		II
		112th CONGRESS
		2d Session
		S. 3351
		IN THE SENATE OF THE UNITED STATES

			June 27, 2012
			Mr. Franken introduced the following bill; which was read twice and referred to the Committee on Health, Education, Labor, and Pensions

		A BILL
		To amend the American Recovery and Reinvestment Act with respect to the privacy of protected health information.

		1. Short title
			This Act may be cited as the “Protect Our Health Privacy Act”.
		2. Reporting requirements
			(a) Notification in the case of breach
			Paragraph (2) of section 13402(i) of division A of the American Recovery and Reinvestment Act of 2009 (42 U.S.C. 17932(i)) is amended to read as follows:

					“(2) Information
					The information described in this paragraph regarding breaches specified in paragraph (1) shall include—
						“(A) the number and nature of all such breaches, including a description of the types of unsecured protected health information that were involved in each breach;
						“(B) the identity of the covered entity involved in each breach, or if the breach affected less than 500 individuals, the kind of covered entity involved (such as a health plan, health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subtitle); and
						“(C) actions taken in response to such breaches.”.
			(b) Report on compliance
			Section 13424 of division A of the American Recovery and Reinvestment Act of 2009 (42 U.S.C. 17954) is amended—
				(1) in subsection (a)(1)—
					(A) by amending subparagraph (B) to read as follows:

							“(B) information about such complaints resolved informally, including—
								“(i) the number of such complaints resolved informally;
								“(ii) a summary of the types of complaints so resolved, including identification of the most common types of complaints so resolved, categorized by the privacy and security rule allegedly violated;
								“(iii) for each such category, the average amount of time between receipt of a complaint to resolution of such complaint;
								“(iv) examples, with entity and patient names and other individually identifiable health information redacted, of complaints resolved informally and the Secretary’s rationale for resolving such complaints informally; and
								“(v) the number of covered entities that received technical assistance from the Secretary during such year in order to achieve compliance with such provisions and the types of such technical assistance provided.”;
					(B) in subparagraph (E), by inserting “and a summary of the outcome of such subpoenas or inquiries” after “inquiries issued”;
					(C) in subparagraph (F), by striking “following year; and” and inserting “following year and enforcement priorities for the succeeding year;”;
					(D) in subparagraph (G), by striking the period at the end and inserting a semicolon; and
					(E) by adding at the end the following:

							“(H) the number of State attorney general actions that were pursued under this subtitle and notice of which was provided to the Secretary pursuant to section 1176(d)(4) of the Social Security Act; and
							“(I) the number of health privacy or health security or data breach complaints referred to the Attorney General, including—
								“(i) whether the Attorney General declined enforcement; and
								“(ii) the number of complaints referred to the Attorney General but returned to the Secretary for enforcement and a summary of enforcement actions taken by the Secretary with respect to such complaints, including informal resolutions, civil monetary penalties, resolution agreements or settlements, or voluntary compliance actions.”; and
				(2) by adding at the end the following:

						“(g) Annual studies
							“(1) In general
							For the first year beginning after the date of enactment of the Protect Our Health Privacy Act, and every year thereafter, the Attorney General shall submit to the Committee on the Judiciary of the Senate and the Committee on the Judiciary of the House of Representatives a report concerning complaints of alleged violations described in section 1177 of the Social Security Act, including violations of the provisions of this subtitle relating to privacy and security of health information, that were referred to the Department of Justice by the Department of Health and Human Services, the Federal Bureau of Investigation, or another State or Federal agency during the year for which the report is being prepared.
							“(2) Requirements
							Each report required under paragraph (1) shall—
								“(A) be made available to the public on the websites of the Department of Justice and the Department of Health and Human Services; and
								“(B) include, with respect to complaints received during the year for which the report is being prepared—
									“(i) the total number of complaints received;
									“(ii) the number of complaints received that were eligible for criminal enforcement; and
									“(iii) of the complaints described in clause (ii), a summary of how each complaint was resolved that—
										“(I) includes the rationale for declining enforcement, if applicable; and
										“(II) does not identify the patients, individuals, or entities involved.”.
		3. Encryption for portable media
			(a) Guidance regarding unsecured protected health information
				(1) In general
				Section 13402(h)(2) of division A of the American Recovery and Reinvestment Act of 2009 (42 U.S.C. 17932(h)(2)) is amended by inserting “, including protected health information stored on portable media (as defined by the Secretary, which shall include thumb drives, laptop computers, tablet computers, and other similar devices),” after “protected health information”.
				(2) Applicable
				The amendment made by paragraph (1) shall apply to updated guidance issued under section 13402(h)(2) of division A of the American Recovery and Reinvestment Act of 2009 (42 U.S.C. 17932(h)(2)) after the date of enactment of this Act.
			(b) Portable media encryption requirement
				(1) In general
				Section 13401 of division A of the American Recovery and Reinvestment Act of 2009 (42 U.S.C. 17931) is amended by adding at the end the following:

						“(d) Portable media encryption requirement
						Not later than 1 year after the date of enactment of the Protect Our Health Privacy Act, the Secretary shall issue regulations to require covered entities and business associates to render protected health information that is stored on portable media (as defined by the Secretary, which shall include thumb drives, laptop computers, tablet computers, and other similar devices) unusable, unreadable, or indecipherable to unauthorized individuals.”.
				(2) Conforming amendment
				Section 13401(b) of such Act (42 U.S.C. 17931(b)) is amended by inserting “or (d)” after “subsection (a)”.
		4. Use of data in business associate contracts; application of minimum necessary standard to business associates
			(a) In general
			Section 13404 of division A of the American Recovery and Reinvestment Act (42 U.S.C. 17934) is amended by adding at the end the following:

					“(d) Use of data in business associate contracts; application of minimum necessary standard to business associates
						“(1) Limitation on scope and use of protected health information
						As required by section 164.504(e) of title 45, Code of Federal Regulations (as in effect on the date of enactment of this subsection), any business associate agreement between a covered entity and a business associate shall limit the use of protected health information by such business associate—
							“(A) to only such information as necessary for the performance of the service or function that the covered entity has contracted with the business associate to perform on behalf of the covered entity; and
							“(B) to only those uses that are necessary for the performance of the service or function described in subparagraph (A).
						“(2) Application of minimum necessary standard to business associates
						Section 164.502(b) of title 45, Code of Federal Regulations shall apply to a business associate of a covered entity in the same manner that such section applies to the covered entity. The additional requirements of this title that relate to the minimum necessary standard with respect to the use, disclosure, and request of protected health information that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.”.
			(b) Conforming amendment
			Subsection (c) of such section 13404 (42 U.S.C. 17934) is amended by striking “(a) or (b)” and inserting “(a), (b), or (d)(2)”.
			(c) Clarification
			Nothing in subsection (d)(2) of section 13404 of division A of the American Recovery and Reinvestment Act (42 U.S.C. 17934) (as amended by subsection (a)) affects the application of the minimum necessary standard to business associates pursuant to section 164.504(e) of title 45, Code of Federal Regulations (relating to contracts and other arrangements between business associates and covered entities) as in effect on the date of enactment of this Act.
		5. Health information technology improvement initiative
			Title XXX of the Public Health Service Act (42 U.S.C. 300jj et seq.) is amended by adding at the end the following:

				“3022. Health information technology improvement initiative
					“(a) In general
					Not later than 18 months after the date of enactment of the Protect Our Health Privacy Act, the Secretary shall issue regulations to improve the safety, interoperability, and utility of health information technology systems.
					“(b) Content
					The regulations issued under subsection (a) shall include—
						“(1) a system to track the effect of health information technology on the health of patients; and
						“(2) minimum quality and risk management requirements for health information technology vendors.
					“(c) Health information technology adverse health event reporting
						“(1) In general
						The Secretary shall designate an agency within the Department of Health and Human Services to promulgate regulations relating to a health information technology adverse health event reporting program and database. The Department shall consider definitions and standards developed by the National Quality Forum before promulgating such regulations.
						“(2) Content
						The regulations promulgated under paragraph (1) shall include mandatory submission of adverse health event reports by health information technology vendors and voluntary submission of adverse health event reports by users of health information, including patients and their family caregivers.
						“(3) Use of reports
						The agency designated under paragraph (1) shall analyze adverse health event reports and report findings and recommendations to the applicable industry and policymakers.
						“(4) Protection of reports
						The agency designated under paragraph (1) shall remove identifying information if adverse health event reports are made public. An adverse health event report may not be admitted or used in any action in a Federal or State court or any Federal or State administrative proceeding as evidence of fault, liability, or occurrence of an adverse health event.
						“(5) Annual report
						The agency designated under paragraph (1) shall use the database established under such paragraph to submit to Congress an annual report regarding the use and safety of health information technology.”.