Patient Protection Act of 1998 (Engrossed in House)
TITLE V--CONFIDENTIALITY OF HEALTH INFORMATION
(a) IN GENERAL- Title XI of the Social Security Act (42 U.S.C. 1301 et seq.) is amended by adding at the end the following:
SEC. 1181. (a) IN GENERAL- Subject to the succeeding provisions of this section, upon the request of an individual who is the subject of protected health information, a person who is a health care provider, health plan, employer, health or life insurer, or educational institution shall make available to the individual (or, in the discretion of the person, to a health care provider designated by the individual), for inspection and copying, protected health information concerning the individual that the person maintains, including records created under section 1182.
(b) ACCESS THROUGH ORIGINATING PROVIDER- Protected health information that is created by an originating provider, and subsequently received by another health care provider or a health plan as part of treatment or payment activities, shall be made available for inspection and copying as provided in this section through the originating provider, rather than the receiving health care provider or health plan, unless the originating provider does not maintain the information.
(c) INVESTIGATIONAL INFORMATION- With respect to protected health information that was created as part of the requesting individual's participation in a clinical trial monitored by an institutional review board established to review health research with respect to potential risks to human subjects pursuant to Federal regulations adopted under section 1802(b) of the Public Health Service Act (42 U.S.C. 300v-1(b)) and the notice (informally referred to as the `Common Rule') promulgated in the Federal Register at 56 Fed. Reg. 28003), a request under subsection (a) shall be granted only to the extent and in a manner consistent with such regulations.
(d) OTHER EXCEPTIONS- Unless ordered by a court of competent jurisdiction, a person to whom a request under subsection (a) is made is not required to grant the request, if--
(1) the person determines that the disclosure of the information could reasonably be expected to endanger the life or physical safety of, or cause substantial harm to, any individual; or
(2) the information is compiled principally--
(A) in anticipation of a civil, criminal, or administrative action or proceeding; or
(B) for use in such action or proceeding.
(e) DENIAL OF REQUEST FOR INSPECTION OR COPYING- If a person to whom a request under subsection (a) is made denies a request for inspection or copying pursuant to this section, the person shall inform the individual making the request, in writing, of--
(1) the reasons for the denial of the request;
(2) the availability of procedures for further review of the denial; and
(3) the individual's right to file with the person a concise statement setting forth the request.
(f) STATEMENT REGARDING REQUEST- If an individual has filed with a person a statement under subsection (e)(3) with respect to protected health information, the person, in any subsequent disclosure of the information--
(1) shall include a notation concerning the individual's statement; and
(2) may include a concise statement of the reasons for denying the request for inspection or copying.
(g) PROCEDURES- A person providing access to protected health information for inspection or copying under this section may set forth appropriate procedures to be followed for such inspection or copying and may require an individual to pay reasonable costs associated with such inspection or copying.
(h) INSPECTION AND COPYING OF SEGREGABLE PORTION- A person to whom a request under subsection (a) is made shall permit the inspection and copying of any reasonably segregable portion of a record after deletion of any portion that the person is not required to disclose under this section.
(i) DEADLINE- A person described in subsection (a) shall comply with or deny, in accordance with this section, a request for inspection or copying of protected health information under this section not later than 30 days after the date on which the person receives the request.
(j) RULES GOVERNING AGENTS- An agent of a person described in subsection (a) shall not be required to provide for the inspection and copying of protected health information, except where--
(1) the protected health information is retained by the agent; and
(2) the agent has been asked by the person to fulfill the requirements of this section.
SEC. 1182. (a) IN GENERAL- Subject to subsection (b), not later than 45 days after the date on which a person who is a health care provider, health plan, employer, health or life insurer, or educational institution receives, from an individual who is a subject of protected health information that is maintained by the person, a request in writing to amend the information by adding a concise written supplement to it, the person--
(1) shall make the amendment requested;
(2) shall inform the individual of the amendment that has been made; and
(3) shall make reasonable efforts to inform any person who is identified by the individual, who is not an officer, employer, or agent of the person receiving the request, and to whom the unamended portion of the information was disclosed during the preceding year, by sending a notice to the person's last known address that an amendment, consisting of the addition of a supplement, has been made to the protected health information of the individual.
(b) REFUSAL TO AMEND- If a person described in subsection (a) refuses to make an amendment requested by an individual under such subsection, the person shall inform the individual, in writing, of--
(1) the reasons for the refusal to make the amendment;
(2) any procedures for further review of the refusal; and
(3) the individual's right to file with the person a concise statement setting forth the requested amendment and the individual's reasons for disagreeing with the refusal.
(c) STATEMENT OF DISAGREEMENT- If an individual has filed a statement of disagreement with a person under subsection (b)(3), the person, in any subsequent disclosure of the disputed portion of the information--
(1) shall include a notation that such individual has filed a statement of disagreement; and
(2) may include a concise statement of the reasons for not making the requested amendment.
(d) RULES GOVERNING AGENTS- The agent of a person described in subsection (a) shall not be required to make amendments to individually identifiable health information, except where--
(1) the information is retained by the agent; and
(2) the agent has been asked by such person to fulfill the requirements of this section.
(e) DUPLICATIVE REQUESTS FOR AMENDMENTS- If a person described in subsection (a) receives a duplicative request for an amendment of information as provided for in such subsection and a statement of disagreement with respect to the request has been filed pursuant to subsection (c), the person shall inform the individual of such filing and shall not be required to carry out the procedures under this section.
(f) RULE OF CONSTRUCTION- This section shall not be construed--
(1) to permit an individual to modify statements in his or her record that document the factual observations of another individual or state the results of diagnostic tests; or
(2) to permit an individual to amend his or her record as to the type, duration, or quality of treatment the individual believes he or she should have been provided.
SEC. 1183. (a) PREPARATION OF WRITTEN NOTICE- A person who is a health care provider, health plan, health oversight agency, public health authority, employer, health or life insurer, health researcher, or educational institution shall post or provide, in writing and in a clear and conspicuous manner, notice of the person's protected health information confidentiality practices. The notice shall include--
(1) a description of an individual's rights with respect to protected health information;
(2) the intended uses and disclosures of protected health information;
(3) the procedures established by the person for the exercise of an individual's rights with respect to protected health information; and
(4) the procedures established by the person for obtaining copies of the notice.
(b) MODEL NOTICE- The Secretary, after notice and opportunity for public comment, and based on the advice of the National Committee on Vital and Health Statistics established under section 306(k) of the Public Health Service Act (42 U.S.C. 242k(k)), shall develop and disseminate, not later than 6 months after the date of the enactment of the Patient Protection Act of 1998, model notices of confidentiality practices, for use under this section. Use of a model notice developed by the Secretary shall serve as a complete defense in any civil action to an allegation that a violation of this section has occurred.
SEC. 1184. (a) IN GENERAL- A person who is a health care provider, health plan, health oversight agency, public health authority, employer, health or life insurer, health researcher, or educational institution shall establish, maintain, and enforce reasonable and appropriate administrative, technical, and physical safeguards to protect the confidentiality, security, accuracy, and integrity of protected health information created, received, obtained, maintained, used, transmitted, or disposed of by the person.
(b) FACTORS TO BE CONSIDERED- A person subject to subsection (a) shall consider the following factors in establishing safeguards under such subsection:
(1) The need for protected health information.
(2) The categories of personnel who will have access to protected health information.
(3) The feasibility of limiting access to individual identifiers.
(4) The appropriateness of the policy or procedure to the person, and to the medium in which protected health information is stored and transmitted.
(5) The value of audit trails in computerized records.
(c) RELATIONSHIP TO PART C REQUIREMENT- Any safeguard established under this section shall be consistent with the requirement in section 1173(d)(2).
(d) CONVERSION TO NONIDENTIFIABLE HEALTH INFORMATION- A person subject to subsection (a) shall, to the extent practicable and consistent with the purpose for which protected health information is maintained, convert such information into nonidentifiable health information.
SEC. 1185. (a) DISCLOSURE- Any person who maintains protected health information may disclose the information to a health care provider or a health plan for the purpose of permitting the provider or plan to conduct health care operations.
(b) USE- A health care provider or a health plan that maintains protected health information may use it for the purposes described in subsection (a).
(c) LIMITATION ON SALE OR BARTER- Notwithstanding subsection (b), no health care provider or health plan may, as part of conducting health care operations, sell or barter protected health information.
SEC. 1186. (a) STATE LAW-
(1) IN GENERAL- Except as provided in paragraphs (2) and (3), the provisions of this part shall preempt a provision of State law to the extent that such provision--
(A) otherwise would be preempted as inconsistent with this part under article VI of the Constitution of the United States;
(B) relates to authorization for the use or disclosure of--
(i) protected health information for health care operations; or
(ii) nonidentifiable health information; or
(C) relates to any of the following:
(i) Inspection or copying of protected health information by a person who is a subject of the information.
(ii) Amendment of protected health information by a person who is a subject of the information.
(iii) Notice of confidentiality practices with respect to protected health information.
(iv) Establishment of safeguards for protected health information.
(2) EXCEPTIONS- Nothing in this part shall be construed to preempt or modify a provision of State law to the extent that such provision relates to protected health information and--
(A) the confidentiality of the records maintained by a licensed mental health professional;
(B) the provision of health care to a minor, or the disclosure of information about a minor to a parent or guardian of the minor;
(C) condition-specific limitations on disclosure;
(D) the use or disclosure of information for use in legally authorized--
(i) disease or injury reporting;
(ii) public health surveillance, investigation, or intervention;
(iii) vital statistics reporting, such as reporting of birth or death information;
(iv) reporting of abuse or neglect information;
(v) reporting of information concerning a communicable disease status; or
(vi) reporting concerning the safety or effectiveness of a biological product regulated under section 351 of the Public Health Service Act (42 U.S.C. 262) or a drug or device regulated under the Federal Food, Drug, and Cosmetic Act (21 U.S.C. 301 et seq.);
(E) the disclosure to a person by a health care provider of information about an individual, in any case in which the provider has determined--
(i) in the provider's reasonable medical judgment, that the individual is unconscious, incompetent, or otherwise incapable of deciding whether to authorize disclosure of the protected health information; and
(ii) in the provider's reasonable judgment, that the person is a spouse, relative, guardian, or close friend of the individual's; or
(F) the use of information by, or the disclosure of information to, a person holding a valid and applicable power of attorney that includes the authority to make health care decisions on behalf of an individual who is a subject of the information.
(3) PRIVILEGES- Nothing in this part shall be construed to preempt or modify a provision of State law to the extent that such provision relates to a privilege of a witness or other person in a court of that State.
(b) FEDERAL LAW- Nothing in this part shall be construed to preempt, modify, or repeal a provision of any other Federal law relating to protected health information or relating to an individual's access to protected health information or health care services. Nothing in this part shall be construed to preempt, modify, or repeal a provision of Federal law to the extent that such provision relates to a privilege of a witness or other person in a court of the United States.
SEC. 1187. (a) VIOLATION- A person who the Secretary determines has substantially and materially failed to comply with this part shall be subject, in addition to any other penalties that may be prescribed by law--
(1) in a case in which the violation relates to section 1181 or 1182, to a civil penalty of not more than $500 for each such violation but not to exceed $5,000 in the aggregate for all violations of an identical requirement or prohibition during a calendar year;
(2) in the case in which the violation relates to section 1183 or 1184, to a civil penalty of not more than $10,000 for each such violation, but not to exceed $50,000 in the aggregate for all violations of an identical requirement or prohibition during a calendar year; or
(3) in a case in which the Secretary finds that such violations have occurred with such frequency as to constitute a general business practice, to a civil penalty of not more than $100,000.
(b) PROCEDURES FOR IMPOSITION OF PENALTIES- Section 1128A, other than subsections (a) and (b) and the second sentence of subsection (f) of that section, shall apply to the imposition of a civil or monetary penalty under this section in the same manner as such provisions apply with respect to the imposition of a penalty under section 1128A.
SEC. 1188. As used in this part:
(1) AGENT- The term `agent' means a person, including a contractor, who represents and acts for another under the contract or relation of agency, or whose function is to bring about, modify, affect, accept performance of, or terminate contractual obligations between the principal and a third person.
(2) CONDITION-SPECIFIC LIMITATIONS ON DISCLOSURE- The term `condition-specific limitations on disclosure' means State laws that prohibit the disclosure of protected health information relating to a health condition or disease that has been identified by the Secretary as posing a public health threat.
(3) DISCLOSE- The term `disclose' means to release, transfer, provide access to, or otherwise divulge protected health information to any person other than an individual who is the subject of such information.
(4) EDUCATIONAL INSTITUTION- The term `educational institution' means an institution or place accredited or licensed for purposes of providing for instruction or education, including an elementary school, secondary school, or institution of higher learning, a college, or an assemblage of colleges united under one corporate organization or government.
(5) EMPLOYER- The term `employer' has the meaning given such term under section 3(5) of the Employee Retirement Income Security Act of 1974 (29 U.S.C. 1002(5)), except that such term shall include only employers of two or more employees.
(6) HEALTH CARE- The term `health care' means--
(A) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, including appropriate assistance with disease or symptom management and maintenance, counseling, service, or procedure--
(i) with respect to the physical or mental condition of an individual; or
(ii) affecting the structure or function of the human body or any part of the human body, including the banking of blood, sperm, organs, or any other tissue; or
(B) any sale or dispensing, pursuant to a prescription or medical order, of a drug, device, equipment, or other health care-related item to an individual, or for the use of an individual.
(7) HEALTH CARE OPERATIONS- The term `health care operations' means services, provided directly by or on behalf of a health plan or health care provider or by its agent, for any of the following purposes:
(A) Coordinating health care, including health care management of the individual through risk assessment, case management, and disease management.
(B) Conducting quality assessment and improvement activities, including outcomes evaluation, clinical guideline development and improvement, and health promotion.
(C) Carrying out utilization review activities, including precertification and preauthorization of services, and health plan rating activities, including underwriting and experience rating.
(D) Conducting or arranging for auditing services.
(8) HEALTH CARE PROVIDER- The term `health care provider' means a person, who with respect to a specific item of protected health information, receives, creates, uses, maintains, or discloses the information while acting in whole or in part in the capacity of--
(A) a person who is licensed, certified, registered, or otherwise authorized by Federal or State law to provide an item or service that constitutes health care in the ordinary course of business, or practice of a profession;
(B) a Federal, State, or employer-sponsored or any other privately-sponsored program that directly provides items or services that constitute health care to beneficiaries; or
(C) an officer or employee of a person described in subparagraph (A) or (B).
(9) HEALTH OR LIFE INSURER- The term `health or life insurer' means a health insurance issuer, as defined in section 9832(b)(2) of the Internal Revenue Code of 1986, or a life insurance company, as defined in section 816 of such Code.
(10) HEALTH PLAN- The term `health plan' means any health insurance plan, including any hospital or medical service plan, dental or other health service plan, health maintenance organization plan, plan offered by a provider-sponsored organization (as defined in section 1855(d)), or other program providing or arranging for the provision of health benefits.
(11) HEALTH RESEARCHER- The term `health researcher' means a person (or an officer, employee, or agent of a person) who is engaged in systematic investigation, including research development, testing, data analysis, and evaluation, designed to develop or contribute to generalizable knowledge relating to basic biomedical processes, health, health care, health care delivery, or health care cost.
(12) NONIDENTIFIABLE HEALTH INFORMATION- The term `nonidentifiable health information' means protected health information from which personal identifiers that reveal the identity of the individual who is the subject of such information or provide a direct means of identifying the individual (such as name, address, and social security number) have been removed, encrypted, or replaced with a code, such that the identity of the individual is not evident without (in the case of encrypted or coded information) use of a key.
(13) ORIGINATING PROVIDER- The term `originating provider', when used with respect to protected health information, means the health care provider who takes an action that initiates the treatment episode to which that information relates, such as prescribing a drug, ordering a diagnostic test, or admitting an individual to a health care facility. A hospital or nursing facility is the originating provider with respect to protected health information created or received as part of inpatient or outpatient treatment provided in the hospital or facility.
(14) PAYMENT ACTIVITIES- The term `payment activities' means--
(A) activities undertaken--
(i) by, or on behalf of, a health plan to determine its responsibility for coverage under the plan; or
(ii) by a health care provider to obtain payment for items or services provided to an individual, provided under a health plan, or provided based on a determination by the health plan of responsibility for coverage under the plan; and
(B) includes the following activities, when performed in a manner consistent with subparagraph (A):
(i) Billing, claims management, medical data processing, other administrative services, and actual payment.
(ii) Determinations of coverage or adjudication of health benefit or subrogation claims.
(iii) Review of health care services with respect to coverage under a health plan or justification of charges.
(15) PERSON- The term `person' means--
(A) a natural person;
(B) a government or governmental subdivision, agency, or authority;
(C) a company, corporation, estate, firm, trust, partnership, association, joint venture, society, or joint stock company; or
(D) any other legal entity.
(16) PROTECTED HEALTH INFORMATION- The term `protected health information', when used with respect to an individual who is a subject of information means any information (including genetic information) that identifies the individual, whether oral or recorded in any form or medium, and that--
(A) is created or received by a health care provider, health plan, health oversight agency, public health authority, employer, health or life insurer, or educational institution;
(B) relates to the past, present, or future physical or mental health or condition of an individual (including individual cells and their components);
(C) is derived from--
(i) the provision of health care to an individual; or
(ii) payment for the provision of health care to an individual; and
(D) is not nonidentifiable health information.
(17) STATE- The term `State' includes the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana Islands.
(18) TREATMENT- The term `treatment' means the provision of health care by a health care provider.
(19) WRITING- The term `writing' means writing either in a paper-based, computer-based, or electronic form, including electronic signatures.'.
(b) ENFORCEMENT OF PROVISIONS THROUGH CONDITIONS ON PARTICIPATION-
(1) PARTICIPATING PHYSICIANS AND SUPPLIERS- Section 1842(h) of the Social Security Act (42 U.S.C. 1395u(h)) is amended by adding at the end the following:
(9) The Secretary may refuse to enter into an agreement with a physician or supplier under this subsection, or may terminate or refuse to renew such agreement, in the event that such physician or supplier has been found to have violated a provision of part D of title XI.'.
(2) MEDICARE+CHOICE ORGANIZATIONS- Section 1852(h) of the Social Security Act (42 U.S.C. 1395w-22(h)) is amended--
(A) in the matter preceding paragraph (1), by striking `procedures--' and inserting `procedures, consistent with sections 1181 through 1185--'; and
(B) in paragraph (1), by striking `privacy of any individually identifiable enrollee information;' and inserting `confidentiality of protected health information concerning enrollees;'.
(3) MEDICARE PROVIDERS- Section 1866(a)(1) of the Social Security Act (42 U.S.C. 1395cc(a)(1)) is amended--
(A) by inserting a semicolon at the end of subparagraph (R);
(B) by striking the period at the end of subparagraph (S) and inserting `; and'; and
(C) by inserting immediately after subparagraph (S) the following new subparagraph:
(T) to comply with sections 1181 through 1184.'.
(4) HEALTH MAINTENANCE ORGANIZATIONS WITH RISK-SHARING CONTRACTS- Section 1876(k)(4) of the Social Security Act (42 U.S.C. 1395mm(k)(4)) of the Social Security Act is amended by adding at the end the following:
(E) The confidentiality and accuracy procedure requirements under section 1852(h).'.
(c) CONFORMING AMENDMENTS-
(1) TITLE HEADING- Title XI of the Social Security Act (42 U.S.C. 1301 et seq.) is amended by striking the title heading and inserting the following:
(2) NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS- Section 306(k)(5) of the Public Health Service Act (42 U.S.C. 242(k)(5)) is amended--
(A) in subparagraphs (A)(viii) and (D), by striking `part C' and inserting `parts C and D';
(B) in subparagraph (C), by striking `and' at the end;
(C) in subparagraph (D), by striking the period at the end and inserting `; and'; and
(D) by adding at the end the following:
(E) shall study the issues relating to section 1184 of the Social Security Act (as added by the Patient Protection Act of 1998), and, not later than 1 year after the date of the enactment of the Patient Protection Act of 1998, shall report to the Congress on such section.'.
(d) EFFECTIVE DATE- The amendments made by this section shall take effect on the date that is 1 year after the date of the enactment of this Act, except that subsection (c)(2), and section 1183(b) of the Social Security Act (as added by subsection (a)), shall take effect on the date of the enactment of this Act.
Not later than 1 year after the date of the enactment of this Act, the Comptroller General of the United States shall prepare and submit to the Congress a report containing the results of a study on the effect of State laws on health-related research subject to review by an institutional review board or institutional review committee with respect to the protection of human subjects.
(a) IN GENERAL- Not later than 9 months after the date of the enactment of this Act, the Comptroller General of the United States shall prepare and submit to the Congress a report containing the results of a study--
(1) compiling State laws on the confidentiality of protected health information (as defined in section 1188 of the Social Security Act, as added by section 5001 of this Act); and
(2) analyzing the effect of such laws on the provision of health care and securing payment for such care.
(b) MODIFICATION OF DEADLINE- Section 264(c)(1) of the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191; 110 Stat. 2033) is amended by striking `36 months after the date of the enactment of this Act,' and inserting `6 months after the date on which the Comptroller General of the United States submits to the Congress a report under section 5003(a) of the Patient Protection Act of 1998,'.
(a) PROTECTION OF CERTAIN INFORMATION- Notwithstanding any other provision of Federal or State law, health care response information shall be exempt from any disclosure requirement (regardless of whether the requirement relates to subpoenas, discovery, introduction of evidence, testimony, or any other form of disclosure), in connection with a civil or administrative proceeding under Federal or State law, to the same extent as information developed by a health care provider with respect to any of the following:
(1) Peer review.
(2) Utilization review.
(3) Quality management or improvement.
(4) Quality control.
(5) Risk management.
(6) Internal review for purposes of reducing mortality, morbidity, or for improving patient care or safety.
(b) NO WAIVER OF PROTECTION THROUGH INTERACTION WITH ACCREDITING BODY- Notwithstanding any other provision of Federal or State law, the protection of health care response information from disclosure provided under subsection (a) shall not be deemed to be modified or in any way waived by--
(1) the development of such information in connection with a request or requirement of an accrediting body; or
(2) the transfer of such information to an accrediting body.
(c) DEFINITIONS- For purposes of this section:
(1) The term `accrediting body' means a national, not-for-profit organization that--
(A) accredits health care providers; and
(B) is recognized as an accrediting body by statute or by a Federal or State agency that regulates health care providers.
(2) The term `health care provider' has the meaning given such term in section 1188 of the Social Security Act (as added by section 5001 of this Act).
(3) The term `health care response information' means information (including any data, report, record, memorandum, analysis, statement, or other communication) developed by, or on behalf of, a health care provider in response to a serious, adverse, patient-related event--
(A) during the course of analyzing or studying the event and its causes; and
(B) for purposes of--
(i) reducing mortality or morbidity; or
(ii) improving patient care or safety (including the provider's notification to an accrediting body and the provider's plans of action in response to such event).
(5) The term `State' has the meaning given such term in section 1188 of the Social Security Act (as added by section 5001 of this Act).
Section 1174 of the Social Security Act (42 U.S.C. 1320d-3) is amended by adding at the end the following:
(c) UNIQUE HEALTH IDENTIFIERS- Notwithstanding subsections (a) and (b), the Secretary may not promulgate or adopt a final standard under section 1173(b) providing for a unique health identifier for an individual (except in an individual's capacity as an employer or a health care provider), until legislation is enacted specifically approving the standard or containing provisions consistent with the standard.'.
Passed the House of Representatives July 24, 1998.
Attest:
Clerk.