
	

114 S3530 IS: Ensuring Patient Access to Healthcare Records Act of 2016
U.S. Senate
2016-12-08
text/xml
EN
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.



		II
		114th CONGRESS2d Session
		S. 3530
		IN THE SENATE OF THE UNITED STATES
		
			December 8, 2016
			Mr. Cassidy introduced the following bill; which was read twice and referred to the Committee on Health, Education, Labor, and Pensions
		
		A BILL
		To allow the use of claims, eligibility, and payment data to produce reports, analyses, and
			 presentations to benefit Medicare, and other similar health insurance
			 programs, entities, researchers, and health care providers, to help
			 develop cost saving approaches, standards, and reference materials and to
			 support medical care and improved payment models. 
	
	
		1.Short title
 This Act may be cited as the Ensuring Patient Access to Healthcare Records Act of 2016.
		2.Promotion of access to data, via research and user friendly presentations and applications
 (a)In generalSubtitle D of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17921 et seq.) is amended by adding at the end the following:
				
					3Health care clearinghouses; data processing to empower patients and improve the health care system
						13451.Modernizing the role of clearinghouses in health care
							(a)Efforts To promote access to and leveraging of health information
 (1)In generalThe Secretary shall, through the updating of existing policies and development of policies that support dynamic technology solutions, promote patient access to information related to their care, including real world outcomes and economic data (including claims, eligibility, and payment data), in a manner that would ensure that such information is available in a form convenient for the patient, in a reasonable manner, and without burdening the health care provider involved.
 (2)RequirementActivities carried out under paragraph (1) shall include the development of policies to enable covered entities with access to health information to—
 (A)provide patient access to information related to their care, including real world outcomes and economic data; and
 (B)develop patient engagement tools, reports, analyses, and presentations based on population health, epidemiological, and health services outcomes data, that may demonstrate a fiscal or treatment benefit to the taxpayer.
									(b)Treatment as covered entity for specified functions
 (1)In generalWith respect to the use and disclosure of protected health information, the Secretary shall— (A)not consider health care clearinghouses that engage in the functions described in paragraph (3) to be business associates under HIPAA-related provisions (as defined in subsection (j)(3)) regardless of the role of such clearinghouses in collecting or receiving the information; and
 (B)consider such clearinghouses to be covered entities under such provisions of law for all purposes. Such clearinghouses shall not be considered business associates for data translation, analytic, cloud computing, or any other purpose.(2)Data accuracy and security requirementIn order to use health data as authorized by this section, a clearinghouse or other covered entity engaging in activities authorized under this section shall be certified to have the necessary expertise and technical infrastructure to ensure the accuracy and security of such claims, eligibility, and payment data through receipt of an accreditation by the Electronic Healthcare Network Accreditation Commission, or by an equivalent accreditation program determined appropriate by the Secretary.
								(3)Enhancing treatment, quality improvement, research, public health efforts and other functions
 (A)Equivalent authority to other covered entitiesSubject to paragraph (2), a health care clearinghouse shall— (i)in addition to carrying out claims processing functions, be permitted to use and disclose protected health information in the same manner as other covered entities, including for purposes of treatment, payment, health care operations as permitted by section 164.506 of title 45, Code of Federal Regulations, research, and public health as permitted by section 164.512 of title 45, Code of Federal Regulations, and creating de-identified information as permitted by section 164.502(d) of title 45, Code of Federal Regulations; and
 (ii)use or disclose protected health information as required by section 164.502(a)(2) of title 45, Code of Federal Regulations.
 (B)Additional authoritySubject to paragraph (2), a health care clearinghouse and other covered entity shall, in addition to claims processing functions, be permitted to—
 (i)provide individuals with access to their own protected health information as described in subsection (d);
 (ii)subject to subsection (c)(2), and on behalf of both covered entities and non-covered entities, use and disclose protected health information for health care operations purposes (as defined by section 164.501 of title 45, Code of Federal Regulations) without respect to whether the recipient of the information has or had a relationship with the individual;
 (iii)subject to subsection (c)(2), and upon the request of a covered entity, benchmark the operations of such covered entity against the operations of one or more other covered entities that have elected to participate in such benchmarking; and
 (iv)subject to subsection (c)(2), use protected health information to facilitate clinical trial recruitment.
										(c)Authorities relating to data processing
 (1)In generalIn carrying out HIPAA-related provisions, the Secretary shall permit a health care clearinghouse to aggregate protected health information that the clearinghouse possesses in order to carry out the functions described in subsection (b)(3). Subject to section 164.502(a)(5)(i) of title 45, Code of Federal Regulations, a health care clearinghouse may carry out the functions described in subsection (b)(3) without obtaining individual authorization under section 164.508 of title 45, Code of Federal Regulations.
 (2)PrivacyFor purposes of clauses (ii) through (iv) of subsection (b)(3)(B), with respect to any report, analysis, or presentation provided by the clearinghouse to a third party, such report, analysis, or presentation—
 (A)shall include only de-identified data; or (B)if containing protected health information, shall include such data that is subject to a qualifying data use agreement (as defined in subsection (j)).
 (3)Fee permittedNothing in this paragraph shall be construed to prohibit an individual’s right to access claims and payment records in HIPAA standard format for a reasonable, cost-based fee pursuant to section 164.524(c)(4) of title 45, Code of Federal Regulations. In requesting access to records held by a health care clearinghouse, the individual shall identify the health care provider or providers that rendered care.
								(d)Comprehensive records at the request of an individual
 (1)In generalWhen a health care clearinghouse receives a written request from an individual for the protected health information of the individual, the clearinghouse shall provide to the individual a comprehensive record of such information (across health care providers and health plans and longitudinal in scope), unless the clearinghouse determines in its sole discretion that providing a comprehensive record is not technologically feasible.
 (2)Purchase from other clearinghousesIn preparing a comprehensive record for an individual under paragraph (1), a health care clearinghouse may, with the permission of the individual, purchase the protected health information of the individual from one or more other health clearinghouses (and the cost of such purchase may be included in a fair-market fee charged to the individual as provided for under paragraph (1)).
 (e)Situations not involving direct interaction with individualsSections 164.400 through 164.414 (relating to breach notification) and sections 164.520 through 164.528 (relating to individual rights) of title 45, Code of Federal Regulations, shall apply to a health care clearinghouse that engages in the functions described in subsection (b)(3) to the extent that such clearinghouse has current contact information pursuant to direct interaction with the individual involved. In the case of each other individual, the clearinghouse shall provide notice to the covered entity of any breach of unsecured protected health information and provide a notice of privacy practices on its website.
							(f)Transition
 (1)In generalNothing in this section shall be construed to provide a health care clearinghouse greater authority to use and disclose protected health information than that provided to another covered entity.
 (2)Existing agreementsWith respect to agreements entered into by a health care clearinghouse prior to the date of enactment of this section, a provision of such an agreement that conflicts with this section shall not have any legal force or effect. The preceding sentence may not be construed as affecting any provision of an agreement that does not conflict with this section.
 (g)Safe harbor and clarification of liabilityIn the case of a health care clearinghouse that engages in a function described in subsection (b), only that clearinghouse may be held liable for a violation of a HIPAA-related provision (and a covered entity that provided data or data access to the clearinghouse shall not be liable for such violations).
 (h)EnforcementSection 13410(a)(2) shall apply to this section in the same manner as such section applies to parts 1 and 2.
							(i)Relation to other laws
 (1)Application of HITECH ruleSection 13421 shall apply to this section in the same manner as such section applies to parts 1 and 2, except to the extent that such section 13421 concerns section 1178(a)(2)(B) of the Social Security Act.
 (2)State laws regarding unfair or deceptive acts or practicesThis part shall not be construed to preempt the law of any State that prohibits unfair or deceptive acts or practices.
 (j)DefinitionsIn this part: (1)De-identifiedThe term de-identified, with respect to health information, means such information that is not individually identifiable as determined in accordance with the standards under section 164.514(b) of title 45, Code of Federal Regulations.
 (2)Health care clearinghouseThe term health care clearinghouse has the meaning given such term in section 1171 of the Social Security Act. (3)HIPAA-related provisionThe term HIPAA-related provision means the provisions of each of the following:
 (A)This subtitle. (B)Part C of title XI of the Social Security Act.
 (C)Regulations promulgated pursuant to sections 262(a) and 264(c) of the Health Insurance Portability and Accountability Act of 1996 or this subtitle.
 (4)IndividualThe term individual, with respect to protected health information, has the meaning applicable under section 160.103 of title 45, Code of Federal Regulations.
 (5)Qualifying data use agreementThe term qualifying data use agreement means an agreement, which may be electronic, that establishes the permitted uses and disclosures of protected health information by the recipient consistent with this paragraph. A qualifying data use agreement between the health care clearinghouse and the data recipient shall—
 (A)establish the permitted uses and disclosures of such information by the recipient which shall be limited to the original purpose of disclosure under subsection (b)(3)(B); and
 (B)provide that the data recipient will— (i)not use or further disclose the information other than as permitted by the qualifying data use agreement or as otherwise required by law;
 (ii)use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the qualifying data use agreement; and
 (iii)ensure that any agents to whom it provides the data agree to the same restrictions and conditions that apply to the data recipient with respect to such information..
 (b)RegulationsNot later than 30 days after the date of the enactment of this Act, the Secretary of Health and Human Services shall promulgate regulations to carry out the amendment made by subsection (a).
 (c)Conforming amendmentSection 1171(2) of the Social Security Act (42 U.S.C. 1320d(2)) is amended by inserting before the period the following: or receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity. Such term also includes an entity that carries out such processing functions, processes standard health care claims, processes health care claim payments or provides advice on such, and processes eligibility claims relating to health plan transactions on behalf of a HIPAA covered entity and in addition, engages in any of the functions described in subsection (a) of section 13451 of the Health Information Technology for Economic and Clinical Health Act.
			
