S 1360 IS

104th CONGRESS
1st Session

To ensure personal privacy with respect to medical records and health care-related information, and for other purposes.

IN THE SENATE OF THE UNITED STATES

October 24, 1995

Mr. BENNETT (for himself, Mr. DOLE, Mr. LEAHY, Mrs. KASSEBAUM, Mr. KENNEDY, Mr. FRIST, Mr. SIMON, Mr. HATCH, Mr. GREGG, Mr. STEVENS, Mr. JEFFORDS, Mr. KOHL, Mr. DASCHLE, and Mr. FEINGOLD) introduced the following bill; which was read twice and referred to the Committee on Labor and Human Resources

A BILL

To ensure personal privacy with respect to medical records and health care-related information, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

(a) SHORT TITLE- This Act may be cited as the `Medical Records Confidentiality Act of 1995'.

(b) TABLE OF CONTENTS- The table of contents for this Act is as follows:

Sec. 1. Short title; table of contents.
Sec. 2. Purpose.
Sec. 3. Definitions.

TITLE I--INDIVIDUAL'S RIGHTS

SUBTITLE A--REVIEW OF PROTECTED HEALTH INFORMATION BY SUBJECTS OF THE INFORMATION

Sec. 101. Inspection and copying of protected health information.
Sec. 102. Correction or amendment of protected health information.
Sec. 103. Notice of information practices.

SUBTITLE B--ESTABLISHMENT OF SAFEGUARDS

Sec. 111. Establishment of safeguards.
Sec. 112. Accounting for disclosures.

TITLE II--RESTRICTIONS ON USE AND DISCLOSURE

Sec. 201. General rules regarding use and disclosure.
Sec. 202. Authorizations for disclosure of protected health information for treatment or payment.
Sec. 203. Authorizations for disclosure of protected health information, other than for treatment or payment.
Sec. 204. Health information services.
Sec. 205. Next of kin and directory information.
Sec. 206. Emergency circumstances.
Sec. 207. Oversight.
Sec. 208. Public health.
Sec. 209. Health research.
Sec. 210. Judicial and administrative purposes.
Sec. 211. Non-law enforcement subpoenas.
Sec. 212. Law enforcement.
Sec. 213. Standards for electronic disclosures.

TITLE III--SANCTIONS

SUBTITLE A--CIVIL SANCTIONS

Sec. 301. Civil penalty.
Sec. 302. Civil action.

SUBTITLE B--CRIMINAL SANCTIONS

Sec. 311. Wrongful disclosure of protected health information.

TITLE IV--MISCELLANEOUS

Sec. 401. Relationship to other laws.
Sec. 402. No liability for permissible disclosures.
Sec. 403. Effective date.

SEC. 2. PURPOSE. The purpose of this Act is to-- (1) establish strong and effective mechanisms to protect the privacy of persons with respect to personally identifiable health care information that is created or maintained as part of health treatment, diagnosis, enrollment, payment, testing, or research processes; (2) promote the efficiency and security of the health information infrastructure so that members of the health care community may more effectively exchange and transfer health information in a manner that will ensure the confidentiality of personally identifiable health information; and (3) establish strong and effective remedies for violations of this Act.

SEC. 3. DEFINITIONS. As used in this Act: (1) CERTIFIED HEALTH INFORMATION SERVICE- The term `certified health information service' means a health information service that receives personally identifiable health information for the purpose of creating nonidentifiable health information and has been certified by the Secretary pursuant to section 204(b). (2) CERTIFIED INSTITUTIONAL REVIEW BOARD- The term `certified institutional review board' means an institutional review board that has been certified by the Secretary pursuant to section 209(d). (3) DISCLOSE- The term `disclose' means to release, transfer, or otherwise divulge protected health information to any person other than the individual who is the subject of such information.
(4) HEALTH CARE- The term `health care' means-- (A)(i) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, counseling, service, or procedure-- (I) with respect to the physical or mental condition of an individual; or (II) affecting the structure or function of the human body or any part of the human body; or (ii) any sale or dispensing of a drug, device, equipment, or other item to an individual, or for the use of an individual, pursuant to a prescription. (5) HEALTH CARE PROVIDER- The term `health care provider' means a person who, with respect to a specific item of protected health information, receives, creates, uses, maintains, or discloses the information while acting in whole or in part in the capacity of-- (A) a person who is licensed, certified, registered, or otherwise authorized by law to provide an item or service that constitutes health care, in the ordinary course of business or practice of a profession; (B) a Federal or State program that directly provides items or services that constitute health care to beneficiaries; or (C) an officer or employee of a person described in subparagraph (A) or (B). (6) HEALTH INFORMATION SERVICE- The term `health information service' means a person that-- (A) uses protected health information to provide services to health information trustees for purposes authorized under the Act; (B) facilitates the transfer and exchange of protected health information between health information trustees; (C) processes protected health information into standard format for transfer and exchanges between health information trustees; (D) facilitates authorized access to protected health information; or (E) transforms protected health information into nonidentifiable health information. 
(7) Health information trustee- (A) IN GENERAL- The term `health information trustee' means-- (i) a health care provider, health plan, health oversight agency, health researcher, public health authority, employer, insurer, school or university, or health information service insofar as it creates, receives, obtains, maintains, uses, or transmits protected health information; (ii) any person who obtains protected health information under sections 206, 207, 208, 209, 210, 211, or 212; or (iii) any employee, agent, or contractor of a person covered under clause (i) or (ii) insofar as such employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information. (B) DUTIES AND RESPONSIBILITIES- The duties and responsibilities of a health information trustee shall be negotiated between the trustee and any agent or contractor of the trustee. (8) HEALTH OVERSIGHT AGENCY- The term `health oversight agency' means a person who-- (A) performs or oversees the performance of an assessment, evaluation, determination, or investigation relating to the licensing, accreditation, or certification of health care providers; or (B)(i) performs or oversees the performance of an assessment, evaluation, determination, investigation, or prosecution relating to compliance with legal, fiscal, medical, or scientific standards relating to-- (I) the delivery of or payment for, health care, health services or equipment, or health research; or (II) health care fraud or fraudulent claims regarding health care, health services or equipment, or related activities and items; and (ii) is a public agency, acting on behalf of a public agency, acting pursuant to a requirement of a public agency, or carrying out activities under a Federal or State law governing the assessment, evaluation, determination, investigation, or prosecution described in clause (i). 
(9) HEALTH PLAN- The term `health plan' means any health insurance plan, including any hospital or medical service plan, dental or other health service plan or health maintenance organization plan, or other program providing health benefits, whether or not funded through the purchase of insurance. (10) HEALTH RESEARCHER- The term `health researcher' means a person who, with respect to a specific item of protected health information, receives the information-- (A) pursuant to section 209 (relating to health research); or (B) while acting in whole or in part in the capacity of an officer or employee of a person described in subparagraph (A). (11) INDIVIDUAL REPRESENTATIVE- The term `individual representative' means any individual legally empowered to make decisions concerning the provision of health care to an individual (where the individual lacks the legal capacity under State law to make such decisions) or the administrator or executor of the estate of a deceased individual. (12) LAW ENFORCEMENT INQUIRY- The term `law enforcement inquiry' means a lawful investigation or official proceeding inquiring into a violation of, or failure to comply with, any criminal or civil statute or any regulation, rule, or order issued pursuant to such a statute. (13) PERSON- The term `person' means a government, governmental subdivision, agency or authority; corporation; company; association; firm; partnership; society; estate; trust; joint venture; individual; individual representative; and any other legal entity. 
(14) PROTECTED HEALTH INFORMATION- The term `protected health information' means any information, including demographic information collected from an individual, whether oral or recorded in any form or medium, that-- (A) is created or received by a health information trustee; and (B)(i) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and (ii)(I) identifies an individual; or (II) with respect to which there is a reasonable basis to believe that the information can be used to identify an individual. (15) PUBLIC HEALTH AUTHORITY- The term `public health authority' means an authority or instrumentality of the United States, a State, or a political subdivision of a State that is-- (A) responsible for public health matters; and (B) engaged in such activities as injury reporting, public health, surveillance, and public health investigation or intervention. (16) SECRETARY- The term `Secretary' means the Secretary of Health and Human Services. (17) STATE- The term `State' includes the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana Islands. (18) WRITING- The term `writing' means writing in either a paper-based or computer-based form, including electronic signatures. TITLE I--INDIVIDUAL'S RIGHTS SUBTITLE A--REVIEW OF PROTECTED HEALTH INFORMATION BY SUBJECTS OF THE INFORMATION SEC. 101. INSPECTION AND COPYING OF PROTECTED HEALTH INFORMATION. (a) IN GENERAL- Except as provided in subsection (b), a health information trustee shall permit an individual who is the subject of protected health information or the individual's designee, to inspect and copy protected health information concerning the individual, including records created under section 102 that the trustee maintains. 
A health information trustee may require an individual to reimburse the trustee for the cost of such inspection and copying. (b) EXCEPTIONS- A health information trustee is not required by this section to permit inspection or copying of protected health information if any of the following conditions are met: (1) ENDANGERMENT TO LIFE OR SAFETY- The trustee determines that disclosure of the information could reasonably be expected to endanger the life or physical safety of any individual. (2) CONFIDENTIAL SOURCE- The information identifies or could reasonably lead to the identification of a person who provided information under a promise of confidentiality to a health care provider concerning the individual who is the subject of the information. (3) ADMINISTRATIVE PURPOSES- The information-- (A) is used by the trustee solely for administrative purposes and not in the provision of health care or the administration of benefits to the individual who is the subject of the information; and (B) has not been disclosed by the health information trustee to any other person. (c) INSPECTION AND COPYING OF SEGREGABLE PORTION- A health information trustee shall permit inspection and copying under subsection (a) of any reasonably segregable portion of a record after deletion of any portion that is exempt under subsection (b). (d) DEADLINE- A health information trustee shall comply with or deny (with a statement of the reasons for such denial) a request for inspection or copying of protected health information under this section within the 30-day period beginning on the date on which the trustee receives the request. SEC. 102. CORRECTION OR AMENDMENT OF PROTECTED HEALTH INFORMATION. 
(a) IN GENERAL- A health information trustee shall within the 45-day period beginning on the date on which the trustee receives from an individual a written request to correct or amend information-- (1) make the correction or amendment requested; (2) inform the individual of the correction or amendment that has been made; and (3) make reasonable efforts to inform any person who is identified by the individual, who is not an officer, employer, or agent of the trustee, and to whom the uncorrected or unamended portion of the information was previously disclosed, of the correction or amendment that has been made. (b) REFUSAL TO CORRECT OR AMEND- If the health information trustee refuses to make the correction or amendment, the trustee shall inform the individual of-- (1) the reasons for the refusal to make the correction or amendment; (2) any procedures for further review of the refusal; and (3) the individual's right to file with the trustee a concise statement setting forth the requested correction or amendment and the individual's reasons for disagreeing with the refusal. (c) STATEMENT OF DISAGREEMENT- After an individual has filed a statement of disagreement under subsection (b)(3), the health information trustee in any subsequent disclosure of the disputed portion of the information-- (1) shall include a copy of the individual's statement; and (2) may include a concise statement of the reasons for not making the requested correction or amendment. (d) RULE OF CONSTRUCTION- This section shall not be construed to require a health information trustee to conduct a formal, informal, or other hearing or proceeding concerning a request for a correction or amendment to protected health information. (e) CORRECTION- For purposes of subsection (a), a correction is deemed to have been made to protected health information when information that has been disputed by an individual has been corrected, clearly marked as incorrect, or supplemented by correct information.
SEC. 103. NOTICE OF INFORMATION PRACTICES. (a) PREPARATION OF WRITTEN NOTICE- A health information trustee other than a health information service shall provide, in a clear and conspicuous manner, written notice of the trustee's information practices, including a description of the trustee's health information practices, including notice of individual rights with respect to protected health information. (b) MODEL NOTICE- The Secretary, after notice and opportunity for public comment, shall develop and disseminate model notices of information practices for use under this section. SUBTITLE B--ESTABLISHMENT OF SAFEGUARDS SEC. 111. ESTABLISHMENT OF SAFEGUARDS. (a) IN GENERAL- A health information trustee shall establish and maintain appropriate administrative, technical, and physical safeguards to ensure the confidentiality, security, accuracy, and integrity of protected health information created, received, obtained, maintained, used or transmitted by the trustee. (b) Regulations- (1) Promulgation- (A) IN GENERAL- In promulgating regulations under this Act, the Secretary shall follow the procedures authorized under sections 581 through 590 of title 5, United States Code. (B) Advisory group- (i) DETERMINATION BY THE SECRETARY- If the Secretary determines that a negotiated rulemaking committee shall not be established as permitted by section 583 of title 5, United States Code, the Secretary shall appoint and consult with an advisory group of knowledgeable individuals. (ii) MEMBERSHIP- The advisory group shall consist of at least 7 but no more than 12 individuals including representatives of-- (I) health care professionals and health care entities; (II) health care consumers; (III) third party payors/administrators; and (IV) privacy advocates. (iii) RESPONSIBILITIES- The advisory group shall review all proposed rules and regulations and submit recommendations to the Secretary.
The advisory group shall also assist the Secretary in establishing the standards for compliance with rules and regulations, in developing an annual report to the Congress on the status of the requirements set forth in this Act, their cost impact, and any recommendations for modifications in order to ensure efficient and confidential electronic data interchange of individually identifiable health care information. (2) CONSULTATION- The Secretary may promulgate regulations in consultation with privacy, industry, and consumer groups. SEC. 112. ACCOUNTING FOR DISCLOSURES. (a) IN GENERAL- A health information trustee shall create and maintain, with respect to any protected health information disclosure that is not related to treatment, a record of the disclosure in accordance with regulations issued by the Secretary. (b) RECORD OF DISCLOSURE PART OF PROTECTED HEALTH INFORMATION- A record created and maintained under subsection (a) shall be maintained as protected health information for not less than 7 years. TITLE II--RESTRICTIONS ON USE AND DISCLOSURE SEC. 201. GENERAL RULES REGARDING USE AND DISCLOSURE. (a) GENERAL RULE- A health information trustee may not disclose protected health information except as authorized under this title. (b) Scope of Disclosure- (1) COMPATIBILITY TO PURPOSE- Protected health information may not be used or disclosed to any person unless the use or disclosure is compatible with and related to the purposes for which the information was obtained. (2) LIMITATION ON INFORMATION- Every disclosure of protected health information by a health information trustee shall be limited to the minimum amount of information necessary to accomplish the purpose for which the information is disclosed. (c) NO GENERAL REQUIREMENT TO DISCLOSE- Nothing in this title that permits a disclosure of health information shall be construed to require such disclosure. 
(d) IDENTIFICATION OF DISCLOSED INFORMATION AS PROTECTED INFORMATION- Except as provided in this title, a health information trustee may not disclose protected health information unless such information is clearly identified as protected health information that is subject to this title. (e) INFORMATION IN WHICH PROVIDERS ARE IDENTIFIED- The Secretary shall issue regulations protecting information identifying providers in order to promote the availability of health care services. SEC. 202. AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH INFORMATION FOR TREATMENT OR PAYMENT. (a) WRITTEN AUTHORIZATIONS- A health information trustee may disclose protected health information for purposes of treatment or payment pursuant to an authorization executed by the individual who is the subject of the information (or a person acting for the individual pursuant to State law) if each of the following requirements is met: (1) WRITING- The authorization is in writing or electronically authenticated, signed by the individual who is the subject of the information, and dated. (2) SEPARATE FORM- Separate forms authorizing disclosures for treatment and payment processes are provided to the individual. (3) INFORMATION DESCRIBED- The information to be disclosed is specified, or is described in the authorization. (4) TRUSTEE DESCRIBED- The trustee who is authorized to disclose such information is specifically identified, or is described in the authorization. (5) RECIPIENT DESCRIBED- The person to whom the information is to be disclosed is specifically identified, or is described in the authorization. (6) RIGHT TO REVOKE OR AMEND- The authorization contains an acknowledgement that the individual who is the subject of the information has the right to revoke or amend the authorization. 
(7) STATEMENT OF INTENDED DISCLOSURES- The authorization contains an acknowledgment that the individual who is the subject of the information has read a statement of the disclosures that the person who receives the protected health information intends to make. (8) INFORMATION RESTRICTED- The authorization includes a proviso that the information will be disclosed solely for a purpose that is compatible with and related to the purposes for which the information was collected or received by the trustee. (9) EXPIRATION DATE SPECIFIED- The authorization specifies a date or event at which the authorization expires. (b) Revocation or Amendment of Authorization- (1) IN GENERAL- The authorization contains an acknowledgment that the individual may in writing revoke or amend an authorization described in subsection (a), at any time, except that with respect to disclosure of protected health information to permit validation of expenditures for health care that has previously been authorized the authorization may not be revoked. (2) NOTICE OF REVOCATION- A health information trustee who discloses protected health information pursuant to an authorization described in subsection (a) that has been revoked shall not be subject to any liability or penalty under this Act if the trustee had no actual or constructive notice of the revocation. (c) MODEL AUTHORIZATIONS- The Secretary, after notice and opportunity for public comment, shall develop and disseminate model written authorizations of the type described in subsection (a) and model statements of intended disclosures of the type described in subsection (a)(6). (d) COPY- A health information trustee who discloses protected health information pursuant to an authorization under this section shall maintain a copy of the authorization. SEC. 203. AUTHORIZATIONS FOR DISCLOSURE OF PROTECTED HEALTH INFORMATION, OTHER THAN FOR TREATMENT OR PAYMENT. 
(a) WRITTEN AUTHORIZATIONS- A health information trustee may disclose protected health information pursuant to an authorization executed by the individual who is the subject of the information if the following conditions are met: (1) GENERAL REQUIREMENTS- The requirements of section 202(a) (1) through (6) are met. (2) STATEMENT OF INTENDED DISCLOSURES- The statement of intended disclosure shall be in writing, on a form that is separate from the authorization for disclosure, and shall be received by the individual authorizing the disclosure on or before the date the authorization is executed. (3) AUTHORIZATION NOT REQUESTED IN CONNECTION WITH PROVISION OF HEALTH CARE- The authorization is not requested on a day on which the trustee provides health care to the individual requested to provide the authorization. (4) EXPIRATION DATE SPECIFIED- The authorization specifies a date or event upon which the authorization expires, which shall not exceed 1 year from the date of the execution of the authorization. (b) LIMITATION ON AUTHORIZATIONS- A health information trustee may not condition delivery of treatment or payment for services on the receipt of an authorization described in subsection (a). (c) REVOCATION OR AMENDMENT OF AUTHORIZATION- (1) IN GENERAL- An individual may in writing revoke or amend an authorization described in subsection (a). (2) NOTICE OF REVOCATION- A health information trustee who discloses protected health information pursuant to an authorization that has been revoked shall not be subject to any liability or penalty under this title if the trustee had no actual or constructive notice of the revocation. (d) MODEL AUTHORIZATIONS- The Secretary, after notice and opportunity for public comment, shall develop and disseminate model written authorizations of the type described in subsection (a) and model statements of the intended disclosures of the type described in subsection (a)(2). 
(e) AUTHORIZATION NOT REQUIRED- This section does not apply to sections 204, 205, 206, 207, 208, 209, 210, 211, and 212. SEC. 204. CREATION OF NONIDENTIFIABLE INFORMATION. (a) CREATION OF NONIDENTIFIABLE INFORMATION- A health information trustee may disclose protected health information to a certified health information service for the purpose of creating nonidentifiable health information. (b) Certification of Health Information Services- (1) REGULATIONS- The Secretary, after notice and opportunity for public comment, shall issue regulations establishing certification requirements for health information services under this title. Such regulations shall include requirements that the health information service establish and maintain appropriate administrative, technical, and physical safeguards to ensure the confidentiality, security, accuracy, and integrity of protected health information. (2) CERTIFICATION- The Secretary shall certify a health information service that meets the certification requirements established by the Secretary under paragraph (1). SEC. 205. NEXT OF KIN AND DIRECTORY INFORMATION. (a) NEXT OF KIN- A health care provider, or a person who receives protected health information under section 206, may disclose protected health information regarding an individual to the individual's next of kin, to an individual representative of the individual, or to an individual with whom that individual has a significant personal relationship if-- (1) the individual who is the subject of the information-- (A) has been notified of the individual's right to object and has not objected to the disclosure; (B) is not competent to be notified about the right to object; or (C) exigent circumstances exist such that it would not be practicable to notify the individual of the right to object; and (2) the information disclosed relates to health care currently being provided to that individual. 
(b) Directory Information- (1) DISCLOSURE- Except as provided in paragraph (2), a health information trustee may disclose the information described in subparagraph (B) to any person if-- (A) the individual who is the subject of the information-- (i) has been notified of the individual's right to object and has not objected to the disclosure; (ii) is not competent to be notified about the right to object; or (iii) exigent circumstances exist such that it would not be practicable to notify the individual of the right to object; and (B) the information consists only of 1 or more of the following items: (i) the name of the individual who is the subject of the information; (ii) the general health status of the individual, described as critical, poor, fair, stable, or satisfactory or in terms denoting similar conditions; and (iii) the location of the individual on premises controlled by a provider. (2) EXCEPTION- If disclosure of the location of the individual reveals specific information about the physical or mental condition of the individual, the individual must expressly authorize such disclosure. (c) Deceased Individual- (1) IDENTIFICATION- A health information trustee may disclose protected health information if necessary to assist in the identification of a deceased individual. (2) REGULATIONS- The Secretary shall develop and establish through regulation a procedure for obtaining protected health information relating to a deceased individual when there is no individual representative for such individual. SEC. 206. EMERGENCY CIRCUMSTANCES. Any person who receives protected health information under this title may disclose protected health information in emergency circumstances when necessary to protect the health or safety of an individual from serious, imminent harm. SEC. 207. OVERSIGHT. (a) IN GENERAL- A health information trustee may disclose protected health information to a health oversight agency for an oversight function authorized by law. 
(b) USE IN ACTION AGAINST INDIVIDUALS- Protected health information about an individual that is disclosed under this section may not be used in, or disclosed to any person for use in, an administrative, civil, or criminal action or investigation directed against the individual unless the action or investigation arises out of and is directly related to-- (1) receipt of health care or payment for health care; or (2) an action involving a fraudulent claim related to health. SEC. 208. PUBLIC HEALTH. A health care provider, health plan, health researcher, public health authority, employer, insurer, school or university, or certified health information network service, or person who receives protected health information under section 206, may disclose protected health information to a public health authority or other person authorized by law for use in a legally authorized-- (1) disease or injury report; (2) public health surveillance; or (3) public health investigation or intervention. SEC. 209. HEALTH RESEARCH. (a) IN GENERAL- A health information trustee may disclose protected health information to a health researcher if a certified institutional review board determines that the research project engaged in by the health researcher-- (1) requires use of the protected health information for the effectiveness of the project; and (2) is of sufficient importance to outweigh the intrusion into the privacy of the individual who is the subject of the information that would result from the disclosure. 
(b) OBLIGATIONS OF RECIPIENT- A person who receives protected health information pursuant to subsection (a)-- (1) shall remove or destroy, at the earliest opportunity consistent with the purposes of the project, information that would enable an individual to be identified, unless-- (A) a certified institutional review board has determined that there is a health or research justification for retention of such identifiers; and (B) there is an adequate plan to protect the identifiers from disclosure that is inconsistent with this section; and (2) shall use protected health information solely for purposes of the health research project for which disclosure was authorized by a certified institutional review board under subsection (a). (c) SPECIAL RULE FOR RESEARCHERS OTHER THAN ACADEMIC CENTERS OR HEALTH CARE FACILITIES- If a health researcher is not located in an academic center, a health care facility or public health agency, the determinations required by a certified institutional review board shall be approved by the Secretary before the determination is issued. (d) CERTIFICATION OF INSTITUTIONAL REVIEW BOARDS- (1) REGULATIONS- The Secretary, after notice and opportunity for public comment, shall issue regulations establishing certification requirements for institutional review boards under this title. Such regulations shall be based on regulations issued under section 491(a) of the Public Health Service Act. The regulations shall ensure that institutional review boards certified under this paragraph have the qualifications to assess and protect the confidentiality of research subjects. (2) CERTIFICATION- The Secretary shall certify an institutional review board that meets the certification requirements established by the Secretary under paragraph (1). SEC. 210. JUDICIAL AND ADMINISTRATIVE PURPOSES. 
(a) IN GENERAL- A health care provider, health plan, health oversight agency, employer, school, university, insurer, or person who receives protected health information under section 206, may disclose protected health information-- (1) pursuant to the Federal Rules of Civil Procedure, the Federal Rules of Criminal Procedure, or comparable rules of other courts or administrative agencies, in connection with litigation or proceedings to which the individual who is the subject of the information is a party and in which the individual has placed his or her physical or mental condition at issue; (2) to a court, and to others ordered by the court, if the protected health information is developed in response to a court-ordered physical or mental examination; or (3) pursuant to a law requiring the reporting of specific medical information to law enforcement authorities. (b) OBLIGATIONS OF RECIPIENT- A person seeking protected health information pursuant to subsection (a)-- (1) shall notify the individual or the individual's attorney of the request for the information; (2) shall provide the health information trustee with a signed document attesting-- (A) that the individual has placed his or her physical or mental condition at issue in litigation or proceedings in which the individual is a party; and (B) the date on which the individual or the individual's attorney was notified under paragraph (1); and (3) shall not accept any requested protected health information from the trustee until the termination of the 10-day period beginning on the date notice was given under paragraph (1). SEC. 211. NON-LAW ENFORCEMENT SUBPOENAS. 
(a) IN GENERAL- A health care provider, health plan, health oversight agency, employer, insurer, school or university, or person who receives protected health information under section 206, may disclose protected health information under this section if the disclosure is pursuant to a subpoena issued on behalf of a party who has complied with the access provisions of subsection (b).
(b) ACCESS PROCEDURES- A person may not obtain protected health information about an individual pursuant to a subpoena unless-- (1) a copy of the subpoena together with a notice of the individual's right to challenge the subpoena in accordance with subsection (c), has been served upon the individual on or before the date of return of the subpoena; and-- (2)(A) 15 days have passed since the date of service on the individual, and within that time period the individual has not indicated a challenge in accordance with subsection (c)(1); or (B) disclosure is ordered by a court under subsection (c)(2).
(c) Challenge Procedures- (1) MOTION TO QUASH SUBPOENA- After service of a copy of the subpoena seeking protected health information under subsection (b), the individual who is the subject of the protected health information may file in any court of competent jurisdiction a motion to quash the subpoena. (2) Standard for decision- (A) IN GENERAL- The court shall grant a motion under paragraph (1) unless the respondent demonstrates that-- (i) there is reasonable ground to believe the information is relevant to a lawsuit or other judicial or administrative proceeding; and (ii) the need of the respondent for the information outweighs the privacy interest of the individual.
(B) CRITERIA FOR DECISION- In determining whether the need of the respondent for the information outweighs the privacy interest of the individual, the court shall consider-- (i) the particular purpose for which the information was collected; (ii) the degree to which disclosure of the information would embarrass, injure, or invade the privacy of the individual; (iii) the effect of the disclosure on the individual's future health care; (iv) the importance of the information to the lawsuit or proceeding; and (v) any other relevant factor. (3) ATTORNEY'S FEES- In the case of a motion brought under paragraph (1) in which the individual has substantially prevailed, the court may assess against the respondent a reasonable attorney's fee and other litigation costs and expenses (including expert fees) reasonably incurred.
SEC. 212. LAW ENFORCEMENT.
(a) Government Subpoenas and Warrants- (1) IN GENERAL- A health information trustee shall disclose protected health information under this section if the disclosure is pursuant to-- (A) a subpoena issued under the authority of a grand jury; or (B) an administrative subpoena or summons or a judicial subpoena or warrant, which meets the conditions of paragraph (2). (2) PROBABLE CAUSE REQUIREMENT- A government authority may not obtain protected health information about an individual under paragraph (1) for use in a law enforcement inquiry unless there is probable cause to believe that the information is relevant to a legitimate law enforcement inquiry being conducted by the government authority. (3) WARRANTS- A government authority that obtains protected health information about an individual pursuant to a warrant shall, not later than 30 days after the date the warrant was executed, serve the individual with, or mail to the last known address of the individual, a notice that protected health information about the individual was obtained, together with a notice of the individual's right to challenge the warrant.
(4) SUBPOENA OR SUMMONS- Except as provided in paragraph (5), a government authority may not obtain protected health information about an individual pursuant to a subpoena or summons unless a copy of the subpoena or summons has been served on the individual, if the identity of the individual is known, on or before the date of the return of the subpoena or summons, together with notice of the individual's right to challenge the subpoena or summons. If the identity of the individual is not known at the time the subpoena or summons is served, the individual shall be served not later than 30 days thereafter, with notice that protected health information about the individual was obtained together with notice of the individual's right to challenge the subpoena or summons. (5) Application for delay- (A) IN GENERAL- A government authority may apply ex parte and under seal to an appropriate court to delay (for an initial period of not longer than 90 days) service of the notice regarding execution of the warrant as required under paragraph (3) or a copy of the subpoena as required under paragraph (4). The government authority may apply to the court for extensions of the delay. 
(B) EX PARTE ORDER- The court shall enter an ex parte order delaying or extending the delay of notice, an order prohibiting the disclosure of the request for, or the disclosure of, the protected health information, and an order requiring the disclosure of the protected health information if the court finds that-- (i) the inquiry being conducted is within the lawful jurisdiction of the government authority seeking the protected health information; (ii) there is probable cause to believe that the protected health information being sought is relevant to a legitimate law enforcement inquiry; (iii) the government authority's need for the information outweighs the privacy interest of the individual who is the subject of the information; and (iv) there is reasonable ground to believe that receipt of notice by the individual will result in-- (I) endangering the life or physical safety of any individual; (II) flight from prosecution; (III) destruction of or tampering with evidence or the information being sought; (IV) intimidation of potential witnesses; or (V) disclosure of the existence or nature of a confidential law enforcement investigation or grand jury investigation that is likely to seriously jeopardize such investigation. (6) INFORMATION IN RESPONSE TO LAW ENFORCEMENT INQUIRY- Protected health information about an individual that is disclosed under this section may not be used in, or disclosed to any person for use in any administrative, civil or criminal action or investigation directed against the individual unless the action or investigation arises out of or is directly related to the law enforcement inquiry for which the information was obtained. 
(b) Challenge Procedures for Law Enforcement Warrants, Subpoenas, and Summonses- (1) MOTION TO QUASH- Within 15 days after the date of service of a notice of execution of a warrant or a copy of a subpoena or summons, of a government authority seeking protected health information about an individual under subsection (a), the individual may file a motion to quash. (2) STANDARD FOR DECISION- The court shall grant a motion under paragraph (1) unless the government demonstrates there is probable cause to believe the protected health information is relevant to a legitimate law enforcement inquiry being conducted by the government authority and the government authority's need for the information outweighs the privacy interest of the individual. (3) ATTORNEY'S FEES- In the case of a motion brought under paragraph (1) in which the individual has substantially prevailed, the court may assess against the government authority reasonable attorney's fees and other litigation costs (including expert fees) reasonably incurred. (4) NO INTERLOCUTORY APPEAL- A ruling denying a motion to quash under this section shall not be deemed to be a final order, and no interlocutory appeal may be taken therefrom by the individual.
(c) EXCEPTIONS- A health information trustee may disclose protected health information to a law enforcement agency if the information is requested for use-- (1) in an investigation or prosecution of a health information trustee; (2) in the identification of a victim or witness in a law enforcement inquiry; or (3) in connection with the investigation of criminal activity committed against the trustee or on premises controlled by the trustee.
SEC. 213. STANDARDS FOR ELECTRONIC DISCLOSURES.
The Secretary shall promulgate standards for disclosing, authorizing and authenticating protected health information in electronic form in accordance with this title.
TITLE III--SANCTIONS
SUBTITLE A--CIVIL SANCTIONS
SEC. 301. CIVIL PENALTY.
(a) VIOLATION- Any health information trustee who the Secretary determines has substantially and materially failed to comply with this Act shall be subject, in addition to any other penalties that may be prescribed by law, to-- (1) a civil penalty of not more than $10,000 for each such violation, but not to exceed $50,000 in the aggregate for multiple violations; and (2) a civil penalty of not more than $250,000 or exclusion from participation in medicare and medicaid, or any other federally funded health care programs, if the Secretary finds that such violations have occurred with such frequency as to constitute a general business practice.
(b) PROCEDURES FOR IMPOSITION OF PENALTIES- Section 1128A of the Social Security Act, other than subsections (a) and (b) and the second sentence of subsection (f) of that section, shall apply to the imposition of a civil, monetary, or exclusionary penalty under this section in the same manner as such provisions apply with respect to the imposition of a penalty under section 1128A of such Act.
SEC. 302. CIVIL ACTION.
(a) IN GENERAL- An individual who is aggrieved by conduct in violation of this title may bring a civil action to recover-- (1) such preliminary and equitable relief as the court determines to be appropriate; (2) the greater of actual damages or liquidated damages of $5,000; and (3) punitive damages.
(b) ATTORNEY'S FEES- In the case of a civil action brought under subsection (a) in which the individual has substantially prevailed, the court may assess against the respondent a reasonable attorney's fee and other litigation costs and expenses (including expert fees) reasonably incurred.
(c) LIMITATION- No action may be commenced under this section more than 3 years after the date on which the violation was or should reasonably have been discovered.
SUBTITLE B--CRIMINAL SANCTIONS
SEC. 311. WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION.
(a) OFFENSE- A person who knowingly-- (1) obtains protected health information relating to an individual in violation of this title; or (2) discloses protected health information to another person in violation of this title, shall be punished as provided in subsection (b).
(b) PENALTIES- A person described in subsection (a) shall-- (1) be fined not more than $50,000, imprisoned not more than 1 year, or both; (2) if the offense is committed under false pretenses, be fined not more than $250,000, imprisoned not more than 5 years, excluded from participation in medicare and medicaid, or any other federally funded health care programs, or any combination of such penalties; and (3) if the offense is committed with intent to sell, transfer, or use protected health information for commercial advantage, personal gain, or malicious harm, be fined not more than $500,000, imprisoned not more than 10 years, excluded from participation in medicare and medicaid, or any other federally funded health care programs, or any combination of such penalties.
TITLE IV--MISCELLANEOUS
SEC. 401. RELATIONSHIP TO OTHER LAWS.
(a) STATE LAW- Except as provided in subsections (b), (c), and (d), this Act preempts State law.
(b) PRIVILEGES- Nothing in this title shall be construed to preempt or modify State common or statutory law to the extent such law concerns a privilege of a witness or person in a court of the State. This title shall not be construed to supersede or modify Federal common or statutory law to the extent such law concerns a privilege of a witness or person in a court of the United States. Authorizations pursuant to sections 202 and 203 shall not be construed as a waiver of any such privilege.
(c) CERTAIN DUTIES UNDER STATE OR FEDERAL LAW- Nothing in this title shall be construed to preempt, supersede, or modify the operation of-- (1) any law that provides for the reporting of vital statistics such as birth or death information; (2) any law requiring the reporting of abuse or neglect information about any individual; (3) any State law relating to public or mental health that prevents or otherwise restricts disclosure of protected health information otherwise allowed under this title; (4) any law that governs a minor's rights to access protected health information; (5) subpart II of part E of title XXVI of the Public Health Service Act (relating to notifications of emergency response employees of possible exposure to infectious diseases); (6) any Federal law or regulation governing confidentiality of alcohol and drug patient records; (7) the Americans With Disabilities Act of 1990; or (8) any Federal or State statute that establishes a privilege for records used in health professional peer review activities.
SEC. 402. NO LIABILITY FOR PERMISSIBLE DISCLOSURES.
A health information trustee who makes a disclosure of protected health information about an individual that is permitted by this title shall not be liable to the individual for such disclosure under common law.
SEC. 403. EFFECTIVE DATE.
(a) EFFECTIVE DATE- This Act shall take effect 12 months after the date of enactment of this Act.
(b) REGULATIONS- The Secretary shall promulgate regulations implementing this Act not later than 6 months after the date of enactment of this Act.