Medical Information Privacy and Security Act Section by Section Analysis

S. 1368

105th CONGRESS


Senators Leahy and Kennedy introduced the Medical Information Privacy and Security Act (MIPSA) on November 4, 1997; the bill was referred to the Committee on Labor and Human Resources. The purpose of MIPSA is to provide individuals with access to health information of which they are the subject, ensure personal privacy with respect to personal medical records and health care-related information, impose criminal and civil penalties for unauthorized use of personal health information, and provide for the strong enforcement of these rights.

Findings

Sec. 2.  Congress finds that:

  • individuals have a right of privacy with respect to their personal medical information, including genetic information, and records;

  • with respect to information about medical care and health status, the traditional right of confidentiality (between a health care provider and a patient) is at risk. This may reduce the willingness of patients to confide in physicians and other practitioners and may inhibit such patients from seeking care;

  • the use of electronic medical records offers many potential advantages compared to traditional paper-based systems if coupled with strong privacy safeguards;

  • the European Union has adopted a directive that provides that electronic medical records cannot be sent from Union member nations to other nations, such as the United States, unless the non-member country assures the security and confidentiality of medical records under its national laws and practices;

  • a right to privacy means that the individual's consent is needed to disclose his or her personally identifiable health information and that the individual has a right of access to that health information. Any disclosure of personally identifiable health information should be limited to that information or portion of the medical record necessary to fulfill the immediate and specific purpose of the disclosure;

  • an individual's health information is currently accessible to many people who do not need the information to provide health care to the individual, often without the individual's knowledge or consent;

  • the March 1997 National Research Council report concluded that few penalties or controls exist to prevent the improper disclosure of protected health information, and that a national office of privacy should be established to educate and empower health care consumers;

  • medical research often depends on access to both identifiable and nonidentifiable patient medical records and medical research is critically important to the health and well-being of all Americans;

  • currently, there is technology available which can ease the process by which identifiable data can be stripped of all patient identifiers to support the necessary balance between medical research and privacy protections for individuals;

  • the American Medical Association Council on Ethical Affairs has concluded that a patient and a physician should be advised about the existence of computerized data bases in which medical information concerning the patient is stored, and that there should be approval by the patient prior to the disclosure of personally identifiable health information outside the medical care environment;

  • genetic information is uniquely private and personal to an individual and is rapidly being deciphered and understood; research in genetics continues to provide immense health benefits to individuals and their families, but the improper use and unauthorized disclosure of genetic information may cause significant harm to individuals, including stigmatization and discrimination;

  • the Supreme Court found in Jaffee v. Redmond (116 S. Ct. 1923 (1996)) that there is an imperative need for confidence and trust between a psychotherapist and a patient which can only be established by an assurance of confidentiality and that preservation of such trust and confidentiality serves the public interest by facilitating the provision of appropriate treatment for individuals; and

  • the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2 note) establishes a deadline that Congress enact legislation, within 36 months after the date of enactment of such Act, to protect the privacy of personal health information.

Purposes

Sec. 3. It is the purpose of this Act to:

  • recognize that there is a right to privacy with respect to health information, including genetic information, and that this right must be protected;

  • establish an Office of Health Information Privacy within the Department of Health and Human Services to protect that right of privacy;

  • provide individuals with access to health information of which they are the subject, the right to supplement records if the information in such record is inaccurate or incomplete, and the right to limit the use and disclosure of such information (personally identifiable information);

  • create incentives to turn personal health information into nonidentifiable health information for oversight, health research, public health, law enforcement, judicial, and administrative purposes;

  • establish strong and effective mechanisms to protect against the unauthorized and inappropriate use of personally identifiable health information; and establish strong and effective remedies for violations of this Act.

Selected Definitions

Sec.4(3) Disclose - The term 'disclose' means to release, transfer, permit access to, or otherwise divulge protected health information to any person other than the individual who is the subject of such information. Such term includes the initial disclosure and any subsequent redisclosures of individually identifiable health care information;

Sec.4(12) Nonidentifiable Health Information - The term 'nonidentifiable health information' means any information that would otherwise be protected health information except that it does not reveal the identity of the individual whose health or health care is the subject of the information and there is no reasonable basis to believe that the information could be used to identify that individual;

Sec.4(15) Protected Health Information - The term 'protected health information' means any information, including genetic information, demographic information, and tissue samples collected from an individual, whether oral or recorded in any form or medium, that:

  • is created or received by a health care provider, health researcher, health plan, health oversight agency, public health authority, employer, health or life insurer, school or university;

  • relates to the past, present, or future physical or mental health or condition of an individual (including individual cells and their components), the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and

  • identifies an individual; or with respect to which there is a reasonable basis to believe that the information can be used to identify an individual.

Title I–Individual's Rights

Subtitle A – Access to Protected Health Information by Subjects of the Information

This subtitle permits individuals to have access to their protected health information for purposes of inspection, copying and supplementing.

Inspection and Copying of Protected Health Information

Sec.101(a)  Right of Individual  A health care provider, health researcher, health plan, employer, health or life insurer, school, or university, or the agent of any such individual or entity, shall permit an individual (or his or her designee) to inspect and copy protected health information concerning the individual that such entity maintains and establish procedures to be followed for inspection and copying. The entity may require reimbursement for not more than the actual costs associated with copying unless such fees would have the effect of prohibiting an individual from gaining access to the information involved.

Sec.101(b)  Deadline  An entity described in subsection (a) shall comply with a request for inspection or copying of protected health information under this section within 15 business days after the date on which the entity receives the request.

Sec.101(c)  Rules Governing Agents  An agent of an entity shall provide for the inspection and copying of protected health information if the information is retained by the agent and the agent has been asked by the entity involved to fulfill the requirements of this section.

Supplements to Protected Health Information.

Sec.102(a)  In General   Within 45 days of receiving a written request from an individual to supplement information, a health care provider, health researcher, health plan, employer, health or life insurer, school, or university, must add the supplement requested to the records; inform the individual of the supplement that has been added; and make reasonable efforts to inform any person to whom the portion of the unsupplemented information was previously disclosed, of any nontechnical supplement that has been made.

Sec.102(b)  Refusal to Supplement   If an entity declines to make the supplement requested under such subsection, the entity shall inform the individual in writing of the reasons for declining to make the supplement; any procedures for further review; and the right to file a concise statement on the requested supplement and reasons for disagreeing with the declining entity and the right to include a copy of this refusal in his or her health record.

Sec.102(c)  Statement of Disagreement   If an individual has filed a statement of disagreement under subsection (b), the entity involved, in any subsequent disclosure of the disputed portion of the information shall include, at the individual's request, a copy of the individual's statement; and may include a concise statement of the reasons for not making the requested supplement.

Sec.102(d)  Rules Governing Agents   The agent of an entity described in subsection (a) shall not be required to make supplements to protected health information, except where the protected health information is retained by the agent and the agent has been asked by such entity to fulfill the requirements of this section.

Notice of Privacy Practices

Sec.103(a)  Preparation of Written Notice  A health care provider, health plan, health oversight agency, public health authority, employer, health researcher, health or life insurer, school, or university shall prepare a written notice of the privacy practices of the entity that shall include:

  • the procedures for an individual to authorize disclosures of protected health information, and the procedures to object to, modify, and revoke such authorizations;

  • the right of an individual to inspect, copy, and supplement the protected health information;

  • the right of an individual not to have employment or the receipt of services conditioned upon the execution by the individual of an authorization for disclosure;

  • a description of the categories or types of employees, by general category or by general job description, who have access to or use of protected health information within the entity;

  • a simple, concise description of any information systems used to store or transmit protected health information, including a description of any linkages made with other electronic systems or databases outside the entity;

  • the right of the individual to request segregation of protected health information and to restrict the use of such information by employees, agents, and contractors of an entity;

  • the circumstances under which the information may be used or disclosed without an authorization executed by the individual; and

  • a statement that an individual may self-pay for health care in order that no identifying information be disclosed to anyone other than the health care provider unless such disclosure is related to the medical treatment or is authorized by mandatory reporting requirements or other similar information collection duties as required by law.

Sec.103(b)  Provision and Posting of Written Notice  An entity described in subsection (a) shall provide a copy of the written notice of privacy practices at the time an authorization is sought for disclosure of protected health information; and upon the request of an individual. An entity described in subsection (a) shall post, in a clear and conspicuous manner, a brief summary of the privacy practices of the entity.

Sec.103(c)  Model Notice  The director of the Office of Health Information Privacy, after notice and opportunity for public comment, shall develop and disseminate model notices of privacy practices, and model summary notices for posting, for use under this section.

SUBTITLE B--ESTABLISHMENT OF SAFEGUARDS

Establishment of Safeguards

Sec.111(a)  In General  A health care provider, health plan, health oversight agency, public health authority, employer, health researcher, law enforcement official, health or life insurer, school, or university, or the agent of any such individual or entity, shall establish and maintain appropriate administrative, organizational, technical, and physical safeguards and procedures to ensure the confidentiality, security, accuracy, and integrity of protected health information created, received, obtained, maintained, used, transmitted, or disposed of by such entity.

Sec.111(b)  Model Guidelines  The Director of the Office of Health Information Privacy at HHS after a public comment period shall develop and disseminate model guidelines for the establishment of safeguards for use under this section.

Accounting for Disclosures

Sec.112(a)  In General  A health care provider, health plan, health oversight agency, public health authority, employer, health researcher, law enforcement official, health or life insurer, school, or university, or the agent of any such individual or entity is required to keep a record of all disclosures of protected health information that is not related to payment or treatment, in accordance with regulations issued by the director of the Office of Health Information Privacy.

Sec.112(b)  Maintenance of Record  A record established under subsection (a) shall be maintained for not less than 7 years.

Sec.112(c)  Electronic Records  An entity described in subsection (a) must maintain an electronic record, or the ability to generate such a record, concerning each attempt that is made by such an entity, or by any other person, whether authorized or unauthorized, successful or unsuccessful, to access protected health information that the entity holds in electronic form. The record must include the identity of the specific individual attempting to gain such access, or a way to identify that individual, and other appropriate information, and information sufficient to identify the information sought.

TITLE II--RESTRICTIONS ON USE AND DISCLOSURE

SUBTITLE A--GENERAL RESTRICTION

General Rule Regarding Use and Disclosure

Sec.201  A health care provider, health plan, health oversight agency, public health authority, employer, health researcher, law enforcement official, health or life insurer, school, or university, or the agent of any such individual or entity, may not disclose protected health information except as authorized under this title.

Authorizations For Disclosure of Protected Health Information

Sec. 202(a)  Written Authorization  An entity described in section 201 may not disclose protected health information except as authorized under this title. (Law enforcement officials are not included in this list.)

Sec.202(b)  Requirements for Individual Authorization  To be valid, an authorization must:

  • identify the type of person (by title, general job description, or other functional description) or entity authorized to disclose protected health information;

  • describe the nature of the health care information to be disclosed;

  • identify the type of person or entity (including identification made with respect to employees through use of a job description, title, or other functional description) to whom the information is to be disclosed, including individuals employed by or operating within the entity;

  • describe the purpose of the disclosure;

  • provide the means by which an individual may indicate that a particular person or entity listed on the authorization is not authorized to receive protected health information concerning the individual, except that a physician directly responsible for providing necessary medical care, and those directly assisting such physician, shall be permitted access to files related to providing that medical care;

  • permit an individual to indicate that some of the individual's protected health information should be segregated;

  • permit an individual to indicate that protected health information, other than administrative billing information, shall not be transmitted outside the entity in a computerized, digital, optical, or other electronic format;

  • be subject to revocation by the individual and indicate that the authorization is valid until revocation by the individual or until an event or date specified; and

  • be either in writing, dated, and signed by the individual or in electronic form, dated and authenticated by the individual using a unique identifier; and not have been revoked.

Sec.202(c)(1)  Limitation on Authorizations: In General  Subject to paragraphs (3) and (4), an entity described in subsection (a) that seeks an authorization under such subsection may not condition the delivery of treatment or payment for services on the receipt of an authorization.

Sec.202(c)(2)  Limitation on Authorizations: Authorization for Payment Purposes  An entity described in subsection (a) that seeks an authorization may not condition delivery of health care or payment for services upon receipt of an authorization to link, aggregate, match, index or associate protected health information contained within a computerized, digital, optical or other electronic format with other such information held by another entity.

Sec.202(c)(3)  Limitation on Authorizations: Right to Require Self-Payment  If an individual has refused to provide an authorization of disclosure of administrative billing information to a person or entity and such authorization is necessary for a health care provider to receive payment for services delivered, the person or entity seeking the authorization may require the individual to self-pay for the services.

Sec.202(c)(4)  Limitation on Authorizations: Authorization for Treatment Purposes  If a health care provider that is seeking an authorization for disclosure of an individual's protected health information believes that the disclosure of such information is necessary so as not to endanger the health or treatment of the individual, the health care provider may condition the provision of services upon the execution of the authorization by the individual.

Sec.202(d)  Model Authorizations   The Secretary, after notice and opportunity for public comment, shall develop and disseminate model written authorizations and model statements of the limitations on authorizations. Any authorization obtained on a model authorization form developed by the Secretary pursuant to the preceding sentence shall be deemed to meet the authorization requirements of this section.

Sec.202(e)  Scope of Disclosure   The disclosure of protected health information under an authorization provided under this section shall be limited to the minimum amount of information necessary to accomplish the purpose for which the authorization was executed. A recipient of such information may use or disclose such information solely to carry out the purpose for which it was authorized for release. Nothing in this section permitting the disclosure of protected health information shall be construed to require such disclosure. Protected health information disclosed pursuant to an authorization under this section shall be clearly identified as protected health information that is subject to this Act.

Sec.202(f)  Segregation of Files   An entity described in subsection (a) shall comply with the request of an individual who is the subject of protected health information to:

  • segregate any type or amount of protected health information, other than administrative billing information, held by the entity;

  • limit the use or disclosure of the segregated health information within the entity to those persons specifically designated by the subject of the protected health information; and

  • maintain such information outside any networked computerized, digital, optical or other electronic system.

Sec.202(g)(1)  Revocation of Authorization.   In General--An individual may in writing revoke or amend an authorization under this section at any time, unless the disclosure that is the subject of the authorization is required to effectuate payment for health care that has been provided to the individual.

Sec.202(g)(2)  Revocation of Authorization.   Health Plans--With respect to a health plan, the authorization of an individual is deemed to be revoked at the time of the cancellation or non-renewal of enrollment in the health plan, except as may be necessary to complete plan administration and payment requirements related to the individual's period of enrollment.

Sec.202(g)(3)  Revocation of Authorization.   Actions--An individual may not maintain an action against a person for disclosure of personally identifiable health information if the disclosure was made based on a good faith reliance on the individual's authorization at the time disclosure was made; in a case in which the authorization is revoked, if the disclosing entity had no actual or constructive notice of the revocation; or if the disclosure was for the purpose of protecting another individual from imminent physical harm, if authorized under section 211 regarding emergency circumstances.

Sec.202(h)  Record of Individual's Authorizations and Revocations  Each person collecting or storing personally identifiable health information shall maintain a record for a period of 7 years of each authorization of an individual and any revocation thereof, and such record shall become part of the personally identifiable health information concerning such individual.

Sec.202(i)  No Waiver  Except as provided for in this Act, an authorization to disclose personally identifiable health information by an individual shall not be construed as a waiver of any rights that the individual has under other Federal or State laws, the rules of evidence, or common law.

Sec.202(j)  Rule of Construction  Except as provided in subsection (a), nothing in this section shall be construed to prevent the electronic or computerized exchange of administrative billing information for the purpose of a claims payment.

Sec.202(k)  Definition  The term 'segregate' means to place a designated subset of protected health information in a location or computer file that is separate from the location or computer file used to store general protected health information and where access to or use of any information so segregated may be effectively limited to those individuals who are authorized to access or use such information; the term 'signed' refers to both signatures in ink and electronic signatures, and 'written' refers to both paper and computerized formats.

Subtitle B–Limited Circumstances Providing For Disclosure Without Authorization

Emergency Circumstances

Sec.211(a)  General Rule  In the event of a threat of imminent physical or mental harm to the subject of protected health information, any person may, in order to allay or remedy such threat, disclose protected health information about such subject to a health care practitioner, health care facility, law enforcement authority, or emergency medical personnel to protect the health or safety of such subject.

Sec.211(b)  Harm to Others  In the event of a threat of harm to an individual other than the subject of protected health information, any person may disclose protected health information about such subject where there is an identifiable threat of serious injury or death to an identifiable individual or group of individuals; the subject of the protected health information has the ability to carry out such threat; and the release of such information is necessary to prevent or significantly reduce the possibility of such threat.

Sec.211(c)  Limitations  Every disclosure of protected health information under this section shall be limited to the minimum amount of information necessary to achieve the purposes of this section. A recipient of information pursuant to this section may use or disclose such information solely to carry out the purposes of this section. Protected health information disclosed under this section must be clearly identified as protected health information that is subject to this Act.

Public Health

Sec.212(a)  General Rule  An entity covered by this Act may disclose protected health information concerning an individual to a public health authority where there is a specific nexus between the individual's identity and a threat of a specific disease, death, or injury to any individual or to the public health; and the individual's identity would allow such public health authority to prevent or significantly reduce the possibility of injury or death to any individual or the public health, such as the creation and use of disease registries established under Federal or State law.

Sec.212(b)  Exception  An entity shall not be liable for the disclosure of protected health information to a public health authority based upon a good faith belief and credible representation made by such authority that such information was required to protect an individual or the public health from a threat of a specific disease, injury, or death; or if such disclosure is made pursuant to Federal or State laws which are designed to protect the public health or safety.

Protection and Advocacy Agencies

Sec.213(a)  General Rule  Any person who creates or receives protected health information under this title may disclose protected health information to an agency charged by law to protect the health and safety of individuals when such agency can establish that there is probable cause to believe that an individual who is the subject of the protected health information is vulnerable to abuse or neglect by an entity providing health or social services to such individual.

Sec.213(b)  Limitations  Every disclosure of protected health information under this section shall be limited to the minimum amount of information necessary to achieve the purposes of this section. A recipient of information pursuant to this section may use or disclose such information solely to achieve the purposes of this section. Protected health information disclosed under this section must be clearly identified as protected health information that is subject to this Act.

Oversight

Sec.214(a)  General Rule  An entity covered by this Act may disclose protected health information concerning an individual to a health oversight agency to enable the agency to perform a health oversight function authorized by law only if the agency:

  • does not record the name, social security number, or other identifying information of the individual from patient or client files;

  • identifies the individual in all workpapers and electronic records by either relying upon a unit record number contained in the file or by using another formula to scramble or otherwise safeguard the identifying information; and

  • does not remove protected health information from the premises, custody or control of such entity.

Sec.214(b)  Nonidentifiable Information  An entity described in subsection (a) may disclose health information concerning an individual to a health oversight agency to perform a health oversight function authorized by law when any information that could reasonably be expected to identify the individual has been removed or concealed.
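Sec. 214(a) and (b) describe two ways an oversight agency can work without carrying a person's identity into its workpapers: keep only a unit record number from the file, or apply "another formula to scramble or otherwise safeguard the identifying information", and in (b) remove anything that could reasonably identify the individual. The block below is an added example, not part of the analysis or the bill, of one such formula: a keyed HMAC over the unit record number yields a reference that is stable within one engagement (so the same file is recognisable across workpapers) but cannot be reversed or matched against another engagement keyed differently. The set of fields treated as direct identifiers, the field names, the sample file and the idea that the disclosing entity holds the engagement key are all assumptions made for the demonstration.

```python
"""Added example: keyed pseudonymisation of a patient file for oversight
workpapers (Sec. 214(a)) and a check that no direct identifier survived
(Sec. 214(b)). Field names and sample data are constructed."""
import hashlib
import hmac
from typing import Any, Dict

# Assumed list of direct identifiers; the bill names name and social security
# number explicitly, the others are added here as a reasonable extension.
DIRECT_IDENTIFIERS = {"name", "ssn", "address", "phone", "date_of_birth"}
UNIT_FIELD = "unit_record_number"


def unit_reference(unit_record_number: str, engagement_key: bytes) -> str:
    """One-way, keyed reference for a file.

    HMAC-SHA256 under an engagement-specific key: the same number always maps
    to the same reference within the engagement, a different key gives an
    unrelated reference, and without the key the number cannot be recovered.
    Truncated to 64 bits, which is ample for linking rows inside one review."""
    mac = hmac.new(engagement_key, unit_record_number.encode("utf-8"), hashlib.sha256)
    return "UR-" + mac.hexdigest()[:16]


def to_workpaper(patient_file: Dict[str, Any], engagement_key: bytes) -> Dict[str, Any]:
    """Build the oversight record from a patient file.

    Direct identifiers are never copied; the unit record number itself is
    dropped and replaced by its keyed reference, so the workpaper carries no
    field that could be matched back to the source file without the key."""
    workpaper = {k: v for k, v in patient_file.items()
                 if k not in DIRECT_IDENTIFIERS and k != UNIT_FIELD}
    workpaper["unit_ref"] = unit_reference(patient_file[UNIT_FIELD], engagement_key)
    return workpaper


def leaks_identifiers(record: Dict[str, Any]) -> bool:
    """True if any direct identifier or the raw unit record number is present."""
    return any(k in record for k in DIRECT_IDENTIFIERS | {UNIT_FIELD})


# Constructed sample file, not a real patient record.
SAMPLE_FILE: Dict[str, Any] = {
    "unit_record_number": "U-000123",
    "name": "Patient A",
    "ssn": "000-00-0000",
    "admit_date": "1997-11-04",
    "procedure_code": "12345",
    "billed_amount": "410.00",
}


if __name__ == "__main__":
    key = b"engagement-key-1"          # constructed; in practice generated per engagement
    print(to_workpaper(SAMPLE_FILE, key))
```

Because the reference is keyed, the agency can reconcile rows it already holds but gains no ability to look up a person from the reference; the entity that holds the key is the only party able to go from reference back to file, which matches the subsection's aim of keeping identifying information on the entity's premises.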

Sec.214(c)  Prohibition on Use in Actions Against Individuals  Protected health information about an individual that is disclosed under this section may not be used in, or disclosed to any person for use in, an administrative, civil, or criminal action or investigation directed against the individual.

Sec.214(d)  Authorization by a Supervisor  For purposes of this section, the individual with authority to authorize the oversight function involved shall provide to the entity described in subsections (a) or (b) a statement that the protected health information is being sought for a legally authorized oversight function.

Sec.214(e)  Limitations  Every disclosure of protected health information shall be limited to the minimum amount of information necessary to achieve the purposes of this section. A recipient of information may use or disclose such information solely to achieve the purposes of this section. Nothing in this section permitting the disclosure of protected health information shall be construed to require such disclosure. Protected health information disclosed under this section must be clearly identified as protected health information that is subject to this Act.

Disclosure for Law Enforcement Purposes

Sec.215(a)  Law Enforcement Access to Protected Health Information  A health care provider, health researcher, health plan, health oversight agency, employer, health or life insurer, school, university, or the agent of any such individual or entity, or person who receives protected health information pursuant to section 211, may disclose protected health information to a law enforcement authority only if the disclosure is made pursuant to a court order issued by a court of competent jurisdiction in accordance with subsections (b) and (c) or otherwise ordered by a court of competent jurisdiction.

Sec.215(b)  Court Orders for Access to Protected Health Information  A court order for the disclosure of protected health information under subsection (a) may be issued only if the law enforcement authority involved submits a written application upon oath or affirmation and demonstrates by clear and convincing evidence that the protected health information sought is necessary to a legitimate law enforcement inquiry into a particular violation of criminal law being conducted by the authority; the investigative or evidentiary needs of the law enforcement authority cannot be satisfied by nonidentifiable health information or by any other information; and the law enforcement need for the information outweighs the privacy interest of the individual to whom the information pertains.

Sec.215(c)(1)  Notice  Except as provided in paragraph (2), no order for the disclosure of protected health information about an individual may be issued by a court under this section unless notice of the application for the order has been served on the individual who is the subject of the information involved and the individual has been afforded an opportunity to oppose the issuance of the order.

Sec.215(c)(2)  Notice Not Required  An order for the disclosure of protected health information about an individual may be issued without notice to the individual if the court finds, by clear and convincing evidence, that notice would be impractical because the name and address of the individual are unknown; or notice would risk destruction or unavailability of the evidence.

Sec.215(d)  Conditions  Upon the granting of an order for disclosure of protected health information the court shall impose appropriate safeguards to ensure the confidentiality of such information and to protect against unauthorized or improper use or disclosure.

Sec.215(e)  Limitation on Use and Disclosure for Other Law Enforcement Inquiries  Protected health information about an individual that is disclosed under this section may not be used in, or disclosed to any person for use in, any administrative, civil, or criminal action or investigation directed against the individual, unless the action or investigation arises out of, or is directly related to, the law enforcement inquiry for which the information was obtained.

Sec.215(f)  Destruction or Return of Information  When the matter or need for which protected health information was disclosed to a law enforcement agency or grand jury has concluded, including any derivative matters arising from such matter or need, the law enforcement agency or grand jury shall either destroy the protected health information, or return it to the person from whom it was obtained.

Sec.215(g)  Redactions  To the extent practicable, and consistent with the requirements of due process, a law enforcement agency shall redact personally identifying information from protected health information prior to the public disclosure of such protected information in a judicial or administrative proceeding.

Sec.215(h)  Limitations  Every disclosure of protected health information shall be limited to the minimum amount of information necessary to fulfill the purposes of this section. A recipient of information may use or disclose such information solely to fulfill the purposes of this section. Protected health information disclosed under this section must be clearly identified as protected health information that is subject to this Act.

Sec.215(i)  Exception  This section shall not be construed to limit or restrict the ability of law enforcement authorities to gain information while in hot pursuit of a suspect or if other exigent circumstances exist.

Subtitle C--Special Rules Governing Disclosure

Next of Kin and Directory Information

Sec.221(a)  Next of Kin  A health care provider, or a person who receives protected health information under section 211, may not disclose protected health information regarding an individual to the individual's next of kin, or to another person whom the individual has identified, unless at the time of the treatment of the individual:

  • the individual who is the subject of the information has been notified of the individual's right to object to such disclosure and the individual has not objected to the disclosure; or

  • the individual is in a physical or mental condition such that the individual is not capable of objecting, and there are no prior indications that the individual would object; and

  • the information disclosed relates to health care currently being provided to that individual.

Sec.221(b)  Directory Information  Except as provided in this section, an entity described in subsection (a) may not disclose the information to any person unless, at the time of the admission of the individual who is the subject of the information to a facility, the individual:

  • has been notified of the individual's right to object and the individual has not objected to the disclosure; or

  • is in a physical or mental condition such that the individual is not capable of objecting and there are no prior indications that the individual would object.

If disclosure of the individual's location would reveal specific information about the individual's physical or mental condition, such disclosure may not be made unless the individual expressly authorizes it. In addition, a disclosure may not be made if the health care provider has reason to believe that the disclosure of the directory or next of kin information could lead to the physical or mental harm of the individual, unless the individual expressly authorizes such disclosure.

Sec.221(c)  Identification of Deceased Individual  An entity described in subsection (a) may disclose protected health information if such disclosure is necessary to assist in the identification of a deceased individual.

Sec.221(d)  Rights of Minors  In the case of an individual who is 18 years of age or older, all rights of the individual shall be exercised by the individual. In the case of an individual who, acting alone, can obtain a type of health care without violating any applicable law, and who has sought such care, the individual shall exercise all rights of an individual under this title with respect to protected health information relating to such health care. In the case of an individual who is under 14 years of age, all of the individual's rights under this title shall be exercised through the parent or legal guardian. In the case of an individual who is 14 through 17 years of age, the rights of inspection and supplementation, and the right to authorize use and disclosure of protected health information of the individual, shall be exercised by the individual, or by the parent or legal guardian of the individual.

Sec.221(e)  General Rules  Every disclosure of protected health information under this section shall be limited to the minimum amount of information necessary to achieve the purposes of this section. Nothing in this section permitting the disclosure of protected health information shall be construed to require such disclosure.

Health Research

Sec.222(a)  In General  The section applies the current Federal requirements and protections provided for Federally funded research to research conducted by all research facilities using personally identifiable health information. The Secretary shall promulgate regulations to implement this subsection through notice and comment rulemaking.

Sec.222(b)  Evaluation  Not later than 1 year after the date of enactment of this Act, the Secretary shall prepare and submit to Congress detailed recommendations on whether written informed consent should be required, and if so, under what circumstances, before personally identifiable data can be used for medical research.

Sec.222(c)  Recommendations  The recommendations required to be submitted under subsection (b) shall include:

  • a detailed explanation of current institutional review board practices, including under what circumstances informed consent is being waived and the extent to which the privacy of individuals is taken into account as a factor before allowing waivers;

  • a summary of how technology could be used to strip identifying data for the purposes of research;

  • an analysis of the risks and benefits of requiring informed consent versus the waiving of informed consent; and

  • an analysis of the risks and benefits of using protected health information for research purposes other than the health research project for which such information was obtained.

Sec.222(d)  Compliance with Deadline  Notwithstanding any other provision of law, if the Secretary does not submit the recommendations to Congress by the date described in subsection (b), the authority of the Secretary to permit the conduct of medical research using personally identifiable data without written informed consent shall be terminated.

Sec.222(e)  Consultation  In carrying out this section, the Secretary shall consult with individuals who have distinguished themselves in the fields of health research, privacy, related technology, consumer interests in health information, health data standards, and the provision of health services.

Sec.222(f)  Congressional Notice  Not later than 6 months after the date on which the Secretary submits to Congress the recommendations required under subsection (b), the Secretary shall propose to implement such recommendations through notice and comment rulemaking and shall advise Congress of such proposal.

Sec.222(g)  Termination of Inconsistent Authority  Notwithstanding any other provision of law, if the Secretary determines that prior written informed consent is appropriate for some or all research using personally identifiable health information, the authority of the Secretary to promulgate regulations inconsistent with that determination shall be terminated 6 months after the date on which such determination is made pursuant to this Act.

Sec.222(h)(1)  Other Requirements.   Obligations of the Recipient--At the earliest opportunity consistent with the purposes of the project involved, information that would enable an individual to be identified shall be removed or destroyed, unless an institutional review board has determined that there is a health or research justification for the retention of such identifiers, and there is an adequate plan to protect the identifiers from disclosure consistent with this section.

Sec.222(h)(2)  Other Requirements.   Periodic Review and Technical Assistance--Any institutional review board that authorizes research under this section shall provide the Secretary with the names and addresses of the institutional review board members. The Secretary may provide technical assistance to institutional review boards. The Secretary shall periodically monitor institutional review boards. Not later than 3 years after the date of enactment of this Act, the Secretary shall report to Congress regarding the activities of institutional review boards described in this subsection.

Sec.222(i)  Limitation  Nothing in this section shall be construed to permit personally identifiable health information that is received by a researcher under this section to be accessed for purposes other than research or as authorized by the individual.

Judicial and Administrative Purposes

Sec.223(a)  In General  A health care provider, health plan, health oversight agency, employer, health or life insurer, school or university, or the agent of any such individual or entity, or person who receives protected health information under section 211, may disclose protected health information:

  • pursuant to the standards and procedures established in the Federal Rules of Civil Procedure, the Federal Rules of Criminal Procedure, or comparable rules of other courts or administrative agencies, in connection with litigation or proceedings to which the individual who is the subject of the information is a party and in which the individual has placed his or her physical or mental condition at issue;

  • to a court, and to others ordered by the court, if in response to a court order issued by a court of competent jurisdiction in accordance with subsections (b) and (c); or

  • if necessary to present to a court an application regarding the provision of treatment of an individual or the appointment of a guardian pursuant to a law requiring the reporting of specific medical information to law enforcement authorities.

Sec.223(b)  Court Orders for Access to Protected Health Information  A court order for the disclosure of protected health information under subsection (a) may be issued only if the person seeking disclosure submits a written application upon oath or affirmation and demonstrates by clear and convincing evidence that:

  • the protected health information sought is necessary for the adjudication of a material fact in dispute in a civil or criminal proceeding;

  • the adjudicative need cannot be satisfied by nonidentifiable health information or by any other information; and

  • the need for the information outweighs the privacy interest of the individual to whom the information pertains.

Sec.223(c)(1)  Notice. In General  Except as provided in paragraph (2), no order for the disclosure of protected health information about an individual may be issued by a court unless notice of the application for the order has been served on the individual and the individual has been afforded an opportunity to oppose the issuance of the order.

Sec.223(c)(2)  Notice. Notice Not Required  An order for the disclosure of protected health information about an individual may be issued without notice to the individual if the court finds, by clear and convincing evidence, that notice would be impractical because the name and address of the individual are unknown; or notice would risk destruction or unavailability of the evidence.

Sec.223(d)(1)  Obligations of Recipient. In General  A person seeking protected health information pursuant to paragraph (1) of subsection (a):

  • must notify the individual or the individual's attorney of the request for the information;

  • must provide the health care provider, health plan, health oversight agency, employer, insurer, health or life insurer, school or university, or agent, or person involved with a signed document attesting that the individual has placed his or her physical or mental condition at issue in litigation or proceedings in which the individual is a party; and the date on which the individual or the individual's attorney was notified; and

  • must not accept any requested protected health information from the health care provider, health plan, health oversight agency, employer, insurer, health or life insurer, school or university, or agent, or person until the termination of the 10-day period beginning on the date notice was given.

Sec.223(d)(2)  Obligations of Recipient.   Disclosure for Purpose Only--A person who receives protected health information pursuant to subsection (a) may disclose the information only to accomplish the purpose for which the protected health information was obtained.

Sec.223(e)  Limitations  Every disclosure of protected health information shall be limited to the minimum amount of information necessary to achieve the purposes of this section. Nothing in this section permitting the disclosure of protected health information shall be construed to require such disclosure. Protected health information disclosed under this section must be clearly identified as protected health information that is subject to this Act.

Individual Representatives

Sec.224(a)  In General  Except as provided in subsections (b) and (c), a person who is authorized by law (based on grounds other than the individual being a minor), or by an instrument recognized under law, to act as an agent, attorney, proxy, or other legal representative of a protected individual, may, to the extent so authorized, exercise and discharge the rights of the individual under this Act.

Sec.224(b)  Health Care Power of Attorney  A person who is authorized by law (based on grounds other than being a minor), or by an instrument recognized under law, to make decisions about the provision of health care to an individual who is incapacitated, may exercise and discharge the rights of the individual under this Act to the extent necessary to effectuate the terms or purposes of the grant of authority.

Sec.224(c)  No Court Declaration  If a physician or other health care provider determines that an individual, who has not been declared to be legally incompetent, suffers from a medical condition that prevents the individual from acting knowingly or effectively on the individual's own behalf, the right of the individual to authorize disclosure under this Act may be exercised and discharged in the best interest of the individual by a person described in subsection (b) with respect to the individual; a person described in subsection (a) with respect to the individual, but only if a person described in paragraph cannot be contacted after a reasonable effort; the next of kin of the individual, but only if a person described in paragraph cannot be contacted after a reasonable effort; or the health care provider, but only if a person described in paragraph cannot be contacted after a reasonable effort.

Sec.224(d)  Application to Deceased Individuals  The provisions of this Act shall continue to apply to protected health information concerning a deceased individual for a period of 2 years following the death of that individual.

Sec.224(e)  Exercise of Rights on Behalf of a Deceased Individual  A person who is authorized by law or by an instrument recognized under law, to act as an executor of the estate of a deceased individual, or otherwise to exercise the rights of the deceased individual, may, to the extent so authorized, exercise and discharge the rights of such deceased individual under this Act for a period of 2 years following the death of that individual. If no such designee has been authorized, the rights of the deceased individual may be exercised as provided for in subsection (c).

Prohibition Against Retaliation.

Sec.325  A health care provider, health researcher, health plan, health oversight agency, employer, health or life insurer, school or university, or the agent of any such individual or entity, or person who receives protected health information under section 211 may not adversely affect another person, directly or indirectly, because such person has exercised a right under this Act, disclosed information relating to a possible violation of this Act, or associated with, or assisted a person in the exercise of a right under this Act.

Title III--Office of Health Information Privacy of the Department of Health and Human Services

Subtitle A--Establishment

Establishment.

Sec.301(a)  In General  There is established within the Department of Health and Human Services an office to be known as the Office of Health Information Privacy. The Office shall be headed by a director, who shall be appointed by the Secretary.

Sec.301(b)  Duties  The Director of the Office of Health Information Privacy shall:

  • receive and investigate complaints of alleged violations of this Act;

  • provide for the conduct of audits where appropriate;

  • provide guidance to the Secretary in the implementation of this Act;

  • prepare and submit the report described in subsection (c);

  • consult with, and provide recommendations to, the Secretary concerning improvements in the privacy and security of protected health information and concerning medical privacy research needs; and

  • carry out any other activities determined appropriate by the Secretary.

Sec.301(c)  Report on Compliance  Not later than January 1, 1999, and every January 1 thereafter, the Director of the Office of Health Information Privacy shall prepare and submit to Congress a report concerning the number of complaints of alleged violations of this Act that are received during the year for which the report is being prepared. Such report shall describe the complaints and any remedial action taken concerning such complaints.

Subtitle B--Enforcement

Chapter 1--Criminal Provisions

Wrongful Disclosure of Protected Health Information.

Sec.311  This section amends Part I of title 18, United States Code. The amendment provides that a person that knowingly and intentionally obtains or discloses protected health information relating to an individual in violation of title II of this Act shall:

  • be fined not more than $50,000, imprisoned not more than 1 year, or both;

  • be fined not more than $250,000, imprisoned not more than 5 years, or any combination of such penalties, if the offense is committed under false pretenses;

  • be fined not more than $500,000, imprisoned not more than 10 years, excluded from participation in any Federally funded health care programs, or any combination of such penalties, if the offense is committed with the intent to sell, transfer, or use protected health information for commercial advantage, personal gain, or malicious harm.

These penalties shall be doubled for every subsequent violation.

Debarment for Crimes.

Sec.312(a)  Purpose  The purpose of this section is to promote the prevention and deterrence of instances of intentional criminal actions which violate criminal laws which are designed to protect the privacy of protected health information in a manner consistent with this Act.

Sec.312(b)  Debarment  Within 270 days after the date of enactment of this Act, the Attorney General, in consultation with the Secretary, shall promulgate regulations and establish procedures to permit the debarment of health care providers, health researchers, health or life insurers, or schools or universities from receiving benefits under any Federal health programs if the managers or officers of such entities are:

  • found guilty of violating section 2801 of title 18, United States Code;

  • found liable in any civil or administrative proceeding concerning the illegal disclosure of protected health information; or

  • found guilty of making a false statement or obstructing justice related to attempting to conceal or concealing such illegal disclosure.

Such regulations shall take into account the need for continuity of medical care and may provide for a delay of any debarment imposed under this section to take into account the medical needs of patients.

Sec.312(c)  Consultation  The Attorney General shall consult with a wide range of groups representing different interests before promulgating regulations under subsection (b).

Sec.312(d)  Report  The Attorney General shall annually prepare and submit to the Committee on the Judiciary of the House and Senate a report concerning the activities and debarment actions taken under this section.

Sec.312(e)  Assistance to Prevent Criminal Violations  The Attorney General may provide advice, training, technical assistance, and guidance regarding ways to reduce the incidence of improper disclosure of protected health information.

Sec.312(f)  Relationship to Other Authorities  A debarment imposed under this section shall not reduce or diminish the authority of a Federal, State, or local governmental agency or court to penalize, imprison, fine, suspend, debar, or take other adverse action against a person, in a civil, criminal, or administrative proceeding.

Chapter 2--Civil Sanctions

Civil Penalty.

Sec.321(a)  Violation  Where the Office of Health Information Privacy determines that there has been a violation of this Act, the entity shall be subject:

  • in a case in which the violation relates to title I, to a civil penalty of not more than $500 for each such violation, but not to exceed $5,000 in the aggregate for multiple violations;

  • in a case in which the violation relates to title II, to a civil penalty of not more than $10,000 for each such violation, but not to exceed $50,000 in the aggregate for multiple violations; or

  • in a case in which the Office finds that such violations have occurred with such frequency as to constitute a general business practice, to a civil penalty of not more than $100,000.

Sec.321(b)  Procedures for Imposition of Penalties  Section 1128A of the Social Security Act, other than subsections (a) and (b) and the second sentence of subsection (f) of that section, shall apply to the imposition of a civil, monetary, or exclusionary penalty under this section in the same manner as such provisions apply with respect to the imposition of a penalty under section 1128A of such Act.

Procedures for Imposition of Penalties.

Sec.322(a)  Initiation of Proceedings  The director of the Office of Health Information Privacy, in consultation with the Attorney General, may initiate a proceeding to determine whether to impose a civil money penalty.

[The rest of this section outlines the procedures the director must follow in order to impose a civil penalty.]

Civil Action by Individuals.

Sec.323(a) In General   Any individual whose rights under this Act have been knowingly or negligently violated may bring a civil action to recover such preliminary and equitable relief as the court determines to be appropriate; and the greater of compensatory damages or liquidated damages of $5,000.

Sec.323(b)  Punitive Damages   For a knowing violation of this Act, the court may award punitive damages.

Sec.323(c)  Attorney's Fees  In the case of a civil action brought under subsection (a) in which the individual has substantially prevailed, the court may assess against the respondent a reasonable attorney's fee and other litigation costs and expenses (including expert fees) reasonably incurred.

Sec.323(d)  Limitation  No action may be commenced under this section more than 3 years after the date on which the violation was or should reasonably have been discovered.

Title IV--Miscellaneous

Relationship to Other Laws.

Sec.401(a)  Federal and State Laws  Nothing in this Act shall be construed as preempting, superseding or repealing, explicitly or implicitly, other Federal or State laws or regulations relating to protected health information or relating to an individual's access to protected health information or health care services if such laws or regulations provide protections for the rights of individuals to the privacy of, and access to, their health information that are greater than those provided for in this Act.

Sec.401(b)  Privileges  Nothing in this Act shall be construed to preempt or modify any provisions of State statutory or common law to the extent that such law concerns a privilege of a witness or person in a court of that State. This Act shall not be construed to supersede or modify any provision of Federal statutory or common law to the extent such law concerns a privilege of a witness or person in a court of the United States. Authorizations pursuant to section 202 shall not be construed as a waiver of any such privilege.

Sec.401(c)  Certain Duties Under Law  Nothing in this Act shall be construed to preempt, supersede, or modify the operation of any State law that:

  • provides for the reporting of vital statistics such as birth or death information;

  • requires the reporting of abuse or neglect information about any individual;

  • regulates the disclosure or reporting of information concerning an individual's mental health or communicable disease status otherwise permissible under this Act; or

  • governs a minor's rights to access protected health information or health care services.

Sec.401(d)  Federal Privacy Act  The Federal Privacy Act is amended to allow for the promulgation of rules in accordance with this Act.

Sec.401(e)  Constitution  Nothing in this Act shall be construed to alter, diminish, or otherwise weaken existing legal standards under the Constitution regarding the confidentiality of protected health information.

Effective Date.

Sec.402  Effective Date  Unless specifically provided for otherwise, this Act shall take effect on the date that is 12 months after the promulgation of the regulations required under subsection (b) but in no event later than the date that is 30 months after the date of enactment of this Act or 6 months after the promulgation of such regulations, whichever is earlier. Not later than 12 months after the date of enactment of this Act, or as specifically provided for otherwise, the director of the Office of Health Information Privacy shall promulgate regulations implementing this Act.
