[Congressional Record Volume 145, Number 58 (Tuesday, April 27, 1999)]
[Senate]
[Pages S4257-S4266]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. BENNETT (for himself, Mr. Mack, Mr. Murkowski, and Mr. 
        Santorum):
  S. 881. A bill to ensure confidentiality with respect to medical 
records and health care-related information, and for other purposes; to 
the Committee on Health, Education, Labor, and Pensions.


             THE MEDICAL INFORMATION PROTECTION ACT OF 1999

  Mr. BENNETT. Mr. President, I rise today to introduce the Medical 
Information Protection Act of 1999. Trying to find the right balance 
between legitimate uses of health care data and the need for privacy 
has been a very difficult road to go down; however, I feel that great 
progress has been made and that the legislation that I am introducing 
strikes the right balance between the desire the patient has for 
increased confidentiality and the need our health care system has for 
information that will enable it to provide a higher quality of care. I 
am pleased that Senators Mack, Murkowski and Santorum have joined me as 
co-sponsors of this legislation and I am hopeful that a number of other 
senators will soon join us as well. In addition, I am pleased to 
include in the record a list of groups that have come out in support of 
this legislation. I am grateful for the many comments and suggestions I 
have received from a wide variety of organizations and individuals.
  Most of us wrongly assume that our personal health information is 
protected under federal law. It is not. Federal law protects the 
confidentiality of our video rental records, and federal law ensures us 
access to information about us such as our credit history. However, 
there is no current federal law which will protect the confidentiality 
of our medical information against unauthorized use and ensure us 
access to that same sensitive information about us. This is a 
circumstance that I believe should and must change.
  At this time, the only protection of an individual's personal medical 
information is under state law. These state laws, where they exist, are 
incomplete, inconsistent and in most cases inadequate. At last check, 
there were approximately 35 states with 35 unique laws governing the 
use and disclosure of medical information. Even in those states where 
there are existing laws, there is no penalty for releasing and 
disseminating the most private information about our health and the 
health care we have received.

  As our health care delivery systems continue to expand across state 
lines, efficiency, research advances and the delivery of the highest 
quality of care possible depend upon the flow of information. This year 
alone, a large number of states have either considered passing new 
legislation or have attempted to modify existing laws. As states act to 
meet the concerns of their residents, the patchwork of state laws 
becomes ever more complex. If this trend continues, the high quality 
care and research breakthroughs we have come to expect and demand from 
our health care system would be jeopardized because health care 
organizations would be forced to track and comply with multiple, 
conflicting and increasingly complex state laws.
  Clearly, in today's world, health information must be permitted to 
flow across state lines if we are to expect the highest level of health 
care. For example, in Utah, Intermountain Health Care (IHC), the 
largest care provider based in my state, also provides care in four 
other western states. IHC currently maintains secure databases of 
patient information which each of its member facilities in Utah, 
Nevada, Idaho and Wyoming draw upon to provide and improve care. 
Requiring them to comply with multiple state laws does not add to the 
quality of health care they provide, but does add to the cost of health 
care they provide. Many IHC patients live in one state yet their 
closest hospital, clinic or physician's office is in another state. I am 
sure this example appears throughout the country in one form or another 
given the consolidation of the health care industry and the large 
percentage of us who live near state lines.
  In addition, we are seeing an emergence of telemedicine and health 
care services over the internet that adds another degree of complexity 
to this entire circumstance. Technology is not only improving the 
quality of care and improving patient access to services, it is also 
making the need for one strong federal law more critical. The majority 
of providers, insurers, health care professionals, researchers and 
patients agree that there is an increasingly urgent need for uniformity 
in our laws that govern access to and disclosure of personal health 
information.
  Mr. President, I remind my colleagues that if we do not act by August 
of 1999 the Health Insurance Portability and Accountability Act of 1996 
(HIPAA) requires the Secretary of Health and Human Services (HHS) to 
put into place regulations governing health information in an 
electronic format. Thus, we could have a circumstance where paper based 
records and electronic based records are treated differently. I do not 
believe Congress wants to protect one form of medical records and not 
another, and I do not think that we should permit the Secretary of 
Health and Human Services to implement regulations without further 
direction from the Congress. Congress should not neglect its 
responsibility and duty to legislate and provide appropriate direction 
to the executive branch. I urge my colleagues to work with me to pass 
legislation that would give HHS clear direction and provide each 
American with greater protection of their health information.
  Mr. President, I ask unanimous consent that the bill and a list of 
groups supporting this legislation be included in the Record.
  There being no objection, the material was ordered to be printed in 
the Record, as follows:

                                 S. 881

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

       (a) Short Title.--This Act may be cited as the ``Medical 
     Information Protection Act of 1999''.
       (b) Table of Contents.--The table of contents for this Act 
     is as follows:

Sec. 1. Short title; table of contents.
Sec. 2. Findings.
Sec. 3. Purposes.
Sec. 4. Definitions.

                      TITLE I--INDIVIDUAL'S RIGHTS

 Subtitle A--Review of Protected Health Information by Subjects of the 
                              Information

Sec. 101. Inspection and copying of protected health information.
Sec. 102. Amendment of protected health information.
Sec. 103. Notice of confidentiality practices.

                Subtitle B--Establishment of Safeguards

Sec. 111. Establishment of safeguards.
Sec. 112. Accounting for disclosures.

              TITLE II--RESTRICTIONS ON USE AND DISCLOSURE

Sec. 201. General rules regarding use and disclosure.
Sec. 202. Procurement of authorizations for use and disclosure of 
              protected health information for treatment, payment, and 
              health care operations.
Sec. 203. Authorizations for use or disclosure of protected health 
              information other than for treatment, payment, and health 
              care operations.
Sec. 204. Next of kin and directory information.
Sec. 205. Emergency circumstances.
Sec. 206. Oversight.
Sec. 207. Public health.
Sec. 208. Health research.
Sec. 209. Disclosure in civil, judicial, and administrative procedures.
Sec. 210. Disclosure for law enforcement purposes.
Sec. 211. Payment card and electronic payment transaction. 
Sec. 212. Individual representatives.
Sec. 213. No liability for permissible disclosures.
Sec. 214. Sale of business, mergers, etc.

                          TITLE III--SANCTIONS

                    Subtitle A--Criminal Provisions

Sec. 301. Wrongful disclosure of protected health information.

                      Subtitle B--Civil Sanctions

Sec. 311. Civil penalty violation.
Sec. 312. Procedures for imposition of penalties.
Sec. 313. Enforcement by State insurance commissioners.

                        TITLE IV--MISCELLANEOUS

Sec. 401. Relationship to other laws.
Sec. 402. Conforming amendment.
Sec. 403. Study by Institute of Medicine.
Sec. 405. Effective date.

     SEC. 2. FINDINGS.

       The Congress finds that--
       (1) individuals have a right of confidentiality with 
     respect to their personal health information and records;
       (2) with respect to information about medical care and 
     health status, the traditional right of confidentiality is at 
     risk;
       (3) an erosion of the right of confidentiality may reduce 
     the willingness of patients to confide in physicians and 
     other practitioners, thus jeopardizing quality health care;
       (4) an individual's confidentiality right means that an 
     individual's consent is needed to disclose his or her 
     protected health information, except in limited circumstances 
     required by the public interest;
       (5) any disclosure of protected health information should 
     be limited to that information or portion of the medical 
     record necessary to fulfill the purpose of the disclosure;
       (6) the availability of timely and accurate personal health 
     data for the delivery of health care services throughout the 
     Nation is needed;
       (7) personal health care data is essential for medical 
     research;
       (8) public health uses of personal health data are critical 
     to both personal health as well as public health; and
       (9) confidentiality of an individual's health information 
     must be assured without jeopardizing the pursuit of clinical 
     and epidemiological research undertaken to improve health 
     care and health outcomes and to assure the quality and 
     efficiency of health care.

     SEC. 3. PURPOSES.

       The purpose of this Act is to--
       (1) establish strong and effective mechanisms to protect 
     against the unauthorized and inappropriate disclosure of 
     protected health information that is created or maintained as 
     part of health care treatment, diagnosis, enrollment, 
     payment, plan administration, testing, or research processes;
       (2) promote the efficiency and security of the health 
     information infrastructure so that members of the health care 
     community may more effectively exchange and transfer health 
     information in a manner that will ensure the confidentiality 
     of protected health information without impeding the delivery 
     of high quality health care; and
       (3) establish strong and effective remedies for violations 
     of this Act.

     SEC. 4. DEFINITIONS.

       As used in this Act:
       (1) Accrediting body.--The term ``accrediting body'' means 
     a national body, committee, organization, or institution 
     (such as the Joint Commission on Accreditation of Health Care 
     Organizations or the National Committee for Quality 
     Assurance) that has been authorized by law or is recognized 
     by a health care regulating authority as an accrediting 
     entity or any other entity that has been similarly authorized 
     or recognized by law to perform specific accreditation, 
     licensing or credentialing activities.
       (2) Agent.--The term ``agent'' means a person, including a 
     contractor, who represents and acts for another under the 
     contract or relation of agency, or whose function is to bring 
     about, modify, effect, accept performance of, or terminate 
     contractual obligations between the principal and a third 
     person.
       (3) Common rule.--The term ``common rule'' means the 
     Federal policy for protection of human subjects from research 
     risks originally published as 56 Federal Register 28.025 
     (1991) as adopted and implemented by a Federal department or 
     agency.
       (4) Disclose and disclosure.--
       (A) Disclose.--The term ``disclose'' means to release, 
     transfer, provide access to, or otherwise divulge protected 
     health information to any person other than the individual 
     who is the subject of such information.
       (B) Disclosure.--
       (i) In general.--The term ``disclosure'' refers to a 
     release, transfer, provision for access to, or communication 
     of information as described in subparagraph (A).
       (ii) Use.--The use of protected health information by an 
     authorized person and its agents shall not be considered a 
     disclosure for purposes of this Act if the use is consistent 
     with the purposes for which the information was lawfully 
     obtained. Using or providing access to health information in 
     the form of nonidentifiable health information shall not be 
     construed as a disclosure of protected health information.
       (5) Employer.--The term ``employer'' has the meaning given 
     such term under section 3(5) of the Employee Retirement 
     Income Security Act of 1974 (29 U.S.C. 1002(5)), except that 
     such term shall include only employers of two or more 
     employees.
       (6) Health care.--The term ``health care'' means--
       (A) preventive, diagnostic, therapeutic, rehabilitative, 
     maintenance, or palliative care, including appropriate 
     assistance with disease or symptom management and 
     maintenance, counseling, assessment, service, or procedure--
       (i) with respect to the physical or mental condition of an 
     individual; or
       (ii) affecting the structure or function of the human body 
     or any part of the human body, including the banking of 
     blood, sperm, organs, or any other tissue; or
       (B) pursuant to a prescription or medical order any sale or 
     dispensing of a drug, device, equipment, or other health care 
     related item to an individual, or for the use of an 
     individual.
       (7) Health care operations.--The term ``health care 
     operations'' means services provided by or on behalf of a 
     health plan or health care provider for the purpose of 
     carrying out the management functions of a health care 
     provider or health plan, or implementing the terms of a 
     contract for health plan benefits, including--
       (A) coordinating health care, including health care 
     management of the individual through risk assessment and case 
     management;
       (B) conducting quality assessment and improvement 
     activities, including outcomes evaluation, clinical guideline 
     development, and improvement;
       (C) reviewing the competence or qualifications of health 
     care professionals, evaluating provider performance, and 
     conducting health care education, accreditation, 
     certification, licensing, or credentialing activities;
       (D) carrying out utilization review activities, including 
     precertification and preauthorization of services, and health 
     plan rating and insurance activities, including underwriting, 
     experience rating and reinsurance; and
       (E) conducting or arranging for auditing services, 
     including fraud detection and compliance programs.
       (8) Health care provider.--The term ``health care 
     provider'' means a person, who with respect to a specific 
     item of protected health information, receives, creates, 
     uses, maintains, or discloses the information while acting in 
     whole or in part in the capacity of--
       (A) a person who is licensed, certified, registered, or 
     otherwise authorized by Federal or State law to provide an 
     item or service that constitutes health care in the ordinary 
     course of business, or practice of a profession;
       (B) a Federal, State, employer sponsored or other privately 
     sponsored program that directly provides items or services 
     that constitute health care to beneficiaries; or
       (C) an officer or employee of a person described in 
     subparagraph (A) or (B).
       (9) Health oversight agency.--The term ``health oversight 
     agency'' means a person who, with respect to a specific item 
     of protected health information, receives, creates, uses, 
     maintains, or discloses the information while acting in whole 
     or in part in the capacity of--
       (A) a person who performs or oversees the performance of an 
     assessment, evaluation, determination, or investigation, 
     relating to the licensing, accreditation, certification, or 
     credentialing of health care providers; or
       (B) a person who--
       (i) performs or oversees the performance of an audit, 
     assessment, evaluation, determination, or investigation 
     relating to the effectiveness of, compliance with, or 
     applicability of, legal, fiscal, medical, or scientific 
     standards or aspects of performance related to the delivery 
     of health care; and
       (ii) is a public agency, acting on behalf of a public 
     agency, acting pursuant to a requirement of a public agency, 
     or carrying out activities under a Federal or State law 
     governing the assessment, evaluation, determination, 
     investigation, or prosecution described in subparagraph (A).
       (10) Health plan.--The term ``health plan'' means any 
     health insurance issuer, health insurance plan, including any 
     hospital or medical service plan, dental or other health 
     service plan or health maintenance organization plan, 
     provider sponsored organization, or other program providing 
     or arranging for the provision of health benefits. Such term 
     does not include any policy, plan or program to the extent 
     that it provides, arranges or administers health benefits 
     pursuant to a program of workers compensation or automobile 
     insurance.
       (11) Health research and health researcher.--
       (A) Health research.--The term ``health research'' means a 
     systematic investigation of health (including basic 
     biological processes and structures), health care, or its 
     delivery and financing, including research development, 
     testing and evaluation, designed to develop or contribute to 
     generalizable knowledge concerning human health, health care, 
     or health care delivery.
       (B) Health researcher.--The term ``health researcher'' 
     means a person involved in health research, or an officer, 
     employee, or agent of such person.
       (12) Key.--The term ``key'' means a method or procedure 
     used to transform nonidentifiable health information that is 
     in a coded or encrypted form into protected health 
     information.
       (13) Law enforcement inquiry.--The term ``law enforcement 
     inquiry'' means a lawful investigation or official proceeding 
     inquiring into a violation of, or failure to comply with, any 
     criminal or civil statute or any regulation, rule, or order 
     issued pursuant to such a statute.
       (14) Life insurer.--The term ``life insurer'' means life 
     insurance company as defined in section 816 of the Internal 
     Revenue Code of 1986.
       (15) Nonidentifiable health information.--The term 
     ``nonidentifiable health information'' means protected health 
     information from which personal identifiers, that directly 
     reveal the identity of the individual who is the subject of 
     such information or provide a direct means of identifying the 
     individual (such as name, address, and social security 
     number), have been removed, encrypted, or replaced with a 
     code, such that the identity of the individual is not evident 
     without (in the case of encrypted or coded information) use 
     of key.
       (16) Originating provider.--The term ``originating 
     provider'' means a health care provider who initiates a 
     treatment episode, such as prescribing a drug, ordering a 
     diagnostic test, or admitting an individual to a health care 
     facility. A hospital or nursing facility is the originating 
     provider with respect to protected health information created 
     or received as part of inpatient or outpatient treatment 
     provided in such settings.
       (17) Payment.--The term ``payment'' means--
       (A) the activities undertaken by--
       (i) or on behalf of a health plan to determine its 
     responsibility for coverage under the plan; or
       (ii) a health care provider to obtain payment for items or 
     services provided to an individual, provided under a health 
     plan, or provided based on a determination by the health plan 
     of responsibility for coverage under the plan; and
       (B) activities undertaken as described in subparagraph (A) 
     including--
       (i) billing, claims management, medical data processing, 
     other administrative services, and actual payment;
       (ii) determinations of coverage or adjudication of health 
     benefit or subrogation claims; and
       (iii) review of health care services with respect to 
     coverage under a health plan or justification of charges.
       (18) Person.--The term ``person'' means a government, 
     governmental subdivision, agency or authority; corporation; 
     company; association; firm; partnership; society; estate; 
     trust; joint venture; individual; individual representative; 
     tribal government; and any other legal entity.
       (19) Protected health information.--The term ``protected 
     health information'' with respect to the individual who is 
     the subject of such information means any information which 
     identifies such individual, whether oral or recorded in any 
     form or medium, that--
       (A) is created or received by a health care provider, 
     health plan, health oversight agency, public health 
     authority, employer, life insurer, school or university;
       (B) relates to the past, present, or future physical or 
     mental health or condition of an individual (including 
     individual cells and their components);
       (C) is derived from--
       (i) the provision of health care to the individual; or
       (ii) payment for the provision of health care to the 
     individual; and
       (D) is not nonidentifiable health information.
       (20) Public health authority.--The term ``public health 
     authority'' means an authority or instrumentality of the 
     United States, a tribal government, a State, or a political 
     subdivision of a State that is--
       (A) primarily responsible for health or welfare matters; 
     and
       (B) primarily engaged in activities such as incidence 
     reporting, public health surveillance, and investigation or 
     intervention.
       (21) School or university.--The term ``school or 
     university'' means an institution or place accredited or 
     licensed for purposes of providing for instruction or 
     education, including an elementary school, secondary school, 
     or institution of higher learning, a college, or an 
     assemblage of colleges united under one corporate 
     organization or government.
       (22) Secretary.--The term ``Secretary'' means the Secretary 
     of Health and Human Services.
       (23) Signed.--The term ``signed'' refers to documentation 
     of assent in any medium, whether ink, digital or biometric 
     signatures, or recorded oral authorizations.
       (24) State.--The term ``State'' includes the District of 
     Columbia, Puerto Rico, the Virgin Islands, Guam, American 
     Samoa, and the Northern Mariana Islands.
       (25) Treatment.--The term ``treatment'' means the provision 
     of health care by a health care provider.
       (26) Writing and written.--
       (A) Writing.--The term ``writing'' means any form of 
     documentation, whether paper, electronic, digital, biometric 
     or tape recorded.
       (B) Written.--The term ``written'' includes paper, 
     electronic, digital, biometric and tape-recorded formats.

                      TITLE I--INDIVIDUAL'S RIGHTS

 Subtitle A--Review of Protected Health Information by Subjects of the 
                              Information

     SEC. 101. INSPECTION AND COPYING OF PROTECTED HEALTH 
                   INFORMATION.

       (a) General Rules.--
       (1) Compliance with section.--At the request of an 
     individual who is the subject of protected health information 
     and except as provided in subsection (c), a health care 
     provider, a health plan, employer, life insurer, school, or 
     university shall arrange for inspection or copying of 
     protected health information concerning the individual, 
     including records created under section 102, as provided for 
     in this section.
       (2) Availability of information through originating 
     provider.--Protected health information that is created or 
     received by a health plan or health care provider as part of 
     treatment or payment shall be made available for inspection 
     or copying as provided for in this title through the 
     originating provider.
       (3) Other entities.--An employer, life insurer, school, or 
     university that creates or receives protected health 
     information in performing any function other than providing 
     treatment, payment, or health care operations with respect to 
     the individual who is the subject of such information, shall 
     make such information available for inspection or copying as 
     provided for in this title, or through any provider 
     designated by the individual.
       (4) Procedures.--The person providing access to information 
     under this title may set forth appropriate procedures to be 
     followed for such inspection or copying and may require an 
     individual to pay reasonable costs associated with such 
     inspection or copying.
       (b) Special Circumstances.--If an originating provider, its 
     agent, or contractor no longer maintains the protected health 
     information sought by an individual pursuant to subsection 
     (a), a health plan or another health care provider that 
     maintains such information shall arrange for inspection or 
     copying.
       (c) Exceptions.--Unless ordered by a court of competent 
     jurisdiction, a person acting pursuant to subsection (a) or 
     (b) is not required to permit the inspection or copying of 
     protected health information if any of the following 
     conditions are met:
       (1) Endangerment to life or safety.--The person determines 
     that the disclosure of the information could reasonably be 
     expected to endanger the life or physical safety of any 
     individual.
       (2) Confidential source.--The information identifies, or 
     could reasonably lead to the identification of, a person who 
     provided information under a promise of confidentiality to a 
     health care provider concerning the individual who is the 
     subject of the information.
       (3) Information compiled in anticipation of or in 
     connection with a fraud investigation or litigation.--The 
     information is compiled principally--
       (A) in anticipation of or in connection with a fraud 
     investigation, an investigation of material misrepresentation 
     in connection with an insurance policy, a civil, criminal, or 
     administrative action or proceeding; or
       (B) for use in such action or proceeding.
       (4) Investigational information.--The protected health 
     information was created, received or maintained by a health 
     researcher as provided in section 208.
       (d) Denial of a Request for Inspection or Copying.--If a 
     person described in subsection (a) or (b) denies a request 
     for inspection or copying pursuant to subsection (c), the 
     person shall inform the individual in writing of--
       (1) the reasons for the denial of the request for 
     inspection or copying;
       (2) the availability of procedures for further review of 
     the denial; and
       (3) the individual's right to file with the person a 
     concise statement setting forth the request for inspection or 
     copying.
       (e) Statement Regarding Request.--If an individual has 
     filed a statement under subsection (d)(3), the person in any 
     subsequent disclosure of the portion of the information 
     requested under subsection (a) or (b)--
       (1) shall include a notation concerning the individual's 
     statement; and
       (2) may include a concise statement of the reasons for 
     denying the request for inspection or copying.
       (f) Inspection and Copying of Segregable Portion.--A person 
     described in subsection (a) or (b) shall permit the 
     inspection and copying of any reasonably segregable portion 
     of a record after deletion of any portion that is exempt 
     under subsection (c).
       (g) Deadline.--A person described in subsection (a) or (b) 
     shall comply with or deny, in accordance with subsection (d), 
     a request for inspection or copying of protected health 
     information under this section not later than 60 days after 
     the date on which the person receives the request.
       (h) Rules of Construction.--
       (1) Agents.--An agent of a person described in subsection 
     (a) or (b) shall not be required to provide for the 
     inspection and copying of protected health information, 
     except where--
       (A) the protected health information is retained by the 
     agent; and
       (B) the agent has been asked in writing by the person 
     involved to fulfill the requirements of this section.
       (2) No requirement for hearing.--This section shall not be 
     construed to require a person described in subsection (a) or 
     (b) to conduct a formal, informal, or other hearing or 
     proceeding concerning a request for inspection or copying of 
     protected health information.

     SEC. 102. AMENDMENT OF PROTECTED HEALTH INFORMATION.

       (a) Right to amend.--
       (1) In general.--Protected health information shall be 
     subject to amendment as provided for in this section.
       (2) Compliance with request.--Except as provided in 
     subsection (c), not later than 45 days after the date on 
     which an originating provider, employer, life insurer, 
     school, or university receives from an individual a request 
     in writing to amend protected health information, such person 
     shall--
       (A) make the amendment requested;
       (B) inform the individual of the amendment that has been 
     made; and
       (C) inform any person identified by the individual in the 
     request for amendment and--
       (i) who is not an officer, employee, or agent of the 
     person; and
       (ii) to whom the unamended portion of the information was 
     disclosed within the previous year by sending a notice to the 
     individual's last known address that there has been a 
     substantive amendment to the protected health information of 
     such individual.
       (b) Request of Originating Providers.--
       (1) In general.--Protected health information that is 
     created or received by a health plan or health care provider 
     as part of treatment or payment shall be subject to amendment 
     as provided for in this section upon a written request made 
     to the originating provider.
       (2) Special circumstances.--If an originating provider, its 
     agent, or contractor no longer maintains the protected health 
     information sought to be amended by an individual pursuant to 
     paragraph (1), a health plan or another health care provider 
     that maintains such information may arrange for amendment 
     consistent with this section.
       (c) Refusal To Amend.--If a person described in subsection 
     (a)(2) refuses to make the amendment requested under such 
     subsection, the person shall inform the individual in writing 
     of--
       (1) the reasons for the refusal to make the amendment;
       (2) the availability of procedures for further review of 
     the refusal; and
       (3) the procedures by which the individual may file with 
     the person a concise statement setting forth the requested 
     amendment and the individual's reasons for disagreeing with 
     the refusal.
       (d) Statement of Disagreement.--If an individual has filed 
     a statement of disagreement under subsection (c)(3), the 
     person involved, in any subsequent disclosure of the disputed 
     portion of the information--
       (1) shall include a notation concerning the individual's 
     statement; and
       (2) may include a concise statement of the reasons for not 
     making the requested amendment.
       (e) Rules Governing Agents.--The agent of a person 
     described in subsection (a)(2) shall not be required to make 
     amendments to protected health information, except where--
       (1) the protected health information is retained by the 
     agent; and
       (2) the agent has been asked in writing by such person to 
     fulfill the requirements of this section.
       (f) Repeated Requests for Amendments.--If a person 
     described in subsection (a)(2) receives a request for an 
     amendment of information as provided for in such subsection 
     and a statement of disagreement has been filed pursuant to 
     subsection (d), the person shall inform the individual of 
     such filing and shall not be required to carry out the 
     procedures required under this section.
       (g) Rules of Construction.--This section shall not be 
     construed to--
       (1) require that a person described in subsection (a)(2) 
     conduct a formal, informal, or other hearing or proceeding 
     concerning a request for an amendment to protected health 
     information;
       (2) require a provider to amend an individual's protected 
     health information as to the type, duration, or quality of 
     treatment the individual believes he or she should have been 
     provided; or
       (3) permit any deletions or alterations of the original 
     information.

     SEC. 103. NOTICE OF CONFIDENTIALITY PRACTICES.

       (a) Preparation of Written Notice.--A health care provider, 
     health plan, health oversight agency, public health 
     authority, employer, life insurer, health researcher, school, 
     or university shall post or provide, in writing and in a 
     clear and conspicuous manner, notice of the person's 
     confidentiality practices, that shall include--
       (1) a description of an individual's rights with respect to 
     protected health information;
       (2) the uses and disclosures of protected health 
     information authorized under this Act;
       (3) the procedures for authorizing disclosures of protected 
     health information and for revoking such authorizations;
       (4) the procedures established by the person for the 
     exercise of the individual's rights; and
       (5) the right to obtain a copy of the notice of the 
     confidentiality practices required under this Act.
       (b) Model Notice.--The Secretary, after notice and 
     opportunity for public comment, shall develop and disseminate 
     model notices of confidentiality practices, using the advice 
     of the National Committee on Vital Health Statistics, for use 
     under this section. Use of the model notice shall serve as an 
     absolute defense against claims of receiving inappropriate 
     notice.

                Subtitle B--Establishment of Safeguards

     SEC. 111. ESTABLISHMENT OF SAFEGUARDS.

       (a) In General.--A health care provider, health plan, 
     health oversight agency, public health authority, employer, 
     life insurer, health researcher, law enforcement official, 
     school, or university shall establish and maintain 
     appropriate administrative, technical, and physical 
     safeguards to protect the confidentiality, security, 
     accuracy, and integrity of protected health information 
     created, received, obtained, maintained, used, transmitted, 
     or disposed of by such person.
       (b) Fundamental Safeguards.--The safeguards established 
     pursuant to subsection (a) shall address the following 
     factors:
       (1) The purpose for which protected health information is 
     needed and whether that purpose can be accomplished with 
     nonidentifiable health information.
       (2) Appropriate procedures for maintaining the security of 
     protected health information and assuring the appropriate use 
     of any key used in creating nonidentifiable health 
     information.
       (3) The categories of personnel who will have access to 
     protected health information and appropriate training, 
     supervision and sanctioning of such personnel with respect to 
     their use of protected health information and adherence to 
     established safeguards.
       (4) Appropriate limitations on access to individual 
     identifiers.
       (5) Appropriate mechanisms for limiting disclosures of 
     protected information to the information necessary to respond 
     to the request for disclosure.
       (6) Procedures for handling requests for protected health 
     information by persons other than the individual who is the 
     subject of such information, including relatives and 
     affiliates of such individual, law enforcement officials, 
     parties in civil litigation, health care providers, and 
     health plans.

     SEC. 112. ACCOUNTING FOR DISCLOSURES.

       (a) In General.--A health care provider, health plan, 
     health oversight agency, public health authority, employer, 
     life insurer, health researcher, law enforcement official, 
     school, or university shall establish and maintain a process 
     for documenting the disclosure of protected health 
     information by any such person through the recording of the 
     name and address of the recipient of the information, or 
     through the recording of another means of contacting the 
     recipient, and the purpose of the disclosure.
       (b) Record of Disclosure.--A record (or other means of 
     documentation) established under subsection (a) shall be 
     maintained for not less than 7 years.
       (c) Identification of Disclosed Information as Protected 
     Health Information.--Except as otherwise provided in this 
     title, protected health information shall be clearly 
     identified as protected health information that is subject to 
     this Act.

              TITLE II--RESTRICTIONS ON USE AND DISCLOSURE

     SEC. 201. GENERAL RULES REGARDING USE AND DISCLOSURE.

       (a) Disclosure Prohibited.--A health care provider, health 
     plan, health oversight agency, public health authority, 
     employer, life insurer, health researcher, law enforcement 
     official, school, or university, or any agents of such a 
     person, may not disclose protected health information except 
     as authorized under this Act or as authorized by the 
     individual who is the subject of such information.
       (b) Applicability to Agents.--
       (1) In general.--A person described in subsection (a) may 
     use an agent, including a contractor, to carry out an 
     otherwise lawful activity using protected health information 
     maintained by such person if the person specifies the 
     activities for which the agent is authorized to use such 
     protected health information and prohibits the agent from 
     using or disclosing protected health information for purposes 
     other than carrying out the specified activities.
       (2) Limitation on liability.--Notwithstanding any other 
     provision of this Act, a person who has limited the 
     activities of an agent as provided for in paragraph (1), 
     shall not be liable for the actions or disclosures of the 
     agent that are not in fulfillment of those activities.
       (3) Limitations on agents.--An agent who receives protected 
     health information from a person described in subsection (a) 
     shall, in its own right, be subject to the applicable 
     provisions of this Act.
       (c) Applicability to Employers.--
       (1) In general.--An employer may use an employee or agent 
     to create, receive, or maintain protected health information 
     in order to carry out an otherwise lawful activity so long 
     as--
       (A) the disclosure of the protected employee health 
     information within the entity is compatible with the purpose 
     for which the information was obtained and limited to 
     information necessary to accomplish the purpose of the 
     disclosure; and
       (B) the employer prohibits the release, transfer or 
     communication of the protected health information to 
     officers, employees, or agents responsible for hiring, 
     promotion, and making work assignment decisions with respect 
     to the subject of the information.
       (2) Determination.--For purposes of paragraph (1)(A), the 
     determination of what constitutes information necessary to 
     accomplish the purpose for which the information is obtained 
     shall be made by a health care provider, except in situations 
     involving payment for health plan operations undertaken by 
     the employer.
       (d) Creation of Nonidentifiable Health Information.--A 
     person described in subsection (a) may use protected health 
     information for the purpose of creating nonidentifiable 
     health information.
       (e) Individual Authorization.--To be valid, an 
     authorization to disclose protected health information under 
     this title shall--
       (1) identify the individual who is the subject of the 
     protected health information;
       (2) describe the nature of the information to be disclosed;
       (3) identify the type of person to whom the information is 
     to be disclosed;
       (4) describe the purpose of the disclosure;
       (5) be subject to revocation by the individual and indicate 
     that the authorization is valid until revocation by the 
     individual; and
       (6) be in writing, dated, and signed by the individual, a 
     family member or other authorized representative.
       (f) Manipulation of Nonidentifiable Health Information.--
     Any person who manipulates nonidentifiable health information 
     in order to identify an individual, or uses a key to identify 
     an individual without authorization, is deemed to have 
     disclosed protected health information.

     SEC. 202. PROCUREMENT OF AUTHORIZATIONS FOR USE AND 
                   DISCLOSURE OF PROTECTED HEALTH INFORMATION FOR 
                   TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS.

       (a) Authorizations.--
       (1) In general.--With respect to each individual, a single 
     authorization that substantially complies with section 201(e) 
     must be secured to permit the use and disclosure of protected 
     health information concerning such individual for treatment, 
     payment, and health care operations, as provided for in this 
     subsection.
       (2) Employers.--Every employer offering a health plan to 
     its employees shall, at the time of, and as a condition of 
     enrollment in the health plan, obtain a signed, written 
     authorization that is a legal, informed authorization 
     concerning the use and disclosure of protected health 
     information for treatment, payment, and health care 
     operations with respect to each individual who is eligible to 
     receive care under the health plan.
       (3) Health plans.--Every health plan offering enrollment to 
     individuals or non-employer groups shall, at the time of, and 
     as a condition of enrollment in the health plan, obtain a 
     signed, written authorization that is a legal, informed 
     authorization concerning the use and disclosure of protected 
     health information for treatment, payment, and health care 
     operations, with respect to each individual who is eligible 
     to receive care under the plan.
       (4) Uninsured.--An originating provider providing health 
     care to an uninsured individual, shall obtain a signed, 
     written authorization to use and disclose protected health 
     information with respect to such individual for treatment, 
     payment, and health care operations of such provider, and in 
     arranging for treatment and payment from other providers.
       (5) Providers.--Any health care provider providing health 
     care to an individual may, in connection with providing such 
     care, obtain a signed, written authorization that is a legal, 
     informed authorization concerning the use and disclosure of 
     protected health information with respect to such individual 
     for treatment, payment, and health care operations of such 
     provider.
       (b) Revocation of Authorization.--
       (1) In general.--An individual may revoke an authorization 
     under this section at any time, by sending written notice to 
     the person who obtained such authorization, unless the 
     disclosure that is the subject of the authorization is 
     required to complete a course of treatment, effectuate 
     payment, or conduct health care operations for health care 
     that has been provided to the individual.
       (2) Health plans.--With respect to a health plan, the 
     authorization of an individual is deemed to be revoked at the 
     time of the cancellation or non-renewal of enrollment in the 
     health plan, except as may be necessary to conduct health 
     care operations and complete payment requirements related to 
     the individual's period of enrollment.
       (3) Termination of plan.--With respect to the revocation of 
     an authorization under this section by an enrollee in a 
     health plan, the health plan may terminate the coverage of 
     such enrollee under such plan if the health plan determines 
     that the revocation has resulted in the inability of the plan 
     to provide care for the enrollee or conduct health care 
     operations.
       (c) Record of Individual's Authorizations and 
     Revocations.--Each person who obtains or is required to 
     obtain an authorization under this section shall maintain a 
     record for a period of 7 years of each such authorization of 
     an individual and revocation thereof.
       (d) Model Authorizations.--The Secretary, after notice and 
     opportunity for public comment, shall develop and disseminate 
     model written authorizations of the type described in 
     subsection (a). The Secretary shall consult with the National 
     Committee on Vital and Health Statistics in developing such 
     authorizations. An authorization obtained on a model 
     authorization form developed by the Secretary pursuant to the 
     preceding sentence shall be deemed to meet the authorization 
     requirements of this section.
       (e) Rules of Construction.--
       (1) Single authorizations.--An employer or health plan 
     shall be deemed to meet the requirements of subsection (a) 
     with respect to a spouse, child, or other eligible dependent 
     if, at the time of enrollment, a single authorization under 
     subsection (a) is obtained from the employee or other 
     individual who accepts responsibility for health plan 
     enrollment.
       (2) Requirement for separate authorization.--An 
     authorization for the disclosure of protected health 
     information for treatment, payment, and health care 
     operations shall not directly or indirectly authorize the 
     disclosure of such information for any other purpose. Any 
     other such disclosures shall require a separate authorization 
     under section 203.

     SEC. 203. AUTHORIZATIONS FOR USE OR DISCLOSURE OF PROTECTED 
                   HEALTH INFORMATION OTHER THAN FOR TREATMENT, 
                   PAYMENT, AND HEALTH CARE OPERATIONS.

       (a) In General.--An individual who is the subject of 
     protected health information may authorize any person to 
     disclose or use such information for any purpose. An 
     authorization under this section shall not be valid if the 
     signing of such authorization by the individual is a 
     prerequisite for the signing of an authorization under 
     section 202.
       (b) Written Authorizations.--A person may disclose and use 
     protected health information, for purposes other than those 
     authorized under section 202, pursuant to a written 
     authorization signed by the individual who is the subject of 
     the information that meets the requirements of section 
     201(e). An authorization under this section shall be separate 
     from any authorization provided under section 202.
       (c) Limitation on Authorizations.--
       (1) In general.--Notwithstanding any other provision of 
     Federal law, life insurers, and any other entity that offers 
     disability income or long term care insurance under the laws 
     of any State, shall meet the requirements of section 201(a) 
     with respect to an individual for purposes of life, 
     disability income or long term care insurance, by obtaining 
     the authorization of the individual under this section.
       (2) During period of coverage.--Notwithstanding paragraph 
     (1), an authorization obtained in the ordinary course of 
     business in connection with life, disability income or long-
     term care insurance under this section shall remain in effect 
     during the term of the individual's insurance coverage and as 
     may be necessary to enable the issuer to meet its obligations 
     with respect to such individual under the terms of the 
     policy, plan or program.
       (3) Other authorizations.--An authorization obtained from 
     an individual in connection with an application that does not 
     result in coverage with respect to such individual shall 
     expire the earlier of the date specified in the individual's 
     authorization or the effective date of any revocation under 
     subsection (d).
       (d) Revocation or Amendment of Authorization.--
       (1) In general.--Except as otherwise provided for in this 
     section, an individual may revoke or amend an authorization 
     described in this section by providing written notice to the 
     person who obtained such authorization unless the disclosure 
     that is the subject of the authorization is related to the 
     evaluation of an application for life, disability income or 
     long-term care insurance coverage or a claim for life, 
     disability income or long-term care insurance benefits.
       (2) Notice of revocation.--A person that discloses 
     protected health information pursuant to an authorization 
     that has been revoked under paragraph (1) shall not be 
     subject to any liability or penalty under this title if that 
     person had no actual notice of the revocation.
       (e) Disclosure for Purpose Only.--A recipient of protected 
     health information pursuant to an authorization under 
     subsection (b) may disclose such information only to carry 
     out the purposes for which the information was authorized to 
     be disclosed.
       (f) Model Authorizations.--
       (1) In general.--The Secretary, after notice and 
     opportunity for public comment, shall develop and disseminate 
     model written authorizations of the type described in 
     subsection (b). The Secretary shall consult with the National 
     Committee on Vital and Health Statistics in developing such 
     authorizations.
       (2) Authority of insurance commissioner.--Notwithstanding 
     paragraph (1), the insurance commissioner of the State of 
     domicile of a life insurer may exercise exclusive authority 
     in developing and disseminating model written authorizations 
     for purposes of subsection (c).
       (3) Compliance with requirements.--An authorization 
     obtained using a model authorization promulgated under this 
     subsection shall be deemed to meet the authorization 
     requirements of this section.
       (g) Authorizations for Research.--This section applies to 
     health research only where such research is not governed by 
     section 208.

     SEC. 204. NEXT OF KIN AND DIRECTORY INFORMATION.

       (a) Next of Kin.--A health care provider, or a person who 
     receives protected health information under section 205, may 
     disclose protected health information regarding an individual 
     to the individual's spouse, parent, child, sister, brother, 
     next of kin, or to another person whom the individual has 
     identified, if--
       (1) the individual who is the subject of the information--
       (A) has been notified of the individual's right to object 
     to such disclosure and the individual has not objected to the 
     disclosure; or
       (B) is in a physical or mental condition such that the 
     individual is not capable of objecting, and there are no 
     prior indications that the individual would object;
       (2) the information disclosed relates to health care 
     currently being provided to that individual; and
       (3) the disclosure of the protected health information is 
     consistent with good medical or professional practice.
       (b) Directory Information.--
       (1) Disclosure.--
       (A) In general.--Except as provided in paragraph (2), a 
     person described in subsection (a) may disclose the 
     information described in subparagraph (B) to any person if 
     the individual who is the subject of the information--
       (i) has been notified of the individual's right to object 
     and the individual has not objected to the disclosure; or
       (ii) is in a physical or mental condition such that the 
     individual is not capable of objecting, the individual's next 
     of kin has not objected, and there are no prior indications 
     that the individual would object.
       (B) Information.--Information described in this 
     subparagraph is information that consists only of 1 or more 
     of the following items:
       (i) The name of the individual who is the subject of the 
     information.
       (ii) The general health status of the individual, described 
     as critical, poor, fair, stable, or satisfactory or in terms 
     denoting similar conditions.
       (iii) The location of the individual on premises controlled 
     by a provider.
       (2) Exception.--
       (A) Location.--Paragraph (1)(B)(iii) shall not apply if 
     disclosure of the location of the individual would reveal 
     specific information about the physical or mental condition 
     of the individual, unless the individual expressly authorizes 
     such disclosure.
       (B) Directory or next of kin information.--A disclosure may 
     not be made under this section if the health care provider 
     involved has reason to believe that the disclosure of 
     directory or next of kin information could lead to the 
     physical or mental harm of the individual, unless the 
     individual expressly authorizes such disclosure.

     SEC. 205. EMERGENCY CIRCUMSTANCES.

       Any person who creates or receives protected health 
     information under this title may disclose protected health 
     information in emergency circumstances when necessary to 
     protect the health or safety of the individual who is the 
     subject of such information from serious, imminent harm. No 
     disclosure made in the good faith belief that the disclosure 
     was necessary to protect the health or safety of an 
     individual from serious, imminent harm shall be in violation 
     of, or punishable under, this Act.

     SEC. 206. OVERSIGHT.

       (a) In General.--Any person may disclose protected health 
     information to an accrediting body or public health 
     authority, a health oversight agency, or a State insurance 
     department, for purposes of an oversight function authorized 
     by law.
       (b) Protection from Further Disclosure.--Protected health 
     information that is disclosed under this section shall not be 
     further disclosed by an accrediting body or public health 
     authority, a health oversight agency, a State insurance 
     department, or their agents for any purpose unrelated to the 
     authorized oversight function. Notwithstanding any other 
     provision of law, protected health information disclosed 
     under this section shall be protected from further disclosure 
     by an accrediting body or public health authority, a health 
     oversight agency, a State insurance department, or their 
     agents pursuant to a subpoena, discovery request, 
     introduction as evidence, testimony, or otherwise.
       (c) Authorization by a Supervisor.--For purposes of this 
     section, the individual with authority to authorize the 
     oversight function involved shall provide to the person 
     described in subsection (a) a statement that the protected 
     health information is being sought for a legally authorized 
     oversight function.
       (d) Use in Action Against Individuals.--Protected health 
     information about an individual that is disclosed under this 
     section may not be used by the recipient in, or disclosed by 
     the recipient to any person for use in, an administrative, 
     civil, or criminal action or investigation directed against 
     the individual who is the subject of the protected health 
     information unless the action or investigation arises out of 
     and is directly related to--
       (1) the receipt of health care or payment for health care; 
     or
       (2) a fraudulent claim related to health care, or a 
     fraudulent or material misrepresentation of the health of the 
     individual.

     SEC. 207. PUBLIC HEALTH.

       (a) In General.--A health care provider, health plan, 
     public health authority, health researcher, employer, life 
     insurer, law enforcement official, school, or university may 
     disclose protected health information to a public health 
     authority or other person authorized by law for use in a 
     legally authorized--
       (1) disease or injury report;
       (2) public health surveillance;
       (3) public health investigation or intervention;
       (4) vital statistics report, such as birth or death 
     information;
       (5) report of abuse or neglect information about any 
     individual; or
       (6) report of information concerning a communicable disease 
     status.
       (b) Identification of Deceased Individual.--Any person may 
     disclose protected health information if such disclosure is 
     necessary to assist in the identification or safe handling of 
     a deceased individual.
       (c) Requirement To Release Protected Health Information to 
     Coroners and Medical Examiners.--
       (1) In general.--When a Coroner or a Medical Examiner, or 
     the duly appointed deputy of a Coroner or Medical Examiner, 
     seeks protected health information for the purpose of inquiry 
     into and determination of, the cause, manner, and 
     circumstances of a death, the health care provider, health 
     plan, health oversight agency, public health authority, 
     employer, life insurer, health researcher, law enforcement 
     official, school, or university involved shall provide the 
     protected health information to the Coroner or Medical 
     Examiner or to the duly appointed deputy without undue delay.
       (2) Production of additional information.--If a Coroner or 
     Medical Examiner, or the duly appointed deputy of a Coroner 
     or Medical Examiner, receives health information from a 
     person referred to in paragraph (1), such health information 
     shall remain as protected health information unless the 
     health information is attached to or otherwise made a part of 
     a Coroner's or Medical Examiner's official report, in which 
     case it shall no longer be protected.
       (3) Exemption.--Health information attached to or otherwise 
     made a part of a Coroner's or Medical Examiner's official 
     report, shall be exempt from the provisions of this Act.

     SEC. 208. HEALTH RESEARCH.

       (a) In General.--A person lawfully in possession of 
     protected health information may disclose such information to 
     a health researcher under any of the following arrangements:
       (1) Research governed by the common rule.--A person 
     identified in subsection (a) may disclose protected health 
     information to a health researcher if the research project 
     has been approved by an institutional review board pursuant 
     to the requirements of the common rule as implemented by a 
     Federal agency.
       (2) Analyses of health care records and medical archives.--
     A person identified in subsection (a) may disclose protected 
     health information to a health researcher if--
       (A) consistent with the safeguards established pursuant to 
     section 111 and the person's policies and procedures 
     established under this section, the health research has been 
     reviewed by a board, committee, or other group formally 
     designated by such person to review research programs;
       (B) the health research involves analysis of protected 
     health information previously created or collected by the 
     person;
       (C) the person that maintains the protected health 
     information to be used in the analyses has in place a written 
     policy and procedure to assure the security and 
     confidentiality of protected health information and to 
     specify permissible and impermissible uses of such 
     information for health research;
       (D) the person that maintains the protected health 
     information to be used in the analyses enters into a written 
     agreement with the recipient health researcher that specifies 
     the permissible and impermissible uses of the protected 
     health information and provides notice to the researcher that 
     any misuse or further disclosure of the information to other 
     persons is prohibited and may provide a basis for action 
     against the health researcher under this Act; and
       (E) the person keeps a record of health researchers to whom 
     protected health information has been disclosed.
       (3) Safety and efficacy reports.--A person may disclose 
     protected health information to a manufacturer of a drug, 
     biologic or medical device, in connection with any monitoring 
     activity or reports made to such manufacturer for use in 
     verifying the safety or efficacy of such manufacturer's 
     approved product in special populations or for long term use.
       (b) Oversight.--On the advice of the National Committee on 
     Vital and Health Statistics, the Secretary shall report to 
     the Congress not later than 18 months after the effective 
     date of this section concerning the adequacy of the policies 
     and procedures implemented pursuant to subsection (a)(2) for 
     protecting the confidentiality of protected health 
     information while promoting its use in research concerning 
     health care outcomes, the epidemiology and etiology of 
     diseases and conditions and the safety, efficacy and cost 
     effectiveness of health care interventions. Based on the 
     conclusions of such report, the Secretary may promulgate 
     model
     language for written agreements deemed to comply with 
     subsection (a)(2)(C).
       (c) Statutory Assurance of Confidentiality.--
       (1) In general.--Protected health information obtained by a 
     health researcher pursuant to this section shall be used and 
     maintained in confidence, consistent with the confidentiality 
     practices established by the health researcher pursuant to 
     section 111.
       (2) Limitation on compelled disclosure.--A health 
     researcher may not be compelled in any Federal, State, or 
     local civil, criminal, administrative, legislative, or other 
     proceeding to disclose protected health information created, 
     maintained or received under this section. Nothing in this 
     paragraph shall be construed to prevent an audit or lawful 
     investigation pursuant to the authority of a Federal 
     department or agency, of a research project conducted, 
     supported or subject to regulation by such department or 
     agency.
       (3) Limitation on further use or disclosure.--
     Notwithstanding any other provision of law, information 
     disclosed by a health researcher to a Federal department or 
     agency under this subsection may not be further used or 
     disclosed by the department or agency for a purpose unrelated 
     to the department's or agency's oversight or investigation.

     SEC. 209. DISCLOSURE IN CIVIL, JUDICIAL, AND ADMINISTRATIVE 
                   PROCEDURES.

       (a) In General.--A health care provider, health plan, 
     public health authority, employer, life insurer, law 
     enforcement official, school, or university may disclose 
     protected health information pursuant to a discovery request 
     or subpoena in a civil action brought in a Federal or State 
     court or a request or subpoena related to a Federal or State 
     administrative proceeding if such discovery request or 
     subpoena is made through or pursuant to a court order as 
     provided for in subsection (b).
       (b) Court Orders.--
       (1) Standard for issuance.--In considering a request for a 
     court order regarding the disclosure of protected health 
     information under subsection (a), the court shall issue such 
     order if the court determines that without the disclosure of 
     such information, the person requesting the order would be 
     impaired from establishing a claim or defense.
       (2) Requirements.--An order issued under paragraph (1) 
     shall--
       (A) provide that the protected health information involved 
     is subject to court protection;
       (B) specify to whom the information may be disclosed;
       (C) specify that such information may not otherwise be 
     disclosed or used; and
       (D) meet any other requirements that the court determines 
     are needed to protect the confidentiality of the information.
       (c) Applicability.--This section shall not apply in a case 
     in which the protected health information sought under such 
     discovery request or subpoena relates to a party to the 
     litigation or an individual whose medical condition is at 
     issue.
       (d) Effect of Section.--This section shall not be construed 
     to supersede any grounds that may apply under Federal or 
     State law for objecting to turning over the protected health 
     information.

     SEC. 210. DISCLOSURE FOR LAW ENFORCEMENT PURPOSES.

       A person who receives protected health information pursuant 
     to sections 202 through 207, may disclose such information to 
     a State or Federal law enforcement agency if such disclosure 
     is pursuant to--
       (1) a subpoena issued under the authority of a grand jury;
       (2) an administrative or judicial subpoena or summons;
       (3) a warrant issued upon a showing of probable cause;
       (4) a Federal or State law requiring the reporting of 
     specific medical information to law enforcement authorities;
       (5) a written consent or waiver of privilege by an 
     individual allowing access to the individual's protected 
     health information; or
       (6) by other court order.

     SEC. 211. PAYMENT CARD AND ELECTRONIC PAYMENT TRANSACTION.

       (a) Payment for Health Care Through Card or Electronic 
     Means.--If an individual pays for health care by presenting a 
     debit, credit, or other payment card or account number, or by 
     any other payment means, the person receiving the payment may 
     disclose to a person described in subsection (b) only such 
     protected health information about the individual as is 
     necessary in connection with activities described in 
     subsection (b), including the processing of the payment 
     transaction or the billing or collection of amounts charged 
     to, debited from, or otherwise paid by, the individual using 
     the card, number, or other means.
       (b) Transaction Processing.--A person who is a debit, 
     credit, or other payment card issuer, a payment system 
     operator, a financial institution participant in a payment 
     system or is an entity assisting such an issuer, operator, or 
     participant in connection with activities described in this 
     subsection, may use or disclose protected health information 
     about an individual in connection with--
       (1) the authorization, settlement, billing, processing, 
     clearing, transferring, reconciling, or collection of amounts 
     charged, debited or otherwise paid using a debit, credit, or 
     other payment card or account number, or by other payment 
     means;
       (2) the transfer of receivables, accounts, or interest 
     therein;
       (3) the audit of the debit, credit, or other payment 
     information;
       (4) compliance with Federal, State, or local law;
       (5) compliance with a properly authorized civil, criminal, 
     or regulatory investigation by Federal, State, or local 
     authorities as governed by the requirements of this section; 
     or
       (6) fraud protection, risk control, resolving customer 
     disputes or inquiries, communicating with the person to whom 
     the information relates, or reporting to consumer reporting 
     agencies.
       (c) Specific Prohibitions.--A person described in 
     subsection (b) may not disclose protected health information 
     for any purpose that is not described in subsection (b). 
     Notwithstanding any other provision of law, any health care 
     provider, health plan, health oversight agency, health 
     researcher, employer, life insurer, school or university who 
     makes a good faith disclosure of protected health information 
     to an entity and for the purposes described in subsection (b) 
     shall not be liable for subsequent disclosures by such 
     entity.
       (d) Scope.--
       (1) In general.--The use of protected health information by 
     a person described in subsection (b) and its agents shall not 
     be considered a disclosure for purposes of this Act, so long 
     as the use involved is consistent with the activities 
     authorized in subsection (b) or other purposes for which the 
     information was lawfully obtained.
       (2) Regulated institutions.--A person who is subject to 
     enforcement pursuant to section 8 of the Federal Deposit 
     Insurance Act or who is a Federal credit union or State 
     credit union as defined in the Federal Credit Union Act or 
     who is registered pursuant to the Securities and Exchange 
     Act, or who is an entity assisting such a person--
       (A) shall not be subject to this Act to the extent that 
     such person or entity is described in subsection (b) and to 
     the extent that such person or entity is engaged in 
     activities authorized in that subsection; and
       (B) shall be subject to enforcement exclusively under 
     section 8 of the Federal Deposit Insurance Act, the Federal 
     Credit Union Act, or the Securities and Exchange Act, as 
     applicable, to the extent that such person or entity is 
     engaged in activities other than those permitted under 
     subsection (b).
       (3) Rule of Construction.--Nothing in this subsection shall 
     be construed to exempt entities described in paragraph (2) 
     from the prohibition set forth in subsection (c).

     SEC. 212. INDIVIDUAL REPRESENTATIVES.

       (a) In General.--Except as provided in subsections (b) and 
     (c), a person who is authorized by law (based on grounds 
     other than the individual being a minor), or by an instrument 
     recognized under law, to act as an agent, attorney, proxy, or 
     other legal representative of a protected individual, may, to 
     the extent so authorized, exercise and discharge the rights 
     of the individual under this Act.
       (b) Health Care Power of Attorney.--A person who is 
     authorized by law (based on grounds other than being a 
     minor), or by an instrument recognized under law, to make 
     decisions about the provision of health care to an individual 
     who is incapacitated, may exercise and discharge the rights 
     of the individual under this Act to the extent necessary to 
     effectuate the terms or purposes of the grant of authority.
       (c) No Court Declaration.--If a health care provider 
     determines that an individual, who has not been declared to 
     be legally incompetent, suffers from a medical condition that 
     prevents the individual from acting knowingly or effectively 
     on the individual's own behalf, the right of the individual 
     to authorize disclosure under this Act may be exercised and 
     discharged in the best interest of the individual by--
       (1) a person described in subsection (b) with respect to 
     the individual;
       (2) a person described in subsection (a) with respect to 
     the individual, but only if a person described in paragraph 
     (1) cannot be contacted after a reasonable effort;
       (3) the next of kin of the individual, but only if a person 
     described in paragraph (1) or (2) cannot be contacted after a 
     reasonable effort; or
       (4) the health care provider, but only if a person 
     described in paragraph (1), (2), or (3) cannot be contacted 
     after a reasonable effort.
       (d) Application to Deceased Individuals.--The provisions of 
     this Act shall continue to prevent disclosure of protected 
     health information concerning a deceased individual.
       (e) Exercise of Rights on Behalf of a Deceased 
     Individual.--
       (1) In general.--A person who is authorized by law or by an 
     instrument recognized under law, to act as an executor of the 
     estate of a deceased individual, or otherwise to exercise the 
     rights of the deceased individual, may, to the extent so 
     authorized, exercise and discharge the rights of such 
     deceased individual under this Act for a period of 2 years 
     following the death of such individual. If no such designee 
     has been authorized, the rights of the deceased individual 
     may be exercised as provided for in subsection (c).
       (2) Insured individuals.--In the case of an individual who 
     is deceased and who was the insured under an insurance policy 
     or policies, the right to authorize disclosure of protected 
     health information may be exercised by the beneficiary or 
     beneficiaries of such insurance policy or policies.
       (f) Rights of Minors.--The rights of minors under this Act 
     shall be exercised by a parent, the minor or other person as 
     provided under applicable state law.

     SEC. 213. NO LIABILITY FOR PERMISSIBLE DISCLOSURES.

       A health care provider, health plan, health oversight 
     agency, health researcher, employer, life insurer, school, or 
     university, or an agent of any such person, that makes a 
     disclosure of protected health information about an 
     individual that is permitted by this Act shall not be liable 
     to the individual for such disclosure under common law.

     SEC. 214. SALE OF BUSINESS, MERGERS, ETC.

       (a) In General.--A health care provider, health plan, 
     health oversight agency, employer, life insurer, school, or 
     university may disclose protected health information to a 
     person or persons for purposes of enabling business decisions 
     to be made about or in connection with the purchase, 
     transfer, merger, or sale of a business or businesses.
       (b) No Further Use or Disclosure.--A person or persons who 
     receive protected health information under this section shall 
     make no further use or disclosure of such information unless 
     otherwise authorized under this Act.

                          TITLE III--SANCTIONS

                    Subtitle A--Criminal Provisions

     SEC. 301. WRONGFUL DISCLOSURE OF PROTECTED HEALTH 
                   INFORMATION.

       (a) In General.--Part I of title 18, United States Code, is 
     amended by adding at the end the following:

   ``CHAPTER 124--WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION

     ``SEC. 2801. WRONGFUL DISCLOSURE OF PROTECTED HEALTH 
                   INFORMATION.

       ``(a) Offense.--The penalties described in subsection (b) 
     shall apply to a person that knowingly and intentionally--
       ``(1) obtains protected health information relating to an 
     individual from a health care provider, health plan, health 
     oversight agency, public health authority, employer, life 
     insurer, health researcher, law enforcement official, school, 
     or university except as provided in title II of the Medical 
     Information Protection Act of 1999; or
       ``(2) discloses protected health information to another 
     person in a manner other than that which is permitted under 
     title II of the Medical Information Protection Act of 1999.
       ``(b) Penalties.--A person described in subsection (a) 
     shall--
       ``(1) be fined not more than $50,000, imprisoned not more 
     than 1 year, or both;
       ``(2) if the offense is committed under false pretenses, be 
     fined not more than $100,000, imprisoned not more than 5 
     years, or both; or
       ``(3) if the offense is committed with the intent to sell, 
     transfer, or use protected health information for monetary 
     gain or malicious harm, be fined not more than $250,000, 
     imprisoned not more than 10 years, or both.
       ``(c) Subsequent Offenses.--In the case of a person 
     described in subsection (a), the maximum penalties described 
     in subsection (b) shall be doubled for every subsequent 
     conviction for an offense arising out of a violation or 
     violations related to a set of circumstances that are 
     different from those involved in the previous violation or 
     set of related violations described in such subsection 
     (a).''.
       (b) Clerical Amendment.--The table of chapters for part I 
     of title 18, United States Code, is amended by inserting 
     after the item relating to chapter 123 the following new 
     item:

``124. Wrongful disclosure of protected health information......2801''.

                      Subtitle B--Civil Sanctions

     SEC. 311. CIVIL PENALTY VIOLATION.

       A person who the Secretary, in consultation with the 
     Attorney General, determines has substantially and materially 
     failed to comply with this Act shall be subject, in addition 
     to any other penalties that may be prescribed by law--
       (1) in a case in which the violation relates to title I, to 
     a civil penalty of not more than $500 for each such 
     violation, but not to exceed $5,000 in the aggregate for 
     multiple violations arising from the same failure to comply 
     with the Act;
       (2) in a case in which the violation relates to title II, 
     to a civil penalty of not more than $10,000 for each such 
     violation, but not to exceed $50,000 in the aggregate for 
     multiple violations arising from the same failure to comply 
     with the Act; or
       (3) in a case in which the Secretary finds that such 
     violations have occurred with such frequency as to constitute 
     a general business practice, to a civil penalty of not more 
     than $100,000.

     SEC. 312. PROCEDURES FOR IMPOSITION OF PENALTIES.

       (a) Initiation of Proceedings.--
       (1) In general.--The Secretary, in consultation with the 
     Attorney General, may initiate a proceeding to determine 
     whether to impose a civil money penalty under section 311. 
     The Secretary may not initiate an action under this section 
     with respect to any violation described in section 311 after 
     the expiration of the 6-year period beginning on the date on 
     which such violation was alleged to have occurred. The 
     Secretary may initiate an action under this section by 
     serving notice of the action in any manner authorized by Rule 
     4 of the Federal Rules of Civil Procedure.
       (2) Notice and opportunity for hearing.--The Secretary 
     shall not make a determination adverse to any person under 
     paragraph (1) until the person has been given written notice 
     and an opportunity for the determination to be made on the 
     record after a hearing at which the person is entitled to be 
     represented by counsel, to present witnesses, and to cross-
     examine witnesses against the person.
       (3) Sanctions for failure to comply.--The official 
     conducting a hearing under this section may sanction a 
     person, including any party or attorney, for failing to 
     comply with an order or procedure, failing to defend an 
     action, or other misconduct as would interfere with the 
     speedy, orderly, or fair conduct of the hearing. Such 
     sanction shall reasonably relate to the severity and nature 
     of the failure or misconduct. Such sanction may include--
       (A) in the case of refusal to provide or permit discovery, 
     drawing negative factual inferences or treating such refusal 
     as an admission by deeming the matter, or certain facts, to 
     be established;
       (B) prohibiting a party from introducing certain evidence 
     or otherwise supporting a particular claim or defense;
       (C) striking pleadings, in whole or in part;
       (D) staying the proceedings;
       (E) dismissal of the action;
       (F) entering a default judgment;
       (G) ordering the party or attorney to pay attorneys' fees 
     and other costs caused by the failure or misconduct; and
       (H) refusing to consider any motion or other action which 
     is not filed in a timely manner.
       (b) Scope of Penalty.--In determining the amount or scope 
     of any penalty imposed pursuant to section 311, the Secretary 
     shall take into account--
       (1) the nature of claims and the circumstances under which 
     they were presented;
       (2) the degree of culpability, history of prior offenses, 
     and financial condition of the person presenting the claims;
       (3) evidence of good faith endeavor to protect the 
     confidentiality of protected health information; and
       (4) such other matters as justice may require.
       (c) Review of Determination.--
       (1) In general.--Any person adversely affected by a 
     determination of the Secretary under this section may obtain 
     a review of such determination in the United States Court of 
     Appeals for the circuit in which the person resides, or in 
     which the claim was presented, by filing in such court 
     (within 60 days following the date the person is notified of 
     the determination of the Secretary) a written petition 
     requesting that the determination be modified or set aside.
       (2) Filing of record.--A copy of the petition filed under 
     paragraph (1) shall be forthwith transmitted by the clerk of 
     the court to the Secretary, and thereupon the Secretary shall 
     file in the Court the record in the proceeding as provided in 
     section 2112 of title 28, United States Code. Upon such 
     filing, the court shall have jurisdiction of the proceeding 
     and of the question determined therein, and shall have the 
     power to make and enter upon the pleadings, testimony, and 
     proceedings set forth in such record a decree affirming, 
     modifying, remanding for further consideration, or setting 
     aside, in whole or in part, the determination of the 
     Secretary and enforcing the same to the extent that such 
     order is affirmed or modified.
       (3) Consideration of objections.--No objection that has not 
     been raised before the Secretary with respect to a 
     determination described in paragraph (1) shall be considered 
     by the court, unless the failure or neglect to raise such 
     objection shall be excused because of extraordinary 
     circumstances.
       (4) Findings.--The findings of the Secretary with respect 
     to questions of fact in an action under this subsection, if 
     supported by substantial evidence on the record considered as 
     a whole, shall be conclusive. If any party shall apply to the 
     court for leave to adduce additional evidence and shall show 
     to the satisfaction of the court that such additional 
     evidence is material and that there were reasonable grounds 
     for the failure to adduce such evidence in the hearing before 
     the Secretary, the court may order such additional evidence 
     to be taken before the Secretary and to be made a part of the 
     record. The Secretary may modify findings as to the facts, or 
     make new findings, by reason of additional evidence so taken 
     and filed, and shall file with the court such modified or new 
     findings, and such findings with respect to questions of 
     fact, if supported by substantial evidence on the record 
     considered as a whole, and the recommendations of the 
     Secretary, if any, for the modification or setting aside of 
     the original order, shall be conclusive.
       (5) Exclusive jurisdiction.--Upon the filing of the record 
     with the court under paragraph (2), the jurisdiction of the 
     court shall be exclusive and its judgment and decree shall be 
     final, except that the same shall be subject to review by the 
     Supreme Court of the United States, as provided for in 
     section 1254 of title 28, United States Code.
       (d) Recovery of Penalties.--
       (1) In general.--Civil money penalties imposed under this 
     subtitle may be compromised by the Secretary and may be 
     recovered in a civil action in the name of the United States 
     brought in United States district court for the district 
     where the claim was presented, or where the claimant resides, 
     as determined by the Secretary. Amounts recovered under this 
     section shall be paid to the Secretary and deposited as
     miscellaneous receipts of the Treasury of the United States.
       (2) Deduction from amounts owing.--The amount of any 
     penalty, when finally determined under this section, or the 
     amount agreed upon in compromise under paragraph (1), may be 
     deducted from any sum then or later owing by the United 
     States or a State to the person against whom the penalty has 
     been assessed.
       (e) Determination Final.--A determination by the Secretary 
     to impose a penalty under section 311 shall be final upon the 
     expiration of the 60-day period referred to in subsection 
     (c)(1). Matters that were raised or that could have been 
     raised in a hearing before the Secretary or in an appeal 
     pursuant to subsection (c) may not be raised as a defense to 
     a civil action by the United States to collect a penalty 
     under section 311.
       (f) Subpoena Authority.--
       (1) In general.--For the purpose of any hearing, 
     investigation, or other proceeding authorized or directed 
     under this section, or relative to any other matter within 
     the jurisdiction of the Attorney General hereunder, the 
     Attorney General, acting through the Secretary shall have the 
     power to issue subpoenas requiring the attendance and 
     testimony of witnesses and the production of any evidence 
     that relates to any matter under investigation or in question 
     before the Secretary. Such attendance of witnesses and 
     production of evidence at the designated place of such 
     hearing, investigation, or other proceeding may be required 
     from any place in the United States or in any Territory or 
     possession thereof.
       (2) Service.--Subpoenas of the Secretary under paragraph 
     (1) shall be served by anyone authorized by the Secretary by 
     delivering a copy thereof to the individual named therein.
       (3) Proof of service.--A verified return by the individual 
     serving the subpoena under this subsection setting forth the 
     manner of service shall be proof of service.
       (4) Fees.--Witnesses subpoenaed under this subsection shall 
     be paid the same fees and mileage as are paid witnesses in 
     the district court of the United States.
       (5) Refusal to obey.--In case of contumacy by, or refusal 
     to obey a subpoena duly served upon, any person, any 
     district court of the United States for the judicial district 
     in which such person charged with contumacy or refusal to 
     obey is found or resides or transacts business, upon 
     application by the Secretary, shall have jurisdiction to 
     issue an order requiring such person to appear and give 
     testimony, or to appear and produce evidence, or both. Any 
     failure to obey such order of the court may be punished by 
     the court as contempt thereof.
       (g) Injunctive Relief.--Whenever the Secretary has reason 
     to believe that any person has engaged, is engaging, or is 
     about to engage in any activity which makes the person 
     subject to a civil monetary penalty under section 311, the 
     Secretary may bring an action in an appropriate district 
     court of the United States (or, if applicable, a United 
     States court of any territory) to enjoin such activity, or to 
     enjoin the person from concealing, removing, encumbering, or 
     disposing of assets which may be required in order to pay a 
     civil monetary penalty if any such penalty were to be imposed 
     or to seek other appropriate relief.
       (h) Agency.--A principal is liable for penalties under 
     section 311 for the actions of the principal's agent acting 
     within the scope of the agency.

     SEC. 313. ENFORCEMENT BY STATE INSURANCE COMMISSIONERS.

       (a) State Penalties.--Subject to section 401, and 
     notwithstanding any other provision of this title, the 
     insurance commissioner of the State of residence of an 
     insured under a life, disability income or long-term care 
     insurance policy may exercise exclusive authority to impose 
     any penalties on a life insurer for violations of this Act in 
     connection with life, disability income or long-term care 
     insurance pursuant to the administrative procedures provided 
     under that State's insurance laws.
       (b) Fail-Safe Federal Authority.--In the case of a State 
     that fails to substantially enforce the requirements of title 
     I or title II of this Act with respect to life insurers 
     regulated by such State, the provisions of this title shall 
     apply with respect to a life insurer in the same way that 
     they apply to other persons subject to the Act.

                        TITLE IV--MISCELLANEOUS

     SEC. 401. RELATIONSHIP TO OTHER LAWS.

       (a) State and Federal Law.--Except as provided in this 
     section, the provisions of this Act shall preempt any State 
     law that relates to matters covered by this Act. Nothing in 
     this Act shall be construed to preempt, modify, repeal or 
     affect the interpretation of a provision of Federal or State 
     law that relates to the disclosure of protected health 
     information or any other information about a minor to a 
     parent or guardian of such minor. This Act shall not be 
     construed as repealing, explicitly or implicitly, other 
     Federal laws or regulations relating to protected health 
     information or relating to an individual's access to 
     protected health information or health care services.
       (b) Privileges.--Nothing in this title shall be construed 
     to preempt or modify any provisions of State statutory or 
     common law to the extent that such law concerns a privilege 
     of a witness or person in a court of that State. This title 
     shall not be construed to supersede or modify any provision 
     of Federal statutory or common law to the extent such law 
     concerns a privilege of a witness or person in a court of the 
     United States. Authorizations pursuant to sections 202 and 
     203 shall not be construed as a waiver of any such privilege.
       (c) Reports Concerning Federal Privacy Act.--Not later than 
     1 year after the date of enactment of this Act, the head of 
     each Federal agency shall prepare and submit to Congress a 
     report concerning the effect of this Act on each such agency. 
     Such reports shall include recommendations for legislation to 
     address concerns relating to the Federal Privacy Act.
       (d) Application to Certain Federal Agencies.--
       (1) Department of defense.--
       (A) Exceptions.--The Secretary of Defense may, by 
     regulation, establish exceptions to the disclosure 
     requirements of this Act to the extent such Secretary 
     determines that disclosure of protected health information 
     relating to members of the armed forces from systems of 
     records operated by the Department of Defense is necessary 
     under circumstances different from those permitted under this 
     Act for the proper conduct of national defense functions by 
     members of the armed forces.
       (B) Application to civilian employees.--The Secretary of 
     Defense may, by regulation, establish for civilian employees 
     of the Department of Defense and employees of Department of 
     Defense contractors, limitations on the right of such persons 
     to revoke or amend authorizations for disclosures under 
     section 203 when such authorizations were provided by such 
     employees as a condition of employment and the disclosure is 
     determined necessary by the Secretary of Defense to the 
     proper conduct of national defense functions by such 
     employees.
       (2) Department of transportation.--
       (A) Exceptions.--The Secretary of Transportation may, with 
     respect to members of the Coast Guard, exercise the same 
     powers as the Secretary of Defense may exercise under 
     paragraph (1)(A).
       (B) Application to civilian employees.--The Secretary of 
     Transportation may, with respect to civilian employees of the 
     Coast Guard and Coast Guard contractors, exercise the same 
     powers as the Secretary of Defense may exercise under 
     paragraph (1)(B).
       (3) Department of veterans affairs.--The limitations on use 
     and disclosure of protected health information under this Act 
     shall not be construed to prevent any exchange of such 
     information within and among components of the Department of 
     Veterans Affairs that determine eligibility for or 
     entitlement to, or that provide, benefits under laws 
     administered by the Secretary of Veterans Affairs.

     SEC. 402. CONFORMING AMENDMENT.

       Section 1171(6) of the Social Security Act (42 U.S.C. 
     1320d(6)) is amended to read as follows:
       ``(6) Individually identifiable health information.--The 
     term `individually identifiable health information' has the 
     same meaning given the term `protected health information' by 
     section 4 of the Medical Information Protection Act of 
     1999.''.

     SEC. 403. STUDY BY INSTITUTE OF MEDICINE.

       Not later than 2 years after the date of enactment of this 
     Act, the National Research Council in conjunction with the 
     Institute of Medicine of the National Academy of Sciences 
     shall conduct a study to examine research issues relating to 
     protected health information, such as the quality and 
     uniformity of institutional review boards and their practices 
     with respect to data management for both researchers and 
     institutional review boards, as well as current and proposed 
     protection of health information in relation to the 
     legitimate needs of law enforcement. The Council shall 
     prepare and submit to Congress a report concerning the 
     results of such study.

     SEC. 405. EFFECTIVE DATE.

       (a) Effective Date.--Except as provided in subsection (b), 
     this Act shall take effect on the date that is 12 months 
     after the date on which regulations are promulgated as 
     required under subsection (c).
       (b) Applicability.--The provisions of this Act shall only 
     apply to protected health information collected and disclosed 
     12 months after the date on which regulations are promulgated 
     as required under subsection (c).
       (c) Regulations.--Not later than 12 months after the date 
     of enactment of this Act, the Secretary shall, in 
     consultation with the National Committee on Vital and Health 
     Statistics, promulgate regulations implementing this Act.
       (d) Exception.--If, not later than 18 months after the date 
     of enactment of this Act, the Secretary has not promulgated 
     the regulations required under subsection (c), the effective 
     date for purposes of subsections (a) and (b) shall be the 
     date that is 30 months after the date of enactment of this 
     Act or 12 months after the promulgation of such regulations, 
     whichever is earlier.
                                  ____


    Groups Supporting the Medical Information Protection Act of 1999

       American Medical Informatics Association (AMIA).
       Joint Healthcare Information Technology Alliance (JHITA).
       Intermountain Health Care (IHC).
       Premier Institute.
       Association of American Medical Colleges (AAMC).
       American Health Information Management Association (AHIMA).
       Healthcare Leadership Council (HLC).
       Federation of American Health Systems.
       National Association of Chain Drug Stores (NACDS).
       PCS Health Systems.
       Academy of Managed Care Pharmacy.
       Genentech.
       Baxter Healthcare Corporation.
       Biotechnology Industry Organization (BIO).
       Eli Lilly and Co.
       Pan Am and Wausau Insurance.
       SmithKline Beecham.
       Leukemia Society of America.
       Kidney Cancer Foundation.
       Mutual of Omaha.
       American Hospital Association (AHA).
       American Association of Health Plans (AAHP).
       Cleveland Clinic Foundation.
       First Health Group Corporation.
       Health Insurance Association of America (HIAA).
       Knoll Pharmaceuticals Co.
       Lahey Clinic.
       Mayo Foundation.
       Pharmaceutical Research and Manufacturers Association 
     (PhRMA).
       American Society of Consultant Pharmacists.
       Association for Electronic Health Care Transactions.
       CIGNA.
       Cleveland Clinic Foundation.
       Express Scripts/ValueRx.
       First Health Group Corporation.
       Food Marketing Institute.
       Humana, Inc.
       Knoll Pharmaceuticals.
       National Association of Manufacturers.
       Pharmaceutical Care Management Association.
       VHA Inc.
       WellPoint Networks, Inc.
       Blue Cross Blue Shield Association.
       American Association of Occupational Health Nurses.
       Merck & Co., Inc.
                                 ______