[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[S. 3530 Introduced in Senate (IS)]

<DOC>






114th CONGRESS
  2d Session
                                S. 3530

 To allow the use of claims, eligibility, and payment data to produce 
  reports, analyses, and presentations to benefit Medicare, and other 
 similar health insurance programs, entities, researchers, and health 
care providers, to help develop cost saving approaches, standards, and 
 reference materials and to support medical care and improved payment 
                                models.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            December 8, 2016

  Mr. Cassidy introduced the following bill; which was read twice and 
  referred to the Committee on Health, Education, Labor, and Pensions

_______________________________________________________________________

                                 A BILL


 
 To allow the use of claims, eligibility, and payment data to produce 
  reports, analyses, and presentations to benefit Medicare, and other 
 similar health insurance programs, entities, researchers, and health 
care providers, to help develop cost saving approaches, standards, and 
 reference materials and to support medical care and improved payment 
                                models.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Ensuring Patient Access to 
Healthcare Records Act of 2016''.

SEC. 2. PROMOTION OF ACCESS TO DATA, VIA RESEARCH AND USER FRIENDLY 
              PRESENTATIONS AND APPLICATIONS.

    (a) In General.--Subtitle D of the Health Information Technology 
for Economic and Clinical Health Act (42 U.S.C. 17921 et seq.) is 
amended by adding at the end the following:

   ``PART 3--HEALTH CARE CLEARINGHOUSES; DATA PROCESSING TO EMPOWER 
              PATIENTS AND IMPROVE THE HEALTH CARE SYSTEM

``SEC. 13451. MODERNIZING THE ROLE OF CLEARINGHOUSES IN HEALTH CARE.

    ``(a) Efforts To Promote Access to and Leveraging of Health 
Information.--
            ``(1) In general.--The Secretary shall, through the 
        updating of existing policies and development of policies that 
        support dynamic technology solutions, promote patient access to 
        information related to their care, including real world 
        outcomes and economic data (including claims, eligibility, and 
        payment data), in a manner that would ensure that such 
        information is available in a form convenient for the patient, 
        in a reasonable manner, and without burdening the health care 
        provider involved.
            ``(2) Requirement.--Activities carried out under paragraph 
        (1) shall include the development of policies to enable covered 
        entities with access to health information to--
                    ``(A) provide patient access to information related 
                to their care, including real world outcomes and 
                economic data; and
                    ``(B) develop patient engagement tools, reports, 
                analyses, and presentations based on population health, 
                epidemiological, and health services outcomes data, 
                that may demonstrate a fiscal or treatment benefit to 
                the taxpayer.
    ``(b) Treatment as Covered Entity for Specified Functions.--
            ``(1) In general.--With respect to the use and disclosure 
        of protected health information, the Secretary shall--
                    ``(A) not consider health care clearinghouses that 
                engage in the functions described in paragraph (3) to 
                be business associates under HIPAA-related provisions 
                (as defined in subsection (j)(3)) regardless of the 
                role of such clearinghouses in collecting or receiving 
                the information; and
                    ``(B) consider such clearinghouses to be covered 
                entities under such provisions of law for all purposes.
        Such clearinghouses shall not be considered business associates 
        for data translation, analytic, cloud computing, or any other 
        purpose.
            ``(2) Data accuracy and security requirement.--In order to 
        use health data as authorized by this section, a clearinghouse 
        or other covered entity engaging in activities authorized under 
        this section shall be certified to have the necessary expertise 
        and technical infrastructure to ensure the accuracy and 
        security of such claims, eligibility, and payment data through 
        receipt of an accreditation by the Electronic Healthcare 
        Network Accreditation Commission, or by an equivalent 
        accreditation program determined appropriate by the Secretary.
            ``(3) Enhancing treatment, quality improvement, research, 
        public health efforts and other functions.--
                    ``(A) Equivalent authority to other covered 
                entities.--Subject to paragraph (2), a health care 
                clearinghouse shall--
                            ``(i) in addition to carrying out claims 
                        processing functions, be permitted to use and 
                        disclose protected health information in the 
                        same manner as other covered entities, 
                        including for purposes of treatment, payment, 
                        health care operations as permitted by section 
                        164.506 of title 45, Code of Federal 
                        Regulations, research, and public health as 
                        permitted by section 164.512 of title 45, Code 
                        of Federal Regulations, and creating de-
                        identified information as permitted by section 
                        164.502(d) of title 45, Code of Federal 
                        Regulations; and
                            ``(ii) use or disclose protected health 
                        information as required by section 
                        164.502(a)(2) of title 45, Code of Federal 
                        Regulations.
                    ``(B) Additional authority.--Subject to paragraph 
                (2), a health care clearinghouse and other covered 
                entity shall, in addition to claims processing 
                functions, be permitted to--
                            ``(i) provide individuals with access to 
                        their own protected health information as 
                        described in subsection (d);
                            ``(ii) subject to subsection (c)(2), and on 
                        behalf of both covered entities and non-covered 
                        entities, use and disclose protected health 
                        information for health care operations purposes 
                        (as defined by section 164.501 of title 45, 
                        Code of Federal Regulations) without respect to 
                        whether the recipient of the information has or 
                        had a relationship with the individual;
                            ``(iii) subject to subsection (c)(2), and 
                        upon the request of a covered entity, benchmark 
                        the operations of such covered entity against 
                        the operations of one or more other covered 
                        entities that have elected to participate in 
                        such benchmarking; and
                            ``(iv) subject to subsection (c)(2), use 
                        protected health information to facilitate 
                        clinical trial recruitment.
    ``(c) Authorities Relating to Data Processing.--
            ``(1) In general.--In carrying out HIPAA-related 
        provisions, the Secretary shall permit a health care 
        clearinghouse to aggregate protected health information that 
        the clearinghouse possesses in order to carry out the functions 
        described in subsection (b)(3). Subject to section 
        164.502(a)(5)(i) of title 45, Code of Federal Regulations, a 
        health care clearinghouse may carry out the functions described 
        in subsection (b)(3) without obtaining individual authorization 
        under section 164.508 of title 45, Code of Federal Regulations.
            ``(2) Privacy.--For purposes of clauses (ii) through (iv) 
        of subsection (b)(3)(B), with respect to any report, analysis, 
        or presentation provided by the clearinghouse to a third party, 
        such report, analysis, or presentation--
                    ``(A) shall include only de-identified data; or
                    ``(B) if containing protected health information, 
                shall include such data that is subject to a qualifying 
                data use agreement (as defined in subsection (j)).
            ``(3) Fee permitted.--Nothing in this paragraph shall be 
        construed to prohibit an individual's right to access claims 
        and payment records in HIPAA standard format for a reasonable, 
        cost-based fee pursuant to section 164.524(c)(4) of title 45, 
        Code of Federal Regulations. In requesting access to records 
        held by a health care clearinghouse, the individual shall 
        identify the health care provider or providers that rendered 
        care.
    ``(d) Comprehensive Records at the Request of an Individual.--
            ``(1) In general.--When a health care clearinghouse 
        receives a written request from an individual for the protected 
        health information of the individual, the clearinghouse shall 
        provide to the individual a comprehensive record of such 
        information (across health care providers and health plans and 
        longitudinal in scope), unless the clearinghouse determines in 
        its sole discretion that providing a comprehensive record is 
        not technologically feasible.
            ``(2) Purchase from other clearinghouses.--In preparing a 
        comprehensive record for an individual under paragraph (1), a 
        health care clearinghouse may, with the permission of the 
        individual, purchase the protected health information of the 
        individual from one or more other health clearinghouses (and 
        the cost of such purchase may be included in a fair-market fee 
        charged to the individual as provided for under paragraph (1)).
    ``(e) Situations Not Involving Direct Interaction With 
Individuals.--Sections 164.400 through 164.414 (relating to breach 
notification) and sections 164.520 through 164.528 (relating to 
individual rights) of title 45, Code of Federal Regulations, shall 
apply to a health care clearinghouse that engages in the functions 
described in subsection (b)(3) to the extent that such clearinghouse 
has current contact information pursuant to direct interaction with the 
individual involved. In the case of each other individual, the 
clearinghouse shall provide notice to the covered entity of any breach 
of unsecured protected health information and provide a notice of 
privacy practices on its website.
    ``(f) Transition.--
            ``(1) In general.--Nothing in this section shall be 
        construed to provide a health care clearinghouse greater 
        authority to use and disclose protected health information than 
        that provided to another covered entity.
            ``(2) Existing agreements.--With respect to agreements 
        entered into by a health care clearinghouse prior to the date 
        of enactment of this section, a provision of such an agreement 
        that conflicts with this section shall not have any legal force 
        or effect. The preceding sentence may not be construed as 
        affecting any provision of an agreement that does not conflict 
        with this section.
    ``(g) Safe Harbor and Clarification of Liability.--In the case of a 
health care clearinghouse that engages in a function described in 
subsection (b), only that clearinghouse may be held liable for a 
violation of a HIPAA-related provision (and a covered entity that 
provided data or data access to the clearinghouse shall not be liable 
for such violations).
    ``(h) Enforcement.--Section 13410(a)(2) shall apply to this section 
in the same manner as such section applies to parts 1 and 2.
    ``(i) Relation to Other Laws.--
            ``(1) Application of hitech rule.--Section 13421 shall 
        apply to this section in the same manner as such section 
        applies to parts 1 and 2, except to the extent that such 
        section 13421 concerns section 1178(a)(2)(B) of the Social 
        Security Act.
            ``(2) State laws regarding unfair or deceptive acts or 
        practices.--This part shall not be construed to preempt the law 
        of any State that prohibits unfair or deceptive acts or 
        practices.
    ``(j) Definitions.--In this part:
            ``(1) De-identified.--The term `de-identified', with 
        respect to health information, means such information that is 
        not individually identifiable as determined in accordance with 
        the standards under section 164.514(b) of title 45, Code of 
        Federal Regulations.
            ``(2) Health care clearinghouse.--The term `health care 
        clearinghouse' has the meaning given such term in section 1171 
        of the Social Security Act.
            ``(3) HIPAA-related provision.--The term `HIPAA-related 
        provision' means the provisions of each of the following:
                    ``(A) This subtitle.
                    ``(B) Part C of title XI of the Social Security 
                Act.
                    ``(C) Regulations promulgated pursuant to sections 
                262(a) and 264(c) of the Health Insurance Portability 
                and Accountability Act of 1996 or this subtitle.
            ``(4) Individual.--The term `individual', with respect to 
        protected health information, has the meaning applicable under 
        section 160.103 of title 45, Code of Federal Regulations.
            ``(5) Qualifying data use agreement.--The term `qualifying 
        data use agreement' means an agreement, which may be 
        electronic, that establishes the permitted uses and disclosures 
        of protected health information by the recipient consistent 
        with this paragraph. A qualifying data use agreement between 
        the health care clearinghouse and the data recipient shall--
                    ``(A) establish the permitted uses and disclosures 
                of such information by the recipient which shall be 
                limited to the original purpose of disclosure under 
                subsection (b)(3)(B); and
                    ``(B) provide that the data recipient will--
                            ``(i) not use or further disclose the 
                        information other than as permitted by the 
                        qualifying data use agreement or as otherwise 
                        required by law;
                            ``(ii) use appropriate safeguards to 
                        prevent use or disclosure of the information 
                        other than as provided for by the qualifying 
                        data use agreement; and
                            ``(iii) ensure that any agents to whom it 
                        provides the data agree to the same 
                        restrictions and conditions that apply to the 
                        data recipient with respect to such 
                        information.''.
    (b) Regulations.--Not later than 30 days after the date of the 
enactment of this Act, the Secretary of Health and Human Services shall 
promulgate regulations to carry out the amendment made by subsection 
(a).
    (c) Conforming Amendment.--Section 1171(2) of the Social Security 
Act (42 U.S.C. 1320d(2)) is amended by inserting before the period the 
following: ``or receives a standard transaction from another entity and 
processes or facilitates the processing of health information into 
nonstandard format or nonstandard data content for the receiving 
entity. Such term also includes an entity that carries out such 
processing functions, processes standard health care claims, processes 
health care claim payments or provides advice on such, and processes 
eligibility claims relating to health plan transactions on behalf of a 
HIPAA covered entity and in addition, engages in any of the functions 
described in subsection (a) of section 13451 of the Health Information 
Technology for Economic and Clinical Health Act''.
                                 <all>