|
|
107th CONGRESS
1st Session
H. R. 1215
To ensure confidentiality with respect to medical records
and health care-related information, and for other purposes.
IN THE HOUSE OF REPRESENTATIVES
March 27, 2001
Mr. GREENWOOD introduced the following bill; which was referred
to the Committee on Energy and Commerce, and in addition to the
Committee on the Judiciary, for a period to be subsequently determined
by the Speaker, in each case for consideration of such provisions
as fall within the jurisdiction of the committee concerned
A BILL
To ensure confidentiality with respect to medical records
and health care-related information, and for other purposes.
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE; TABLE OF CONTENTS.
(a) SHORT TITLE- This Act may be cited as the `Medical Information
Protection and Research Enhancement Act of 2001'.
(b) TABLE OF CONTENTS- The table of contents for this Act is as
follows:
Sec. 1. Short title; table of contents.
TITLE I--INDIVIDUAL'S RIGHTS
Subtitle A--Review of Protected Health Information by Subjects
of the Information
Sec. 101. Inspection and copying of protected health information.
Sec. 102. Amendment of protected health information.
Sec. 103. Notice of confidentiality practices.
Subtitle B--Establishment of Safeguards
Sec. 111. Establishment of safeguards.
Sec. 112. Accounting for disclosures.
TITLE II--RESTRICTIONS ON USE AND DISCLOSURE
Sec. 201. General rules regarding use and disclosure.
Sec. 202. General rules regarding use and disclosure of health
care information.
Sec. 203. Authorizations for use or disclosure of protected health
information other than for treatment, payment, health care operations,
or health research.
Sec. 204. Next of kin and directory information.
Sec. 205. Emergency circumstances.
Sec. 208. Health research.
Sec. 209. Disclosure in civil, judicial, and administrative procedures.
Sec. 210. Disclosure for law enforcement purposes.
Sec. 211. Payment card and electronic payment transaction.
Sec. 212. Individual representatives.
Sec. 213. No liability for permissible disclosures.
Sec. 214. Sale of business, mergers, etc.
TITLE III--SANCTIONS
Subtitle A--Criminal Provisions
Sec. 301. Wrongful disclosure of protected health information.
Subtitle B--Civil Sanctions
Sec. 311. Civil penalty violation.
Sec. 312. Procedures for imposition of penalties.
Sec. 313. Enforcement by State insurance commissioners.
TITLE IV--MISCELLANEOUS
Sec. 401. Relationship to other laws.
Sec. 402. Conforming amendment.
Sec. 403. Study by Institute of Medicine.
Sec. 404. Effective date.
SEC. 2. DEFINITIONS.
(1) ACCREDITING BODY- The term `accrediting body' means a national
body, committee, organization, or institution (such as the Joint
Commission on Accreditation of Health Care Organizations or the
National Committee for Quality Assurance) that has been authorized
by law or is recognized by a health care regulating authority
as an accrediting entity or any other entity that has been similarly
authorized or recognized by law to perform specific accreditation,
licensing or credentialing activities.
(2) AGENT- The term `agent' means a person, including a contractor,
who represents and acts for another under the contract or relation
of agency, or whose function is to bring about, modify, effect,
accept performance of, or terminate contractual obligations between
the principal and a third person.
(3) COMMON RULE- The term `common rule' means the Federal policy
for protection of human subjects from research risks originally
published as 56 Federal Register 28.025 (1991) as adopted and
implemented by a Federal department or agency.
(4) DISCLOSE/DISCLOSURE- The term `disclose' means to release,
transfer, provide access to, or otherwise divulge protected health
information to any person other than the individual who is the
subject of such information. The term `disclosure' refers to such
a release, transfer, provisions for access to, or communication
of such information. The use of protected health information by
an authorized person and its agents shall not be considered a
disclosure for purposes of this Act, provided that the use is
consistent with the purposes for which the information was lawfully
obtained. Using or providing access to health information in the
form of nonidentifiable health information shall not be construed
as a disclosure of protected health information.
(5) EMPLOYER- The term `employer' has the meaning given such term
under section 3(5) of the Employee Retirement Income Security
Act of 1974 (29 U.S.C. 1002(5)), except that such term shall include
only employers of two or more employees.
(6) HEALTH CARE- The term `health care' means--
(A) preventive, diagnostic, therapeutic, rehabilitative, maintenance,
or palliative care, including appropriate assistance with disease
or symptom management and maintenance, counseling, service,
or procedure--
(i) with respect to the physical or mental condition of an
individual; or
(ii) affecting the structure or function of the human body
or any part of the human body, including the banking of blood,
sperm, organs, or any other tissue; or
(B) pursuant to a prescription or medical order any sale or
dispensing of a drug, device, equipment, or other health care
related item to an individual, or for the use of an individual.
(7) HEALTH CARE OPERATIONS- The term `health care operations'
means services provided by or on behalf of a health plan or health
care provider for the purpose of carrying out the management functions
of a health care provider or health plan, or implementing the
terms of a contract for health plan benefits, including--
(A) coordinating health care, including health care management
of the individual through risk assessment and case management;
(B) conducting quality assessment and improvement activities,
including outcomes evaluation, clinical guideline development,
and improvement;
(C) reviewing the competence or qualifications of health care
professionals, evaluating provider performance, and conducting
health care education, accreditation, certification, licensing,
or credentialing activities;
(D) carrying out utilization review activities, including precertification
and preauthorization of services, and health plan rating and
insurance activities, including underwriting, experience rating
and reinsurance; and
(E) conducting or arranging for auditing services, including
fraud detection and compliance programs.
(8) HEALTH CARE PROVIDER- The term `health care provider' means
a person, who with respect to a specific item of protected health
information, receives, creates, uses, maintains, or discloses
the information while acting in whole or in part in the capacity
of--
(A) a person who is licensed, certified, registered, or otherwise
authorized by Federal or State law to provide an item or service
that constitutes health care in the ordinary course of business,
or practice of a profession;
(B) a Federal, State, employer sponsored or other privately
sponsored program that directly provides items or services that
constitute health care to beneficiaries; or
(C) an officer or employee of a person described in subparagraph
(A) or (B).
Such term does not include a person that provides no health care
and that provides only a religious method for healing.
(9) HEALTH OVERSIGHT AGENCY- The term `health oversight agency'
means a person who, with respect to a specific item of protected
health information, receives, creates, uses, maintains, or discloses
the information while acting in whole or in part in the capacity
of--
(A) a person who performs or oversees the performance of an
assessment, evaluation, determination, or investigation, relating
to the licensing, accreditation, certification, or credentialing
of health care providers; or
(i) performs or oversees the performance of an audit, assessment,
evaluation, determination, or investigation relating to the
effectiveness of, compliance with, or applicability of, legal,
fiscal, medical, or scientific standards or aspects of performance
related to the delivery of health care; and
(ii) is a public agency, acting on behalf of a public agency,
acting pursuant to a requirement of a public agency, or carrying
out activities under a Federal or State law governing the
assessment, evaluation, determination, investigation, or prosecution
described in subparagraph (A).
(10) HEALTH PLAN- The term `health plan' means has the meaning
given such term in section 1171(5) of the Social Security Act
(42 U.S.C. 1320d(5)) and includes any health insurance issuer,
health insurance plan (including any hospital or medical service
plan, dental or other health service plan, or health maintenance
organization plan), provider sponsored organization, or other
program providing or arranging for the provision of health benefits.
Such term does not include any policy, plan, or program to the
extent that it provides, arranges, supports, or administers
any excepted benefits (as defined in section 2791(c)(1) of the
Public Health Service Act (42 U.S.C. 300gg-91(c)(1))).
(11) HEALTH RESEARCH/HEALTH RESEARCHER- The term `health research'
means a systematic investigation of health (including but not
limited to basic biological processes and structures), health
care, or its delivery and financing, including research development,
testing and evaluation, designed to develop or contribute to generalizable
knowledge concerning human health, health care, or health care
delivery. The term `health researcher' means a person involved
in health research, or an officer, employee, or agent of such
person.
(12) KEY- The term `key' means a method or procedure used to transform
nonidentifiable health information that is in a coded or encrypted
form into protected health information.
(13) LAW ENFORCEMENT INQUIRY- The term `law enforcement inquiry'
means a lawful investigation or official proceeding inquiring
into a violation of, or failure to comply with, any criminal or
civil statute or any regulation, rule, or order issued pursuant
to such a statute.
(14) LIFE INSURER- The term `life insurer' means life insurance
company as defined in section 816 of the Internal Revenue Code
of 1986.
(15) NONIDENTIFIABLE HEALTH INFORMATION- The term `nonidentifiable
health information' means protected health information from which
personal identifiers, that directly reveal the identity of the
individual who is the subject of such information or provide a
direct means of identifying the individual (such as name, address,
and social security number), have been removed, encrypted, or
replaced with a code, such that the identity of the individual
is not evident without (in the case of encrypted or coded information)
use of key.
(16) ORIGINATING PROVIDER- The term `originating provider' means
a health care provider who initiates a treatment episode, such
as prescribing a drug, ordering a diagnostic test, or admitting
an individual to a health care facility. A hospital or nursing
facility is the originating provider with respect to protected
health information created or received as part of inpatient or
outpatient treatment provided in such settings.
(17) PAYMENT- The term `payment' means--
(A) the activities undertaken by--
(i) or on behalf of a health plan to determine its responsibility
for coverage under the plan; or
(ii) a health care provider to obtain payment for items or
services provided to an individual, provided under a health
plan, or provided based on a determination by the health plan
of responsibility for coverage under the plan; and
(B) activities undertaken as described in subparagraph (A) including--
(i) billing, claims management, medical data processing, other
administrative services, and actual payment;
(ii) determinations of coverage or adjudication of health
benefit or subrogation claims; and
(iii) review of health care services with respect to coverage
under a health plan or justification of charges.
(18) PERSON- The term `person' means a government, governmental
subdivision, agency or authority; corporation; company; association;
firm; partnership; society; estate; trust; joint venture; individual;
individual representative; tribal government; and any other legal
entity.
(19) PROTECTED HEALTH INFORMATION- The term `protected health
information' with respect to the individual who is the subject
of such information means any information which identifies such
individual, whether oral or recorded in any form or medium, that--
(A) is created or received by a health care provider, health
plan, health oversight agency, public health authority, employer,
life insurer, school or university;
(B) relates to the past, present, or future physical or mental
health or condition of an individual (including individual cells
and their components);
(i) the provision of health care to the individual; or
(ii) payment for the provision of health care to the individual;
and
(D) is not nonidentifiable health information.
(20) PUBLIC HEALTH AUTHORITY- The term `public health authority'
means an authority or instrumentality of the United States, a
tribal government, a State, or a political subdivision of a State
that is--
(A) primarily responsible for health and/or welfare matters;
and
(B) primarily engaged in activities such as incidence reporting,
public health surveillance, and investigation or intervention.
(21) SCHOOL OR UNIVERSITY- The term `school or university' means
an institution or place accredited or licensed for purposes of
providing for instruction or education, including an elementary
school, secondary school, or institution of higher learning, a
college, or an assemblage of colleges united under one corporate
organization or government.
(22) SECRETARY- The term `Secretary' means the Secretary of Health
and Human Services.
(23) SIGNED- The term `signed' refers to documentation of assent
in any medium, whether ink, digital or biometric signatures, or
recorded oral authorizations.
(24) STATE- The term `State' includes the District of Columbia,
Puerto Rico, the Virgin Islands, Guam, American Samoa, and the
Northern Mariana Islands.
(25) TREATMENT- The term `treatment' means the provision of health
care by a health care provider.
(26) WRITING/WRITTEN- The term `writing' means any form of documentation,
whether paper, electronic, digital, biometric or tape recorded.
The term `written' includes paper, electronic, digital, biometric
and tape-recorded formats.
TITLE I--INDIVIDUAL'S RIGHTS
Subtitle A--Review of Protected Health Information by Subjects
of the Information
SEC. 101. INSPECTION AND COPYING OF PROTECTED HEALTH INFORMATION.
(1) COMPLIANCE WITH SECTION- At the request of an individual who
is the subject of protected health information and except as provided
in subsection (c), a health care provider, a health plan, employer,
life insurer, school, or university shall arrange for inspection
or copying of protected health information concerning the individual,
including records created under section 102, as provided for in
this section.
(2) AVAILABILITY OF INFORMATION THROUGH ORIGINATING PROVIDER-
Protected health information that is created or received by a
health plan or health care provider as part of treatment or payment
shall be made available for inspection or copying as provided
for in this title through the originating provider.
(3) OTHER ENTITIES- An employer, life insurer, school, or university
that creates or receives protected health information in performing
any function other than providing treatment, payment, or health
care operations with respect to the individual who is the subject
of such information, shall make such information available for
inspection or copying as provided for in this title, or through
any provider designated by the individual.
(4) PROCEDURES- The person providing access to information under
this title may set forth appropriate procedures to be followed
for such inspection or copying and may require an individual to
pay reasonable costs associated with such inspection or copying.
(b) SPECIAL CIRCUMSTANCES- If an originating provider, its agent,
or contractor no longer maintains the protected health information
sought by an individual pursuant to subsection (a), a health plan
or another health care provider that maintains such information
shall arrange for inspection or copying.
(c) EXCEPTIONS- Unless ordered by a court of competent jurisdiction,
a person acting pursuant to subsection (a) or (b) is not required
to permit the inspection or copying of protected health information
if any of the following conditions are met:
(1) ENDANGERMENT TO LIFE OR SAFETY- The person determines that
the disclosure of the information could reasonably be expected
to endanger the life or physical safety of any individual.
(2) CONFIDENTIAL SOURCE- The information identifies, or could
reasonably lead to the identification of, a person who provided
information under a promise of confidentiality to a health care
provider concerning the individual who is the subject of the information.
(3) INFORMATION COMPILED IN ANTICIPATION OF OR IN CONNECTION WITH
A FRAUD INVESTIGATION OR LITIGATION- The information is compiled
principally--
(A) in anticipation of or in connection with a fraud investigation,
an investigation of material misrepresentation in connection
with an insurance policy, a civil, criminal, or administrative
action or proceeding; or
(B) for use in such action or proceeding.
(4) INVESTIGATIONAL INFORMATION- The protected health information
was created, received or maintained by a health researcher as
provided in section 208.
(d) DENIAL OF A REQUEST FOR INSPECTION OR COPYING- If a person described
in subsection (a) or (b) denies a request for inspection or copying
pursuant to subsection (c), the person shall inform the individual
in writing of--
(1) the reasons for the denial of the request for inspection or
copying;
(2) the availability of procedures for further review of the denial;
and
(3) the individual's right to file with the person a concise statement
setting forth the request for inspection or copying.
(e) STATEMENT REGARDING REQUEST- If an individual has filed a statement
under subsection (d)(3), the person in any subsequent disclosure
of the portion of the information requested under subsection (a)
or (b)--
(1) shall include a notation concerning the individual's statement;
and
(2) may include a concise statement of the reasons for denying
the request for inspection or copying.
(f) INSPECTION AND COPYING OF SEGREGABLE PORTION- A person described
in subsection (a) or (b) shall permit the inspection and copying
of any reasonably segregable portion of a record after deletion
of any portion that is exempt under subsection (c).
(g) DEADLINE- A person described in subsection (a) or (b) shall
comply with or deny, in accordance with subsection (d), a request
for inspection or copying of protected health information under
this section not later than 60 days after the date on which the
person receives the request.
(h) RULES OF CONSTRUCTION-
(1) AGENTS- An agent of a person described in subsection (a) or
(b) shall not be required to provide for the inspection and copying
of protected health information, except where--
(A) the protected health information is retained by the agent;
and
(B) the agent has been asked in writing by the person involved
to fulfill the requirements of this section.
(2) NO REQUIREMENT FOR HEARING- This section shall not be construed
to require a person described in subsection (a) or (b) to conduct
a formal, informal, or other hearing or proceeding concerning
a request for inspection or copying of protected health information.
SEC. 102. AMENDMENT OF PROTECTED HEALTH INFORMATION.
(a) IN GENERAL- Protected health information shall be subject to
amendment as provided for in this section. Protected health information
that is created or received by a health plan or health care provider
as part of treatment or payment shall be subject to amendment as
provided in this section upon request to the originating provider.
Except as provided in subsection (b), not later than 45 days after
the date on which an originating provider, employer, life insurer,
school, or university receives from an individual a request in writing
to amend protected health information, such person shall--
(1) make the amendment requested;
(2) inform the individual of the amendment that has been made;
and
(3) inform any person identified by the individual in the request
for amendment and--
(A) who is not an officer, employee, or agent of the person;
and
(B) to whom the unamended portion of the information was disclosed
within the previous yearby sending a notice to the individual's
last known address that there has been a substantive amendment
to the protected health information of such individual.
(b) SPECIAL CIRCUMSTANCES- If an originating provider, its agent,
or contractor no longer maintains the protected health information
sought to be amended by an individual pursuant to subsection (a),
a health plan or another health care provider that maintains such
information may arrange for amendment consistent with this section.
(c) REFUSAL TO AMEND- If a person described in subsection (a) refuses
to make the amendment requested under such subsection, the person
shall inform the individual in writing of--
(1) the reasons for the refusal to make the amendment;
(2) the availability of procedures for further review of the refusal;
and
(3) the procedures by which the individual may file with the person
a concise statement setting forth the requested amendment and
the individual's reasons for disagreeing with the refusal.
(d) STATEMENT OF DISAGREEMENT- If an individual has filed a statement
of disagreement under subsection (c)(3), the person involved, in
any subsequent disclosure of the disputed portion of the information--
(1) shall include a notation concerning the individual's statement;
and
(2) may include a concise statement of the reasons for not making
the requested amendment.
(e) RULES GOVERNING AGENTS- The agent of a person described in subsection
(a) shall not be required to make amendments to protected health
information, except where--
(1) the protected health information is retained by the agent;
and
(2) the agent has been asked in writing by such person to fulfill
the requirements of this section.
(f) REPEATED REQUESTS FOR AMENDMENTS- If a person described in subsection
(a) receives a request for an amendment of information as provided
for in such subsection and a statement of disagreement has been
filed pursuant to subsection (d), the person shall inform the individual
of such filing and shall not be required to carry out the procedures
required under this section.
(g) RULES OF CONSTRUCTION- This section shall not be construed to--
(1) require that a person described in subsection (a) conduct
a formal, informal, or other hearing or proceeding concerning
a request for an amendment to protected health information;
(2) require a provider to amend an individual's protected health
information as to the type, duration, or quality of treatment
the individual believes he or she should have been provided; or
(3) permit any deletions or alterations of the original information.
SEC. 103. NOTICE OF CONFIDENTIALITY PRACTICES.
(a) PREPARATION OF WRITTEN NOTICE- A health care provider, health
plan, health oversight agency, public health authority, employer,
life insurer, health researcher, school, or university shall post
or provide, in writing and in a clear and conspicuous manner, notice
of the person's confidentiality practices, that shall include--
(1) a description of an individual's rights with respect to protected
health information;
(2) the uses and disclosures of protected health information authorized
under this Act;
(3) the procedures for authorizing disclosures of protected health
information and for revoking such authorizations;
(4) the procedures established by the person for the exercise
of the individual's rights; and
(5) the right to obtain a copy of the notice of the confidentiality
practices required under this Act.
(b) MODEL NOTICE- The Secretary, after notice and opportunity for
public comment, shall develop and disseminate model notices of confidentiality
practices, using the advice of the National Committee on Vital Health
Statistics, for use under this section. Use of the model notice
shall serve as an absolute defense against claims of receiving inappropriate
notice.
Subtitle B--Establishment of Safeguards
SEC. 111. ESTABLISHMENT OF SAFEGUARDS.
(a) IN GENERAL- A health care provider, health plan, health oversight
agency, public health authority, employer, life insurer, health
researcher, law enforcement official, school, or university shall
establish and maintain appropriate administrative, technical, and
physical safeguards to protect the confidentiality, security, accuracy,
and integrity of protected health information created, received,
obtained, maintained, used, transmitted, or disposed of by such
person.
(b) FUNDAMENTAL SAFEGUARDS- The safeguards established pursuant
to subsection (a) shall address the following factors:
(1) The need for protected health information and whether the
purpose can be accomplished with nonidentifiable health information.
(2) Appropriate procedures for maintaining the security and assuring
appropriate use of any key used in creating nonidentifiable health
information.
(3) The categories of personnel who will have access to protected
health information and appropriate training, supervision and sanctioning
of such persons with respect to their use of protected health
information and adherence to established safeguards.
(4) Appropriate limitations on access to individual identifiers.
(5) Appropriate mechanism for limiting disclosures to the protected
health information necessary to respond to the request for disclosure.
(6) Procedures for handling requests for protected health information
by persons other than the individual who is the subject of such
information, including but not limited to relatives and affiliates
of such individual, law enforcement officials, parties in civil
litigation, health care providers, and health plans.
SEC. 112. ACCOUNTING FOR DISCLOSURES.
(a) IN GENERAL- A health care provider, health plan, health oversight
agency, public health authority, employer, life insurer, health
researcher, law enforcement official, school, or university shall
establish and maintain a process for documenting its disclosures
of protected health information by recording the name and address
or other means of contacting the recipient, and the purpose of the
disclosure.
(b) RECORD OF DISCLOSURE- A record established under subsection
(a) shall be maintained for not less than 7 years.
(c) IDENTIFICATION OF DISCLOSED INFORMATION AS PROTECTED HEALTH
INFORMATION- Except as otherwise provided in this title, protected
health information shall be clearly identified as protected health
information that is subject to this Act.
TITLE II--RESTRICTIONS ON USE AND DISCLOSURE
SEC. 201. GENERAL RULES REGARDING USE AND DISCLOSURE.
(a) DISCLOSURE PROHIBITED- A health care provider, health plan,
health oversight agency, public health authority, employer, life
insurer, health researcher, law enforcement official, school, or
university, or any of their agents may not disclose protected health
information except as authorized under this Act or as authorized
by the individual who is the subject of such information.
(b) APPLICABILITY TO AGENTS- A person described in subsection (a)
may use an agent, including a contractor, to carry out an otherwise
lawful activity using protected health information maintained by
such person, provided that the person specifies the activities for
which the agent is authorized and prohibits the agent from using
or disclosing protected health information for purposes other than
carrying out the specified activities.
(1) Notwithstanding any other provision of this Act, a person
who has limited the activities of an agent as provided in this
subsection, shall not be liable for the actions or disclosures
of the agent that are not in fulfillment of the agent's specified
activities.
(2) An agent who receives protected health information from a
person described in subsection (a) shall in its own right be subject
to the applicable provisions of this Act.
(c) CREATION OF NONIDENTIFIABLE HEALTH INFORMATION- A person described
in subsection (a) may use protected health information for the purpose
of creating nonidentifiable health information.
(d) INDIVIDUAL AUTHORIZATION- To be valid, an authorization to disclose
protected health information under this title shall--
(1) identify the individual who is the subject of the protected
health information;
(2) describe the nature of the information to be disclosed;
(3) identify the type of person to whom the information is to
be disclosed;
(4) describe the purpose of the disclosure;
(5) be subject to revocation by the individual and indicate that
the authorization is valid until revocation by the individual;
and
(6) be in writing, dated, and signed by the individual, a family
member or other authorized representative.
(e) MANIPULATION OF NONIDENTIFIABLE HEALTH INFORMATION- Any person
who manipulates nonidentifiable health information in order to identify
an individual, or uses a key to identify an individual without authorization,
is deemed to have disclosed protected health information.
SEC. 202. GENERAL RULES REGARDING USE AND DISCLOSURE OF HEALTH
CARE INFORMATION.
(a) IN GENERAL- An individual who furnishes protected health information
in the context of obtaining health care or health care benefits
has a justifiable expectation that such information will not be
misused and that its confidentiality will be maintained. Protected
health information in possession or control of a health care provider
or health plan shall be available--
(1) for use by a health plan or a health care provider in furnishing
health care to an individual who is the subject of such information,
including arrangements for treatment, payment, and health care
operations; and
(2) for use in health research that is not inconsistent with the
requirements of other applicable Federal laws.
(3) LIMITATION- For purposes of subsection (b), use of protected
health information in activities described in this subsection
is not a disclosure of such information by persons lawfully engaged
in such activities.
(b) PROHIBITION- A health care provider, health plan, health oversight
agency, public health authority, employer, health or life insurer,
health researcher, law enforcement official, school, or university
may not disclose protected health information except as authorized
under this title.
(1) RULES OF CONSTRUCTION-
(A) Disclosure of health information in the form of nonidentifiable
health information shall not be construed as a disclosure of
protected health information.
(B) Arrangements by a person and its agents for carrying out
an authorized use of protected health information, including
uses authorized under subsection (a), shall not be considered
disclosures for purposes of this Act, provided that the use
is consistent with the purposes for which the information was
lawfully obtained by such person.
(C) Nothing in this title shall be construed to require disclosure
by a health care provider or a health plan.
(2) DISCLOSURE BY AGENTS- An agent who receives protected health
information from a person described in subsection (b) shall be
subject to all rules of disclosure and safeguard requirements
under this title.
(c) SCOPE OF DISCLOSURE- Every disclosure of protected health information
by a person under this title shall be limited to the information
necessary to accomplish the purpose for which the information is
disclosed.
(d) IDENTIFICATION OF DISCLOSED INFORMATION AS PROTECTED HEALTH
INFORMATION- Except as otherwise provided in this title, protected
health information may not be disclosed unless such information
is clearly identified as protected health information that is subject
to this Act.
(e) CREATION OF NONIDENTIFIABLE HEALTH INFORMATION- A person described
in subsection (b) may use protected health information for the purpose
of creating nonidentifiable health information, if the person prohibits
the employee or agent creating the nonidentifiable health information
from using or disclosing the protected health information for purposes
other than the sole purpose of creating nonidentifiable health information
as specified by the person.
(f) DISCLOSURE USING THE KEY- Any person who manipulates nonidentifiable
health information in order to identity an individual, without lawfully
using the key, is deemed to have disclosed protected health information.
SEC. 203. AUTHORIZATIONS FOR USE OR DISCLOSURE OF PROTECTED HEALTH
INFORMATION OTHER THAN FOR TREATMENT, PAYMENT, HEALTH CARE OPERATIONS,
OR HEALTH RESEARCH.
(a) IN GENERAL- An individual who is the subject of protected health
information may authorize any person to disclose or use such information
for any purpose. An authorization under this section is not valid
if its signing by the individual is a prerequisite for signing an
authorization under section 202.
(b) WRITTEN AUTHORIZATIONS- A person may disclose and use protected
health information, for purposes other than those authorized under
section 202, pursuant to a written authorization signed by the individual
who is the subject of the information that meets the requirements
of section 201(d). An authorization under this section shall be
separate from any authorization provided under section 202.
(c) LIMITATION ON AUTHORIZATIONS- Notwithstanding any other provision
of Federal law, life insurers, and other entities issuing disability
income or long-term care insurance under the laws of any State,
shall meet the requirements of section 201(a) with respect to an
individual for purposes of life, disability income or long-term
care insurance, by obtaining authorization of such individual under
this section 203.
(1) Notwithstanding subsection (d), an authorization obtained
in the ordinary course of business by a life insurer under this
section shall remain in effect during the term of the individual's
insurance coverage and as may be necessary for the issuer to meet
its obligations with respect to such individual under the terms
of the policy, plan or program.
(2) An authorization obtained from an individual in connection
with an application that does not result in coverage with respect
to such individual shall expire the earlier of the date specified
in the individual's authorization or the effective date of any
revocation under subsection (d).
(d) REVOCATION OR AMENDMENT OF AUTHORIZATION-
(1) IN GENERAL- Except as otherwise provided in this section,
an individual may revoke or amend an authorization described in
this section by providing written notice to the person who obtained
such authorization unless the disclosure that is the subject of
the authorization is related to the evaluation of an application
for life insurance coverage or a claim for life insurance benefits.
(2) NOTICE OF REVOCATION- A person that discloses protected health
information pursuant to an authorization that has been revoked
under paragraph (1) shall not be subject to any liability or penalty
under this title if that person had no actual notice of the revocation.
(e) DISCLOSURE FOR PURPOSE ONLY- A recipient of protected health
information pursuant to an authorization under section 203(b) may
disclose such information only to carry out the purposes for which
the information was authorized to be disclosed.
(f) MODEL AUTHORIZATIONS-
(1) The Secretary, after notice and opportunity for public comment,
shall develop and disseminate model written authorizations of
the type described in subsection (b). The Secretary shall consult
with the National Committee on Vital and Health Statistics in
developing such authorizations.
(2) Notwithstanding paragraph (1), the insurance commissioner
of the State of domicile of a life insurer may exercise exclusive
authority in developing and disseminating model written authorizations
for purposes of subsection (c).
(3) Any authorization obtained using a model authorization promulgated
under this subsection shall be deemed to meet the authorization
requirements of this section.
(g) AUTHORIZATIONS FOR RESEARCH- This section applies to health
research only where such research is not governed by section 208.
SEC. 204. NEXT OF KIN AND DIRECTORY INFORMATION.
(a) NEXT OF KIN- A health care provider, or a person who receives
protected health information under section 205, may disclose protected
health information regarding an individual to the individual's spouse,
parent, child, sister, brother, next of kin, or to another person
whom the individual has identified, if--
(1) the individual who is the subject of the information--
(A) has been notified of the individual's right to object to
such disclosure and the individual has not objected to the disclosure;
or
(B) is in a physical or mental condition such that the individual
is not capable of objecting, and there are no prior indications
that the individual would object;
(2) the information disclosed relates to health care currently
being provided to that individual; and
(3) the disclosure of the protected health information is consistent
with good medical or professional practice.
(b) DIRECTORY INFORMATION-
(A) IN GENERAL- Except as provided in paragraph (2), a person
described in subsection (a) may disclose the information described
in subparagraph (B) to any person if the individual who is the
subject of the information--
(i) has been notified of the individual's right to object
and the individual has not objected to the disclosure; or
(ii) is in a physical or mental condition such that the individual
is not capable of objecting, the individual's next of kin
has not objected, and there are no prior indications that
the individual would object.
(B) INFORMATION- Information described in this subparagraph
is information that consists only of 1 or more of the following
items:
(i) The name of the individual who is the subject of the information.
(ii) The general health status of the individual, described
as critical, poor, fair, stable, or satisfactory or in terms
denoting similar conditions.
(iii) The location of the individual on premises controlled
by a provider.
(A) LOCATION- Paragraph (1)(B)(iii) shall not apply if disclosure
of the location of the individual would reveal specific information
about the physical or mental condition of the individual, unless
the individual expressly authorizes such disclosure.
(B) DIRECTORY OR NEXT OF KIN INFORMATION- A disclosure may not
be made under this section if the health care provider involved
has reason to believe that the disclosure of directory or next
of kin information could lead to the physical or mental harm
of the individual, unless the individual expressly authorizes
such disclosure.
SEC. 205. EMERGENCY CIRCUMSTANCES.
Any person who creates or receives protected health information
under this title may disclose protected health information in emergency
circumstances when necessary to protect the health or safety of
the individual who is the subject of such information from serious,
imminent harm. No disclosure made in the good faith belief that
the disclosure was necessary to protect the health or safety of
an individual from serious, imminent harm shall be in violation
of, or punishable under, this Act.
SEC. 206. OVERSIGHT.
(a) IN GENERAL- Any person may disclose protected health information
to an accrediting body or public health authority, a health oversight
agency, or a State insurance department, for purposes of an oversight
function authorized by law.
(b) PROTECTION FROM FURTHER DISCLOSURE- Protected health information
disclosed under this section shall not be further disclosed by an
accrediting body or public health authority, a health oversight
agency, a State insurance department, or their agents for any purpose
unrelated to the authorized oversight function. Notwithstanding
any other provision of law, protected health information disclosed
under this section shall be protected from further disclosure by
an accrediting body or public health authority, a health oversight
agency, a State insurance department, or their agents pursuant to
a subpoena, discovery request, introduction as evidence, testimony,
or otherwise.
(c) AUTHORIZATION BY A SUPERVISOR- For purposes of this section,
the individual with authority to authorize the oversight function
involved shall provide to the person described in subsection (a)
a statement that the protected health information is being sought
for a legally authorized oversight function.
(d) USE IN ACTION AGAINST INDIVIDUALS- Protected health information
about an individual that is disclosed under this section may not
be used by the recipient in, or disclosed by the recipient to any
person for use in, an administrative, civil, or criminal action
or investigation directed against the individual who is the subject
of the protected health information unless the action or investigation
arises out of and is directly related to--
(1) the receipt of health care or payment for health care; or
(2) a fraudulent claim related to health care, or a fraudulent
or material misrepresentation of the health of the individual.
SEC. 207. PUBLIC HEALTH.
(a) IN GENERAL- A health care provider, health plan, public health
authority, health researcher, employer, life insurer, law enforcement
official, school, or university may disclose protected health information
to a public health authority or other person authorized by law for
use in a legally authorized--
(1) disease or injury report;
(2) public health surveillance;
(3) public health investigation or intervention;
(4) vital statistics report, such as birth or death information;
(5) report of abuse or neglect information about any individual;
or
(6) report of information concerning a communicable disease status.
(b) IDENTIFICATION OF DECEASED INDIVIDUAL- Any person may disclose
protected health information if such disclosure is necessary to
assist in the identification or safe handling of a deceased individual.
(c) REQUIREMENT TO RELEASE PROTECTED HEALTH INFORMATION TO CORONERS
AND MEDICAL EXAMINERS-
(1) IN GENERAL- When a Coroner or Medical Examiner or their duly
appointed deputies seek protected health information for the purpose
of inquiry into and determination of, the cause, manner, and circumstances
of a death, the health care provider, health plan, health oversight
agency, public health authority, employer, life insurer, health
researcher,
law enforcement official, school, or university involved shall
provide the protected health information to the Coroner or Medical
Examiner or to the duly appointed deputies without undue delay.
(2) PRODUCTION OF ADDITIONAL INFORMATION- If a Coroner or Medical
Examiner or their duly appointed deputies receives health information
from a person referred to in paragraph (1), such health information
shall remain as protected health information unless the health
information is attached to or otherwise made a part of a Coroner's
or Medical Examiner's official report, in which case it shall
no longer be protected.
(3) EXEMPTION- Health information attached to or otherwise made
a part of a Coroner's or Medical Examiner's official report, shall
be exempt from the provisions of this Act.
SEC. 208. HEALTH RESEARCH.
(a) IN GENERAL- A person lawfully in possession of protected health
information may disclose such information to a health researcher
under any of the following arrangements:
(1) RESEARCH GOVERNED BY THE COMMON RULE- A person identified
in subsection (a) may disclose protected health information to
a health researcher if the research project has been approved
by an institutional review board pursuant to the requirements
of the common rule as implemented by a Federal agency.
(2) ANALYSES OF HEALTH CARE RECORDS AND MEDICAL ARCHIVES- A person
identified in subsection (a) may disclose protected health information
to a health researcher if--
(A) consistent with the safeguards established pursuant to section
111 and the person's policies and procedures established under
this section, the health research has been reviewed by a board,
committee, or other group formally designated by such person
to review research programs;
(B) the health research involves analysis of protected health
information previously created or collected by the person;
(C) the person that maintains the protected health information
to be used in the analyses has in place a written policy and
procedure to assure the security and confidentiality of protected
health information and to specify permissible and impermissible
uses of such information for health research;
(D) the person that maintains the protected health information
to be used in the analyses enters into a written agreement with
the recipient health researcher that specifies the permissible
and impermissible uses of the protected health information and
provides notice to the researcher that any misuse or further
disclosure of the information to other persons is prohibited
and may provide a basis for action against the health researcher
under this Act; and
(E) the person keeps a record of health researchers to whom
protected health information has been disclosed.
(3) SAFETY AND EFFICACY REPORTS- A person may disclose protected
health information to a manufacturer of a drug, biologic or medical
device, in connection with any monitoring activity or reports
made to such manufacturer for use in verifying the safety or efficacy
of such manufacturer's approved product in special populations
or for long-term use.
(b) OVERSIGHT- On the advice of the National Committee on Vital
and Health Statistics, the Secretary shall report to the Congress
not later than 18 months after the effective date of this section
concerning the adequacy of the policies and procedures implemented
pursuant to subsection (a)(2) for protecting the confidentiality
of protected health information while promoting its use in research
concerning health care outcomes, the epidemiology and etiology of
diseases and conditions and the safety, efficacy and cost effectiveness
of health care interventions. Based on the conclusions of such report,
the Secretary may promulgate model language for written agreements
deemed to comply with subsection (a)(2)(C).
(c) STATUTORY ASSURANCE OF CONFIDENTIALITY-
(1) Protected health information obtained by a health researcher
pursuant to this section shall be used and maintained in confidence,
consistent with the confidentiality practices established by the
health researcher pursuant to section 111.
(2) A recipient health researcher may not be compelled in any
Federal, State, or local civil, criminal, administrative, legislative,
or other proceeding to disclose protected health information created,
maintained or received under this section, provided that nothing
in this paragraph shall be construed to prevent an audit or lawful
investigation pursuant to the authority of a Federal department
or agency, of a research project conducted, supported or subject
to regulation by such department or agency.
(3) Notwithstanding any other provision of law, information disclosed
by a health researcher to a Federal agency under this subsection
may not be further used or disclosed by the agency for a purpose
unrelated to the agency's oversight or investigation.
SEC. 209. DISCLOSURE IN CIVIL, JUDICIAL, AND ADMINISTRATIVE PROCEDURES.
(a) IN GENERAL- A health care provider, health plan, public health
authority, employer, life insurer, law enforcement official, school,
or university may disclose protected health information--
(1) pursuant to a discovery request or subpoena in a civil action
brought in a Federal or State court or a request or subpoena related
to a Federal or State administrative proceeding, provided that
(2) such discovery request or subpoena is made through or pursuant
to a court order as provided for in subsection (b).
(1) STANDARD FOR ISSUANCE- In considering a request for a court
order regarding the disclosure of protected health information
under subsection (a),
the court shall issue such order if the court determines that without
the disclosure of such information, the person requesting the order
would be impaired from establishing a claim or defense.
(2) REQUIREMENTS- An order issued under paragraph (1) shall--
(A) provide that the protected health information involved is
subject to court protection;
(B) specify to whom the information may be disclosed;
(C) specify that such information may not otherwise be disclosed
or used; and
(D) meet any other requirements that the court determines are
needed to protect the confidentiality of the information.
(c) APPLICABILITY- This section shall not apply in a case in which
the protected health information sought under such discovery request
or subpoena relates to a party to the litigation or an individual
whose medical condition is at issue.
(d) EFFECT OF SECTION- This section shall not be construed to supersede
any grounds that may apply under Federal or State law for objecting
to turning over the protected health information.
SEC. 210. DISCLOSURE FOR LAW ENFORCEMENT PURPOSES.
(1) IN GENERAL- A person who receives protected health information
pursuant to sections 202 through 207, may disclose such information
to a State or Federal law enforcement agency if such disclosure
is pursuant to--
(A) a subpoena issued under the authority of a grand jury;
(B) an administrative subpoena or summons or a judicial subpoena
or warrant if the determination described in paragraph (2) has
been made;
(C) a warrant issued upon a showing of probable cause if the
determination described in paragraph (2) has been made;
(D) a Federal or state law requiring the reporting of specific
medical information to law enforcement authorities;
(E) a written consent or waiver of privilege by an individual
allowing access to the individual's protected health information;
or
(F) by other court order if the determination described in paragraph
(2) has been made.
(2) HIGHER STANDARD FOR DISCLOSURE OF CERTAIN INFORMATION- The
determination under this paragraph is a determination, by the
court or administrative body issuing the subpoena, summons, warrant,
or order involved, that the need of the person requesting the
disclosure for the information substantially outweighs the privacy
interest of each individual whose health or health care is the
subject of the information.
(b) REDACTIONS- To the extent practicable and consistent with the
requirements of due process, in the case of information disclosed
under subsection (a) the State or Federal law enforcement agency
to which the information is disclosed shall react personal identifiers
from protected health information prior to the public disclosure
of such information in a judicial or administrative proceeding.
(c) USE OF INFORMATION- Protected health information obtained by
a State or Federal law enforcement agency under subsection (a) may
only be used for purposes of a legitimate law enforcement activity.
(d) EXCEPTION IN EXIGENT CIRCUMSTANCES- Subsection (a) shall not
be construed to limit or restrict the ability of State or Federal
law enforcement agencies to gain protected health information if
exigent circumstances exist.
SEC. 211. PAYMENT CARD AND ELECTRONIC PAYMENT TRANSACTION.
(a) PAYMENT FOR HEALTH CARE THROUGH CARD OR ELECTRONIC MEANS- If
an individual pays for health care by presenting a debit, credit,
or other payment card or account number, or by any other payment
means, the person receiving the payment may disclose to a person
described in subsection (b) only such protected health information
about the individual as is necessary in connection with activities
described in subsection (b), including the processing of the payment
transaction or the billing or collection of amounts charged to,
debited from, or otherwise paid by, the individual using the card,
number, or other means.
(b) TRANSACTION PROCESSING- A person who is a debit, credit, or
other payment card issuer, a payment system operator, a financial
institution participant in a payment system or is an entity assisting
such an issuer, operator, or participant in connection with activities
described in this subsection, may use or disclose protected health
information about an individual in connection with--
(1) the authorization, settlement, billing, processing, clearing,
transferring, reconciling, or collection of amounts charged, debited
or otherwise paid using a debit, credit, or other payment card
or account number, or by other payment means;
(2) the transfer of receivables, accounts, or interest therein;
(3) the audit of the debit, credit, or other payment information;
(4) compliance with Federal, State, or local law;
(5) compliance with a properly authorized civil, criminal, or
regulatory investigation by Federal, State, or local authorities
as governed by the requirements of this section; or
(6) fraud protection, risk control, resolving customer disputes
or inquiries, communicating with the person to whom the information
relates, or reporting to consumer reporting agencies.
(c) SPECIFIC PROHIBITIONS- A person described in subsection (b)
may not disclose protected health information for any purpose that
is not described in subsection (b). Notwithstanding any other provision
of law, any health care provider, health plan, health oversight
agency, health researcher, employer, life insurer, school or university
who makes a good faith disclosure of protected health information
to an entity and for the purposes described
in subsection (b) shall not be liable for subsequent disclosures
by such entity.
(1) IN GENERAL- The use of protected health information by a person
described in subsection (b) and its agents shall not be considered
a disclosure for purposes of this Act, so long as the use involved
is consistent with the activities authorized in subsection (b)
or other purposes for which the information was lawfully obtained.
(2) REGULATED INSTITUTIONS- A person who is subject to enforcement
pursuant to section 8 of the Federal Deposit Insurance Act or
who is a Federal credit union or State credit union as defined
in the Federal Credit Union Act or who is registered pursuant
to the Securities and Exchange Act, or who is an entity assisting
such a person--
(A) shall not be subject to this Act to the extent that such
person or entity is described in subsection (b) and to the extent
that such person or entity is engaged in activities authorized
in that subsection; and
(B) shall be subject to enforcement exclusively under section
8 of the Federal Deposit Insurance Act, the Federal Credit Union
Act, or the Securities and Exchange Act, as applicable, to the
extent that such person or entity is engaged in activities other
than those permitted under subsection (b).
(3) RULE OF CONSTRUCTION- Nothing in this subsection shall be
deemed to exempt entities described in paragraph (2) from the
prohibition set forth in subsection (c).
SEC. 212. INDIVIDUAL REPRESENTATIVES.
(a) IN GENERAL- Except as provided in subsections (b) and (c), a
person who is authorized by law (based on grounds other than the
individual being a minor), or by an instrument recognized under
law, to act as an agent, attorney, proxy, or other legal representative
of a protected individual, may, to the extent so authorized, exercise
and discharge the rights of the individual under this Act.
(b) HEALTH CARE POWER OF ATTORNEY- A person who is authorized by
law (based on grounds other than being a minor), or by an instrument
recognized under law, to make decisions about the provision of health
care to an individual who is incapacitated, may exercise and discharge
the rights of the individual under this Act to the extent necessary
to effectuate the terms or purposes of the grant of authority.
(c) NO COURT DECLARATION- If a health care provider determines that
an individual, who has not been declared to be legally incompetent,
suffers from a medical condition that prevents the individual from
acting knowingly or effectively on the individual's own behalf,
the right of the individual to authorize disclosure under this Act
may be exercised and discharged in the best interest of the individual
by--
(1) a person described in subsection (b) with respect to the individual;
(2) a person described in subsection (a) with respect to the individual,
but only if a person described in paragraph (1) cannot be contacted
after a reasonable effort;
(3) the next of kin of the individual, but only if a person described
in paragraph (1) or (2) cannot be contacted after a reasonable
effort; or
(4) the health care provider, but only if a person described in
paragraph (1), (2), or
(5) cannot be contacted after a reasonable effort.
(d) APPLICATION TO DECEASED INDIVIDUALS- The provisions of this
Act shall continue to prevent disclosure of protected health information
concerning a deceased individual.
(e) EXERCISE OF RIGHTS ON BEHALF OF A DECEASED INDIVIDUAL-
(1) IN GENERAL- A person who is authorized by law or by an instrument
recognized under law, to act as an executor of the estate of a
deceased individual, or otherwise to exercise the rights of the
deceased individual, may, to the extent so authorized, exercise
and discharge the rights of such deceased individual under this
Act for a period of 2 years following the death of such individual.
If no such designee has been authorized, the rights of the deceased
individual may be exercised as provided for in subsection (c).
(2) INSURED INDIVIDUALS- In the case of an individual who is deceased
and who was the insured under an insurance policy or policies,
the right to authorize disclosure of protected health information
may be exercised by the beneficiary or beneficiaries of such insurance
policy or policies.
(f) RIGHTS OF MINORS- The rights of minors under this Act shall
be exercised by a parent, the minor or other person as provided
under applicable state law.
SEC. 213. NO LIABILITY FOR PERMISSIBLE DISCLOSURES.
A health care provider, health plan, health oversight agency, health
researcher, employer, life insurer, school, or university, or an
agent of such persons, that makes a disclosure of protected health
information about an individual that is permitted by this Act shall
not be liable to the individual for such disclosure under common
law.
SEC. 214. SALE OF BUSINESS, MERGERS, ETC.
(a) IN GENERAL- A health care provider, health plan, health oversight
agency, employer, life insurer, school, or university may disclose
protected health information to a person or persons for purposes
of enabling business decisions to be made about or in connection
with the purchase, transfer, merger, or sale of a business or businesses.
(b) NO FURTHER DISCLOSURE- A person or persons who receive protected
health information under this section shall make no further use
or disclosure of such information unless otherwise authorized under
this Act.
TITLE III--SANCTIONS
Subtitle A--Criminal Provisions
SEC. 301. WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION.
(a) IN GENERAL- Part I of title 18, United States Code, is amended
by adding at the end the following:
`CHAPTER 124--WRONGFUL DISCLOSURE OF PROTECTED HEALTH INFORMATION
`Sec. 2801. Wrongful disclosure of protected health information
`(a) OFFENSE- The penalties described in subsection (b) shall apply
to a person that knowingly and intentionally--
`(1) obtains protected health information relating to an individual
from a health care provider, health plan, health oversight agency,
public health authority, employer, life insurer, health researcher,
law enforcement official, school, or university except as provided
in title II of the Medical Information Protection Act of 2001;
or
`(2) discloses protected health information to another person
in a manner other than that which is permitted under title II
of the Medical Information Protection Act of 2001.
`(b) PENALTIES- A person described in subsection (a) shall--
`(1) be fined not more than $50,000, imprisoned not more than
1 year, or both;
`(2) if the offense is committed under false pretenses, be fined
not more than $100,000, imprisoned not more than 5 years, or both;
or
`(3) if the offense is committed with the intent to sell, transfer,
or use protected health information for monetary gain or malicious
harm, be fined not more than $250,000, imprisoned not more than
10 years, or both.
`(c) SUBSEQUENT OFFENSES- In the case of a person described in subsection
(a), the maximum penalties described in subsection (b) shall be
doubled for every subsequent conviction for an offense arising out
of a violation or violations related to a set of circumstances that
are different from those involved in the previous violation or set
of related violations described in such subsection (a).'.
(b) CLERICAL AMENDMENT- The table of chapters for part I of title
18, United States Code, is amended by inserting after the item relating
to chapter 123 the following new item:
`Sec. 2801. Wrongful disclosure of protected health information.'.
Subtitle B--Civil Sanctions
SEC. 311. CIVIL PENALTY VIOLATION.
A person who the Secretary, in consultation with the Attorney General,
determines has substantially and materially failed to comply with
this Act shall be subject, in addition to any other penalties that
may be prescribed by law--
(1) in a case in which the violation relates to title I, to a
civil penalty of not more than $500 for each such violation, but
not to exceed $5,000 in the aggregate for multiple violations
arising from the same failure to comply with the Act;
(2) in a case in which the violation relates to title II, to a
civil penalty of not more than $10,000 for each such violation,
but not to exceed $50,000 in the aggregate for multiple violations
arising from the same failure to comply with the Act; or
(3) in a case in which the Secretary finds that such violations
have occurred with such frequency as to constitute a general business
practice, to a civil penalty of not more than $100,000.
SEC. 312. PROCEDURES FOR IMPOSITION OF PENALTIES.
(a) INITIATION OF PROCEEDINGS-
(1) IN GENERAL- The Secretary, in consultation with the Attorney
General, may initiate a proceeding to determine whether to impose
a civil money penalty under section 311. The Secretary may not
initiate an action under this section with respect to any violation
described in section 311 after the expiration of the 6-year period
beginning on the date on which such violation was alleged to have
occurred. The Secretary may initiate an action under this section
by serving notice of the action in any manner authorized by Rule
4 of the Federal Rules of Civil Procedure.
(2) NOTICE AND OPPORTUNITY FOR HEARING- The Secretary shall not
make a determination adverse to any person under paragraph (1)
until the person has been given written notice and an opportunity
for the determination to be made on the record after a hearing
at which the person is entitled to be represented by counsel,
to present witnesses, and to cross-examine witnesses against the
person.
(3) SANCTIONS FOR FAILURE TO COMPLY- The official conducting a
hearing under this section may sanction a person, including any
party or attorney, for failing to comply with an order or procedure,
failing to defend an action, or other misconduct as would interfere
with the speedy, orderly, or fair conduct of the hearing. Such
sanction shall reasonably relate to the severity and nature of
the failure or misconduct. Such sanction may include--
(A) in the case of refusal to provide or permit discovery, drawing
negative factual inferences or treating such refusal as an admission
by deeming the matter, or certain facts, to be established;
(B) prohibiting a party from introducing certain evidence or
otherwise supporting a particular claim or defense;
(C) striking pleadings, in whole or in part;
(D) staying the proceedings;
(E) dismissal of the action;
(F) entering a default judgment;
(G) ordering the party or attorney to pay attorneys' fees and
other costs caused by the failure or misconduct; and
(H) refusing to consider any motion or other action which is
not filed in a timely manner.
(b) SCOPE OF PENALTY- In determining the amount or scope of any
penalty imposed pursuant to section 311, the Secretary shall take
into account--
(1) the nature of claims and the circumstances under which they
were presented;
(2) the degree of culpability, history of prior offenses, and
financial condition of the person presenting the claims;
(3) evidence of good faith endeavor to protect the confidentiality
of protected health information; and
(4) such other matters as justice may require.
(c) REVIEW OF DETERMINATION-
(1) IN GENERAL- Any person adversely affected by a determination
of the Secretary under this section may obtain a review of such
determination in the United States Court of Appeals for the circuit
in which the person resides, or in which the claim was presented,
by filing in such court (within 60 days following the date the
person is notified of the determination of the Secretary) a written
petition requesting that the determination be modified or set
aside.
|
