[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 3749 Introduced in Senate (IS)]

<DOC>






116th CONGRESS
  2d Session
                                S. 3749

 To protect the privacy of health information during a national health 
                               emergency.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                              May 14, 2020

 Mr. Blumenthal (for himself and Mr. Warner) introduced the following 
  bill; which was read twice and referred to the Committee on Health, 
                     Education, Labor, and Pensions

_______________________________________________________________________

                                 A BILL


 
 To protect the privacy of health information during a national health 
                               emergency.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Public Health Emergency Privacy 
Act''.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Affirmative express consent.--The term ``affirmative 
        express consent'' means an affirmative act by an individual 
        that--
                    (A) clearly and conspicuously communicates the 
                individual's authorization of an act or practice;
                    (B) is made in the absence of any mechanism in the 
                user interface that has the purpose or substantial 
                effect of obscuring, subverting, or impairing decision 
                making or choice to obtain consent; and
                    (C) cannot be inferred from inaction.
            (2) Collect.--The term ``collect'', with respect to 
        emergency health data, means obtaining in any manner by a 
        covered organization.
            (3) Commission.--The term ``Commission'' means the Federal 
        Trade Commission.
            (4) Covered organization.--
                    (A) In general.--The term ``covered organization'' 
                means any person (including a government entity)--
                            (i) that collects, uses, or discloses 
                        emergency health data electronically or through 
                        communication by wire or radio; or
                            (ii) that develops or operates a website, 
                        web application, mobile application, mobile 
                        operating system feature, or smart device 
                        application for the purpose of tracking, 
                        screening, monitoring, contact tracing, or 
                        mitigation, or otherwise responding to the 
                        COVID-19 public health emergency.
                    (B) Exclusions.--The term ``covered organization'' 
                does not include--
                            (i) a health care provider;
                            (ii) a person engaged in a de minimis 
                        collection or processing of emergency health 
                        data;
                            (iii) a service provider;
                            (iv) a person acting in their individual or 
                        household capacity; or
                            (v) a public health authority.
            (5) Demographic data.--The term ``demographic data'' means 
        information relating to the actual or perceived race, color, 
        ethnicity, national origin, religion, sex, gender, gender 
        identity, sexual orientation, age, Tribal affiliation, 
        disability, domicile, employment status, familial status, 
        immigration status, or veteran status of an individual or group 
        of individuals.
            (6) Device.--The term ``device'' means any electronic 
        equipment that is primarily designed for or marketed to 
        consumers.
            (7) Disclosure.--The term ``disclosure'', with respect to 
        emergency health data, means the releasing, transferring, 
        selling, providing access to, licensing, or divulging in any 
        manner by a covered organization to a third party.
            (8) Emergency health data.--The term ``emergency health 
        data'' means data linked or reasonably linkable to an 
        individual or device, including data inferred or derived about 
        the individual or device from other collected data provided 
        such data is still linked or reasonably linkable to the 
        individual or device, that concerns the public COVID-19 health 
        emergency. Such data includes--
                    (A) information that reveals the past, present, or 
                future physical or behavioral health or condition of, 
                or provision of healthcare to, an individual, 
                including--
                            (i) data derived from the testing or 
                        examination of a body part or bodily substance, 
                        or a request for such testing;
                            (ii) whether or not an individual has 
                        contracted or been tested for, or an estimate 
                        of the likelihood that a particular individual 
                        may contract, such disease or disorder; and
                            (iii) genetic data, biological samples, and 
                        biometrics; and
                    (B) other data collected in conjunction with other 
                emergency health data or for the purpose of tracking, 
                screening, monitoring, contact tracing, or mitigation, 
                or otherwise responding to the COVID-19 public health 
                emergency, including--
                            (i) geolocation data, when such term means 
                        data capable of determining the past or present 
                        precise physical location of an individual at a 
                        specific point in time, taking account of 
                        population densities, including cell-site 
                        location information, triangulation data 
                        derived from nearby wireless or radio frequency 
                        networks, and global positioning system data;
                            (ii) proximity data, when such term means 
                        information that identifies or estimates the 
                        past or present physical proximity of one 
                        individual or device to another, including 
                        information derived from Bluetooth, audio 
                        signatures, nearby wireless networks, and near-
                        field communications;
                            (iii) demographic data;
                            (iv) contact information for identifiable 
                        individuals or a history of the individual's 
                        contacts over a period of time, such as an 
                        address book or call log; and
                            (v) any other data collected from a 
                        personal device.
            (9) Government entity.--The term ``government entity'' 
        includes a Federal agency, a State, a local government, and 
        other organizations, as such terms are defined in section 3371 
        of title 5, United States Code.
            (10) Health care provider.--The term ``health care 
        provider'' has the meaning given the term ``eligible health 
        care provider'' in title VIII of division B of the CARES Act 
        (Public Law 116-136).
            (11) HIPAA regulations.--The term ``HIPAA regulations'' 
        means parts 160 and 164 of title 45, Code of Federal 
        Regulations.
            (12) Public health authority.--The term ``public health 
        authority'' means an entity that is authorized by law to 
        collect or receive information for the purpose of preventing or 
        controlling disease, injury, or disability including, but not 
        limited to, the reporting of disease, injury, vital events such 
        as birth or death, and the conduct of public health 
        surveillance, public health investigations, and public health 
        interventions, and a person, such as a designated agency or 
        associate, acting under a grant of authority from, or under a 
        contract with, such public entity, including the employees or 
        agents of such entity or its contractors or persons or entities 
        to whom it has granted authority.
            (13) COVID-19 public health emergency.--The term ``COVID-19 
        public health emergency'' means the outbreak and public health 
        response pertaining to Coronavirus Disease 2019 (COVID-19), 
        associated with the emergency declared by the Secretary on 
        January 31, 2020, under section 319 of the Public Health 
        Service Act (42 U.S.C. 247d), and any renewals thereof and any 
        subsequent declarations by the Secretary related to the 
        coronavirus.
            (14) Secretary.--The term ``Secretary'' means the Secretary 
        of Health and Human Services.
            (15) Service provider.--
                    (A) In general.--The term ``service provider'' 
                means a person that collects, uses, or discloses 
                emergency health data for the sole purpose of, and only 
                to the extent that such entity is, conducting business 
                activities on behalf of, for the benefit of, under 
                instruction of, and under contractual agreement with a 
                covered organization.
                    (B) Limitation of application.--Such person shall 
                only be considered a service provider in the course of 
                activities described in subparagraph (A).
                    (C) Exclusions.--The term ``service provider'' 
                excludes a person that develops or operates a website, 
                web application, mobile application, or smart device 
                application for the purpose of tracking, screening, 
                monitoring, contact tracing, or mitigation, or 
                otherwise responding to the COVID-19 public health 
                emergency.
            (16) State.--The term ``State'' means each State of the 
        United States, the District of Columbia, each commonwealth, 
        territory, or possession of the United States, and each 
        federally recognized Indian Tribe.
            (17) Third party.--
                    (A) In general.--The term ``third party'' means, 
                with respect to a covered organization--
                            (i) another person to whom such covered 
                        organization disclosed emergency health data; 
                        and
                            (ii) a corporate affiliate or a related 
                        party of the covered organization that does not 
                        have a direct relationship with an individual 
                        with whom the emergency health data is linked 
                        or is reasonably linkable.
                    (B) Exclusion.--The term ``third party'' excludes, 
                with respect to a covered organization--
                            (i) a service provider of such covered 
                        organization; or
                            (ii) a public health authority.
            (18) Use.--The term ``use'', with respect to emergency 
        health data, means the processing, employment, application, 
        utilization, examination, or analysis of such data by a covered 
        organization that maintains such data.

SEC. 3. PROTECTING THE PRIVACY AND SECURITY OF EMERGENCY HEALTH DATA.

    (a) Right to Privacy.--A covered organization that collects 
emergency health data shall--
            (1) only collect, use, or disclose such data that is 
        necessary, proportionate, and limited for a good faith public 
        health purpose, including a service or feature to support such 
        a purpose;
            (2) take reasonable measures, where possible, to ensure the 
        accuracy of emergency health data and provide an effective 
        mechanism for an individual to correct inaccurate information;
            (3) adopt reasonable safeguards to prevent unlawful 
        discrimination on the basis of emergency health data; and
            (4) only disclose such data to a government entity when the 
        disclosure--
                    (A) is to a public health authority; and
                    (B) is made in solely for good faith public health 
                purposes and in direct response to exigent 
                circumstances.
    (b) Right to Security.--A covered organization or service provider 
that collects, uses, or discloses emergency health data shall establish 
and implement reasonable data security policies, practices, and 
procedures to protect the security and confidentiality of emergency 
health data.
    (c) Prohibited Uses.--A covered organization shall not collect, 
use, or disclose emergency health data for any purpose not authorized 
under this section, including--
            (1) commercial advertising, recommendation for e-commerce, 
        or the training of machine-learning algorithms related to, or 
        subsequently for use in, commercial advertising and e-commerce;
            (2) soliciting, offering, selling, leasing, licensing, 
        renting, advertising, marketing, or otherwise commercially 
        contracting for employment, finance, credit, insurance, 
        housing, or education opportunities in a manner that 
        discriminates or otherwise makes opportunities unavailable on 
        the basis of emergency health data; and
            (3) segregating, discriminating in, or otherwise making 
        unavailable the goods, services, facilities, privileges, 
        advantages, or accommodations of any place of public 
        accommodation (as such term is defined in section 301 of the 
        Americans With Disabilities Act of 1990 (42 U.S.C. 12181)), 
        except as authorized by a State or Federal Government entity 
        for a public health purpose notwithstanding subsection (g).
    (d) Consent.--
            (1) In general.--It shall be unlawful for a covered 
        organization to collect, use, or disclose emergency health 
        data, unless--
                    (A) the individual to whom the data pertains has 
                given affirmative express consent to such collection, 
                use, or disclosure;
                    (B) such collection, use, or disclosure is 
                necessary and for the sole purpose of--
                            (i) protecting against malicious, 
                        deceptive, fraudulent, or illegal activity; or
                            (ii) detecting, responding to, or 
                        preventing information security incidents or 
                        threats; or
                    (C) the covered organization is compelled to do so 
                by a legal obligation.
            (2) Revocation.--
                    (A) In general.--A covered organization shall 
                provide an effective mechanism for an individual to 
                revoke consent after it is given.
                    (B) Effect.--After an individual revokes consent, 
                the covered organization shall cease collecting, using, 
                or disclosing the individual's emergency health data as 
                soon as practicable, but in no case later than 15 days 
                after the receipt of the individual's revocation of 
                consent.
                    (C) Destruction.--Not later than 30 days after the 
                receipt of an individual's revocation of consent, a 
                covered organization shall destroy or render not 
                linkable that individuals emergency health data under 
                the same procedures in subsection (f).
    (e) Notice.--A covered organization that collects, uses, or 
discloses emergency health data shall provide to an individual a 
privacy policy that--
            (1) is disclosed in a clear and conspicuous manner, in the 
        language in which the individual typically interacts with the 
        covered organization, prior to or at the point of the 
        collection of emergency health data;
            (2) describes how and for what purposes the covered 
        organization collects, uses, and discloses emergency health 
        data, including the categories of recipients to whom it 
        discloses data and the purpose of disclosure for each category;
            (3) describes the covered organization's data retention and 
        data security policies and practices for emergency health data; 
        and
            (4) describes how an individual may exercise the rights 
        under this Act and how to contact the Commission to file a 
        complaint.
    (f) Public Reporting.--
            (1) In general.--A covered organization that collects, 
        uses, or discloses emergency health data of at least 100,000 
        individuals shall, at least once every 90 days, issue a public 
        report--
                    (A) stating in aggregate terms the number of 
                individuals whose emergency health data the covered 
                organization collected, used, or disclosed to the 
                extent practicable; and
                    (B) describing the categories of emergency health 
                data collected, used, or disclosed, the purposes for 
                which each such category of emergency health data was 
                collected, used, or disclosed, and the categories of 
                third parties to whom it was disclosed.
            (2) Rules of construction.--Nothing in this subsection 
        shall be construed to require a covered organization to--
                    (A) take an action that would convert data that is 
                not emergency health data into emergency health data;
                    (B) collect or maintain emergency health data that 
                the covered organization would otherwise not maintain; 
                or
                    (C) maintain emergency health data longer than the 
                covered organization would otherwise maintain such 
                data.
    (g) Required Data Destruction.--
            (1) In general.--A covered organization may not use or 
        maintain emergency health data of an individual after the later 
        of--
                    (A) the date that is 60 days after the termination 
                of the public health emergency declared by the 
                Secretary on January 31, 2020, pertaining to 
                Coronavirus Disease 2019 (COVID-19) under section 319 
                of the Public Health Service Act (42 U.S.C. 247d) and 
                any renewals thereof;
                    (B) the date that is 60 days after the termination 
                of a public health emergency declared by a governor or 
                chief executive of a State pertaining to Coronavirus 
                Disease 2019 (COVID-19) in which the individual 
                resides; or
                    (C) 60 days after collection.
            (2) Requirement.--For the requirements under paragraph (1), 
        data shall be destroyed or rendered not linkable in such a 
        manner that it is impossible or demonstrably impracticable to 
        identify any individual from the data.
            (3) Relation to certain requirements.--The provisions of 
        this subsection shall not supersede any requirements or 
        authorizations under--
                    (A) the Privacy Act of 1974 (Public Law 93-79);
                    (B) the HIPPA regulations; or
                    (C) Federal or State medical records retention and 
                health privacy laws or regulations, or other applicable 
                Federal or State laws.
    (h) Emergency Data Collected, Used, or Disclosed Before 
Enactment.--
            (1) Initiating a rulemaking.--Not later than 7 days after 
        the date of enactment of this Act, the Commission shall 
        initiate a public rulemaking to promulgate regulations to 
        ensure a covered organization that has collected, used, or 
        disclosed emergency health data before the date of enactment of 
        this Act is in compliance with this Act, to the degree 
        practicable.
            (2) Completing a rulemaking.--The Commission shall complete 
        the rulemaking within 45 days after the date of enactment of 
        this Act.
    (i) Non-Application to Manual Contact Tracing and Case 
Investigation.--Nothing in this Act shall be construed to limit or 
prohibit a public health authority from administering programs or 
activities to identify individuals who have contracted, or may have 
been exposed to, COVID-19 through interviews, outreach, case 
investigation, and other recognized investigatory measures by a public 
health authority or their designated agent by a public health authority 
or their designated agent intended to monitor and mitigate the 
transmission of a disease or disorder.
    (j) Research and Development.--This section shall not be construed 
to prohibit--
            (1) public health or scientific research associated with 
        the COVID-19 public health emergency by--
                    (A) a public health authority;
                    (B) a nonprofit organization, as described in 
                section 501(c)(3) of the Internal Revenue Code of 1986; 
                or
                    (C) an institution of higher education, as such 
                term is defined in section 101 of the Higher Education 
                Act of 1965 (20 U.S.C. 1001); or
            (2) research, development, manufacture, or distribution of 
        a drug, biological product, or vaccine that relates to a 
        disease or disorder that is associated or potentially 
        associated with a public health emergency.
    (k) Legal Requirements.--Notwithstanding subsection (a)(5), nothing 
in this Act shall be construed to prohibit a good faith response to, or 
compliance with, otherwise valid subpoenas, court orders, or other 
legal processes, or to prohibit storage or providing information as 
otherwise required by law.
    (l) Application to HIPAA Covered Entities.--
            (1) In general.--This Act does not apply to a ``covered 
        entity'' or a person acting as a ``business associate'' under 
        the HIPAA regulations (to the extent that such entities or 
        associates are acting in such capacity) or any health care 
        provider.
            (2) Guidance for consistency.--Not later than 30 days after 
        the date of enactment of this Act, the Secretary shall 
        promulgate guidance on the applicability of requirements, 
        similar to those in this section to ``covered entities'' and 
        persons acting as ``business associates'' under the HIPAA 
        regulations. In promulgating such guidance, the Secretary shall 
        reduce duplication of requirements and may exclude a 
        requirement of this section if such requirement is already a 
        requirement of the HIPAA regulations.

SEC. 4. PROTECTING THE RIGHT TO VOTE.

    (a) In General.--A government entity may not, and a covered 
organization may not knowingly facilitate, on the basis of an 
individual's emergency health data, medical condition, or participation 
or non-participation in a program to collect emergency health data--
            (1) deny, restrict, or interfere with the right to vote in 
        a Federal, State, or local election;
            (2) attempt to deny, restrict, or interfere with the right 
        to vote in a Federal, State, or local election; or
            (3) retaliate against an individual for voting in a 
        Federal, State, or local election.
    (b) Civil Action.--In the case of any violation of subsection (a), 
an individual may bring a civil action to obtain appropriate relief 
against a government entity in a Federal district court.

SEC. 5. REPORTS ON CIVIL RIGHTS IMPACTS.

    (a) Report Required.--The Secretary, in consultation with the 
United States Commission on Civil Rights and the Commission, shall 
prepare and submit to Congress reports that examines the civil rights 
impact of the collection, use, and disclosure of health information in 
response to the COVID-19 public health emergency.
    (b) Scope of Report.--Each report required under subsection (a) 
shall, at a minimum--
            (1) evaluate the impact of such practices on civil rights 
        and protections for individuals based on race, color, 
        ethnicity, national origin, religion, sex, gender, gender 
        identity, sexual orientation, age, Tribal affiliation, 
        disability, domicile, employment status, familial status, 
        immigration status, or veteran status;
            (2) analyze the impact, risks, costs, legal considerations, 
        disparate impacts, and other implications to civil rights of 
        policies to incentivize or require the adoption of digital 
        tools or apps used for contact tracing, exposure notification, 
        or health monitoring; and
            (3) include recommendations on preventing and addressing 
        undue or disparate impact, segregation, discrimination, or 
        infringements of civil rights in the collection and use of 
        health information, including during a national health 
        emergency.
    (c) Timing.--
            (1) Initial report.--The Secretary shall submit an initial 
        report under subsection (a) not sooner than 9 months, and not 
        later than 12 months after the date of enactment of this Act.
            (2) Subsequent reports.--The Secretary shall submit reports 
        annually after the initial report required under paragraph (1) 
        until 1 year after the termination of any public health 
        emergency pertaining to Coronavirus Disease 2019 (COVID-19) 
        under section 319 of the Public Health Service Act (42 U.S.C. 
        247d).

SEC. 6. ENFORCEMENT.

    (a) Federal Trade Commission.--
            (1) Unfair or deceptive acts or practices.--A violation of 
        this Act or a regulation promulgated under this Act shall be 
        treated as a violation of a rule defining an unfair or 
        deceptive act or practice under section 18(a)(1)(B) of the 
        Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding 
        unfair or deceptive acts or practices.
            (2) Powers of commission.--The Commission shall enforce 
        this Act and the regulations promulgated under this Act in the 
        same manner, by the same means, and with the same jurisdiction, 
        powers, and duties as though all applicable terms and 
        provisions of the Federal Trade Commission Act (15 U.S.C. 41 et 
        seq.) were incorporated into and made a part of this Act. Any 
        person who violates this Act or a regulation promulgated under 
        this Act shall be subject to the penalties and entitled to the 
        privileges and immunities provided in the Federal Trade 
        Commission Act. Provided, however, that, notwithstanding the 
        requirements of section 16(a) of the Federal Trade Commission 
        Act (15 U.S.C. 56(a)), the Commission shall have the exclusive 
        authority to commence or defend, and supervise the litigation 
        of, any action for a violation of this Act or a regulation 
        promulgated under this Act and any appeal of such action in its 
        own name by any of its attorneys designated by it for such 
        purpose, without first referring the matter to the Attorney 
        General.
            (3) Rulemaking authority.--
                    (A) In general.--The Commission shall have 
                authority under section 553 of title 5, United States 
                Code, to promulgate any regulations necessary to 
                implement this Act.
                    (B) Consultation.--In promulgating any regulations 
                under this Act, the Commission shall consult with the 
                Secretary.
            (4) Common carriers and nonprofit organizations.--
        Notwithstanding section 4, 5(a)(2), or 6 of the Federal Trade 
        Commission Act (15 U.S.C. 44; 45(a)(2); 46) or any 
        jurisdictional limitation of the Commission, the Commission 
        shall also enforce this Act, in the same manner provided in 
        paragraphs (1) and (2) of this paragraph, with respect to--
                    (A) common carriers subject to the Acts to regulate 
                commerce, air carriers, and foreign air carriers 
                subject to part A of subtitle VII of title 49, and 
                persons, partnerships, or corporations insofar as they 
                are subject to the Packers and Stockyards Act, 1921 (7 
                U.S.C. 181 et seq.), except as provided in section 
                406(b) of such Act (7 U.S.C. 227(b)); and
                    (B) organizations not organized to carry on 
                business for their own profit or that of their members.
    (b) Enforcement by States.--
            (1) In general.--In any case in which the attorney general 
        of a State has reason to believe that an interest of the 
        residents of the State has been or is threatened or adversely 
        affected by the engagement of any person subject to this Act in 
        a practice that violates such subsection, the attorney general 
        of the State may, as parens patriae, bring a civil action on 
        behalf of the residents of the State in an appropriate district 
        court of the United States to obtain appropriate relief.
            (2) Rights of the federal trade commission.--
                    (A) Notice to federal trade commission.--
                            (i) In general.--Except as provided in 
                        clause (iii), the attorney general of a State 
                        shall notify the Commission in writing that the 
                        attorney general intends to bring a civil 
                        action under paragraph (1) before initiating 
                        the civil action against a person subject to 
                        this Act.
                            (ii) Contents.--The notification required 
                        by clause (i) with respect to a civil action 
                        shall include a copy of the complaint to be 
                        filed to initiate the civil action.
                            (iii) Exception.--If it is not feasible for 
                        the attorney general of a State to provide the 
                        notification required by clause (i) before 
                        initiating a civil action under paragraph (1), 
                        the attorney general shall notify the 
                        Commission immediately upon instituting the 
                        civil action.
                    (B) Intervention by the federal trade commission.--
                The Commission may--
                            (i) intervene in any civil action brought 
                        by the attorney general of a State under 
                        paragraph (1); and
                            (ii) upon intervening--
                                    (I) be heard on all matters arising 
                                in the civil action; and
                                    (II) file petitions for appeal of a 
                                decision in the civil action.
                    (C) Investigatory powers.--Nothing in this 
                subsection may be construed to prevent the attorney 
                general of a State from exercising the powers conferred 
                on the attorney general by the laws of the State to 
                conduct investigations, to administer oaths or 
                affirmations, or to compel the attendance of witnesses 
                or the production of documentary or other evidence.
            (3) Action by the federal trade commission.--If the 
        Commission institutes a civil action with respect to a 
        violation of this Act, the attorney general of a State may not, 
        during the pendency of such action, bring a civil action under 
        paragraph (1) of this subsection against any defendant named in 
        the complaint of the Commission for the violation with respect 
        to which the Commission instituted such action.
            (4) Venue; service of process.--
                    (A) Venue.--Any action brought under paragraph (1) 
                may be brought in--
                            (i) the district court of the United States 
                        that meets applicable requirements relating to 
                        venue under section 1391 of title 28, United 
                        States Code; or
                            (ii) another court of competent 
                        jurisdiction.
                    (B) Service of process.--In an action brought under 
                paragraph (1), process may be served in any district in 
                which the defendant--
                            (i) is an inhabitant; or
                            (ii) may be found.
                    (C) Actions by other state officials.--
                            (i) In general.--In addition to civil 
                        actions brought by attorneys general under 
                        paragraph (1), any other officer of a State who 
                        is authorized by the State to do so may bring a 
                        civil action under paragraph (1), subject to 
                        the same requirements and limitations that 
                        apply under this subsection to civil actions 
                        brought by attorneys general.
                            (ii) Savings provision.--Nothing in this 
                        subsection may be construed to prohibit an 
                        authorized official of a State from initiating 
                        or continuing any proceeding in a court of the 
                        State for a violation of any civil or criminal 
                        law of the State.
    (c) Private Right of Action.--
            (1) Enforcement by individuals.--
                    (A) In general.--Any individual alleging a 
                violation of this Act may bring a civil action in any 
                court of competent jurisdiction, State or Federal.
                    (B) Relief.--In a civil action brought under 
                paragraph (1) in which the plaintiff prevails, the 
                court may award--
                            (i) an amount not less than $100 and not 
                        greater than $1,000 per violation against any 
                        person who negligently violates a provision of 
                        this Act;
                            (ii) an amount not less than $500 and not 
                        greater than $5,000 per violation against any 
                        person who recklessly, willfully, or 
                        intentionally violates a provision of this Act;
                            (iii) reasonable attorney's fees and 
                        litigation costs; and
                            (iv) any other relief, including equitable 
                        or declaratory relief, that the court 
                        determines appropriate.
                    (C) Injury in fact.--A violation of this Act with 
                respect to the emergency health data of an individual 
                constitutes a concrete and particularized injury in 
                fact to that individual.
            (2) Invalidity of pre-dispute arbitration agreements and 
        pre-dispute joint action waivers.--
                    (A) In general.--Notwithstanding any other 
                provision of law, no pre-dispute arbitration agreement 
                or pre-dispute joint action waiver shall be valid or 
                enforceable with respect to a dispute arising under 
                this Act.
                    (B) Applicability.--Any determination as to whether 
                or how this subsection applies to any dispute shall be 
                made by a court, rather than an arbitrator, without 
                regard to whether such agreement purports to delegate 
                such determination to an arbitrator.
                    (C) Definitions.--In this subsection:
                            (i) The term ``pre-dispute arbitration 
                        agreement'' means any agreement to arbitrate a 
                        dispute that has not arisen at the time of 
                        making the agreement.
                            (ii) The term ``pre-dispute joint-action 
                        waiver'' means an agreement, whether or not 
                        part of a pre-dispute arbitration agreement, 
                        that would prohibit, or waive the right of, one 
                        of the parties to the agreement to participate 
                        in a joint, class, or collective action in a 
                        judicial, arbitral, administration, or other 
                        forum, concerning a dispute that has not yet 
                        arisen at the time of making the agreement.
                            (iii) The term ``dispute'' means any claim 
                        related to an alleged violation of this Act and 
                        between an individual and a covered 
                        organization.

SEC. 7. NONPREEMPTION.

    Nothing in this Act shall preempt or supersede, or be interpreted 
to preempt or supersede, any Federal or State law or regulation, or 
limit the authority of the Commission or the Secretary under any other 
provision of law.

SEC. 8. EFFECTIVE DATE.

    (a) In General.--This Act shall apply beginning on the date that is 
30 days after the date of enactment of this Act.
    (b) Authority To Promulgate Regulations and Take Certain Other 
Actions.--Nothing in subsection (a) affects--
            (1) the authority of any person to take an action expressly 
        required by a provision of this Act before the effective date 
        described in such subsection; or
            (2) the authority of the Commission to promulgate 
        regulations to implement this Act or begin a rulemaking to 
        promulgate such regulations.
                                 <all>