilities, and administrative actions applicable to the
			 National Coordinator for Health Information Technology appointed under
			 Executive Order 13335 or the Office of such National Coordinator on the date
			 before the date of the enactment of this Act shall be transferred to the
			 National Coordinator appointed under section 3001(a) of such Act and the Office
			 of such National Coordinator as of the date of the enactment of this
			 Act.
						(b)AHIC
							(1)To the extent
			 consistent with sections 3002 and 3003 of the Public Health Service Act, as
			 added by section 101, all functions, personnel, assets, and liabilities
			 applicable to the American Health Information Community created in response to
			 Executive Order 13335 as of the day before the date of the enactment of this
			 Act shall be transferred to the HIT Policy Committee or the HIT Standards
			 Committee, established under section 3002(a) or 3003(a) of such Act, as
			 appropriate, as of the date of the enactment of this Act.
							(2)In carrying out section 3003(b)(1)(A) of
			 the Public Health Service Act, as so added, until recommendations are made by
			 the HIT Policy Committee, recommendations of the HIT Standards Committee shall
			 be consistent with the most recent recommendations made by the American Health
			 Information Community.
							(c)Rules of
			 construction
							(1)ONCHIT. Nothing
			 in section 3001 of the Public Health Service Act, as added by section 101, or
			 subsection (a) shall be construed as requiring the creation of a new entity to
			 the extent that the Office of the National Coordinator for Health Information
			 Technology established pursuant to Executive Order 13335 is consistent with the
			 provisions of such section 3001.
							(2)AHIC. Nothing in sections 3002 or 3003 of the
			 Public Health Service Act, as added by section 101, or subsection (b) shall be
			 construed as requiring the creation of a new entity to the extent that the
			 American Health Information Community created in response to Executive Order
			 13335 is consistent with the provisions of such sections 3002 and 3003.
							Part II. Application and use of adopted health information technology standards; reports
					111.Coordination of
			 Federal activities with adopted standards and implementation
			 specifications
						(a)Spending on health information technology systems. As each agency (as defined in the Executive
			 Order issued on August 22, 2006, relating to promoting quality and efficient
			 health care in Federal government administered or sponsored health care
			 programs) implements, acquires, or upgrades health information technology
			 systems used for the direct exchange of individually identifiable health
			 information between agencies and with non-Federal entities, it shall utilize,
			 where available, health information technology systems and products that meet
			 standards and implementation specifications adopted under section 3004(b) of
			 the Public Health Service Act, as added by section 101.
						(b)Federal information collection activities. With respect to a standard or
			 implementation specification adopted under section 3004(b) of the Public Health
			 Service Act, as added by section 101, the President shall take measures to
			 ensure that Federal activities involving the broad collection and submission of
			 health information are consistent with such standard or specification,
			 respectively, within three years after the date of such adoption.
						(c)Application of definitions. The definitions contained in section 3000 of the
			 Public Health Service Act, as added by section 101, shall apply for purposes of
			 this part.
						112.Application to private entities
			 Each agency
			 (as defined in such Executive Order issued on August 22, 2006, relating to
			 promoting quality and efficient health care in Federal government administered
			 or sponsored health care programs) shall require in contracts or agreements
			 with health care providers, health plans, or health insurance issuers that as
			 each provider, plan, or issuer implements, acquires, or upgrades health
			 information technology systems, it shall utilize, where available, health
			 information technology systems and products that meet standards and
			 implementation specifications adopted under section 3004(b) of the Public
			 Health Service Act, as added by section 101.
					113.Reports
						(a)In general. The Secretary of
			 Health and Human Services shall submit to the Committee on Health, Education,
			 Labor, and Pensions and the Committee on Commerce, Science, and Transportation
			 of the Senate and the Committee on Energy and Commerce and the Committee on
			 Science and Technology of the House of Representatives, on an annual basis, a
			 report that—
							(1)describes the
			 specific actions that have been taken by the Federal Government and private
			 entities to facilitate the adoption of an interoperable nationwide system for
			 the electronic exchange of health information;
							(2)describes barriers
			 to the adoption of such a nationwide system; and
							(3)contains
			 recommendations to achieve full implementation of such a nationwide
			 system.
							(b)Reimbursement incentive study. The Secretary
			 of Health and Human Services shall carry out, or contract with a private entity
			 to carry out, a study that examines methods to create efficient reimbursement
			 incentives for improving health care quality in Federally qualified health
			 centers, rural health clinics, and free clinics.
						Subtitle B. Incentives for the Use of Health Information Technology
				121.Grant, loan, and demonstration programs
			 Title XXX of the Public Health Service Act,
			 as added by section 101, is amended by adding at the end the following new
			 subtitle:
					
						Subtitle B. Incentives for the Use of Health Information Technology
							3011.Grants and
				loans To facilitate the widespread adoption of qualified health information
				technology
								(a)Competitive
				grants To facilitate the widespread adoption of health information
				technology
									(1)In general. The National Coordinator may award competitive grants to
				eligible entities to purchase qualified health information technology.
									(2)Qualified health information technology. For
				purposes of this section, the term “qualified health information
				technology” means health information technology that consists of
				hardware, software, or the provision of support services and that—
										(A)enables the protection of health
				information, in accordance with applicable law;
										(B)is (or is necessary for the operation of)
				an electronic health records system, including the provision of decision
				support and physician order entry for medications;
										(C)has the ability to
				allow timely and permissible access to patient information and to transmit and
				exchange health information among providers, patients, or insurers; and
										(D)is certified under
				the program developed under section 3001(c)(9) to be in compliance with any
				applicable standards and implementation specifications adopted under section
				3004(b).
										(3)Eligibility. To be eligible to receive a grant under
				paragraph (1) an entity shall—
										(A)submit to the National Coordinator an
				application at such time and in such manner as the National Coordinator may
				require, and containing—
											(i)a
				plan on how the entity intends to maintain and support the qualified health
				information technology that would be purchased with amounts under such grant,
				including the type of resources expected to be involved; and
											(ii)such other
				information as the National Coordinator may require;
											(B)submit to the
				National Coordinator a strategic plan for the electronic exchange and use of
				health information;
										(C)be—
											(i)a
				not for profit hospital or a Federally qualified health center (as defined in
				section 1861(aa)(4) of the Social Security
				Act);
											(ii)an individual or
				group practice; or
											(iii)another health
				care provider not described in clause (i) or (ii);
											(D)demonstrate
				significant financial need;
										(E)agree to notify individuals in accordance
				with section 302 of the PRO(TECH)T Act of 2008 if their individually
				identifiable health information is accessed or acquired as a result of a
				breach; and
										(F)provide matching
				funds in accordance with paragraph (5).
										(4)Use of funds. Amounts received under a grant under this subsection shall
				be used to facilitate the purchase of qualified health information
				technology.
									(5)Matching requirement. To be eligible for a grant under this subsection an
				entity shall contribute non-Federal contributions to the costs of carrying out
				the activities for which the grant is awarded in an amount equal to $1 for each
				$3 of Federal funds provided under the grant.
									(6)Preference in awarding grants. In awarding grants under this subsection the
				National Coordinator shall give preference to the following eligible
				entities:
										(A)Small health care
				providers.
										(B)Entities that are located in rural,
				frontier, and other areas that serve uninsured, underinsured, and medically
				underserved individuals (regardless of whether such area is urban, rural, or
				frontier).
										(C)Entities that will
				link, to the extent practicable, to local or regional health information plan
				or plans.
										(D)Nonprofit health
				care providers.
										(7)Additional sources of funding for health information technology. Funding made
				available under this subsection is in addition to funding which may be used
				toward the acquisition and utilization of health information technology under
				other law, which includes the following:
										(A)Medicaid
				transformation grants under section 1903(z) of the Social Security Act.
										(B)Grants or funding
				available through the Agency for Healthcare Research and Quality.
										(C)Grants or funding
				that may be available through the Health Resources and Services Administration
				for investment in health information technologies or telehealth.
										(D)Grants or funding
				that may be available through the Department of Agriculture’s Rural Development
				Telecommunications Program for investment in telemedicine.
										(b)Competitive
				Grants to States and Indian tribes for the Development of Loan Programs To
				Facilitate the Widespread Adoption of qualified Health Information
				Technology
									(1)In general. The National
				Coordinator may award competitive grants to eligible entities for the
				establishment of programs for loans to health care providers to purchase
				qualified health information technology.
									(2)Eligible entity defined. For purposes of this
				subsection, the term “eligible entity” means a State or Indian tribe
				(as defined in the Indian Self-Determination and Education Assistance Act)
				that—
										(A)submits to the
				National Coordinator an application at such time, in such manner, and
				containing such information as the National Coordinator may require;
										(B)submits to the
				National Coordinator a strategic plan in accordance with paragraph (4) and
				provides to the National Coordinator assurances that the entity will update
				such plan annually in accordance with such paragraph;
										(C)provides
				assurances to the National Coordinator that the entity will establish a Loan
				Fund in accordance with paragraph (3);
										(D)provides
				assurances to the National Coordinator that the entity will not provide a loan
				from the Loan Fund to a health care provider unless the provider meets each of
				the conditions described in paragraph (5); and
										(E)agrees to provide
				matching funds in accordance with paragraph (9).
										(3)Establishment of fund. For purposes of paragraph (3)(C), an eligible entity shall
				establish a qualified health information technology loan fund (referred to in
				this subsection as a “Loan Fund”) and comply with the other
				requirements contained in this section. A grant to an eligible entity under
				this subsection shall be deposited in the Loan Fund established by the eligible
				entity. No funds authorized by other provisions of this subtitle to be used for
				other purposes specified in this subtitle shall be deposited in any Loan
				Fund.
									(4)Strategic
				plan
										(A)In general. For purposes of paragraph (3)(B), a strategic plan of an
				eligible entity under this paragraph shall identify the intended uses of
				amounts available to the Loan Fund of such entity.
										(B)Contents. A
				strategic plan under subparagraph (A), with respect to a Loan Fund of an
				eligible entity, shall include for a year the following:
											(i)A
				list of the projects to be assisted through the Loan Fund during such
				year.
											(ii)A
				description of the criteria and methods established for the distribution of
				funds from the Loan Fund during the year.
											(iii)A description of
				the financial status of the Loan Fund as of the date of submission of the
				plan.
											(iv)The short-term
				and long-term goals of the Loan Fund.
											(5)Health care provider conditions for receipt of loans. For purposes of
				paragraph (2)(D), the conditions described in this paragraph, with respect to a
				health care provider that seeks a loan from a Loan Fund established under this
				subsection, are the following:
										(A)The health care
				provider links, to the extent practicable, to a local or regional health
				information network.
										(B)The health care
				provider consults with the Health Information Technology Resource Center
				established under section 3007 to access the knowledge and experience of
				existing initiatives regarding the successful implementation and effective use
				of health information technology.
										(C)The health care provider agrees to notify
				individuals in accordance with section 302 of the PRO(TECH)T Act of 2008 if
				their individually identifiable health information is accessed or acquired as a
				result of a breach.
										(D)The health care provider submits to the
				State or Indian tribe involved a plan on how the health care provider intends
				to maintain and support the qualified health information technology that would
				be purchased with such loan, including the type of resources expected to be
				involved and any such other information as the State or Indian Tribe,
				respectively, may require.
										(6)Use of
				funds
										(A)In general. Amounts deposited in a Loan Fund, including loan
				repayments and interest earned on such amounts, shall be used only for awarding
				loans or loan guarantees, or as a source of reserve and security for leveraged
				loans, the proceeds of which are deposited in the Loan Fund established under
				paragraph (1). Loans under this section may be used by a health care provider
				to purchase qualified health information technology.
										(B)Limitation. Amounts
				received by an eligible entity under this subsection may not be used—
											(i)for the purchase
				or other acquisition of any health information technology system that is not a
				qualified health information technology;
											(ii)to conduct
				activities for which Federal funds are expended under this title; or
											(iii)for any purpose
				other than making loans to health care providers in accordance with this
				section.
											(7)Types of assistance. Except as otherwise limited by applicable State law,
				amounts deposited into a Loan Fund under this subsection may only be used for
				the following:
										(A)To award loans
				that comply with the following:
											(i)The interest rate
				for each loan shall not exceed the market interest rate.
											(ii)The principal and
				interest payments on each loan shall commence not later than 1 year after the
				date the loan was awarded, and each loan shall be fully amortized not later
				than 10 years after the date of the loan.
											(iii)The Loan Fund
				shall be credited with all payments of principal and interest on each loan
				awarded from the Loan Fund.
											(B)To guarantee, or
				purchase insurance for, a local obligation (all of the proceeds of which
				finance a project eligible for assistance under this subsection) if the
				guarantee or purchase would improve credit market access or reduce the interest
				rate applicable to the obligation involved.
										(C)As a source of
				revenue or security for the payment of principal and interest on revenue or
				general obligation bonds issued by the eligible entity if the proceeds of the
				sale of the bonds will be deposited into the Loan Fund.
										(D)To earn interest
				on the amounts deposited into the Loan Fund.
										(8)Administration of
				Loan Funds
										(A)Combined financial administration. An eligible entity may (as a convenience
				and to avoid unnecessary administrative costs) combine, in accordance with
				applicable State law, the financial administration of a Loan Fund established
				under this subsection with the financial administration of any other revolving
				fund established by the entity if otherwise not prohibited by the law under
				which the Loan Fund was established.
										(B)Cost of administering fund. Each eligible entity may annually use not to
				exceed 4 percent of the funds provided to the entity under a grant under this
				subsection to pay the reasonable costs of the administration of the programs
				under this section, including the recovery of reasonable costs expended to
				establish a Loan Fund which are incurred after the date of the enactment of
				this title.
										(C)Guidance and regulations. The National Coordinator shall publish guidance and
				promulgate regulations as may be necessary to carry out the provisions of this
				subsection, including—
											(i)provisions to
				ensure that each eligible entity commits and expends funds allotted to the
				entity under this subsection as efficiently as possible in accordance with this
				title and applicable State laws; and
											(ii)guidance to
				prevent waste, fraud, and abuse.
											(D)Private sector
				contributions
											(i)In general. A Loan Fund established under this subsection may accept
				contributions from private sector entities, except that such entities may not
				specify the recipient or recipients of any loan issued under this subsection.
				An eligible entity may agree to reimburse a private sector entity for any
				contribution made under this subparagraph, except that the amount of such
				reimbursement may not be greater than the principal amount of the contribution
				made.
											(ii)Availability of information. An eligible entity shall make publicly available the
				identity of, and amount contributed by, any private sector entity under clause
				(i) and may issue letters of commendation or make other awards (that have no
				financial value) to any such entity.
											(9)Matching
				requirements
										(A)In general. The National Coordinator may not make a grant under
				paragraph (1) to an eligible entity unless the entity agrees to make available
				(directly or through donations from public or private entities) non-Federal
				contributions in cash to the costs of carrying out the activities for which the
				grant is awarded in an amount equal to not less than $1 for each $1 of Federal
				funds provided under the grant.
										(B)Determination of amount of non-federal contribution. In determining the amount of
				non-Federal contributions that an eligible entity has provided pursuant to
				subparagraph (A), the National Coordinator may not include any amounts provided
				to the entity by the Federal Government.
										(10)Reports. The
				National Coordinator shall annually submit to the Committee on Health,
				Education, Labor, and Pensions and the Committee on Finance of the Senate, and
				the Committee on Energy and Commerce of the House of Representatives, a report
				summarizing the reports received by the National Coordinator from each eligible
				entity that receives a grant under this subsection.
									(c)Competitive
				Grants for the Implementation of Regional or Local Health Information
				Technology Plans
									(1)In general. The National Coordinator may award competitive grants to
				eligible entities to implement regional or local health information plans to
				improve health care quality and efficiency through the electronic exchange and
				use of health information.
									(2)Eligibility. To
				be eligible to receive a grant under paragraph (1) an entity shall—
										(A)facilitate the
				electronic exchange and use of health information within the local or regional
				area and among local and regional areas;
										(B)demonstrate
				financial need to the National Coordinator;
										(C)demonstrate that
				one of its principal missions or purposes is to use information technology to
				improve health care quality and efficiency;
										(D)adopt bylaws,
				memoranda of understanding, or other charter documents that demonstrate that
				the governance structure and decisionmaking processes of such entity allow for
				participation on an ongoing basis by multiple stakeholders within a community,
				including—
											(i)physicians (as
				defined in section 1861(r) of the Social Security
				Act), including physicians that provide services to low income
				populations and populations that are uninsured, underinsured, and medically
				underserved (including such populations in urban and rural areas);
											(ii)hospitals
				(including hospitals that provide services to low income and underserved
				populations);
											(iii)pharmacists and
				pharmacies;
											(iv)health
				plans;
											(v)health centers (as
				defined in section 330(b)) and Federally qualified health centers (as defined
				in section 1861(aa)(4) of the Social Security
				Act);
											(vi)rural health
				clinics (as defined in section 1861(aa) of the Social Security Act);
											(vii)patient or
				consumer organizations that reflect the population to be served;
											(viii)employers;
											(ix)public health
				agencies; and
											(x)such other health
				care providers or other entities, as determined appropriate by the National
				Coordinator;
											(E)demonstrate the
				participation, to the extent practicable, of stakeholders in the electronic
				exchange and use of health information within the local or regional health
				information plan pursuant to subparagraph (D);
										(F)adopt
				nondiscrimination and conflict of interest policies that demonstrate a
				commitment to open, fair, and nondiscriminatory participation in the regional
				or local health information plan by all stakeholders;
										(G)comply with applicable standards and
				implementation specifications adopted under subtitle A of this title;
										(H)prepare and submit
				to the National Coordinator an application in accordance with paragraph (3);
				and
										(I)agree to provide
				matching funds in accordance with paragraph (6).
										(3)Application
										(A)In
				general. To be eligible to receive a grant under paragraph (1), an
				entity shall submit to the National Coordinator an application at such time, in
				such manner, and containing such information (in addition to information
				required under subparagraph (B)), as the National Coordinator may
				require.
										(B)Required
				information. At a minimum, an application submitted under this
				paragraph shall include—
											(i)clearly identified
				short-term and long-term objectives of the regional or local health information
				plan;
											(ii)an estimate of costs of the hardware,
				software, training, and other services necessary to implement the regional or
				local health information plan;
											(iii)a strategy that
				includes initiatives to improve health care quality and efficiency;
											(iv)a
				plan that describes provisions to encourage the electronic exchange and use of
				health information by all physicians, including single physician practices and
				small physician groups, participating in the health information plan;
											(v)a
				plan to ensure the privacy and security of individually identifiable health
				information that is consistent with applicable Federal and State law;
											(vi)a
				governance plan that defines the manner in which the stakeholders shall jointly
				make policy and operational decisions on an ongoing basis;
											(vii)a financial or
				business plan that describes—
												(I)the sustainability
				of the plan;
												(II)the financial
				costs and benefits of the plan; and
												(III)the entities to
				which such costs and benefits will accrue;
												(viii)a plan on how the entity involved intends
				to maintain and support the regional or local health information plan,
				including the type of resources expected to be involved; and
											(ix)in the case of an
				applicant that is unable to demonstrate the participation of all stakeholders
				pursuant to paragraph (2)(D), the justification from the entity for any such
				nonparticipation.
											(4)Use of
				funds. Amounts received under a grant under paragraph (1) shall be
				used to establish and implement a regional or local health information plan in
				accordance with this subsection.
									(5)Preference. In awarding grants under paragraph (1), the
				Secretary shall give preference to eligible entities that intend to use amounts
				received under a grant to establish or implement a regional or local health
				information plan that encompasses communities with health disparities or areas
				that serve uninsured, underinsured, and medically underserved individuals
				(including urban and rural areas).
									(6)Matching
				requirement
										(A)In
				general. The National Coordinator may not make a grant under this
				subsection to an entity unless the entity agrees that, with respect to the
				costs of carrying out the activities for which the grant is awarded, the entity
				will make available (directly or through donations from public or private
				entities) non-Federal contributions toward such costs in an amount equal to not
				less than 50 percent of such costs ($1 for each $2 of Federal funds provided
				under the grant).
										(B)Determination of
				amount contributed. Non-Federal contributions required under
				subparagraph (A) may be in cash or in kind, fairly evaluated, including
				equipment, technology, or services. Amounts provided by the Federal Government,
				or services assisted or subsidized to any significant extent by the Federal
				Government, may not be included in determining the amount of such non-Federal
				contributions.
										(d)Reports. Not
				later than 1 year after the date on which the first grant is awarded under this
				section, and annually thereafter during the grant period, an entity that
				receives a grant under this section shall submit to the National Coordinator a
				report on the activities carried out under the grant involved. Each such report
				shall include—
									(1)a description of
				the financial costs and benefits of the project involved and of the entities to
				which such costs and benefits accrue;
									(2)an analysis of the
				impact of the project on health care quality and safety;
									(3)a description of
				any reduction in duplicative or unnecessary care as a result of the project
				involved;
									(4)a description of
				the efforts of recipients under this section to facilitate secure patient
				access to health information;
									(5)an analysis of the
				effectiveness of the project involved on ensuring the privacy and security of
				individually identifiable health information in accordance with applicable
				Federal and State law; and
									(6)other information
				as required by the National Coordinator.
									(e)Requirement To
				improve quality of care and decrease in costs. The National
				Coordinator shall annually evaluate the activities conducted under this section
				and shall, in awarding grants, implement the lessons learned from such
				evaluation in a manner so that awards made subsequent to each such evaluation
				are made in a manner that, in the determination of the National Coordinator,
				will result in the greatest improvement in quality of care and decrease in
				costs.
								(f)Limitation. An
				eligible entity may only receive one non-renewable grant under subsection (a),
				one non-renewable grant under subsection (b), and one non-renewable grant under
				subsection (c).
								(g)Small health
				care provider. For purposes of this section, the term “small
				health care provider” means a health care provider that has an average of
				10 or fewer full-time equivalent employees during the period involved.
								(h)Authorization of
				Appropriations
									(1)In
				general. For the purpose of carrying out subsections (a) through
				(d), there is authorized to be appropriated $115,000,000 for each of the fiscal
				years 2009 through 2013.
									(2)Availability. Amounts
				appropriated under paragraph (1) shall remain available through fiscal year
				2013.
									Sec. 3012. Demonstration
				program to integrate information technology into clinical education
								(a)In
				General. The Secretary may award grants under this section to
				carry out demonstration projects to develop academic curricula integrating
				qualified health information technology in the clinical education of health
				professionals. Such awards shall be made on a competitive basis and pursuant to
				peer review.
								(b)Eligibility. To
				be eligible to receive a grant under subsection (a), an entity shall—
									(1)submit to the
				Secretary an application at such time, in such manner, and containing such
				information as the Secretary may require;
									(2)submit to the
				Secretary a strategic plan for integrating qualified health information
				technology in the clinical education of health professionals to reduce medical
				errors and enhance health care quality;
									(3)be—
										(A)a school of medicine, osteopathic medicine,
				dentistry, or pharmacy, or a graduate program in behavioral or mental
				health;
										(B)a graduate school
				of nursing or physician assistant studies;
										(C)a consortium of
				two or more schools described in subparagraph (A) or (B); or
										(D)an institution
				with a graduate medical education program in medicine, osteopathic medicine,
				dentistry, pharmacy, nursing, or physician assistance studies.
										(4)provide for the
				collection of data regarding the effectiveness of the demonstration project to
				be funded under the grant in improving the safety of patients, the efficiency
				of health care delivery, and in increasing the likelihood that graduates of the
				grantee will adopt and incorporate qualified health information technology, in
				the delivery of health care services; and
									(5)provide matching
				funds in accordance with subsection (d).
									(c)Use of
				Funds
									(1)In
				general. With respect to a grant under subsection (a), an eligible
				entity shall—
										(A)use grant funds in
				collaboration with 2 or more disciplines; and
										(B)use grant funds to
				integrate qualified health information technology into community-based clinical
				education.
										(2)Limitation. An
				eligible entity shall not use amounts received under a grant under subsection
				(a) to purchase hardware, software, or services.
									(d)Matching
				Funds
									(1)In
				general. The Secretary may award a grant to an entity under this
				section only if the entity agrees to make available non-Federal contributions
				toward the costs of the program to be funded under the grant in an amount that
				is not less than $1 for each $2 of Federal funds provided under the
				grant.
									(2)Determination of
				amount contributed. Non-Federal contributions under paragraph (1)
				may be in cash or in kind, fairly evaluated, including equipment or services.
				Amounts provided by the Federal Government, or services assisted or subsidized
				to any significant extent by the Federal Government, may not be included in
				determining the amount of such contributions.
									(e)Evaluation. The
				Secretary shall take such action as may be necessary to evaluate the projects
				funded under this section and publish, make available, and disseminate the
				results of such evaluations on as wide a basis as is practicable.
								(f)Reports. Not
				later than 1 year after the date of enactment of this title, and annually
				thereafter, the Secretary shall submit to the Committee on Health, Education,
				Labor, and Pensions and the Committee on Finance of the Senate, and the
				Committee on Energy and Commerce of the House of Representatives a report
				that—
									(1)describes the
				specific projects established under this section; and
									(2)contains
				recommendations for Congress based on the evaluation conducted under subsection
				(e).
									(g)Authorization of
				Appropriations. There is authorized to be appropriated to carry
				out this section, $10,000,000 for each of fiscal years 2009 through
				2011.
								(h)Sunset. This
				section shall not apply after September 30,
				2011.
								.
				Title II. Testing of Health
			 Information Technology
			Sec. 201. National
			 Institute for Standards and Technology testing
				(a)Pilot testing of
			 standards and implementation specifications. In coordination with
			 the HIT Standards Committee established under section 3003 of the Public Health
			 Service Act, as added by section 101, with respect to the development of
			 standards and implementation specifications under such section, the Director of
			 the National Institute for Standards and Technology shall test such standards
			 and specifications in order to assure the efficient implementation and use of
			 such standards and specifications.
				(b)Voluntary
			 testing program. In
			 coordination with the HIT Standards Committee established under section 3003 of
			 the Public Health Service Act, as added by section 101, with respect to the
			 development of standards and implementation specifications under such section,
			 the Director of the National Institute of Standards and Technology shall
			 support the establishment of a conformance testing infrastructure, including
			 the development of technical test beds. The development of this conformance
			 testing infrastructure may include a program to accredit independent,
			 non-Federal laboratories to perform testing.
				Sec. 202. Research and
			 development programs
				(a)Health care
			 Information Enterprise Integration Research Centers
					(1)In
			 general. The Director of the National Institute of Standards and
			 Technology, in consultation with the Director of the National Science Foundation and
			 other appropriate Federal agencies, shall establish a program of assistance to
			 institutions of higher education (or consortia thereof which may include
			 nonprofit entities and Federal Government laboratories) to establish
			 multidisciplinary Centers for Health Care Information Enterprise
			 Integration.
					(2)Review;
			 competition. Grants shall be awarded under this subsection on a
			 merit-reviewed, competitive basis.
					(3)Purpose. The
			 purposes of the Centers described in paragraph (1) shall be—
						(A)to generate
			 innovative approaches to health care information enterprise integration by
			 conducting cutting-edge, multidisciplinary research on the systems challenges
			 to health care delivery; and
						(B)the development
			 and use of health information technologies and other complementary
			 fields.
						(4)Research
			 areas. Research areas may include—
						(A)interfaces between
			 human information and communications technology systems;
						(B)voice-recognition
			 systems;
						(C)software that
			 improves interoperability and connectivity among health information
			 systems;
						(D)software
			 dependability in systems critical to health care delivery;
						(E)measurement of the
			 impact of information technologies on the quality and productivity of health
			 care;
						(F)health information
			 enterprise management;
						(G)health information
			 technology security and integrity; and
						(H)relevant health
			 information technology to reduce medical errors.
						(5)Applications. An
			 institution of higher education (or a consortium thereof) seeking funding under
			 this subsection shall submit an application to the Director of the National
			 Institute of Standards and Technology at such time, in such manner, and
			 containing such information as the Director may require. The application shall
			 include, at a minimum, a description of—
						(A)the research
			 projects that will be undertaken by the Center established pursuant to
			 assistance under paragraph (1) and the respective contributions of the
			 participating entities;
						(B)how the Center
			 will promote active collaboration among scientists and engineers from different
			 disciplines, such as information technology, biologic sciences, management,
			 social sciences, and other appropriate disciplines;
						(C)technology
			 transfer activities to demonstrate and diffuse the research results,
			 technologies, and knowledge; and
						(D)how the Center
			 will contribute to the education and training of researchers and other
			 professionals in fields relevant to health information enterprise
			 integration.
						(b)National
			 Information Technology Research and Development Program. The
			 National High-Performance Computing Program established by section 101 of the
			 High-Performance Computing Act of 1991 (15 U.S.C. 5511) shall coordinate
			 Federal research and development programs related to the development and
			 deployment of health information technology, including activities related
			 to—
					(1)computer
			 infrastructure;
					(2)data
			 security;
					(3)development of
			 large-scale, distributed, reliable computing systems;
					(4)wired, wireless,
			 and hybrid high-speed networking;
					(5)development of
			 software and software-intensive systems;
					(6)human-computer
			 interaction and information management technologies; and
					(7)the social and
			 economic implications of information technology.
					Title III. Privacy and
			 security provisions
			Sec. 300. Definitions. In this title, except as specified
			 otherwise:
				(1)Breach. The term “breach” means the
			 unauthorized acquisition or disclosure of protected health information which
			 compromises the security, privacy, or integrity of protected health information
			 maintained by or on behalf of a person. Such term does not include any
			 unintentional acquisition of such information by an employee or agent of the
			 covered entity or business associate involved if such acquisition was made in
			 good faith and within the course and scope of the employment or other
			 contractual relationship of such employee or agent, respectively, with the
			 covered entity or business associate and if such information is not further
			 acquired, used, or disclosed by such employee or agent.
				(2)Business
			 associate. The term
			 “business associate” has the meaning given such term in section
			 160.103 of title 45, Code of Federal Regulations.
				(3)Covered
			 entity. The term “covered
			 entity” has the meaning given such term in section 160.103 of title 45,
			 Code of Federal Regulations.
				(4)Disclose. The
			 terms “disclose” and “disclosure” have the meaning given
			 the term “disclosure” in section 160.103 of title 45, Code of
			 Federal Regulations.
				(5)Encryption. The
			 term “encryption” has the meaning given such term in section 164.304
			 of title 45, Code of Federal Regulations.
				(6)Health care
			 operations. The term
			 “health care operation” has the meaning given such term in section
			 164.501 of title 45, Code of Federal Regulations.
				(7)Health care
			 provider. The term “health care provider” has the
			 meaning given such term in section 160.103 of title 45, Code of Federal
			 Regulations.
				(8)Personal health
			 record. The term
			 “personal health record” means an electronic record of individually
			 identifiable health information on an individual that is drawn from multiple
			 sources and that is managed, shared, and controlled by or for the
			 individual.
				(9)Protected health
			 information. The term
			 “protected health information” has the meaning given such term under
			 section 160.103 of title 45, Code of Federal Regulations.
				(10)Secretary. The
			 term “Secretary” means the Secretary of Health and Human
			 Services.
				(11)Security. The
			 term “security” has the meaning given such term in section 164.304
			 of title 45, Code of Federal Regulations.
				(12)State. The
			 term “State” means each of the several States, the District of
			 Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the
			 Northern Mariana Islands.
				(13)Use. The
			 term “use” has the meaning given such term in section 160.103 of
			 title 45, Code of Federal Regulations.
				(14)Vendor of
			 personal health records. The term “vendor” means an
			 entity that offers or maintains a personal health record and that is not a
			 covered entity.
				Subtitle A. Security
			 provisions
				Sec. 301. Application of
			 security provisions and penalties to business associates of covered entities;
			 annual guidance on security provisions
					(a)Application of
			 security provisions. Sections
			 164.308, 164.310, and 164.312 of title 45, Code of Federal Regulations, shall
			 apply to a business associate of a covered entity in the same manner that such
			 sections apply to the covered entity.
					(b)Application of
			 civil and criminal penalties. Sections 1176 and 1177 of the Social
			 Security Act (42 U.S.C. 1320d–5, 1320d–6) shall apply to a business associate
			 of a covered entity with respect to a section applied under subsection (a) to
			 such business associate in the same manner that such sections apply to a
			 covered entity with respect to such section.
					(c)Annual
			 guidance. For the first year beginning after the date of the
			 enactment of this Act and annually thereafter, the Secretary of Health and
			 Human Services shall, in consultation with industry stakeholders, annually
			 issue guidance on the latest safeguard technologies for use in carrying out the
			 sections described in subsection (a).
					Sec. 302. Notification in
			 the case of breach
					(a)In
			 general. A covered entity that accesses, maintains, retains,
			 modifies, records, stores, destroys, or otherwise holds, uses, or discloses
			 unencrypted protected health information (as defined in subsection (h)) shall,
			 in the case of a breach of such information that is discovered by the covered
			 entity, notify each individual whose unencrypted protected health information
			 has been, or is reasonably believed by the covered entity to have been,
			 accessed or acquired as a result of such breach.
					(b)Notification of
			 covered entity by business associate. A business associate of a
			 covered entity that accesses, maintains, retains, modifies, records, stores,
			 destroys, or otherwise holds, uses, or discloses unencrypted protected health
			 information shall, following the discovery of a breach of such information,
			 notify the covered entity of such breach. Such notice shall include the
			 identification of each individual whose unencrypted protected health
			 information has been, or is reasonably believed to have been, accessed or
			 acquired during such breach.
					(c)Breaches treated
			 as discovered. For purposes of this section, a breach shall be
			 treated as discovered by a covered entity or by a business associate as of the
			 first day on which such breach is known to such entity or associate,
			 respectively, (including any person that is an employee, officer, or other
			 agent of such entity or associate, respectively) or should reasonably have been
			 known to such entity or associate (or person) to have occurred.
					(d)Timeliness of
			 notification
						(1)In
			 general. All notifications required under this section shall be
			 made without unreasonable delay and in no case later than 60 calendar days
			 after the discovery of a breach by the covered entity involved (or business
			 associate involved in the case of a notification required under subsection
			 (b)).
						(2)Burden of
			 proof. The covered entity involved (or business associate involved
			 in the case of a notification required under subsection (b)), shall have the
			 burden of demonstrating that all notifications were made as required under this
			 subtitle, including evidence demonstrating the necessity of any delay.
						(e)Methods of
			 notice
						(1)Individual
			 notice. Notice required under
			 this section to be provided to an individual, with respect to a breach, shall
			 be provided promptly and in the following form:
							(A)Written
			 notification by first-class mail to the individual (or the next of kin of the
			 individual if the individual is deceased) at the last known address of the
			 individual or the next of kin, respectively, or, if specified as a preference
			 by the individual, by electronic mail. The notification may be provided in one
			 or more mailings as information is available.
							(B)In the case where
			 there is insufficient, or out-of-date contact information that precludes direct
			 written (or, if specified by the individual under subparagraph (A), electronic)
			 notification to the individual, a substitute form of notice shall be provided,
			 including a conspicuous posting on the home page of the Web site of the covered
			 entity involved or notice in major print or broadcast media, including major
			 media in geographic areas where the individuals affected by the breach likely
			 reside. Such a notice in media will include a toll-free phone number where an
			 individual can learn whether or not the individual’s unencrypted protected
			 health information is possibly included in the breach.
							(C)In any case deemed
			 by the covered entity involved to require urgency because of possible imminent
			 misuse of unencrypted protected health information, the covered entity, in
			 addition to notice provided under subparagraph (A), may provide information to
			 individuals by telephone or other means, as appropriate.
							(2)Media
			 notice. Notice shall be provided to prominent media outlets
			 serving a State or jurisdiction, following the discovery of a breach described
			 in subsection (a), if the unencrypted protected health information of more than
			 500 residents of such State or jurisdiction is, or is reasonably believed to
			 have been, accessed or acquired during such breach.
						(3)Notice to
			 Secretary. Notice shall be
			 provided to the Secretary by covered entities of unencrypted protected health
			 information that has been acquired or disclosed in a breach.
						(4)Posting on HHS
			 public website. The Secretary
			 shall make available to the public on the Internet website of the Department of
			 Health and Human Services a list that identifies each covered entity involved
			 in a breach described in subsection (a) in which the unencrypted protected
			 health information of more than 1,000 individuals is acquired or
			 disclosed.
						(f)Content of
			 notification. Regardless of the method by which notice is provided
			 to individuals under this section, notice of a breach shall include, to the
			 extent possible, the following:
						(1)A brief description of what happened,
			 including the date of the breach and the date of the discovery of the breach,
			 if known.
						(2)A
			 description of the types of unencrypted protected health information that were
			 involved in the breach (such as full name, Social Security number, date of
			 birth, home address, account number, or disability code).
						(3)The steps
			 individuals should take to protect themselves from potential harm resulting
			 from the breach.
						(4)A
			 brief description of what the covered entity involved is doing to investigate
			 the breach, to mitigate losses, and to protect against any further
			 breaches.
						(5)Contact procedures
			 for individuals to ask questions or learn additional information, which shall
			 include a toll-free telephone number, an e-mail address, Web site, or postal
			 address.
						(g)Delay of
			 notification authorized for law enforcement purposes. If a law enforcement official determines
			 that a notification, notice, or posting required under this section would
			 impede a criminal investigation or cause damage to national security, such
			 notification, notice, or posting shall be delayed in the same manner as
			 provided under section 164.528(a)(2) of title 45, Code of Federal Regulations,
			 in the case of a disclosure covered under such section.
					(h)Unencrypted
			 protected health information defined. For purposes of this
			 section, the term “unencrypted protected health information” means
			 protected health information that is not protected—
						(1)through the use of
			 encryption; or
						(2)through the use of
			 a technology specified by the Secretary as being at least as effective as
			 encryption for purposes of rendering protected health information
			 indecipherable without authorization.
						Sec. 303. Education on Health
			 Information Privacy and report on compliance
					(a)Regional office
			 privacy advisors. Not later
			 than 6 months after the date of the enactment of this Act, the Secretary shall
			 designate an individual in each regional office of the Department of Health and
			 Human Services to offer guidance and education to covered entities, business
			 associates, and individuals on their rights and responsibilities related to
			 Federal privacy requirements for protected health information.
					(b)Report on
			 compliance
						(1)In
			 general. For the first year beginning after the date of the
			 enactment of this Act and annually thereafter, the Secretary shall prepare and
			 submit to Congress a report concerning complaints of alleged violations of the
			 provisions of sections 301 and 302, the provisions of subtitle B, and the
			 provisions of subparts C and E of title 45, Code of Federal Regulations that
			 are received by the Secretary during the year for which the report is being
			 prepared. Each such report shall include, with respect to such complaints
			 received during the year—
							(A)the number of such
			 complaints;
							(B)the resolution or
			 disposition of such complaints;
							(C)the amount of civil
			 money penalties imposed with respect to such complaints, as applicable;
							(D)the number of
			 compliance reviews conducted and the outcome of each such review;
							(E)the number of
			 subpoenas or inquiries issued; and
							(F)the Secretary’s
			 plan for improving compliance with and enforcement of such provisions for the
			 following year.
							(2)Availability to
			 public. Each report under paragraph (1) shall be made available to
			 the public on the Internet website of the Department of Health and Human
			 Services.
						(c)Education
			 initiative on uses of health information
						(1)In
			 general. The Office for Civil
			 Rights within the Department of Health and Human Services shall develop and
			 maintain a multi-faceted national education initiative to enhance public
			 transparency regarding the uses of protected health information, including
			 programs to educate individuals about the potential uses of their health
			 information and effects of such uses. Such programs shall be conducted in a
			 variety of languages and present information in a clear and understandable
			 manner.
						(2)Authorization of
			 appropriations. There is authorized to be appropriated to carry
			 out paragraph (1), $10,000,000 for the period of fiscal years 2009 through
			 2013.
						Subtitle B. Improved privacy
			 provisions and additional security provisions
				Sec. 311. Application of
			 penalties to business associates of covered entities for violations of privacy
			 contract requirements
					(a)Application of
			 contract requirements. In the
			 case of a business associate of a covered entity that obtains or creates
			 protected health information pursuant to a written contract (or other written
			 arrangement) described in section 164.502(e)(2) of title 45, Code of Federal
			 Regulations, with such covered entity, the business associate may use and
			 disclose such protected health information only if such use or disclosure,
			 respectively, is in compliance with each applicable requirement of section
			 164.504(e) of such title.
					(b)Application of
			 knowledge elements associated with contracts. Section 164.504(e)(1)(ii) of title 45, Code
			 of Federal Regulations, shall apply to a business associate described in
			 subsection (a), with respect to compliance with such subsection, in the same
			 manner that such section applies to a covered entity, with respect to
			 compliance with the standards in sections 164.502(e) and 164.504(e) of such
			 title, except that in applying such section 164.504(e)(1)(ii) each reference to
			 the business associate, with respect to a contract, shall be treated as a
			 reference to the covered entity involved in such contract.
					(c) Application of civil and criminal penalties. In the case of a business associate
			 that violates any provision of subsection (a) or (b), the provisions of
			 sections 1176 and 1177 of the Social Security Act shall apply to the business
			 associate with respect to such violation in the same manner as such provisions
			 apply to a person who violates a provision of part C of title XI of such
			 Act.
					312. Restrictions on certain disclosures of health information; accounting of certain protected health information disclosures
					(a) Requested restrictions on certain disclosures of health information. In the case that an individual requests
			 under paragraph (a)(1)(i)(A) of section 164.522 of title 45, Code of Federal
			 Regulations, that a covered entity restrict the disclosure of the protected
			 health information of the individual, notwithstanding paragraph (a)(1)(ii) of
			 such section, the covered entity must comply with the requested restriction
			 if—
						(1) except as
			 otherwise required by law, the disclosure is to a health plan for purposes of
			 carrying out payment or health care operations (and is not for purposes of
			 carrying out treatment); and
						(2) the protected
			 health information pertains solely to a health care item or service for which
			 the health care provider involved has been paid out of pocket in full.
						(b) Disclosures required to be limited to the limited data set or the minimum necessary
						(1) In general. A covered entity shall be treated as being in compliance
			 with section 164.502(b)(1) of title 45, Code of Federal Regulations, with
			 respect to the use, disclosure, or request of protected health information
			 described in such section, only if the covered entity makes reasonable efforts
			 to limit such protected health information to the limited data set (as defined
			 in section 164.514(e)(2) of such title) or, if needed by such entity, to the
			 minimum necessary to accomplish the intended purpose of such use, disclosure,
			 or request, respectively.
						(2) Application of exceptions. The exceptions described in section 164.502(b)(2) of
			 title 45, Code of Federal Regulations, shall apply to the requirement under
			 paragraph (1) as of the effective date described in section 322 in the same
			 manner that such exceptions apply to section 164.502(b)(1) of such title before
			 such date.
						(c) Accounting of certain protected health information disclosures required if covered entity uses electronic medical record
						(1) In general. In the case that a covered entity uses or maintains an
			 electronic medical record with respect to protected health information, the
			 exception under section 164.528(a)(1)(i) of title 45, Code of Federal
			 Regulations, shall not apply to disclosures (other than oral disclosures) made
			 by such entity of such information.
						(2) Electronic medical record defined. For purposes of paragraph (1), the term
			 "electronic medical record" means an electronic record of
			 individually identifiable health information on an individual that is created,
			 gathered, managed, and consulted by authorized clinicians and staff within a
			 single organization.
						(3) Effective date. The provisions of this subsection shall apply to disclosures
			 made by a covered entity on or after the date specified under section
			 322.
						(d) Application of consent requirements for certain uses and disclosures by health care providers with electronic medical records
						(1) In general. In applying section 164.506 of title 45, Code of Federal
			 Regulations, in the case of a covered entity that is a health care provider,
			 with respect to protected health information of an individual that is used or
			 maintained by such entity in an electronic medical record (as defined in
			 subsection (c)(2)), such covered entity may not use or disclose such protected
			 health information for purposes of health care operations unless the covered
			 entity obtains the consent of the individual to disclose such information for
			 such purposes and any such consent shall be revocable by the individual at any
			 time.
						(2) Effective date. The provisions of this subsection shall apply to disclosures
			 made by a covered entity on or after the date specified under section
			 322.
						313. Conditions on certain contacts as part of health care operations
					(a) In general. A communication by a
			 covered entity or business associate that is about a product or service and
			 that encourages recipients of the communication to purchase or use the product
			 or service shall not be considered a health care operation for purposes of
			 subpart E of part 164 of title 45, Code of Federal Regulations, unless the
			 communication is made as described in subparagraph (i), (ii), or (iii) of
			 paragraph (1) of the definition of marketing in section 164.501 of such title.
			 A covered entity or business associate may not receive direct payment for any
			 such communication made as described in such subparagraph (i), (ii), or
			 (iii).
					(b) Effective date. Subsection (a) shall
			 apply to contracting occurring on or after the effective date specified under
			 section 322.
					314. Study on application of privacy and security requirements to vendors of personal health records. Not later than one
			 year after the date of the enactment of this Act, the Secretary, in
			 consultation with the Federal Trade Commission, shall submit to Congress
			 recommendations—
					(1) to identify
			 requirements relating to security, privacy, and notification in the case of a
			 breach of security or privacy (including the applicability of an exemption to
			 notification in the case of protected health information which has been
			 rendered indecipherable through the use of encryption or alternative
			 technologies) that should be applied to vendors of personal health records and
			 to third party service providers that such vendors make available to
			 individuals with personal health records offered or maintained by such vendor,
			 with respect to information in such a record so offered or maintained;
			 and
					(2) to determine which
			 Federal government agency is best equipped to enforce such requirements
			 recommended to be applied to such vendors of personal health records and such
			 third party service providers.
					315. Temporary breach notification requirement for vendors of personal health records
					(a) In general. In accordance with
			 subsection (c), each vendor of personal health records shall, following the
			 discovery of a breach of security of unencrypted individually identifiable
			 health information in such records maintained or offered by such vendor—
						(1) notify each
			 individual who is a citizen or resident of the United States whose unencrypted
			 individually identifiable health information was acquired by an unauthorized
			 person as a result of such a breach of security; and
						(2) notify the Federal
			 Trade Commission.
						(b) Notification of vendors of personal health records by third party service providers. A third party service provider that is made available
			 by a vendor of personal health records to individuals with such records
			 maintained or offered by such vendor and that accesses, maintains, retains,
			 modifies, records, stores, destroys, or otherwise holds, uses, or discloses
			 unencrypted individually identifiable health information in such records shall,
			 following the discovery of a breach of security of such information, notify
			 such vendor of such breach. Such notice shall include the identification of
			 each individual whose unencrypted individually identifiable health information
			 has been, or is reasonably believed to have been, accessed or acquired during
			 such breach.
					(c) Application of requirements for timeliness, method, and content of notifications. Subsections (c), (d), (e), and (f) of section 302
			 shall apply to a notification required under subsection (a) and a vendor of
			 personal health records and a third party service provider described in
			 subsection (b), with respect to a breach of security under subsection (a) of
			 unencrypted individually identifiable health information in such records
			 maintained or offered by such vendor, in the same manner that such subsections
			 apply to a notification required under such section and a covered entity and a
			 business associate of such covered entity, with respect to a breach under such
			 section of unencrypted protected health information held, used, or disclosed by
			 such covered entity.
					(d) Notification of the Secretary. Upon receipt of a notification of a breach of
			 security under subsection (a)(2), the Federal Trade Commission shall notify the
			 Secretary of such breach.
					(e) Enforcement. A
			 violation of subsection (a) or (b) shall be treated as an unfair and deceptive
			 act or practice in violation of a regulation under section 18(a)(1)(B) of the
			 Federal Trade Commission Act (15
			 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or
			 practices.
					(f) Definitions. For purposes of this section:
						(1) Breach of security. The term "breach of security" means, with
			 respect to unencrypted individually identifiable health information of an
			 individual in a personal health record, acquisition of such information without
			 the authorization of the individual.
						(2) Individually identifiable health information. The term "individually
			 identifiable health information" has the meaning given such term in
			 section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)).
						(3) Unencrypted individually identifiable health information. The term
			 "unencrypted individually identifiable health information" means
			 individually identifiable health information that is not protected—
							(A) through the use of
			 encryption; or
							(B) through the use of
			 a technology specified by the Secretary as being at least as effective as
			 encryption for purposes of rendering individually identifiable health
			 information indecipherable without authorization.
							(g) Effective date. The provisions of this section shall apply to breaches of
			 security occurring during the 2-year period beginning on the date of the
			 enactment of this Act.
					316. Business associate contracts required for certain entities. Each organization, with respect to a covered
			 entity, that provides data transmission of protected health information to such
			 entity and that requires access on a routine basis to such protected health
			 information, such as a Health Information Exchange, Regional Health Information
			 Organization, or E-prescribing Gateway, is required to enter into a written
			 contract (or other written arrangement) described in section 164.502(e)(2) of
			 title 45, Code of Federal Regulations, with such entity and shall be treated as
			 a business associate of the covered entity for purposes of section 311.
				317. Guidance on implementation specification to de-identify protected health information. Not later than 12
			 months after the date of the enactment of this Act, the Secretary shall, in
			 consultation with stakeholders, issue guidance on how best to implement the
			 requirements for the de-identification of protected health information under
			 section 164.514(b) of title 45, Code of Federal Regulations.
				318. GAO report on treatment disclosures. Not
			 later than one year after the date of the enactment of this Act, the
			 Comptroller General of the United States shall submit to Congress a report on
			 the best practices related to the disclosure among health care providers of
			 protected health information of an individual for purposes of treatment of such
			 individual. Such report shall include an examination of the best practices
			 implemented by States and by other entities, such as health information
			 exchanges and regional health information organizations, including an
			 examination of the extent to which such best practices are successful with
			 respect to the quality of the resulting health care provided to the individual
			 and with respect to the ability of the health care provider to manage such best
			 practices.
				319. Clarification of application of wrongful disclosures criminal penalties. Section 1177(a) of the Social Security Act
			 (42 U.S.C. 1320d–6(a)) is amended by adding at the end the following new
			 sentence: "For purposes of the previous sentence, a person (including an
			 employee or other individual) shall be considered to have obtained or disclosed
			 individually identifiable health information in violation of this part if the
			 information is maintained by a covered entity (as defined in the HIPAA privacy
			 regulation described in section 1180(b)(3)) and the individual obtained or
			 disclosed such information without authorization.".
				C. Relationship to other laws; clarification; effective date
				321. Relationship to other laws
					(a) Application of HIPAA State preemption. Section 1178 of the Social Security Act
			 (42 U.S.C. 1320d–7) shall apply to a provision or requirement under this title
			 in the same manner that such section applies to a provision or requirement
			 under part C of title XI of such Act or a standard or implementation
			 specification adopted or established under sections 1172 through 1174 of such
			 Act.
					(b) Health Insurance Portability and Accountability Act. The standards governing the
			 privacy and security of individually identifiable health information
			 promulgated by the Secretary under sections 262(a) and 264 of the Health
			 Insurance Portability and Accountability Act of 1996 shall remain in effect to
			 the extent that they are consistent with this title. The Secretary shall by
			 rule amend such Federal regulations as required to make such regulations
			 consistent with this title.
					322. Effective date. The provisions of this
			 title (other than sections 301(c), 303, 314, 315, 317, 318, and 319) shall take
			 effect on the date that is 12 months after the date of the enactment of this
			 Act.
				
