[Congressional Bills 115th Congress]
[From the U.S. Government Publishing Office]
[H.R. 4613 Introduced in House (IH)]

115th CONGRESS
  1st Session
                                H. R. 4613

 To allow the use of claims, eligibility, and payment data to produce 
  reports, analyses, and presentations to benefit Medicare, and other 
 similar health insurance programs, entities, researchers, and health 
care providers, to help develop cost saving approaches, standards, and 
 reference materials and to support medical care and improved payment 
                                models.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           December 11, 2017

  Mrs. McMorris Rodgers (for herself, Mr. Kelly of Pennsylvania, Mr. 
Hudson, Mrs. Blackburn, Mr. Long, Mr. Bishop of Michigan, Mr. Paulsen, 
   and Mr. Krishnamoorthi) introduced the following bill; which was 
 referred to the Committee on Energy and Commerce, and in addition to 
   the Committee on Ways and Means, for a period to be subsequently 
   determined by the Speaker, in each case for consideration of such 
 provisions as fall within the jurisdiction of the committee concerned

_______________________________________________________________________

                                 A BILL


 
 To allow the use of claims, eligibility, and payment data to produce 
  reports, analyses, and presentations to benefit Medicare, and other 
 similar health insurance programs, entities, researchers, and health 
care providers, to help develop cost saving approaches, standards, and 
 reference materials and to support medical care and improved payment 
                                models.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Ensuring Patient Access to 
Healthcare Records Act of 2017''.

SEC. 2. PROMOTION OF ACCESS TO DATA, VIA RESEARCH AND USER FRIENDLY 
              PRESENTATIONS AND APPLICATIONS.

    (a) In General.--Subtitle D of the Health Information Technology 
for Economic and Clinical Health Act (42 U.S.C. 17921 et seq.) is 
amended by adding at the end the following:

   ``PART 3--HEALTH CARE CLEARINGHOUSES; DATA PROCESSING TO EMPOWER 
              PATIENTS AND IMPROVE THE HEALTH CARE SYSTEM

``SEC. 13451. MODERNIZING THE ROLE OF CLEARINGHOUSES IN HEALTH CARE.

    ``(a) Efforts To Promote Access to and Leveraging of Health 
Information.--
            ``(1) In general.--The Secretary shall, through the 
        updating of existing policies and development of policies that 
        support dynamic technology solutions, promote patient access to 
        information related to their care, including real world 
        outcomes and economic data (including claims, eligibility, and 
        payment data), in a manner that would ensure that such 
        information is available in a form convenient for the patient, 
        in a reasonable manner, and without burdening the health care 
        provider involved.
            ``(2) Requirement.--Activities carried out under paragraph 
        (1) shall include the development of policies to enable covered 
        entities with access to health information to--
                    ``(A) provide patient access to information related 
                to their care, including real world outcomes and 
                economic data;
                    ``(B) develop, in accordance with HIPAA-related 
                provisions (as defined in subsection (j)), patient 
                engagement tools, reports, analyses, and presentations 
                based on population health, epidemiological, and health 
                services outcomes data, that may demonstrate a fiscal 
                or treatment benefit to patients and health plan 
                enrollees; and
                    ``(C) promote transparency regarding the use and 
                disclosure of health information by health care 
                clearinghouses in accordance with the notice provisions 
                of subsection (e).
    ``(b) Treatment as Covered Entity for Specified Functions.--
            ``(1) In general.--With respect to the use and disclosure 
        of protected health information, the Secretary shall--
                    ``(A) not consider health care clearinghouses that 
                engage in the functions described in paragraph (3) to 
                be business associates, including subcontractor 
                business associates, under HIPAA-related provisions (as 
                defined in subsection (j)(3)) regardless of the role of 
                such clearinghouses in collecting or receiving the 
                information; and
                    ``(B) consider such clearinghouses to be covered 
                entities under such provisions of law for all purposes.
        Such clearinghouses shall not be considered business 
        associates, or subcontractor business associates, for 
        translation of data into and out of standard format, analytic, 
        cloud computing, or any other purpose.
            ``(2) Data accuracy and security requirement.--In order to 
        use health data as authorized by this section, a clearinghouse 
        or other covered entity engaging in activities authorized under 
        this section shall be certified to have the necessary expertise 
        and technical infrastructure to ensure the accuracy and 
        security of such claims, eligibility, and payment data through 
        receipt of an accreditation by the Electronic Healthcare 
        Network Accreditation Commission, or by an equivalent 
        accreditation program determined appropriate by the Secretary.
            ``(3) Enhancing treatment, quality improvement, research, 
        public health efforts and other functions.--
                    ``(A) Equivalent authority to other covered 
                entities.--Subject to paragraph (2), a health care 
                clearinghouse shall--
                            ``(i) in addition to carrying out claims 
                        processing functions, be permitted to use and 
                        disclose protected health information without 
                        obtaining individual authorization to the same 
                        extent as other covered entities, including for 
                        purposes of treatment, payment, health care 
                        operations as permitted by section 164.506 of 
                        title 45, Code of Federal Regulations, 
                        research, and public health as permitted by 
                        section 164.512 of title 45, Code of Federal 
                        Regulations, and creating de-identified 
                        information as permitted by section 164.502(d) 
                        of title 45, Code of Federal Regulations; and
                            ``(ii) use or disclose protected health 
                        information as required by section 
                        164.502(a)(2) of title 45, Code of Federal 
                        Regulations.
                    ``(B) Additional authority.--
                            ``(i) A health care clearinghouse shall be 
                        permitted to provide an individual or the 
                        personal representative of such individual 
                        access to the protected health information of 
                        such individual as described in subsection (d).
                            ``(ii) All covered entities, including a 
                        health care clearinghouse, shall, subject to 
                        subsection (c)(2), be permitted to--
                                    ``(I) on behalf of covered 
                                entities, use and disclose protected 
                                health information for health care 
                                operations purposes (as defined by 
                                section 164.501 of title 45, Code of 
                                Federal Regulations) without respect to 
                                whether the recipient of the 
                                information has or had a relationship 
                                with the individual;
                                    ``(II) upon the request of a 
                                covered entity, benchmark (as defined 
                                by the Secretary pursuant to 
                                rulemaking) the operations of such 
                                covered entity against the operations 
                                of one or more other covered entities 
                                that have elected to participate in 
                                such benchmarking; and
                                    ``(III) use and disclose protected 
                                health information to facilitate 
                                clinical trial recruitment, except that 
                                in the case the covered entity provides 
                                a consumer-facing portal or website 
                                that informs individuals of clinical 
                                trials conducted by the covered entity, 
                                the covered entity shall secure opt-in 
                                consent from the individual, or the 
                                individual's personal representative, 
                                prior to contacting an individual 
                                regarding such clinical trials unless 
                                such covered entity already has a 
                                relationship with the individual.
                    ``(C) Clarification.--Nothing in this paragraph 
                shall expand the authority of a health care 
                clearinghouse or any other covered entity to use or 
                disclose protected health information for marketing 
                purposes under sections 164.501 and 164.508(a)(3) of 
                title 45, Code of Federal Regulations.
    ``(c) Authorities Relating to Data Processing.--
            ``(1) In general.--In carrying out HIPAA-related 
        provisions, the Secretary shall permit a health care 
        clearinghouse to aggregate protected health information, within 
        the clearinghouse and among other clearinghouses, that the 
        clearinghouse possesses in order to carry out the functions 
        described in subsection (b)(3). Subject to section 
        164.502(a)(5)(i) of title 45, Code of Federal Regulations, a 
        health care clearinghouse may carry out the functions described 
        in subsection (b)(3) without obtaining individual authorization 
        under section 164.508 of title 45, Code of Federal Regulations.
            ``(2) Privacy.--For purposes of clauses (ii) through (iv) 
        of subsection (b)(3)(B), with respect to any report, analysis, 
        or presentation provided by the covered entity to a third 
        party, such report, analysis, or presentation--
                    ``(A) shall include only de-identified data; or
                    ``(B) shall include, subject to a qualifying data 
                use agreement (as defined in subsection (j)), protected 
                health information.
            ``(3) Clarification; fee permitted.--
                    ``(A) In general.--Nothing in this paragraph shall 
                be construed as affecting an individual's right to 
                access claims and payment records in HIPAA standard 
                format, in accordance with section 164.524 of title 45, 
                Code of Federal Regulations.
                    ``(B) Fee permitted.--If an individual or a 
                personal representative of the individual requests a 
                copy of records in HIPAA standard format a health care 
                clearinghouse may charge a reasonable, cost-based fee 
                so far as such fee is in accordance with section 
                164.524(c)(4) of title 45, Code of Federal Regulations.
    ``(d) Comprehensive Records at the Request of an Individual.--
            ``(1) In general.--When a health care clearinghouse 
        receives a written request from an individual or the personal 
        representative of the individual for the protected health 
        information of the individual, the clearinghouse shall provide 
        to the individual a comprehensive record of such information 
        (across health care providers and health plans and longitudinal 
        in scope), unless the clearinghouse determines in its sole 
        discretion that providing a comprehensive record is not 
        technologically feasible.
            ``(2) Purchase from other clearinghouses.--In preparing a 
        comprehensive record for an individual under paragraph (1), a 
        health care clearinghouse may, with the permission of the 
        individual, purchase the protected health information of the 
        individual from one or more other health clearinghouses (and 
        the amount of such purchase may be included in a fee that is 
        fair market value, as defined in subsection (j)(2), charged to 
        the individual.
    ``(e) Situations Not Involving Direct Interaction With 
Individuals.--Sections 164.400 through 164.414 (relating to breach 
notification) and sections 164.520 through 164.528 (relating to 
individual rights) of title 45, Code of Federal Regulations, shall 
apply to a health care clearinghouse that engages in the functions 
described in subsection (b)(3) to the extent that such clearinghouse 
has current contact information pursuant to direct interaction with the 
individual involved. If the clearinghouse does not have direct 
interaction with the individual involved, the clearinghouse shall 
provide notice of any breach of unsecured protected health information 
to the covered entity that does have direct interaction with the 
individual involved. The clearinghouse shall not be required to report 
a breach if the protected health information is rendered unusable, 
unreadable, or indecipherable to unauthorized persons through the use 
of a technology or methodology specified by the Secretary in the 
guidance issued under section 13402(h)(2). The clearinghouse shall also 
provide a notice of privacy practices on its website.
    ``(f) Transition.--
            ``(1) In general.--Except where specifically stated, 
        nothing in this section shall be construed to apply to 
        clearinghouses to the exclusion of other covered entities or to 
        provide a health care clearinghouse greater authority to use 
        and disclose protected health information than that provided to 
        another covered entity.
            ``(2) Existing agreements.--With respect to agreements 
        entered into by a health care clearinghouse prior to the date 
        of enactment of this section, a provision of such an agreement 
        that conflicts with this section shall not have any legal force 
        or effect. The preceding sentence may not be construed as 
        affecting any provision of an agreement that does not conflict 
        with this section.
    ``(g) Safe Harbor and Clarification of Liability.--In the case of a 
health care clearinghouse that engages in a function described in 
subsection (b), only that clearinghouse may be held liable for a 
violation of a HIPAA-related provision (and a covered entity that 
provided data or data access to the clearinghouse shall not be liable 
for such violations).
    ``(h) Enforcement.--Section 13410(a)(2) shall apply to this section 
in the same manner as such section applies to parts 1 and 2.
    ``(i) Relation to Other Laws.--
            ``(1) Application of hitech rule.--Section 13421 shall 
        apply to this section in the same manner as such section 
        applies to parts 1 and 2, except to the extent that such 
        section 13421 concerns section 1178(a)(2)(B) of the Social 
        Security Act.
            ``(2) State laws regarding unfair or deceptive acts or 
        practices.--This part shall not be construed to preempt the law 
        of any State that prohibits unfair or deceptive acts or 
        practices or limit the authority of State attorneys general to 
        enforce such laws.
    ``(j) Definitions.--In this part:
            ``(1) De-identified.--The term `de-identified', with 
        respect to health information, means such information that is 
        not individually identifiable as determined in accordance with 
        the standards under section 164.514(b) of title 45, Code of 
        Federal Regulations.
            ``(2) Fair market value.--The term `fair market value' 
        means the price that a person reasonably knowledgeable and 
        interested in buying a given product or service would pay to a 
        person reasonably knowledgeable and interested in selling the 
        product or service.
            ``(3) Health care clearinghouse.--The term `health care 
        clearinghouse' has the meaning given such term in section 1171 
        of the Social Security Act.
            ``(4) HIPAA-related provision.--The term `HIPAA-related 
        provision' means the provisions of each of the following:
                    ``(A) This subtitle.
                    ``(B) Part C of title XI of the Social Security 
                Act.
                    ``(C) Regulations promulgated pursuant to sections 
                262(a) and 264(c) of the Health Insurance Portability 
                and Accountability Act of 1996 or this subtitle.
            ``(5) Individual.--The term `individual', with respect to 
        protected health information, has the meaning applicable under 
        section 160.103 of title 45, Code of Federal Regulations.
            ``(6) Qualifying data use agreement.--The term `qualifying 
        data use agreement' means an agreement, which may be 
        electronic, that--
                    ``(A) establishes the permitted uses and 
                disclosures of protected health information by the 
                recipient;
                    ``(B) limits such uses and disclosures to the 
                original purpose of disclosure under subsection 
                (b)(3)(B); and
                    ``(C) provides that the data recipient will--
                            ``(i) not use or further disclose the 
                        information other than as permitted by the 
                        qualifying data use agreement or as otherwise 
                        required by law;
                            ``(ii) use appropriate safeguards to 
                        prevent use or disclosure of the information 
                        other than as provided for by the qualifying 
                        data use agreement; and
                            ``(iii) ensure that any agents to whom it 
                        provides the data agree to the same 
                        restrictions and conditions that apply to the 
                        data recipient with respect to such 
                        information.''.
    (b) Regulations.--Not later than 180 days after the date of the 
enactment of this Act, the Secretary of Health and Human Services shall 
promulgate regulations to carry out the amendment made by subsection 
(a).
    (c) Conforming Amendment.--Section 1171(2) of the Social Security 
Act (42 U.S.C. 1320d(2)) is amended by inserting before the period the 
following: ``or receives a standard transaction from another entity and 
processes or facilitates the processing of health information into 
nonstandard format or nonstandard data content for the receiving 
entity. Such term also includes an entity that carries out such 
processing functions, transmits standard health care claims, transmits 
health care claim payments or provides advice on such, and transmits 
any standard transactions on behalf of a HIPAA-covered entity and in 
addition, engages in any authority of such entity described in 
subsection (b)(3) of section 13451 of the Health Information Technology 
for Economic and Clinical Health Act''.