[Congressional Bills 110th Congress]
[From the U.S. Government Publishing Office]
[H.R. 6898 Introduced in House (IH)]

110th CONGRESS
  2d Session
                                H. R. 6898

   To promote the adoption and meaningful use of health information 
                  technology, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           September 15, 2008

 Mr. Stark (for himself, Ms. Schwartz, Mr. McDermott, Mr. McNulty, Mr. 
 Levin, Mr. Emanuel, Mr. Neal of Massachusetts, Mr. Pascrell, and Mr. 
Lewis of Georgia) introduced the following bill; which was referred to 
the Committee on Energy and Commerce, and in addition to the Committees 
   on Ways and Means and Science and Technology, for a period to be 
subsequently determined by the Speaker, in each case for consideration 
  of such provisions as fall within the jurisdiction of the committee 
                               concerned

_______________________________________________________________________

                                 A BILL


 
   To promote the adoption and meaningful use of health information 
                  technology, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Health-e 
Information Technology Act of 2008''.
    (b) Table of Contents.--The table of contents for this Act is as 
follows:

Sec. 1. Short title; table of contents.
          TITLE I--PROMOTION OF HEALTH INFORMATION TECHNOLOGY

   Subtitle A--Improving Health Care Quality, Safety, and Efficiency

Sec. 101. ONCHIT; standards development and adoption; health 
                            information technology resource center.
         ``TITLE XXX--HEALTH INFORMATION TECHNOLOGY AND QUALITY

        ``Sec. 3000. Definitions.
        ``Subtitle A--Promotion of Health Information Technology

        ``Sec. 3001. Office of the National Coordinator for Health 
                            Information Technology.
        ``Sec. 3002. HIT Advisory Committee.
        ``Sec. 3003. Process for adoption of recommended standards and 
                            guidance.
        ``Sec. 3004. Application and use of adopted standards by 
                            Federal agencies.
        ``Sec. 3005. Voluntary application and use of adopted standards 
                            by private entities.
        ``Sec. 3006. Health Information Technology Resource Center.
Sec. 102. Transitions.
     Subtitle B--Application and Use of Adopted Health Information 
                     Technology Standards; Reports

Sec. 111. Coordination of Federal activities with adopted standards.
Sec. 112. Application to private entities.
Sec. 113. Annual reports.
           TITLE II--TESTING OF HEALTH INFORMATION TECHNOLOGY

Sec. 201. National Institute for Standards and Technology testing.
  TITLE III--INCENTIVES FOR ADOPTION OF HEALTH INFORMATION TECHNOLOGY

                      Subtitle A--Medicare Program

Sec. 301. Incentives for eligible professionals.
Sec. 302. Incentives for hospitals.
Sec. 303. Incentives for certain Medicare Advantage plans.
 Subtitle B--Other Incentives for the Implementation and Use of Health 
                         Information Technology

Sec. 311. Grant, loan, and demonstration programs.
 ``Subtitle B--Incentives for the Use of Health Information Technology

        ``Sec. 3011. Grants and loans to facilitate the widespread 
                            adoption of qualified health information 
                            technology.
        ``Sec. 3012. Demonstration program to integrate information 
                            technology into clinical education.
               TITLE IV--PRIVACY AND SECURITY PROVISIONS

Sec. 400. Definitions.
    Subtitle A--Improved Privacy Provisions and Security Provisions

Sec. 401. Application of security provisions and penalties to business 
                            associates of covered entities; annual 
                            guidance on privacy and security 
                            provisions.
Sec. 402. Notification in the case of breach.
Sec. 403. Education on health information privacy and report on 
                            compliance.
Sec. 404. Application of penalties to business associates of covered 
                            entities for violations of privacy contract 
                            requirements.
Sec. 405. Restrictions on certain uses and disclosures and sales of 
                            health information; accounting of certain 
                            protected health information disclosures; 
                            access to certain information in electronic 
                            format.
Sec. 406. Limitations on certain activities as part of health care 
                            operations.
Sec. 407. Study and report on application of privacy and security 
                            requirements to non-HIPAA covered entities.
Sec. 408. Temporary breach notification requirement for vendors of 
                            personal health records and other non-HIPAA 
                            covered entities.
Sec. 409. Business associate contracts required for certain entities; 
                            other provisions related to business 
                            associate contracts.
Sec. 410. Guidance on implementation specification to de-identify 
                            protected health information.
Sec. 411. GAO report on treatment, payment, and health care operations 
                            uses and disclosures.
Sec. 412. Clarification of application of wrongful disclosures criminal 
                            penalties.
Sec. 413. Improved enforcement.
Sec. 414. Audits.
Sec. 415. Technical amendment.
  Subtitle B--Chief Privacy Officer of ONCHIT; Standards and Guidance 
            Recommendations Related to Privacy and Security

Sec. 421. Chief Privacy Officer of the Office of the National 
                            Coordinator.
Sec. 422. Additional standards and guidance recommendations related to 
                            privacy and security.
    Subtitle C--Relationship to Other Laws; Regulatory References; 
                             Effective Date

Sec. 431. Relationship to other laws.
Sec. 432. Regulatory references.
Sec. 433. Effective date.

          TITLE I--PROMOTION OF HEALTH INFORMATION TECHNOLOGY

   Subtitle A--Improving Health Care Quality, Safety, and Efficiency

SEC. 101. ONCHIT; STANDARDS DEVELOPMENT AND ADOPTION; HEALTH 
              INFORMATION TECHNOLOGY RESOURCE CENTER.

    (a) In General.--The Public Health Service Act (42 U.S.C. 201 et 
seq.) is amended by adding at the end the following:

         ``TITLE XXX--HEALTH INFORMATION TECHNOLOGY AND QUALITY

``SEC. 3000. DEFINITIONS.

    ``In this title:
            ``(1) Electronic health record.--The term `electronic 
        health record' means an electronic record of health-related 
        information on an individual that is created, managed, and 
        consulted by authorized health care clinicians and staff of one 
        or more organizations, that conforms to standards adopted under 
        section 3003(a), and is made accessible electronically to other 
        health care organizations and other authorized users.
            ``(2) Health care provider.--The term `health care 
        provider' means a hospital, skilled nursing facility, nursing 
        facility, home health entity, health care clinic, Federally 
        qualified health center, group practice (as defined in section 
        1877(h)(4) of the Social Security Act), a pharmacist, a 
        pharmacy, a laboratory, a physician (as defined in section 
        1861(r) of the Social Security Act), a practitioner (as 
        described in section 1842(b)(18)(C) of the Social Security 
        Act), a provider operated by, or under contract with, the 
        Indian Health Service or by an Indian tribe (as defined in the 
        Indian Self-Determination and Education Assistance Act), tribal 
        organization, or urban Indian organization (as defined in 
        section 4 of the Indian Health Care Improvement Act), a rural 
        health clinic, and any other category of facility or clinician 
        determined appropriate by the Secretary.
            ``(3) Health information.--The term `health information' 
        has the meaning given such term in section 1171(4) of the 
        Social Security Act.
            ``(4) Health information technology.--The term `health 
        information technology' means hardware, software, integrated 
        technologies and related licenses, intellectual property, 
        upgrades, and packaged solutions sold as services that are 
        specifically designed for use by health care entities for the 
        electronic creation, maintenance, or exchange of health 
        information.
            ``(5) Health plan.--The term `health plan' has the meaning 
        given such term in section 1171(5) of the Social Security Act.
            ``(6) HIT advisory committee.--The term `HIT Advisory 
        Committee' means such Committee established under section 
        3002(a).
            ``(7) Individually identifiable health information.--The 
        term `individually identifiable health information' has the 
        meaning given such term in section 1171(6) of the Social 
        Security Act.
            ``(8) Laboratory.--The term `laboratory' has the meaning 
        given such term in section 353(a).
            ``(9) National coordinator.--The term `National 
        Coordinator' means the head of the Office of the National 
        Coordinator for Health Information Technology established under 
        section 3001(a).
            ``(10) Pharmacist.--The term `pharmacist' has the meaning 
        given such term in section 804(2) of the Federal Food, Drug, 
        and Cosmetic Act.
            ``(11) State.--The term `State' means each of the several 
        States, the District of Columbia, Puerto Rico, the Virgin 
        Islands, Guam, American Samoa, and the Northern Mariana 
        Islands.

        ``Subtitle A--Promotion of Health Information Technology

``SEC. 3001. OFFICE OF THE NATIONAL COORDINATOR FOR HEALTH INFORMATION 
              TECHNOLOGY.

    ``(a) Establishment.--There is established within the Department of 
Health and Human Services an Office of the National Coordinator for 
Health Information Technology (referred to in this section as the 
`Office'). The Office shall be headed by a National Coordinator who 
shall be appointed by the Secretary and shall report directly to the 
Secretary.
    ``(b) Purpose.--The National Coordinator shall perform the duties 
under subsection (c) in a manner consistent with the development of a 
nationwide health information technology infrastructure that allows for 
the electronic use and exchange of information and that--
            ``(1) ensures that each patient's health information is 
        secure and protected, in accordance with applicable law;
            ``(2) improves health care quality, reduces medical errors, 
        and advances the delivery of patient-centered medical care;
            ``(3) reduces health care costs resulting from 
        inefficiency, medical errors, inappropriate care, duplicative 
        care, and incomplete information;
            ``(4) ensures that appropriate information to help guide 
        medical decisions is available at the time and place of care;
            ``(5) ensures the inclusion of meaningful public input in 
        such development of such infrastructure;
            ``(6) improves the coordination of care and information 
        among hospitals, laboratories, physician offices, and other 
        entities through an effective infrastructure for the secure and 
        authorized exchange of health care information;
            ``(7) improves public health reporting and facilitates the 
        early identification and rapid response to public health 
        threats and emergencies, including bioterror events and 
        infectious disease outbreaks;
            ``(8) facilitates health and clinical research and health 
        care quality;
            ``(9) promotes prevention of chronic diseases;
            ``(10) promotes a more effective marketplace, greater 
        competition, greater systems analysis, increased consumer 
        choice, and improved outcomes in health care services; and
            ``(11) improves efforts to reduce health disparities.
    ``(c) Duties of the National Coordinator.--
            ``(1) HIT policy coordination.--The National Coordinator 
        shall coordinate health information technology policy and 
        programs within the Department and with those of other relevant 
        executive branch agencies with a goal of avoiding duplication 
        of efforts and of helping to ensure that each agency undertakes 
        health information technology activities primarily within the 
        areas of its greatest expertise and technical capability.
            ``(2) Standards, guidance.--
                    ``(A) Development and recommendations of standards 
                and guidance.--
                            ``(i) In general.--
                                    ``(I) Initial implementation.--The 
                                National Coordinator shall, in 
                                consultation with the HIT Advisory 
                                Committee under section 3002 and 
                                consistent with the implementation of 
                                the strategic plan under paragraph (6), 
                                develop and recommend to the Secretary 
                                standards and guidance (which may 
                                include best practices), as applicable, 
                                for each of the categories described in 
                                clauses (iii), (iv), and (v). In 
                                accordance with the previous sentence, 
                                the National Coordinator shall ensure 
                                that an initial set of appropriate 
                                standards is developed and recommended 
                                to the Secretary under this subclause 
                                by such time as to enable the Secretary 
                                to adopt such an initial set in 
                                accordance with section 3003(b).
                                    ``(II) Biennial updating.--
                                Biennially thereafter the National 
                                Coordinator, in consultation with the 
                                HIT Advisory Committee, shall update 
                                such recommendations and make new 
                                recommendations as appropriate, 
                                including in response to a notification 
                                sent under section 3003(a)(2).
                            ``(ii) Coordination among categories.--The 
                        National Coordinator shall coordinate the 
                        development, recommendations, and updating 
                        among the categories so described to take into 
                        account the interdependence of standards and 
                        guidance among such categories.
                            ``(iii) Technical interoperability 
                        category.--
                                    ``(I) In general.--The category 
                                described in this clause is the 
                                category for technical interoperability 
                                to provide for the electronic exchange 
                                and use of health information.
                                    ``(II) Application to different 
                                levels of interoperability.--In 
                                developing recommendations respecting 
                                the category described in this clause, 
                                the National Coordinator shall 
                                initially use the different levels of 
                                interoperability (as described on pages 
                                6 through 8 of GAO report 08-954 titled 
                                `Electronic Health Records: DOD and VA 
                                Have Increased Sharing of Health 
                                Information, but More Work Remains') and 
                                provide for the development and 
                                recommendations of different standards 
                                and guidance for each of such different 
                                levels.
                            ``(iv) Privacy and security category.--The 
                        category described in this clause is the 
                        category for privacy and security to ensure the 
                        secure exchange of protected health 
                        information, in accordance with title IV of the 
                        Health-e Information Technology Act of 2008 
                        including the amendments made by such title.
                            ``(v) Clinical and quality category.--
                                    ``(I) In general.--The category 
                                described in this clause is the 
                                category for clinical and quality 
                                functionalities of health information 
                                technology and strategies to enhance 
                                the use of such technology including 
                                for the following purposes:
                                            ``(aa) To improve the 
                                        quality of health care, such as 
                                        through the reduction of 
                                        medical errors, using 
                                        electronic provider order entry 
                                        and clinical decision support 
                                        systems.
                                            ``(bb) To facilitate 
                                        patient-centered care, such as 
                                        through improved patient-
                                        provider communication through 
                                        secure electronic messaging, 
                                        and improved patient support.
                                            ``(cc) To reduce health 
                                        disparities.
                                            ``(dd) To improve 
                                        population health, such as 
                                        through the use of registries 
                                        and automated quality reporting 
                                        and performance measures.
                                            ``(ee) To improve the 
                                        continuity of care among health 
                                        care settings.
                                    ``(II) Requirements.--In developing 
                                recommendations respecting the category 
                                described in this clause, the National 
                                Coordinator shall ensure the following:
                                            ``(aa) Information is 
                                        collected and transmitted in a 
                                        manner that is reliable, 
                                        accurate, and unambiguous and 
                                        based on a uniform provider 
                                        data set, including a set of 
                                        comprehensive data elements.
                                            ``(bb) Information is 
                                        communicated in a manner to 
                                        promote coordination of health 
                                        care, applying appropriate data 
                                        filtering for the situation.
                                            ``(cc) Practices optimize 
                                        for continuous improvement, 
                                        advancement of research and 
                                        education, and population 
                                        disease management.
                                            ``(dd) Sensitive protected 
                                        health information may be 
                                        segmented, with the goal of 
                                        minimizing the reluctance of 
                                        patients to seek care (or 
                                        disclose information about a 
                                        condition) because of privacy 
                                        concerns involving sensitive 
                                        protected health information, 
                                        while maximizing patient safety 
                                        and clinical utility of the 
                                        information.
                    ``(B) Incorporation of current CCHIT certification 
                criteria.--In developing and recommending standards and 
                guidance under subparagraph (A), the National 
                Coordinator shall, to the maximum extent appropriate, 
                incorporate the ambulatory and inpatient functionality 
                certification criteria that have been adopted by the 
                Certification Commission for Health Information 
                Technology as of the date of the enactment of this 
                title. Nothing in this paragraph shall be construed as 
                preventing the National Coordinator from incorporating 
                into such recommendations such certification criteria 
                as such Commission is in the process of adopting as of 
                such date.
                    ``(C) Provider and setting specific.--
                Recommendations made under subparagraph (A) may be 
                established in a provider-specific and setting-specific 
                manner and in a manner such that they apply to a broad 
                variety of providers, including physicians, hospitals, 
                and other health care providers and to a broad variety 
                of settings, including for health information 
                technology systems that are hospital-based and for such 
                systems that are office-based.
                    ``(D) Pilot testing of standards and implementation 
                specifications.--In the development of standards under 
                this paragraph, the National Coordinator, as 
                appropriate, shall provide for the testing of such 
                standards in collaboration with the National Institute 
                for Standards and Technology under section 201 of the 
                Health-e Information Technology Act of 2008.
                    ``(E) Consistency with privacy and security 
                requirements.--The standards recommended under this 
                paragraph shall be consistent with applicable privacy 
                and security standards and requirements adopted 
                pursuant to section 1173 of the Social Security Act, to 
                title IV of the Health-e Information Technology Act of 
                2008, or otherwise.
                    ``(F) Public input.--The National Coordinator shall 
                conduct open public meetings and develop a process to 
                allow for public comment on the recommendations made 
                under this paragraph. Under such process comments shall 
                be submitted in a timely manner after the date of 
                publication of a recommendation under this paragraph.
                    ``(G) Publication.--The Secretary shall provide for 
                publication in the Federal Register and the posting on 
                the Internet website of the Office of the National 
                Coordinator for Health Information Technology of all 
                recommendations made by the National Coordinator under 
                this paragraph.
            ``(3) Certification.--The National Coordinator, in 
        consultation with the Director of the National Institute of 
        Standards and Technology and other relevant Federal agencies, 
        shall develop a program (either directly or by contract) for 
        the voluntary certification (and periodic recertification) of 
        health information technology systems (and components of such 
        systems) as being in compliance with all applicable standards 
        (for each category described in paragraph (2)(A)) that are 
        adopted under this subtitle. Such program shall include testing 
        of the technology in accordance with section 201(b) of the 
        Health-e Information Technology Act of 2008.
            ``(4) Federal open source health IT system.--
                    ``(A) In general.--The National Coordinator shall 
                provide for coordinating the development, routine 
                updating, and provision of an open source health 
                information technology system that is either new or 
                based on an open source health information technology 
                system, such as VistA, that is in existence as of the 
                date of the enactment of this title and that is in 
                compliance with all applicable standards (for each 
                category described in paragraph (2)(A)) that are 
                adopted under this subtitle. The National Coordinator 
                shall make such system publicly available for use, 
                after appropriate pilot testing, as soon as practicable 
                but not later than 9 months after the date of the 
                adoption by the Secretary of the initial set of 
                standards and guidance under section 3003(c).
                    ``(B) Consortium.--In order to carry out 
                subparagraph (A), the National Coordinator shall 
                establish, not later than 6 months after the date of 
                the enactment of this section, a consortium comprised 
                of individuals with technical, clinical, and legal 
                expertise in open source health information technology. 
                The Secretary, through agencies within the Department, 
                shall provide assistance to the consortium in 
                conducting its activities under this paragraph.
                    ``(C) Authorization to charge nominal fee.--The 
                National Coordinator may impose a nominal fee for the 
                adoption by a health care provider of the health 
                information technology system developed or approved 
                under subparagraph (A). Such fee shall take into 
                account the circumstances of smaller providers and 
                providers located in rural or other medically 
                underserved areas.
                    ``(D) Open source defined.--In this paragraph, the 
                term `open source' has the meaning given such term by 
                the Open Source Initiative.
            ``(5) Nationwide health information network.--The National 
        Coordinator shall facilitate the development and expansion of 
        sub-national health information organizations and the 
        coordination of such organizations in order to provide for the 
        nationwide electronic exchange of health information among such 
        organizations that ensures that appropriate information is 
        available at the time and place of care and enables the 
        aggregation of health information for research and public 
        health purposes.
            ``(6) Strategic plan.--
                    ``(A) In general.--Not later than 12 months after 
                the date of the enactment of this title, the National 
                Coordinator shall, in consultation with other 
                appropriate Federal agencies (including the National 
                Institute of Standards and Technology), develop and 
                maintain a strategic plan with specific objectives, 
                milestones, and metrics for each strategic plan area 
                described in subparagraph (B). The National Coordinator 
                shall, in consultation with such other appropriate 
                Federal agencies, annually update such strategic plan.
                    ``(B) Strategic plan areas required.--The strategic 
                plan areas include at least the following:
                            ``(i) The establishment of recommendations 
                        for and development of standards and guidance 
                        for each category under paragraph (2)(A), 
                        including recommendations described in section 
                        422 of the Health-e Information Technology Act 
                        of 2008, and the adoption of standards so 
                        recommended, including the process of updating 
                        of such standards and guidance.
                            ``(ii) The development of the certification 
                        program under paragraph (3) and the 
                        establishment and maintenance of a list of 
                        health information technology systems (and 
                        components of such systems) that have been 
                        certified under such program.
                            ``(iii) The development of a Federal open 
                        source health IT system in accordance with 
                        paragraph (4).
                            ``(iv) The widespread utilization of 
                        electronic health records in the United States 
                        and the establishment of a nationwide health 
                        information network described in paragraph (5).
                            ``(v) Specifying a framework for the 
                        coordination and flow of recommendations and 
                        policies under this subtitle among the 
                        Secretary, the National Coordinator, the HIT 
                        Policy Committee, health information exchanges, 
                        and other relevant entities.
                            ``(vi) Methods to foster the public 
                        understanding of health information technology 
                        and related privacy and security laws.
                            ``(vii) The availability of technical 
                        assistance and training for health care 
                        providers in the implementation and utilization 
                        of health information technology systems.
                    ``(C) Collaboration.--The strategic plan shall be 
                developed and updated through collaboration of public 
                and private interests.
                    ``(D) Measurable outcome goals.--The strategic plan 
                shall include measurable outcome goals including 
                timeframes for such goals.
                    ``(E) Publication.--The National Coordinator shall 
                publish the strategic plan, including all updates.
            ``(7) Implementation reports.--Not later than 12 months 
        after the date of publication of the strategic plan under 
        paragraph (6) and annually thereafter, the National Coordinator 
        shall submit to the Secretary a report that identifies the 
        progress achieved with respect to the objectives, milestones, 
        and metrics identified in such strategic plan for each 
        strategic plan area described in paragraph (6)(B).
            ``(8) Assessment of impact of hit on communities with 
        health disparities and uninsured, underinsured, and medically 
        underserved areas.--The National Coordinator shall assess and 
        publish the impact of health information technology in 
        communities with health disparities and in areas that serve 
        uninsured, underinsured, and medically underserved individuals 
        (including urban and rural areas) and identify practices to 
        increase the adoption of such technology by health care 
        providers in such communities.
            ``(9) Website.--The National Coordinator shall maintain and 
        frequently update an Internet website on which there is posted 
        information that includes the following:
                    ``(A) Recommendations made by the National 
                Coordinator under paragraph (2)(A).
                    ``(B) The standards and guidance adopted by the 
                Secretary under section 3003(a).
                    ``(C) Sources of Federal grant funds and technical 
                assistance that are available to facilitate the 
                purchase of, or enhance the utilization of, health 
                information technology systems.
                    ``(D) The reports prepared by the National 
                Coordinator under paragraph (7).
                    ``(E) The assessment by the National Coordinator 
                under paragraph (8).
    ``(d) Staff.--
            ``(1) In general.--The National Coordinator may appoint 
        personnel to the Office as the National Coordinator considers 
        appropriate. Such personnel shall have the requisite skills 
        needed to develop and make recommendations in each of the 
        categories described in clauses (iii), (iv), and (v) of 
        subsection (c)(2)(A).
            ``(2) Detail of federal employees.--
                    ``(A) In general.--Upon the request of the National 
                Coordinator, the head of any Federal agency is 
                authorized to detail, with or without reimbursement 
                from the Office, any of the personnel of such agency to 
                the Office to assist it in carrying out its duties 
                under this section.
                    ``(B) Effect of detail.--Any detail of personnel 
                under subparagraph (A) shall--
                            ``(i) not interrupt or otherwise affect the 
                        civil service status or privileges of the 
                        Federal employee; and
                            ``(ii) be in addition to any other staff of 
                        the Department employed by the National 
                        Coordinator.
                    ``(C) Acceptance of detailees.--Notwithstanding any 
                other provision of law, the Office may accept detailed 
                personnel from other Federal agencies without regard to 
                whether the agency described under subparagraph (A) is 
                reimbursed.
            ``(3) Temporary and intermittent services.--The National 
        Coordinator may procure temporary and intermittent services 
        under section 3109(b) of title 5, United States Code to the 
        extent that such services cannot adequately be provided by any 
        personnel appointed or detailed under paragraph (1) or (2), 
        respectively.
    ``(e) Funding.--
            ``(1) Authorization of appropriations.--There are 
        authorized to be appropriated to carry out this section such 
        sums as may be necessary for each of the fiscal years 2009 
        through 2013.
            ``(2) DHHS agency contributions.--In addition to amounts 
        authorized under paragraph (1), for purposes of carrying out 
        this section, for each of the fiscal years 2009 through 2013 
        there shall be transferred to the National Coordinator from the 
        amount appropriated for the fiscal year to each agency within 
        the Department an amount that is equal to 1 percent of the 
        amount appropriated to the agency for the fiscal year to carry 
        out health information technology activities.
            ``(3) Open source product licensing fee.--In addition to 
        amounts authorized under paragraph (1) and transferred under 
        paragraph (2), any fees collected under subsection (c)(4)(B) 
        shall be available to the National Coordinator for purposes of 
        carrying out this section.

``SEC. 3002. HIT ADVISORY COMMITTEE.

    ``(a) Establishment.--There is established a HIT Advisory Committee 
to make recommendations to and advise the National Coordinator with 
respect to all of the duties of the National Coordinator described in 
section 3001(c).
    ``(b) Additional Duties.--
            ``(1) Forum.--The HIT Advisory Committee shall serve as a 
        forum for broad stakeholder input with specific expertise 
        necessary to advise the National Coordinator for purposes of 
        carrying out the duties of the National Coordinator described 
        in section 3001(c), including expertise related to the 
        categories described in paragraph (2)(A) of such section.
            ``(2) Website.--The HIT Advisory Committee shall develop 
        and maintain an Internet website on which there is posted 
        information that includes the following:
                    ``(A) Established governance rules.
                    ``(B) A business plan.
                    ``(C) Meeting notices at least 14 days prior to 
                each meeting.
                    ``(D) Meeting agendas at least 7 days prior to each 
                meeting.
                    ``(E) Meeting materials at least 3 days prior to 
                each meeting.
    ``(c) Membership.--
            ``(1) Appointments.--The HIT Advisory Committee shall be 
        composed of members to be appointed as follows:
                    ``(A) Such members as shall be appointed by the 
                Secretary, from the Department of Health and Human 
                Services as representatives of agencies within the 
                Department, including from the Agency for Healthcare 
                Research and Quality, the Centers for Disease Control 
                and Prevention, the Centers of Medicare & Medicaid 
                Services, the Health Resources and Services 
                Administration, and the Indian Health Service.
                    ``(B) 1 member shall be appointed by the majority 
                leader of the Senate.
                    ``(C) 1 member shall be appointed by the minority 
                leader of the Senate.
                    ``(D) 1 member shall be appointed by the Speaker of 
                the House of Representatives.
                    ``(E) 1 member shall be appointed by the minority 
                leader of the House of Representatives.
                    ``(F) Such other members as shall be appointed by 
                the President as representatives of other relevant 
                Federal agencies, such as the Department of Veterans 
                Affairs, the National Institute of Standards and 
                Technology, and the Department of Defense.
                    ``(G) 12 members shall be appointed by the 
                Comptroller General of the United States of whom--
                            ``(i) 1 member shall be an advocate for 
                        patients or consumers;
                            ``(ii) 2 members shall represent health 
                        care providers, one of which shall be a 
                        physician;
                            ``(iii) 1 member shall be from a labor 
                        organization representing health care workers;
                            ``(iv) 1 member shall have expertise in 
                        privacy and security;
                            ``(v) 1 member shall have expertise in 
                        improving the health of vulnerable populations;
                            ``(vi) 1 member shall be from the health 
                        research community;
                            ``(vii) 1 member shall represent health 
                        plans or other third-party payers;
                            ``(viii) 1 member shall represent 
                        information technology vendors;
                            ``(ix) 1 member shall represent purchasers 
                        or employers;
                            ``(x) 1 member shall have expertise in 
                        health care quality measurement and reporting; 
                        and
                            ``(xi) 1 member shall have expertise in 
                        open source health information technology 
                        systems.
                In no case may the total number of members appointed 
                under subparagraphs (A) and (F) exceed 10.
            ``(2) National coordinator.--The National Coordinator shall 
        be a member of the HIT Advisory Committee and act as a liaison 
        between the Committee and agencies of the Federal Government.
            ``(3) Chairperson and vice chairperson.--The HIT Advisory 
        Committee shall designate 1 member to serve as the chairperson 
        and 1 member to serve as the vice chairperson of the HIT 
        Advisory Committee, such that one is a representative of the 
        public sector and one is a representative from the private 
        sector.
            ``(4) Participation.--The members of the HIT Advisory 
        Committee appointed under paragraph (1) shall represent a 
        balance among various sectors of the health care system so that 
        no single sector unduly influences the recommendations of such 
        Committee.
            ``(5) Authorized use of task forces and work groups.--The 
        National Coordinator, in consultation with the chairperson and 
        vice chairperson of the HIT Advisory Committee, may convene 
        task forces or working groups as necessary to carry out the 
        duties of the Committee.
            ``(6) Compensation.--Subject to the availability of 
        appropriations, while serving on the business of the HIT 
        Advisory Committee (including traveltime), a member of the 
        Committee who is not a Federal employee shall be entitled to 
        compensation at the per diem equivalent of the rate provided 
        for level IV of the Executive Schedule under section 5315 of 
        title 5, United States Code; and while so serving away from 
        home and the member's regular place of business, a member may 
        be allowed travel expenses, as authorized by the Chairman of 
        the Committee.
            ``(7) Terms.--
                    ``(A) In general.--The terms of members of the HIT 
                Advisory Committee appointed under paragraph (1) shall 
                be 3 years except that the Comptroller General of the 
                United States shall designate staggered terms for the 
                members first appointed under paragraph (1)(G).
                    ``(B) Vacancies.--Any member appointed to fill a 
                vacancy in the membership of the HIT Advisory Committee 
                that occurs prior to the expiration of the term for 
                which the member's predecessor was appointed shall be 
                appointed only for the remainder of that term. A member 
                may serve after the expiration of that member's term 
                until a successor has been appointed. A vacancy in the 
                HIT Advisory Committee shall be filled in the manner in 
                which the original appointment was made.
            ``(8) Outside involvement.--The HIT Advisory Committee 
        shall ensure an adequate opportunity for the participation in 
        activities of the Committee of outside advisors, including 
        individuals with expertise in the development of policies for 
        the electronic exchange and use of health information, 
        including in the areas of health information privacy and 
        security.
            ``(9) Quorum.--Ten members of the HIT Advisory Committee 
        shall constitute a quorum for purposes of voting, but a lesser 
        number of members may meet and hold hearings.
    ``(d) Application of FACA.--The Federal Advisory Committee Act (5 
U.S.C. App.), other than section 14 of such Act, shall apply to the HIT 
Advisory Committee.
    ``(e) Publication.--The Secretary shall provide for publication in 
the Federal Register and the posting on the Internet website of the 
Office of the National Coordinator for Health Information Technology of 
all policy recommendations made by the HIT Advisory Committee under 
this section.

``SEC. 3003. PROCESS FOR ADOPTION OF RECOMMENDED STANDARDS AND 
              GUIDANCE.

    ``(a) In General.--
            ``(1) Standards.--Not later than 9 months after the date of 
        receipt of a recommendation under section 3001(c)(2) from the 
        National Coordinator for any grouping of standards for purposes 
        of certifying health information technology under the 
        certification program under section 3001(c)(3), the Secretary 
        shall, through a rulemaking process and after consideration of 
        public comments, determine whether or not to adopt such 
        grouping of standards.
            ``(2) Guidance.--Not later than 9 months after the date of 
        receipt of a recommendation under section 3001(c)(2) from the 
        National Coordinator for any guidance, the Secretary shall, 
        through the applicable administrative process that includes 
        public notice in the Federal Register and opportunity for 
        public comment, determine whether or not to adopt such 
        guidance.
    ``(b) Initial Standards.--Not later than September 30, 2011, the 
Secretary shall, through a rulemaking process and after consideration 
of public comments, adopt the initial set of standards recommended from 
the National Coordinator pursuant to the second sentence under section 
3001(c)(2). Such initial set of standards shall include, at a minimum, 
technical standards for de-identifying health information and for 
immutable audit trails.
    ``(c) Publication.--Not later than 30 days after the Secretary 
makes a determination under subsection (a), the Secretary shall provide 
for publication in the Federal Register, and on the Internet website 
maintained by the National Coordinator in accordance with section 
3001(c)(9), of such determination.

``SEC. 3004. APPLICATION AND USE OF ADOPTED STANDARDS BY FEDERAL 
              AGENCIES.

    ``For requirements relating to the application and use by Federal 
agencies of the standards adopted under section 3003(a), see section 
111 of the Health-e Information Technology Act of 2008.

``SEC. 3005. VOLUNTARY APPLICATION AND USE OF ADOPTED STANDARDS BY 
              PRIVATE ENTITIES.

    ``(a) In General.--Except as provided under section 112 of the 
Health-e Information Technology Act of 2008, any standard adopted under 
section 3003(a) shall be voluntary with respect to private entities.
    ``(b) Rule of Construction.--Nothing in this subtitle shall be 
construed to require that a private entity that enters into a contract 
with the Federal Government apply or use the standards adopted under 
section 3003(a) with respect to activities not related to the contract. 
The previous sentence shall not affect any other provision of law, such 
as part C of title XI of the Social Security Act, title III of the 
Health-e Information Technology Act of 2008, or regulations promulgated 
to carry out section 264(c) of the Health Insurance Portability and 
Accountability Act of 1996, that requires the application or use of 
such a standard.

``SEC. 3006. HEALTH INFORMATION TECHNOLOGY RESOURCE CENTER.

    ``(a) Development.--
            ``(1) In general.--The National Coordinator shall develop a 
        Health Information Technology Resource Center to provide 
        technical assistance and develop best practices to support and 
        accelerate efforts to adopt, implement, and effectively use 
        health information technology that allows for the electronic 
        exchange and use of information in compliance with standards 
        and any guidance adopted under section 3003(a), including for 
        purposes of each of the categories described in such section 
        3001(c)(2).
            ``(2) Purposes.--The purpose of the Center is to--
                    ``(A) provide a forum for the exchange of knowledge 
                and experience;
                    ``(B) accelerate the transfer of lessons learned 
                from existing public and private sector initiatives, 
                including those currently receiving Federal financial 
                support;
                    ``(C) assemble, analyze, and widely disseminate 
                evidence and experience related to the adoption, 
                implementation, and effective use of health information 
                technology that allows for the electronic exchange and 
                use of information;
                    ``(D) provide technical assistance for the 
                establishment and evaluation of regional and local 
                health information networks to facilitate the 
                electronic exchange of information across health care 
                settings and improve the quality of health care;
                    ``(E) provide technical assistance for the 
                development and dissemination of solutions to barriers 
                to the exchange of electronic health information;
                    ``(F) learn about effective strategies to adopt and 
                utilize health information technology in medically 
                underserved communities;
                    ``(G) conduct other activities identified by the 
                States, local or regional health information networks, 
                or health care stakeholders as a focus for developing 
                and sharing best practices; and
                    ``(H) provide technical assistance to promote 
                adoption and utilization of health information 
                technology by health care providers, including in 
                medically underserved communities.
    ``(b) Technical Assistance Telephone Number or Website.--The 
National Coordinator shall establish a toll-free telephone number or 
Internet website to provide health care providers with a single point 
of contact to--
            ``(1) learn about Federal grants and technical assistance 
        services related to the electronic exchange and use of health 
        information;
            ``(2) learn about standards adopted under section 3003(a);
            ``(3) learn about regional and local health information 
        networks for assistance with health information technology; and
            ``(4) disseminate additional information determined by the 
        National Coordinator.''.

SEC. 102. TRANSITIONS.

    (a) ONCHIT.--To the extent consistent with section 3001 of the 
Public Health Service Act, as added by section 101, all functions, 
personnel, assets, liabilities, and administrative actions applicable 
to the National Coordinator for Health Information Technology appointed 
under Executive Order 13335 or the Office of such National Coordinator 
on the date before the date of the enactment of this Act shall be 
transferred to the National Coordinator appointed under section 3001(a) 
of such Act and the Office of such National Coordinator as of the date 
of the enactment of this Act.
    (b) AHIC.--To the extent consistent with section 3002 of the Public 
Health Service Act, as added by section 101, all functions, personnel, 
assets, and liabilities applicable to the American Health Information 
Community created in response to Executive Order 13335 as of the day 
before the date of the enactment of this Act shall be transferred to 
the HIT Advisory Committee, established under section 3002(a) of such 
Act, as appropriate, as of the date of the enactment of this Act.
    (c) Rules of Construction.--
            (1) ONCHIT.--Nothing in section 3001 of the Public Health 
        Service Act, as added by section 101, or subsection (a) shall 
        be construed as requiring the creation of a new entity to the 
        extent that the Office of the National Coordinator for Health 
        Information Technology established pursuant to Executive Order 
        13335 is consistent with the provisions of such section 3001.
            (2) AHIC.--Nothing in section 3002 of the Public Health 
        Service Act, as added by section 101, or subsection (b) shall 
        be construed as requiring the creation of a new entity to the 
        extent that the American Health Information Community created 
        in response to Executive Order 13335 is consistent with the 
        provisions of such section 3002.

     Subtitle B--Application and Use of Adopted Health Information 
                     Technology Standards; Reports

SEC. 111. COORDINATION OF FEDERAL ACTIVITIES WITH ADOPTED STANDARDS.

    (a) Spending on Health Information Technology Systems.--As each 
agency (as defined in the Executive Order issued on August 22, 2006, 
relating to promoting quality and efficient health care in Federal 
government administered or sponsored health care programs) implements, 
acquires, or upgrades health information technology systems used for 
the direct exchange of individually identifiable health information 
between agencies and with non-Federal entities, it shall utilize, where 
available, health information technology systems and products that meet 
standards adopted under section 3003(a) of the Public Health Service 
Act, as added by section 101.
    (b) Federal Information Collection Activities.--With respect to a 
standard adopted under section 3003(a) of the Public Health Service 
Act, as added by section 101, the President shall take measures to 
ensure that Federal activities involving the broad collection and 
submission of health information are consistent with such standard 
within three years after the date of such adoption.
    (c) Application of Definitions.--The definitions contained in 
section 3000 of the Public Health Service Act, as added by section 101, 
shall apply for purposes of this part.

SEC. 112. APPLICATION TO PRIVATE ENTITIES.

    Each agency (as defined in such Executive Order issued on August 
22, 2006, relating to promoting quality and efficient health care in 
Federal government administered or sponsored health care programs) 
shall require in contracts or agreements with health care providers, 
health plans, or health insurance issuers that as each provider, plan, 
or issuer implements, acquires, or upgrades health information 
technology systems, it shall utilize, where available, health 
information technology systems and products that meet standards adopted 
under section 3003(a) of the Public Health Service Act, as added by 
section 101.

SEC. 113. ANNUAL REPORTS.

    Not later than 2 years after the date of the enactment of this Act 
and annually thereafter, the Secretary of Health and Human Services 
shall submit to the Committee on Finance, the Committee on Health, 
Education, Labor, and Pensions and the Committee on Commerce, Science, 
and Transportation of the Senate and the Committee on Ways and Means, 
the Committee on Energy and Commerce, and the Committee on Science and 
Technology of the House of Representatives a report that--
            (1) describes the specific actions that have been taken by 
        the Federal Government and private entities to facilitate the 
        adoption of a nationwide system for the electronic use and 
        exchange of health information, including information from the 
        implementation reports submitted under section 3001(c)(7) of 
        the Public Health Service Act, as added by section 101;
            (2) describes barriers to the adoption of such a nationwide 
        system; and
            (3) contains recommendations to achieve full implementation 
        of such a nationwide system.

           TITLE II--TESTING OF HEALTH INFORMATION TECHNOLOGY

SEC. 201. NATIONAL INSTITUTE FOR STANDARDS AND TECHNOLOGY TESTING.

    (a) Pilot Testing of Standards and Implementation Specifications.--
In coordination with the Office of the National Coordinator of Health 
Information Technology established under section 3001 of the Public 
Health Service Act, as added by section 101, with respect to the 
development of standards under such section, the Director of the 
National Institute for Standards and Technology shall test such 
standards in order to assure the efficient implementation and use of 
such standards.
    (b) Voluntary Testing Program.--In coordination with the Office of 
the National Coordinator of Health Information Technology established 
under section 3001 of the Public Health Service Act, as added by 
section 101, with respect to the development of standards under such 
section, the Director of the National Institute of Standards and 
Technology shall support the establishment of a conformance testing 
infrastructure, including the development of technical test beds. The 
development of this conformance testing infrastructure may include a 
program to accredit independent, non-Federal laboratories to perform 
testing.

  TITLE III--INCENTIVES FOR ADOPTION OF HEALTH INFORMATION TECHNOLOGY

                      Subtitle A--Medicare Program

SEC. 301. INCENTIVES FOR ELIGIBLE PROFESSIONALS.

    (a) Incentive Payments.--Section 1848 of the Social Security Act 
(42 U.S.C. 1395w-4) is amended by adding at the end the following new 
subsection:
    ``(o) Incentives for Adoption and Meaningful Use of Certified 
Health Information Technology System.--
            ``(1) Incentive payments.--
                    ``(A) In general.--Subject to subparagraphs (B), 
                (C), and (D), with respect to covered professional 
                services furnished by an eligible professional during a 
                reporting period during the first calendar year 
                beginning after the date specified under subparagraph 
                (B)(iv) (or, if sooner, 2013) or any subsequent year 
                (before 2017), if the eligible professional is a 
                meaningful HIT user for the reporting period (as 
                determined under paragraph (2)), in addition to the 
                amount otherwise paid under this part, there also shall 
                be paid to the eligible professional (or to an employer 
                or facility in the cases described in clause (A) of 
                section 1842(b)(6)) or, in the case of a group practice 
                under paragraph (2)(D), to the group practice, from the 
                Federal Supplementary Medical Insurance Trust Fund 
                established under section 1841 an amount equal to 75 
                percent of the Secretary's estimate (based on claims 
                submitted not later than 2 months after the end of the 
                reporting period) of the allowed charges under this 
                part for all such covered professional services 
                furnished by the eligible professional (or, in the case 
                of a group practice under paragraph (2)(D), by the 
                group practice) during the reporting period.
                    ``(B) Limitations on amounts of incentive 
                payments.--
                            ``(i) In general.--In no case shall the 
                        amount of the incentive payment provided under 
                        this paragraph exceed the applicable amount 
                        specified in clause (ii) with respect to any 
                        eligible professional.
                            ``(ii) Amount.--Subject to clauses (iii) 
                        and (iv), the applicable amount specified in 
                        this clause is as follows:
                                    ``(I) For the first calendar year 
                                beginning after the date specified in 
                                clause (iv) or, if sooner, for 2013, 
                                $15,000.
                                    ``(II) For the calendar year 
                                following the year specified in 
                                subclause (I), $12,000.
                                    ``(III) For the calendar year 
                                following the year specified in 
                                subclause (II), $8,000.
                                    ``(IV) For the calendar year 
                                following the year specified in 
                                subclause (III), $4,000.
                                    ``(V) For the calendar year 
                                following the year specified in 
                                subclause (IV), $2,000.
                            ``(iii) Pro-ration for partial year 
                        professionals.--In the case of an eligible 
                        professional who is a meaningful HIT user for 
                        only a portion of a reporting period for 
                        reasons such as the professional did not 
                        provide services for which payment is made 
                        under this part for the entire period or the 
                        professional initiated the use of health 
                        information technology during the period, the 
                        Secretary may pro-rate the applicable amount 
                        specified under clause (ii) to reflect the 
                        portion of the period during which the 
                        professional was a meaningful HIT user.
                            ``(iv) Date specified.--The date specified 
                        in this subclause is the date on which the open 
                        source health information technology system 
                        under section 3001(c)(4) of the Public Health 
                        Service Act is first made publicly available.
                    ``(C) Non-application to hospital-based eligible 
                professionals.--
                            ``(i) In general.--No payment may be made 
                        under subparagraph (A) in the case of hospital-
                        based eligible professionals.
                            ``(ii) Hospital-based eligible 
                        professional.--For purposes of clause (i), the 
                        term `hospital-based eligible professional' 
                        means an eligible professional, such as a 
                        pathologist or anesthesiologist, who furnishes 
                        items and services principally in a hospital 
                        setting and through the use of the facilities 
                        and equipment, including computer equipment, of 
                        the hospital.
                    ``(D) Form of payment.--The payment under this 
                subsection for a reporting period may be in the form of 
                a single consolidated payment or in the form of such 
                periodic installments as the Secretary may specify.
            ``(2) Meaningful HIT user.--
                    ``(A) In general.--For purposes of paragraph (1), 
                an eligible professional shall be treated as a 
                meaningful HIT user for a reporting period for a year 
                if the eligible professional demonstrates to the 
                satisfaction of the Secretary that the professional is 
                meaningfully using a certified health information 
                technology system during the reporting period, as 
                demonstrated in accordance with applicable measures 
                established under subparagraph (B).
                    ``(B) Measures for meaningful use.--The Secretary 
                shall establish measures under which an eligible 
                professional may demonstrate meaningful use of a 
                certified health information technology system for a 
                reporting period. Such measures may include--
                            ``(i) self-certification of operational use 
                        of such a system;
                            ``(ii) the submission (or ability to 
                        submit), in a form and manner specified by the 
                        Secretary, of such information on clinical 
                        measures and data (that does not include 
                        individually identifiable health information) 
                        from such system that indicates a meaningful 
                        utilization of such a system during the period; 
                        and
                            ``(iii) such other means as the Secretary 
                        may specify.
                The Secretary may establish and apply different 
                measures based on the stage of implementation or 
                adoption of the certified health information technology 
                system involved.
                    ``(C) Use of part D data.--Notwithstanding sections 
                1860D-15(d)(2)(B) and 1860D-15(f)(2), the Secretary may 
                use data regarding drug claims submitted for purposes 
                of section 1860D-15 that are necessary for purposes of 
                subparagraph (B)(ii).
                    ``(D) Satisfactory measures for group practices.--
                            ``(i) In general.--Not later than January 
                        1, 2013, the Secretary shall provide for a 
                        method of applying the measures established 
                        under subparagraph (B) or revised under 
                        subparagraph (F) to eligible professionals in a 
                        group practice (as defined by the Secretary).
                            ``(ii) Statistical sampling model.--In the 
                        case that the Secretary provides for a method 
                        under clause (i), the method may provide for 
                        the use of a statistical sampling model to 
                        submit data on measures, such as the model used 
                        under the Physician Group Practice 
                        demonstration project under section 1866A.
                            ``(iii) No double payments.--Payments for a 
                        reporting period to a group practice under this 
                        paragraph by reason of the method under clause 
                        (i) shall be in lieu of the payments that would 
                        otherwise be made under this paragraph to 
                        eligible professionals in the group practice 
                        for being a meaningful HIT user during such 
                        period.
                    ``(E) Authority to revise measures.--The Secretary 
                may periodically revise the measures established under 
                subparagraph (B) with respect to demonstrating 
                meaningful use of a certified health information 
                technology system.
            ``(3) Application.--
                    ``(A) Physician reporting system rules.--Paragraphs 
                (5), (6), and (8) of subsection (k) shall apply for 
                purposes of this subsection in the same manner as they 
                apply for purposes of such subsection.
                    ``(B) Coordination with other bonus payments.--The 
                provisions of this subsection shall not be taken into 
                account in applying subsections (m) and (u) of section 
                1833 and any payment under such subsections shall not 
                be taken into account in computing allowable charges 
                under this subsection.
                    ``(C) Limitations on review.--There shall be no 
                administrative or judicial review under 1869, section 
                1878, or otherwise of--
                            ``(i) the determination of measures 
                        applicable to services furnished by eligible 
                        professionals under this subsection;
                            ``(ii) the determination of a meaningful 
                        HIT user under paragraph (2)(A), a limitation 
                        under paragraph (1)(B), and the exception under 
                        subsection (a)(7)(B); and
                            ``(iii) the determination of any incentive 
                        payment under this subsection and the payment 
                        adjustment under subsection (a)(7)(A).
                    ``(D) Posting on website.--The Secretary shall post 
                on the Internet website of the Centers for Medicare & 
                Medicaid Services, in an easily understandable format, 
                a list of the names, business addresses, and business 
                phone numbers of the eligible professionals (or, in the 
                case of reporting under paragraph (2)(D), the group 
                practices) who are meaningful HIT users.
            ``(4) Definitions.--For purposes of this subsection:
                    ``(A) Certified health information technology 
                system.--The term `certified health information 
                technology system' means, with respect to an eligible 
                professional and a reporting period for a year, a 
                health information technology system (as defined in 
                section 3000 of the Public Health Service Act) that has 
                a current certification under section 3001(c)(3) of 
                such Act as satisfying all interoperability standards, 
                privacy and security standards, and clinical and 
                quality functions adopted under section 3003(a) of such 
                Act that are applicable to the eligible professional.
                    ``(B) Covered professional services.--The term 
                `covered professional services' has the meaning given 
                such term in subsection (k)(3).
                    ``(C) Eligible professional.--The term `eligible 
                professional' means a physician, as defined in section 
                1861(r)(1).
                    ``(D) Reporting period.--The term `reporting 
                period' means any period, with respect to a calendar 
                year, as specified by the Secretary.''.
    (b) Incentive Payment Adjustment.--Section 1848(a) of the Social 
Security Act (42 U.S.C. 1395w-4(a)) is amended by adding at the end the 
following new paragraph:
            ``(7) Incentives for meaningful use of health information 
        technology systems.--
                    ``(A) Adjustment.--
                            ``(i) In general.--Subject to subparagraph 
                        (B), with respect to covered professional 
                        services furnished by an eligible professional 
                        during 2016 or any subsequent year, if the 
                        eligible professional is not a meaningful HIT 
                        user for a reporting period for the year (as 
                        determined under subsection (o)(2)), the fee 
                        schedule amount for such services furnished by 
                        such professional during the year (including 
                        the fee schedule amount for purposes of 
                        determining a payment based on such amount) 
                        shall be equal to the applicable percent of the 
                        fee schedule amount that would otherwise apply 
                        to such services under this subsection 
                        (determined after application of paragraph (3) 
                        but without regard to this paragraph).
                            ``(ii) Applicable percent.--For purposes of 
                        clause (i), the term `applicable percent' 
                        means--
                                    ``(I) for 2016, 99 percent;
                                    ``(II) for 2017, 98.5 percent;
                                    ``(III) for 2018, 98 percent;
                                    ``(IV) for 2019, 97.5 percent; and
                                    ``(V) for 2020 and each subsequent 
                                year, 97 percent.
                    ``(B) Significant hardship exception.--The 
                Secretary may, on a case-by-case basis, exempt an 
                eligible professional from the application of the 
                payment adjustment under subparagraph (A) if the 
                Secretary determines, subject to annual renewal, that 
                compliance with the requirement for being a meaningful 
                HIT user would result in a significant hardship, such 
                as in the case of an eligible professional who 
                practices in a rural area without sufficient Internet 
                access. In no case may an eligible professional be 
                granted an exemption under this subparagraph for more 
                than 5 years.
                    ``(C) Application of physician reporting system 
                rules.--Paragraphs (5), (6), and (8) of subsection (k) 
                shall apply for purposes of this paragraph in the same 
                manner as they apply for purposes of such subsection.
                    ``(D) Non-application to hospital-based eligible 
                professionals.--No payment adjustment may be made under 
                subparagraph (A) in the case of hospital-based eligible 
                professionals (as defined in subsection (o)(1)(C)(ii)).
                    ``(E) Definitions.--For purposes of this paragraph:
                            ``(i) Covered professional services.--The 
                        term `covered professional services' has the 
                        meaning given such term in subsection (k)(3).
                            ``(ii) Eligible professional.--The term 
                        `eligible professional' means a physician, as 
                        defined in section 1861(r)(1).
                            ``(iii) Reporting period.--The term 
                        `reporting period' means, with respect to a 
                        year, a period specified by the Secretary.''.
    (c) Conforming Amendments to e-Prescribing.--
            (1) Section 1848(a)(5)(A)(ii)(III) of the Social Security 
        Act (42 U.S.C. 1395w-4(a)(5)(A)(ii)(III)) is amended by 
        striking ``and each subsequent year'' and inserting ``and 
        2015''.
            (2) Section 1848(m)(2) of the Social Security Act (42 
        U.S.C. 1395w-4(m)(2)) is amended--
                    (A) in subparagraph (A), by striking ``For 2009'' 
                and inserting ``Subject to subparagraph (D), for 
                2009''; and
                    (B) by adding at the end the following new 
                subparagraph:
                    ``(D) Limitation with respect to health information 
                technology incentive payments.--The provisions of this 
                paragraph shall not apply to an eligible professional 
                (or, in the case of a group practice under paragraph 
                (3)(C), to the group practice) if, for the reporting 
                period the eligible professional (or group practice) 
                receives an incentive payment under subsection 
                (o)(1)(A) with respect to a certified health 
                information system (as defined in subsection (o)(4)(A)) 
                that has the capability of electronic prescribing.''.
    (d) GAO Study and Report.--
            (1) Study.--The Comptroller General of the United States 
        shall conduct a study to determine the extent to which and 
        manner in which payment incentives (such as under title XVIII 
        or XIX of the Social Security Act) and other funding for 
        purposes of implementing and using health information 
        technology should be made available to health care providers 
        who are receiving minimal or no payment incentives or other 
        funding under this Act, under title XVIII or XIX of the Social 
        Security Act, or otherwise, for such purposes. Such study shall 
        include an examination of--
                    (A) the adoption rates of certified health 
                information technology systems by such health care 
                providers;
                    (B) the clinical utility of such systems by such 
                health care providers;
                    (C) whether the services furnished by such health 
                care providers are appropriate for or would benefit 
                from the use of such systems;
                    (D) the extent to which such health care providers 
                work in settings that might otherwise receive an 
                incentive payment or other funding under this Act, 
                title XVIII or XIX of the Social Security Act, or 
                otherwise;
                    (E) the potential costs and the potential benefits 
                of making payment incentives and other funding 
                available to such health care providers; and
                    (F) any other issues the Comptroller General deems 
                to be appropriate.
            (2) Report.--Not later than June 30, 2010, the Comptroller 
        General shall submit to Congress a report on the findings and 
        conclusions of the study conducted under paragraph (1).

SEC. 302. INCENTIVES FOR HOSPITALS.

    (a) Incentive Payment.--Section 1886 of the Social Security Act (42 
U.S.C. 1395ww) is amended by adding at the end the following new 
subsection:
    ``(o) Incentives for Adoption and Meaningful Use of Certified 
Health Information Technology Systems.--
            ``(1) In general.--Subject to the succeeding provisions of 
        this subsection, with respect to inpatient hospital services 
        furnished by an eligible hospital during the first fiscal year 
        beginning after the date specified in paragraph (6) (or, if 
        sooner, fiscal year 2013) or any subsequent fiscal year (before 
        fiscal year 2017), if the eligible hospital is a meaningful HIT 
        user for the fiscal year (as determined under paragraph (3)), 
        in addition to the amount otherwise paid under this section, 
        there also shall be paid to the eligible hospital, from the 
        Federal Hospital Insurance Trust Fund established under section 
        1817, an amount equal to the applicable amount specified in 
        paragraph (2)(A) for such fiscal year.
            ``(2) Payment amount.--
                    ``(A) In general.--Subject to subparagraph (F), the 
                applicable amount specified in this subparagraph for an 
                eligible hospital for a fiscal year is equal to the 
                product of the following:
                            ``(i) Initial amount.--The sum of--
                                    ``(I) the base amount specified in 
                                subparagraph (B); plus
                                    ``(II) the discharge related amount 
                                specified in subparagraph (C) for a 
                                period selected by the Secretary with 
                                respect to such fiscal year.
                            ``(ii) Medicare share.--The Medicare share 
                        as specified in subparagraph (D) for the 
                        hospital for a period selected by the Secretary 
                        with respect to such fiscal year.
                            ``(iii) Transition factor.--The transition 
                        factor specified in subparagraph (E) for the 
                        fiscal year.
                    ``(B) Base amount.--The base amount specified in 
                this subparagraph is $1,000,000.
                    ``(C) Discharge related amount.--The discharge 
                related amount specified in this subparagraph for a 
                period shall be determined as the sum of the amount, 
                based upon total discharges (regardless of any source 
                of payment) for the period, for each discharge up to 
                the 13,800th discharge as follows:
                            ``(i) For the 1150th through the 9,200th 
                        discharge, $200.
                            ``(ii) For the 9,201st through the 13,800th 
                        discharge, 50 percent of the amount specified 
                        in clause (i).
                    ``(D) Medicare share.--The Medicare share specified 
                under this subparagraph for a hospital for a period is 
                equal to the fraction--
                            ``(i) the numerator of which is the sum 
                        (for the period and with respect to the 
                        hospital) of--
                                    ``(I) the number of inpatient-bed-
                                days (as established by the Secretary) 
                                which are attributable to individuals 
                                with respect to whom payment may be 
                                made under part A; and
                                    ``(II) the number of inpatient-bed-
                                days (as so established) which are 
                                attributable to individuals who are 
                                enrolled under a risk-sharing contract 
                                with an eligible organization under 
                                section 1876 and who are entitled to 
                                part A or with a Medicare Advantage 
                                organization under part C; and
                            ``(ii) the denominator of which is the 
                        product of--
                                    ``(I) the total number of 
                                inpatient-bed-days with respect to the 
                                hospital during the period; and
                                    ``(II) the total amount of the 
                                hospital's charges during the period, 
                                not including any charges that are 
                                attributable to charity care (as such 
                                term is used for purposes of hospital 
                                cost reporting under this title), 
                                divided by the total amount of the 
                                hospital's charges during the period.
                    ``(E) Transition factor specified.--The transition 
                factor specified in this subparagraph is as follows:
                            ``(i) For the first fiscal year beginning 
                        after the date specified in paragraph (6) (or, 
                        if sooner, fiscal year 2013), 1.
                            ``(ii) For the fiscal year following the 
                        fiscal year specified in clause (i), 3/4.
                            ``(iii) For the fiscal year following the 
                        fiscal year specified in clause (ii), 1/2.
                            ``(iv) For the fiscal year following the 
                        fiscal year specified in clause (iii), 1/4.
                    ``(F) Limitations.--
                            ``(i) Pro-ration for partial year 
                        hospitals.--In the case of an eligible hospital 
                        that is a meaningful HIT user for only a 
                        portion of a fiscal year for reasons such as 
                        the hospital did not provide services for which 
                        payment is made under this section for a 
                        portion of the fiscal year or the hospital 
                        changed the use of health information 
                        technology during the fiscal year, the 
                        Secretary may pro-rate the applicable amount 
                        specified under subparagraph (A) to reflect the 
                        portion of the fiscal year during which the 
                        hospital was a meaningful HIT user.
                            ``(ii) Form of payment.--The payment under 
                        this subsection for a fiscal year may be in the 
                        form of a single consolidated payment or in the 
                        form of such periodic installments as the 
                        Secretary may specify.
                There shall be no incentive payment under this 
                subsection, or payment adjustment under subsection 
                (b)(3)(B)(ix), for a fiscal year in the case of an 
                eligible hospital for which the sum of the inpatient-
                bed days described in subclauses (I) and (II) of 
                subparagraph (D)(i), for a period specified by the 
                Secretary with respect to such fiscal year, is an 
                amount that is less than 1,000.
            ``(3) Meaningful HIT user.--
                    ``(A) In general.--For purposes of paragraph (1), 
                an eligible hospital shall be treated as a meaningful 
                HIT user for a fiscal year if the eligible hospital 
                demonstrates to the satisfaction of the Secretary that 
                the hospital is meaningfully using a certified health 
                information technology system with respect to such 
                fiscal year, as demonstrated in accordance with 
                applicable measures established under subparagraph (B).
                    ``(B) Standards for meaningful use.--The Secretary 
                shall establish measures under which an eligible 
                hospital may demonstrate meaningful use of a certified 
                health information technology system for a fiscal year. 
                Such measures may include--
                            ``(i) self-certification of operational use 
                        of such a system;
                            ``(ii) the submission (or ability to 
                        submit), in a form and manner specified by the 
                        Secretary (which may include the manner used 
                        for purposes of subsection (b)(3)(B)(viii)), of 
                        such information on clinical measures and data 
                        (that does not include individually 
                        identifiable health information) from such 
                        system that indicates a meaningful utilization 
                        of such a system during the year; and
                            ``(iii) such other means as the Secretary 
                        may specify.
                The Secretary may establish and apply different 
                measures based on the stage of implementation or 
                adoption of the certified health information technology 
                system involved or based on the characteristics (such 
                as size) of the hospital.
                    ``(C) Authority to revise measures.--The Secretary 
                may periodically revise the measures established under 
                subparagraph (B) with respect to demonstrating 
                meaningful use of a certified health information 
                technology system.
            ``(4) Application.--
                    ``(A) Limitations on review.--There shall be no 
                administrative or judicial review under 1869, section 
                1878, or otherwise of--
                            ``(i) the determination of measures 
                        applicable to services furnished by eligible 
                        hospitals under this subsection;
                            ``(ii) the determination of a meaningful 
                        HIT user under paragraph (3)(A) and the 
                        exception under subsection (b)(3)(B)(ix)(III); 
                        and
                            ``(iii) the determination of any incentive 
                        payment under this subsection and the payment 
                        adjustment under subsection (b)(3)(B)(ix).
                    ``(B) Posting on website.--The Secretary shall post 
                on the Internet website of the Centers for Medicare & 
                Medicaid Services, in an easily understandable format, 
                a list of the names of the eligible hospitals that are 
                meaningful HIT users and other relevant data as 
                determined appropriate by the Secretary. The Secretary 
                shall ensure that a hospital has the opportunity to 
                review the other relevant data that are to be made 
                public with respect to the hospital prior to such data 
                being made public.
            ``(5) Application to certain MA hospitals.--Notwithstanding 
        section 1851(i)(1), an eligible hospital that is under common 
        corporate governance with a qualifying MA organization (as 
        defined in section 1853(l)(5)) and that serves individuals 
        enrolled under a plan offered by such organization shall be 
        eligible for an incentive payment under this subsection in the 
        same manner as an eligible hospital that is not under such 
        common corporate governance with a qualifying MA organization.
            ``(6) Date specified.--The date specified in this paragraph 
        is the date on which the open source health information 
        technology system under section 3001(c)(4) of the Public Health 
        Service Act is first made publicly available.
            ``(7) Definitions.--For purposes of this subsection and 
        subsection (b)(3)(B)(ix):
                    ``(A) Certified health information technology 
                system.--The term `certified health information 
                technology system' means, with respect to an eligible 
                hospital and a fiscal year, a health information 
                technology system (as defined in section 3000 of the 
                Public Health Service Act) that has a current 
                certification under section 3001(c)(3) of such Act as 
                satisfying all interoperability standards, privacy and 
                security standards, and clinical and quality functions 
                adopted under section 3003(a) of such Act as of a date 
                specified by the Secretary with respect to such fiscal 
                year that are applicable to the eligible hospital.
                    ``(B) Eligible hospital.--The term `eligible 
                hospital' means a subsection (d) hospital.''.
    (b) Incentive Market Basket Adjustment.--Section 1886(b)(3)(B) of 
the Social Security Act (42 U.S.C. 1395ww(b)(3)(B)) is amended--
            (1) in clause (viii)(I), by inserting ``(or, beginning with 
        fiscal year 2016, by one-half)'' after ``2.0 percentage 
        points''; and
            (2) by adding at the end the following new clause:
    ``(ix)(I) Subject to the third sentence of subsection (o)(2)(F), 
for purposes of clause (i) for fiscal year 2016 and each subsequent 
fiscal year, in the case of a subsection (d) hospital that is not a 
meaningful HIT user (as defined in subsection (o)(3)) with respect to 
such fiscal year, one-half of the applicable percentage increase 
otherwise applicable under clause (i) for such fiscal year shall be 
reduced by 25 percent for fiscal year 2016, 50 percent for fiscal year 
2017, 75 percent for fiscal year 2018, and 100 percent for fiscal year 
2019 and each subsequent fiscal year. Such reduction shall apply only 
with respect to the fiscal year involved and the Secretary shall not 
take into account such reduction in computing the applicable percentage 
increase under clause (i) for a subsequent fiscal year.
    ``(II) The Secretary may, on a case-by-case basis, exempt a 
subsection (d) hospital from the application of subclause (I) with 
respect to a fiscal year if the Secretary determines, subject to annual 
renewal, that requiring such hospital to be a meaningful HIT user 
during such fiscal year would result in a significant hardship, such as 
in the case of a hospital in a rural area without sufficient Internet 
access. In no case may a hospital be granted an exemption under this 
subclause for more than 5 years.''.
    (c) Conforming Amendment.--Section 1851(i)(1) of such Act (42 
U.S.C. 1395w-21(i)(1)) is amended by striking ``and 1886(h)(3)(D)'' and 
inserting ``1886(h)(3)(D), and 1886(o)(6)''.
    (d) GAO Study and Report.--
            (1) Study.--The Comptroller General of the United States 
        shall conduct a study to determine the extent to which and 
        manner in which payment incentives (such as under title XVIII 
        or XIX of the Social Security Act) and other funding for 
        purposes of implementing and using health information 
        technology should be made available to health care settings 
        that are receiving minimal or no payments or other funding 
        under this Act, title XVIII or XIX of the Social Security Act, 
        or otherwise, for such purposes. Such health care settings may 
        include skilled nursing facilities, home health agencies, 
        hospice programs, laboratories, federally qualified health 
        centers, and pediatric hospitals. Such study shall include an 
        examination of--
                    (A) the adoption rates of certified health 
                information technology systems at such settings;
                    (B) the clinical utility of such systems at such 
                settings;
                    (C) whether the services furnished at such settings 
                are appropriate for or would benefit from the use of 
                such systems;
                    (D) the potential costs and the potential benefits 
                of providing such settings with incentive payments and 
                other funding for such purposes; and
                    (E) any other issues the Comptroller General deems 
                to be appropriate.
            (2) Report.--Not later than June 30, 2010, the Comptroller 
        General shall submit to Congress a report on the findings and 
        conclusions of the study conducted under paragraph (1).

SEC. 303. INCENTIVES FOR CERTAIN MEDICARE ADVANTAGE PLANS.

    (a) In General.--Section 1853 of the Social Security Act (42 U.S.C. 
1395w-23) is amended--
            (1) in subsection (a)(1)(A), by striking ``and (i)'' and 
        inserting ``(i), and (l)''; and
            (2) by adding at the end the following new subsections:
    ``(l) Application of Eligible Professional Incentives for Certain 
MA Organizations To Implement Certified Health Information Technology 
Systems.--
            ``(1) In general.--Subject to paragraphs (3) and (4), in 
        the case of a qualifying MA organization, the provisions of 
        sections 1848(o) and 1848(a)(7) shall apply with respect to 
        eligible professionals described in paragraph (2) of the 
        organization who the organization attests under section 
        1854(a)(1)(A)(iv) to be meaningful HIT users in a similar 
        manner as they apply to eligible professionals in a group 
        practice under such sections.
            ``(2) Eligible professionals described.--With respect to a 
        qualifying MA organization, eligible professionals described in 
        this paragraph are eligible professionals (as defined for 
        purposes of section 1848(o)) who--
                    ``(A) are employed by the organization or are 
                employed by or partners of an entity that, through 
                contract with the organization, provides its services 
                predominantly or exclusively to enrollees of such 
                organization; and
                    ``(B) furnish, on average, at least 20 hours per 
                week of professional services.
            ``(3) Incentive payments.--In applying section 1848(o) 
        under paragraph (1), instead of the additional payment amount 
        under subparagraph (A) of section 1848(o)(1), there shall be 
        substituted the maximum amount permitted under such section 
        multiplied by the medicare share (as determined by the 
        Secretary). Such medicare share for an organization shall be 
        determined in a manner so as to result in the same aggregate 
        payments to the organization as would be paid under section 
        1848(o) to the eligible professionals described in paragraph 
        (2)(A) for services furnished under part B of this title.
            ``(4) Payment adjustment.--
                    ``(A) In general.--In applying section 1848(a)(7) 
                under paragraph (1), instead of the payment adjustment 
                being an applicable percent of the fee schedule amount 
                for a year under such section, the payment adjustment 
                under paragraph (1) shall be equal to the percent 
                specified in subparagraph (B) for such year of the 
                payment amount otherwise provided under this section 
                for the year.
                    ``(B) Specified percent.--The percent specified 
                under this subparagraph for--
                            ``(i) 2016 is 99.6 percent;
                            ``(ii) 2017 is 99.2 percent;
                            ``(iii) 2018 is 98.8 percent; and
                            ``(iv) 2019 and each subsequent year is 
                        98.4 percent.
            ``(5) Qualifying MA organization defined.--In this 
        subsection and subsection (m), the term `qualifying MA 
        organization' means an organization that is organized as a 
        health maintenance organization (as defined in section 
        2791(b)(3) of the Public Health Service Act) that offers one or 
        more MA plans under which the physicians furnishing physicians' 
        services under such a plan are predominantly either employees 
        of the organization or are employees or partners of an entity 
        that, through contract with the organization, provides its 
        services predominantly or exclusively to enrollees of such 
        organization.
    ``(m) Eligible Hospital Incentives for Certain MA Organizations To 
Implement Certified Health Information Technology Systems.--
            ``(1) In general.--Subject to paragraph (3), in the case of 
        a qualifying MA organization (as defined in section 
        1853(l)(5)), if, according to the attestation of the 
        organization submitted under section 1854(a)(1)(A)(iv) for a 
        year, one or more eligible hospitals (as defined in section 
        1886(o)(7)(B)) that are under common corporate governance with 
        such organization and that serve individuals enrolled under a 
        plan offered by such organization are not meaningful HIT users 
        (as defined in section 1886(o)(3)) with respect to a year, the 
        payment amount payable under this section for such organization 
        for such year shall be--
                    ``(A) reduced by a percent specified by the 
                Secretary for such year; or
                    ``(B) in the case the Secretary is not able to 
                specify reductions under subparagraph (A) because of 
                insufficient encounter data or other appropriate data, 
                the amount that is equal to the percent specified under 
                paragraph (2) of the payment amount otherwise provided 
                under this section to the organization for the year.
        Reductions specified by the Secretary under subparagraph (A) 
        shall be determined in a manner so as to result in the same 
        aggregate reductions to the organization as would be applied 
        under section 1886(b)(3)(B)(ix) to all such eligible hospitals 
        under common corporate governance with such organization if 
        payment for inpatient services furnished by such hospitals was 
        payable under part A instead of this part.
            ``(2) Alternative percent specified.--The percent specified 
        under this paragraph for--
                    ``(A) 2016 is 99.95 percent;
                    ``(B) 2017 is 99.90 percent;
                    ``(C) 2018 is 99.85 percent; and
                    ``(D) 2019 and each subsequent year is 99.80 
                percent.
            ``(3) Limitation.--In no case may the application of 
        subsection (l) and this subsection with respect to a year 
        result in a payment amount payable under this section for a 
        qualifying MA organization for the year that is less than the 
        amount that is equal to the percent specified under paragraph 
        (4) of the payment amount that would otherwise be provided 
        under this section to the organization for the year without 
        regard to subsection (l) and this subsection.
            ``(4) Specified percent.--The percent specified under this 
        paragraph for--
                    ``(A) 2016 is 99 percent;
                    ``(B) 2017 is 98 percent;
                    ``(C) 2018 is 97 percent; and
                    ``(D) 2019 and each subsequent year is 96 
                percent.''.
    (b) Meaningful HIT User Attestation With Bids.--Section 
1854(a)(1)(A) of the Social Security Act (42 U.S.C. 1395w-24(a)(1)(A)) 
is amended by adding at the end the following new clause:
                            ``(iv) An attestation identifying whether 
                        each eligible professional described in section 
                        1853(l)(2) with respect to such organization is 
                        a meaningful HIT user (as defined in section 
                        1848(o)(3)) for the year and whether each 
                        eligible hospital described in section 
                        1853(m)(1), with respect to such organization, 
                        is a meaningful HIT user (as defined in section 
                        1886(o)(3)) for the year.''.
    (c) HIT Incentive Payments Exempt From Benchmark Determinations.--
Section 1853(c) of the Social Security Act (42 U.S.C. 1395w-23(c)) is 
amended--
            (1) in paragraph (1)(D)(i), by striking ``section 1886(h)'' 
        and inserting ``sections 1848(o), 1886(h), and 1886(o)''; and
            (2) in paragraph (6)(A), by inserting after ``under part 
        B,'' the following: ``excluding expenditures attributable to 
        sections 1848(o) and 1886(o)''.
    (d) Conforming Amendment.--Section 1853(f) of such Act (42 U.S.C. 
1395w-23(f)) is amended by inserting ``and for payments under 
subsection (l)'' after ``with the organization''.

 Subtitle B--Other Incentives for the Implementation and Use of Health 
                         Information Technology

SEC. 311. GRANT, LOAN, AND DEMONSTRATION PROGRAMS.

    Title XXX of the Public Health Service Act, as added by section 
101, is amended by adding at the end the following new subtitle:

 ``Subtitle B--Incentives for the Use of Health Information Technology

``SEC. 3011. GRANTS AND LOANS TO FACILITATE THE WIDESPREAD ADOPTION OF 
              QUALIFIED HEALTH INFORMATION TECHNOLOGY.

    ``(a) Competitive Grants To Facilitate the Widespread Adoption of 
Health Information Technology.--
            ``(1) In general.--The National Coordinator may award 
        competitive grants to eligible entities to purchase qualified 
        health information technology.
            ``(2) Qualified health information technology.--For 
        purposes of this section, the term `qualified health 
        information technology' means health information technology 
        that consists of hardware, software, or the provision of 
        support services and that--
                    ``(A) enables the protection of health information, 
                in accordance with applicable law;
                    ``(B) is (or is necessary for the operation of) an 
                electronic health records system, including the 
                provision of decision support and physician order entry 
                for medications;
                    ``(C) has the ability to allow timely and 
                permissible access to patient information and to 
                transmit and exchange health information among 
                providers, patients, or insurers; and
                    ``(D) is certified under the program developed 
                under section 3001(c)(3) to be in compliance with any 
                applicable standards adopted under section 3003(a).
            ``(3) Eligibility.--To be eligible to receive a grant under 
        paragraph (1) an entity shall--
                    ``(A) submit to the National Coordinator an 
                application at such time and in such manner as the 
                National Coordinator may require, and containing--
                            ``(i) a plan on how the entity intends to 
                        maintain and support the qualified health 
                        information technology that would be purchased 
                        with amounts under such grant, including the 
                        type of resources expected to be involved; and
                            ``(ii) such other information as the 
                        National Coordinator may require;
                    ``(B) submit to the National Coordinator a plan for 
                how qualified health information technology purchased 
                by the entity will result in the electronic exchange 
                and use of health information;
                    ``(C) be--
                            ``(i) a not for profit hospital or a 
                        Federally qualified health center (as defined 
                        in section 1861(aa)(4) of the Social Security 
                        Act);
                            ``(ii) an individual or group practice; or
                            ``(iii) another health care provider, such 
                        as a rural health clinic, not described in 
                        clause (i) or (ii);
                    ``(D) demonstrate significant financial need;
                    ``(E) agree to notify individuals in accordance 
                with section 402 of the Health-e Information Technology 
                Act of 2008 (relating to notifications in the case of 
                breaches);
                    ``(F) provide matching funds in accordance with 
                paragraph (5);
                    ``(G) consult with the Health Information 
                Technology Resource Center established under section 
                3006 to access the knowledge and experience of existing 
                initiatives regarding the successful implementation and 
                effective use of health information technology; and
                    ``(H) link, to the extent practicable, to one or 
                more local or regional health information plans.
            ``(4) Use of funds.--Amounts received under a grant under 
        this subsection shall be used to facilitate the purchase of 
        qualified health information technology.
            ``(5) Matching requirement.--To be eligible for a grant 
        under this subsection an entity shall contribute non-Federal 
        contributions to the costs of carrying out the activities for 
        which the grant is awarded in an amount equal to $1 for each $3 
        of Federal funds provided under the grant.
            ``(6) Preference in awarding grants.--
                    ``(A) In general.--In awarding grants under this 
                subsection the National Coordinator shall give 
                preference to the following eligible entities:
                            ``(i) Small health care providers.
                            ``(ii) Entities that are located in rural 
                        and other areas that serve uninsured, 
                        underinsured, and medically underserved 
                        individuals (regardless of whether such area is 
                        urban or rural).
                            ``(iii) Nonprofit health care providers.
                            ``(iv) Health care providers (such as 
                        children's hospitals, pediatricians, 
                        obstetrician-gynecologists, and hospitals that 
                        serve uninsured, underinsured, and medically 
                        underserved individuals and that have limited 
                        Medicare patient loads) that have not received 
                        any funds, or have received a minimal amount of 
                        funds, under sections 1848(o) and 1886(o) of 
                        the Social Security Act.
                    ``(B) Consideration.--In awarding grants to 
                entities under this subsection, the National 
                Coordinator shall take into account the amount of funds 
                provided to such entities under other laws, including 
                under sections 1848(o) and 1886(o) of the Social 
                Security Act.
            ``(7) Additional sources of funding for health information 
        technology.--Funding made available under this subsection is in 
        addition to funding which may be used toward the acquisition 
        and utilization of health information technology under other 
        law, which includes the following:
                    ``(A) Medicaid transformation grants under section 
                1903(z) of the Social Security Act.
                    ``(B) Grants or funding available through the 
                Agency for Healthcare Research and Quality.
                    ``(C) Grants or funding that may be available 
                through the Health Resources and Services 
                Administration for investment in health information 
                technologies or telehealth.
                    ``(D) Grants or funding that may be available 
                through the Department of Agriculture's Rural 
                Development Telecommunications Program for investment 
                in telemedicine.
                    ``(E) Sections 1848(o) and 1886(o) of the Social 
                Security Act.
    ``(b) Competitive Grants to States and Indian Tribes for the 
Development of Loan Programs To Facilitate the Widespread Adoption of 
Qualified Health Information Technology.--
            ``(1) In general.--The National Coordinator may award 
        competitive grants to eligible entities for the establishment 
        of programs for loans to health care providers to purchase 
        qualified health information technology.
            ``(2) Eligible entity defined.--For purposes of this 
        subsection, the term `eligible entity' means a State or Indian 
        tribe (as defined in the Indian Self-Determination and 
        Education Assistance Act) that--
                    ``(A) submits to the National Coordinator an 
                application at such time, in such manner, and 
                containing such information as the National Coordinator 
                may require;
                    ``(B) submits to the National Coordinator a 
                strategic plan in accordance with paragraph (4) and 
                provides to the National Coordinator assurances that 
                the entity will update such plan annually in accordance 
                with such paragraph;
                    ``(C) provides assurances to the National 
                Coordinator that the entity will establish a Loan Fund 
                in accordance with paragraph (3);
                    ``(D) provides assurances to the National 
                Coordinator that the entity will not provide a loan 
                from the Loan Fund to a health care provider unless the 
                provider meets each of the conditions described in 
                paragraph (5); and
                    ``(E) agrees to provide matching funds in 
                accordance with paragraph (9).
            ``(3) Establishment of fund.--For purposes of paragraph 
        (2)(C), an eligible entity shall establish a qualified health 
        information technology loan fund (referred to in this 
        subsection as a `Loan Fund') and comply with the other 
        requirements contained in this section. A grant to an eligible 
        entity under this subsection shall be deposited in the Loan 
        Fund established by the eligible entity. No funds authorized by 
        other provisions of this subtitle to be used for other purposes 
        specified in this subtitle shall be deposited in any Loan Fund.
            ``(4) Strategic plan.--
                    ``(A) In general.--For purposes of paragraph 
                (2)(B), a strategic plan of an eligible entity under 
                this paragraph shall identify the intended uses of 
                amounts available to the Loan Fund of such entity.
                    ``(B) Contents.--A strategic plan under 
                subparagraph (A), with respect to a Loan Fund of an 
                eligible entity, shall include for a year the 
                following:
                            ``(i) A list of the projects to be assisted 
                        through the Loan Fund during such year.
                            ``(ii) A description of the criteria and 
                        methods established for the distribution of 
                        funds from the Loan Fund during the year.
                            ``(iii) A description of the financial 
                        status of the Loan Fund as of the date of 
                        submission of the plan.
                            ``(iv) The short-term and long-term goals 
                        of the Loan Fund.
            ``(5) Health care provider conditions for receipt of 
        loans.--For purposes of paragraph (2)(D), the conditions 
        described in this paragraph, with respect to a health care 
        provider that seeks a loan from a Loan Fund established under 
        this subsection, are the following:
                    ``(A) The health care provider links, to the extent 
                practicable, to one or more local or regional health 
                information networks.
                    ``(B) The health care provider consults with the 
                Health Information Technology Resource Center 
                established under section 3006 to access the knowledge 
                and experience of existing initiatives regarding the 
                successful implementation and effective use of health 
                information technology.
                    ``(C) The health care provider agrees to notify 
                individuals in accordance with section 402 of the 
                Health-e Information Technology Act of 2008 (relating 
                to notifications in the case of breaches).
                    ``(D) The health care provider submits to the State 
                or Indian tribe involved a plan on how the health care 
                provider intends to maintain and support the qualified 
                health information technology that would be purchased 
                with such loan, including the type of resources 
                expected to be involved and any such other information 
                as the State or Indian Tribe, respectively, may 
                require.
            ``(6) Use of funds.--
                    ``(A) In general.--Amounts deposited in a Loan 
                Fund, including loan repayments and interest earned on 
                such amounts, shall be used only for awarding loans or 
                loan guarantees, making reimbursements described in 
                paragraph (8)(D)(I), or as a source of reserve and 
                security for leveraged loans, the proceeds of which are 
                deposited in the Loan Fund established under paragraph 
                (1). Loans under this section may be used by a health 
                care provider to purchase qualified health information 
                technology.
                    ``(B) Limitation.--Amounts received by an eligible 
                entity under this subsection may not be used--
                            ``(i) for the purchase or other acquisition 
                        of any health information technology system 
                        that is not a qualified health information 
                        technology; or
                            ``(ii) to conduct activities for which 
                        Federal funds are expended under this title.
            ``(7) Types of assistance.--Except as otherwise limited by 
        applicable State law, amounts deposited into a Loan Fund under 
        this subsection may only be used for the following:
                    ``(A) To award loans that comply with the 
                following:
                            ``(i) The interest rate for each loan shall 
                        not exceed the market interest rate.
                            ``(ii) The principal and interest payments 
                        on each loan shall commence not later than 1 
                        year after the date the loan was awarded, and 
                        each loan shall be fully amortized not later 
                        than 10 years after the date of the loan.
                            ``(iii) The Loan Fund shall be credited 
                        with all payments of principal and interest on 
                        each loan awarded from the Loan Fund.
                    ``(B) To guarantee, or purchase insurance for, a 
                local obligation (all of the proceeds of which finance 
                a project eligible for assistance under this 
                subsection) if the guarantee or purchase would improve 
                credit market access or reduce the interest rate 
                applicable to the obligation involved.
                    ``(C) As a source of revenue or security for the 
                payment of principal and interest on revenue or general 
                obligation bonds issued by the eligible entity if the 
                proceeds of the sale of the bonds will be deposited 
                into the Loan Fund.
                    ``(D) To earn interest on the amounts deposited 
                into the Loan Fund.
                    ``(E) To make reimbursements described in paragraph 
                (8)(D)(I).
            ``(8) Administration of loan funds.--
                    ``(A) Combined financial administration.--An 
                eligible entity may (as a convenience and to avoid 
                unnecessary administrative costs) combine, in 
                accordance with applicable State law, the financial 
                administration of a Loan Fund established under this 
                subsection with the financial administration of any 
                other revolving fund established by the entity if 
                otherwise not prohibited by the law under which the 
                Loan Fund was established.
                    ``(B) Cost of administering fund.--Each eligible 
                entity may annually use not to exceed 4 percent of the 
                funds provided to the entity under a grant under this 
                subsection to pay the reasonable costs of the 
                administration of the programs under this section, 
                including the recovery of reasonable costs expended to 
                establish a Loan Fund which are incurred after the date 
                of the enactment of this title.
                    ``(C) Guidance and regulations.--The National 
                Coordinator shall publish guidance and promulgate 
                regulations as may be necessary to carry out the 
                provisions of this subsection, including--
                            ``(i) provisions to ensure that each 
                        eligible entity commits and expends funds 
                        allotted to the entity under this subsection as 
                        efficiently as possible in accordance with this 
                        title and applicable State laws; and
                            ``(ii) guidance to prevent waste, fraud, 
                        and abuse.
                    ``(D) Private sector contributions.--
                            ``(i) In general.--A Loan Fund established 
                        under this subsection may accept contributions 
                        from private sector entities, except that such 
                        entities may not specify the recipient or 
                        recipients of any loan issued under this 
                        subsection. An eligible entity may agree to 
                        reimburse a private sector entity for any 
                        contribution made under this subparagraph, 
                        except that the amount of such reimbursement 
                        may not be greater than the principal amount of 
                        the contribution made.
                            ``(ii) Availability of information.--An 
                        eligible entity shall make publicly available 
                        the identity of, and amount contributed by, any 
                        private sector entity under clause (i) and may 
                        issue letters of commendation or make other 
                        awards (that have no financial value) to any 
                        such entity.
            ``(9) Matching requirements.--
                    ``(A) In general.--The National Coordinator may not 
                make a grant under paragraph (1) to an eligible entity 
                unless the entity agrees to make available (directly or 
                through donations from public or private entities) non-
                Federal contributions in cash to the costs of carrying 
                out the activities for which the grant is awarded in an 
                amount equal to not less than $1 for each $1 of Federal 
                funds provided under the grant.
                    ``(B) Determination of amount of non-federal 
                contribution.--In determining the amount of non-Federal 
                contributions that an eligible entity has provided 
                pursuant to subparagraph (A), the National Coordinator 
                may not include any amounts provided to the entity by 
                the Federal Government.
            ``(10) Reports.--The National Coordinator shall annually 
        submit to the Committee on Health, Education, Labor, and 
        Pensions and the Committee on Finance of the Senate, and the 
        Committees on Energy and Commerce and Ways and Means of the 
        House of Representatives, a report summarizing the reports 
        received by the National Coordinator from each eligible entity 
        that receives a grant under this subsection.
    ``(c) Competitive Grants for the Implementation of Regional or 
Local Health Information Technology Plans.--
            ``(1) In general.--The National Coordinator may award 
        competitive grants to eligible entities to implement regional 
        or local health information plans to improve health care 
        quality and efficiency through the electronic exchange and use 
        of health information.
            ``(2) Eligibility.--To be eligible to receive a grant under 
        paragraph (1) an entity shall--
                    ``(A) facilitate the electronic exchange and use of 
                health information within the local or regional area 
                and among local and regional areas;
                    ``(B) demonstrate financial need to the National 
                Coordinator;
                    ``(C) demonstrate that one of its principal 
                missions or purposes is to use information technology 
                to improve health care quality and efficiency;
                    ``(D) adopt bylaws, memoranda of understanding, or 
                other charter documents that demonstrate that the 
                governance structure and decisionmaking processes of 
                such entity allow for participation on an ongoing basis 
                by multiple stakeholders within a community, 
                including--
                            ``(i) physicians (as defined in section 
                        1861(r) of the Social Security Act), including 
                        physicians that provide services to low income 
                        populations and populations that are uninsured, 
                        underinsured, and medically underserved 
                        (including such populations in urban and rural 
                        areas);
                            ``(ii) other health care providers, such as 
                        hospitals that serve uninsured, underinsured, 
                        and medically underserved individuals;
                            ``(iii) patient or consumer organizations 
                        that reflect the population to be served;
                            ``(iv) employers;
                            ``(v) public health agencies; and
                            ``(vi) such other entities, as determined 
                        appropriate by the National Coordinator;
                    ``(E) demonstrate the participation, to the extent 
                practicable, of stakeholders in the electronic exchange 
                and use of health information within the local or 
                regional health information plan pursuant to 
                subparagraph (D);
                    ``(F) adopt nondiscrimination and conflict of 
                interest policies that demonstrate a commitment to 
                open, fair, and nondiscriminatory participation in the 
                regional or local health information plan by all 
                stakeholders;
                    ``(G) comply with applicable standards adopted 
                under section 3003(a);
                    ``(H) prepare and submit to the National 
                Coordinator an application in accordance with paragraph 
                (3); and
                    ``(I) agree to provide matching funds in accordance 
                with paragraph (6).
            ``(3) Application.--
                    ``(A) In general.--To be eligible to receive a 
                grant under paragraph (1), an entity shall submit to 
                the National Coordinator an application at such time, 
                in such manner, and containing such information (in 
                addition to information required under subparagraph 
                (B)), as the National Coordinator may require.
                    ``(B) Required information.--At a minimum, an 
                application submitted under this paragraph shall 
                include--
                            ``(i) clearly identified short-term and 
                        long-term objectives of the regional or local 
                        health information plan;
                            ``(ii) an estimate of costs of the 
                        hardware, software, training, and other 
                        services necessary to implement the regional or 
                        local health information plan;
                            ``(iii) a strategy that includes 
                        initiatives to improve health care quality and 
                        efficiency;
                            ``(iv) a plan that describes provisions to 
                        encourage the electronic exchange and use of 
                        health information by all physicians, including 
                        single physician practices and small physician 
                        groups, participating in the health information 
                        plan;
                            ``(v) a plan to ensure the privacy and 
                        security of individually identifiable health 
                        information that is consistent with applicable 
                        Federal and State law;
                            ``(vi) a governance plan that defines the 
                        manner in which the stakeholders shall jointly 
                        make policy and operational decisions on an 
                        ongoing basis;
                            ``(vii) a financial or business plan that 
                        describes--
                                    ``(I) the sustainability of the 
                                plan;
                                    ``(II) the financial costs and 
                                benefits of the plan; and
                                    ``(III) the entities to which such 
                                costs and benefits will accrue;
                            ``(viii) a plan on how the entity involved 
                        intends to maintain and support the regional or 
                        local health information plan, including the 
                        type of resources expected to be involved; and
                            ``(ix) in the case of an applicant that is 
                        unable to demonstrate the participation of all 
                        stakeholders pursuant to paragraph (2)(D), the 
                        justification from the entity for any such 
                        nonparticipation.
            ``(4) Use of funds.--Amounts received under a grant under 
        paragraph (1) shall be used to establish and implement a 
        regional or local health information plan in accordance with 
        this subsection.
            ``(5) Preference.--In awarding grants under paragraph (1), 
        the Secretary shall give preference to eligible entities that 
        intend to use amounts received under a grant to establish or 
        implement a regional or local health information plan that 
        encompasses communities with health disparities or areas that 
        serve uninsured, underinsured, and medically underserved 
        individuals (including urban and rural areas).
            ``(6) Matching requirement.--
                    ``(A) In general.--The National Coordinator may not 
                make a grant under this subsection to an entity unless 
                the entity agrees that, with respect to the costs of 
                carrying out the activities for which the grant is 
                awarded, the entity will make available (directly or 
                through donations from public or private entities) non-
                Federal contributions toward such costs in an amount 
                equal to not less than 50 percent of such costs ($1 for 
                each $2 of Federal funds provided under the grant).
                    ``(B) Determination of amount contributed.--Non-
                Federal contributions required under subparagraph (A) 
                may be in cash or in kind, fairly evaluated, including 
                equipment, technology, or services. Amounts provided by 
                the Federal Government, or services assisted or 
                subsidized to any significant extent by the Federal 
                Government, may not be included in determining the 
                amount of such non-Federal contributions.
    ``(d) Reports.--Not later than 1 year after the date on which the 
first grant is awarded under this section, and annually thereafter 
during the grant period, an entity that receives a grant under this 
section shall submit to the National Coordinator a report on the 
activities carried out under the grant involved. Each such report shall 
include--
            ``(1) a description of the financial costs and benefits of 
        the project involved and of the entities to which such costs 
        and benefits accrue;
            ``(2) an analysis of the impact of the project on health 
        care quality and safety;
            ``(3) a description of any reduction in duplicative or 
        unnecessary care as a result of the project involved;
            ``(4) a description of the efforts of recipients under this 
        section to facilitate secure patient access to health 
        information;
            ``(5) an analysis of the effectiveness of the project 
        involved on ensuring the privacy and security of individually 
        identifiable health information in accordance with applicable 
        Federal and State law; and
            ``(6) other information as required by the National 
        Coordinator.
    ``(e) Requirement To Improve Quality of Care and Decrease in 
Costs.--The National Coordinator shall annually evaluate the activities 
conducted under this section and shall, in awarding grants, implement 
the lessons learned from such evaluation in a manner so that awards 
made subsequent to each such evaluation are made in a manner that, in 
the determination of the National Coordinator, will result in the 
greatest improvement in quality of care and decrease in costs.
    ``(f) Limitation.--An eligible entity may only receive one non-
renewable grant under subsection (a), one non-renewable grant under 
subsection (b), and one non-renewable grant under subsection (c).
    ``(g) Small Health Care Provider.--For purposes of this section, 
the term `small health care provider' means a health care provider that 
has an average of 10 or fewer full-time equivalent employees during the 
period involved.
    ``(h) Authorization of Appropriations.--
            ``(1) In general.--For the purpose of carrying out 
        subsections (a) through (d), there is authorized to be 
        appropriated $115,000,000 for each of the fiscal years 2009 
        through 2013.
            ``(2) Availability.--Amounts appropriated under paragraph 
        (1) shall remain available through fiscal year 2013.

``SEC. 3012. DEMONSTRATION PROGRAM TO INTEGRATE INFORMATION TECHNOLOGY 
              INTO CLINICAL EDUCATION.

    ``(a) In General.--The Secretary may award grants under this 
section to carry out demonstration projects to develop academic 
curricula integrating qualified health information technology in the 
clinical education of health professionals. Such awards shall be made 
on a competitive basis and pursuant to peer review.
    ``(b) Eligibility.--To be eligible to receive a grant under 
subsection (a), an entity shall--
            ``(1) submit to the Secretary an application at such time, 
        in such manner, and containing such information as the 
        Secretary may require;
            ``(2) submit to the Secretary a strategic plan for 
        integrating qualified health information technology in the 
        clinical education of health professionals to reduce medical 
        errors and enhance health care quality;
            ``(3) be--
                    ``(A) a school of medicine, osteopathic medicine, 
                dentistry, or pharmacy, a graduate program in 
                behavioral or mental health, or any other graduate 
                health professions school;
                    ``(B) a graduate school of nursing or physician 
                assistant studies;
                    ``(C) a consortium of two or more schools described 
                in subparagraph (A) or (B); or
                    ``(D) an institution with a graduate medical 
                education program in medicine, osteopathic medicine, 
                dentistry, pharmacy, nursing, or physician assistance 
                studies;
            ``(4) provide for the collection of data regarding the 
        effectiveness of the demonstration project to be funded under 
        the grant in improving the safety of patients, the efficiency 
        of health care delivery, and in increasing the likelihood that 
        graduates of the grantee will adopt and incorporate qualified 
        health information technology, in the delivery of health care 
        services; and
            ``(5) provide matching funds in accordance with subsection 
        (d).
    ``(c) Use of Funds.--
            ``(1) In general.--With respect to a grant under subsection 
        (a), an eligible entity shall--
                    ``(A) use grant funds in collaboration with 2 or 
                more disciplines; and
                    ``(B) use grant funds to integrate qualified health 
                information technology into community-based clinical 
                education.
            ``(2) Limitation.--An eligible entity shall not use amounts 
        received under a grant under subsection (a) to purchase 
        hardware, software, or services.
    ``(d) Matching Funds.--
            ``(1) In general.--The Secretary may award a grant to an 
        entity under this section only if the entity agrees to make 
        available non-Federal contributions toward the costs of the 
        program to be funded under the grant in an amount that is not 
        less than $1 for each $2 of Federal funds provided under the 
        grant.
            ``(2) Determination of amount contributed.--Non-Federal 
        contributions under paragraph (1) may be in cash or in kind, 
        fairly evaluated, including equipment or services. Amounts 
        provided by the Federal Government, or services assisted or 
        subsidized to any significant extent by the Federal Government, 
        may not be included in determining the amount of such 
        contributions.
    ``(e) Evaluation.--The Secretary shall take such action as may be 
necessary to evaluate the projects funded under this section and 
publish, make available, and disseminate the results of such 
evaluations on as wide a basis as is practicable.
    ``(f) Reports.--Not later than 1 year after the date of enactment 
of this title, and annually thereafter, the Secretary shall submit to 
the Committee on Health, Education, Labor, and Pensions and the 
Committee on Finance of the Senate, and the Committees on Energy and 
Commerce and Ways and Means of the House of Representatives a report 
that--
            ``(1) describes the specific projects established under 
        this section; and
            ``(2) contains recommendations for Congress based on the 
        evaluation conducted under subsection (e).
    ``(g) Authorization of Appropriations.--There is authorized to be 
appropriated to carry out this section, $10,000,000 for each of fiscal 
years 2009 through 2011.
    ``(h) Sunset.--This section shall not apply after September 30, 
2011.''.

               TITLE IV--PRIVACY AND SECURITY PROVISIONS

SEC. 400. DEFINITIONS.

    In this title, except as specified otherwise:
            (1) Breach.--The term ``breach'' means the unauthorized 
        acquisition, access, or disclosure of protected health 
        information which compromises the security, privacy, or 
        integrity of protected health information maintained by or on 
        behalf of a person. Such term does not include any 
        unintentional acquisition or access of such information by an 
        employee or agent of the covered entity or business associate 
        involved if such acquisition or access, respectively, was made 
        in good faith and within the course and scope of the employment 
        or other contractual relationship of such employee or agent, 
        respectively, with the covered entity or business associate and 
        if such information is not further acquired, accessed, or 
        disclosed by such employee or agent.
            (2) Business associate.--The term ``business associate'' 
        has the meaning given such term in section 160.103 of title 45, 
        Code of Federal Regulations.
            (3) Covered entity.--The term ``covered entity'' has the 
        meaning given such term in section 160.103 of title 45, Code of 
        Federal Regulations.
            (4) Disclose.--The terms ``disclose'' and ``disclosure'' 
        have the meaning given the term ``disclosure'' in section 
        160.103 of title 45, Code of Federal Regulations.
            (5) Electronic health record.--The term ``electronic health 
        record'' means an electronic record of health-related 
        information on an individual that is created, gathered, 
        managed, and consulted by authorized health care clinicians and 
        staff of one or more organizations, that conforms to standards 
        adopted under section 3003(a) of the Public Health Service Act, 
        as added by section 101, and is made accessible electronically 
        to other health care organizations and other authorized users.
            (6) Electronic medical record.--The term ``electronic 
        medical record'' means an electronic record of individually 
        identifiable health information on an individual that is 
        created, gathered, managed, and consulted by authorized health 
        care clinicians and staff within a single organization.
            (7) Health care operations.--The term ``health care 
        operation'' has the meaning given such term in section 164.501 
        of title 45, Code of Federal Regulations.
            (8) Health care provider.--The term ``health care 
        provider'' has the meaning given such term in section 160.103 
        of title 45, Code of Federal Regulations.
            (9) Health plan.--The term ``health plan'' has the meaning 
        given such term in section 1171(5) of the Social Security Act, 
        as amended by section 415.
            (10) National coordinator.--The term ``National 
        Coordinator'' means the head of the Office of the National 
        Coordinator for Health Information Technology established under 
        section 3001(a) of the Public Health Service Act, as added by 
        section 101.
            (11) Payment.--The term ``payment'' has the meaning given 
        such term in section 164.501 of title 45, Code of Federal 
        Regulations.
            (12) Personal health record.--The term ``personal health 
        record'' means an electronic record of individually 
        identifiable health information on an individual that can be 
        drawn from multiple sources and that is managed, shared, and 
        controlled by or for the individual.
            (13) Protected health information.--The term ``protected 
        health information'' has the meaning given such term in section 
        160.103 of title 45, Code of Federal Regulations.
            (14) Secretary.--The term ``Secretary'' means the Secretary 
        of Health and Human Services.
            (15) Security.--The term ``security'' has the meaning given 
        such term in section 164.304 of title 45, Code of Federal 
        Regulations.
            (16) State.--The term ``State'' means each of the several 
        States, the District of Columbia, Puerto Rico, the Virgin 
        Islands, Guam, American Samoa, and the Northern Mariana 
        Islands.
            (17) Treatment.--The term ``treatment'' has the meaning 
        given such term in section 164.501 of title 45, Code of Federal 
        Regulations.
            (18) Use.--The term ``use'' has the meaning given such term 
        in section 160.103 of title 45, Code of Federal Regulations.
            (19) Vendor of personal health records.--The term ``vendor 
        of personal health records'' means an entity that offers or 
        maintains a personal health record. Such term does not include 
        an entity that is a covered entity for purposes of offering or 
        maintaining such personal health record.

    Subtitle A--Improved Privacy Provisions and Security Provisions

SEC. 401. APPLICATION OF SECURITY PROVISIONS AND PENALTIES TO BUSINESS 
              ASSOCIATES OF COVERED ENTITIES; ANNUAL GUIDANCE ON 
              PRIVACY AND SECURITY PROVISIONS.

    (a) Application of Security Provisions.--Sections 164.308, 164.310, 
164.312, and 164.316 of title 45, Code of Federal Regulations, and any 
applicable security standards adopted by the Secretary under section 
3003(a) of the Public Health Service Act, as added by section 101, 
shall apply to a business associate of a covered entity in the same 
manner that such sections and standards, respectively, apply to the 
covered entity.
    (b) Application of Civil and Criminal Penalties.--Sections 1176 and 
1177 of the Social Security Act (42 U.S.C. 1320d-5, 1320d-6) shall 
apply to a business associate of a covered entity with respect to a 
section applied under subsection (a) to such business associate in the 
same manner that such sections apply to a covered entity with respect 
to such section.
    (c) Annual Guidance.--Not later than 12 months after the date of 
the enactment of this Act and annually thereafter, the Secretary of 
Health and Human Services shall, in consultation with industry 
stakeholders, annually issue guidance on the latest privacy and 
security safeguard technologies for use in carrying out the sections 
described in subsection (a).

SEC. 402. NOTIFICATION IN THE CASE OF BREACH.

    (a) In General.--A covered entity that accesses, maintains, 
retains, modifies, records, stores, destroys, or otherwise holds, uses, 
or discloses unsecured protected health information (as defined in 
subsection (h)(1)) shall, in the case of a breach of such information 
that is discovered by the covered entity, notify each individual whose 
unsecured protected health information has been, or is reasonably 
believed by the covered entity to have been, accessed, acquired, or 
disclosed as a result of such breach.
    (b) Notification of Covered Entity by Business Associate.--A 
business associate of a covered entity that accesses, maintains, 
retains, modifies, records, stores, destroys, or otherwise holds, uses, 
or discloses unsecured protected health information shall, following 
the discovery of a breach of such information, notify the covered 
entity of such breach. Such notice shall include the identification of 
each individual whose unsecured protected health information has been, 
or is reasonably believed by the business associate to have been, 
accessed, acquired, or disclosed during such breach.
    (c) Breaches Treated as Discovered.--For purposes of this section, 
a breach shall be treated as discovered by a covered entity or by a 
business associate as of the first day on which such breach is known to 
such entity or associate, respectively, (including any person that is 
an employee, officer, or other agent of such entity or associate, 
respectively) or should reasonably have been known to such entity or 
associate (or person) to have occurred.
    (d) Timeliness of Notification.--
            (1) In general.--Subject to subsection (g), all 
        notifications required under this section shall be made without 
        unreasonable delay and in no case later than 60 calendar days 
        after the discovery of a breach by the covered entity involved 
        (or business associate involved in the case of a notification 
        required under subsection (b)).
            (2) Burden of proof.--The covered entity involved (or 
        business associate involved in the case of a notification 
        required under subsection (b)), shall have the burden of 
        demonstrating that all notifications were made as required 
        under this subtitle, including evidence demonstrating the 
        necessity of any delay.
    (e) Methods of Notice.--
            (1) Individual notice.--Notice required under this section 
        to be provided to an individual, with respect to a breach, 
        shall be provided promptly and in the following form:
                    (A) Written notification by first-class mail to the 
                individual (or the next of kin of the individual if the 
                individual is deceased) at the last known address of 
                the individual or the next of kin, respectively, or, if 
                specified as a preference by the individual, by 
                electronic mail. The notification may be provided in 
                one or more mailings as information is available.
                    (B) In the case in which there is insufficient, or 
                out-of-date contact information that precludes direct 
                written (or, if specified by the individual under 
                subparagraph (A), electronic) notification to the 
                individual, a substitute form of notice shall be 
                provided, including a conspicuous posting on the home 
                page of the Web site of the covered entity involved or 
                notice in major print or broadcast media, including 
                major media in geographic areas where the individuals 
                affected by the breach likely reside. Such a notice in 
                media will include a toll-free phone number where an 
                individual can learn whether or not the individual's 
                unsecured protected health information is possibly 
                included in the breach.
                    (C) In any case deemed by the covered entity 
                involved to require urgency because of possible 
                imminent misuse of unsecured protected health 
                information, the covered entity, in addition to notice 
                provided under subparagraph (A), may provide 
                information to individuals by telephone or other means, 
                as appropriate.
            (2) Media notice.--Notice shall be provided to prominent 
        media outlets serving a State or jurisdiction, following the 
        discovery of a breach described in subsection (a), if the 
        unsecured protected health information of more than 500 
        residents of such State or jurisdiction is, or is reasonably 
        believed to have been, accessed, acquired, or disclosed during 
        such breach.
            (3) Notice to secretary.--Notice shall be provided to the 
        Secretary by covered entities of unsecured protected health 
        information that has been acquired or disclosed in a breach.
            (4) Posting on hhs public website.--The Secretary shall 
        make available to the public on the Internet website of the 
        Department of Health and Human Services a list that identifies 
        each covered entity involved in a breach described in 
        subsection (a) in which the unsecured protected health 
        information of more than 1,000 individuals is acquired or 
        disclosed.
    (f) Content of Notification.--Regardless of the method by which 
notice is provided to individuals under this section, notice of a 
breach shall include, to the extent possible, the following:
            (1) A brief description of what happened, including the 
        date of the breach and the date of the discovery of the breach, 
        if known.
            (2) A description of the types of unsecured protected 
        health information that were involved in the breach (such as 
        full name, Social Security number, date of birth, home address, 
        account number, or disability code).
            (3) The steps individuals should take to protect themselves 
        from potential harm resulting from the breach.
            (4) A brief description of what the covered entity involved 
        is doing to investigate the breach, to mitigate losses, and to 
        protect against any further breaches.
            (5) Contact procedures for individuals to ask questions or 
        learn additional information, which shall include a toll-free 
        telephone number, an e-mail address, Web site, or postal 
        address.
    (g) Delay of Notification Authorized for Law Enforcement 
Purposes.--If a law enforcement official determines that a 
notification, notice, or posting required under this section would 
impede a criminal investigation or cause damage to national security, 
such notification, notice, or posting shall be delayed in the same 
manner as provided under section 164.528(a)(2) of title 45, Code of 
Federal Regulations, in the case of a disclosure covered under such 
section.
    (h) Unsecured Protected Health Information.--
            (1) Definition.--
                    (A) In general.--Subject to subparagraph (B), for 
                purposes of this section, the term ``unsecured 
                protected health information'' means protected health 
                information that is not protected through the use of a 
                technology or methodology specified by the Secretary in 
                the guidance issued under paragraph (2).
                    (B) Exception in case timely guidance not issued.--
                In the case that the Secretary does not issue guidance 
                under paragraph (2) by the date specified in such 
                paragraph, for purposes of this section, the term 
                ``unsecured protected health information'' shall mean 
                information that is not protected by technology 
                standards developed or endorsed by a standards 
                developing organization that is accredited by the 
                American National Standards Institute.
            (2) Guidance.--For purposes of paragraph (1) and section 
        415(f), not later than the date that is 60 days after the date 
        of the enactment of this Act, the Secretary shall, after 
        consultation with stakeholders, issue (and annually update) 
        guidance specifying the technologies and methodologies that 
        render protected health information unusable, unreadable, or 
        indecipherable to unauthorized individuals.
    (i) Report to Congress on Breaches.--
            (1) In general.--Not later than 12 months after the date of 
        the enactment of this Act and annually thereafter, the 
        Secretary shall prepare and submit to the Committee on Finance 
        and the Committee on Health, Education, Labor, and Pensions of 
        the Senate and the Committee on Ways and Means and the 
        Committee on Energy and Commerce of the House of 
        Representatives a report containing the information described 
        in paragraph (2) regarding breaches for which notice was 
        provided to the Secretary under subsection (e)(3).
            (2) Information.--The information described in this 
        paragraph regarding breaches specified in paragraph (1) shall 
        include--
                    (A) the number and nature of such breaches;
                    (B) actions taken in response to such breaches; and
                    (C) any recommendations described in section 
                422(b)(9) made by the National Coordinator for the year 
                involved.
    (j) Effective Date.--The provisions of this section shall apply to 
breaches that are discovered on or after the date that is 90 days after 
the date of the enactment of this Act.

SEC. 403. EDUCATION ON HEALTH INFORMATION PRIVACY AND REPORT ON 
              COMPLIANCE.

    (a) Regional Office Privacy Advisors.--Not later than 6 months 
after the date of the enactment of this Act, the Secretary shall 
designate an individual in each regional office of the Department of 
Health and Human Services to offer guidance and education to covered 
entities, business associates, and individuals on their rights and 
responsibilities related to Federal privacy and security requirements 
for protected health information.
    (b) Report on Compliance.--
            (1) In general.--Not later than 24 months after the date of 
        the enactment of this Act and annually thereafter, the 
        Secretary shall prepare and submit to the Committee on Finance 
        and the Committee on Health, Education, Labor, and Pensions of 
        the Senate and the Committee on Ways and Means and the 
        Committee on Energy and Commerce of the House of 
        Representatives a report concerning the number of audits 
        performed and a summary of audit findings pursuant to section 
        414 and complaints of alleged violations of the provisions of 
        sections 401 and 402, the provisions of subtitle B, and the 
        provisions of subparts C and E of title 45, Code of Federal 
        Regulations that are received by the Secretary during the year 
        for which the report is being prepared. Each such report shall 
        include, with respect to such complaints received during the 
        year--
                    (A) the number of such complaints;
                    (B) the number of such complaints resolved 
                informally, a summary of the types of such complaints 
                so resolved, and the number of covered entities that 
                received technical assistance from the Secretary during 
                such year in order to achieve compliance with such 
                provisions and the types of such technical assistance 
                provided;
                    (C) the number of such complaints that resulted in 
                the imposition of civil money penalties, the amount of 
                the civil money penalty imposed in each such case, and 
                a summary of the basis for each such civil money 
                penalty;
                    (D) the number of compliance reviews conducted and 
                the outcome of each such review;
                    (E) the number of subpoenas or inquiries issued; 
                and
                    (F) the Secretary's plan for improving compliance 
                with and enforcement of such provisions for the 
                following year.
            (2) Availability to public.--Each report under paragraph 
        (1) shall be made available to the public on the Internet 
        website of the Department of Health and Human Services.
    (c) Education Initiative on Uses of Health Information.--
            (1) In general.--Not later than 12 months after the date of 
        the enactment of this Act, the Office for Civil Rights within 
        the Department of Health and Human Services shall develop and 
        maintain a multi-faceted national education initiative to 
        enhance public transparency regarding the uses of protected 
        health information, including programs to educate individuals 
        about the potential uses of their protected health information, 
        the effects of such uses, and the rights of individuals with 
        respect to such uses. Such programs shall be conducted in a 
        variety of languages and present information in a clear and 
        understandable manner.
            (2) Authorization of appropriations.--There is authorized 
        to be appropriated to carry out paragraph (1), $10,000,000 for 
        the period of fiscal years 2009 through 2013.

SEC. 404. APPLICATION OF PENALTIES TO BUSINESS ASSOCIATES OF COVERED 
              ENTITIES FOR VIOLATIONS OF PRIVACY CONTRACT REQUIREMENTS.

    (a) Application of Contract Requirements.--In the case of a 
business associate of a covered entity that obtains or creates 
protected health information pursuant to a written contract (or other 
written arrangement) described in section 164.502(e)(2) of title 45, 
Code of Federal Regulations, with such covered entity, the business 
associate may use and disclose such protected health information only 
if such use or disclosure, respectively, is in compliance with each 
applicable requirement of section 164.504(e) of such title and section 
405(b).
    (b) Application of Knowledge Elements Associated With Contracts.--
Section 164.504(e)(1)(ii) of title 45, Code of Federal Regulations, 
shall apply to a business associate described in subsection (a), with 
respect to compliance with such subsection, in the same manner that 
such section applies to a covered entity, with respect to compliance 
with the standards in sections 164.502(e) and 164.504(e) of such title, 
except that in applying such section 164.504(e)(1)(ii) each reference 
to the business associate, with respect to a contract, shall be treated 
as a reference to the covered entity involved in such contract.
    (c) Application of Civil and Criminal Penalties.--In the case of a 
business associate that violates any provision of subsection (a) or 
(b), the provisions of sections 1176 and 1177 of the Social Security 
Act (42 U.S.C. 1320d-5, 1320d-6) shall apply to the business associate 
with respect to such violation in the same manner as such provisions 
apply to a person who violates a provision of part C of title XI of 
such Act.

SEC. 405. RESTRICTIONS ON CERTAIN USES AND DISCLOSURES AND SALES OF 
              HEALTH INFORMATION; ACCOUNTING OF CERTAIN PROTECTED 
              HEALTH INFORMATION DISCLOSURES; ACCESS TO CERTAIN 
              INFORMATION IN ELECTRONIC FORMAT.

    (a) Requested Restrictions on Certain Disclosures of Health 
Information.--In the case that an individual requests under paragraph 
(a)(1)(i)(A) of section 164.522 of title 45, Code of Federal 
Regulations, that a covered entity restrict the disclosure of the 
protected health information of the individual, notwithstanding 
paragraph (a)(1)(ii) of such section, the covered entity must comply 
with the requested restriction if--
            (1) except as otherwise required by law, the disclosure is 
        to a health plan for purposes of carrying out payment or health 
        care operations (and is not for purposes of carrying out 
        treatment); and
            (2) the protected health information pertains solely to a 
        health care item or service for which the health care provider 
        involved has been paid out of pocket in full.
    (b) Disclosures Required To Be Limited to the Limited Data Set or 
the Minimum Necessary.--
            (1) Transitional rule.--
                    (A) In general.--Subject to subparagraph (B), a 
                covered entity shall be treated as being in compliance 
                with section 164.502(b)(1) of title 45, Code of Federal 
                Regulations, and for purposes of section 404(a) a 
                business associate shall be treated as being in 
                compliance with this subsection, with respect to the 
                use, disclosure, or request of protected health 
                information described in such section, only if the 
                covered entity or business associate, respectively, 
                limits such protected health information, to the extent 
                practicable, to either the limited data set (as defined 
                in section 164.514(e)(2) of such title) or to the 
                minimum necessary to accomplish the intended purpose of 
                such use, disclosure, or request, respectively.
                    (B) Sunset.--Subparagraph (A) shall not apply on 
                and after the earlier of--
                            (i) the effective date on which the 
                        Secretary adopts, taking into consideration the 
                        regulations promulgated under section 406(d), 
                        the study under section 410, and the report 
                        under section 411, a standard under section 
                        3003(a) of the Public Health Service Act, as 
                        added by section 101, which defines the term 
                        ``minimum necessary'' for purposes of subpart E 
                        of part 164 of title 45, Code of Federal 
                        Regulations; or
                            (ii) the National Coordinator recommends 
                        guidance under section 3001(c)(2) of such Act 
                        which defines such term for such purposes.
            (2) Determination of minimum necessary.--For purposes of 
        paragraph (1), in the case of the disclosure of protected 
        health information, the covered entity or business associate 
        disclosing such information shall determine what constitutes the 
        minimum necessary to accomplish the intended purpose of such 
        disclosure.
            (3) Application of exceptions.--The exceptions described in 
        section 164.502(b)(2) of title 45, Code of Federal Regulations, 
        shall apply to the requirement under paragraph (1) as of the 
        effective date described in section 433 in the same manner that 
        such exceptions apply to section 164.502(b)(1) of such title 
        before such date.
            (4) Rule of construction.--Nothing in this subsection shall 
        be construed as affecting the use, disclosure, or request of 
        protected health information that has been de-identified to the 
        greatest extent practicable rather than the use of protected 
        health information that has been limited to the limited data 
        set.
    (c) Accounting of Certain Protected Health Information Disclosures 
Required if Covered Entity Uses Electronic Medical Record or Electronic 
Health Record.--
            (1) In general.--In applying section 164.528 of title 45, 
        Code of Federal Regulations, in the case of protected health 
        information used or maintained by a covered entity in an 
        electronic medical record or an electronic health record--
                    (A) the exception under paragraph (a)(1)(i) 
                of such section shall not apply to disclosures (other 
                than oral disclosures) made by such entity of such 
                information; and
                    (B) an individual shall have a right to receive an 
                accounting of disclosures described in such paragraph 
                of such information made by such covered entity during 
                only the three years prior to the date on which the 
                accounting is requested.
            (2) Effective date.--The provisions of this subsection 
        shall apply to disclosures, with respect to protected health 
        information, made by a covered entity on or after the sooner of 
        the following dates:
                    (A) In the case of an entity that does not use or 
                maintain an electronic medical record or electronic 
                health record before the date of the enactment of this 
                Act with respect to such information, the date on which 
                the covered entity first uses or maintains an 
                electronic medical record or electronic health record, 
                with respect to such information, and in the case of an 
                entity that uses or maintains an electronic medical 
                record or electronic health record with respect to such 
                information before such date of enactment, the date on 
                which the covered entity upgrades such electronic 
                medical record or electronic health record.
                    (B) If a standard that relates to technologies that 
                allow for an accounting for disclosures made by a 
                covered entity for purposes of treatment, payment, and 
                health care operations is adopted under section 3003(a) 
                of the Public Health Service Act, as added by section 
                101, the date that is 6 months after the date of such 
                adoption.
    (d) Prohibition on Certain Disclosures.--
            (1) In general.--The following uses and disclosures shall 
        not be considered to be permitted uses or disclosures of 
        protected health information for purposes of subparts C and E 
        of part 164 of title 45, Code of Federal Regulations:
                    (A) Sale of protected health information.--The sale 
                of any protected health information of an individual by 
                a covered entity or business associate unless the 
                covered entity or business associate obtains from the 
                individual, in accordance with section 164.508 of title 
                45, Code of Federal Regulations, a valid authorization 
                (as described in paragraph (b) of such section) to sell 
                such information or unless the sale is for purposes of 
                research and public health activities (as described in 
                sections 164.501, 164.512(i), and 164.512(b) of title 
                45, Code of Federal Regulations) and the price charged 
                reflects the costs of preparation and transmittal of 
                the data for such purposes.
                    (B) Re-identification of de-identified 
                information.--In the case of an entity that has 
                received information that has been de-identified in 
                accordance with section 164.514 of title 45, Code of 
                Federal Regulations, the re-identification by the 
                entity of such information.
                    (C) Identification of individual through use of 
                limited data set.--In the case of an entity that has 
                received a limited data set (as defined in section 
                164.514(e)(2) of title 45, Code of Federal 
                Regulations), the use, alone or in combination with 
                other information, of such set to identify the subject 
                of the data set.
            (2) Limitation on condition.--In no case may a covered 
        entity condition the provision of treatment to an individual, 
        or payment for such treatment, on the individual providing 
        authorization described in paragraph (1)(A).
            (3) Construction.--Nothing in this subsection shall be 
        construed as limiting the authority of the Secretary to adopt 
        standards and guidance under section 3003(a) of the Public 
        Health Service Act, as added by section 101.
            (4) Effective date.--The provisions of this subsection 
        shall apply to uses and disclosures made on or after the date 
        of the enactment of this Act.
    (e) Access to Certain Information in Electronic Format.--In 
applying section 164.524 of title 45, Code of Federal Regulations, in 
the case that a covered entity uses or maintains an electronic medical 
record or electronic health record with respect to protected health 
information of an individual--
            (1) the individual shall have a right to obtain from such 
        covered entity a copy of such information in an electronic 
        format; and
            (2) notwithstanding paragraph (c)(4) of such section, the 
        covered entity may not impose any fee for providing such 
        individual with a copy of such information (or a summary or 
        explanation of such information) if such copy (or summary or 
        explanation) is in an electronic form.
    (f) Application of Privacy Regulations for Making Amendments to 
Protected Health Information to Information in Electronic Format.--In 
applying section 164.526 of title 45, Code of Federal Regulations, in the case 
of protected health information used or maintained by a covered entity 
in an electronic medical record or electronic health record, instead of 
any timeframes or deadlines described in such section the Secretary may 
apply such timeframes and deadlines as the Secretary determines to be 
appropriate.

SEC. 406. LIMITATIONS ON CERTAIN ACTIVITIES AS PART OF HEALTH CARE 
              OPERATIONS.

    (a) Marketing.--
            (1) In general.--A communication by a covered entity or 
        business associate that is about a product or service and that 
        encourages recipients of the communication to purchase or use 
        the product or service shall not be considered a health care 
        operation for purposes of subpart E of part 164 of title 45, 
        Code of Federal Regulations, unless the communication is made 
        as described in subparagraph (i), (ii), or (iii) of paragraph 
        (1) of the definition of marketing in section 164.501 of such 
        title.
            (2) Payment for certain communications.--Subject to 
        subparagraph (B), a covered entity or business associate may 
        not receive direct or indirect payment in exchange for making 
        any communication described in subparagraph (i), (ii), or (iii) 
        of paragraph (1) of the definition of marketing in section 
        164.501 of title 45, Code of Federal Regulations, except--
                    (A) a business associate of a covered entity may 
                receive payment from the covered entity for making any 
                such communication on behalf of the covered entity that 
                is consistent with the written contract (or other 
                written arrangement) described in section 164.502(e)(2) 
                of such title between such business associate and 
                covered entity; and
                    (B) a covered entity may receive payment in 
                exchange for making any such communication if the 
                entity obtains from the recipient of the communication, 
                in accordance with section 164.508 of title 45, Code of 
                Federal Regulations, a valid authorization (as 
                described in paragraph (b) of such section), which 
                shall be explicitly and affirmatively provided by the 
                recipient, with respect to such communication.
    (b) Fund Raising.--Fundraising for the benefit of a covered entity 
shall not be considered a health care operation for purposes of section 
164.501 of title 45, Code of Federal Regulations.
    (c) Effective Date.--Subsections (a) and (b) shall apply to 
contracting occurring on or after the effective date specified under 
section 433.
    (d) Regulations.--
            (1) In general.--Not later than 18 months after the date of 
        the enactment of this Act, the Secretary shall issue a notice 
        of proposed rulemaking in the Federal Register, taking into 
        account the report submitted under section 411 and the study 
        under section 410, to eliminate from the definition of health 
        care operations under section 164.501 of title 45, Code of 
        Federal Regulations, those activities (other than the process 
        of de-identifying health information) that can reasonably and 
        efficiently be conducted through the use of information that is 
        de-identified (in accordance with the requirements of section 
        164.514(b) of such title) or that should require a valid 
        authorization for use or disclosure. In promulgating any such 
        regulations, the Secretary may consider the form in which the 
        health information is maintained, such as non-electronic 
        records.
            (2) Considerations.--In promulgating any such regulations, 
        the Secretary shall take into consideration the extent to 
        which--
                    (A) specific health care operations require the use 
                or disclosure of protected health information; and
                    (B) clinical utility of such information would 
                potentially be decreased in the case that such 
                information is de-identified or valid authorization is 
                required; and
                    (C) the classification of health care operations 
                (as in existence as of the date of the enactment of 
                this Act) under section 164.501 of title 45, Code of 
                Federal Regulations, may be further delineated.

SEC. 407. STUDY AND REPORT ON APPLICATION OF PRIVACY AND SECURITY 
              REQUIREMENTS TO NON-HIPAA COVERED ENTITIES.

    Not later than one year after the date of the enactment of this 
Act, the Secretary, in consultation with the Federal Trade Commission, 
shall conduct a study on privacy and security requirements to entities 
that are not considered covered entities as of the date of the 
enactment of this Act and submit to the Committee on Finance and the 
Committee on Health, Education, Labor, and Pensions of the Senate and 
the Committee on Ways and Means and the Committee on Energy and 
Commerce of the House of Representatives a report on the findings of 
the study, including--
            (1) requirements relating to security, privacy, and 
        notification in the case of a breach of security or privacy 
        (including the applicability of an exemption to notification in 
        the case of individually identifiable health information that 
        has been rendered unusable, unreadable, or indecipherable 
        through technologies or methodologies recognized by appropriate 
        professional organization or standard setting bodies to provide 
        effective security for the information) that should be applied 
        to--
                    (A) vendors of personal health records;
                    (B) entities that offer products or services 
                through the website of a vendor of personal health 
                records;
                    (C) entities that are not covered entities and that 
                offer products or services through the websites of 
                covered entities that offer individuals personal health 
                records;
                    (D) entities that are not covered entities and that 
                access information in a personal health record or send 
                information to a personal health record; and
                    (E) third party service providers used by a vendor 
                or entity described in subparagraph (A), (B), (C), or 
                (D) to assist in providing personal health record 
                products or services;
            (2) a determination of which Federal government agency is 
        best equipped to enforce such requirements recommended to be 
        applied to such vendors, entities, and service providers under 
        paragraph (1); and
            (3) a timeframe for implementing regulations based on such 
        findings.

SEC. 408. TEMPORARY BREACH NOTIFICATION REQUIREMENT FOR VENDORS OF 
              PERSONAL HEALTH RECORDS AND OTHER NON-HIPAA COVERED 
              ENTITIES.

    (a) In General.--In accordance with subsection (c), each vendor of 
personal health records, following the discovery of a breach of 
security of unsecured PHR identifiable health information that is in a 
personal health record maintained or offered by such vendor, and each 
entity described in subparagraph (B), (C), or (D) of section 407(1), 
following the discovery of a breach of security of such information 
that is obtained through a product or service provided by such entity, 
shall--
            (1) notify each individual who is a citizen or resident of 
        the United States whose unsecured PHR identifiable health 
        information was acquired by an unauthorized person as a result 
        of such a breach of security; and
            (2) notify the Federal Trade Commission.
    (b) Notification by Third Party Service Providers.--A third party 
service provider that provides services to a vendor of personal health 
records or to an entity described in subparagraph (B), (C), or (D) of 
section 407(1) in connection with the offering or maintenance of a 
personal health record or a related product or service and that 
accesses, maintains, retains, modifies, records, stores, destroys, or 
otherwise holds, uses, or discloses unsecured PHR identifiable health 
information in such a record as a result of such services shall, 
following the discovery of a breach of security of such information, 
notify such vendor or entity, respectively, of such breach. Such notice 
shall include the identification of each individual whose unsecured PHR 
identifiable health information has been, or is reasonably believed to 
have been, accessed, acquired, or disclosed during such breach.
    (c) Application of Requirements for Timeliness, Method, and Content 
of Notifications.--Subsections (c), (d), (e), and (f) of section 402 
shall apply to a notification required under subsection (a) and a 
vendor of personal health records, an entity described in subsection 
(a) and a third party service provider described in subsection (b), 
with respect to a breach of security under subsection (a) of unsecured 
PHR identifiable health information in such records maintained or 
offered by such vendor, in a manner specified by the Federal Trade 
Commission.
    (d) Notification of the Secretary.--Upon receipt of a notification 
of a breach of security under subsection (a)(2), the Federal Trade 
Commission shall notify the Secretary of such breach.
    (e) Enforcement.--A violation of subsection (a) or (b) shall be 
treated as an unfair and deceptive act or practice in violation of a 
regulation under section 18(a)(1)(B) of the Federal Trade Commission 
Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or 
practices.
    (f) Definitions.--For purposes of this section:
            (1) Breach of security.--The term ``breach of security'' 
        means, with respect to unsecured PHR identifiable health 
        information of an individual in a personal health record, the 
        acquisition, use, or disclosure of such information without the 
        authorization of the individual.
            (2) PHR identifiable health information.--The term ``PHR 
        identifiable health information'' means individually 
        identifiable health information, as defined in section 1171(6) 
        of the Social Security Act (42 U.S.C. 1320d(6)), and includes, 
        with respect to an individual, information--
                    (A) that is provided by or on behalf of the 
                individual; and
                    (B) that identifies the individual or with respect 
                to which there is a reasonable basis to believe that 
                the information can be used to identify the individual.
            (3) Unsecured phr identifiable health information.--
                    (A) In general.--Subject to subparagraph (B), the 
                term ``unsecured PHR identifiable health information'' 
                means PHR identifiable health information that is not 
                protected through the use of a technology or 
                methodology specified by the Secretary in the guidance 
                issued under section 402(h)(2).
                    (B) Exception in case timely guidance not issued.--
                In the case that the Secretary does not issue guidance 
                under section 402(h)(2) by the date specified in such 
                section, for purposes of this section, the term 
                ``unsecured PHR identifiable health information'' shall 
                mean information that is not protected by technology 
                standards developed or endorsed by a standards 
                developing organization that is accredited by the 
                American National Standards Institute.
    (g) Effective Date; Sunset.--
            (1) In general.--Subject to paragraph (2), the provisions 
        of this section shall apply to breaches of security occurring 
        during the period beginning on the date that is 90 days after 
        the date of the enactment of this Act.
            (2) Sunset.--The provisions of this section shall not apply 
        to breaches of security occurring on or after the earlier of 
        the following:
                    (A) A standard relating to requirements for 
                entities that are not covered entities that includes 
                requirements relating to breach notification has been 
                adopted by the Secretary under section 3002 of the 
                Public Health Service Act, as added by section 101, and 
                has taken effect.
                    (B) A standard relating to requirements for 
                entities that are not covered entities that includes 
                requirements relating to breach notification has been 
                promulgated by the Federal Trade Commission and has 
                taken effect.

SEC. 409. BUSINESS ASSOCIATE CONTRACTS REQUIRED FOR CERTAIN ENTITIES; 
              OTHER PROVISIONS RELATED TO BUSINESS ASSOCIATE CONTRACTS.

    (a) In General.--Each organization, with respect to a covered 
entity, that provides data transmission of protected health information 
to such entity and that requires access on a routine basis to such 
protected health information, such as a Health Information Exchange, 
Regional Health Information Organization, or E-prescribing Gateway and 
each vendor of a personal health record that contracts with a covered 
entity for purposes of including a personal health record within an 
electronic medical record or electronic health record, is required to 
enter into a written contract (or other written arrangement) described 
in section 164.502(e)(2) of title 45, Code of Federal Regulations and a 
written contract (or other arrangement) described in section 164.308(b) 
of such title, with such entity and shall be treated as a business 
associate of the covered entity for purposes of the provisions of this 
title and subparts C and E of title 45, Code of Federal Regulations.
    (b) Covered Entities To Monitor Compliance of Business 
Associates.--
            (1) In general.--A covered entity shall monitor the extent 
        to which a business associate of such entity complies with the 
        terms of the written contract (or other arrangement) described 
        in section 164.502(e)(2) of title 45, Code of Federal 
        Regulations or section 164.308(b) of such title, as 
        applicable, entered into between such entity and such business 
        associate.
            (2) Enforcement.--If in the process of investigating a 
        complaint related to a violation of the requirements of this 
        title or subpart C or E of title 45, Code of Federal 
        Regulations, committed by a business associate of a covered 
        entity, the Office for Civil Rights of the Department of Health 
        and Human Services determines that--
                    (A) the covered entity reasonably should have known 
                of a pattern of activity or practice of the business 
                associate that was not in compliance with the terms of 
                a contract described in paragraph (1) and that relates 
                to such violation; and
                    (B) the covered entity did not take action required 
                under section 164.504(e)(1)(ii) of title 45, Code of 
                Federal Regulations in response to such pattern or 
                practice,
        the covered entity shall be treated, for purposes of section 
        1176 of the Social Security Act (42 U.S.C. 1320d-5), as having 
        violated part C of title XI of such Act.

SEC. 410. GUIDANCE ON IMPLEMENTATION SPECIFICATION TO DE-IDENTIFY 
              PROTECTED HEALTH INFORMATION.

    Not later than 12 months after the date of the enactment of this 
Act, the Secretary shall, in consultation with stakeholders, issue 
guidance on how best to implement the requirements for the de-
identification of protected health information under section 164.514(b) 
of title 45, Code of Federal Regulations.

SEC. 411. GAO REPORT ON TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS 
              USES AND DISCLOSURES.

    Not later than one year after the date of the enactment of this 
Act, the Comptroller General of the United States shall submit to the 
Committee on Finance and the Committee on Health, Education, Labor, and 
Pensions of the Senate and the Committee on Ways and Means and the 
Committee on Energy and Commerce of the House of Representatives a 
report on--
            (1) the best practices related to the disclosure among 
        health care providers of protected health information of an 
        individual for purposes of treatment of such individual, 
        including an examination of the best practices implemented by 
        States and by other entities, such as health information 
        exchanges and regional health information organizations, and an 
        examination of the extent to which such best practices are 
        successful with respect to the quality of the resulting health 
        care provided to the individual and with respect to the ability 
        of the health care provider to manage such best practices; and
            (2) the best practices with respect to determining the 
        minimum necessary set of protected health information for uses 
        and disclosures of such information for purposes of payment and 
        the most common health care operations, as specified by the 
        Secretary, including those health care operations that could be 
        reasonably and efficiently performed with either de-identified 
        data (as defined in section 164.514(a) of title 45, Code of 
        Federal Regulations) or the limited data set (as defined in 
        section 164.514(e)(1) of such title).

SEC. 412. CLARIFICATION OF APPLICATION OF WRONGFUL DISCLOSURES CRIMINAL 
              PENALTIES.

    Section 1177(a) of the Social Security Act (42 U.S.C. 1320d-6(a)) 
is amended by adding at the end the following new sentence: ``For 
purposes of the previous sentence, a person (including an employee or 
other individual who is not a covered entity, as defined in the HIPAA 
privacy regulation described in section 1180(b)(3)) shall be considered 
to have obtained or disclosed individually identifiable health 
information in violation of this part if the information is maintained 
by a covered entity (as so defined) and the person knowingly obtained 
or disclosed such information without authorization.''.

SEC. 413. IMPROVED ENFORCEMENT.

    (a) Improved Civil Penalties.--
            (1) In general.--Section 1176 of the Social Security Act 
        (42 U.S.C. 1320d-5) is amended--
                    (A) in subsection (b)(1), by striking ``the act 
                constitutes an offense punishable under section 1177'' 
                and inserting ``a penalty has been imposed under 
                section 1177 with respect to such act''; and
                    (B) by adding at the end the following new 
                subsection:
    ``(c) Noncompliance Due to Willful Neglect.--
            ``(1) In general.--A violation of a provision of this part 
        due to willful neglect is a violation for which the Secretary 
        is required to impose a penalty under subsection (a)(1).
            ``(2) Required investigation.--For purposes of paragraph 
        (1), the Secretary shall formally investigate any complaint of 
        a violation of a provision of this part if a preliminary 
        investigation of the facts of the complaint indicates such a 
        possible violation due to willful neglect.
            ``(3) Regulations.--Not later than 90 days after the date 
        of the enactment of the Health-e Information Technology Act of 
        2008, the Secretary shall issue a notice of proposed rulemaking 
        in the Federal Register to implement this subsection.''.
            (2) Effective date.--The amendments made by paragraph (1) 
        shall apply to penalties imposed on or after the date specified 
        in section 433.
    (b) Distribution of Civil Monetary Penalties Collected.--
            (1) In general.--Subject to the regulation promulgated 
        pursuant to paragraph (3), any civil monetary penalty collected 
        with respect to an offense punishable under this title or 
        section 1176 of the Social Security Act (42 U.S.C. 1320d-5) 
        shall be transferred to the Office of Civil Rights of the 
        Department of Health and Human Services to be used for purposes 
        of enforcing the provisions of this title and subparts C and E 
        of title 45, Code of Federal Regulations.
            (2) GAO report.--Not later than 18 months after the date of 
        the enactment of this Act, the Comptroller General shall submit 
        to the Secretary a report including recommendations for a 
        methodology under which an individual who is harmed by an act 
        that constitutes an offense punishable under this title or 
        section 1176 of the Social Security Act may receive a 
        percentage of any civil monetary penalty collected with respect 
        to such offense under this title or such section.
            (3) Establishment of methodology to distribute percentage 
        of CMPs collected to harmed individuals.--Not later than 3 years 
        after the date of the enactment of this Act, the Secretary 
        shall establish by regulation and based on the recommendations 
        submitted under paragraph (2), a methodology under which an 
        individual who is harmed by an act that constitutes an offense 
        punishable under this title or section 1176 of the Social 
        Security Act may receive a percentage of any civil monetary 
        penalty collected with respect to such offense under this title 
        or such section.
            (4) Application of methodology.--The methodology under 
        paragraph (3) shall be applied with respect to civil monetary 
        penalties imposed on or after the effective date of the 
        regulation.
    (c) Tiered Increase in Amount of Civil Monetary Penalties.--
            (1) In general.--Section 1176(a)(1) of the Social Security 
        Act (42 U.S.C. 1320d-5(a)(1)) is amended by striking ``who 
        violates a provision of this part a penalty of not more than'' 
        and all that follows and inserting the following: ``who 
        violates a provision of this part--
                    ``(A) in the case of a violation of such provision 
                in which it is established to the satisfaction of the 
                Secretary that the person did not know (and by 
                exercising reasonable diligence would not have known) 
                that such person violated such provision, a penalty for 
                each such violation of an amount that is at least the 
                amount described in paragraph (3)(A) but not to exceed 
                the amount described in paragraph (3)(D);
                    ``(B) in the case of a violation of such provision 
                in which it is established to the satisfaction of the 
                Secretary that the violation was due to reasonable 
                cause and not to willful neglect, a penalty for each 
                such violation of an amount that is at least the amount 
                described in paragraph (3)(B) but not to exceed the 
                amount described in paragraph (3)(D); and
                    ``(C) in the case of a violation of such provision 
                in which it is established to the satisfaction of the 
                Secretary that the violation was due to willful 
                neglect--
                            ``(i) if the violation is corrected as 
                        described in subsection (b)(3)(A), a penalty in 
                        an amount that is at least the amount described 
                        in paragraph (3)(C) but not to exceed the 
                        amount described in paragraph (3)(D); and
                            ``(ii) if the violation is not corrected as 
                        described in such subsection, a penalty in an 
                        amount that is at least the amount described in 
                        paragraph (3)(D).
                In determining the amount of a penalty under this 
                section for a violation, the Secretary shall base such 
                determination on the nature and extent of the violation 
                and the nature and extent of the harm resulting from 
                such violation.''.
            (2) Tiers of penalties described.--Section 1176(a) of such 
        Act (42 U.S.C. 1320d-5(a)) is further amended by adding at the 
        end the following new paragraph:
            ``(3) Tiers of penalties described.--For purposes of 
        paragraph (1), with respect to a violation by a person of a 
        provision of this part--
                    ``(A) the amount described in this subparagraph is 
                $100 for each such violation, except that the total 
                amount imposed on the person for all such violations of 
                an identical requirement or prohibition during a 
                calendar year may not exceed $25,000;
                    ``(B) the amount described in this subparagraph is 
                $1,000 for each such violation, except that the total 
                amount imposed on the person for all such violations of 
                an identical requirement or prohibition during a 
                calendar year may not exceed $100,000;
                    ``(C) the amount described in this subparagraph is 
                $10,000 for each such violation, except that the total 
                amount imposed on the person for all such violations of 
                an identical requirement or prohibition during a 
                calendar year may not exceed $250,000; and
                    ``(D) the amount described in this subparagraph is 
                $50,000 for each such violation, except that the total 
                amount imposed on the person for all such violations of 
                an identical requirement or prohibition during a 
                calendar year may not exceed $1,500,000.''.
            (3) Conforming amendments.--Section 1176(b) of such Act (42 
        U.S.C. 1320d-5(b)) is amended--
                    (A) by striking paragraph (2) and redesignating 
                paragraphs (3) and (4) as paragraphs (2) and (3), 
                respectively; and
                    (B) in paragraph (3)--
                            (i) in subparagraph (A), by striking ``in 
                        subparagraph (B), a penalty may not be imposed 
                        under subsection (a) if'' and all that follows 
                        through ``the failure to comply is corrected'' 
                        and inserting ``in subparagraph (B) or 
                        subsection (a)(1)(C), a penalty may not be 
                        imposed under subsection (a) if the failure to 
                        comply is corrected''; and
                            (ii) in subparagraph (B), by striking 
                        ``(A)(ii)'' each place it appears and inserting 
                        ``(A)''.
            (4) Effective date.--The amendments made by this subsection 
        shall apply to violations occurring after the date of the 
        enactment of this Act.
    (d) Enforcement by State Attorneys General.--
            (1) Civil actions.--In any case in which the attorney 
        general of a State or any State or local law enforcement agency 
        authorized by the State attorney general or by State law to 
        prosecute violations of consumer protection laws, has reason to 
        believe that an interest of the residents of that State has 
        been or is threatened or adversely affected by the engagement 
        of a person in a practice that is prohibited under a provision 
        of this title or subparts C or E of title 45, Code of Federal 
        Regulations, the State or local law enforcement agency on 
        behalf of the residents of the agency's jurisdiction, may bring 
        a civil action on behalf of the residents of the State or 
        jurisdiction in a district court of the United States of 
        appropriate jurisdiction to--
                    (A) enjoin that act or practice;
                    (B) enforce compliance with the provision; or
                    (C) obtain civil penalties in an amount calculated 
                by multiplying the number of violations by an amount 
                not greater than $11,000.
            (2) Rule of construction.--For purposes of bringing any 
        civil action under paragraph (1), nothing in this title 
        regarding notification shall be construed to prevent an 
        attorney general of a State from exercising the powers 
        conferred on such attorney general by the laws of that State 
        to--
                    (A) conduct investigations;
                    (B) administer oaths or affirmations; or
                    (C) compel the attendance of witnesses or the 
                production of documentary and other evidence.
            (3) Venue; service of process.--
                    (A) Venue.--Any action brought under paragraph (1) 
                may be brought in the district court of the United 
                States that meets applicable requirements relating to 
                venue under section 1391 of title 28, United States 
                Code.
                    (B) Service of process.--In an action brought under 
                paragraph (1), process may be served in any district in 
                which the defendant--
                            (i) is an inhabitant; or
                            (ii) may be found.

SEC. 414. AUDITS.

    The Secretary shall provide for periodic audits to ensure that 
entities that are subject to the requirements of this title and 
subparts C and E of title 45, Code of Federal Regulations, comply with 
such requirements.

SEC. 415. TECHNICAL AMENDMENT.

    Section 1171(5) of the Social Security Act (42 U.S.C. 1320d) is 
amended by striking ``or C'' and inserting ``C, or D''.

  Subtitle B--Chief Privacy Officer of ONCHIT; Standards and Guidance 
            Recommendations Related to Privacy and Security

SEC. 421. CHIEF PRIVACY OFFICER OF THE OFFICE OF THE NATIONAL 
              COORDINATOR.

    (a) In General.--To assist the National Coordinator in carrying out 
all the duties of the National Coordinator relating to the privacy and 
security of health information, not later than 12 months after the date 
of the enactment of this Act, the Secretary shall appoint a Chief 
Privacy Officer of the Office of the National Coordinator established 
under section 3001(a) of the Public Health Service Act, as added by 
section 101.
    (b) Consultation.--In carrying out the duties under subsection (a), 
the Chief Privacy Officer shall consult with the officials designated 
under subsection (c)(1) and is encouraged to consult with officials in 
other Federal agencies who have primary responsibility relating to the 
privacy and security of individually identifiable information.
    (c) Coordination With Internal Privacy Officers.--The Secretary 
shall ensure that--
            (1) not later than 12 months after the date of the 
        enactment of this Act, each agency specified by the Secretary 
        with the Department of Health and Human Services that deals 
        with health information has an official who is designated with 
        specific responsibilities with regard to the privacy and 
        security of such information; and
            (2) such officials coordinate their activities with the 
        Chief Privacy Officer.

SEC. 422. ADDITIONAL STANDARDS AND GUIDANCE RECOMMENDATIONS RELATED TO 
              PRIVACY AND SECURITY.

    (a) In General.--In carrying out section 3001(c)(2) of the Public 
Health Service Act, as added by section 101, the National Coordinator 
shall--
            (1) periodically recommend to the Secretary standards and 
        guidance related to ensuring the privacy and security of health 
        information for purposes of adoption under section 3003(a) of 
        such Act, as so added; and
            (2) periodically review and revise as necessary health 
        information privacy and security standards and regulations 
        implemented under this title and subparts C and E of title 45, 
        Code of Federal Regulations.
    (b) Specific Recommendations.--For purposes of subsection (a), the 
National Coordinator shall submit to the Secretary recommendations on 
at least the following:
            (1) Application of HIPAA to entities that aren't covered 
        entities.--Taking into account the results of the study 
        conducted under section 407, recommendations--
                    (A) on the extent to which the provisions of this 
                title and subparts C and E of title 45, Code of Federal 
                Regulations, should apply to entities using, disclosing 
                or receiving health information that are not included 
                under this title or such subparts as a covered entity 
                or business associate; and
                    (B) that identify to which entities that are not so 
                included should such provisions apply.
            (2) Collection limitations.--Recommendations identifying 
        under what circumstances and for what purposes protected health 
        information may be collected, including model notices for such 
        purposes as necessary and recommendations about which of such 
        purposes should require separate, prior authorization from the 
        individual involved. Such recommendations shall provide that--
                    (A) such collection will occur in a transparent 
                process;
                    (B) such collection shall be in accordance with 
                applicable Federal, State, and local laws; and
                    (C) such collection may only occur for the purposes 
                specified by the entity collecting the information and 
                such purposes must be so specified at least not later 
                than the time of collection.
            (3) Disclosure and use limitations.--Recommendations 
        identifying the circumstances under which, to whom, and for 
        what purposes protected health information may be used or 
        disclosed, including--
                    (A) recommendations about what uses or purposes are 
                permitted or required (taking into account that 
                protected health information shall be disclosed in a 
                non-identifiable manner to the maximum extent 
                possible);
                    (B) recommendations on best practices on de-
                identifying data;
                    (C) recommendations for a technical standard that 
                allows for the de-identification of health information;
                    (D) recommendations on how to segregate sensitive 
                protected health information with the goal of 
                minimizing the reluctance of patients to seek care (or 
                disclose information about a condition) because of 
                privacy concerns involving sensitive protected health 
                information while maximizing patient safety and 
                clinical utility of the information;
                    (E) recommendations to define the ``minimum 
                necessary'' set of health information for the most 
                common treatment and health care operations, as 
                specified by the Secretary; and
                    (F) recommendations for standardized notification 
                describing, in terms that are easily understandable to 
                individuals, permissible uses and disclosures for the 
                most common payment and health care operations purposes 
                and specific to the most common covered entities.
            (4) Electronic health records and electronic medical 
        records security features.--Recommendations on security 
        features, such as user authentication, identity management 
        tools, and data scrubbing, that electronic health records must 
        have in order to receive certification under the program under 
        section 3001(c)(3) of the Public Health Service Act, as added 
        by section 101. Such recommendations shall include at a minimum 
        recommendations with respect to immutable audit trails.
            (5) Data accuracy.--Recommendations on how to maximize the 
        accuracy of health information used or disclosed.
            (6) Accountability.--Recommendations on how to best provide 
        for accountability for uses and disclosures of health 
        information.
            (7) Transparency.--Recommendations on how to maximize the 
        transparency and openness of health information privacy and 
        security policies, including requiring that notices informing 
        individuals of such policies be written in an understandable 
        and simple manner and clearly and simply describe what the 
        privacy and security policies are and how individuals can 
        access their protected health information and amend it.
            (8) Enforcement.--Recommendation on how to improve and 
        revise the enforcement of this title and subparts C and E of 
        title 45, Code of Federal Regulations.
            (9) Reductions in breaches.--Recommendations on how to 
        reduce the number and scope of breaches, taking into account 
        information received by the Secretary under section 3002(e)(3) 
        of the Public Health Service Act.
The National Coordinator shall, to the maximum extent practicable, 
include the recommendations described in paragraphs (1), (3)(C), 
(3)(D), and (4) in the initial set of recommendations submitted by the 
Coordinator under section 3001(c)(2)(A) of the Public Health Service 
Act, as added by section 101.

    Subtitle C--Relationship to Other Laws; Regulatory References; 
                             Effective Date

SEC. 431. RELATIONSHIP TO OTHER LAWS.

    (a) Application of HIPAA State Preemption.--Section 1178 of the 
Social Security Act (42 U.S.C. 1320d-7) shall apply to a provision or 
requirement under this title in the same manner that such section 
applies to a provision or requirement under part C of title XI of such 
Act or a standard or implementation specification adopted or 
established under sections 1172 through 1174 of such Act.
    (b) Health Insurance Portability and Accountability Act.--The 
standards governing the privacy and security of individually 
identifiable health information promulgated by the Secretary under 
sections 262(a) and 264 of the Health Insurance Portability and 
Accountability Act of 1996 shall remain in effect to the extent that 
they are consistent with this title. The Secretary shall by rule amend 
such Federal regulations as required to make such regulations 
consistent with this title.

SEC. 432. REGULATORY REFERENCES.

    Each reference in this title to a provision of the Code of Federal 
Regulations refers to such provision as in effect on the date of the 
enactment of this Act (or to the most recent update of such provision).

SEC. 433. EFFECTIVE DATE.

    The provisions of subtitles A and B of this title (other than 
sections 401(c), 402, 403, 405(c), 405(d), 406(d), 407, 408, 410, 411, 
412, 413(b)(2), 413(b)(3), 413(c), 415, 421, 422, 431, and 432) shall 
take effect on the date that is 12 months after the date of the 
enactment of this Act.