[Congressional Bills 112th Congress]
[From the U.S. Government Publishing Office]
[S. 3351 Introduced in Senate (IS)]

112th CONGRESS
  2d Session
                                S. 3351

To amend the American Recovery and Reinvestment Act with respect to the 
                privacy of protected health information.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             June 27, 2012

  Mr. Franken introduced the following bill; which was read twice and 
  referred to the Committee on Health, Education, Labor, and Pensions

_______________________________________________________________________

                                 A BILL


 
To amend the American Recovery and Reinvestment Act with respect to the 
                privacy of protected health information.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Protect Our Health Privacy Act''.

SEC. 2. REPORTING REQUIREMENTS.

    (a) Notification in the Case of Breach.--Paragraph (2) of section 
13402(i) of division A of the American Recovery and Reinvestment Act of 
2009 (42 U.S.C. 17932(i)) is amended to read as follows:
            ``(2) Information.--The information described in this 
        paragraph regarding breaches specified in paragraph (1) shall 
        include--
                    ``(A) the number and nature of all such breaches, 
                including a description of the types of unsecured 
                protected health information that were involved in each 
                breach;
                    ``(B) the identity of the covered entity involved 
                in each breach, or if the breach affected less than 500 
                individuals, the kind of covered entity involved (such 
                as a health plan, health care clearinghouse, or a 
                health care provider who transmits any health 
                information in electronic form in connection with a 
                transaction covered by this subtitle); and
                    ``(C) actions taken in response to such 
                breaches.''.
    (b) Report on Compliance.--Section 13424 of division A of the 
American Recovery and Reinvestment Act of 2009 (42 U.S.C. 17954) is 
amended--
            (1) in subsection (a)(1)--
                    (A) by amending subparagraph (B) to read as 
                follows:
                    ``(B) information about such complaints resolved 
                informally, including--
                            ``(i) the number of such complaints 
                        resolved informally;
                            ``(ii) a summary of the types of complaints 
                        so resolved, including identification of the 
                        most common types of complaints so resolved, 
                        categorized by the privacy and security rule 
                        allegedly violated;
                            ``(iii) for each such category, the average 
                        amount of time from receipt of a complaint to 
                        resolution of such complaint;
                            ``(iv) examples, with entity and patient 
                        names and other individually identifiable 
                        health information redacted, of complaints 
                        resolved informally and the Secretary's 
                        rationale for resolving such complaints 
                        informally; and
                            ``(v) the number of covered entities that 
                        received technical assistance from the 
                        Secretary during such year in order to achieve 
                        compliance with such provisions and the types 
                        of such technical assistance provided.'';
                    (B) in subparagraph (E), by inserting ``and a 
                summary of the outcome of such subpoenas or inquiries'' 
                after ``inquiries issued'';
                    (C) in subparagraph (F), by striking ``following 
                year; and'' and inserting ``following year and 
                enforcement priorities for the succeeding year;'';
                    (D) in subparagraph (G), by striking the period at 
                the end and inserting a semicolon; and
                    (E) by adding at the end the following:
                    ``(H) the number of State attorney general actions 
                that were pursued under this subtitle and notice of 
                which was provided to the Secretary pursuant to section 
                1176(d)(4) of the Social Security Act; and
                    ``(I) the number of health privacy or health 
                security or data breach complaints referred to the 
                Attorney General, including--
                            ``(i) whether the Attorney General declined 
                        enforcement; and
                            ``(ii) the number of complaints referred to 
                        the Attorney General but returned to the 
                        Secretary for enforcement and a summary of 
                        enforcement actions taken by the Secretary with 
                        respect to such complaints, including informal 
                        resolutions, civil monetary penalties, 
                        resolution agreements or settlements, or 
                        voluntary compliance actions.''; and
            (2) by adding at the end the following:
    ``(g) Annual Studies.--
            ``(1) In general.--For the first year beginning after the 
        date of enactment of the Protect Our Health Privacy Act, and 
        every year thereafter, the Attorney General shall submit to the 
        Committee on the Judiciary of the Senate and the Committee on 
        the Judiciary of the House of Representatives a report 
        concerning complaints of alleged violations described in 
        section 1177 of the Social Security Act, including violations 
        of the provisions of this subtitle relating to privacy and 
        security of health information, that were referred to the 
        Department of Justice by the Department of Health and Human 
        Services, the Federal Bureau of Investigation, or another State 
        or Federal agency during the year for which the report is being 
        prepared.
            ``(2) Requirements.--Each report required under paragraph 
        (1) shall--
                    ``(A) be made available to the public on the 
                websites of the Department of Justice and the 
                Department of Health and Human Services; and
                    ``(B) include, with respect to complaints received 
                during the year for which the report is being 
                prepared--
                            ``(i) the total number of complaints 
                        received;
                            ``(ii) the number of complaints received 
                        that were eligible for criminal enforcement; 
                        and
                            ``(iii) of the complaints described in 
                        clause (ii), a summary of how each complaint 
                        was resolved that--
                                    ``(I) includes the rationale for 
                                declining enforcement, if applicable; 
                                and
                                    ``(II) does not identify the 
                                patients, individuals, or entities 
                                involved.''.

SEC. 3. ENCRYPTION FOR PORTABLE MEDIA.

    (a) Guidance Regarding Unsecured Protected Health Information.--
            (1) In general.--Section 13402(h)(2) of division A of the 
        American Recovery and Reinvestment Act of 2009 (42 U.S.C. 
        17932(h)(2)) is amended by inserting ``, including protected 
        health information stored on portable media (as defined by the 
        Secretary, which shall include thumb drives, laptop computers, 
        tablet computers, and other similar devices),'' after 
        ``protected health information''.
            (2) Applicable.--The amendment made by paragraph (1) shall 
        apply to updated guidance issued under section 13402(h)(2) of 
        division A of the American Recovery and Reinvestment Act of 
        2009 (42 U.S.C. 17932(h)(2)) after the date of enactment of 
        this Act.
    (b) Portable Media Encryption Requirement.--
            (1) In general.--Section 13401 of division A of the 
        American Recovery and Reinvestment Act of 2009 (42 U.S.C. 
        17931) is amended by adding at the end the following:
    ``(d) Portable Media Encryption Requirement.--Not later than 1 year 
after the date of enactment of the Protect Our Health Privacy Act, the 
Secretary shall issue regulations to require covered entities and 
business associates to render protected health information that is 
stored on portable media (as defined by the Secretary, which shall 
include thumb drives, laptop computers, tablet computers, and other 
similar devices) unusable, unreadable, or indecipherable to 
unauthorized individuals.''.
            (2) Conforming amendment.--Section 13401(b) of such Act (42 
        U.S.C. 17931(b)) is amended by inserting ``or (d)'' after 
        ``subsection (a)''.

SEC. 4. USE OF DATA IN BUSINESS ASSOCIATE CONTRACTS; APPLICATION OF 
              MINIMUM NECESSARY STANDARD TO BUSINESS ASSOCIATES.

    (a) In General.--Section 13404 of division A of the American 
Recovery and Reinvestment Act (42 U.S.C. 17934) is amended by adding at 
the end the following:
    ``(d) Use of Data in Business Associate Contracts; Application of 
Minimum Necessary Standard to Business Associates.--
            ``(1) Limitation on scope and use of protected health 
        information.--As required by section 164.504(e) of title 45, 
        Code of Federal Regulations (as in effect on the date of 
        enactment of this subsection), any business associate agreement 
        between a covered entity and a business associate shall limit 
        the use of protected health information by such business 
        associate--
                    ``(A) to only such information as necessary for the 
                performance of the service or function that the covered 
                entity has contracted with the business associate to 
                perform on behalf of the covered entity; and
                    ``(B) to only those uses that are necessary for the 
                performance of the service or function described in 
                subparagraph (A).
            ``(2) Application of minimum necessary standard to business 
        associates.--Section 164.502(b) of title 45, Code of Federal 
        Regulations shall apply to a business associate of a covered 
        entity in the same manner that such section applies to the 
        covered entity. The additional requirements of this title that 
        relate to the minimum necessary standard with respect to the 
        use, disclosure, and request of protected health information 
        that are made applicable with respect to covered entities shall 
        also be applicable to such a business associate and shall be 
        incorporated into the business associate agreement between the 
        business associate and the covered entity.''.
    (b) Conforming Amendment.--Subsection (c) of such section 13404 (42 
U.S.C. 17934) is amended by striking ``(a) or (b)'' and inserting 
``(a), (b), or (d)(2)''.
    (c) Clarification.--Nothing in subsection (d)(2) of section 13404 
of division A of the American Recovery and Reinvestment Act (42 U.S.C. 
17934) (as amended by subsection (a)) affects the application of the 
minimum necessary standard to business associates pursuant to section 
164.504(e) of title 45, Code of Federal Regulations (relating to 
contracts and other arrangements between business associates and 
covered entities) as in effect on the date of enactment of this Act.

SEC. 5. HEALTH INFORMATION TECHNOLOGY IMPROVEMENT INITIATIVE.

    Title XXX of the Public Health Service Act (42 U.S.C. 300jj et 
seq.) is amended by adding at the end the following:

``SEC. 3022. HEALTH INFORMATION TECHNOLOGY IMPROVEMENT INITIATIVE.

    ``(a) In General.--Not later than 18 months after the date of 
enactment of the Protect Our Health Privacy Act, the Secretary shall 
issue regulations to improve the safety, interoperability, and utility 
of health information technology systems.
    ``(b) Content.--The regulations issued under subsection (a) shall 
include--
            ``(1) a system to track the effect of health information 
        technology on the health of patients; and
            ``(2) minimum quality and risk management requirements for 
        health information technology vendors.
    ``(c) Health Information Technology Adverse Health Event 
Reporting.--
            ``(1) In general.--The Secretary shall designate an agency 
        within the Department of Health and Human Services to 
        promulgate regulations relating to a health information 
        technology adverse health event reporting program and database. 
        The Department shall consider definitions and standards 
        developed by the National Quality Forum before promulgating 
        such regulations.
            ``(2) Content.--The regulations promulgated under paragraph 
        (1) shall include mandatory submission of adverse health event 
        reports by health information technology vendors and voluntary 
        submission of adverse health event reports by users of health 
        information, including patients and their family caregivers.
            ``(3) Use of reports.--The agency designated under 
        paragraph (1) shall analyze adverse health event reports and 
        report findings and recommendations to the applicable industry 
        and policymakers.
            ``(4) Protection of reports.--The agency designated under 
        paragraph (1) shall remove identifying information if adverse 
        health event reports are made public. An adverse health event 
        report may not be admitted or used in any action in a Federal 
        or State court or any Federal or State administrative 
        proceeding as evidence of fault, liability, or occurrence of an 
        adverse health event.
            ``(5) Annual report.--The agency designated under paragraph 
        (1) shall use the database established under such paragraph to 
        submit to Congress an annual report regarding the use and 
        safety of health information technology.''.