26 May 1998
Source: http://www.access.gpo.gov/su_docs/aces/aaces002.html

-------------------------------------------------------------------------

[DOCID: f:h3900ih.txt]

105th CONGRESS
  2d Session
                                H. R. 3900

 To establish Federal penalties for prohibited uses and disclosures of
 individually identifiable health information, to establish a right in
an individual to inspect and copy their own health information, and for
                            other purposes.

_______________________________________________________________________

                    IN THE HOUSE OF REPRESENTATIVES

                              May 19, 1998

  Mr. Shays (for himself and Mr. Barrett of Wisconsin) introduced the
following bill; which was referred to the Committee on Commerce, and in
addition to the Committees on Ways and Means, and Government Reform and
 Oversight, for a period to be subsequently determined by the Speaker,
 in each case for consideration of such provisions as fall within the
                jurisdiction of the committee concerned

_______________________________________________________________________

                                 A BILL


 To establish Federal penalties for prohibited uses and disclosures of
 individually identifiable health information, to establish a right in
an individual to inspect and copy their own health information, and for
                            other purposes.

    Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Consumer Health
and Research Technology (CHART) Protection Act''.
    (b) Table of Contents.--The table of contents for this Act is as
follows:

Sec. 1. Short title; table of contents.
              TITLE I--RESTRICTIONS ON USE AND DISCLOSURE

Sec. 101. General prohibitions and exceptions.
Sec. 102. Special rules for anonymized information.
Sec. 103. General requirements for authorization of disclosure of
                            information.
Sec. 104. Disclosure in civil proceedings.
Sec. 105. Disclosure for criminal law enforcement purposes.
Sec. 106. Disclosures for archival research.
                     TITLE II--INDIVIDUALS' RIGHTS

Sec. 201. Inspection and copying of health information.
Sec. 202. Amendment of individually identifiable health information.
Sec. 203. Notice of confidentiality practices.
                         TITLE III--ENFORCEMENT

Sec. 301. Criminal penalties.
Sec. 302. Civil action.
Sec. 303. Program exclusions.
                      TITLE IV--GENERAL PROVISIONS

Sec. 401. Standards for electronic disclosures.
Sec. 402. Authorized representatives.
Sec. 403. Relationship to other laws.
Sec. 404. Reports analyzing impact of Act.
Sec. 405. Effective date.
Sec. 406. Definitions.

              TITLE I--RESTRICTIONS ON USE AND DISCLOSURE

SEC. 101. GENERAL PROHIBITIONS AND EXCEPTIONS.

    Except as otherwise provided in this Act, and subject to the
following exceptions, the following prohibited actions and inactions on
the part of a person shall be considered a violation of this Act:
            (1) Disclosure in absence of, or inconsistent with,
        authorization.--
                    (A) In general.--Subject to the exceptions
                described in subparagraph (B)--
                            (i) a negligent or intentional disclosure
                        of individually identifiable health information
                        without an authorization with respect to the
                        information that satisfies the requirements of
                        section 103, is prohibited, unless the
                        disclosure is governed by section 104 or 105;
                        and
                            (ii) a negligent or intentional disclosure
                        of individually identifiable health
                        information, by a person granted authority
                        under an authorization with respect to the
                        information that satisfies the requirements of
                        section 103, that is inconsistent with the
                        provisions of the authorization, is prohibited.
                    (B) Exceptions.--A disclosure otherwise prohibited
                under subparagraph (A) is not prohibited when--
                            (i) made by an individual whose health or
                        health care is the subject of the information
                        (or an authorized representative of such an
                        individual, pursuant to section 402);
                            (ii) made for the purpose of providing, or
                        facilitating the provision of, health care to
                        an individual described in clause (i);
                            (iii) made for the purpose of facilitating
                        payment activities related to health care
                        provided to an individual described in clause
                        (i);
                            (iv) made pursuant to a specific
                        affirmative authorization, or a requirement,
                        under State or Federal law, for use in legally
                        authorized--
                                    (I) reporting of abuse, domestic
                                violence, or neglect information about
                                any individual;
                                    (II) disease or injury reporting
                                about any individual;
                                    (III) public health surveillance,
                                such as birth and death reporting;
                                    (IV) public health investigation or
                                intervention;
                                    (V) management audits, financial
                                audits, or program monitoring and
                                evaluation; or
                                    (VI) licensure, certification,
                                accreditation, utilization review,
                                quality assurance activities,
                                 benchmarking, or outcomes management and
                                 assessment;
                            (v) made pursuant to an authorization
                        granted in a contract providing health care
                        benefits for an individual described in clause
                        (i), for the purpose of licensure,
                        certification, accreditation, utilization
                        review, quality assurance activities,
                        benchmarking, or outcomes management and
                        assessment;
                            (vi) made to a health researcher--
                                    (I) in accordance with a research
                                protocol approved by an institutional
                                review board; or
                                    (II) in accordance with section
                                106(a); or
                            (vii) made to a party to, or potential
                        party to, a merger or acquisition of a
                        commercial enterprise, in anticipation of, or
                        upon, the merger or acquisition.
            (2) Failure to provide for reasonable protections against
        prohibited disclosures.--
                    (A) In general.--Subject to the exception described
                in subparagraph (B), a negligent or intentional failure
                to provide for reasonable protections against
                disclosures of individually identifiable health
                information that are prohibited under this Act is
                prohibited, including--
                            (i) a failure to establish and enforce
                        reasonable and appropriate administrative,
                        technical, and physical safeguards--
                                    (I) to ensure the confidentiality
                                of individually identifiable health
                                information; and
                                    (II) to protect against--
                                            (aa) any reasonably
                                        anticipated threats or hazards
                                        to the security or integrity of
                                        such information; and
                                            (bb) unauthorized uses or
                                        disclosures of the information;
                            (ii) a failure to establish procedures for
                        determining a response to a subpoena, warrant,
                        court order, or other request from a government
                        authority for disclosure of such information;
                        and
                            (iii) a failure to provide for secure
                        destruction of such information, where
                        destruction of the information is desired.
                    (B) Exception.--A failure described in subparagraph
                (A) is not prohibited when it is by an individual whose
                health or health care is the subject of the information
                (or an authorized representative of such an individual,
                pursuant to section 402).
            (3) Failure to implement written policies for compliance.--
                    (A) In general.--Subject to the exception described
                in subparagraph (B), with respect to a person whose
                employees, agents, or contractors come in contact with
                individually identifiable health information in the
                course of their employment, agency, or contract
                execution, a negligent or intentional failure to
                establish and implement written policies concerning
                compliance with this Act is prohibited, including--
                            (i) a failure to establish procedures for
                        monitoring access to individually identifiable
                        health information;
                            (ii) a failure to establish rules limiting
                        access to such information to persons whose
                        duties require such access; and
                            (iii) a failure to provide for the
                        enforcement of such policies.
                    (B) Exception.--A failure described in subparagraph
                (A) is not prohibited when it is by an individual whose
                health or health care is the subject of the information
                (or an authorized representative of such an individual,
                pursuant to section 402).
            (4) Failure to enter into written agreement with business
        associates respecting compliance.--A negligent or intentional
        failure to enter into a written agreement with an agent,
        contractor, or other person to whom individually identifiable
        health information is disclosed for a business purpose (such as
        persons who encode or encrypt information, data management
        contractors, and utilization review and accreditation
        organizations), prior to such disclosure, specifying the
        limitations on their use and retention of such information and
        informing them of their responsibilities under this Act, is
        prohibited.
            (5) Compliance with research requirements.--A negligent or
        intentional action is prohibited where it consists of--
                    (A) a disclosure for health research purposes of
                individually identifiable health information that--
                            (i) has not been approved by an
                        institutional review board; or
                            (ii) does not satisfy the requirements of
                        section 106; or
                    (B) a use or disclosure of individually
                identifiable health information in violation of--
                            (i) a research protocol approved by an
                        institutional review board or any other
                        requirement or condition concerning such use or
                        disclosure established by such a review board;
                        or
                            (ii) any requirement or condition
                        concerning such use or disclosure established
                        by a person making, or approving, a disclosure
                        under section 106.
            (6) Anonymized information.--A use of anonymized
        information, or an encryption key or coding system used to
        anonymize information, in violation of section 102, is
        prohibited.
            (7) Civil proceeding.--A negligent or intentional
        disclosure of individually identifiable health information
        pursuant to a subpoena or discovery request related to a civil
        proceeding, in violation of section 104, is prohibited.
            (8) Criminal proceeding.--A negligent or intentional
        disclosure of individually identifiable health information for
        a criminal law enforcement purpose, in violation of section
        105, or a negligent or intentional use of information obtained
        pursuant to such section in violation of the section, is
        prohibited.
            (9) Sale or commercial publication.--
                    (A) In general.--Subject to the exceptions
                described in subparagraph (B), an intentional
                disclosure of individually identifiable health
                information that constitutes a sale or commercial
                publication of the information, is prohibited.
                    (B) Exceptions.--A disclosure otherwise prohibited
                under subparagraph (A) is not prohibited when--
                            (i) the disclosure is made by an individual
                        whose health or health care is the subject of
                        the information (or an authorized
                        representative of such an individual, pursuant
                        to section 402); or
                            (ii) the disclosure is made to a person
                        having a written authorization permitting the
                        disclosure that satisfies the requirements of
                        section 103.
            (10) Fraud or misrepresentation.--Use of fraud, duress,
        deceit, or misrepresentation to obtain access to individually
        identifiable health information is prohibited.

SEC. 102. SPECIAL RULES FOR ANONYMIZED INFORMATION.

    (a) Definition.--For purposes of this Act, the term ``anonymized
information'' means individually identifiable health information from
which personal identifiers and means of directly contacting any subject
of the information (including name, address, and social security
number), have been removed, encrypted, or replaced with a code, in a
manner such that the identity of any such subject is not apparent from
the facts contained in the information, but may, in the case of
encrypted or coded information, be determined by a person with access
to the encryption key or coding system. Such term does not include any
such encryption key or coding system.
    (b) Use.--
            (1) In general.--Subject to paragraph (2), a person may use
        anonymized information, or an encryption key or coding system
        described in subsection (c)(2), for any lawful purpose, if the
        person, in such use, does not--
                    (A) attempt to identify any individual with respect
                to whom information has been removed, encrypted, or
                replaced with a code; or
                    (B) intentionally use the anonymized information,
                the key, or the coding system in any way that results
                in the identification of any such individual.
            (2) Exceptions.--A use otherwise prohibited under paragraph
        (1) is not prohibited when any of the following circumstances
        apply:
                    (A) The use is by an individual whose health or
                health care is the subject of the information (or an
                authorized representative of such an individual,
                pursuant to section 402).
                    (B) The use is by a person having an authorization
                permitting the use that satisfies the requirements of
                section 103.
                    (C) The use is for the purpose of providing, or
                facilitating the provision of, health care to an
                individual described in subparagraph (A).
                    (D) The use is for the purpose of facilitating
                payment activities related to health care provided to
                an individual described in subparagraph (A).
                    (E) The use is pursuant to a specific affirmative
                authorization, or a requirement, under State or Federal
                law, for legally authorized--
                            (i) disease or injury reporting;
                            (ii) public health surveillance, such as
                        birth and death reporting, and reporting
                        incidents of abuse, domestic violence, or
                        neglect;
                            (iii) public health investigation or
                        intervention;
                            (iv) management audits, financial audits,
                        or program monitoring and evaluation; or
                            (v) licensure, certification,
                        accreditation, utilization review, quality
                        assurance activities, benchmarking, or outcomes
                        management and assessment.
                    (F) The use is pursuant to an authorization granted
                in a contract providing health care benefits for an
                individual described in subparagraph (A), for the
                purpose of licensure, certification, accreditation,
                utilization review, quality assurance activities,
                 benchmarking, or outcomes management and assessment.
                    (G) The use is by a health researcher and is--
                            (i) in accordance with a research protocol
                        approved by an institutional review board and
                        any other requirement or condition concerning
                        such use established by such a review board; or
                            (ii) in accordance with any requirement or
                        condition concerning such use established by a
                        person making, or approving, a disclosure under
                        section 106.
                    (H) The use is by a party to, or potential party
                to, a merger or acquisition of a commercial enterprise,
                in anticipation of, or upon, the merger or acquisition.
    (c) Disclosure.--
            (1) Anonymized information.--For purposes of this Act,
        disclosure of anonymized information shall not be considered
        disclosure of individually identifiable health information,
        unless it is disclosed with an encryption key or coding system
        described in paragraph (2) in a manner such that the combined
        information satisfies the requirements of section 406(8).
            (2) Encryption key or code.--For purposes of this Act,
        disclosure of an encryption key or coding system that is used
        to determine the identity of any individual with respect to
        whom information has been removed, encrypted, or replaced with
        a code, in order to create anonymized information, shall not be
        considered disclosure of individually identifiable health
        information, unless it is disclosed with anonymized information
        in a manner such that the combined information satisfies the
        requirements of section 406(8).
    (d) Decoded Information.--Formerly anonymized information that has
been manipulated to reveal a part of the information that had been
removed, encrypted, or replaced with a code in order to render it
anonymized information is individually identifiable health information
and is subject, beginning on the date of such manipulation, to all of
the requirements of this part relating to individually identifiable
information.

SEC. 103. GENERAL REQUIREMENTS FOR AUTHORIZATION OF DISCLOSURE OF
              INFORMATION.

    (a) In General.--For purposes of section 101, an authorization
satisfies the requirements of this section if it--
            (1) is in writing;
            (2) is executed by an individual whose health or health
        care is the subject of the information (or an authorized
        representative of such an individual, pursuant to section 402);
        and
            (3) satisfies the requirements of subsection (b).
    (b) Requirements.--An authorization satisfies the requirements in
this subsection if--
            (1) it includes the following:
                    (A) a general statement of the purposes for which
                the individually identifiable health information
                disclosed pursuant to the authorization may be used;
                    (B) a general description of the persons who are
                authorized to use such information;
                    (C) a valid signature of an individual whose health
                or health care is the subject of the information (or an
                authorized representative of such individual);
                    (D) the date of the signature;
                    (E) an expiration date upon which the authorization
                is no longer valid; and
                    (F) reasonable procedures permitting such
                individual or representative to revoke the
                authorization; and
            (2) in a case in which the purposes under paragraph (1)(A)
        include health research, the provisions of the authorization
        that relate to such research--
                    (A) include each of the elements described in
                paragraph (1);
                    (B) are set out separately from the remaining
                provisions and are independent from them; and
                    (C) are subject to separate revocation procedures,
                the use of which does not per se effect a revocation of
                the remaining provisions.
    (c) Effect of Good Faith Reliance on Authorization.--A person shall
not be liable, or subject to punishment under State or Federal law, for
a disclosure of individually identifiable health information, where the
disclosure--
            (1) was made in good faith reliance on an authorization
        executed by the individual that satisfies the requirements of
        this section; and
            (2) was consistent with the provisions of the
        authorization.

SEC. 104. DISCLOSURE IN CIVIL PROCEEDINGS.

    (a) In General.--A person may not disclose individually
identifiable health information for use in a civil law enforcement
investigation, a civil administrative action, or a civil action brought
in Federal or State court, in the absence of--
            (1) an otherwise valid discovery request, an administrative
        subpoena or summons, or a judicial subpoena; and
            (2) an order issued by the presiding judge or official upon
        a determination that the need for the information of the person
        requesting the disclosure substantially outweighs the privacy
        interest of each individual whose health or health care is the
        subject of the information.
    (b) Construction.--This section shall not be construed to supersede
any ground that may otherwise apply under Federal or State law for an
objection to the disclosure of individually identifiable health
information in any civil action.

SEC. 105. DISCLOSURE FOR CRIMINAL LAW ENFORCEMENT PURPOSES.

    (a) In General.--A person may not disclose individually
identifiable health information for a criminal law enforcement
purpose--
            (1) in the absence of--
                    (A) a subpoena issued under the authority of a
                grand jury;
                    (B) an administrative subpoena or summons or a
                judicial subpoena or warrant; or
                    (C) a request otherwise authorized by law from a
                law enforcement agency; and
            (2) in the case of a disclosure under subparagraph (B) or
        (C) of paragraph (1), in the absence of a court order issued
        upon a determination that the need for the information of the
        person requesting the disclosure substantially outweighs the
        privacy interest of each individual whose health or health care
        is the subject of the information.
    (b) Destruction or Return of Information.--When the proceeding for
which individually identifiable health information was disclosed is
concluded, including any derivative matters arising from such
proceeding, the person to whom the disclosure was made shall either
destroy the individually identifiable health information, or return it
to the person from whom it was obtained.
    (c) Redactions.--To the extent practicable, and consistent with the
requirements of due process, a criminal law enforcement agency shall
redact personally identifying information from individually
identifiable health information prior to the public disclosure of such
information in a judicial or administrative proceeding.
    (d) Use of Information.--Individually identifiable health
information obtained by a criminal law enforcement agency pursuant to
this section may only be used for purposes of a legitimate criminal law
enforcement activity.

SEC. 106. DISCLOSURES FOR ARCHIVAL RESEARCH.

    (a) In General.--A person described in subsection (b) may disclose
individually identifiable health information, that was previously
created or collected by the person and maintained by the person in an
archive or other repository, to a health researcher pursuant to this
subsection, if--
            (1) the disclosure is made for the purpose of permitting
        the health researcher to carry out health research that
        involves analysis of the information;
            (2) the disclosure has been reviewed and approved, by a
        board, committee, or other group formally designated by the
        person to review requests for such information, in accordance
        with written standards for confidentiality that specify
        permissible and impermissible uses of such information for
        health research;
            (3) the person enters into a written agreement with the
        health researcher that is consistent with this Act and
        specifies the permissible and impermissible future uses and
        disclosures of the information;
            (4) the person provides notice to the health researcher
        that any future use or disclosure of the information that is
        prohibited under this Act or the agreement described in
        paragraph (3) may provide a basis for a civil action against
        the researcher or may result in other adverse consequences for
        the researcher; and
            (5) the person maintains a permanent record documenting the
        scope and substance of the disclosure.
    (b) Persons Described.--A person described in this subsection is
any of the following:
            (1) A health care provider.
            (2) A health plan.
            (3) A public health authority.
            (4) An employer.
            (5) A health or life insurer.
            (6) A school or university.

                     TITLE II--INDIVIDUALS' RIGHTS

SEC. 201. INSPECTION AND COPYING OF HEALTH INFORMATION.

    (a) In General.--Subject to subsections (b) and (c), a person who
is a health care provider, health plan, employer, health or life
insurer, school, or university shall permit an individual who is the
subject of individually identifiable health information, or the
individual's designee, to inspect and copy individually identifiable
health information concerning the individual, including records created
under section 202, that the person maintains. The person may set forth
appropriate procedures to be followed for such inspection and copying
and may require an individual to pay reasonable fees associated with
such inspection and copying and may require an individual to provide
written authorization of a provider designated by such individual
through which the requested information will be made available.
    (b) Effect of Other Law.--
            (1) Disclosure prohibited by other law.--A person described
        in subsection (a) may not permit the inspection or copying of
        individually identifiable health information under such
        subsection, if such inspection or copying is prohibited by any
        provision of law other than this Act.
            (2) Disclosure limited by other law.--A person described in
        subsection (a) shall limit the inspection or copying of
        individually identifiable health information under such
        subsection to the extent required by, and consistent with, any
        limitation on such inspection or copying in any provision of
        law other than this Act that is applicable to the person.
    (c) Additional Exceptions.--A person described in subsection (a) is
not required to permit the inspection or copying of individually
identifiable health information if any of the following exceptions
apply:
            (1) Endangerment to life or safety.--The person determines
        that the disclosure of the information could reasonably be
        expected to endanger the life or physical safety of any
        individual.
            (2) Confidential source.--The information identifies, or
        could reasonably lead to the identification of, a person who
        provided information under a promise of confidentiality to a
        health care provider or life insurer concerning the individual
        who is the subject of the information.
            (3) Information compiled in anticipation of litigation.--
        The information is compiled principally--
                    (A) in the anticipation of a civil, criminal, or
                administrative action or proceeding; or
                    (B) for use in such action or proceeding.
            (4) Research purposes.--The information was collected for
        or during a clinical trial monitored by an institutional review
        board in which the individual was a participant.
    (d) Denial of a Request for Inspection or Copying.--If a person
described in subsection (a) denies an individual's request for
inspection or copying pursuant to subsection (b) or (c), the person
shall inform the individual of--
            (1) the reasons for the denial of the request for
        inspection or copying;
            (2) any procedures for further review of the denial; and
            (3) the individual's right to file with the person a
        concise statement setting forth the request for inspection or
        copying.
    (e) Statement Regarding Request.--If an individual has filed a
statement under subsection (d)(3), the person, in any subsequent
disclosure of the portion of the information requested under subsection
(a), shall include--
            (1) a notation that such individual has filed a request for
        inspection and that such request was denied; and
            (2) a concise statement of the reasons for denying the
        request for inspection or copying.
    (f) Deadline.--A person described in subsection (a) shall comply
with or deny, in accordance with subsection (d), a request for
inspection or copying of individually identifiable health information
under this section not later than 45 days after the date on which the
person receives the request.
    (g) Rules Governing Agents.--An agent of a person described in
subsection (a) shall not be required to provide for the inspection and
copying of individually identifiable health information, except where--
            (1) the individually identifiable health information is
        retained by the agent; and
            (2) the agent has been asked by the person to fulfill the
        requirements of this section.
    (h) Rule of Construction.--This section shall not be construed to
require a person described in subsection (a) to conduct a formal,
informal, or other hearing or proceeding concerning a request for
inspection or copying of individually identifiable health information.

SEC. 202. AMENDMENT OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION.

    (a) In General.--Not later than 45 days after the date on which a
person who is a health care provider, health plan, employer, health or
life insurer, school, or university receives from an individual who is
a subject of individually identifiable health information a request in
writing to amend the information, the person--
            (1) shall make the amendment requested;
            (2) shall inform the individual of the amendment that has
        been made; and
            (3) shall make reasonable efforts to inform any person who
        is identified by the individual, who is not an officer,
        employer, or agent of the entity, and to whom the unamended
        portion of the information was disclosed during the preceding
        year, of any nontechnical amendment that has been made.
    (b) Refusal To Amend.--If a person described in subsection (a)
refuses to make an amendment requested by an individual under such
subsection, the person shall inform the individual of--
            (1) the reasons for the refusal to make the amendment;
            (2) any procedures for further review of the refusal; and
            (3) the individual's right to file with the person a
        concise statement setting forth the requested amendment and the
        individual's reasons for disagreeing with the refusal.
    (c) Statement of Disagreement.--If an individual has filed a
statement of disagreement with a person under subsection (b)(3), the
person, in any subsequent disclosure of the disputed portion of the
information--
            (1) shall include a notation that such individual has filed
        a statement of disagreement; and
            (2) may include a concise statement of the reasons for not
        making the requested amendment.
    (d) Rules Governing Agents.--The agent of a person described in
subsection (a) shall not be required to make amendments to individually
identifiable health information, except where--
            (1) the information is retained by the agent; and
            (2) the agent has been asked by such person to fulfill the
        requirements of this section.
    (e) Repeated Requests for Amendments.--If a person described in
subsection (a) receives a duplicative request for an amendment of
information as provided for in such subsection and a statement of
disagreement with respect to the request has been filed pursuant to
subsection (c), the person shall inform the individual of such filing
and shall not be required to carry out the procedures required under
this section.
    (f) Rule of Construction.--This section shall not be construed--
            (1) to require a person described in subsection (a) to
        conduct a formal, informal, or other hearing or proceeding
        concerning a request for an amendment to individually
        identifiable health information;
            (2) to require a person described in subsection (a) to make
        an amendment with which the person disagrees; or
            (3) to require the alteration of any arrangement, written
        agreement, or obligation with respect to the delivery of, or
        payment for, health care.

SEC. 203. NOTICE OF CONFIDENTIALITY PRACTICES.

    (a) Preparation of Written Notice.--A health care provider, health
plan, health oversight agency, public health authority, employer,
health or life insurer, health researcher, school, or university shall
post or provide, in writing and in a clear and conspicuous manner,
notice of the person's confidentiality practices, that shall include--
            (1) a description of an individual's rights with respect to
        individually identifiable health information;
            (2) the uses and disclosures of individually identifiable
        health information authorized under this Act;
            (3) the procedures established by the person for
        authorizing disclosures of individually identifiable health
        information and for revoking such authorizations;
            (4) the procedures established by the person for the
        exercise of the individual's rights; and
            (5) the procedures established by the person for providing
        copies of the notice.
    (b) Model Notice.--The Secretary, after notice and opportunity for
public comment, shall develop and disseminate model notices of
confidentiality practices, for use under this section. Use of the model
notice developed by the Secretary shall serve as a complete defense in
any civil action to an allegation that a violation of this section has
occurred.

                         TITLE III--ENFORCEMENT

SEC. 301. CRIMINAL PENALTIES.

    (a) Offense.--A person who knowingly and in violation of this Act
obtains individually identifiable health information, uses such
information, or discloses such information to another person, knowing
that such obtaining, use, or disclosure is unlawful, shall be punished
as provided in subsection (b).
    (b) Penalties.--A person described in subsection (a) shall--
            (1) be fined not more than $50,000, imprisoned not more
        than 1 year, or both;
            (2) if the offense is committed under false pretenses, be
        fined not more than $100,000, imprisoned not more than 5 years,
        or both; and
            (3) if the offense is committed with intent to sell,
        transfer, or use individually identifiable health information
        for commercial advantage, personal gain, or malicious harm, be
        fined not more than $250,000, imprisoned not more than 10
        years, or both.

SEC. 302. CIVIL ACTION.

    (a) In General.--Any individual whose rights under this Act have
been knowingly or negligently violated may bring a civil action to
recover such preliminary and equitable relief as the court determines
to be appropriate.
    (b) Attorney's Fees.--In the case of a civil action brought under
subsection (a) in which the plaintiff has substantially prevailed, the
court may assess against the respondent a reasonable attorney's fee and
other litigation costs and expenses (including expert fees) reasonably
incurred.
    (c) Limitation.--No action may be commenced under this subsection
by an individual more than 2 years after the date on which the
violation was, or should reasonably have been, discovered by the
individual.
    (d) No Liability for Permissible Disclosures.--A person who makes a
disclosure of individually identifiable health information about an
individual that is permitted under this Act shall not be liable to the
individual for such disclosure under common law.

SEC. 303. PROGRAM EXCLUSIONS.

    (a) Exclusion From Participation in Federal and State Health Care
Programs.--Section 1128(b) of the Social Security Act (42 U.S.C. 1320a-
7(b)) is amended by adding at the end the following:
            ``(16) Failure lawfully to treat individually identifiable
        health information.--Any individual or entity that the
        Secretary determines has failed substantially to comply with a
        provision of the Consumer Health and Research Technology
        (CHART) Protection Act.''.
    (b) Exclusion of Providers From Participation in Federal Employees
Health Benefits Program.--Section 8902a(b) of title 5, United States
Code, is amended by adding at the end the following:
            ``(6) Any provider that the Secretary of Health and Human
        Services has determined has failed substantially to comply with
        a provision of the Consumer Health and Research Technology
        (CHART) Protection Act.''.

                      TITLE IV--GENERAL PROVISIONS

SEC. 401. STANDARDS FOR ELECTRONIC DISCLOSURES.

    The National Committee on Vital and Health Statistics, in
consultation with the National Science Foundation, shall promulgate
standards for disclosing, authorizing the use and disclosure of, and
authenticating, individually identifiable health information in
electronic form, in a manner consistent with this Act.

SEC. 402. AUTHORIZED REPRESENTATIVES.

    (a) In General.--Except as provided in subsections (b) and (c), a
person who is authorized by law, or by an instrument recognized under
law, to act as an agent, attorney, proxy, or other legal representative
for an individual, otherwise to exercise the rights of the individual,
may, to the extent so authorized, exercise and discharge the rights of
the individual under this Act.
    (b) Health Care Power of Attorney.--A person who is not described
in subsection (a), but is authorized by law or by an instrument
recognized under law to make decisions about the provision of health
care to an individual who is incapacitated, may exercise and discharge
the rights of the individual under this Act, to the extent necessary to
effectuate the terms or purposes of the grant of authority.
    (c) No Court Declaration.--If a health care provider determines
that an individual, who has not been declared to be legally
incompetent, suffers from a medical condition that prevents the
individual from acting knowingly or effectively on the individual's own
behalf, the right of the individual to authorize disclosure under this
Act may be exercised and discharged in the best interest of the
individual by--
            (1) a person described in subsection (b) with respect to
        the individual;
            (2) a person described in subsection (a) with respect to
        the individual, but only if a person described in paragraph (1)
        cannot be contacted after a reasonable effort;
            (3) the next of kin of the individual, but only if a person
        described in paragraph (1) or (2) cannot be contacted after a
        reasonable effort; or
            (4) the health care provider, but only if a person
        described in paragraph (1), (2), or (3) cannot be contacted
        after a reasonable effort.
    (d) Application to Deceased Individuals.--The provisions of this
Act shall continue to apply to individually identifiable health
information concerning a deceased individual for a period of 2 years
following the death of that individual.
    (e) Exercise of Rights on Behalf of a Deceased Individual.--A
person who is authorized by law or by an instrument recognized under
law, to act as an executor of the estate of a deceased individual, or
otherwise to exercise the rights of the deceased individual, may, to
the extent so authorized, exercise and discharge the rights of such
deceased individual under this Act for a period of 2 years following
the death of that individual. If no such designee has been authorized,
the rights of the deceased individual may be exercised as provided for
in subsection (c).

SEC. 403. RELATIONSHIP TO OTHER LAWS.

    (a) In General.--
            (1) State law.--Except as provided in subsections (b)
        through (f), the provisions of this Act shall preempt any State
        law that directly relates to matters covered by this Act.
            (2) Federal law.--This Act shall not be construed as
        repealing, explicitly or implicitly, other Federal laws or
        regulations relating to individually identifiable health
        information or relating to an individual's access to health
        care services.
    (b) Privileges.--This Act does not preempt or modify State common
or statutory law to the extent such law concerns a privilege of a
witness or person in a court of the State. This Act does not supersede
or modify Federal common or statutory law to the extent such law
concerns a privilege of a witness or person in a court of the United
States. The execution of an authorization pursuant to section 103 may
not be construed as a waiver of any such privilege.
    (c) Certain Duties Under Law.--Nothing in this Act shall be
construed to preempt, supersede, or modify the operation of any State
law that--
            (1) provides for the reporting of vital statistics such as
        birth or death information;
            (2) requires the reporting of abuse, domestic violence, or
        neglect information about any individual;
            (3) regulates information concerning an individual's mental
        health or communicable disease status; or
            (4) governs a minor's rights to access individually
        identifiable health information or health care services.
    (d) Relationship to Clinical Research and Reports.--This Act shall
not apply to individually identifiable health information that is
created, received, maintained, used, disclosed, or transmitted by any
person in connection with--
            (1) any activity conducted pursuant to an investigational
        new drug exemption, or for which approval of an institutional
        review board is required by the Food and Drug Administration;
        or
            (2) any record required to be maintained or report required
        to be filed by the Food and Drug Administration.
    (e) Federal Privacy Act.--
            (1) Medical exemptions.--Section 552a of title 5, United
        States Code, is amended by adding at the end the following:
    ``(w) Medical Exemptions.--The head of an agency that is subject to
the Consumer Health and Research Technology (CHART) Protection Act
shall promulgate rules, in accordance with the requirements (including
general notice) of subsections (b)(1), (b)(2), (b)(3), (c), and (e) of
section 553 of this title, to exempt a system of records within the
agency, to the extent that the system of records contains individually
identifiable health information (as defined in section 406 of such
Act), from all provisions of this section except subsections (b)(6),
(d), (e)(1), (e)(2), subparagraphs (A) and (C) and (E) through (I) of
subsection (e)(4), and subsections (e)(5), (e)(6), (e)(9), (e)(12),
(l), (n), (o), (p), (r), and (u).''.
            (2) Technical amendment.--Section 552a(f)(3) of title 5,
        United States Code, is amended by striking ``pertaining to
        him,'' and all that follows through the semicolon and inserting
        ``pertaining to the individual;''.
    (f) Application to Certain Federal Agencies.--
            (1) Department of defense.--
                    (A) Exceptions.--The Secretary of Defense may, by
                regulation, establish exceptions to the requirements of
                this Act to the extent such Secretary determines that
                disclosure of individually identifiable health
                information relating to members of the Armed Forces
                from systems of records operated by the Department of
                Defense is necessary under circumstances different from
                those permitted under this Act for the proper conduct
                of national defense functions by members of the Armed
                Forces.
                    (B) Application to civilian employees.--The
                Secretary of Defense may, by regulation, establish for
                civilian employees of the Department of Defense and
                employees of Department of Defense contractors,
                limitations on the right of such persons to revoke or
                amend authorizations for disclosures under section 103
                when such authorizations were provided by such
                employees as a condition of employment and the
                disclosure is determined necessary by the Secretary of
                Defense to the proper conduct of national defense
                functions by such employees.
            (2) Department of transportation.--
                    (A) Exceptions.--The Secretary of Transportation
                may, with respect to members of the Coast Guard,
                exercise the same powers as the Secretary of Defense
                may exercise under paragraph (1)(A).
                    (B) Application to civilian employees.--The
                Secretary of Transportation may, with respect to
                civilian employees of the Coast Guard and Coast Guard
                contractors, exercise the same powers as the Secretary
                of Defense may exercise under paragraph (1)(B).
            (3) Department of veterans affairs.--The limitations on use
        and disclosure of individually identifiable health information
        under this Act shall not be construed to prevent any exchange
        of such information within and among components of the
        Department of Veterans Affairs that determine eligibility for
        or entitlement to, or that provide, benefits under laws
        administered by the Secretary of Veterans Affairs.

SEC. 404. REPORTS ANALYZING IMPACT OF ACT.

    (a) Efforts To Combat Fraud and Abuse.--Beginning not later than 12
months after the effective date in section 405(a), the Inspector
General of the Department of Health and Human Services shall submit to
the Committee on Ways and Means and the Committee on Government Reform
and Oversight of the House of Representatives and the Committee on
Commerce, Science, and Transportation and the Committee on Finance of
the Senate an annual report containing the results of an annual study.
The study shall analyze whether this Act has had an adverse effect on
efforts to combat fraud and abuse undertaken under title XVIII, XIX, or
XXI of the Social Security Act.
    (b) Health Research.--Beginning not later than 12 months after the
effective date in section 405(a), the Secretary, in consultation with
the National Research Council of the National Academy of Sciences and
the Institute of Medicine, shall submit to the Congress an annual
report containing the results of an annual study. The study shall
analyze the effect of this Act on the quality and efficacy of health
research.
    (c) Administrative Simplification.--Not later than 12 months after
the effective date in section 405(a), the Comptroller General of the
United States shall submit to the Congress a report containing the
results of a study. The study shall analyze the effect of this Act on
the implementation of subtitle F of title II of the Health Insurance
Portability and Accountability Act of 1996 and part C of title XI of
the Social Security Act.

SEC. 405. EFFECTIVE DATE.

    (a) In General.--Except as provided in subsection (b), this Act
shall take effect on the date that is 18 months after the date of the
enactment of this Act.
    (b) Provisions Effective Immediately.--A provision of this Act
shall take effect on the date of the enactment of this Act if the
provision authorizes or requires the Secretary of Defense, the
Secretary of Transportation, or the Secretary of Health and Human
Services to develop, establish, or promulgate regulations or model
notices.
    (c) Deadline for Regulations.--The Secretary shall promulgate
regulations implementing this Act not later than the date that is 12
months after the date of the enactment of this Act.

SEC. 406. DEFINITIONS.

    As used in this Act:
            (1) Employer.--The term ``employer'' has the meaning given
        such term under section 3(5) of the Employee Retirement Income
        Security Act of 1974 (29 U.S.C. 1002(5)), except that such term
        shall include only employers of two or more employees.
            (2) Health care.--The term ``health care'' means--
                    (A) preventive, diagnostic, therapeutic,
                rehabilitative, maintenance, or palliative care,
                including appropriate assistance with disease or
                symptom management and maintenance, counseling,
                service, or procedure--
                            (i) with respect to the physical or mental
                        condition of an individual; or
                            (ii) affecting the structure or function of
                        the human body or any part of the human body,
                        including the banking of blood, sperm, organs,
                        or any other tissue; and
                    (B) any sale or dispensing of a drug, device,
                equipment, or other health care related item to an
                individual, or for the use of an individual, pursuant
                to a prescription.
            (3) Health care provider.--The term ``health care
        provider'' means a person, who with respect to a specific item
        of individually identifiable health information, receives,
        creates, uses, maintains, or discloses the information while
        acting in whole or in part in the capacity of--
                    (A) a person who is licensed, certified,
                registered, or otherwise authorized by Federal or State
                law to provide an item or service that constitutes
                health care in the ordinary course of business, or
                practice of a profession;
                    (B) a Federal, State, employer-sponsored or other
                privately sponsored program that directly provides
                items or services that constitute health care to
                beneficiaries; or
                    (C) an officer or employee of a person described in
                subparagraph (A) or (B).
            (4) Health or life insurer.--The term ``health or life
        insurer'' means a health insurance issuer as defined in section
        9805(b)(2) of the Internal Revenue Code of 1986 or a life
        insurance company as defined in section 816 of such Code.
            (5) Health oversight agency.--The term ``health oversight
        agency'' means a person who, with respect to a specific item of
        individually identifiable health information, receives,
        creates, uses, maintains, or discloses the information while
        acting in whole or in part in the capacity of--
                    (A) a person who performs or oversees the
                performance of an assessment, evaluation,
                determination, or investigation, relating to the
                licensing, accreditation, or credentialing of health
                care providers; or
                    (B) a person who--
                            (i) performs or oversees the performance of
                        an audit, assessment, evaluation,
                        determination, or investigation relating to the
                        effectiveness of, compliance with, or
                        applicability of, legal, fiscal, medical, or
                        scientific standards or aspects of performance
                        related to the delivery of, or payment
                        activities related to, health care; and
                            (ii) is a public agency, acting on behalf
                        of a public agency, acting pursuant to a
                        requirement of a public agency, or carrying out
                        activities under a Federal or State law governing
                        the assessment, evaluation, determination,
                        investigation, or prosecution described in
                        subparagraph (A).
            (6) Health plan.--The term ``health plan'' means any health
        insurance plan, including any hospital or medical service plan,
        dental or other health service plan, health maintenance
        organization plan, plan offered by a provider-sponsored
        organization (as defined in section 1855(d) of the Social
        Security Act (42 U.S.C. 1395w-25(d))), or other program
        providing or arranging for the provision of health benefits,
        whether or not funded through the purchase of insurance.
            (7) Health researcher.--The term ``health researcher''
        means a person, or an officer, employee, or agent of a person,
        who receives individually identifiable health information as
        part of a research project that involves data with respect to
        human subjects.
            (8) Individually identifiable health information.--The term
        ``individually identifiable health information'' means any
        information, including demographic information, collected from
        an individual, whether oral or recorded in any form or medium,
        that--
                    (A) is created or received by a health care
                provider, health plan, health oversight agency, public
                health authority, employer, health or life insurer,
                school or university; and
                    (B)(i) relates to the past, present, or future
                physical or mental health or condition of an individual
                (including individual cells and their components), the
                provision of health care to an individual, or the past,
                present, or future payment activities related to the
                provision of health care to an individual; and
                    (ii)(I) identifies an individual;
                    (II) contains personal identifiers that provide a
                direct means of identifying the individual; or
                    (III) has been provided in an encrypted format that
                does not directly identify an individual, but that
                provides a method for decrypting the information.
            (9) Institutional review board.--The term ``institutional
        review board'' means an entity established to review proposed
        health research with respect to potential risks to human
        subjects pursuant to Federal regulations adopted under section
        1802(b) of the Public Health Service Act (42 U.S.C. 300v-1(b)).
            (10) Payment activities.--The term ``payment activities''--
                    (A) means activities undertaken--
                            (i) by, or on behalf of, a health plan to
                        determine its responsibility for coverage under
                        the plan; or
                            (ii) by a health care provider to obtain
                        payment for items or services provided to an
                        individual, provided under a health plan or
                        provided based on a determination by the health
                        plan of responsibility for coverage under the
                        plan; and
                    (B) includes the following activities, when
                performed in a manner consistent with subparagraph (A):
                            (i) Billing, claims management, medical
                        data processing, practice management, or other
                        administrative services and actual payment.
                            (ii) Determinations of coverage or
                        adjudication of health benefit claims and
                        subrogation claims.
                            (iii) Review of health care services with
                        respect to medical necessity, coverage under a
                        health plan, appropriateness of care, or
                        justification of charges.
            (11) Person.--The term ``person'' means a natural person, a
        government, governmental subdivision, agency or authority, a
        company, corporation, estate, firm, trust, partnership,
        association, joint venture, society, joint stock company, or
        any other legal entity.
            (12) Public health authority.--The term ``public health
        authority'' means an authority or instrumentality of the United
        States, a tribal government, a State, or a political
        subdivision of a State that is--
                    (A) primarily responsible for public health
                matters; and
                    (B) primarily engaged in activities such as injury
                reporting, public health surveillance, and public
                health investigation or intervention.
            (13) Quality assurance activities.--The term ``quality
        assurance activities'' means a formal methodology and set of
        activities designed to assess the quality of health care
        services provided to an individual. The term includes formal
        review of care, problem identification, corrective actions
        taken to remedy any deficiencies, and evaluation of actions
        taken. The term also includes activities undertaken by a
        quality control and peer review organization (as defined in
        section 1152 of the Social Security Act (42 U.S.C. 1320c-1)).
            (14) School or university.--The term ``school or
        university'' means an institution or place accredited or
        licensed for purposes of providing instruction or education,
        including an elementary school, secondary school, or
        institution of higher learning, a college, or an assemblage of
        colleges united under one corporate organization or government.
            (15) Secretary.--The term ``Secretary'' means the Secretary
        of Health and Human Services.
            (16) State.--The term ``State'' includes the District of
        Columbia, Puerto Rico, the Virgin Islands, Guam, American
        Samoa, and the Northern Mariana Islands.
            (17) Writing.--The term ``writing'' means writing in either
        a paper-based or computer-based form, including electronic
        signatures.
