[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4805 Introduced in House (IH)]

114th CONGRESS
  2d Session
                                H. R. 4805

 To amend the Health Information Technology for Economic and Clinical 
      Health Act to provide that information held by health care 
clearinghouses is subject to privacy protections that are equivalent to 
   the protections that apply to information held by other types of 
 covered entities under the HIPAA Privacy Rule, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             March 17, 2016

   Mrs. McMorris Rodgers (for herself and Mr. Byrne) introduced the 
   following bill; which was referred to the Committee on Energy and 
  Commerce, and in addition to the Committee on Ways and Means, for a 
 period to be subsequently determined by the Speaker, in each case for 
consideration of such provisions as fall within the jurisdiction of the 
                          committee concerned

_______________________________________________________________________

                                 A BILL


 
 To amend the Health Information Technology for Economic and Clinical 
      Health Act to provide that information held by health care 
clearinghouses is subject to privacy protections that are equivalent to 
   the protections that apply to information held by other types of 
 covered entities under the HIPAA Privacy Rule, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Ensuring Patient Access to 
Healthcare Records Act of 2016''.

SEC. 2. FINDINGS.

    The Congress finds as follows:
            (1) The Health Insurance Portability and Accountability Act 
        of 1996 (``HIPAA''), through certain of its implementing 
        regulations known as the Privacy Rule, protects the health 
        information of enrollees of health plans and other individuals 
        (in this section referred to as ``protected health 
        information'').
            (2) The HIPAA Privacy Rule applies to protected health 
        information held by health care providers, plans, and 
        clearinghouses, which are known as ``covered entities''. Such 
        Rule also applies to vendors that perform certain functions for 
        covered entities and thereby come into possession of protected 
        health information. The HIPAA Privacy Rule refers to these 
        vendors as ``business associates''.
            (3) The HIPAA Privacy Rule applies both to the internal use 
        of protected health information by covered entities and their 
        business associates and to the disclosure of such information 
        to other parties.
            (4) Covered entities and their business associates are 
        subject to substantial civil and criminal penalties if they use 
        or disclose protected health information in violation of the 
        HIPAA Privacy Rule.
            (5) Clearinghouses play a unique, central role in the 
        health care system, interacting with both health care providers 
        and plans. Clearinghouses convert information from providers 
        into claims-processing standard electronic formats and then 
        submit the claims to the plans and finally send providers the 
        plan payments.
            (6) Claims and other data held by clearinghouses could be 
        analyzed longitudinally and geographically, providing powerful 
        analytical tools that could benefit the overall health care 
        system and facilitate medical innovation in the 21st Century.
            (7) Clearinghouses are unable to unlock the benefits of 
        such claims and other data because the HIPAA Privacy Rule 
        assigns clearinghouses a dual role. Such clearinghouses are not 
        only covered entities, but are also business associates. The 
        latter role substantially restricts the ability of 
        clearinghouses to analyze claims data.
            (8) Clearinghouses should not be considered business 
        associates and should instead have the same ability to use and 
        disclose health-related data as other types of covered 
        entities.
            (9) Eliminating the business-associate role of 
        clearinghouses would not affect the applicability of the civil 
        and criminal penalties that enforce the HIPAA Privacy Rule. 
        Clearinghouses would continue to be subject to such penalties 
        in their role as covered entities.
            (10) In addition to the uses of health-related information 
        that the HIPAA Privacy Rule currently authorizes for covered 
        entities, there are several particular analytical uses that 
        should be authorized specifically for clearinghouses because of 
        the unique benefits that would result from authorizing those 
        uses. Although these particular new analytical uses should be 
        authorized for clearinghouses, the disclosure of health 
        information pursuant to these uses should be subject to the 
        protection principles currently underlying the HIPAA Privacy 
        Rule, including enforcement principles.

SEC. 3. TREATMENT OF CERTAIN HIPAA-RELATED ACTIVITIES OF HEALTH CARE 
              CLEARINGHOUSES.

    (a) In General.--Subtitle D of the Health Information Technology 
for Economic and Clinical Health Act (42 U.S.C. 17921 et seq.) is 
amended by adding at the end the following:

   ``PART 5--HEALTH CARE CLEARINGHOUSES; ANALYTICAL FUNCTIONS TOWARD 
                    IMPROVING THE HEALTH CARE SYSTEM

``SEC. 13451. AUTHORITY REGARDING ANALYTICAL FUNCTIONS TOWARD IMPROVING 
              THE HEALTH CARE SYSTEM.

    ``(a) In General.--With respect to the use and disclosure of 
protected health information, the Secretary--
            ``(1) shall not consider health care clearinghouses to be 
        business associates under this subtitle, part C of title XI of 
        the Social Security Act, or the regulations promulgated 
        pursuant to section 264(c) of the Health Insurance Portability 
        and Accountability Act of 1996 for purposes of carrying out 
        activities described in section 1171(2) of the Social Security 
        Act and subsections (b) and (c) of this section; and
            ``(2) shall consider such clearinghouses to be covered 
        entities under such provisions of law for such purposes.
    ``(b) Certain Functions.--The functions that may be carried out by 
a health care clearinghouse pursuant to subsection (a) include the 
following:
            ``(1) Promptly upon the request of individuals, providing 
        such individuals with access to their protected health 
        information as permitted by section 164.502(a)(1)(i) of title 
        45, Code of Federal Regulations. In carrying out the previous 
        sentence, the clearinghouse may charge such an individual a 
        fee, not to exceed the fair market value, for preparing the 
        record of such information involved.
            ``(2) Promptly upon the request of individuals, providing 
        such individuals with access to their protected health 
        information as required by section 164.502(a)(2)(i) of title 
        45, Code of Federal Regulations. In carrying out the previous 
        sentence, the clearinghouse may charge such an individual a 
        fee, not to exceed the fair market value, for preparing the 
        record of such information involved.
            ``(3) With respect to the access of patients to 
        experimental treatments and diagnostics, notifying patients 
        that they may be appropriate candidates as subjects in clinical 
        research, and conducting research to identify such patients, 
        pursuant to the preparatory-research provisions of section 
        164.512(i) of title 45, Code of Federal Regulations, and 
        pursuant to the regulations referred to in paragraph (1) of 
        this subsection.
            ``(4) Making public health disclosures authorized by 
        sections 164.512(b) or 164.514(e) of title 45, Code of Federal 
        Regulations, including notifying manufacturers of drugs or 
        devices about adverse events related to their products pursuant 
        to such section 164.512(b).
            ``(5) Research as authorized by sections 164.512(i) or 
        164.514(e) of title 45, Code of Federal Regulations.
            ``(6) Consistent with the applicable requirements of 
        section 164.514 of title 45, Code of Federal Regulations, 
        creating de-identified health information or a limited data 
        set.
    ``(c) Additional Functions.--
            ``(1) In general.--In addition to the functions that may be 
        carried out by a health care clearinghouse pursuant to 
        subsection (a), such a clearinghouse may, subject only to the 
        privacy protections under paragraph (2), aggregate, use, and 
        disclose data the clearinghouse possesses in order to carry out 
        the following functions:
                    ``(A) Prepare reports, analyses, and presentations 
                on the quality and costs of health care services, 
                including in specific geographic areas, in order to 
                assist individuals select health care services and 
                providers.
                    ``(B) Prepare reports, analyses, and presentations 
                of health-services outcomes data, including 
                presentations addressing outcomes of various types of 
                approaches to a particular disease, disorder, or other 
                adverse health condition.
                    ``(C) Prepare reports, analyses, and presentations 
                of epidemiological data to assist decisionmaking in 
                development programs for new treatments or diagnostics.
                    ``(D) Prepare reports, analyses, and presentations 
                on costs and charges for health care products and 
                services.
                    ``(E) Upon the request of a covered entity, prepare 
                reports, analyses, and presentations that benchmark the 
                operations of such covered entity against the 
                operations of one or more other covered entities that 
                have elected to participate in such benchmarking.
            ``(2) Privacy.--A health care clearinghouse may carry out 
        the functions described in paragraph (1) without obtaining any 
        authorizations under section 164.508 of title 45, Code of 
        Federal Regulations. For purposes of such paragraph, with 
        respect to any report, analysis, or presentation provided by 
        the clearinghouse to a third party, such report, analysis, or 
        presentation--
                    ``(A) shall include only de-identified data; or
                    ``(B) if containing protected health information, 
                shall include such data that is--
                            ``(i) subject to a qualifying data use 
                        agreement (as defined in subsection (i)); or
                            ``(ii) provided to the Food and Drug 
                        Administration for purposes authorized by law 
                        for such Administration, subject to protected 
                        health information being disclosed to such 
                        Administration only to the extent necessary for 
                        such purposes.
    ``(d) Relevant Information.--In the case of a health care 
clearinghouse, the authority under subsections (a) through (c) includes 
applicability with respect to protected health information collected 
from other covered entities and includes applicability with respect to 
the aggregation of such information between covered entities.
    ``(e) Comprehensive Records Per Request of Individual.--For 
purposes of subsection (b)(2), when a health care clearinghouse 
receives a request from an individual for the protected health 
information of the individual, the clearinghouse shall provide to the 
individual a comprehensive record of such information (across health 
care providers and health plans), unless the clearinghouse determines 
in its discretion that providing a comprehensive record is not 
technologically feasible. In preparing such record for the individual, 
the clearinghouse may, with the permission of the individual, purchase 
the protected health care information of the individual from one or 
more other health care clearinghouses (and the cost of such purchase 
may be included in the fee charged to the individual).
    ``(f) Situations Not Involving Direct Interaction With 
Individuals.--Sections 164.400 through 164.414, sections 164.520 
through 164.528, and 164.530 of title 45, Code of Federal Regulations, 
apply to a clearinghouse to the extent that it has current contact 
information pursuant to direct interaction with the individual. In the 
case of each other individual, the clearinghouse shall carry out its 
functions under this subtitle, part C of title XI of the Social 
Security Act, and the regulations promulgated pursuant to section 
264(c) of the Health Insurance Portability and Accountability Act of 
1996 as if the clearinghouse were a business associate. The individuals 
to whom the preceding sentence applies includes individuals with 
respect to whom the sole clearinghouse function is to process or 
facilitate the processing of nonstandard data elements of health 
information into standard data elements.
    ``(g) Transition.--With respect to agreements entered into by a 
health care clearinghouse before the effective date of this section, a 
provision of an agreement that conflicts with this section shall not 
have any legal force or effect. The preceding sentence may not be 
construed as affecting any provision of an agreement that does not 
conflict with this section. A health care clearinghouse shall provide 
notice of this subsection to each entity with which the clearinghouse 
has an agreement that is affected by this subsection.
    ``(h) Enforcement.--Section 13410(a)(2) applies to this part in the 
same manner as such section applies to parts 1 and 2.
    ``(i) Definitions.--For purposes of this part:
            ``(1) The term `de-identified', with respect to health 
        information, means such information that is not individually 
        identifiable as determined in accordance with the standards 
        under section 164.514(b) of title 45, Code of Federal 
        Regulations.
            ``(2) The term `health care clearinghouse' has the meaning 
        given such term in section 1171 of the Social Security Act.
            ``(3) The term `individual', with respect to protected 
        health information, has the meaning that applies under section 
        160.103 of title 45, Code of Federal Regulations.
            ``(4) The term `qualifying data use agreement' means an 
        agreement that establishes the permitted uses and disclosures 
        of protected health information by the recipient for one or 
        more functions described in subsection (c)(1) and restricts the 
        use and disclosure of the information by the recipient in the 
        same manner as applies under paragraphs (e)(4)(ii)(B) and 
        (e)(4)(ii)(C) (1)-(4) of section 164.514 of title 45, Code of 
        Federal Regulations, but without regard to the references to 
        limited data sets.
    ``(j) Relation to Other Laws.--Section 13421 applies to this part 
in the same manner as such section applies to parts 1 and 2, except to 
the extent that such section concerns section 1178(a)(2)(B) of the 
Social Security Act.''.
    (b) Regulations.--Not later than the expiration of the 90-day 
period beginning on the date of the enactment of this Act, the 
Secretary of Health and Human Services shall promulgate regulations to 
carry out the amendment made by subsection (a).
    (c) Conforming Amendment.--Section 1171(2) of the Social Security 
Act (42 U.S.C. 1320d(2)) is amended by inserting before the period the 
following: ``, or that carries out such processing function and in 
addition any of the functions authorized in section 13451 of the Health 
Information Technology for Economic and Clinical Health Act''.