[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[H.R. 2062 Introduced in House (IH)]

<DOC>






116th CONGRESS
  1st Session
                                H. R. 2062

 To amend the Public Health Service Act to protect the confidentiality 
               of substance use disorder patient records.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             April 3, 2019

 Mr. Blumenauer (for himself, Mr. Mullin, Ms. DelBene, Mr. Walden, Mr. 
Peters, Mr. Carter of Georgia, Ms. Bonamici, Mr. Kelly of Pennsylvania, 
  Mr. Moulton, Mr. Joyce of Pennsylvania, Mr. Rouda, Mr. Wright, Mr. 
     Suozzi, Mr. Holding, Mr. Panetta, Mr. Crenshaw, Mr. Larsen of 
  Washington, Mr. Johnson of Ohio, Mr. Evans, Mr. Bilirakis, and Ms. 
Sewell of Alabama) introduced the following bill; which was referred to 
                  the Committee on Energy and Commerce

_______________________________________________________________________

                                 A BILL


 
 To amend the Public Health Service Act to protect the confidentiality 
               of substance use disorder patient records.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Overdose Prevention and Patient 
Safety Act''.

SEC. 2. CONFIDENTIALITY AND DISCLOSURE OF RECORDS RELATING TO SUBSTANCE 
              USE DISORDER.

    (a) Conforming Changes Relating to Substance Use Disorder.--
Subsections (a) and (h) of section 543 of the Public Health Service Act 
(42 U.S.C. 290dd-2) are each amended by striking ``substance abuse'' 
and inserting ``substance use disorder''.
    (b) Disclosures to Covered Entities Consistent With HIPAA.--
Paragraph (2) of section 543(b) of the Public Health Service Act (42 
U.S.C. 290dd-2(b)) is amended by adding at the end the following:
                    ``(D) To a covered entity or to a program or 
                activity described in subsection (a), for the purposes 
                of treatment, payment, and health care operations, so 
                long as such disclosure is made in accordance with 
                HIPAA privacy regulation. Any redisclosure of 
                information so disclosed may only be made in accordance 
                with this section.''.
    (c) Disclosures of De-Identified Health Information to Public 
Health Authorities.--Paragraph (2) of section 543(b) of the Public 
Health Service Act (42 U.S.C. 290dd-2(b)), as amended by subsection 
(b), is further amended by adding at the end the following:
                    ``(E) To a public health authority, so long as such 
                content meets the standards established in section 
                164.514(b) of title 45, Code of Federal Regulations (or 
                successor regulations) for creating de-identified 
                information.''.
    (d) Definitions.--Subsection (b) of section 543 of the Public 
Health Service Act (42 U.S.C. 290dd-2) is amended by adding at the end 
the following:
            ``(3) Definitions.--For purposes of this subsection:
                    ``(A) Covered entity.--The term `covered entity' 
                has the meaning given such term for purposes of HIPAA 
                privacy regulation.
                    ``(B) Health care operations.--The term `health 
                care operations' has the meaning given such term for 
                purposes of HIPAA privacy regulation.
                    ``(C) HIPAA privacy regulation.--The term `HIPAA 
                privacy regulation' has the meaning given such term 
                under section 1180(b)(3) of the Social Security Act.
                    ``(D) Individually identifiable health 
                information.--The term `individually identifiable 
                health information' has the meaning given such term for 
                purposes of HIPAA privacy regulation.
                    ``(E) Payment.--The term `payment' has the meaning 
                given such term for purposes of HIPAA privacy 
                regulation.
                    ``(F) Public health authority.--The term `public 
                health authority' has the meaning given such term for 
                purposes of HIPAA privacy regulation.
                    ``(G) Treatment.--The term `treatment' has the 
                meaning given such term for purposes of HIPAA privacy 
                regulation.''.
    (e) Use of Records in Criminal, Civil, or Administrative 
Investigations, Actions, or Proceedings.--Subsection (c) of section 543 
of the Public Health Service Act (42 U.S.C. 290dd-2) is amended to read 
as follows:
    ``(c) Use of Records in Criminal, Civil, or Administrative 
Contexts.--Except as otherwise authorized by a court order under 
subsection (b)(2)(C) or by the consent of the patient, a record 
referred to in subsection (a) may not, in connection with any 
investigation of, or criminal, civil, or administrative proceeding 
against, a patient--
            ``(1) be entered into evidence in any criminal prosecution 
        or civil action before a Federal or State court;
            ``(2) form part of the record for decision or otherwise be 
        taken into account in any proceeding before a Federal agency;
            ``(3) be used by any Federal, State, or local agency for a 
        law enforcement purpose or to conduct any law enforcement 
        investigation; or
            ``(4) be used in any application for a warrant.''.
    (f) Penalties.--Subsection (f) of section 543 of the Public Health 
Service Act (42 U.S.C. 290dd-2) is amended to read as follows:
    ``(f) Penalties.--The provisions of sections 1176 and 1177 of the 
Social Security Act shall apply to a violation of this section to the 
extent and in the same manner as such provisions apply to a violation 
of part C of title XI of such Act. In applying the previous sentence--
            ``(1) the reference to `this subsection' in subsection 
        (a)(2) of such section 1176 shall be treated as a reference to 
        `this subsection (including as applied pursuant to section 
        543(f) of the Public Health Service Act)'; and
            ``(2) in subsection (b) of such section 1176--
                    ``(A) each reference to `a penalty imposed under 
                subsection (a)' shall be treated as a reference to `a 
                penalty imposed under subsection (a) (including as 
                applied pursuant to section 543(f) of the Public Health 
                Service Act)'; and
                    ``(B) each reference to `no damages obtained under 
                subsection (d)' shall be treated as a reference to `no 
                damages obtained under subsection (d) (including as 
                applied pursuant to section 543(f) of the Public Health 
                Service Act)'.''.
    (g) Antidiscrimination.--Section 543 of the Public Health Service 
Act (42 U.S.C. 290dd-2) is amended by adding at the end the following:
    ``(i) Antidiscrimination.--
            ``(1) In general.--No entity shall discriminate against an 
        individual on the basis of information received by such entity 
        pursuant to a disclosure made under subsection (b) in--
                    ``(A) admission or treatment for health care;
                    ``(B) hiring or terms of employment;
                    ``(C) the sale or rental of housing; or
                    ``(D) access to Federal, State, or local courts.
            ``(2) Recipients of federal funds.--No recipient of Federal 
        funds shall discriminate against an individual on the basis of 
        information received by such recipient pursuant to a disclosure 
        made under subsection (b) in affording access to the services 
        provided with such funds.''.
    (h) Notification in Case of Breach.--Section 543 of the Public 
Health Service Act (42 U.S.C. 290dd-2), as amended by subsection (g), 
is further amended by adding at the end the following:
    ``(j) Notification in Case of Breach.--
            ``(1) Application of hitech notification of breach 
        provisions.--The provisions of section 13402 of the HITECH Act 
        (42 U.S.C. 17932) shall apply to a program or activity 
        described in subsection (a), in case of a breach of records 
        described in subsection (a), to the same extent and in the same 
        manner as such provisions apply to a covered entity in the case 
        of a breach of unsecured protected health information.
            ``(2) Definitions.--In this subsection, the terms `covered 
        entity' and `unsecured protected health information' have the 
        meanings given to such terms for purposes of such section 
        13402.''.
    (i) Sense of Congress.--It is the sense of the Congress that any 
person treating a patient through a program or activity with respect to 
which the confidentiality requirements of section 543 of the Public 
Health Service Act (42 U.S.C. 290dd-2) apply should access the 
applicable State-based prescription drug monitoring program as a 
precaution against substance use disorder.
    (j) Regulations.--
            (1) In general.--The Secretary of Health and Human 
        Services, in consultation with appropriate Federal agencies, 
        shall make such revisions to regulations as may be necessary 
        for implementing and enforcing the amendments made by this 
        section, such that such amendments shall apply with respect to 
        uses and disclosures of information occurring on or after the 
        date that is 12 months after the date of enactment of this Act.
            (2) Easily understandable notice of privacy practices.--Not 
        later than 1 year after the date of enactment of this Act, the 
        Secretary of Health and Human Services, in consultation with 
        appropriate experts, shall update section 164.520 of title 45, 
        Code of Federal Regulations, so that covered entities provide 
        notice, written in plain language, of privacy practices 
        regarding patient records referred to in section 543(a) of the 
        Public Health Service Act (42 U.S.C. 290dd-2(a)), including--
                    (A) a statement of the patient's rights, including 
                self-pay patients, with respect to protected health 
                information and a brief description of how the 
                individual may exercise these rights (as required by 
                paragraph (b)(1)(iv) of such section 164.520); and
                    (B) a description of each purpose for which the 
                covered entity is permitted or required to use or 
                disclose protected health information without the 
                patient's written authorization (as required by 
                paragraph (b)(2) of such section 164.520).
    (k) Rules of Construction.--Nothing in this Act or the amendments 
made by this Act shall be construed to limit--
            (1) a patient's right, as described in section 164.522 of 
        title 45, Code of Federal Regulations, or any successor 
        regulation, to request a restriction on the use or disclosure 
        of a record referred to in section 543(a) of the Public Health 
        Service Act (42 U.S.C. 290dd-2(a)) for purposes of treatment, 
        payment, or health care operations; or
            (2) a covered entity's choice, as described in section 
        164.506 of title 45, Code of Federal Regulations, or any 
        successor regulation, to obtain the consent of the individual 
        to use or disclose a record referred to in such section 543(a) 
        to carry out treatment, payment, or health care operation.
    (l) Sense of Congress.--It is the sense of the Congress that--
            (1) patients have the right to request a restriction on the 
        use or disclosure of a record referred to in section 543(a) of 
        the Public Health Service Act (42 U.S.C. 290dd-2(a)) for 
        treatment, payment, or health care operations; and
            (2) covered entities should make every reasonable effort to 
        the extent feasible to comply with a patient's request for a 
        restriction regarding such use or disclosure.
                                 <all>