


110 HR 6898 IH: Health-e Information Technology

U.S. House of Representatives
2008-09-15
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.


	
		I
		110th CONGRESS
		2d Session
		H. R. 6898
		IN THE HOUSE OF REPRESENTATIVES
		
			September 15, 2008
			Mr. Stark (for himself, Ms. Schwartz, Mr. McDermott, Mr. McNulty, Mr. Levin, Mr. Emanuel, Mr. Neal of Massachusetts, Mr. Pascrell, and Mr. Lewis of Georgia) introduced the following bill; which was referred to the Committee on Energy and Commerce, and in addition to the Committees on Ways and Means and Science and Technology, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned
		
		A BILL
		To promote the adoption and meaningful use of health information technology, and for other purposes.
	
	
		Sec. 1. Short title; table of contents
			(a) Short title. This Act may be cited as the "Health-e Information Technology Act of 2008".
			(b) Table of contents. The table of contents for this Act is as follows:
				
					Sec. 1. Short title; table of contents.
					Title I—Promotion of Health Information Technology
					Subtitle A—Improving health care quality, safety, and
				efficiency
					Sec. 101. ONCHIT; standards development and adoption; health
				information technology resource center.
						Title XXX—Health Information Technology and Quality
						Sec. 3000. Definitions.
						Subtitle A—Promotion of Health Information
				  Technology
						Sec. 3001. Office of the National Coordinator for Health
				  Information Technology.
						Sec. 3002. HIT Advisory Committee.
						Sec. 3003. Process for adoption of recommended standards and
				  guidance.
						Sec. 3004. Application and use of adopted standards by Federal
				  agencies.
						Sec. 3005. Voluntary application and use of adopted standards
				  by private entities.
						Sec. 3006. Health Information Technology Resource
				  Center.
					Sec. 102. Transitions.
					Subtitle B—Application and use of adopted health information
				technology standards; reports
					Sec. 111. Coordination of Federal activities with adopted
				standards.
					Sec. 112. Application to private entities.
					Sec. 113. Annual reports.
					Title II—Testing of Health Information Technology
					Sec. 201. National Institute for Standards and Technology
				testing.
					Title III—Incentives for adoption of health information
				technology
					Subtitle A—Medicare program
					Sec. 301. Incentives for eligible professionals.
					Sec. 302. Incentives for hospitals.
					Sec. 303. Incentives for certain Medicare Advantage
				plans.
					Subtitle B—Other incentives for the Implementation and Use of
				Health Information Technology
					Sec. 311. Grant, loan, and demonstration
				programs.
						Subtitle B—Incentives for the Use of Health Information
				  Technology
						Sec. 3011. Grants and loans to facilitate the widespread
				  adoption of qualified health information technology.
						Sec. 3012. Demonstration program to integrate information
				  technology into clinical education.
					Title IV—Privacy and security provisions
					Sec. 400. Definitions.
					Subtitle A—Improved privacy provisions and security
				provisions
					Sec. 401. Application of security provisions and penalties to
				business associates of covered entities; annual guidance on privacy and
				security provisions.
					Sec. 402. Notification in the case of breach.
					Sec. 403. Education on health information privacy and report on
				compliance.
					Sec. 404. Application of penalties to business associates of
				covered entities for violations of privacy contract requirements.
					Sec. 405. Restrictions on certain uses and disclosures and
				sales of health information; accounting of certain protected health information
				disclosures; access to certain information in electronic format.
					Sec. 406. Limitations on certain activities as part of health
				care operations.
					Sec. 407. Study and report on application of privacy and
				security requirements to non-HIPAA covered entities.
					Sec. 408. Temporary breach notification requirement for vendors
				of personal health records and other non-HIPAA covered entities.
					Sec. 409. Business associate contracts required for certain
				entities; other provisions related to business associate contracts.
					Sec. 410. Guidance on implementation specification to
				de-identify protected health information.
					Sec. 411. GAO report on treatment, payment, and health care
				operations uses and disclosures.
					Sec. 412. Clarification of application of wrongful disclosures
				criminal penalties.
					Sec. 413. Improved enforcement.
					Sec. 414. Audits.
					Sec. 415. Technical amendment.
					Subtitle B—Chief Privacy Officer of ONCHIT; Standards and
				guidance recommendations related to privacy and security
					Sec. 421. Chief Privacy Officer of the Office of the National
				Coordinator.
					Sec. 422. Additional standards and guidance recommendations
				related to privacy and security.
					Subtitle C—Relationship to other laws; regulatory references;
				effective date
					Sec. 431. Relationship to other laws.
					Sec. 432. Regulatory references.
					Sec. 433. Effective date.
				
			Title I. Promotion of Health Information Technology
			Subtitle A. Improving health care quality, safety, and efficiency
				Sec. 101. ONCHIT; standards development and adoption; health information technology resource center
					(a) In general. The Public Health Service Act (42 U.S.C. 201 et seq.) is amended by adding at the end the following:

							Title XXX. Health Information Technology and Quality
								Sec. 3000. Definitions. In this title:
									(1) Electronic health record. The term "electronic health record" means an electronic record of health-related information on an individual that is created, managed, and consulted by authorized health care clinicians and staff of one or more organizations, that conforms to standards adopted under section 3003(a), and is made accessible electronically to other health care organizations and other authorized users.
									(2) Health care provider. The term "health care provider" means a hospital, skilled nursing facility, nursing facility, home health entity, health care clinic, Federally qualified health center, group practice (as defined in section 1877(h)(4) of the Social Security Act), a pharmacist, a pharmacy, a laboratory, a physician (as defined in section 1861(r) of the Social Security Act), a practitioner (as described in section 1842(b)(18)(C) of the Social Security Act), a provider operated by, or under contract with, the Indian Health Service or by an Indian tribe (as defined in the Indian Self-Determination and Education Assistance Act), tribal organization, or urban Indian organization (as defined in section 4 of the Indian Health Care Improvement Act), a rural health clinic, and any other category of facility or clinician determined appropriate by the Secretary.
									(3) Health information. The term "health information" has the meaning given such term in section 1171(4) of the Social Security Act.
									(4) Health information technology. The term "health information technology" means hardware, software, integrated technologies and related licenses, intellectual property, upgrades, and packaged solutions sold as services that are specifically designed for use by health care entities for the electronic creation, maintenance, or exchange of health information.
									(5) Health plan. The term "health plan" has the meaning given such term in section 1171(5) of the Social Security Act.
									(6) HIT Advisory Committee. The term "HIT Advisory Committee" means such Committee established under section 3002(a).
									(7) Individually identifiable health information. The term "individually identifiable health information" has the meaning given such term in section 1171(6) of the Social Security Act.
									(8) Laboratory. The term "laboratory" has the meaning given such term in section 353(a).
									(9) National Coordinator. The term "National Coordinator" means the head of the Office of the National Coordinator for Health Information Technology established under section 3001(a).
									(10) Pharmacist. The term "pharmacist" has the meaning given such term in section 804(2) of the Federal Food, Drug, and Cosmetic Act.
									(11) State. The term "State" means each of the several States, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana Islands.
									Subtitle A. Promotion of Health Information Technology
									Sec. 3001. Office of the National Coordinator for Health Information Technology
										(a) Establishment. There is established within the Department of Health and Human Services an Office of the National Coordinator for Health Information Technology (referred to in this section as the "Office"). The Office shall be headed by a National Coordinator who shall be appointed by the Secretary and shall report directly to the Secretary.
										(b) Purpose. The National Coordinator shall perform the duties under subsection (c) in a manner consistent with the development of a nationwide health information technology infrastructure that allows for the electronic use and exchange of information and that—
											(1) ensures that each patient’s health information is secure and protected, in accordance with applicable law;
											(2) improves health care quality, reduces medical errors, and advances the delivery of patient-centered medical care;
											(3) reduces health care costs resulting from inefficiency, medical errors, inappropriate care, duplicative care, and incomplete information;
											(4) ensures that appropriate information to help guide medical decisions is available at the time and place of care;
											(5) ensures the inclusion of meaningful public input in such development of such infrastructure;
											(6) improves the coordination of care and information among hospitals, laboratories, physician offices, and other entities through an effective infrastructure for the secure and authorized exchange of health care information;
											(7) improves public health reporting and facilitates the early identification and rapid response to public health threats and emergencies, including bioterror events and infectious disease outbreaks;
											(8) facilitates health and clinical research and health care quality;
											(9) promotes prevention of chronic diseases;
											(10) promotes a more effective marketplace, greater competition, greater systems analysis, increased consumer choice, and improved outcomes in health care services; and
											(11) improves efforts to reduce health disparities.
										(c) Duties of the National Coordinator
											(1) HIT policy coordination. The National Coordinator shall coordinate health information technology policy and programs within the Department and with those of other relevant executive branch agencies with a goal of avoiding duplication of efforts and of helping to ensure that each agency undertakes health information technology activities primarily within the areas of its greatest expertise and technical capability.
											(2) Standards, guidance
												(A) Development and recommendations of standards and guidance
													(i) In general
														(I) Initial implementation. The National Coordinator shall, in consultation with the HIT Advisory Committee under section 3002 and consistent with the implementation of the strategic plan under paragraph (6), develop and recommend to the Secretary standards and guidance (which may include best practices), as applicable, for each of the categories described in clauses (iii), (iv), and (v). In accordance with the previous sentence, the National Coordinator shall ensure that an initial set of appropriate standards is developed and recommended to the Secretary under this subclause by such time as to enable the Secretary to adopt such an initial set in accordance with section 3003(b).
														(II) Biennial updating. Biennially thereafter the National Coordinator, in consultation with the HIT Advisory Committee, shall update such recommendations and make new recommendations as appropriate, including in response to a notification sent under section 3003(a)(2).
													(ii) Coordination among categories. The National Coordinator shall coordinate the development, recommendations, and updating among the categories so described to take into account the interdependence of standards and guidance among such categories.
													(iii) Technical interoperability category
														(I) In general. The category described in this clause is the category for technical interoperability to provide for the electronic exchange and use of health information.
														(II) Application to different levels of interoperability. In developing recommendations respecting the category described in this clause, the National Coordinator shall initially use the different levels of interoperability (as described on pages 6 through 8 of GAO report 08–954 titled "Electronic Health Records: DOD and VA Have Increased Sharing of Health Information, but More Work Remains") and provide for the development and recommendations of different standards and guidance for each of such different levels.
													(iv) Privacy and security category. The category described in this clause is the category for privacy and security to ensure the secure exchange of protected health information, in accordance with title IV of the Health-e Information Technology Act of 2008 including the amendments made by such title.
													(v) Clinical and quality category
														(I) In general. The category described in this clause is the category for clinical and quality functionalities of health information technology and strategies to enhance the use of such technology including for the following purposes:
															(aa) To improve the quality of health care, such as through the reduction of medical errors, using electronic provider order entry and clinical decision support systems.
															(bb) To facilitate patient-centered care, such as through improved patient-provider communication through secure electronic messaging, and improved patient support.
															(cc) To reduce health disparities.
															(dd) To improve population health, such as through the use of registries and automated quality reporting and performance measures.
															(ee) To improve the continuity of care among health care settings.
														(II) Requirements. In developing recommendations respecting the category described in this clause, the National Coordinator shall ensure the following:
															(aa) Information is collected and transmitted in a manner that is reliable, accurate, and unambiguous and based on a uniform provider data set, including a set of comprehensive data elements.
															(bb) Information is communicated in a manner to promote coordination of health care, applying appropriate data filtering for the situation.
															(cc) Practices optimize for continuous improvement, advancement of research and education, and population disease management.
															(dd) Sensitive protected health information may be segmented, with the goal of minimizing the reluctance of patients to seek care (or disclose information about a condition) because of privacy concerns involving sensitive protected health information, while maximizing patient safety and clinical utility of the information.
												(B) Incorporation of current CCHIT certification criteria. In developing and recommending standards and guidance under subparagraph (A), the National Coordinator shall, to the maximum extent appropriate, incorporate the ambulatory and inpatient functionality certification criteria that have been adopted by the Certification Commission for Health Information Technology as of the date of the enactment of this title. Nothing in this paragraph shall be construed as preventing the National Coordinator from incorporating into such recommendations such certification criteria as such Commission is in the process of adopting as of such date.
												(C) Provider and setting specific. Recommendations made under subparagraph (A) may be established in a provider-specific and setting-specific manner and in a manner such that they apply to a broad variety of providers, including physicians, hospitals, and other health care providers and to a broad variety of settings, including for health information technology systems that are hospital-based and for such systems that are office-based.
												(D) Pilot testing of standards and implementation specifications. In the development of standards under this paragraph, the National Coordinator, as appropriate, shall provide for the testing of such standards in collaboration with the National Institute for Standards and Technology under section 201 of the Health-e Information Technology Act of 2008.
												(E) Consistency with privacy and security requirements. The standards recommended under this paragraph shall be consistent with applicable privacy and security standards and requirements adopted pursuant to section 1173 of the Social Security Act, to title IV of the Health-e Information Technology Act of 2008, or otherwise.
												(F) Public input. The National Coordinator shall conduct open public meetings and develop a process to allow for public comment on the recommendations made under this paragraph. Under such process comments shall be submitted in a timely manner after the date of publication of a recommendation under this paragraph.
												(G) Publication. The Secretary shall provide for publication in the Federal Register and the posting on the Internet website of the Office of the National Coordinator for Health Information Technology of all recommendations made by the National Coordinator under this paragraph.
											(3) Certification. The National Coordinator, in consultation with the Director of the National Institute of Standards and Technology and other relevant Federal agencies, shall develop a program (either directly or by contract) for the voluntary certification (and periodic recertification) of health information technology systems (and components of such systems) as being in compliance with all applicable standards (for each category described in paragraph (2)(A)) that are adopted under this subtitle. Such program shall include testing of the technology in accordance with section 201(b) of the Health-e Information Technology Act of 2008.
											(4) Federal open source health IT system
												(A) In general. The National Coordinator shall provide for coordinating the development, routine updating, and provision of an open source health information technology system that is either new or based on an open source health information technology system, such as VistA, that is in existence as of the date of the enactment of this title and that is in compliance with all applicable standards (for each category described in paragraph (2)(A)) that are adopted under this subtitle. The National Coordinator shall make such system publicly available for use, after appropriate pilot testing, as soon as practicable but not later than 9 months after the date of the adoption by the Secretary of the initial set of standards and guidance under section 3003(c).
												(B) Consortium. In order to carry out subparagraph (A), the National Coordinator shall establish, not later than 6 months after the date of the enactment of this section, a consortium comprised of individuals with technical, clinical, and legal expertise in open source health information technology. The Secretary, through agencies within the Department, shall provide assistance to the consortium in conducting its activities under this paragraph.
												(C) Authorization to charge nominal fee. The National Coordinator may impose a nominal fee for the adoption by a health care provider of the health information technology system developed or approved under subparagraph (A). Such fee shall take into account the circumstances of smaller providers and providers located in rural or other medically underserved areas.
												(D) Open source defined. In this paragraph, the term "open source" has the meaning given such term by the Open Source Initiative.
											(5) Nationwide health information network. The National Coordinator shall facilitate the development and expansion of sub-national health information organizations and the coordination of such organizations in order to provide for the nationwide electronic exchange of health information among such organizations that ensures that appropriate information is available at the time and place of care and enables the aggregation of health information for research and public health purposes.
											(6) Strategic plan
												(A) In general. Not later than 12 months after the date of the enactment of this title, the National Coordinator shall, in consultation with other appropriate Federal agencies (including the National Institute of Standards and Technology), develop and maintain a strategic plan with specific objectives, milestones, and metrics for each strategic plan area described in subparagraph (B). The National Coordinator shall, in consultation with such other appropriate Federal agencies, annually update such strategic plan.
												(B) Strategic plan areas required. The strategic plan areas include at least the following:
													(i) The establishment of recommendations for and development of standards and guidance for each category under paragraph (2)(A), including recommendations described in section 422 of the Health-e Information Technology Act of 2008, and the adoption of standards so recommended, including the process of updating of such standards and guidance.
													(ii) The development of the certification program under paragraph (3) and the establishment and maintenance of a list of health information technology systems (and components of such systems) that have been certified under such program.
													(iii) The development of a Federal open source health IT system in accordance with paragraph (4).
													(iv) The widespread utilization of electronic health records in the United States and the establishment of a nationwide health information network described in paragraph (5).
													(v) Specifying a framework for the coordination and flow of recommendations and policies under this subtitle among the Secretary, the National Coordinator, the HIT Policy Committee, health information exchanges, and other relevant entities.
													(vi) Methods to foster the public understanding of health information technology and related privacy and security laws.
													(vii) The availability of technical assistance and training for health care providers in the implementation and utilization of health information technology systems.
												(C) Collaboration. The strategic plan shall be developed and updated through collaboration of public and private interests.
												(D) Measurable outcome goals. The strategic plan shall include measurable outcome goals including timeframes for such goals.
												(E) Publication. The National Coordinator shall publish the strategic plan, including all updates.
											(7) Implementation reports. Not later than 12 months after the date of publication of the strategic plan under paragraph (6) and annually thereafter, the National Coordinator shall submit to the Secretary a report that identifies the progress achieved with respect to the objectives, milestones, and metrics identified in such strategic plan for each strategic plan area described in paragraph (6)(B).
											(8) Assessment of impact of HIT on communities with health disparities and uninsured, underinsured, and medically underserved areas. The National Coordinator shall assess and publish the impact of health information technology in communities with health disparities and in areas that serve uninsured, underinsured, and medically underserved individuals (including urban and rural areas) and identify practices to increase the adoption of such technology by health care providers in such communities.
											(9) Website. The National Coordinator shall maintain and frequently update an Internet website on which there is posted information that includes the following:
												(A) Recommendations made by the National Coordinator under paragraph (2)(A).
												(B) The standards and guidance adopted by the Secretary under section 3003(a).
												(C) Sources of Federal grant funds and technical assistance that are available to facilitate the purchase of, or enhance the utilization of, health information technology systems.
												(D) The reports prepared by the National Coordinator under paragraph (7).
												(E) The assessment by the National Coordinator under paragraph (8).
										(d) Staff
											(1) In general. The National Coordinator may appoint personnel to the Office as the National Coordinator considers appropriate. Such personnel shall have the requisite skills needed to develop and make recommendations in each of the categories described in clauses (iii), (iv), and (v) of subsection (c)(2)(A).
											(2) Detail of Federal Employees
												(A) In general. Upon the request of the National Coordinator, the head of any Federal agency is authorized to detail, with or without reimbursement from the Office, any of the personnel of such agency to the Office to assist it in carrying out its duties under this section.
												(B) Effect of detail. Any detail of personnel under subparagraph (A) shall—
													(i) not interrupt or otherwise affect the civil service status or privileges of the Federal employee; and
													(ii) be in addition to any other staff of the Department employed by the National Coordinator.
												(C) Acceptance of detailees. Notwithstanding any other provision of law, the Office may accept detailed personnel from other Federal agencies without regard to whether the agency described under subparagraph (A) is reimbursed.
											(3) Temporary and intermittent services. The National Coordinator may procure temporary and intermittent services under section 3109(b) of title 5, United States Code to the extent that such services cannot adequately be provided by any personnel appointed or detailed under paragraph (1) or (2), respectively.
										(e) Funding
											(1) Authorization of appropriations. There are authorized to be appropriated to carry out this section such sums as may be necessary for each of the fiscal years 2009 through 2013.
											(2) DHHS agency contributions. In addition to amounts authorized under paragraph (1), for purposes of carrying out this section, for each of the fiscal years 2009 through 2013 there shall be transferred to the National Coordinator from the amount appropriated for the fiscal year to each agency within the Department an amount that is equal to 1 percent of the amount appropriated to the agency for the fiscal year to carry out health information technology activities.
											(3) Open source product licensing fee. In addition to amounts authorized under paragraph (1) and transferred under paragraph (2), any fees collected under subsection (c)(4)(B) shall be available to the National Coordinator for purposes of carrying out this section.
									Sec. 3002. HIT Advisory Committee
										(a) Establishment. There is established a HIT Advisory Committee to make recommendations to and advise the National Coordinator with respect to all of the duties of the National Coordinator described in section 3001(c).
										(b) Additional duties
											(1) Forum. The HIT Advisory Committee shall serve as a forum for broad stakeholder input with specific expertise necessary to advise the National Coordinator for purposes of carrying out the duties of the National Coordinator described in section 3001(c), including expertise related to the categories described in paragraph (2)(A) of such section.
											(2) Website. The HIT Advisory Committee shall develop and maintain an Internet website on which there is posted information that includes the following:
												(A) Established governance rules.
												(B) A business plan.
												(C) Meeting notices at least 14 days prior to each meeting.
												(D) Meeting agendas at least 7 days prior to each meeting.
												(E) Meeting materials at least 3 days prior to each meeting.
										(c) Membership
											(1) Appointments. The HIT Advisory Committee shall be composed of members to be appointed as follows:
												(A) Such members as shall be appointed by the Secretary, from the Department of Health and Human Services as representatives of agencies within the Department, including from the Agency for Healthcare Research and Quality, the Centers for Disease Control and Prevention, the Centers of Medicare & Medicaid Services, the Health Resources and Services Administration, and the Indian Health Service.
												(B) 1 member shall be appointed by the majority leader of the Senate.
												(C) 1 member shall be appointed by the minority leader of the Senate.
												(D) 1 member shall be appointed by the Speaker of the House of Representatives.
												(E) 1 member shall be appointed by the minority leader of the House of Representatives.
												(F) Such other members as shall be appointed by the President as representatives of other relevant Federal agencies, such as the Department of Veterans Affairs, the National Institute of Standards and Technology, and the Department of Defense.
												(G) 12 members shall be appointed by the Comptroller General of the United States of whom—
													(i) 1 member shall be an advocate for patients or consumers;
													(ii) 2 members shall represent health care providers, one of which shall be a physician;
													(iii) 1 member shall be from a labor organization representing health care workers;
													(iv) 1 member shall have expertise in privacy and security;
													(v) 1 member shall have expertise in improving the health of vulnerable populations;
													(vi) 1 member shall be from the health research community;
													(vii) 1 member shall represent health plans or other third-party payers;
													(viii) 1 member shall represent information technology vendors;
													(ix) 1 member shall represent purchasers or employers;
													(x) 1 member shall have expertise in health care quality measurement and reporting; and
													(xi) 1 member shall have expertise in open source health information technology systems.
													In no
				case may the total number of members appointed under subparagraphs (A) and (F)
				exceed 10.
											(2)National
				CoordinatorThe National
				Coordinator shall be a member of the HIT Advisory Committee and act as a
				liaison between the Committee and agencies of the Federal Government.
											(3)Chairperson and
				vice chairpersonThe HIT
				Advisory Committee shall designate 1 member to serve as the chairperson and 1
				member to serve as the vice chairperson of the HIT Advisory Committee, such
				that one is a representative of the public sector and one is a representative
				from the private sector.
											(4)ParticipationThe members of the HIT Advisory Committee
				appointed under paragraph (1) shall represent a balance among various sectors
				of the health care system so that no single sector unduly influences the
				recommendations of such Committee.
											(5)Authorized use
				of task forces and work groupsThe National Coordinator, in consultation
				with the chairperson and vice chairperson of the HIT Advisory Committee, may
				convene task forces or working groups as necessary to carry out the duties of
				the Committee.
											(6)CompensationSubject to the availability of
				appropriations, while serving on the business of the HIT Advisory Committee
				(including traveltime), a member of the Committee who is not a Federal employee
				shall be entitled to compensation at the per diem equivalent of the rate
				provided for level IV of the Executive Schedule under section 5315 of title 5,
				United States Code; and while so serving away from home and the member's
				regular place of business, a member may be allowed travel expenses, as
				authorized by the Chairman of the Committee.
											(7)Terms
												(A)In
				generalThe terms of members
				of the HIT Advisory Committee appointed under paragraph (1) shall be 3 years
				except that the Comptroller General of the United States shall designate
				staggered terms for the members first appointed under paragraph (1)(G).
												(B)VacanciesAny member appointed to fill a vacancy in
				the membership of the HIT Advisory Committee that occurs prior to the
				expiration of the term for which the member’s predecessor was appointed shall
				be appointed only for the remainder of that term. A member may serve after the
				expiration of that member’s term until a successor has been appointed. A
				vacancy in the HIT Advisory Committee shall be filled in the manner in which
				the original appointment was made.
												(8)Outside
				involvementThe HIT Advisory
				Committee shall ensure an adequate opportunity for the participation in
				activities of the Committee of outside advisors, including individuals with
				expertise in the development of policies for the electronic exchange and use of
				health information, including in the areas of health information privacy and
				security.
											(9)QuorumTen members of the HIT Advisory Committee
				shall constitute a quorum for purposes of voting, but a lesser number of
				members may meet and hold hearings.
											(d)Application of
				FACAThe Federal Advisory
				Committee Act (5 U.S.C. App.), other than section 14 of such Act,
				shall apply to the HIT Advisory Committee.
										(e)PublicationThe Secretary shall provide for publication
				in the Federal Register and the posting on the Internet website of the Office
				of the National Coordinator for Health Information Technology of all policy
				recommendations made by the HIT Advisory Committee under this section.
										3003.Process for
				adoption of recommended standards and guidance
										(a)In
				general
											(1)StandardsNot later than 9 months after the date of
				receipt of a recommendation under section 3001(c)(2) from the National
				Coordinator for any grouping of standards for purposes of certifying health
				information technology under the certification program under section
				3001(c)(3), the Secretary shall, through a rulemaking process and after
				consideration of public comments, determine whether or not to adopt such
				grouping of standards.
											(2)GuidanceNot
				later than 9 months after the date of receipt of a recommendation under section
				3001(c)(2) from the National Coordinator for any guidance, the Secretary shall,
				through the applicable administrative process that includes public notice in
				the Federal Register and opportunity for public comment, determine whether or
				not to adopt such guidance.
											(b)Initial
				standardsNot later than
				September 30, 2011, the Secretary shall, through a rulemaking process and after
				consideration of public comments, adopt the initial set of standards
				recommended from the National Coordinator pursuant to the second sentence under
				section 3001(c)(2). Such initial set of standards shall include, at a minimum,
				technical standards for de-identifying health information and for immutable
				audit trails.
										(c)PublicationNot later than 30 days after the Secretary
				makes a determination under subsection (a), the Secretary shall provide for
				publication in the Federal Register, and on the Internet website maintained by
				the National Coordinator in accordance with section 3001(c)(9), of such
				determination.
										3004.Application
				and use of adopted standards by Federal agenciesFor requirements relating to the application
				and use by Federal agencies of the standards adopted under section 3003(a), see
				section 111 of the Health-e Information Technology Act of 2008.
									3005.Voluntary
				application and use of adopted standards by private entities
										(a)In
				generalExcept as provided
				under section 112 of the Health-e Information Technology Act of 2008, any
				standard adopted under section 3003(a) shall be voluntary with respect to
				private entities.
										(b)Rule of
				constructionNothing in this
				subtitle shall be construed to require that a private entity that enters into a
				contract with the Federal Government apply or use the standards adopted under
				section 3003(a) with respect to activities not related to the contract. The
				previous sentence shall not affect any other provision of law, such as part C
				of title XI of the Social Security Act, title III of the Health-e Information
				Technology Act of 2008, or regulations promulgated to carry out section 264(c)
				of the Health Insurance Portability and Accountability Act of 1996, that
				requires the application or use of such a standard.
										3006.Health
				Information Technology Resource Center
										(a)Development
											(1)In
				generalThe National Coordinator shall develop a Health
				Information Technology Resource Center to provide technical assistance and
				develop best practices to support and accelerate efforts to adopt, implement,
				and effectively use health information technology that allows for the
				electronic exchange and use of information in compliance with standards and any
				guidance adopted under section 3003(a), including for purposes of each of the
				categories described in such section 3001(c)(2).
											(2)PurposesThe
				purpose of the Center is to—
												(A)provide a forum
				for the exchange of knowledge and experience;
												(B)accelerate the
				transfer of lessons learned from existing public and private sector
				initiatives, including those currently receiving Federal financial
				support;
												(C)assemble, analyze,
				and widely disseminate evidence and experience related to the adoption,
				implementation, and effective use of health information technology that allows
				for the electronic exchange and use of information;
												(D)provide technical assistance for the
				establishment and evaluation of regional and local health information networks
				to facilitate the electronic exchange of information across health care
				settings and improve the quality of health care;
												(E)provide technical
				assistance for the development and dissemination of solutions to barriers to
				the exchange of electronic health information;
												(F)learn about
				effective strategies to adopt and utilize health information technology in
				medically underserved communities;
												(G)conduct other
				activities identified by the States, local or regional health information
				networks, or health care stakeholders as a focus for developing and sharing
				best practices; and
												(H)provide technical
				assistance to promote adoption and utilization of health information technology
				by health care providers, including in medically underserved
				communities.
												(b)Technical
				Assistance Telephone Number or WebsiteThe National Coordinator
				shall establish a toll-free telephone number or Internet website to provide
				health care providers with a single point of contact to—
											(1)learn about
				Federal grants and technical assistance services related to the electronic
				exchange and use of health information;
											(2)learn about
				standards adopted under section 3003(a);
											(3)learn about
				regional and local health information networks for assistance with health
				information technology; and
											(4)disseminate
				additional information determined by the National
				Coordinator.
					102.Transitions
					(a)ONCHITTo the extent consistent with section 3001
			 of the Public Health Service Act, as added by section 101, all functions,
			 personnel, assets, liabilities, and administrative actions applicable to the
			 National Coordinator for Health Information Technology appointed under
			 Executive Order 13335 or the Office of such National Coordinator on the date
			 before the date of the enactment of this Act shall be transferred to the
			 National Coordinator appointed under section 3001(a) of such Act and the Office
			 of such National Coordinator as of the date of the enactment of this
			 Act.
					(b)AHICTo the extent consistent with section 3002
			 of the Public Health Service Act, as added by section 101, all functions,
			 personnel, assets, and liabilities applicable to the American Health
			 Information Community created in response to Executive Order 13335 as of the
			 day before the date of the enactment of this Act shall be transferred to the
			 HIT Advisory Committee, established under section 3002(a) of such Act, as
			 appropriate, as of the date of the enactment of this Act.
					(c)Rules of
			 construction
						(1)ONCHITNothing
			 in section 3001 of the Public Health Service Act, as added by section 101, or
			 subsection (a) shall be construed as requiring the creation of a new entity to
			 the extent that the Office of the National Coordinator for Health Information
			 Technology established pursuant to Executive Order 13335 is consistent with the
			 provisions of such section 3001.
						(2)AHICNothing in section 3002 of the Public
			 Health Service Act, as added by section 101, or subsection (b) shall be
			 construed as requiring the creation of a new entity to the extent that the
			 American Health Information Community created in response to Executive Order
			 13335 is consistent with the provisions of such section 3002.
						Subtitle B—Application and
			 use of adopted health information technology standards; reports
				111.Coordination of
			 Federal activities with adopted standards
					(a)Spending on
			 health information technology systemsAs each agency (as defined in the Executive
			 Order issued on August 22, 2006, relating to promoting quality and efficient
			 health care in Federal government administered or sponsored health care
			 programs) implements, acquires, or upgrades health information technology
			 systems used for the direct exchange of individually identifiable health
			 information between agencies and with non-Federal entities, it shall utilize,
			 where available, health information technology systems and products that meet
			 standards adopted under section 3003(a) of the Public Health Service Act, as
			 added by section 101.
					(b)Federal
			 information collection activitiesWith respect to a standard adopted under
			 section 3003(a) of the Public Health Service Act, as added by section 101, the
			 President shall take measures to ensure that Federal activities involving the
			 broad collection and submission of health information are consistent with such
			 standard within three years after the date of such adoption.
					(c)Application of
			 definitionsThe definitions contained in section 3000 of the
			 Public Health Service Act, as added by section 101, shall apply for purposes of
			 this part.
					112.Application to
			 private entitiesEach agency
			 (as defined in such Executive Order issued on August 22, 2006, relating to
			 promoting quality and efficient health care in Federal government administered
			 or sponsored health care programs) shall require in contracts or agreements
			 with health care providers, health plans, or health insurance issuers that as
			 each provider, plan, or issuer implements, acquires, or upgrades health
			 information technology systems, it shall utilize, where available, health
			 information technology systems and products that meet standards adopted under
			 section 3003(a) of the Public Health Service Act, as added by section
			 101.
				113.Annual
			 reportsNot later than 2 years
			 after the date of the enactment of this Act and annually thereafter, the
			 Secretary of Health and Human Services shall submit to the Committee on
			 Finance, the Committee on Health, Education, Labor, and Pensions and the
			 Committee on Commerce, Science, and Transportation of the Senate and the
			 Committee on Ways and Means, the Committee on Energy and Commerce, and the
			 Committee on Science and Technology of the House of Representatives a report
			 that—
					(1)describes the specific actions that have
			 been taken by the Federal Government and private entities to facilitate the
			 adoption of a nationwide system for the electronic use and exchange of health
			 information, including information from the implementation reports submitted
			 under section 3001(c)(7) of the Public Health Service Act, as added by section
			 101;
					(2)describes barriers
			 to the adoption of such a nationwide system; and
					(3)contains
			 recommendations to achieve full implementation of such a nationwide
			 system.
					Title II—Testing of Health
			 Information Technology
			201.National
			 Institute for Standards and Technology testing
				(a)Pilot testing of
			 standards and implementation specificationsIn coordination with
			 the Office of the National Coordinator of Health Information Technology
			 established under section 3001 of the Public Health Service Act, as added by
			 section 101, with respect to the development of standards under such section,
			 the Director of the National Institute for Standards and Technology shall test
			 such standards in order to assure the efficient implementation and use of such
			 standards.
				(b)Voluntary
			 testing programIn
			 coordination with the Office of the National Coordinator of Health Information
			 Technology established under section 3001 of the Public Health Service Act, as
			 added by section 101, with respect to the development of standards under such
			 section, the Director of the National Institute of Standards and Technology
			 shall support the establishment of a conformance testing infrastructure,
			 including the development of technical test beds. The development of this
			 conformance testing infrastructure may include a program to accredit
			 independent, non-Federal laboratories to perform testing.
				Title III—Incentives for
			 adoption of health information technology
			Subtitle A—Medicare
			 program
				301.Incentives for
			 eligible professionals
					(a)Incentive
			 paymentsSection 1848 of the
			 Social Security Act (42 U.S.C. 1395w–4) is amended by adding at the end the
			 following new subsection:
						
							(o)Incentives for
				adoption and meaningful use of certified health information technology
				system
								(1)Incentive
				payments
									(A)In
				generalSubject to
				subparagraphs (B), (C), and (D), with respect to covered professional services
				furnished by an eligible professional during a reporting period during the
				first calendar year beginning after the date specified under subparagraph
				(B)(iv) (or, if sooner, 2013) or any subsequent year (before 2017), if the
				eligible professional is a meaningful HIT user for the reporting period (as
				determined under paragraph (2)), in addition to the amount otherwise paid under
				this part, there also shall be paid to the eligible professional (or to an
				employer or facility in the cases described in clause (A) of section
				1842(b)(6)) or, in the case of a group practice under paragraph (2)(D), to the
				group practice, from the Federal Supplementary Medical Insurance Trust Fund
				established under section 1841 an amount equal to 75 percent of the Secretary’s
				estimate (based on claims submitted not later than 2 months after the end of
				the reporting period) of the allowed charges under this part for all such
				covered professional services furnished by the eligible professional (or, in
				the case of a group practice under paragraph (2)(D), by the group practice)
				during the reporting period.
									(B)Limitations on
				amounts of incentive payments
										(i)In
				generalIn no case shall the amount of the incentive payment
				provided under this paragraph exceed the applicable amount specified in clause
				(ii) with respect to any eligible professional.
										(ii)AmountSubject
				to clauses (iii) and (iv), the applicable amount specified in this clause is as
				follows:
											(I)For the first
				calendar year beginning after the date specified in clause (iv) or, if sooner,
				for 2013, $15,000.
											(II)For the calendar
				year following the year specified in subclause (I), $12,000.
											(III)For the calendar
				year following the year specified in subclause (II), $8,000.
											(IV)For the calendar
				year following the year specified in subclause (III), $4,000.
											(V)For the calendar
				year following the year specified in subclause (IV), $2,000.
											(iii)Pro-ration for
				partial year professionalsIn the case of an eligible
				professional who is a meaningful HIT user for only a portion of a reporting
				period for reasons such as the professional did not provide services for which
				payment is made under this part for the entire period or the professional
				initiated the use of health information technology during the period, the
				Secretary may pro-rate the applicable amount specified under clause (ii) to
				reflect the portion of the period during which the professional was a
				meaningful HIT user.
										(iv)Date
				specifiedThe date specified
				in this subclause is the date on which the open source health information
				technology system under section 3001(c)(4) of the Public Health Service Act is
				first made publicly available.
										(C)Non-application
				to hospital-based eligible professionals
										(i)In
				generalNo payment may be made under subparagraph (A) in the case
				of hospital-based eligible professionals.
										(ii)Hospital-based
				eligible professionalFor
				purposes of clause (i), the term “hospital-based eligible
				professional” means an eligible professional, such as a pathologist or
				anesthesiologist, who furnishes items and services principally in a hospital
				setting and through the use of the facilities and equipment, including computer
				equipment, of the hospital.
										(D)Form of
				paymentThe payment under this subsection for a reporting period
				may be in the form of a single consolidated payment or in the form of such
				periodic installments as the Secretary may specify.
									(2)Meaningful HIT
				user
									(A)In
				generalFor purposes of
				paragraph (1), an eligible professional shall be treated as a meaningful HIT
				user for a reporting period for a year if the eligible professional
				demonstrates to the satisfaction of the Secretary that the professional is
				meaningfully using a certified health information technology system during the
				reporting period, as demonstrated in accordance with applicable measures
				established under subparagraph (B).
									(B)Measures for
				meaningful useThe Secretary shall establish measures under which
				an eligible professional may demonstrate meaningful use of a certified health
				information technology system for a reporting period. Such measures may
				include—
										(i)self-certification
				of operational use of such a system;
										(ii)the submission (or ability to submit), in a
				form and manner specified by the Secretary, of such information on clinical
				measures and data (that does not include individually identifiable health
				information) from such system that indicates a meaningful utilization of such a
				system during the period; and
										(iii)such other means
				as the Secretary may specify.
										The
				Secretary may establish and apply different measures based on the stage of
				implementation or adoption of the certified health information technology
				system involved.
									(C)Use of part D
				dataNotwithstanding sections 1860D–15(d)(2)(B) and
				1860D–15(f)(2), the Secretary may use data regarding drug claims submitted for
				purposes of section 1860D–15 that are necessary for purposes of subparagraph
				(B)(ii).
									(D)Satisfactory
				measures for group practices
										(i)In
				generalNot later than January 1, 2013, the Secretary shall
				provide for a method of applying the measures established under subparagraph
				(B) or revised under subparagraph (F) to eligible professionals in a group
				practice (as defined by the Secretary).
										(ii)Statistical
				sampling modelIn the case that the Secretary provides for a
				method under clause (i), the method may provide for the use of a statistical
				sampling model to submit data on measures, such as the model used under the
				Physician Group Practice demonstration project under section 1866A.
										(iii)No double
				paymentsPayments for a reporting period to a group practice
				under this paragraph by reason of the method under clause (i) shall be in lieu
				of the payments that would otherwise be made under this paragraph to eligible
				professionals in the group practice for being a meaningful HIT user during such
				period.
										(E)Authority to
				revise measuresThe Secretary may periodically revise the
				measures established under subparagraph (B) with respect to demonstrating
				meaningful use of a certified health information technology system.
									(3)Application
									(A)Physician
				reporting system rulesParagraphs (5), (6), and (8) of subsection
				(k) shall apply for purposes of this subsection in the same manner as they
				apply for purposes of such subsection.
									(B)Coordination
				with other bonus paymentsThe provisions of this subsection shall
				not be taken into account in applying subsections (m) and (u) of section 1833
				and any payment under such subsections shall not be taken into account in
				computing allowable charges under this subsection.
									(C)Limitations on
				reviewThere shall be no
				administrative or judicial review under 1869, section 1878, or otherwise
				of—
										(i)the determination
				of measures applicable to services furnished by eligible professionals under
				this subsection;
										(ii)the determination
				of a meaningful HIT user under paragraph (2)(A), a limitation under paragraph
				(1)(B), and the exception under subsection (a)(7)(B); and
										(iii)the
				determination of any incentive payment under this subsection and the payment
				adjustment under subsection (a)(7)(A).
										(D)Posting on
				websiteThe Secretary shall post on the Internet website of the
				Centers for Medicare & Medicaid Services, in an easily understandable
				format, a list of the names, business addresses, and business phone numbers of
				the eligible professionals (or, in the case of reporting under paragraph
				(2)(D), the group practices) who are meaningful HIT users.
									(4)DefinitionsFor
				purposes of this subsection:
									(A)Certified health
				information technology systemThe term “certified health
				information technology system” means, with respect to an eligible
				professional and a reporting period for a year, a health information technology
				system (as defined in section 3000 of the Public Health Service Act) that has a
				current certification under section 3001(c)(3) of such Act as satisfying all
				interoperability standards, privacy and security standards, and clinical and
				quality functions adopted under section 3003(a) of such Act that are applicable
				to the eligible professional.
									(B)Covered
				professional servicesThe term “covered professional
				services” has the meaning given such term in subsection (k)(3).
									(C)Eligible
				professionalThe term
				“eligible professional” means a physician, as defined in section
				1861(r)(1).
									(D)Reporting
				periodThe term
				“reporting period” means any period, with respect to a calendar
				year, as specified by the
				Secretary.
					(b)Incentive
			 payment adjustmentSection 1848(a) of the Social Security Act (42
			 U.S.C. 1395w–4(a)) is amended by adding at the end the following new
			 paragraph:
						
							(7)Incentives for
				meaningful use of health information technology systems
								(A)Adjustment
									(i)In
				generalSubject to subparagraph (B), with respect to covered
				professional services furnished by an eligible professional during 2016 or any
				subsequent year, if the eligible professional is not a meaningful HIT user for
				a reporting period for the year (as determined under subsection (o)(2)), the
				fee schedule amount for such services furnished by such professional during the
				year (including the fee schedule amount for purposes of determining a payment
				based on such amount) shall be equal to the applicable percent of the fee
				schedule amount that would otherwise apply to such services under this
				subsection (determined after application of paragraph (3) but without regard to
				this paragraph).
									(ii)Applicable
				percentFor purposes of clause (i), the term “applicable
				percent” means—
										(I)for 2016, 99
				percent;
										(II)for 2017, 98.5
				percent;
										(III)for 2018, 98
				percent;
										(IV)for 2019, 97.5
				percent; and
										(V)for 2020 and each
				subsequent year, 97 percent.
										(B)Significant
				hardship exceptionThe Secretary may, on a case-by-case basis,
				exempt an eligible professional from the application of the payment adjustment
				under subparagraph (A) if the Secretary determines, subject to annual renewal,
				that compliance with the requirement for being a meaningful HIT user would
				result in a significant hardship, such as in the case of an eligible
				professional who practices in a rural area without sufficient Internet access.
				In no case may an eligible professional be granted an exemption under this
				subparagraph for more than 5 years.
								(C)Application of
				physician reporting system rulesParagraphs (5), (6), and (8) of
				subsection (k) shall apply for purposes of this paragraph in the same manner as
				they apply for purposes of such subsection.
								(D)Non-application
				to hospital-based eligible professionalsNo payment adjustment
				may be made under subparagraph (A) in the case of hospital-based eligible
				professionals (as defined in subsection (o)(1)(C)(ii)).
								(E)DefinitionsFor
				purposes of this paragraph:
									(i)Covered
				professional servicesThe term “covered professional
				services” has the meaning given such term in subsection (k)(3).
									(ii)Eligible
				professionalThe term “eligible professional” means
				a physician, as defined in section 1861(r)(1).
									(iii)Reporting
				periodThe term “reporting period” means, with respect
				to a year, a period specified by the
				Secretary.
					(c)Conforming
			 amendments to e-prescribing
						(1)Section
			 1848(a)(5)(A)(ii)(III) of the Social Security Act (42 U.S.C.
			 1395w–4(a)(5)(A)(ii)(III)) is amended by striking “and each subsequent
			 year” and inserting “and 2015”.
						(2)Section 1848(m)(2)
			 of the Social Security Act (42 U.S.C. 1395w–4(m)(2)) is amended—
							(A)in subparagraph
			 (A), by striking “For 2009” and inserting “Subject to
			 subparagraph (D), for 2009”; and
							(B)by adding at the
			 end the following new subparagraph:
								
									(D)Limitation with
				respect to health information technology incentive paymentsThe provisions of this paragraph shall not
				apply to an eligible professional (or, in the case of a group practice under
				paragraph (3)(C), to the group practice) if, for the reporting period the
				eligible professional (or group practice) receives an incentive payment under
				subsection (o)(1)(A) with respect to a certified health information system (as
				defined in subsection (o)(4)(A)) that has the capability of electronic
				prescribing.
							(d)GAO study and
			 report
						(1)StudyThe Comptroller General of the United
			 States shall conduct a study to determine the extent to which and manner in
			 which payment incentives (such as under title XVIII or XIX of the Social
			 Security Act) and other funding for purposes of implementing and using health
			 information technology should be made available to health care providers who
			 are receiving minimal or no payment incentives or other funding under this Act,
			 under title XVIII or XIX of the Social Security Act, or otherwise, for such
			 purposes. Such study shall include an examination of—
							(A)the adoption rates
			 of certified health information technology systems by such health care
			 providers;
							(B)the clinical
			 utility of such systems by such health care providers;
							(C)whether the
			 services furnished by such health care providers are appropriate for or would
			 benefit from the use of such systems;
							(D)the extent to
			 which such health care providers work in settings that might otherwise receive
			 an incentive payment or other funding under this Act, title XVIII or XIX of the
			 Social Security Act, or otherwise;
							(E)the potential
			 costs and the potential benefits of making payment incentives and other funding
			 available to such health care providers; and
							(F)any other issues
			 the Comptroller General deems to be appropriate.
							(2)ReportNot later than June 30, 2010, the
			 Comptroller General shall submit to Congress a report on the findings and
			 conclusions of the study conducted under paragraph (1).
						302.Incentives for
			 hospitals
					(a)Incentive
			 paymentSection 1886 of the
			 Social Security Act (42 U.S.C. 1395ww) is amended by adding at the end the
			 following new subsection:
						
							(o)Incentives for
				adoption and meaningful use of certified health information technology
				systems
								(1)In
				generalSubject to the
				succeeding provisions of this subsection, with respect to inpatient hospital
				services furnished by an eligible hospital during the first fiscal year
				beginning after the date specified in paragraph (6) (or, if sooner, fiscal year
				2013) or any subsequent fiscal year (before fiscal year 2017), if the eligible
				hospital is a meaningful HIT user for the fiscal year (as determined under
				paragraph (3)), in addition to the amount otherwise paid under this section,
				there also shall be paid to the eligible hospital, from the Federal Hospital
				Insurance Trust Fund established under section 1817, an amount equal to the
				applicable amount specified in paragraph (2)(A) for such fiscal year.
								(2)Payment
				amount
									(A)In
				generalSubject to subparagraph (F), the applicable amount
				specified in this subparagraph for an eligible hospital for a fiscal year is
				equal to the product of the following:
										(i)Initial
				amountThe sum of—
											(I)the base amount
				specified in subparagraph (B); plus
											(II)the discharge related amount specified in
				subparagraph (C) for a period selected by the Secretary with respect to such
				fiscal year.
											(ii)Medicare
				shareThe Medicare share as
				specified in subparagraph (D) for the hospital for a period selected by the
				Secretary with respect to such fiscal year.
										(iii)Transition
				factorThe transition factor specified in subparagraph (E) for
				the fiscal year.
										(B)Base
				amountThe base amount specified in this subparagraph is
				$1,000,000.
									(C)Discharge
				related amountThe discharge related amount specified in this
				subparagraph for a period shall be determined as the sum of the amount, based
				upon total discharges (regardless of any source of payment) for the period, for
				each discharge up to the 13,800th discharge as follows:
										(i)For the 1150th
				through the 9,200th discharge, $200.
										(ii)For the 9,201st through the 13,800th
				discharge, 50 percent of the amount specified in clause (i).
										(D)Medicare
				shareThe Medicare share specified under this subparagraph for a
				hospital for a period is equal to the fraction—
										(i)the numerator of
				which is the sum (for the period and with respect to the hospital) of—
											(I)the number of inpatient-bed-days (as
				established by the Secretary) which are attributable to individuals with
				respect to whom payment may be made under part A; and
											(II)the number of inpatient-bed-days (as so
				established) which are attributable to individuals who are enrolled under a
				risk-sharing contract with an eligible organization under section 1876 and who
				are entitled to part A or with a Medicare Advantage organization under part C;
				and
											(ii)the denominator
				of which is the product of—
											(I)the total number of
				inpatient-bed-days with respect to the hospital during the period; and
											(II)the total amount
				of the hospital’s charges during the period, not including any charges that are
				attributable to charity care (as such term is used for purposes of hospital
				cost reporting under this title), divided by the total amount of the hospital’s
				charges during the period.
											(E)Transition
				factor specifiedThe transition factor specified in this
				subparagraph is as follows:
										(i)For the first
				fiscal year beginning after the date specified in paragraph (6) (or, if sooner,
				fiscal year 2013), 1.
										(ii)For the fiscal year following the fiscal
				year specified in clause (i), 3/4.
										(iii)For the fiscal year following the fiscal
				year specified in clause (ii), 1/2.
										(iv)For
				the fiscal year following the fiscal year specified in clause (iii),
				1/4.
										(F)Limitations
										(i)Pro-ration for
				partial year hospitalsIn the case of an eligible hospital that
				is a meaningful HIT user for only a portion of a fiscal year for reasons such
				as the hospital did not provide services for which payment is made under this
				section for a portion of the fiscal year or the hospital changed the use of
				health information technology during the fiscal year, the Secretary may
				pro-rate the applicable amount specified under subparagraph (A) to reflect the
				portion of the fiscal year during which the hospital was a meaningful HIT
				user.
										(ii)Form of
				paymentThe payment under this subsection for a fiscal year may
				be in the form of a single consolidated payment or in the form of such periodic
				installments as the Secretary may specify.
										There
				shall be no incentive payment under this subsection, or payment adjustment
				under subsection (b)(3)(B)(ix), for a fiscal year in the case of an eligible
				hospital for which the sum of the inpatient-bed days described in subclauses
				(I) and (II) of subparagraph (D)(i), for a period specified by the Secretary
				with respect to such fiscal year, is an amount that is less than 1,000.
								(3)Meaningful HIT
				user
									(A)In
				generalFor purposes of
				paragraph (1), an eligible hospital shall be treated as a meaningful HIT user
				for a fiscal year if the eligible hospital demonstrates to the satisfaction of
				the Secretary that the hospital is meaningfully using a certified health
				information technology system with respect to such fiscal year, as demonstrated
				in accordance with applicable measures established under subparagraph
				(B).
									(B)Standards for
				meaningful useThe Secretary shall establish measures under which
				an eligible hospital may demonstrate meaningful use of a certified health
				information technology system for a fiscal year. Such measures may
				include—
										(i)self-certification
				of operational use of such a system;
										(ii)the submission
				(or ability to submit), in a form and manner specified by the Secretary (which
				may include the manner used for purposes of subsection (b)(3)(B)(viii)), of
				such information on clinical measures and data (that does not include
				individually identifiable health information) from such system that indicates a
				meaningful utilization of such a system during the year; and
										(iii)such other means
				as the Secretary may specify.
										The
				Secretary may establish and apply different measures based on the stage of
				implementation or adoption of the certified health information technology
				system involved or based on the characteristics (such as size) of the
				hospital.
									(C)Authority to
				revise measuresThe Secretary may periodically revise the
				measures established under subparagraph (B) with respect to demonstrating
				meaningful use of a certified health information technology system.
									(4)Application
									(A)Limitations on
				reviewThere shall be no
				administrative or judicial review under section 1869, section 1878, or otherwise
				of—
										(i)the determination
				of measures applicable to services furnished by eligible hospitals under this
				subsection;
										(ii)the determination
				of a meaningful HIT user under paragraph (3)(A) and the exception under
				subsection (b)(3)(B)(ix)(III); and
										(iii)the
				determination of any incentive payment under this subsection and the payment
				adjustment under subsection (b)(3)(B)(ix).
										(B)Posting on
				websiteThe Secretary shall post on the Internet website of the
				Centers for Medicare & Medicaid Services, in an easily understandable
				format, a list of the names of the eligible hospitals that are meaningful HIT
				users and other relevant data as determined appropriate by the Secretary. The
				Secretary shall ensure that a hospital has the opportunity to review the other
				relevant data that are to be made public with respect to the hospital prior to
				such data being made public.
									(5)Application to
				certain MA hospitalsNotwithstanding section 1851(i)(1), an
				eligible hospital that is under common corporate governance with a qualifying
				MA organization (as defined in section 1853(l)(5)) and that serves individuals
				enrolled under a plan offered by such organization shall be eligible for an
				incentive payment under this subsection in the same manner as an eligible
				hospital that is not under such common corporate governance with a qualifying
				MA organization.
								(6)Date
				specifiedThe date specified in this paragraph is the date on
				which the open source health information technology system under section
				3001(c)(4) of the Public Health Service Act is first made publicly
				available.
								(7)DefinitionsFor
				purposes of this subsection and subsection (b)(3)(B)(ix):
									(A)Certified health
				information technology systemThe term “certified health
				information technology system” means, with respect to an eligible
				hospital and a fiscal year, a health information technology system (as defined
				in section 3000 of the Public Health Service Act) that has a current
				certification under section 3001(c)(3) of such Act as satisfying all
				interoperability standards, privacy and security standards, and clinical and
				quality functions adopted under section 3003(a) of such Act as of a date
				specified by the Secretary with respect to such fiscal year that are applicable
				to the eligible hospital.
									(B)Eligible
				hospitalThe term
				“eligible hospital” means a subsection (d)
				hospital.
									.
					(b)Incentive market
			 basket adjustmentSection
			 1886(b)(3)(B) of the Social Security Act (42 U.S.C. 1395ww(b)(3)(B)) is
			 amended—
						(1)in clause
			 (viii)(I), by inserting “(or, beginning with fiscal year 2016, by
			 one-half)” after “2.0 percentage points”; and
						(2)by adding at the
			 end the following new clause:
							
								(ix)(I)Subject to the third
				sentence of subsection (o)(2)(F), for purposes of clause (i) for fiscal year
				2016 and each subsequent fiscal year, in the case of a subsection (d) hospital
				that is not a meaningful HIT user (as defined in subsection (o)(3)) with
				respect to such fiscal year, one-half of the applicable percentage increase
				otherwise applicable under clause (i) for such fiscal year shall be reduced by
				25 percent for fiscal year 2016, 50 percent for fiscal year 2017, 75 percent
				for fiscal year 2018, and 100 percent for fiscal year 2019 and each subsequent
				fiscal year. Such reduction shall apply only with respect to the fiscal year
				involved and the Secretary shall not take into account such reduction in
				computing the applicable percentage increase under clause (i) for a subsequent
				fiscal year.
									(II)The Secretary may, on a case-by-case basis,
				exempt a subsection (d) hospital from the application of subclause (I) with
				respect to a fiscal year if the Secretary determines, subject to annual
				renewal, that requiring such hospital to be a meaningful HIT user during such
				fiscal year would result in a significant hardship, such as in the case of a
				hospital in a rural area without sufficient Internet access. In no case may a
				hospital be granted an exemption under this subclause for more than 5
				years.
									.
						(c)Conforming
			 amendmentSection 1851(i)(1) of such Act (42 U.S.C.
			 1395w–21(i)(1)) is amended by striking “and 1886(h)(3)(D)” and
			 inserting “1886(h)(3)(D), and 1886(o)(6)”.
					(d)GAO study and
			 report
						(1)StudyThe Comptroller General of the United
			 States shall conduct a study to determine the extent to which and manner in
			 which payment incentives (such as under title XVIII or XIX of the Social
			 Security Act) and other funding for purposes of implementing and using health
			 information technology should be made available to health care settings that
			 are receiving minimal or no payments or other funding under this Act, title
			 XVIII or XIX of the Social Security Act, or otherwise, for such purposes. Such
			 health care settings may include skilled nursing facilities, home health
			 agencies, hospice programs, laboratories, federally qualified health centers,
			 and pediatric hospitals. Such study shall include an examination of—
							(A)the adoption rates
			 of certified health information technology systems at such settings;
							(B)the clinical
			 utility of such systems at such settings;
							(C)whether the
			 services furnished at such settings are appropriate for or would benefit from
			 the use of such systems;
							(D)the potential
			 costs and the potential benefits of providing such settings with incentive
			 payments and other funding for such purposes; and
							(E)any other issues
			 the Comptroller General deems to be appropriate.
							(2)ReportNot later than June 30, 2010, the
			 Comptroller General shall submit to Congress a report on the findings and
			 conclusions of the study conducted under paragraph (1).
						303.Incentives for
			 certain Medicare Advantage plans
					(a)In
			 generalSection 1853 of the
			 Social Security Act (42 U.S.C. 1395w–23) is amended—
						(1)in subsection
			 (a)(1)(A), by striking “and (i)” and inserting “(i), and
			 (l)”; and
						(2)by adding at the
			 end the following new subsections:
							
								(l)Application of
				eligible professional incentives for certain MA organizations To implement
				certified health information technology systems
									(1)In
				generalSubject to paragraphs
				(3) and (4), in the case of a qualifying MA organization, the provisions of
				sections 1848(o) and 1848(a)(7) shall apply with respect to eligible
				professionals described in paragraph (2) of the organization who the
				organization attests under section 1854(a)(1)(A)(iv) to be meaningful HIT users
				under in a similar manner as they apply to eligible professionals in a group
				practice under such sections.
									(2)Eligible
				professionals describedWith
				respect to a qualifying MA organization, eligible professionals described in
				this paragraph are eligible professionals (as defined for purposes of section
				1848(o)) who—
										(A)are employed by
				the organization or are employed by or partners of an entity that, through
				contract with the organization, provides its services predominantly or
				exclusively to enrollees of such organization; and
										(B)furnish, on
				average, at least 20 hours per week of professional services.
										(3)Incentive
				paymentsIn applying section 1848(o) under paragraph (1), instead
				of the additional payment amount under subparagraph (A) of section 1848(o)(1),
				there shall be substituted the maximum amount permitted under such section
				multiplied by the medicare share (as determined by the Secretary). Such
				medicare share for an organization shall be determined in a manner so as to
				result in the same aggregate payments to the organization as would be paid
				under section 1848(o) to the eligible professionals described in paragraph
				(2)(A) for services furnished under part B of this title.
									(4)Payment
				adjustment
										(A)In
				generalIn applying section 1848(a)(7) under paragraph (1),
				instead of the payment adjustment being an applicable percent of the fee
				schedule amount for a year under such section, the payment adjustment under
				paragraph (1) shall be equal to the percent specified in subparagraph (B) for
				such year of the payment amount otherwise provided under this section for the
				year.
										(B)Specified
				percentThe percent specified under this subparagraph for—
											(i)2016 is 99.6
				percent;
											(ii)2017 is 99.2
				percent;
											(iii)2018 is 98.8
				percent; and
											(iv)2019 and each
				subsequent year is 98.4 percent.
											(5)Qualifying MA
				organization definedIn this subsection and subsection (m), the
				term “qualifying MA organization” means an organization that is
				organized as a health maintenance organization (as defined in section
				2791(b)(3) of the Public Health Service Act) that offers one or more MA plans
				under which the physicians furnishing physicians’ services under such a plan
				are predominantly either employees of the organization or are employees or
				partners of an entity that, through contract with the organization, provides
				its services predominantly or exclusively to enrollees of such
				organization.
									(m)Eligible
				hospital incentives for certain MA organizations To implement certified health
				information technology systems
									(1)In
				generalSubject to paragraph
				(3), in the case of a qualifying MA organization (as defined in section
				1853(l)(5)), if, according to the attestation of the organization submitted
				under section 1854(a)(1)(A)(iv) for a year, one or more eligible hospitals (as
				defined in section 1886(o)(7)(B)) that are under common corporate governance
				with such organization and that serve individuals enrolled under a plan offered
				by such organization are not meaningful HIT users (as defined in section
				1886(o)(3)) with respect to a year, the payment amount payable under this
				section for such organization for such year shall be—
										(A)reduced by a
				percent specified by the Secretary for such year; or
										(B)in the case the
				Secretary is not able to specify reductions under subparagraph (A) because of
				insufficient encounter data or other appropriate data, the amount that is equal
				to the percent specified under paragraph (2) of the payment amount otherwise
				provided under this section to the organization for the year.
										Reductions
				specified by the Secretary under subparagraph (A) shall be determined in a
				manner so as to result in the same aggregate reductions to the organization as
				would be applied under section 1886(b)(3)(B)(ix) to all such eligible hospitals
				under common corporate governance with such organization if payment for
				inpatient services furnished by such hospitals was payable under part A instead
				of this part.
									(2)Alternative
				percent specifiedThe percent specified under this paragraph
				for—
										(A)2016 is 99.95
				percent;
										(B)2017 is 99.90
				percent;
										(C)2018 is 99.85
				percent; and
										(D)2019 and each
				subsequent year is 99.80 percent.
										(3)LimitationIn
				no case may the application of subsection (l) and this subsection with respect
				to a year result in a payment amount payable under this section for a
				qualifying MA organization for the year that is less than the amount that is
				equal to the percent specified under paragraph (4) of the payment amount that
				would otherwise be provided under this section to the organization for the year
				without regard to subsection (l) and this subsection.
									(4)Specified
				percentThe percent specified under this paragraph for—
										(A)2016 is 99
				percent;
										(B)2017 is 98
				percent;
										(C)2018 is 97
				percent; and
										(D)2019 and each
				subsequent year is 96
				percent.
										.
						(b)Meaningful HIT
			 user attestation with bidsSection 1854(a)(1)(A) of the Social
			 Security Act (42 U.S.C. 1395w–24(a)(1)(A)) is amended by adding at the end the
			 following new clause:
						
							(iv)An attestation identifying whether each
				eligible professional described in section 1853(l)(2) with respect to such
				organization is a meaningful HIT user (as defined in section 1848(o)(3)) for
				the year and whether each eligible hospital described in section 1853(m)(1),
				with respect to such organization, is a meaningful HIT user (as defined in
				section 1886(o)(3)) for the
				year.
							.
					(c)HIT incentive
			 payments exempt from benchmark determinationsSection 1853(c) of the Social Security Act
			 (42 U.S.C. 1395w–23(c)) is amended—
						(1)in paragraph
			 (1)(D)(i), by striking “section 1886(h)” and inserting
			 “sections 1848(o), 1886(h), and 1886(o)”; and
						(2)in
			 paragraph (6)(A), by inserting after “under part B,” the
			 following: “excluding expenditures attributable to sections 1848(o) and
			 1886(o)”.
						(d)Conforming
			 amendmentSection 1853(f) of
			 such Act (42 U.S.C. 1395w–23(f)) is amended by inserting “and for
			 payments under subsection (l)” after “with the
			 organization”.
					BOther incentives
			 for the Implementation and Use of Health Information Technology
				311.Grant, loan,
			 and demonstration programsTitle XXX of the Public Health Service Act,
			 as added by section 101, is amended by adding at the end the following new
			 subtitle:
					
						BIncentives for the
				Use of Health Information Technology
							3011.Grants and
				loans to facilitate the widespread adoption of qualified health information
				technology
								(a)Competitive
				grants To facilitate the widespread adoption of health information
				technology
									(1)In
				generalThe National Coordinator may award competitive grants to
				eligible entities to purchase qualified health information technology.
									(2)Qualified health
				information technologyFor
				purposes of this section, the term “qualified health information
				technology” means health information technology that consists of
				hardware, software, or the provision of support services and that—
										(A)enables the protection of health
				information, in accordance with applicable law;
										(B)is (or is necessary for the operation of)
				an electronic health records system, including the provision of decision
				support and physician order entry for medications;
										(C)has the ability to
				allow timely and permissible access to patient information and to transmit and
				exchange health information among providers, patients, or insurers; and
										(D)is certified under
				the program developed under section 3001(c)(3) to be in compliance with any
				applicable standards adopted under section 3003(a).
										(3)EligibilityTo be eligible to receive a grant under
				paragraph (1) an entity shall—
										(A)submit to the National Coordinator an
				application at such time and in such manner as the National Coordinator may
				require, and containing—
											(i)a
				plan on how the entity intends to maintain and support the qualified health
				information technology that would be purchased with amounts under such grant,
				including the type of resources expected to be involved; and
											(ii)such other
				information as the National Coordinator may require;
											(B)submit to the
				National Coordinator a plan for how qualified health information technology
				purchased by the entity will result in the electronic exchange and use of
				health information;
										(C)be—
											(i)a
				not for profit hospital or a Federally qualified health center (as defined in
				section 1861(aa)(4) of the Social Security
				Act);
											(ii)an individual or
				group practice; or
											(iii)another health
				care provider, such as a rural health clinic, not described in clause (i) or
				(ii);
											(D)demonstrate
				significant financial need;
										(E)agree to notify individuals in accordance
				with section 402 of the Health-e Information Technology Act of 2008 (relating
				to notifications in the case of breaches);
										(F)provide matching
				funds in accordance with paragraph (5);
										(G)consult with the Health Information
				Technology Resource Center established under section 3006 to access the
				knowledge and experience of existing initiatives regarding the successful
				implementation and effective use of health information technology; and
										(H)link, to the extent practicable, to one or
				more local or regional health information plans.
										(4)Use of
				fundsAmounts received under a grant under this subsection shall
				be used to facilitate the purchase of qualified health information
				technology.
									(5)Matching
				requirementTo be eligible for a grant under this subsection an
				entity shall contribute non-Federal contributions to the costs of carrying out
				the activities for which the grant is awarded in an amount equal to $1 for each
				$3 of Federal funds provided under the grant.
									(6)Preference in
				awarding grants
										(A)In
				generalIn awarding grants under this subsection the National
				Coordinator shall give preference to the following eligible entities:
											(i)Small health care
				providers.
											(ii)Entities that are located in rural and
				other areas that serve uninsured, underinsured, and medically underserved
				individuals (regardless of whether such area is urban or rural).
											(iii)Nonprofit health
				care providers.
											(iv)Health care
				providers (such as children’s hospitals, pediatricians,
				obstetrician-gynecologists, and hospitals that serve uninsured, underinsured,
				and medically underserved individuals and that have limited Medicare patient
				loads) that have not received any funds, or have received a minimal amount of
				funds, under sections 1848(o) and 1886(o) of the Social Security Act.
											(B)ConsiderationIn awarding grants to entities under this
				subsection, the National Coordinator shall take into account the amount of
				funds provided to such entities under other laws, including under sections
				1848(o) and 1886(o) of the Social Security Act.
										(7)Additional
				sources of funding for health information technologyFunding made
				available under this subsection is in addition to funding which may be used
				toward the acquisition and utilization of health information technology under
				other law, which includes the following:
										(A)Medicaid
				transformation grants under section 1903(z) of the Social Security Act.
										(B)Grants or funding
				available through the Agency for Healthcare Research and Quality.
										(C)Grants or funding
				that may be available through the Health Resources and Services Administration
				for investment in health information technologies or telehealth.
										(D)Grants or funding
				that may be available through the Department of Agriculture’s Rural Development
				Telecommunications Program for investment in telemedicine.
										(E)Sections 1848(o)
				and 1886(o) of the Social Security Act.
										(b)Competitive
				Grants to States and Indian tribes for the Development of Loan Programs To
				Facilitate the Widespread Adoption of qualified Health Information
				Technology
									(1)In
				generalThe National
				Coordinator may award competitive grants to eligible entities for the
				establishment of programs for loans to health care providers to purchase
				qualified health information technology.
									(2)Eligible entity
				definedFor purposes of this
				subsection, the term “eligible entity” means a State or Indian tribe
				(as defined in the Indian Self-Determination and Education Assistance Act)
				that—
										(A)submits to the
				National Coordinator an application at such time, in such manner, and
				containing such information as the National Coordinator may require;
										(B)submits to the
				National Coordinator a strategic plan in accordance with paragraph (4) and
				provides to the National Coordinator assurances that the entity will update
				such plan annually in accordance with such paragraph;
										(C)provides
				assurances to the National Coordinator that the entity will establish a Loan
				Fund in accordance with paragraph (3);
										(D)provides
				assurances to the National Coordinator that the entity will not provide a loan
				from the Loan Fund to a health care provider unless the provider meets each of
				the conditions described in paragraph (5); and
										(E)agrees to provide
				matching funds in accordance with paragraph (9).
										(3)Establishment of
				fundFor purposes of paragraph (2)(C), an eligible entity shall
				establish a qualified health information technology loan fund (referred to in
				this subsection as a “Loan Fund”) and comply with the other
				requirements contained in this section. A grant to an eligible entity under
				this subsection shall be deposited in the Loan Fund established by the eligible
				entity. No funds authorized by other provisions of this subtitle to be used for
				other purposes specified in this subtitle shall be deposited in any Loan
				Fund.
									(4)Strategic
				plan
										(A)In
				generalFor purposes of paragraph (2)(B), a strategic plan of an
				eligible entity under this paragraph shall identify the intended uses of
				amounts available to the Loan Fund of such entity.
										(B)ContentsA
				strategic plan under subparagraph (A), with respect to a Loan Fund of an
				eligible entity, shall include for a year the following:
											(i)A
				list of the projects to be assisted through the Loan Fund during such
				year.
											(ii)A
				description of the criteria and methods established for the distribution of
				funds from the Loan Fund during the year.
											(iii)A description of
				the financial status of the Loan Fund as of the date of submission of the
				plan.
											(iv)The short-term
				and long-term goals of the Loan Fund.
											(5)Health care
				provider conditions for receipt of loansFor purposes of
				paragraph (2)(D), the conditions described in this paragraph, with respect to a
				health care provider that seeks a loan from a Loan Fund established under this
				subsection, are the following:
										(A)The health care
				provider links, to the extent practicable, to one or more local or regional
				health information networks.
										(B)The health care
				provider consults with the Health Information Technology Resource Center
				established under section 3006 to access the knowledge and experience of
				existing initiatives regarding the successful implementation and effective use
				of health information technology.
										(C)The health care provider agrees to notify
				individuals in accordance with section 402 of the Health-e Information
				Technology Act of 2008 (relating to notifications in the case of
				breaches).
										(D)The health care provider submits to the
				State or Indian tribe involved a plan on how the health care provider intends
				to maintain and support the qualified health information technology that would
				be purchased with such loan, including the type of resources expected to be
				involved and any such other information as the State or Indian Tribe,
				respectively, may require.
										(6)Use of
				funds
										(A)In
				generalAmounts deposited in a Loan Fund, including loan
				repayments and interest earned on such amounts, shall be used only for awarding
				loans or loan guarantees, making reimbursements described in paragraph
				(8)(D)(I), or as a source of reserve and security for leveraged loans, the
				proceeds of which are deposited in the Loan Fund established under paragraph
				(1). Loans under this section may be used by a health care provider to purchase
				qualified health information technology.
										(B)LimitationAmounts
				received by an eligible entity under this subsection may not be used—
											(i)for the purchase
				or other acquisition of any health information technology system that is not a
				qualified health information technology; or
											(ii)to conduct
				activities for which Federal funds are expended under this title.
											(7)Types of assistance. Except as otherwise limited by applicable State law,
				amounts deposited into a Loan Fund under this subsection may only be used for
				the following:
										(A)To award loans
				that comply with the following:
											(i)The interest rate
				for each loan shall not exceed the market interest rate.
											(ii)The principal and
				interest payments on each loan shall commence not later than 1 year after the
				date the loan was awarded, and each loan shall be fully amortized not later
				than 10 years after the date of the loan.
											(iii)The Loan Fund
				shall be credited with all payments of principal and interest on each loan
				awarded from the Loan Fund.
											(B)To guarantee, or
				purchase insurance for, a local obligation (all of the proceeds of which
				finance a project eligible for assistance under this subsection) if the
				guarantee or purchase would improve credit market access or reduce the interest
				rate applicable to the obligation involved.
										(C)As a source of
				revenue or security for the payment of principal and interest on revenue or
				general obligation bonds issued by the eligible entity if the proceeds of the
				sale of the bonds will be deposited into the Loan Fund.
										(D)To earn interest
				on the amounts deposited into the Loan Fund.
										(E)To make
				reimbursements described in paragraph (8)(D)(I).
										(8)Administration
				of Loan Funds
										(A)Combined financial administration. An eligible entity may (as a convenience
				and to avoid unnecessary administrative costs) combine, in accordance with
				applicable State law, the financial administration of a Loan Fund established
				under this subsection with the financial administration of any other revolving
				fund established by the entity if otherwise not prohibited by the law under
				which the Loan Fund was established.
										(B)Cost of administering fund. Each eligible entity may annually use not to
				exceed 4 percent of the funds provided to the entity under a grant under this
				subsection to pay the reasonable costs of the administration of the programs
				under this section, including the recovery of reasonable costs expended to
				establish a Loan Fund which are incurred after the date of the enactment of
				this title.
										(C)Guidance and regulations. The National Coordinator shall publish guidance and
				promulgate regulations as may be necessary to carry out the provisions of this
				subsection, including—
											(i)provisions to
				ensure that each eligible entity commits and expends funds allotted to the
				entity under this subsection as efficiently as possible in accordance with this
				title and applicable State laws; and
											(ii)guidance to
				prevent waste, fraud, and abuse.
											(D)Private sector
				contributions
											(i)In general. A Loan Fund established under this subsection may accept
				contributions from private sector entities, except that such entities may not
				specify the recipient or recipients of any loan issued under this subsection.
				An eligible entity may agree to reimburse a private sector entity for any
				contribution made under this subparagraph, except that the amount of such
				reimbursement may not be greater than the principal amount of the contribution
				made.
											(ii)Availability of information. An eligible entity shall make publicly available the
				identity of, and amount contributed by, any private sector entity under clause
				(i) and may issue letters of commendation or make other awards (that have no
				financial value) to any such entity.
											(9)Matching
				requirements
										(A)In general. The National Coordinator may not make a grant under
				paragraph (1) to an eligible entity unless the entity agrees to make available
				(directly or through donations from public or private entities) non-Federal
				contributions in cash to the costs of carrying out the activities for which the
				grant is awarded in an amount equal to not less than $1 for each $1 of Federal
				funds provided under the grant.
										(B)Determination of amount of non-federal contribution. In determining the amount of
				non-Federal contributions that an eligible entity has provided pursuant to
				subparagraph (A), the National Coordinator may not include any amounts provided
				to the entity by the Federal Government.
										(10)Reports. The
				National Coordinator shall annually submit to the Committee on Health,
				Education, Labor, and Pensions and the Committee on Finance of the Senate, and
				the Committees on Energy and Commerce and Ways and Means of the House of
				Representatives, a report summarizing the reports received by the National
				Coordinator from each eligible entity that receives a grant under this
				subsection.
									(c)Competitive
				Grants for the Implementation of Regional or Local Health Information
				Technology Plans
									(1)In general. The National Coordinator may award competitive grants to
				eligible entities to implement regional or local health information plans to
				improve health care quality and efficiency through the electronic exchange and
				use of health information.
									(2)Eligibility. To
				be eligible to receive a grant under paragraph (1) an entity shall—
										(A)facilitate the
				electronic exchange and use of health information within the local or regional
				area and among local and regional areas;
										(B)demonstrate
				financial need to the National Coordinator;
										(C)demonstrate that
				one of its principal missions or purposes is to use information technology to
				improve health care quality and efficiency;
										(D)adopt bylaws,
				memoranda of understanding, or other charter documents that demonstrate that
				the governance structure and decisionmaking processes of such entity allow for
				participation on an ongoing basis by multiple stakeholders within a community,
				including—
											(i)physicians (as
				defined in section 1861(r) of the Social
				Security Act), including physicians that provide services to low
				income populations and populations that are uninsured, underinsured, and
				medically underserved (including such populations in urban and rural
				areas);
											(ii)other health care
				providers, such as hospitals that serve uninsured, underinsured, and medically
				underserved individuals;
											(iii)patient or
				consumer organizations that reflect the population to be served;
											(iv)employers;
											(v)public health
				agencies; and
											(vi)such other
				entities, as determined appropriate by the National Coordinator;
											(E)demonstrate the
				participation, to the extent practicable, of stakeholders in the electronic
				exchange and use of health information within the local or regional health
				information plan pursuant to subparagraph (D);
										(F)adopt
				nondiscrimination and conflict of interest policies that demonstrate a
				commitment to open, fair, and nondiscriminatory participation in the regional
				or local health information plan by all stakeholders;
										(G)comply with applicable standards adopted
				under section 3003(a);
										(H)prepare and submit
				to the National Coordinator an application in accordance with paragraph (3);
				and
										(I)agree to provide
				matching funds in accordance with paragraph (6).
										(3)Application
										(A)In general. To be eligible to receive a grant under paragraph (1), an
				entity shall submit to the National Coordinator an application at such time, in
				such manner, and containing such information (in addition to information
				required under subparagraph (B)), as the National Coordinator may
				require.
										(B)Required information. At a minimum, an application submitted under this
				paragraph shall include—
											(i)clearly identified
				short-term and long-term objectives of the regional or local health information
				plan;
											(ii)an estimate of costs of the hardware,
				software, training, and other services necessary to implement the regional or
				local health information plan;
											(iii)a strategy that
				includes initiatives to improve health care quality and efficiency;
											(iv)a
				plan that describes provisions to encourage the electronic exchange and use of
				health information by all physicians, including single physician practices and
				small physician groups, participating in the health information plan;
											(v)a
				plan to ensure the privacy and security of individually identifiable health
				information that is consistent with applicable Federal and State law;
											(vi)a
				governance plan that defines the manner in which the stakeholders shall jointly
				make policy and operational decisions on an ongoing basis;
											(vii)a financial or
				business plan that describes—
												(I)the sustainability
				of the plan;
												(II)the financial
				costs and benefits of the plan; and
												(III)the entities to
				which such costs and benefits will accrue;
												(viii)a plan on how the entity involved intends
				to maintain and support the regional or local health information plan,
				including the type of resources expected to be involved; and
											(ix)in the case of an
				applicant that is unable to demonstrate the participation of all stakeholders
				pursuant to paragraph (2)(D), the justification from the entity for any such
				nonparticipation.
											(4)Use of funds. Amounts received under a grant under paragraph (1) shall be
				used to establish and implement a regional or local health information plan in
				accordance with this subsection.
									(5)Preference. In awarding grants under paragraph (1), the
				Secretary shall give preference to eligible entities that intend to use amounts
				received under a grant to establish or implement a regional or local health
				information plan that encompasses communities with health disparities or areas
				that serve uninsured, underinsured, and medically underserved individuals
				(including urban and rural areas).
									(6)Matching
				requirement
										(A)In general. The National Coordinator may not make a grant under this
				subsection to an entity unless the entity agrees that, with respect to the
				costs of carrying out the activities for which the grant is awarded, the entity
				will make available (directly or through donations from public or private
				entities) non-Federal contributions toward such costs in an amount equal to not
				less than 50 percent of such costs ($1 for each $2 of Federal funds provided
				under the grant).
										(B)Determination of amount contributed. Non-Federal contributions required under
				subparagraph (A) may be in cash or in kind, fairly evaluated, including
				equipment, technology, or services. Amounts provided by the Federal Government,
				or services assisted or subsidized to any significant extent by the Federal
				Government, may not be included in determining the amount of such non-Federal
				contributions.
										(d)Reports. Not
				later than 1 year after the date on which the first grant is awarded under this
				section, and annually thereafter during the grant period, an entity that
				receives a grant under this section shall submit to the National Coordinator a
				report on the activities carried out under the grant involved. Each such report
				shall include—
									(1)a description of
				the financial costs and benefits of the project involved and of the entities to
				which such costs and benefits accrue;
									(2)an analysis of the
				impact of the project on health care quality and safety;
									(3)a description of
				any reduction in duplicative or unnecessary care as a result of the project
				involved;
									(4)a description of
				the efforts of recipients under this section to facilitate secure patient
				access to health information;
									(5)an analysis of the
				effectiveness of the project involved on ensuring the privacy and security of
				individually identifiable health information in accordance with applicable
				Federal and State law; and
									(6)other information
				as required by the National Coordinator.
									(e)Requirement To improve quality of care and decrease in costs. The National
				Coordinator shall annually evaluate the activities conducted under this section
				and shall, in awarding grants, implement the lessons learned from such
				evaluation in a manner so that awards made subsequent to each such evaluation
				are made in a manner that, in the determination of the National Coordinator,
				will result in the greatest improvement in quality of care and decrease in
				costs.
								(f)Limitation. An
				eligible entity may only receive one non-renewable grant under subsection (a),
				one non-renewable grant under subsection (b), and one non-renewable grant under
				subsection (c).
								(g)Small health care provider. For purposes of this section, the term
				“small health care provider” means a health care provider that has an average of
				10 or fewer full-time equivalent employees during the period involved.
								(h)Authorization of
				Appropriations
									(1)In general. For the purpose of carrying out subsections (a) through
				(d), there is authorized to be appropriated $115,000,000 for each of the fiscal
				years 2009 through 2013.
									(2)Availability. Amounts
				appropriated under paragraph (1) shall remain available through fiscal year
				2013.
									3012.Demonstration
				program to integrate information technology into clinical education
								(a)In General. The Secretary may award grants under this section to
				carry out demonstration projects to develop academic curricula integrating
				qualified health information technology in the clinical education of health
				professionals. Such awards shall be made on a competitive basis and pursuant to
				peer review.
								(b)Eligibility. To
				be eligible to receive a grant under subsection (a), an entity shall—
									(1)submit to the
				Secretary an application at such time, in such manner, and containing such
				information as the Secretary may require;
									(2)submit to the
				Secretary a strategic plan for integrating qualified health information
				technology in the clinical education of health professionals to reduce medical
				errors and enhance health care quality;
									(3)be—
										(A)a school of medicine, osteopathic medicine,
				dentistry, or pharmacy, a graduate program in behavioral or mental health, or
				any other graduate health professions school;
										(B)a graduate school
				of nursing or physician assistant studies;
										(C)a consortium of
				two or more schools described in subparagraph (A) or (B); or
										(D)an institution
				with a graduate medical education program in medicine, osteopathic medicine,
				dentistry, pharmacy, nursing, or physician assistance studies;
										(4)provide for the
				collection of data regarding the effectiveness of the demonstration project to
				be funded under the grant in improving the safety of patients, the efficiency
				of health care delivery, and in increasing the likelihood that graduates of the
				grantee will adopt and incorporate qualified health information technology, in
				the delivery of health care services; and
									(5)provide matching
				funds in accordance with subsection (d).
									(c)Use of
				Funds
									(1)In general. With respect to a grant under subsection (a), an eligible
				entity shall—
										(A)use grant funds in
				collaboration with 2 or more disciplines; and
										(B)use grant funds to
				integrate qualified health information technology into community-based clinical
				education.
										(2)Limitation. An
				eligible entity shall not use amounts received under a grant under subsection
				(a) to purchase hardware, software, or services.
									(d)Matching
				Funds
									(1)In general. The Secretary may award a grant to an entity under this
				section only if the entity agrees to make available non-Federal contributions
				toward the costs of the program to be funded under the grant in an amount that
				is not less than $1 for each $2 of Federal funds provided under the
				grant.
									(2)Determination of amount contributed. Non-Federal contributions under paragraph (1)
				may be in cash or in kind, fairly evaluated, including equipment or services.
				Amounts provided by the Federal Government, or services assisted or subsidized
				to any significant extent by the Federal Government, may not be included in
				determining the amount of such contributions.
									(e)Evaluation. The
				Secretary shall take such action as may be necessary to evaluate the projects
				funded under this section and publish, make available, and disseminate the
				results of such evaluations on as wide a basis as is practicable.
								(f)Reports. Not
				later than 1 year after the date of enactment of this title, and annually
				thereafter, the Secretary shall submit to the Committee on Health, Education,
				Labor, and Pensions and the Committee on Finance of the Senate, and the
				Committees on Energy and Commerce and Ways and Means of the House of
				Representatives a report that—
									(1)describes the
				specific projects established under this section; and
									(2)contains
				recommendations for Congress based on the evaluation conducted under subsection
				(e).
									(g)Authorization of Appropriations. There is authorized to be appropriated to carry
				out this section, $10,000,000 for each of fiscal years 2009 through
				2011.
								(h)Sunset. This
				section shall not apply after September 30,
				2011.
								.
				Title IV—Privacy and security provisions
			400.Definitions. In this title, except as specified
			 otherwise:
				(1)Breach. The term “breach” means the
			 unauthorized acquisition, access, or disclosure of protected health information
			 which compromises the security, privacy, or integrity of protected health
			 information maintained by or on behalf of a person. Such term does not include
			 any unintentional acquisition or access of such information by an employee or
			 agent of the covered entity or business associate involved if such acquisition
			 or access, respectively, was made in good faith and within the course and scope
			 of the employment or other contractual relationship of such employee or agent,
			 respectively, with the covered entity or business associate and if such
			 information is not further acquired, accessed, or disclosed by such employee or
			 agent.
				(2)Business associate. The term
			 “business associate” has the meaning given such term in section
			 160.103 of title 45, Code of Federal Regulations.
				(3)Covered entity. The term
			 “covered entity” has the meaning given such term in section 160.103 of title 45,
			 Code of Federal Regulations.
				(4)Disclose. The
			 terms “disclose” and “disclosure” have the meaning given
			 the term “disclosure” in section 160.103 of title 45, Code of
			 Federal Regulations.
				(5)Electronic health record. The term
			 “electronic health record” means an electronic record of
			 health-related information on an individual that is created, gathered, managed,
			 and consulted by authorized health care clinicians and staff of one or more
			 organizations, that conforms to standards adopted under section 3003(a) of the
			 Public Health Service Act, as added by section 101, and is made accessible
			 electronically to other health care organizations and other authorized
			 users.
				(6)Electronic medical record. The term “electronic medical record”
			 means an electronic record of individually identifiable health information on
			 an individual that is created, gathered, managed, and consulted by authorized
			 health care clinicians and staff within a single organization.
				(7)Health care operations. The term
			 “health care operation” has the meaning given such term in section
			 164.501 of title 45, Code of Federal Regulations.
				(8)Health care provider. The term “health care provider” has the
			 meaning given such term in section 160.103 of title 45, Code of Federal
			 Regulations.
				(9)Health plan. The term “health plan” has the meaning given such
			 term in section 1171(5) of the Social Security Act, as amended by section
			 415.
				(10)National Coordinator. The term “National Coordinator” means
			 the head of the Office of the National Coordinator for Health Information
			 Technology established under section 3001(a) of the Public Health Service Act,
			 as added by section 101.
				(11)Payment. The
			 term “payment” has the meaning given such term in section 164.501
			 of title 45, Code of Federal Regulations.
				(12)Personal health record. The term
			 “personal health record” means an electronic record of individually
			 identifiable health information on an individual that can be drawn from
			 multiple sources and that is managed, shared, and controlled by or for the
			 individual.
				(13)Protected health information. The term
			 “protected health information” has the meaning given such term in
			 section 160.103 of title 45, Code of Federal Regulations.
				(14)Secretary. The
			 term “Secretary” means the Secretary of Health and Human
			 Services.
				(15)Security. The
			 term “security” has the meaning given such term in section 164.304
			 of title 45, Code of Federal Regulations.
				(16)State. The
			 term “State” means each of the several States, the District of
			 Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the
			 Northern Mariana Islands.
				(17)Treatment. The
			 term “treatment” has the meaning given such term in section
			 164.501 of title 45, Code of Federal Regulations.
				(18)Use. The
			 term “use” has the meaning given such term in section 160.103 of
			 title 45, Code of Federal Regulations.
				(19)Vendor of personal health records. The term “vendor of personal health
			 records” means an entity that offers or maintains a personal health
			 record. Such term does not include an entity that is a covered entity for
			 purposes of offering or maintaining such personal health record.
				Subtitle A—Improved privacy provisions and security provisions
				401.Application of
			 security provisions and penalties to business associates of covered entities;
			 annual guidance on privacy and security provisions
					(a)Application of security provisions. Sections
			 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal
			 Regulations, and any applicable security standards adopted by the Secretary
			 under section 3003(a) of the Public Health Service Act, as added by section
			 101, shall apply to a business associate of a covered entity in the same manner
			 that such sections and standards, respectively, apply to the covered
			 entity.
					(b)Application of civil and criminal penalties. Sections 1176 and 1177 of the Social
			 Security Act (42 U.S.C. 1320d–5, 1320d–6) shall apply to a business associate
			 of a covered entity with respect to a section applied under subsection (a) to
			 such business associate in the same manner that such sections apply to a
			 covered entity with respect to such section.
					(c)Annual guidance. Not later than 12
			 months after the date of the enactment of this Act and annually thereafter, the
			 Secretary of Health and Human Services shall, in consultation with industry
			 stakeholders, annually issue guidance on the latest privacy and security
			 safeguard technologies for use in carrying out the sections described in
			 subsection (a).
					402.Notification in the
			 case of breach
					(a)In general. A covered entity that accesses, maintains, retains,
			 modifies, records, stores, destroys, or otherwise holds, uses, or discloses
			 unsecured protected health information (as defined in subsection (h)(1)) shall,
			 in the case of a breach of such information that is discovered by the covered
			 entity, notify each individual whose unsecured protected health information has
			 been, or is reasonably believed by the covered entity to have been, accessed,
			 acquired, or disclosed as a result of such breach.
					(b)Notification of covered entity by business associate. A business associate of a
			 covered entity that accesses, maintains, retains, modifies, records, stores,
			 destroys, or otherwise holds, uses, or discloses unsecured protected health
			 information shall, following the discovery of a breach of such information,
			 notify the covered entity of such breach. Such notice shall include the
			 identification of each individual whose unsecured protected health information
			 has been, or is reasonably believed by the business associate to have been,
			 accessed, acquired, or disclosed during such breach.
					(c)Breaches treated as discovered. For purposes of this section, a breach shall be
			 treated as discovered by a covered entity or by a business associate as of the
			 first day on which such breach is known to such entity or associate,
			 respectively, (including any person that is an employee, officer, or other
			 agent of such entity or associate, respectively) or should reasonably have been
			 known to such entity or associate (or person) to have occurred.
					(d)Timeliness of
			 notification
						(1)In general. Subject to subsection (g), all notifications required
			 under this section shall be made without unreasonable delay and in no case
			 later than 60 calendar days after the discovery of a breach by the covered
			 entity involved (or business associate involved in the case of a notification
			 required under subsection (b)).
						(2)Burden of proof. The covered entity involved (or business associate involved
			 in the case of a notification required under subsection (b)), shall have the
			 burden of demonstrating that all notifications were made as required under this
			 subtitle, including evidence demonstrating the necessity of any delay.
						(e)Methods of
			 notice
						(1)Individual notice. Notice required under
			 this section to be provided to an individual, with respect to a breach, shall
			 be provided promptly and in the following form:
							(A)Written
			 notification by first-class mail to the individual (or the next of kin of the
			 individual if the individual is deceased) at the last known address of the
			 individual or the next of kin, respectively, or, if specified as a preference
			 by the individual, by electronic mail. The notification may be provided in one
			 or more mailings as information is available.
							(B)In the case in
			 which there is insufficient, or out-of-date contact information that precludes
			 direct written (or, if specified by the individual under subparagraph (A),
			 electronic) notification to the individual, a substitute form of notice shall
			 be provided, including a conspicuous posting on the home page of the Web site
			 of the covered entity involved or notice in major print or broadcast media,
			 including major media in geographic areas where the individuals affected by the
			 breach likely reside. Such a notice in media will include a toll-free phone
			 number where an individual can learn whether or not the individual’s unsecured
			 protected health information is possibly included in the breach.
							(C)In any case deemed
			 by the covered entity involved to require urgency because of possible imminent
			 misuse of unsecured protected health information, the covered entity, in
			 addition to notice provided under subparagraph (A), may provide information to
			 individuals by telephone or other means, as appropriate.
							(2)Media notice. Notice shall be provided to prominent media outlets
			 serving a State or jurisdiction, following the discovery of a breach described
			 in subsection (a), if the unsecured protected health information of more than
			 500 residents of such State or jurisdiction is, or is reasonably believed to
			 have been, accessed, acquired, or disclosed during such breach.
						(3)Notice to Secretary. Notice shall be
			 provided to the Secretary by covered entities of unsecured protected health
			 information that has been acquired or disclosed in a breach.
						(4)Posting on HHS public website. The Secretary
			 shall make available to the public on the Internet website of the Department of
			 Health and Human Services a list that identifies each covered entity involved
			 in a breach described in subsection (a) in which the unsecured protected health
			 information of more than 1,000 individuals is acquired or disclosed.
						(f)Content of notification. Regardless of the method by which notice is provided
			 to individuals under this section, notice of a breach shall include, to the
			 extent possible, the following:
						(1)A brief description of what happened,
			 including the date of the breach and the date of the discovery of the breach,
			 if known.
						(2)A
			 description of the types of unsecured protected health information that were
			 involved in the breach (such as full name, Social Security number, date of
			 birth, home address, account number, or disability code).
						(3)The steps
			 individuals should take to protect themselves from potential harm resulting
			 from the breach.
						(4)A
			 brief description of what the covered entity involved is doing to investigate
			 the breach, to mitigate losses, and to protect against any further
			 breaches.
						(5)Contact procedures
			 for individuals to ask questions or learn additional information, which shall
			 include a toll-free telephone number, an e-mail address, Web site, or postal
			 address.
						(g)Delay of notification authorized for law enforcement purposes. If a law enforcement official determines
			 that a notification, notice, or posting required under this section would
			 impede a criminal investigation or cause damage to national security, such
			 notification, notice, or posting shall be delayed in the same manner as
			 provided under section 164.528(a)(2) of title 45, Code of Federal Regulations,
			 in the case of a disclosure covered under such section.
					(h)Unsecured
			 protected health information
						(1)Definition
							(A)In general. Subject to subparagraph (B), for purposes of this
			 section, the term “unsecured protected health information” means
			 protected health information that is not protected through the use of a
			 technology or methodology specified by the Secretary in the guidance issued
			 under paragraph (2).
							(B)Exception in case timely guidance not issued. In the case that the Secretary does not
			 issue guidance under paragraph (2) by the date specified in such paragraph, for
			 purposes of this section, the term “unsecured protected health
			 information” shall mean information that is not protected by technology
			 standards developed or endorsed by a standards developing organization that is
			 accredited by the American National Standards Institute.
							(2)Guidance. For purposes of paragraph (1) and section
			 415(f), not later than the date that is 60 days after the date of the enactment
			 of this Act, the Secretary shall, after consultation with stakeholders, issue
			 (and annually update) guidance specifying the technologies and methodologies
			 that render protected health information unusable, unreadable, or
			 indecipherable to unauthorized individuals.
						(i)Report to
			 Congress on breaches
						(1)In
			 general. Not later than 12 months after the date of the enactment
			 of this Act and annually thereafter, the Secretary shall prepare and submit to
			 the Committee on Finance and the Committee on Health, Education, Labor, and
			 Pensions of the Senate and the Committee on Ways and Means and the Committee on
			 Energy and Commerce of the House of Representatives a report containing the
			 information described in paragraph (2) regarding breaches for which notice was
			 provided to the Secretary under subsection (e)(3).
						(2)Information. The
			 information described in this paragraph regarding breaches specified in
			 paragraph (1) shall include—
							(A)the number and
			 nature of such breaches;
							(B)actions taken in
			 response to such breaches; and
							(C)any recommendations described in section
			 422(b)(9) made by the National Coordinator for the year involved.
							(j)Effective
			 date. The provisions of this section shall apply to breaches that
			 are discovered on or after the date that is 90 days after the date of the
			 enactment of this Act.
					403.Education on health
			 information privacy and report on compliance
					(a)Regional office
			 privacy advisors. Not later
			 than 6 months after the date of the enactment of this Act, the Secretary shall
			 designate an individual in each regional office of the Department of Health and
			 Human Services to offer guidance and education to covered entities, business
			 associates, and individuals on their rights and responsibilities related to
			 Federal privacy and security requirements for protected health
			 information.
					(b)Report on
			 compliance
						(1)In
			 general. Not later than 24
			 months after the date of the enactment of this Act and annually thereafter, the
			 Secretary shall prepare and submit to the Committee on Finance and the
			 Committee on Health, Education, Labor, and Pensions of the Senate and the
			 Committee on Ways and Means and the Committee on Energy and Commerce of the
			 House of Representatives a report concerning the number of audits performed and
			 a summary of audit findings pursuant to section 414 and complaints of alleged
			 violations of the provisions of sections 401 and 402, the provisions of
			 subtitle B, and the provisions of subparts C and E of title 45, Code of Federal
			 Regulations that are received by the Secretary during the year for which the
			 report is being prepared. Each such report shall include, with respect to such
			 complaints received during the year—
							(A)the number of such
			 complaints;
							(B)the number of such
			 complaints resolved informally, a summary of the types of such complaints so
			 resolved, and the number of covered entities that received technical assistance
			 from the Secretary during such year in order to achieve compliance with such
			 provisions and the types of such technical assistance provided;
							(C)the number of such
			 complaints that resulted in the imposition of civil money penalties, the amount
			 of the civil money penalty imposed in each such case, and a summary of the
			 basis for each such civil money penalty;
							(D)the number of
			 compliance reviews conducted and the outcome of each such review;
							(E)the number of
			 subpoenas or inquiries issued; and
							(F)the Secretary’s
			 plan for improving compliance with and enforcement of such provisions for the
			 following year.
							(2)Availability to
			 public. Each report under paragraph (1) shall be made available to
			 the public on the Internet website of the Department of Health and Human
			 Services.
						(c)Education
			 initiative on uses of health information
						(1)In
			 general. Not later than 12
			 months after the date of the enactment of this Act, the Office for Civil Rights
			 within the Department of Health and Human Services shall develop and maintain a
			 multi-faceted national education initiative to enhance public transparency
			 regarding the uses of protected health information, including programs to
			 educate individuals about the potential uses of their protected health
			 information, the effects of such uses, and the rights of individuals with
			 respect to such uses. Such programs shall be conducted in a variety of
			 languages and present information in a clear and understandable manner.
						(2)Authorization of
			 appropriations. There is authorized to be appropriated to carry
			 out paragraph (1), $10,000,000 for the period of fiscal years 2009 through
			 2013.
						404.Application of
			 penalties to business associates of covered entities for violations of privacy
			 contract requirements
					(a)Application of
			 contract requirements. In the
			 case of a business associate of a covered entity that obtains or creates
			 protected health information pursuant to a written contract (or other written
			 arrangement) described in section 164.502(e)(2) of title 45, Code of Federal
			 Regulations, with such covered entity, the business associate may use and
			 disclose such protected health information only if such use or disclosure,
			 respectively, is in compliance with each applicable requirement of section
			 164.504(e) of such title and section 405(b).
					(b)Application of
			 knowledge elements associated with contracts. Section 164.504(e)(1)(ii) of title 45, Code
			 of Federal Regulations, shall apply to a business associate described in
			 subsection (a), with respect to compliance with such subsection, in the same
			 manner that such section applies to a covered entity, with respect to
			 compliance with the standards in sections 164.502(e) and 164.504(e) of such
			 title, except that in applying such section 164.504(e)(1)(ii) each reference to
			 the business associate, with respect to a contract, shall be treated as a
			 reference to the covered entity involved in such contract.
					(c)Application of
			 civil and criminal penalties. In the case of a business associate
			 that violates any provision of subsection (a) or (b), the provisions of
			 sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d–5, 1320d–6)
			 shall apply to the business associate with respect to such violation in the
			 same manner as such provisions apply to a person who violates a provision of
			 part C of title XI of such Act.
					405.Restrictions on
			 certain uses and disclosures and sales of health information; accounting of
			 certain protected health information disclosures; access to certain information
			 in electronic format
					(a)Requested
			 restrictions on certain disclosures of health information. In the case that an individual requests
			 under paragraph (a)(1)(i)(A) of section 164.522 of title 45, Code of Federal
			 Regulations, that a covered entity restrict the disclosure of the protected
			 health information of the individual, notwithstanding paragraph (a)(1)(ii) of
			 such section, the covered entity must comply with the requested restriction
			 if—
						(1)except as
			 otherwise required by law, the disclosure is to a health plan for purposes of
			 carrying out payment or health care operations (and is not for purposes of
			 carrying out treatment); and
						(2)the protected
			 health information pertains solely to a health care item or service for which
			 the health care provider involved has been paid out of pocket in full.
						(b)Disclosures
			 required To be limited to the limited data set or the minimum
			 necessary
						(1)Transitional
			 rule
							(A)In
			 general. Subject to subparagraph (B), a covered entity shall be
			 treated as being in compliance with section 164.502(b)(1) of title 45, Code of
			 Federal Regulations, and for purposes of section 404(a) a business associate
			 shall be treated as being in compliance with this subsection, with respect to
			 the use, disclosure, or request of protected health information described in
			 such section, only if the covered entity or business associate, respectively,
			 limits such protected health information, to the extent practicable, to either
			 the limited data set (as defined in section 164.514(e)(2) of such title) or to
			 the minimum necessary to accomplish the intended purpose of such use,
			 disclosure, or request, respectively.
							(B)Sunset. Subparagraph (A) shall not apply on and
			 after the earlier of—
								(i)the effective date on which the Secretary
			 adopts, taking into consideration the regulations promulgated under section
			 406(d), the study under section 410, and the report under section 411, a
			 standard under section 3003(a) of the Public Health Service Act, as added by
			 section 101, which defines the term “minimum necessary” for
			 purposes of subpart E of part 164 of title 45, Code of Federal Regulations;
			 or
								(ii)the
			 National Coordinator recommends guidance under section 3001(c)(2) of such Act
			 which defines such term for such purposes.
								(2)Determination of
			 minimum necessary. For purposes of paragraph (1), in the case of
			 the disclosure of protected health information, the covered entity or business
			 associate disclosing such information shall determine what constitute the
			 minimum necessary to accomplish the intended purpose of such disclosure.
						(3)Application of
			 exceptions. The exceptions described in section 164.502(b)(2) of
			 title 45, Code of Federal Regulations, shall apply to the requirement under
			 paragraph (1) as of the effective date described in section 433 in the same
			 manner that such exceptions apply to section 164.502(b)(1) of such title before
			 such date.
						(4)Rule of
			 construction. Nothing in this subsection shall be construed as
			 affecting the use, disclosure, or request of protected health information that
			 has been de-identified to the greatest extent practicable rather than the use
			 of protected health information that has been limited to the limited data
			 set.
						(c)Accounting of
			 certain protected health information disclosures required if covered entity
			 uses electronic medical record or electronic health record
						(1)In
			 general. In applying section
			 164.528 of title 45, Code of Federal Regulations, in the case of protected
			 health information used or maintained by a covered entity in an electronic
			 medical record or an electronic health record—
							(A)the exception under section paragraph
			 (a)(1)(i) of such section shall not apply to disclosures (other than oral
			 disclosures) made by such entity of such information; and
							(B)an individual
			 shall have a right to receive an accounting of disclosures described in such
			 paragraph of such information made by such covered entity during only the three
			 years prior to the date on which the accounting is requested.
							(2)Effective
			 date. The provisions of this subsection shall apply to
			 disclosures, with respect to protected health information, made by a covered
			 entity on or after the sooner of the following dates:
							(A)In the case of an entity that does not use
			 or maintain an electronic medical record or electronic health record before the
			 date of the enactment of this Act with respect to such information, the date on
			 which the covered entity first uses or maintains an electronic medical record
			 or electronic health record, with respect to such information, and in the case
			 of an entity that uses or maintains an electronic medical record or electronic
			 health record with respect to such information before such date of enactment,
			 the date on which the covered entity upgrades such electronic medical record or
			 electronic health record.
							(B)If a standard that relates to technologies
			 that allow for an accounting for disclosures made by a covered entity for
			 purposes of treatment, payment, and health care operations is adopted under
			 section 3003(a) of the Public Health Service Act, as added by section 101, the
			 date that is 6 months after the date of such adoption.
							(d)Prohibition on
			 certain disclosures
						(1)In
			 general. The following uses and disclosures shall not be
			 considered to be permitted uses or disclosures of protected health information
			 for purposes of subparts C and E of part 164 of title 45, Code of Federal
			 Regulations:
							(A)Sale of
			 protected health information. The sale of any protected health
			 information of an individual by a covered entity or business associate unless
			 the covered entity or business associate obtains from the individual, in
			 accordance with section 164.508 of title 45, Code of Federal Regulations, a
			 valid authorization (as described in paragraph (b) of such section) to sell
			 such information or unless the sale is for purposes of research and public
			 health activities (as described in sections 164.501, 164.512(i), and 164.512(b)
			 of title 45, Code of Federal Regulations) and the price charged reflects the
			 costs of preparation and transmittal of the data for such purposes.
							(B)Re-identification
			 of de-identified information. In the case of an entity that has received
			 information that has been de-identified in accordance with section 164.514 of
			 title 45, Code of Federal Regulations, the re-identification by the entity of
			 such information.
							(C)Identification
			 of individual through use of limited data set. In the case of an entity that has received
			 a limited data set (as defined in section 164.514(e)(2) of title 45, Code of
			 Federal Regulations), the use, alone or in combination with other information,
			 of such set to identify the subject of the data set.
							(2)Limitation on
			 condition. In no case may a covered entity condition the provision
			 of treatment to an individual, or payment for such treatment, on the individual
			 providing authorization described in paragraph (1)(A).
						(3)Construction. Nothing
			 in this subsection shall be construed as limiting the authority of the
			 Secretary to adopt standards and guidance under section 3003(a) of the Public
			 Health Service Act, as added by section 101.
						(4)Effective
			 date. The provisions of this subsection shall apply to uses and
			 disclosures made on or after the date of the enactment of this Act.
						(e)Access to
			 certain information in electronic format. In applying section 164.524 of title 45,
			 Code of Federal Regulations, in the case that a covered entity uses or
			 maintains an electronic medical record or electronic health record with respect
			 to protected health information of an individual—
						(1)the individual
			 shall have a right to obtain from such covered entity a copy of such
			 information in an electronic format; and
						(2)notwithstanding
			 paragraph (c)(4) of such section, the covered entity may not impose any fee for
			 providing such individual with a copy of such information (or a summary or
			 explanation of such information) if such copy (or summary or explanation) is in
			 an electronic form.
						(f)Application of
			 privacy regulations for making amendments to protected health information to
			 information in electronic format. In applying section 164.526 of
			 title 45, Code of Regulations, in the case of protected health information used
			 or maintained by a covered entity in an electronic medical record or electronic
			 health record, instead of any timeframes or deadlines described in such section
			 the Secretary may apply such timeframes and deadlines as the Secretary
			 determines to be appropriate.
					406.Limitations on
			 certain activities as part of health care operations
					(a)Marketing
						(1)In
			 general. A communication by a
			 covered entity or business associate that is about a product or service and
			 that encourages recipients of the communication to purchase or use the product
			 or service shall not be considered a health care operation for purposes of
			 subpart E of part 164 of title 45, Code of Federal Regulations, unless the
			 communication is made as described in subparagraph (i), (ii), or (iii) of
			 paragraph (1) of the definition of marketing in section 164.501 of such
			 title.
						(2)Payment for
			 certain communications. Subject to subparagraph (B), a covered
			 entity or business associate may not receive direct or indirect payment in
			 exchange for making any communication described in subparagraph (i), (ii), or
			 (iii) of paragraph (1) of the definition of marketing in section 164.501 of
			 title 45, Code of Federal Regulations, except—
							(A)a business
			 associate of a covered entity may receive payment from the covered entity for
			 making any such communication on behalf of the covered entity that is
			 consistent with the written contract (or other written arrangement) described
			 in section 164.502(e)(2) of such title between such business associate and
			 covered entity; and
							(B)a covered entity
			 may receive payment in exchange for making any such communication if the entity
			 obtains from the recipient of the communication, in accordance with section
			 164.508 of title 45, Code of Federal Regulations, a valid authorization (as
			 described in paragraph (b) of such section), which shall be explicitly and
			 affirmatively provided by the recipient, with respect to such
			 communication.
							(b)Fund
			 raising. Fundraising for the
			 benefit of a covered entity shall not be considered a health care operation for
			 purposes of section 164.501 of title 45, Code of Federal Regulations.
					(c)Effective
			 date. Subsections (a) and (b)
			 shall apply to contracting occurring on or after the effective date specified
			 under section 433.
					(d)Regulations
						(1)In
			 general. Not later than 18
			 months after the date of the enactment of this Act, the Secretary shall issue a
			 notice of proposed rulemaking in the Federal Register, taking into account the
			 report submitted under section 411 and the study under section 410, to
			 eliminate from the definition of health care operations under section 164.501
			 of title 45, Code of Federal Regulations, those activities (other than the
			 process of de-identifying health information) that can reasonably and
			 efficiently be conducted through the use of information that is de-identified
			 (in accordance with the requirements of section 164.514(b) of such title) or
			 that should require a valid authorization for use or disclosure. In
			 promulgating any such regulations, the Secretary may consider the form in which
			 the health information is maintained, such as non-electronic records.
						(2)Considerations. In
			 promulgating any such regulations, the Secretary shall take into consideration
			 the extent to which—
							(A)specific health
			 care operations require the use or disclosure of protected health information;
			 and
							(B)clinical utility
			 of such information would potentially be decreased in the case that such
			 information is de-identified or valid authorization is required; and
							(C)the classification of health care
			 operations (as in existence as of the date of the enactment of this Act) under
			 section 164.501 of title 45, Code of Federal Regulations, may be further
			 delineated.
							407.Study and report
			 on application of privacy and security requirements to non-HIPAA covered
			 entities. Not later than one
			 year after the date of the enactment of this Act, the Secretary, in
			 consultation with the Federal Trade Commission, shall conduct a study on
			 privacy and security requirements to entities that are not considered covered
			 entities as of the date of the enactment of this Act and submit to the
			 Committee on Finance and the Committee on Health, Education, Labor, and
			 Pensions of the Senate and the Committee on Ways and Means and the Committee on
			 Energy and Commerce of the House of Representatives a report on the findings of
			 the study, including—
					(1)requirements
			 relating to security, privacy, and notification in the case of a breach of
			 security or privacy (including the applicability of an exemption to
			 notification in the case of individually identifiable health information that
			 has been rendered unusable, unreadable, or indecipherable through technologies
			 or methodologies recognized by appropriate professional organization or
			 standard setting bodies to provide effective security for the information) that
			 should be applied to—
						(A)vendors of
			 personal health records;
						(B)entities that
			 offer products or services through the website of a vendor of personal health
			 records;
						(C)entities that are
			 not covered entities and that offer products or services through the websites
			 of covered entities that offer individuals personal health records;
						(D)entities that are
			 not covered entities and that access information in a personal health record or
			 send information to a personal health record; and
						(E)third party
			 service providers used by a vendor or entity described in subparagraph (A),
			 (B), (C), or (D) to assist in providing personal health record products or
			 services;
						(2)a determination of
			 which Federal government agency is best equipped to enforce such requirements
			 recommended to be applied to such vendors, entities, and service providers
			 under paragraph (1); and
					(3)a timeframe for implementing regulations
			 based on such findings.
					408.Temporary
			 breach notification requirement for vendors of personal health records and
			 other non-HIPAA covered entities
					(a)In
			 general. In accordance with
			 subsection (c), each vendor of personal health records, following the discovery
			 of a breach of security of unsecured PHR identifiable health information that
			 is in a personal health record maintained or offered by such vendor, and each
			 entity described in subparagraph (B), (C), or (D) of section 407(1), following
			 the discovery of a breach of security of such information that is obtained
			 through a product or service provided by such entity, shall—
						(1)notify each
			 individual who is a citizen or resident of the United States whose unsecured
			 PHR identifiable health information was acquired by an unauthorized person as a
			 result of such a breach of security; and
						(2)notify the Federal
			 Trade Commission.
						(b)Notification by
			 third party service providers. A third party service provider that
			 provides services to a vendor of personal health records or to an entity
			 described in subparagraph (B), (C), or (D) of section 407(1) in connection with
			 the offering or maintenance of a personal health record or a related product or
			 service and that accesses, maintains, retains, modifies, records, stores,
			 destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable
			 health information in such a record as a result of such services shall,
			 following the discovery of a breach of security of such information, notify
			 such vendor or entity, respectively, of such breach. Such notice shall include
			 the identification of each individual whose unsecured PHR identifiable health
			 information has been, or is reasonably believed to have been, accessed,
			 acquired, or disclosed during such breach.
					(c)Application of
			 requirements for timeliness, method, and content of
			 notifications. Subsections (c), (d), (e), and (f) of section 402
			 shall apply to a notification required under subsection (a) and a vendor of
			 personal health records, an entity described in subsection (a) and a third
			 party service provider described in subsection (b), with respect to a breach of
			 security under subsection (a) of unsecured PHR identifiable health information
			 in such records maintained or offered by such vendor, in a manner specified by
			 the Federal Trade Commission.
					(d)Notification of
			 the Secretary. Upon receipt of a notification of a breach of
			 security under subsection (a)(2), the Federal Trade Commission shall notify the
			 Secretary of such breach.
					(e)Enforcement. A
			 violation of subsection (a) or (b) shall be treated as an unfair and deceptive
			 act or practice in violation of a regulation under section 18(a)(1)(B) of the
			 Federal Trade Commission Act (15
			 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
					(f)Definitions. For purposes of this section:
						(1)Breach of
			 security. The term “breach of security” means, with
			 respect to unsecured PHR identifiable health information of an individual in a
			 personal health record, the acquisition, use, or disclosure of such information
			 without the authorization of the individual.
						(2)PHR identifiable
			 health information. The term “PHR identifiable health
			 information” means individually identifiable health information, as
			 defined in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)), and
			 includes, with respect to an individual, information—
							(A)that is provided
			 by or on behalf of the individual; and
							(B)that identifies
			 the individual or with respect to which there is a reasonable basis to believe
			 that the information can be used to identify the individual.
							(3)Unsecured PHR
			 identifiable health information
							(A)In
			 general. Subject to
			 subparagraph (B), the term “unsecured PHR identifiable health
			 information” means PHR identifiable health information that is not
			 protected through the use of a technology or methodology specified by the
			 Secretary in the guidance issued under section 402(h)(2).
							(B)Exception in
			 case timely guidance not issued. In the case that the Secretary does not
			 issue guidance under section 402(h)(2) by the date specified in such section,
			 for purposes of this section, the term “unsecured PHR identifiable health
			 information” shall mean information that is not protected by technology
			 standards developed or endorsed by a standards developing organization that is
			 accredited by the American National Standards Institute.
							(g)Effective date;
			 sunset
						(1)In
			 general. Subject to paragraph (2), the provisions of this section
			 shall apply to breaches of security occurring during the period beginning on
			 the date that is 90 days after the date of the enactment of this Act.
						(2)Sunset. The provisions of this section shall not
			 apply to breaches of security occurring on or after the earlier of the
			 following:
							(A)A standard
			 relating to requirements for entities that are not covered entities that
			 includes requirements relating to breach notification has been adopted by the
			 Secretary under section 3002 of the Public Health Service Act, as added by
			 section 101, and has taken effect.
							(B)A standard
			 relating to requirements for entities that are not covered entities that
			 includes requirements relating to breach notification has been promulgated by
			 the Federal Trade Commission and has taken effect.
							409.Business
			 associate contracts required for certain entities; other provisions related to
			 business associate contracts
					(a)In
			 general. Each organization,
			 with respect to a covered entity, that provides data transmission of protected
			 health information to such entity and that requires access on a routine basis
			 to such protected health information, such as a Health Information Exchange,
			 Regional Health Information Organization, or E-prescribing Gateway and each
			 vendor of a personal health record that contracts with a covered entity for
			 purposes of including a personal health record within an electronic medical
			 record or electronic health record, is required to enter into a written
			 contract (or other written arrangement) described in section 164.502(e)(2) of
			 title 45, Code of Federal Regulations and a written contract (or other
			 arrangement) described in section 164.308(b) of such title, with such entity
			 and shall be treated as a business associate of the covered entity for purposes
			 of the provisions of this title and subparts C and E of title 45, Code of
			 Federal Regulations.
					(b)Covered entities
			 To monitor compliance of business associates
						(1)In
			 general. A covered entity shall monitor the extent to which a
			 business associate of such entity complies with the terms of the written
			 contract (or other arrangement) described in section 164.502(e)(2) of title 45,
			 Code of Federal Regulations or section 164.308(b) of such title, as
			 applicable, entered into between such entity and such business
			 associate.
						(2)Enforcement. If
			 in the process of investigating a complaint related to a violation of the
			 requirements of this title or subpart C or E of title 45, Code of Federal
			 Regulations, committed by a business associate of a covered entity, the Office
			 for Civil Rights of the Department of Health and Human Services determines
			 that—
							(A)the covered entity
			 reasonably should have known of a pattern of activity or practice of the
			 business associate that was not in compliance with the terms of a contract
			 described in paragraph (1) and that relates to such violation; and
							(B)the covered entity
			 did not take action required under section 164.504(e)(1)(ii) of title 45, Code
			 of Federal Regulations in response to such pattern or practice,
							the covered
			 entity shall be treated, for purposes of section 1176 of the Social Security
			 Act (42 U.S.C. 1320d–5), as having violated part C of title XI of such
			 Act.
				410.Guidance on
			 implementation specification to de-identify protected health
			 information. Not later than 12
			 months after the date of the enactment of this Act, the Secretary shall, in
			 consultation with stakeholders, issue guidance on how best to implement the
			 requirements for the de-identification of protected health information under
			 section 164.514(b) of title 45, Code of Federal Regulations.
				411.GAO report on
			 treatment, payment, and health care operations uses and
			 disclosures. Not later than one
			 year after the date of the enactment of this Act, the Comptroller General of
			 the United States shall submit to the Committee on Finance and the Committee on
			 Health, Education, Labor, and Pensions of the Senate and the Committee on Ways
			 and Means and the Committee on Energy and Commerce of the House of
			 Representatives a report on—
					(1)the best practices
			 related to the disclosure among health care providers of protected health
			 information of an individual for purposes of treatment of such individual,
			 including an examination of the best practices implemented by States and by
			 other entities, such as health information exchanges and regional health
			 information organizations, and an examination of the extent to which such best
			 practices are successful with respect to the quality of the resulting health
			 care provided to the individual and with respect to the ability of the health
			 care provider to manage such best practices; and
					(2)the best practices with respect to
			 determining the minimum necessary set of protected health information for uses
			 and disclosures of such information for purposes of payment and the most common
			 health care operations, as specified by the Secretary, including those health
			 care operations that could be reasonably and efficiently performed with either
			 de-identified data (as defined in section 164.514(a) of title 45, Code of
			 Federal Regulations) or the limited data set (as defined in section 164.514(e)(1)
			 of such title).
					412.Clarification of
			 application of wrongful disclosures criminal penalties. Section 1177(a) of the Social Security Act
			 (42 U.S.C. 1320d–6(a)) is amended by adding at the end the following new
			 sentence: “For purposes of the previous sentence, a person (including an
			 employee or other individual who is not a covered entity, as defined in the
			 HIPAA privacy regulation described in section 1180(b)(3)) shall be considered
			 to have obtained or disclosed individually identifiable health information in
			 violation of this part if the information is maintained by a covered entity (as
			 so defined) and the person knowingly obtained or disclosed such information
			 without authorization.”.
				413.Improved
			 enforcement
					(a)Improved civil
			 penalties
						(1)In
			 general. Section 1176 of the
			 Social Security Act (42 U.S.C. 1320d–5) is amended—
							(A)in subsection
			 (b)(1), by striking “the act constitutes an offense punishable under
			 section 1177” and inserting “a penalty has been imposed under
			 section 1177 with respect to such act”; and
							(B)by adding at the
			 end the following new subsection:
								
									“(c)Noncompliance
				due to willful neglect
										(1)In
				general. A violation of a
				provision of this part due to willful neglect is a violation for which the
				Secretary is required to impose a penalty under subsection (a)(1).
										(2)Required
				investigation. For purposes of paragraph (1), the Secretary shall
				formally investigate any complaint of a violation of a provision of this part
				if a preliminary investigation of the facts of the complaint indicates such a
				possible violation due to willful neglect.
										(3)Regulations. Not later than 90 days after the date of
				the enactment of the Health-e Information Technology Act of 2008, the Secretary
				shall issue a notice of proposed rulemaking in the Federal Register to
				implement this
				subsection.”.
							(2)Effective
			 date. The amendments made by paragraph (1) shall apply to
			 penalties imposed on or after the date specified in section 433.
						(b)Distribution of
			 civil monetary penalties collected
						(1)In
			 general. Subject to the
			 regulation promulgated pursuant to paragraph (3), any civil monetary penalty
			 collected with respect to an offense punishable under this title or section
			 1176 of the Social Security Act (42 U.S.C. 1320d–5) shall be transferred to the
			 Office of Civil Rights of the Department of Health and Human Services to be
			 used for purposes of enforcing the provisions of this title and subparts C and
			 E of title 45, Code of Federal Regulations.
						(2)GAO
			 report. Not later than 18
			 months after the date of the enactment of this Act, the Comptroller General
			 shall submit to the Secretary a report including recommendations for a
			 methodology under which an individual who is harmed by an act that constitutes
			 an offense punishable under this title or section 1176 of the Social Security
			 Act may receive a percentage of any civil monetary penalty collected with
			 respect to such offense under this title or such section.
						(3)Establishment of
			 methodology to distribute percentage of CMPs collected to harmed
			 individuals. Not later than 3 years
			 after the date of the enactment of this Act, the Secretary shall establish by
			 regulation and based on the recommendations submitted under paragraph (2), a
			 methodology under which an individual who is harmed by an act that constitutes
			 an offense punishable under this title or section 1176 of the Social Security
			 Act may receive a percentage of any civil monetary penalty collected with
			 respect to such offense under this title or such section.
						(4)Application of
			 methodology. The methodology under paragraph (3) shall be applied
			 with respect to civil monetary penalties imposed on or after the effective date
			 of the regulation.
						(c)Tiered increase
			 in amount of civil monetary penalties
						(1)In
			 general. Section 1176(a)(1) of
			 the Social Security Act (42 U.S.C. 1320d–5(a)(1)) is amended by striking
			 “who violates a provision of this part a penalty of not more than”
			 and all that follows and inserting the
			 following:
							
								“who violates a provision of this
			 part—
								(A)in the case of a violation of such
				provision in which it is established to the satisfaction of the Secretary that
				the person did not know (and by exercising reasonable diligence would not have
				known) that such person violated such provision, a penalty for each such
				violation of an amount that is at least the amount described in paragraph
				(3)(A) but not to exceed the amount described in paragraph (3)(D);
								(B)in the case of a violation of such
				provision in which it is established to the satisfaction of the Secretary that
				the violation was due to reasonable cause and not to willful neglect, a penalty
				for each such violation of an amount that is at least the amount described in
				paragraph (3)(B) but not to exceed the amount described in paragraph (3)(D);
				and
								(C)in the case of a violation of such
				provision in which it is established to the satisfaction of the Secretary that
				the violation was due to willful neglect—
									(i)if
				the violation is corrected as described in subsection (b)(3)(A), a penalty in
				an amount that is at least the amount described in paragraph (3)(C) but not to
				exceed the amount described in paragraph (3)(D); and
									(ii)if the violation is not corrected as
				described in such subsection, a penalty in an amount that is at least the
				amount described in paragraph (3)(D).
									In
				determining the amount of a penalty under this section for a violation, the
				Secretary shall base such determination on the nature and extent of the
				violation and the nature and extent of the harm resulting from such
				violation.”.
						(2)Tiers of
			 penalties described. Section
			 1176(a) of such Act (42 U.S.C. 1320d–5(a)) is further amended by adding at the
			 end the following new paragraph:
							
								“(3)Tiers of
				penalties described. For
				purposes of paragraph (1), with respect to a violation by a person of a
				provision of this part—
									(A)the amount described in this subparagraph
				is $100 for each such violation, except that the total amount imposed on the
				person for all such violations of an identical requirement or prohibition
				during a calendar year may not exceed $25,000;
									(B)the amount described in this subparagraph
				is $1,000 for each such violation, except that the total amount imposed on the
				person for all such violations of an identical requirement or prohibition
				during a calendar year may not exceed $100,000;
									(C)the amount described in this subparagraph
				is $10,000 for each such violation, except that the total amount imposed on the
				person for all such violations of an identical requirement or prohibition
				during a calendar year may not exceed $250,000; and
									(D)the amount described in this subparagraph
				is $50,000 for each such violation, except that the total amount imposed on the
				person for all such violations of an identical requirement or prohibition
				during a calendar year may not exceed
				$1,500,000.”.
						(3)Conforming
			 amendments. Section 1176(b) of
			 such Act (42 U.S.C. 1320d–5(b)) is amended—
							(A)by striking
			 paragraph (2) and redesignating paragraphs (3) and (4) as paragraphs (2) and
			 (3), respectively; and
							(B)in paragraph
			 (3)—
								(i)in
			 subparagraph (A), by striking “in subparagraph (B), a penalty may not be
			 imposed under subsection (a) if” and all that follows through “the
			 failure to comply is corrected” and inserting “in subparagraph (B)
			 or subsection (a)(1)(C), a penalty may not be imposed under subsection (a) if
			 the failure to comply is corrected”; and
								(ii)in
			 subparagraph (B), by striking “(A)(ii)” each place it appears and
			 inserting “(A)”.
								(4)Effective
			 date. The amendments made by this subsection shall apply to
			 violations occurring after the date of the enactment of this Act.
						(d)Enforcement by
			 State attorneys general
						(1)Civil
			 actions. In any case in which the attorney general of a State or
			 any State or local law enforcement agency authorized by the State attorney
			 general or by State law to prosecute violations of consumer protection laws,
			 has reason to believe that an interest of the residents of that State has been
			 or is threatened or adversely affected by the engagement of a person in a
			 practice that is prohibited under a provision of this title or subparts C or E
			 of title 45, Code of Federal Regulations, the State or local law enforcement
			 agency on behalf of the residents of the agency’s jurisdiction, may bring a
			 civil action on behalf of the residents of the State or jurisdiction in a
			 district court of the United States of appropriate jurisdiction to—
							(A)enjoin that act or
			 practice;
							(B)enforce compliance
			 with the provision; or
							(C)obtain civil
			 penalties in an amount calculated by multiplying the number of violations by an
			 amount not greater than $11,000.
							(2)Rule of
			 construction. For purposes of bringing any civil action under
			 paragraph (1), nothing in this title regarding notification shall be construed
			 to prevent an attorney general of a State from exercising the powers conferred
			 on such attorney general by the laws of that State to—
							(A)conduct
			 investigations;
							(B)administer oaths
			 or affirmations; or
							(C)compel the
			 attendance of witnesses or the production of documentary and other
			 evidence.
							(3)Venue; service
			 of process
							(A)Venue. Any
			 action brought under paragraph (1) may be brought in the district court of the
			 United States that meets applicable requirements relating to venue under
			 section 1391 of title 28, United States Code.
							(B)Service of
			 process. In an action brought under paragraph (1), process may be
			 served in any district in which the defendant—
								(i)is
			 an inhabitant; or
								(ii)may
			 be found.
								414.Audits. The Secretary shall provide for periodic
			 audits to ensure that entities that are subject to the requirements of this
			 title and subparts C and E of title 45, Code of Federal Regulations, comply
			 with such requirements.
				415.Technical
			 amendment. Section 1171(5) of
			 the Social Security Act (42 U.S.C. 1320d) is amended by striking “or
			 C” and inserting “C, or D”.
				Subtitle B. Chief Privacy
			 Officer of ONCHIT; Standards and guidance recommendations related to privacy
			 and security
				421.Chief Privacy
			 Officer of the Office of the National Coordinator 
					(a)In
			 general. To assist the
			 National Coordinator in carrying out all the duties of the National Coordinator
			 relating to the privacy and security of health information, not later than 12
			 months after the date of the enactment of this Act, the Secretary shall appoint
			 a Chief Privacy Officer of the Office of the National Coordinator established
			 under section 3001(a) of the Public Health Service Act, as added by section
			 101.
					(b)Consultation. In
			 carrying out the duties under subsection (a), the Chief Privacy Officer shall
			 consult with the officials designated under subsection (c)(1) and is encouraged
			 to consult with officials in other Federal agencies who have primary
			 responsibility relating to the privacy and security of individually
			 identifiable information.
					(c)Coordination
			 with internal privacy officers. The Secretary shall ensure
			 that—
						(1)not later than 12
			 months after the date of the enactment of this Act, each agency specified by
			 the Secretary with the Department of Health and Human Services that deals with
			 health information has an official who is designated with specific
			 responsibilities with regard to the privacy and security of such information;
			 and
						(2)such officials
			 coordinate their activities with the Chief Privacy Officer.
						422.Additional
			 standards and guidance recommendations related to privacy and security
					(a)In
			 general. In carrying out
			 section 3001(c)(2) of the Public Health Service Act, as added by section 101,
			 the National Coordinator shall—
						(1)periodically
			 recommend to the Secretary standards and guidance related to ensuring the
			 privacy and security of health information for purposes of adoption under
			 section 3003(a) of such Act, as so added; and
						(2)periodically
			 review and revise as necessary health information privacy and security
			 standards and regulations implemented under this title and subparts C and E of
			 title 45, Code of Federal Regulations.
						(b)Specific
			 recommendations. For purposes
			 of subsection (a), the National Coordinator shall submit to the Secretary
			 recommendations on at least the following:
						(1)Application of
			 HIPAA to entities that aren’t covered entities. Taking into
			 account the results of the study conducted under section 407,
			 recommendations—
							(A)on the extent to
			 which the provisions of this title and subparts C and E of title 45, Code of
			 Federal Regulations, should apply to entities using, disclosing or receiving
			 health information that are not included under this title or such subparts as a
			 covered entity or business associate; and
							(B)that identify to
			 which entities that are not so included should such provisions apply.
							(2)Collection
			 Limitations. Recommendations identifying under what circumstances
			 and for what purposes protected health information may be collected, including
			 model notices for such purposes as necessary and recommendations about which of
			 such purposes should require separate, prior authorization from the individual
			 involved. Such recommendations shall provide that—
							(A)such collection
			 will occur in a transparent process;
							(B)such collection
			 shall be in accordance with applicable Federal, State, and local laws;
			 and
							(C)such collection
			 may only occur for the purposes specified by the entity collecting the
			 information and such purposes must be so specified at least not later than the
			 time of collection.
							(3)Disclosure and
			 use limitations. Recommendations identifying the circumstances
			 under which, to whom, and for what purposes protected health information may be
			 used or disclosed, including—
							(A)recommendations
			 about what uses or purposes are permitted or required (taking into account that
			 protected health information shall be disclosed in a non-identifiable manner to
			 the maximum extent possible);
							(B)recommendations on
			 best practices on de-identifying data;
							(C)recommendations for a technical standard
			 that allows for the de-identification of health information;
							(D)recommendations on
			 how to segregate sensitive protected health information with the goal of
			 minimizing the reluctance of patients to seek care (or disclose information
			 about a condition) because of privacy concerns involving sensitive protected
			 health information while maximizing patient safety and clinical utility of the
			 information;
							(E)recommendations to
			 define the “minimum necessary” set of health information for the most common
			 treatment and health care operations, as specified by the Secretary; and
							(F)recommendations
			 for standardized notification describing, in terms that are easily
			 understandable to individuals, permissible uses and disclosures for the most
			 common payment and health care operations purposes and specific to the most
			 common covered entities.
							(4)Electronic
			 health records and electronic medical records security features. Recommendations on security features, such
			 as user authentication, identity management tools, and data scrubbing, that
			 electronic health records must have in order to receive certification under the
			 program under section 3001(c)(3) of the Public Health Service Act, as added by
			 section 101. Such recommendations shall include at a minimum recommendations
			 with respect to immutable audit trails.
						(5)Data
			 accuracy. Recommendations on how to maximize the accuracy of
			 health information used or disclosed.
						(6)Accountability. Recommendations
			 on how to best provide for accountability for uses and disclosures of health
			 information.
						(7)Transparency. Recommendations
			 on how to maximize the transparency and openness of health information privacy
			 and security policies, including requiring that notices informing individuals
			 of such policies be written in an understandable and simple manner and clearly
			 and simply describe what the privacy and security policies are and how
			 individuals can access their protected health information and amend it.
						(8)Enforcement. Recommendation
			 on how to improve and revise the enforcement of this title and subparts C and E
			 of title 45, Code of Federal Regulations.
						(9)Reductions in
			 breaches. Recommendations on how to reduce the number and scope of
			 breaches, taking into account information received by the Secretary under
			 section 3002(e)(3) of the Public Health Service Act.
						The
			 National Coordinator shall, to the maximum extent practicable, include the
			 recommendations described in paragraphs (1), (3)(C), (3)(D), and (4) in the
			 initial set of recommendations submitted by the Coordinator under section
			 3001(c)(2)(A) of the Public Health Service Act, as added by section 101.
				Subtitle C. Relationship to
			 other laws; regulatory references; effective date
				431.Relationship to
			 other laws
					(a)Application of
			 HIPAA State preemption. Section 1178 of the Social Security Act
			 (42 U.S.C. 1320d–7) shall apply to a provision or requirement under this title
			 in the same manner that such section applies to a provision or requirement
			 under part C of title XI of such Act or a standard or implementation
			 specification adopted or established under sections 1172 through 1174 of such
			 Act.
					(b)Health Insurance
			 Portability and Accountability Act. The standards governing the privacy and
			 security of individually identifiable health information promulgated by the
			 Secretary under sections 262(a) and 264 of the Health Insurance Portability and
			 Accountability Act of 1996 shall remain in effect to the extent that they are
			 consistent with this title. The Secretary shall by rule amend such Federal
			 regulations as required to make such regulations consistent with this
			 title.
					432.Regulatory
			 references. Each reference in
			 this title to a provision of the Code of Federal Regulations refers to such
			 provision as in effect on the date of the enactment of this Act (or to the most
			 recent update of such provision).
				433.Effective
			 date. The provisions of
			 subtitles A and B of this title (other than sections 401(c), 402, 403, 405(c),
			 405(d), 406(d), 407, 408, 410, 411, 412, 413(b)(2), 413(b)(3), 413(c), 415,
			 421, 422, 431, and 432) shall take effect on the date that is 12 months after
			 the date of the enactment of this Act.
				
