Wednesday, June 11, 2014

HIPAA as revised by the HITECH Act (Title XIII of the American Recovery and Reinvestment Act of 2009, H.R. 1)

HITECH ACT, SUBTITLE D: HIPAA PRIVACY AND SECURITY REVISIONS, 2009


Subtitle D—Privacy

SEC. 13400. DEFINITIONS.

In this subtitle, except as specified otherwise:

(1) BREACH.—

(A) IN GENERAL.—The term ‘‘breach’’ means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

(B) EXCEPTIONS.—The term ‘‘breach’’ does not include—

(i) any unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate if—

(I) such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; and

(II) such information is not further acquired, accessed, used, or disclosed by any person; or

(ii) any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at same facility; and

(iii) any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person.

(2) BUSINESS ASSOCIATE.—The term ‘‘business associate’’ has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations.

(3) COVERED ENTITY.—The term ‘‘covered entity’’ has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations.

(4) DISCLOSE.—The terms ‘‘disclose’’ and ‘‘disclosure’’ have the meaning given the term ‘‘disclosure’’ in section 160.103 of title 45, Code of Federal Regulations.

(5) ELECTRONIC HEALTH RECORD.—The term ‘‘electronic health record’’ means an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff.

(6) HEALTH CARE OPERATIONS.—The term ‘‘health care operation’’ has the meaning given such term in section 164.501 of title 45, Code of Federal Regulations.

(7) HEALTH CARE PROVIDER.—The term ‘‘health care provider’’ has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations.

(8) HEALTH PLAN.—The term ‘‘health plan’’ has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations.

(9) NATIONAL COORDINATOR.—The term ‘‘National Coordinator’’ means the head of the Office of the National Coordinator for Health Information Technology established under section 3001(a) of the Public Health Service Act, as added by section 13101.

(10) PAYMENT.—The term ‘‘payment’’ has the meaning given such term in section 164.501 of title 45, Code of Federal Regulations.

(11) PERSONAL HEALTH RECORD.—The term ‘‘personal health record’’ means an electronic record of PHR identifiable health information (as defined in section 13407(f)(2)) on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.

(12) PROTECTED HEALTH INFORMATION.—The term ‘‘protected health information’’ has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations.

(13) SECRETARY.—The term ‘‘Secretary’’ means the Secretary of Health and Human Services.

(14) SECURITY.—The term ‘‘security’’ has the meaning given such term in section 164.304 of title 45, Code of Federal Regulations.

(15) STATE.—The term ‘‘State’’ means each of the several States, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana Islands.

(16) TREATMENT.—The term ‘‘treatment’’ has the meaning given such term in section 164.501 of title 45, Code of Federal Regulations.

(17) USE.—The term ‘‘use’’ has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations.

(18) VENDOR OF PERSONAL HEALTH RECORDS.—The term ‘‘vendor of personal health records’’ means an entity, other than a covered entity (as defined in paragraph (3)), that offers or maintains a personal health record.


PART 1—IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS

SEC. 13401. APPLICATION OF SECURITY PROVISIONS AND PENALTIES TO BUSINESS ASSOCIATES OF COVERED ENTITIES; ANNUAL GUIDANCE ON SECURITY PROVISIONS.


APPLICATION OF SECURITY PROVISIONS.—Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.

APPLICATION OF CIVIL AND CRIMINAL PENALTIES.—In the case of a business associate that violates any security provision specified in subsection (a), sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d–5, 1320d–6) shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security provision.

ANNUAL GUIDANCE.—For the first year beginning after the date of the enactment of this Act and annually thereafter, the Secretary of Health and Human Services shall, after consultation with stakeholders, annually issue guidance on the most effective and appropriate technical safeguards for use in carrying out the sections referred to in subsection (a) and the security standards in subpart C of part 164 of title 45, Code of Federal Regulations, including the use of standards developed under section 3002(b)(2)(B)(vi) of the Public Health Service Act, as added by section 13101 of this Act, as such provisions are in effect as of the date before the enactment of this Act.

SEC. 13402. NOTIFICATION IN THE CASE OF BREACH.

IN GENERAL.—A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information (as defined in subsection (h)(1)) shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.

NOTIFICATION OF COVERED ENTITY BY BUSINESS ASSOCIATE.—A business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, following the discovery of a breach of such information, notify the covered entity of such breach. Such notice shall include the identification of each individual whose unsecured protected health information has been, or is reasonably believed by the business associate to have been, accessed, acquired, or disclosed during such breach.

BREACHES TREATED AS DISCOVERED.—For purposes of this section, a breach shall be treated as discovered by a covered entity or by a business associate as of the first day on which such breach is known to such entity or associate, respectively, (including any person, other than the individual committing the breach, that is an employee, officer, or other agent of such entity or associate, respectively) or should reasonably have been known to such entity or associate (or person) to have occurred.

TIMELINESS OF NOTIFICATION.— (1) IN GENERAL.—Subject to subsection (g), all notifications required under this section shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach by the covered entity involved (or business associate involved in the case of a notification required under subsection (b)).

(2) BURDEN OF PROOF.—The covered entity involved (or business associate involved in the case of a notification required under subsection (b)), shall have the burden of demonstrating that all notifications were made as required under this part, including evidence demonstrating the necessity of any delay.

METHODS OF NOTICE.—

(1) INDIVIDUAL NOTICE.—Notice required under this section to be provided to an individual, with respect to a breach, shall be provided promptly and in the following form:

(A) Written notification by first-class mail to the individual (or the next of kin of the individual if the individual is deceased) at the last known address of the individual or the next of kin, respectively, or, if specified as a preference by the individual, by electronic mail. The notification may be provided in one or more mailings as information is available.

(B) In the case in which there is insufficient, or out-of-date contact information (including a phone number, email address, or any other form of appropriate communication) that precludes direct written (or, if specified by the individual under subparagraph (A), electronic) notification to the individual, a substitute form of notice shall be provided, including, in the case that there are 10 or more individuals for which there is insufficient or out-of-date contact information, a conspicuous posting for a period determined by the Secretary on the home page of the Web site of the covered entity involved or notice in major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside. Such a notice in media or web posting will include a toll-free phone number where an individual can learn whether or not the individual’s unsecured protected health information is possibly included in the breach.

(C) In any case deemed by the covered entity involved to require urgency because of possible imminent misuse of unsecured protected health information, the covered entity, in addition to notice provided under subparagraph (A), may provide information to individuals by telephone or other means, as appropriate.

(2) MEDIA NOTICE.—Notice shall be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach described in subsection (a), if the unsecured protected health information of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach.

(3) NOTICE TO SECRETARY.—Notice shall be provided to the Secretary by covered entities of unsecured protected health information that has been acquired or disclosed in a breach. If the breach was with respect to 500 or more individuals, then such notice must be provided immediately. If the breach was with respect to less than 500 individuals, the covered entity may maintain a log of any such breach occurring and annually submit such a log to the Secretary documenting such breaches occurring during the year involved.

(4) POSTING ON HHS PUBLIC WEBSITE.—The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach described in subsection (a) in which the unsecured protected health information of more than 500 individuals is acquired or disclosed.

CONTENT OF NOTIFICATION.—Regardless of the method by which notice is provided to individuals under this section, notice of a breach shall include, to the extent possible, the following:

(1) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.

(2) A description of the types of unsecured protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code).

(3) The steps individuals should take to protect themselves from potential harm resulting from the breach.

(4) A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.

(5) Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.


DELAY OF NOTIFICATION AUTHORIZED FOR LAW ENFORCEMENT PURPOSES.—If a law enforcement official determines that a notification, notice, or posting required under this section would impede a criminal investigation or cause damage to national security, such notification, notice, or posting shall be delayed in the same manner as provided under section 164.528(a)(2) of title 45, Code of Federal Regulations, in the case of a disclosure covered under such section.

UNSECURED PROTECTED HEALTH INFORMATION.—

(1) DEFINITION.—

(A) IN GENERAL.—Subject to subparagraph (B), for purposes of this section, the term ‘‘unsecured protected health information’’ means protected health information that is not secured through the use of a technology or methodology specified by the Secretary in the guidance issued under paragraph (2).

(B) EXCEPTION IN CASE TIMELY GUIDANCE NOT ISSUED.—In the case that the Secretary does not issue guidance under paragraph (2) by the date specified in such paragraph, for purposes of this section, the term ‘‘unsecured protected health information’’ shall mean protected health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.

(2) GUIDANCE.—For purposes of paragraph (1) and section 13407(f)(3), not later than the date that is 60 days after the date of the enactment of this Act, the Secretary shall, after consultation with stakeholders, issue (and annually update) guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, including the use of standards developed under section 3002(b)(2)(B)(vi) of the Public Health Service Act, as added by section 13101 of this Act.

REPORT TO CONGRESS ON BREACHES.— (1) IN GENERAL.—Not later than 12 months after the date of the enactment of this Act and annually thereafter, the Secretary shall prepare and submit to the Committee on Finance and the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Ways and Means and the Committee on Energy and Commerce of the House of Representatives a report containing the information described in paragraph (2) regarding breaches for which notice was provided to the Secretary under subsection (e)(3).

(2) INFORMATION.—The information described in this paragraph regarding breaches specified in paragraph (1) shall include—

(A) the number and nature of such breaches; and

(B) actions taken in response to such breaches.

REGULATIONS; EFFECTIVE DATE.—To carry out this section, the Secretary of Health and Human Services shall promulgate interim final regulations by not later than the date that is 180 days after the date of the enactment of this title. The provisions of this section shall apply to breaches that are discovered on or after the date that is 30 days after the date of publication of such interim final regulations.

SEC. 13403. EDUCATION ON HEALTH INFORMATION PRIVACY.

REGIONAL OFFICE PRIVACY ADVISORS.—Not later than 6 months after the date of the enactment of this Act, the Secretary shall designate an individual in each regional office of the Department of Health and Human Services to offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to Federal privacy and security requirements for protected health information.

EDUCATION INITIATIVE ON USES OF HEALTH INFORMATION.— Not later than 12 months after the date of the enactment of this Act, the Office for Civil Rights within the Department of Health and Human Services shall develop and maintain a multi-faceted national education initiative to enhance public transparency regarding the uses of protected health information, including programs to educate individuals about the potential uses of their protected health information, the effects of such uses, and the rights of individuals with respect to such uses. Such programs shall be conducted in a variety of languages and present information in a clear and understandable manner.

SEC. 13404. APPLICATION OF PRIVACY PROVISIONS AND PENALTIES TO BUSINESS ASSOCIATES OF COVERED ENTITIES.

APPLICATION OF CONTRACT REQUIREMENTS.—In the case of a business associate of a covered entity that obtains or creates protected health information pursuant to a written contract (or other written arrangement) described in section 164.502(e)(2) of title 45, Code of Federal Regulations, with such covered entity, the business associate may use and disclose such protected health information only if such use or disclosure, respectively, is in compliance with each applicable requirement of section 164.504(e) of such title. The additional requirements of this subtitle that relate to privacy and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.

APPLICATION OF KNOWLEDGE ELEMENTS ASSOCIATED WITH CONTRACTS.—Section 164.504(e)(1)(ii) of title 45, Code of Federal Regulations, shall apply to a business associate described in subsection (a), with respect to compliance with such subsection, in the same manner that such section applies to a covered entity, with respect to compliance with the standards in sections 164.502(e) and 164.504(e) of such title, except that in applying such section 164.504(e)(1)(ii) each reference to the business associate, with respect to a contract, shall be treated as a reference to the covered entity involved in such contract.

APPLICATION OF CIVIL AND CRIMINAL PENALTIES.—In the case of a business associate that violates any provision of subsection (a) or (b), the provisions of sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d– 5, 1320d–6) shall apply to the business associate with respect to such violation in the same manner as such provisions apply to a person who violates a provision of part C of title XI of such Act.

SEC. 13405. RESTRICTIONS ON CERTAIN DISCLOSURES AND SALES OF HEALTH INFORMATION; ACCOUNTING OF CERTAIN PROTECTED HEALTH INFORMATION DISCLOSURES; ACCESS TO CERTAIN INFORMATION IN ELECTRONIC FORMAT.

REQUESTED RESTRICTIONS ON CERTAIN DISCLOSURES OF HEALTH INFORMATION.—In the case that an individual requests under paragraph (a)(1)(i)(A) of section 164.522 of title 45, Code of Federal Regulations, that a covered entity restrict the disclosure of the protected health information of the individual, notwithstanding paragraph (a)(1)(ii) of such section, the covered entity must comply with the requested restriction if—

(1) except as otherwise required by law, the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment); and

(2) the protected health information pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.

DISCLOSURES REQUIRED TO BE LIMITED TO THE LIMITED DATA SET OR THE MINIMUM NECESSARY.—

(1) IN GENERAL.—

(A) IN GENERAL.—Subject to subparagraph (B), a covered entity shall be treated as being in compliance with section 164.502(b)(1) of title 45, Code of Federal Regulations, with respect to the use, disclosure, or request of protected health information described in such section, only if the covered entity limits such protected health information, to the extent practicable, to the limited data set (as defined in section 164.514(e)(2) of such title) or, if needed by such entity, to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request, respectively.

(B) GUIDANCE.—Not later than 18 months after the date of the enactment of this section, the Secretary shall issue guidance on what constitutes ‘‘minimum necessary’’ for purposes of subpart E of part 164 of title 45, Code of Federal Regulations. In issuing such guidance the Secretary shall take into consideration the guidance under section 13424(c) and the information necessary to improve patient outcomes and to detect, prevent, and manage chronic disease.

(C) SUNSET.—Subparagraph (A) shall not apply on and after the effective date on which the Secretary issues the guidance under subparagraph (B).

(2) DETERMINATION OF MINIMUM NECESSARY.—For purposes of paragraph (1), in the case of the disclosure of protected health information, the covered entity or business associate disclosing such information shall determine what constitutes the minimum necessary to accomplish the intended purpose of such disclosure.

(3) APPLICATION OF EXCEPTIONS.—The exceptions described in section 164.502(b)(2) of title 45, Code of Federal Regulations, shall apply to the requirement under paragraph (1) as of the effective date described in section 13423 in the same manner that such exceptions apply to section 164.502(b)(1) of such title before such date.

(4) RULE OF CONSTRUCTION.—Nothing in this subsection shall be construed as affecting the use, disclosure, or request of protected health information that has been de-identified.

ACCOUNTING OF CERTAIN PROTECTED HEALTH INFORMATION DISCLOSURES REQUIRED IF COVERED ENTITY USES ELECTRONIC HEALTH RECORD.—

(1) IN GENERAL.—In applying section 164.528 of title 45, Code of Federal Regulations, in the case that a covered entity uses or maintains an electronic health record with respect to protected health information—

(A) the exception under paragraph (a)(1)(i) of such section shall not apply to disclosures through an electronic health record made by such entity of such information; and

(B) an individual shall have a right to receive an accounting of disclosures described in such paragraph of such information made by such covered entity during only the three years prior to the date on which the accounting is requested.

(2) REGULATIONS.—The Secretary shall promulgate regulations on what information shall be collected about each disclosure referred to in paragraph (1), not later than 6 months after the date on which the Secretary adopts standards on accounting for disclosure described in the section 3002(b)(2)(B)(iv) of the Public Health Service Act, as added by section 13101. Such regulations shall only require such information to be collected through an electronic health record in a manner that takes into account the interests of the individuals in learning the circumstances under which their protected health information is being disclosed and takes into account the administrative burden of accounting for such disclosures.

(3) PROCESS.—In response to a request from an individual for an accounting, a covered entity shall elect to provide either an—

(A) accounting, as specified under paragraph (1), for disclosures of protected health information that are made by such covered entity and by a business associate acting on behalf of the covered entity; or

(B) accounting, as specified under paragraph (1), for disclosures that are made by such covered entity and provide a list of all business associates acting on behalf of the covered entity, including contact information for such associates (such as mailing address, phone, and email address).

A business associate included on a list under subparagraph (B) shall provide an accounting of disclosures (as required under paragraph (1) for a covered entity) made by the business associate upon a request made by an individual directly to the business associate for such an accounting.

(4) EFFECTIVE DATE.—

(A) CURRENT USERS OF ELECTRONIC RECORDS.—In the case of a covered entity insofar as it acquired an electronic health record as of January 1, 2009, paragraph (1) shall apply to disclosures, with respect to protected health information, made by the covered entity from such a record on and after January 1, 2014.

(B) OTHERS.—In the case of a covered entity insofar as it acquires an electronic health record after January 1, 2009, paragraph (1) shall apply to disclosures, with respect to protected health information, made by the covered entity from such record on and after the later of the following:

(i) January 1, 2011; or

(ii) the date that it acquires an electronic health record.

(C) LATER DATE.—The Secretary may set an effective date that is later than the date specified under subparagraph (A) or (B) if the Secretary determines that such later date is necessary, but in no case may the date specified under—

(i) subparagraph (A) be later than 2016; or

(ii) subparagraph (B) be later than 2013.

PROHIBITION ON SALE OF ELECTRONIC HEALTH RECORDS OR PROTECTED HEALTH INFORMATION.—

(1) IN GENERAL.—Except as provided in paragraph (2), a covered entity or business associate shall not directly or indirectly receive remuneration in exchange for any protected health information of an individual unless the covered entity obtained from the individual, in accordance with section 164.508 of title 45, Code of Federal Regulations, a valid authorization that includes, in accordance with such section, a specification of whether the protected health information can be further exchanged for remuneration by the entity receiving protected health information of that individual.

(2) EXCEPTIONS.—Paragraph (1) shall not apply in the following cases:

(A) The purpose of the exchange is for public health activities (as described in section 164.512(b) of title 45, Code of Federal Regulations).

(B) The purpose of the exchange is for research (as described in sections 164.501 and 164.512(i) of title 45, Code of Federal Regulations) and the price charged reflects the costs of preparation and transmittal of the data for such purpose.

(C) The purpose of the exchange is for the treatment of the individual, subject to any regulation that the Secretary may promulgate to prevent protected health information from inappropriate access, use, or disclosure.

(D) The purpose of the exchange is the health care operation specifically described in subparagraph (iv) of paragraph (6) of the definition of healthcare operations in section 164.501 of title 45, Code of Federal Regulations.

(E) The purpose of the exchange is for remuneration that is provided by a covered entity to a business associate for activities involving the exchange of protected health information that the business associate undertakes on behalf of and at the specific request of the covered entity pursuant to a business associate agreement.

(F) The purpose of the exchange is to provide an individual with a copy of the individual’s protected health information pursuant to section 164.524 of title 45, Code of Federal Regulations.

(G) The purpose of the exchange is otherwise determined by the Secretary in regulations to be similarly necessary and appropriate as the exceptions provided in subparagraphs (A) through (F).

(3) REGULATIONS.—Not later than 18 months after the date of enactment of this title, the Secretary shall promulgate regulations to carry out this subsection. In promulgating such regulations, the Secretary—

(A) shall evaluate the impact of restricting the exception described in paragraph (2)(A) to require that the price charged for the purposes described in such paragraph reflects the costs of the preparation and transmittal of the data for such purpose, on research or public health activities, including those conducted by or for the use of the Food and Drug Administration; and

(B) may further restrict the exception described in paragraph (2)(A) to require that the price charged for the purposes described in such paragraph reflects the costs of the preparation and transmittal of the data for such purpose, if the Secretary finds that such further restriction will not impede such research or public health activities.

(4) EFFECTIVE DATE.—Paragraph (1) shall apply to exchanges occurring on or after the date that is 6 months after the date of the promulgation of final regulations implementing this subsection.

ACCESS TO CERTAIN INFORMATION IN ELECTRONIC FORMAT.—In applying section 164.524 of title 45, Code of Federal Regulations, in the case that a covered entity uses or maintains an electronic health record with respect to protected health information of an individual—

(1) the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific; and

(2) notwithstanding paragraph (c)(4) of such section, any fee that the covered entity may impose for providing such individual with a copy of such information (or a summary or explanation of such information) if such copy (or summary or explanation) is in an electronic form shall not be greater than the entity’s labor costs in responding to the request for the copy (or summary or explanation).

SEC. 13406. CONDITIONS ON CERTAIN CONTACTS AS PART OF HEALTH CARE OPERATIONS.

MARKETING.—

(1) IN GENERAL.—A communication by a covered entity or business associate that is about a product or service and that encourages recipients of the communication to purchase or use the product or service shall not be considered a health care operation for purposes of subpart E of part 164 of title 45, Code of Federal Regulations, unless the communication is made as described in subparagraph (i), (ii), or (iii) of paragraph (1) of the definition of marketing in section 164.501 of such title.

(2) PAYMENT FOR CERTAIN COMMUNICATIONS.—A communication by a covered entity or business associate that is described in subparagraph (i), (ii), or (iii) of paragraph (1) of the definition of marketing in section 164.501 of title 45, Code of Federal Regulations, shall not be considered a health care operation for purposes of subpart E of part 164 of title 45, Code of Federal Regulations if the covered entity receives or has received direct or indirect payment in exchange for making such communication, except where—

(A)(i) such communication describes only a drug or biologic that is currently being prescribed for the recipient of the communication; and

(ii) any payment received by such covered entity in exchange for making a communication described in clause (i) is reasonable in amount;

(B) each of the following conditions apply—

(i) the communication is made by the covered entity; and

(ii) the covered entity making such communication obtains from the recipient of the communication, in accordance with section 164.508 of title 45, Code of Federal Regulations, a valid authorization (as described in paragraph (b) of such section) with respect to such communication; or

(C) each of the following conditions apply—

(i) the communication is made by a business associate on behalf of the covered entity; and

(ii) the communication is consistent with the written contract (or other written arrangement described in section 164.502(e)(2) of such title) between such business associate and covered entity.

(3) REASONABLE IN AMOUNT DEFINED.—For purposes of paragraph (2), the term ‘‘reasonable in amount’’ shall have the meaning given such term by the Secretary by regulation.

(4) DIRECT OR INDIRECT PAYMENT.—For purposes of paragraph (2), the term ‘‘direct or indirect payment’’ shall not include any payment for treatment (as defined in section 164.501 of title 45, Code of Federal Regulations) of an individual.

OPPORTUNITY TO OPT OUT OF FUNDRAISING.—The Secretary shall by rule provide that any written fundraising communication that is a healthcare operation as defined under section 164.501 of title 45, Code of Federal Regulations, shall, in a clear and conspicuous manner, provide an opportunity for the recipient of the communications to elect not to receive any further such communication. When an individual elects not to receive any further such communication, such election shall be treated as a revocation of authorization under section 164.508 of title 45, Code of Federal Regulations.

EFFECTIVE DATE.—This section shall apply to written communications occurring on or after the effective date specified under section 13423.

SEC. 13407. TEMPORARY BREACH NOTIFICATION REQUIREMENT FOR VENDORS OF PERSONAL HEALTH RECORDS AND OTHER NON-HIPAA COVERED ENTITIES.

IN GENERAL.—In accordance with subsection (c), each vendor of personal health records, following the discovery of a breach of security of unsecured PHR identifiable health information that is in a personal health record maintained or offered by such vendor, and each entity described in clause (ii), (iii), or (iv) of section 13424(b)(1)(A), following the discovery of a breach of security of such information that is obtained through a product or service provided by such entity, shall—

notify each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such a breach of security; and

notify the Federal Trade Commission.

NOTIFICATION BY THIRD PARTY SERVICE PROVIDERS.—A third party service provider that provides services to a vendor of personal health records or to an entity described in clause (ii), (iii), or (iv) of section 13424(b)(1)(A) in connection with the offering or maintenance of a personal health record or a related product or service and that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured PHR identifiable health information in such a record as a result of such services shall, following the discovery of a breach of security of such information, notify such vendor or entity, respectively, of such breach. Such notice shall include the identification of each individual whose unsecured PHR identifiable health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach.

APPLICATION OF REQUIREMENTS FOR TIMELINESS, METHOD, AND CONTENT OF NOTIFICATIONS.—Subsections (c), (d), (e), and (f) of section 13402 shall apply to a notification required under subsection (a) and a vendor of personal health records, an entity described in subsection (a) and a third party service provider described in subsection (b), with respect to a breach of security under subsection (a) of unsecured PHR identifiable health information in such records maintained or offered by such vendor, in a manner specified by the Federal Trade Commission.

NOTIFICATION OF THE SECRETARY.—Upon receipt of a notification of a breach of security under subsection (a)(2), the Federal Trade Commission shall notify the Secretary of such breach.

ENFORCEMENT.—A violation of subsection (a) or (b) shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.

DEFINITIONS.—For purposes of this section:

BREACH OF SECURITY.—The term ‘‘breach of security’’ means, with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual.

PHR IDENTIFIABLE HEALTH INFORMATION.—The term ‘‘PHR identifiable health information’’ means individually identifiable health information, as defined in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)), and includes, with respect to an individual, information—

that is provided by or on behalf of the individual; and

that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

UNSECURED PHR IDENTIFIABLE HEALTH INFORMATION.—

IN GENERAL.—Subject to subparagraph (B), the term ‘‘unsecured PHR identifiable health information’’ means PHR identifiable health information that is not protected through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2).

EXCEPTION IN CASE TIMELY GUIDANCE NOT ISSUED.— In the case that the Secretary does not issue guidance under section 13402(h)(2) by the date specified in such section, for purposes of this section, the term ‘‘unsecured PHR identifiable health information’’ shall mean PHR identifiable health information that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and that is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.

REGULATIONS; EFFECTIVE DATE; SUNSET.—

REGULATIONS; EFFECTIVE DATE.—To carry out this section, the Federal Trade Commission shall promulgate interim final regulations by not later than the date that is 180 days after the date of the enactment of this section. The provisions of this section shall apply to breaches of security that are discovered on or after the date that is 30 days after the date of publication of such interim final regulations.

SUNSET.—If Congress enacts new legislation establishing requirements for notification in the case of a breach of security, that apply to entities that are not covered entities or business associates, the provisions of this section shall not apply to breaches of security discovered on or after the effective date of regulations implementing such legislation.

SEC. 13408. BUSINESS ASSOCIATE CONTRACTS REQUIRED FOR CERTAIN ENTITIES.

Each organization, with respect to a covered entity, that provides data transmission of protected health information to such entity (or its business associate) and that requires access on a routine basis to such protected health information, such as a Health Information Exchange Organization, Regional Health Information Organization, E-prescribing Gateway, or each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record, is required to enter into a written contract (or other written arrangement) described in section 164.502(e)(2) of title 45, Code of Federal Regulations and a written contract (or other arrangement) described in section 164.308(b) of such title, with such entity and shall be treated as a business associate of the covered entity for purposes of the provisions of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this title.

SEC. 13409. CLARIFICATION OF APPLICATION OF WRONGFUL DISCLOSURES CRIMINAL PENALTIES.

Section 1177(a) of the Social Security Act (42 U.S.C. 1320d–6(a)) is amended by adding at the end the following new sentence: ‘‘For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1180(b)(3)) and the individual obtained or disclosed such information without authorization.’’.

SEC. 13410. IMPROVED ENFORCEMENT.

IN GENERAL.—

NONCOMPLIANCE DUE TO WILLFUL NEGLECT.—Section 1176 of the Social Security Act (42 U.S.C. 1320d–5) is amended—

in subsection (b)(1), by striking ‘‘the act constitutes an offense punishable under section 1177’’ and inserting ‘‘a penalty has been imposed under section 1177 with respect to such act’’; and

by adding at the end the following new subsection:

‘‘(c) NONCOMPLIANCE DUE TO WILLFUL NEGLECT.—

‘‘(1) IN GENERAL.—A violation of a provision of this part due to willful neglect is a violation for which the Secretary is required to impose a penalty under subsection (a)(1).

‘‘(2) REQUIRED INVESTIGATION.—For purposes of paragraph (1), the Secretary shall formally investigate any complaint of a violation of a provision of this part if a preliminary investigation of the facts of the complaint indicate such a possible violation due to willful neglect.’’.

ENFORCEMENT UNDER SOCIAL SECURITY ACT.—Any violation by a covered entity under this subtitle is subject to enforcement and penalties under section 1176 and 1177 of the Social Security Act.

EFFECTIVE DATE; REGULATIONS.—

The amendments made by subsection (a) shall apply to penalties imposed on or after the date that is 24 months after the date of the enactment of this title.

Not later than 18 months after the date of the enactment of this title, the Secretary of Health and Human Services shall promulgate regulations to implement such amendments.

DISTRIBUTION OF CERTAIN CIVIL MONETARY PENALTIES COLLECTED.—

IN GENERAL.—Subject to the regulation promulgated pursuant to paragraph (3), any civil monetary penalty or monetary settlement collected with respect to an offense punishable under this subtitle or section 1176 of the Social Security Act (42 U.S.C. 1320d–5) insofar as such section relates to privacy or security shall be transferred to the Office for Civil Rights of the Department of Health and Human Services to be used for purposes of enforcing the provisions of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act.

GAO REPORT.—Not later than 18 months after the date of the enactment of this title, the Comptroller General shall submit to the Secretary a report including recommendations for a methodology under which an individual who is harmed by an act that constitutes an offense referred to in paragraph (1) may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense.

ESTABLISHMENT OF METHODOLOGY TO DISTRIBUTE PERCENTAGE OF CMPS COLLECTED TO HARMED INDIVIDUALS.—

Not later than 3 years after the date of the enactment of this title, the Secretary shall establish by regulation and based on the recommendations submitted under paragraph (2), a methodology under which an individual who is harmed by an act that constitutes an offense referred to in paragraph (1) may receive a percentage of any civil monetary penalty or monetary settlement collected with respect to such offense.

(4) APPLICATION OF METHODOLOGY.—

The methodology under paragraph (3) shall be applied with respect to civil monetary penalties or monetary settlements imposed on or after the effective date of the regulation.

TIERED INCREASE IN AMOUNT OF CIVIL MONETARY PENALTIES.—

IN GENERAL.—Section 1176(a)(1) of the Social Security Act (42 U.S.C. 1320d–5(a)(1)) is amended by striking ‘‘who violates a provision of this part a penalty of not more than’’ and all that follows and inserting the following: ‘‘who violates a provision of this part—

‘‘(A) in the case of a violation of such provision in which it is established that the person did not know (and by exercising reasonable diligence would not have known) that such person violated such provision, a penalty for each such violation of an amount that is at least the amount described in paragraph (3)(A) but not to exceed the amount described in paragraph (3)(D);

‘‘(B) in the case of a violation of such provision in which it is established that the violation was due to reasonable cause and not to willful neglect, a penalty for each such violation of an amount that is at least the amount described in paragraph (3)(B) but not to exceed the amount described in paragraph (3)(D); and

‘‘(C) in the case of a violation of such provision in which it is established that the violation was due to willful neglect—

‘‘(i) if the violation is corrected as described in subsection (b)(3)(A), a penalty in an amount that is at least the amount described in paragraph (3)(C) but not to exceed the amount described in paragraph (3)(D); and

‘‘(ii) if the violation is not corrected as described in such subsection, a penalty in an amount that is at least the amount described in paragraph (3)(D).
In determining the amount of a penalty under this section for a violation, the Secretary shall base such determination on the nature and extent of the violation and the nature and extent of the harm resulting from such violation.’’.

TIERS OF PENALTIES DESCRIBED.—Section 1176(a) of such Act (42 U.S.C. 1320d–5(a)) is further amended by adding at the end the following new paragraph:

‘‘(3) TIERS OF PENALTIES DESCRIBED.—For purposes of paragraph (1), with respect to a violation by a person of a provision of this part—

‘‘(A) the amount described in this subparagraph is $100 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $25,000;

‘‘(B) the amount described in this subparagraph is $1,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $100,000;

‘‘(C) the amount described in this subparagraph is $10,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $250,000; and

‘‘(D) the amount described in this subparagraph is $50,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.’’.

(3) CONFORMING AMENDMENTS.—Section 1176(b) of such Act (42 U.S.C. 1320d–5(b)) is amended—

(A) by striking paragraph (2) and redesignating paragraphs (3) and (4) as paragraphs (2) and (3), respectively; and

(B) in paragraph (2), as so redesignated—

(i) in subparagraph (A), by striking ‘‘in subparagraph (B), a penalty may not be imposed under subsection (a) if’’ and all that follows through ‘‘the failure to comply is corrected’’ and inserting ‘‘in subparagraph (B) or subsection (a)(1)(C), a penalty may not be imposed under subsection (a) if the failure to comply is corrected’’; and

(ii) in subparagraph (B), by striking ‘‘(A)(ii)’’ and inserting ‘‘(A)’’ each place it appears.

(4) EFFECTIVE DATE.—The amendments made by this subsection shall apply to violations occurring after the date of the enactment of this title.

ENFORCEMENT THROUGH STATE ATTORNEYS GENERAL.—

IN GENERAL.—Section 1176 of the Social Security Act (42 U.S.C. 1320d–5) is amended by adding at the end the following new subsection:

‘‘(d) ENFORCEMENT BY STATE ATTORNEYS GENERAL.—

‘‘(1) CIVIL ACTION.—Except as provided in subsection (b), in any case in which the attorney general of a State has reason to believe that an interest of one or more of the residents of that State has been or is threatened or adversely affected by any person who violates a provision of this part, the attorney general of the State, as parens patriae, may bring a civil action on behalf of such residents of the State in a district court of the United States of appropriate jurisdiction—

‘‘(A) to enjoin further such violation by the defendant; or

‘‘(B) to obtain damages on behalf of such residents of the State, in an amount equal to the amount determined under paragraph (2).

‘‘(2) STATUTORY DAMAGES.—

‘‘(A) IN GENERAL.—For purposes of paragraph (1)(B), the amount determined under this paragraph is the amount calculated by multiplying the number of violations by up to $100. For purposes of the preceding sentence, in the case of a continuing violation, the number of violations shall be determined consistent with the HIPAA privacy regulations (as defined in section 1180(b)(3)) for violations of subsection (a).

‘‘(B) LIMITATION.—The total amount of damages imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.

‘‘(C) REDUCTION OF DAMAGES.—In assessing damages under subparagraph (A), the court may consider the factors the Secretary may consider in determining the amount of a civil money penalty under subsection (a) under the HIPAA privacy regulations.

‘‘(3) ATTORNEY FEES.—In the case of any successful action under paragraph (1), the court, in its discretion, may award the costs of the action and reasonable attorney fees to the State.

‘‘(4) NOTICE TO SECRETARY.—The State shall serve prior written notice of any action under paragraph (1) upon the Secretary and provide the Secretary with a copy of its complaint, except in any case in which such prior notice is not feasible, in which case the State shall serve such notice immediately upon instituting such action. The Secretary shall have the right—

‘‘(A) to intervene in the action;

‘‘(B) upon so intervening, to be heard on all matters arising therein; and

‘‘(C) to file petitions for appeal.

‘‘(5) CONSTRUCTION.—For purposes of bringing any civil action under paragraph (1), nothing in this section shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State.

‘‘(6) VENUE; SERVICE OF PROCESS.—

‘‘(A) VENUE.—Any action brought under paragraph (1) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28, United States Code.

‘‘(B) SERVICE OF PROCESS.—In an action brought under paragraph (1), process may be served in any district in which the defendant—

‘‘(i) is an inhabitant; or

‘‘(ii) maintains a physical place of business.

‘‘(7) LIMITATION ON STATE ACTION WHILE FEDERAL ACTION IS PENDING.—If the Secretary has instituted an action against a person under subsection (a) with respect to a specific violation of this part, no State attorney general may bring an action under this subsection against the person with respect to such violation during the pendency of that action.

‘‘(8) APPLICATION OF CMP STATUTE OF LIMITATION.—A civil action may not be instituted with respect to a violation of this part unless an action to impose a civil money penalty may be instituted under subsection (a) with respect to such violation consistent with the second sentence of section 1128A(c)(1).’’.

CONFORMING AMENDMENTS.—Subsection (b) of such section, as amended by subsection (d)(3), is amended—

in paragraph (1), by striking ‘‘A penalty may not be imposed under subsection (a)’’ and inserting ‘‘No penalty may be imposed under subsection (a) and no damages obtained under subsection (d)’’;

in paragraph (2)(A)—

(i) after ‘‘subsection (a)(1)(C),’’, by striking ‘‘a penalty may not be imposed under subsection (a)’’ and inserting ‘‘no penalty may be imposed under subsection (a) and no damages obtained under subsection (d)’’; and

(ii) in clause (ii), by inserting ‘‘or damages’’ after ‘‘the penalty’’;

in paragraph (2)(B)(i), by striking ‘‘The period’’ and inserting ‘‘With respect to the imposition of a penalty by the Secretary under subsection (a), the period’’; and

in paragraph (3), by inserting ‘‘and any damages under subsection (d)’’ after ‘‘any penalty under subsection (a)’’.

(3) EFFECTIVE DATE.—The amendments made by this subsection shall apply to violations occurring after the date of the enactment of this Act.

ALLOWING CONTINUED USE OF CORRECTIVE ACTION.—Such section is further amended by adding at the end the following new subsection:

‘‘(e) ALLOWING CONTINUED USE OF CORRECTIVE ACTION.—Nothing in this section shall be construed as preventing the Office for Civil Rights of the Department of Health and Human Services from continuing, in its discretion, to use corrective action without a penalty in cases where the person did not know (and by exercising reasonable diligence would not have known) of the violation involved.’’.

SEC. 13411. AUDITS.

The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements.

PART 2—RELATIONSHIP TO OTHER LAWS; REGULATORY REFERENCES; EFFECTIVE DATE; REPORTS

SEC. 13421. RELATIONSHIP TO OTHER LAWS.

APPLICATION OF HIPAA STATE PREEMPTION.—Section 1178 of the Social Security Act (42 U.S.C. 1320d–7) shall apply to a provision or requirement under this subtitle in the same manner that such section applies to a provision or requirement under part C of title XI of such Act or a standard or implementation specification adopted or established under sections 1172 through 1174 of such Act.

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT.—The standards governing the privacy and security of individually identifiable health information promulgated by the Secretary under sections 262(a) and 264 of the Health Insurance Portability and Accountability Act of 1996 shall remain in effect to the extent that they are consistent with this subtitle. The Secretary shall by rule amend such Federal regulations as required to make such regulations consistent with this subtitle.

CONSTRUCTION.—Nothing in this subtitle shall constitute a waiver of any privilege otherwise applicable to an individual with respect to the protected health information of such individual.

SEC. 13422. REGULATORY REFERENCES.

Each reference in this subtitle to a provision of the Code of Federal Regulations refers to such provision as in effect on the date of the enactment of this title (or to the most recent update of such provision).

SEC. 13423. EFFECTIVE DATE.

Except as otherwise specifically provided, the provisions of part I shall take effect on the date that is 12 months after the date of the enactment of this title.

SEC. 13424. STUDIES, REPORTS, GUIDANCE.

REPORT ON COMPLIANCE.—

IN GENERAL.—For the first year beginning after the date of the enactment of this Act and annually thereafter, the Secretary shall prepare and submit to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Ways and Means and the Committee on Energy and Commerce of the House of Representatives a report concerning complaints of alleged violations of law, including the provisions of this subtitle as well as the provisions of subparts C and E of part 164 of title 45, Code of Federal Regulations, (as such provisions are in effect as of the date of enactment of this Act) relating to privacy and security of health information that are received by the Secretary during the year for which the report is being prepared. Each such report shall include, with respect to such complaints received during the year—

the number of such complaints;

the number of such complaints resolved informally, a summary of the types of such complaints so resolved, and the number of covered entities that received technical assistance from the Secretary during such year in order to achieve compliance with such provisions and the types of such technical assistance provided;

the number of such complaints that have resulted in the imposition of civil monetary penalties or have been resolved through monetary settlements, including the nature of the complaints involved and the amount paid in each penalty or settlement;

the number of compliance reviews conducted and the outcome of each such review;

the number of subpoenas or inquiries issued;

the Secretary’s plan for improving compliance with and enforcement of such provisions for the following year; and

the number of audits performed and a summary of audit findings pursuant to section 13411.

(2) AVAILABILITY TO PUBLIC.—Each report under paragraph (1) shall be made available to the public on the Internet website of the Department of Health and Human Services.

STUDY AND REPORT ON APPLICATION OF PRIVACY AND SECURITY REQUIREMENTS TO NON-HIPAA COVERED ENTITIES.—

STUDY.—Not later than one year after the date of the enactment of this title, the Secretary, in consultation with the Federal Trade Commission, shall conduct a study, and submit a report under paragraph (2), on privacy and security requirements for entities that are not covered entities or business associates as of the date of the enactment of this title, including—

requirements relating to security, privacy, and notification in the case of a breach of security or privacy (including the applicability of an exemption to notification in the case of individually identifiable health information that has been rendered unusable, unreadable, or indecipherable through technologies or methodologies recognized by appropriate professional organization or standard setting bodies to provide effective security for the information) that should be applied to—

vendors of personal health records;

entities that offer products or services through the website of a vendor of personal health records;

entities that are not covered entities and that offer products or services through the websites of covered entities that offer individuals personal health records;

entities that are not covered entities and that access information in a personal health record or send information to a personal health record; and

third party service providers used by a vendor or entity described in clause (i), (ii), (iii), or (iv) to assist in providing personal health record products or services;

a determination of which Federal government agency is best equipped to enforce such requirements recommended to be applied to such vendors, entities, and service providers under subparagraph (A); and

a timeframe for implementing regulations based on such findings.

REPORT.—The Secretary shall submit to the Committee on Finance, the Committee on Health, Education, Labor, and Pensions, and the Committee on Commerce of the Senate and the Committee on Ways and Means and the Committee on Energy and Commerce of the House of Representatives a report on the findings of the study under paragraph (1) and shall include in such report recommendations on the privacy and security requirements described in such paragraph.

GUIDANCE ON IMPLEMENTATION SPECIFICATION TO DE-IDENTIFY PROTECTED HEALTH INFORMATION.—Not later than 12 months after the date of the enactment of this title, the Secretary shall, in consultation with stakeholders, issue guidance on how best to implement the requirements for the de-identification of protected health information under section 164.514(b) of title 45, Code of Federal Regulations.

GAO REPORT ON TREATMENT DISCLOSURES.—Not later than one year after the date of the enactment of this title, the Comptroller General of the United States shall submit to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Ways and Means and the Committee on Energy and Commerce of the House of Representatives a report on the best practices related to the disclosure among health care providers of protected health information of an individual for purposes of treatment of such individual. Such report shall include an examination of the best practices implemented by States and by other entities, such as health information exchanges and regional health information organizations, an examination of the extent to which such best practices are successful with respect to the quality of the resulting health care provided to the individual and with respect to the ability of the health care provider to manage such best practices, and an examination of the use of electronic informed consent for disclosing protected health information for treatment, payment, and health care operations.

REPORT REQUIRED.—Not later than 5 years after the date of enactment of this section, the Government Accountability Office shall submit to Congress and the Secretary of Health and Human Services a report on the impact of any of the provisions of this Act on health insurance premiums, overall health care costs, adoption of electronic health records by providers, and reduction in medical errors and other quality improvements.

STUDY.—The Secretary shall study the definition of ‘‘psychotherapy notes’’ in section 164.501 of title 45, Code of Federal Regulations, with regard to including test data that is related to direct responses, scores, items, forms, protocols, manuals, or other materials that are part of a mental health evaluation, as determined by the mental health professional providing treatment or evaluation in such definitions and may, based on such study, issue regulations to revise such definition.

The Original 1996 HIPAA law, Subtitle F, "Administrative Simplification"

Full text of the original 1996 HIPAA Law Subtitle F

SEC. 261.  PURPOSE.

    It is the purpose of this subtitle to improve the Medicare program
under title XVIII of the Social Security Act, the medicaid program under
title XIX of such Act, and the efficiency and effectiveness of the
health care system, by encouraging the development of a health
information system through the establishment of standards and
requirements for the electronic transmission of certain health
information.

SEC. 262. ADMINISTRATIVE SIMPLIFICATION.

    (a) In General.--Title XI (42 U.S.C. 1301 et seq.) is amended by
adding at the end the following:

                 ``Part C--Administrative Simplification

                              ``definitions

    ``Sec. 1171. For purposes of this part:
            ``(1) Code set.--The term `code set' means any set of codes
        used for encoding data elements, such as tables of terms,
        medical concepts, medical diagnostic codes, or medical procedure
        codes.
            ``(2) Health care clearinghouse.--The term `health care
        clearinghouse' means a public or private entity that processes
        or facilitates the processing of nonstandard data elements of
        health information into standard data elements.
            ``(3) Health care provider.--The term `health care provider'
        includes a provider of services (as defined in section 1861(u)),
        a provider of medical or other health services (as defined in
        section 1861(s)), and any other person furnishing health care
        services or supplies.
            ``(4) Health information.--The term `health information'
        means any information, whether oral or recorded in any form or
        medium, that--
                    ``(A) is created or received by a health care
                provider, health plan, public health authority,
                employer, life insurer, school or university, or health
                care clearinghouse; and
                    ``(B) relates to the past, present, or future
                physical or mental health or condition of an individual,
                the provision of health care to an individual, or the
                past, present, or future payment for the provision of
                health care to an individual.
            ``(5) Health plan.--The term `health plan' means an
        individual or group plan that provides, or pays the cost of,
        medical care (as such term is defined in section 2791 of the
        Public Health Service Act). Such term includes the following,
        and any combination thereof:
                    ``(A) A group health plan (as defined in section
                2791(a) of the Public Health Service Act), but only if
                the plan--
                          ``(i) has 50 or more participants (as defined
                      in section 3(7) of the Employee Retirement Income
                      Security Act of 1974); or
                          ``(ii) is administered by an entity other than
                      the employer who established and maintains the
                      plan.
                    ``(B) A health insurance issuer (as defined in
                section 2791(b) of the Public Health Service Act).
                    ``(C) A health maintenance organization (as defined
                in section 2791(b) of the Public Health Service Act).
                    ``(D) Part A or part B of the Medicare program under
                title XVIII.
                    ``(E) The medicaid program under title XIX.
                    ``(F) A Medicare supplemental policy (as defined in
                section 1882(g)(1)).
                    ``(G) A long-term care policy, including a nursing
                home fixed indemnity policy (unless the Secretary
                determines that such a policy does not provide
                sufficiently comprehensive coverage of a benefit so that
                the policy should be treated as a health plan).
                    ``(H) An employee welfare benefit plan or any other
                arrangement which is established or maintained for the
                purpose of offering or providing health benefits to the
                employees of 2 or more employers.
                    ``(I) The health care program for active military
                personnel under title 10, United States Code.
                    ``(J) The veterans health care program under chapter
                17 of title 38, United States Code.
                    ``(K) The Civilian Health and Medical Program of the
                Uniformed Services (CHAMPUS), as defined in section
                1072(4) of title 10, United States Code.
                    ``(L) The Indian health service program under the
                Indian Health Care Improvement Act (25 U.S.C. 1601 et
                seq.).
                    ``(M) The Federal Employees Health Benefit Plan
                under chapter 89 of title 5, United States Code.
            ``(6) Individually identifiable health information.--The
        term `individually identifiable health information' means any
        information, including demographic information collected from an
        individual, that--
                    ``(A) is created or received by a health care
                provider, health plan, employer, or health care
                clearinghouse; and
                    ``(B) relates to the past, present, or future
                physical or mental health or condition of an individual,
                the provision of health care to an individual, or the
                past, present, or future payment for the provision of
                health care to an individual, and--
                          ``(i) identifies the individual; or
                          ``(ii) with respect to which there is a
                      reasonable basis to believe that the information
                      can be used to identify the individual.
            ``(7) Standard.--The term `standard', when used with
        reference to a data element of health information or a
        transaction referred to in section 1173(a)(1), means any such
        data element or transaction that meets each of the standards and
        implementation specifications adopted or established by the
        Secretary with respect to the data element or transaction under
        sections 1172 through 1174.
            ``(8) Standard setting organization.--The term `standard
        setting organization' means a standard setting organization
        accredited by the American National Standards Institute,
        including the National Council for Prescription Drug Programs,
        that develops standards for information transactions, data
        elements, or any other standard that is necessary to, or will
        facilitate, the implementation of this part.

            ``general requirements for adoption of standards

    ``Sec. 1172. (a) Applicability.--Any standard adopted under this part shall apply, in whole or in part, to
the following persons:
            ``(1) A health plan.
            ``(2) A health care clearinghouse.
            ``(3) A health care provider who transmits any health
        information in electronic form in connection with a transaction
        referred to in section 1173(a)(1).

    ``(b) Reduction of Costs.--Any standard adopted under this part
shall be consistent with the objective of reducing the administrative
costs of providing and paying for health care.
    ``(c) Role of Standard Setting Organizations.--
            ``(1) In general.--Except as provided in paragraph (2), any
        standard adopted under this part shall be a standard that has
        been developed, adopted, or modified by a standard setting
        organization.
            ``(2) Special rules.--
                    ``(A) Different standards.--The Secretary may adopt
                a standard that is different from any standard
                developed, adopted, or modified by a standard setting
                organization, if--
                          ``(i) the different standard will
                      substantially reduce administrative costs to
                      health care providers and health plans compared to
                      the alternatives; and
                          ``(ii) the standard is promulgated in
                      accordance with the rulemaking procedures of
                      subchapter III of chapter 5 of title 5, United
                      States Code.
                    ``(B) No standard by standard setting
                organization.--If no standard setting organization has
                developed, adopted, or modified any standard relating to
                a standard that the Secretary is authorized or required
                to adopt under this part--
                          ``(i) paragraph (1) shall not apply; and
                          ``(ii) subsection (f) shall apply.
            ``(3) Consultation requirement.--
                    ``(A) In general.--A standard may not be adopted
                under this part unless--
                          ``(i) in the case of a standard that has been
                      developed, adopted, or modified by a standard
                      setting organization, the organization consulted
                      with each of the organizations described in
                      subparagraph (B) in the course of such
                      development, adoption, or modification; and
                          ``(ii) in the case of any other standard, the
                      Secretary, in complying with the requirements of
                      subsection (f), consulted with each of the
                      organizations described in subparagraph (B) before
                      adopting the standard.
                    ``(B) Organizations described.--The organizations
                referred to in subparagraph (A) are the following:
                          ``(i) The National Uniform Billing Committee.
                          ``(ii) The National Uniform Claim Committee.
                          ``(iii) The Workgroup for Electronic Data
                      Interchange.
                          ``(iv) The American Dental Association.

    ``(d) Implementation Specifications.--The Secretary shall establish
specifications for implementing each of the standards adopted under this
part.
    ``(e) Protection of Trade Secrets.--Except as otherwise required by
law, a standard adopted under this part shall not require disclosure of
trade secrets or confidential commercial information by a person
required to comply with this part.
    ``(f) Assistance to the Secretary.--In complying with the
requirements of this part, the Secretary shall rely on the
recommendations of the National Committee on Vital and Health Statistics
established under section 306(k) of the Public Health Service Act (42
U.S.C. 242k(k)), and shall consult with appropriate Federal and State
agencies and private organizations. The Secretary shall publish in the Federal Register any recommendation of the National Committee on Vital and Health Statistics regarding the adoption of a standard under this part.

    ``(g) Application to Modifications of Standards.--This section shall
apply to a modification to a standard (including an addition to a
standard) adopted under section 1174(b) in the same manner as it applies
to an initial standard adopted under section 1174(a).

       ``standards for information transactions and data elements

    ``Sec. 1173. (a) Standards To Enable Electronic Exchange.--
            ``(1) In general.--The Secretary shall adopt standards for
        transactions, and data elements for such transactions, to enable
        health information to be exchanged electronically, that are
        appropriate for--
                    ``(A) the financial and administrative transactions
                described in paragraph (2); and
                    ``(B) other financial and administrative
                transactions determined appropriate by the Secretary,
                consistent with the goals of improving the operation of
                the health care system and reducing administrative
                costs.
            ``(2) Transactions.--The transactions referred to in
        paragraph (1)(A) are transactions with respect to the following:
                    ``(A) Health claims or equivalent encounter
                information.
                    ``(B) Health claims attachments.
                    ``(C) Enrollment and disenrollment in a health plan.
                    ``(D) Eligibility for a health plan.
                    ``(E) Health care payment and remittance advice.
                    ``(F) Health plan premium payments.
                    ``(G) First report of injury.
                    ``(H) Health claim status.
                    ``(I) Referral certification and authorization.
            ``(3) Accommodation of specific providers.--The
        standards adopted by the Secretary under paragraph (1) shall
        accommodate the needs of different types of health care
        providers.

    ``(b) Unique Health Identifiers.--
            ``(1) In general.--The Secretary shall adopt standards
        providing for a standard unique health identifier for each
        individual, employer, health plan, and health care provider for
        use in the health care system. In carrying out the preceding
        sentence for each health plan and health care provider, the
        Secretary shall take into account multiple uses for identifiers
        and multiple locations and specialty classifications for health
        care providers.
            ``(2) Use of identifiers.--The standards adopted under
        paragraph (1) shall specify the purposes for which a unique
        health identifier may be used.

    ``(c) Code Sets.--
            ``(1) In general.--The Secretary shall adopt standards
        that--
                    ``(A) select code sets for appropriate data elements
                for the transactions referred to in subsection (a)(1)
                from among the code sets that have been developed by
                private and public entities; or
                    ``(B) establish code sets for such data elements if
                no code sets for the data elements have been developed.
            ``(2) Distribution.--The Secretary shall establish efficient
        and low-cost procedures for distribution (including electronic
        distribution) of code sets and modifications made to such code
        sets under section 1174(b).

    ``(d) Security Standards for Health Information.--
            ``(1) Security standards.--The Secretary shall adopt
        security standards that--
                    ``(A) take into account--
                          ``(i) the technical capabilities of record
                      systems used to maintain health information;
                          ``(ii) the costs of security measures;
                          ``(iii) the need for training persons who have
                      access to health information;
                          ``(iv) the value of audit trails in
                      computerized record systems; and
                          ``(v) the needs and capabilities of small
                      health care providers and rural health care
                      providers (as such providers are defined by the
                      Secretary); and
                    ``(B) ensure that a health care clearinghouse, if it
                is part of a larger organization, has policies and
                security procedures which isolate the activities of the
                health care clearinghouse with respect to processing
                information in a manner that prevents unauthorized
                access to such information by such larger organization.
            ``(2) Safeguards.--Each person described in section 1172(a)
        who maintains or transmits health information shall maintain
        reasonable and appropriate administrative, technical, and
        physical safeguards--
                    ``(A) to ensure the integrity and confidentiality of
                the information;
                    ``(B) to protect against any reasonably
                anticipated--
                          ``(i) threats or hazards to the security or
                      integrity of the information; and
                          ``(ii) unauthorized uses or disclosures of the
                      information; and
                    ``(C) otherwise to ensure compliance with this part
                by the officers and employees of such person.

    ``(e) Electronic Signature.--
            ``(1) Standards.--The Secretary, in coordination with the
        Secretary of Commerce, shall adopt standards specifying
        procedures for the electronic transmission and authentication of
        signatures with respect to the transactions referred to in
        subsection (a)(1).
            ``(2) Effect of compliance.--Compliance with the standards
        adopted under paragraph (1) shall be deemed to satisfy Federal
        and State statutory requirements for written signatures with
        respect to the transactions referred to in subsection (a)(1).

    ``(f) Transfer of Information Among Health Plans.--The Secretary
shall adopt standards for transferring among health plans appropriate
standard data elements needed for the coordination of benefits, the
sequential processing of claims, and other data elements for individuals
who have more than one health plan.

                 ``timetables for adoption of standards

    ``Sec. 1174. (a) Initial Standards.--The
Secretary shall carry out section 1173 not later than 18 months after
the date of the enactment of the Health Insurance Portability and
Accountability Act of 1996, except that standards relating to claims
attachments shall be adopted not later than 30 months after such date.

    ``(b) Additions and Modifications to Standards.--
            ``(1) In general.--Except as provided in paragraph (2), the
        Secretary shall review the standards adopted under section 1173,
        and shall adopt modifications to the standards (including
        additions to the standards), as determined appropriate, but not
        more frequently than once every 12 months. Any addition or
        modification to a standard shall be completed in a manner which
        minimizes the disruption and cost of compliance.
            ``(2) Special rules.--
                    ``(A) First 12-month period.--Except with respect to
                additions and modifications to code sets under
                subparagraph (B), the Secretary may not adopt any
                modification to a standard adopted under this part
                during the 12-month period beginning on the date the
                standard is initially adopted, unless the Secretary
                determines that the modification is necessary in order
                to permit compliance with the standard.
                    ``(B) Additions and modifications to code sets.--
                          ``(i) In general.--The Secretary shall ensure
                      that procedures exist for the routine maintenance,
                      testing, enhancement, and expansion of code sets.
                          ``(ii) Additional rules.--If a code set is
                      modified under this subsection, the modified code
                      set shall include instructions on how data
                      elements of health information that were encoded
                      prior to the modification may be converted or
                      translated so as to preserve the informational
                      value of the data elements that existed before the
                      modification. Any modification to a code set under
                      this subsection shall be implemented in a manner
                      that minimizes the disruption and cost of
                      complying with such modification.

                             ``requirements

    ``Sec. 1175. (a) Conduct of Transactions by Plans.--
            ``(1) In general.--If a person desires to conduct a
        transaction referred to in section 1173(a)(1) with a health plan
        as a standard transaction--
                    ``(A) the health plan may not refuse to conduct such
                transaction as a standard transaction;
                    ``(B) the insurance plan may not delay such
                transaction, or otherwise adversely affect, or attempt
                to adversely affect, the person or the transaction on
                the ground that the transaction is a standard
                transaction; and
                    ``(C) the information transmitted and received in
                connection with the transaction shall be in the form of
                standard data elements of health information.
            ``(2) Satisfaction of requirements.--A health plan may
        satisfy the requirements under paragraph (1) by--
                    ``(A) directly transmitting and receiving standard
                data elements of health information; or
                    ``(B) submitting nonstandard data elements to a
                health care clearinghouse for processing into standard
                data elements and transmission by the health care
                clearinghouse, and receiving standard data elements
                through the health care clearinghouse.
            ``(3) Timetable for compliance.--Paragraph (1) shall not be
        construed to require a health plan to comply with any standard,
        implementation specification, or modification to a standard or
        specification adopted or established by the Secretary under
        sections 1172 through 1174 at any time prior to the date on
        which the plan is required to comply with the standard or
        specification under subsection (b).

    ``(b) Compliance With Standards.--
            ``(1) Initial compliance.--
                    ``(A) In general.--Not later than 24 months after
                the date on which an initial standard or implementation
                specification is adopted or established under sections
                1172 and 1173, each person to whom the standard or
                implementation specification applies shall comply with
                the standard or specification.
                    ``(B) Special rule for small health plans.--In the
                case of a small health plan, paragraph (1) shall be
                applied by substituting `36 months' for `24 months'. For
                purposes of this subsection, the Secretary shall
                determine the plans that qualify as small health plans.
            ``(2) Compliance with modified standards.--If the Secretary
        adopts a modification to a standard or implementation
        specification under this part, each person to whom the standard
        or implementation specification applies shall comply with the
        modified standard or implementation specification at such time
        as the Secretary determines appropriate, taking into account the
        time needed to comply due to the nature and extent of the
        modification. The time determined appropriate under the
        preceding sentence may not be earlier than the last day of the
        180-day period beginning on the date such modification is
        adopted. The Secretary may extend the time for compliance for
        small health plans, if the Secretary determines that such
        extension is appropriate.
            ``(3) Construction.--Nothing in this subsection shall be
        construed to prohibit any person from complying with a standard
        or specification by--
                    ``(A) submitting nonstandard data elements to a
                health care clearinghouse for processing into standard
                data elements and transmission by the health care
                clearinghouse; or
                    ``(B) receiving standard data elements through a
                health care clearinghouse.

 ``general penalty for failure to comply with requirements and standards

    ``Sec. 1176. (a) General Penalty.--
            ``(1) In general.--Except as provided in subsection (b), the
        Secretary shall impose on any person who violates a provision of
        this part a penalty of not more than $100 for each such
        violation, except that the total amount imposed on the person
        for all violations of an identical requirement or prohibition
        during a calendar year may not exceed $25,000.
            ``(2) Procedures.--The provisions of section 1128A (other
        than subsections (a) and (b) and the second sentence of
        subsection (f)) shall apply to the imposition of a civil money
        penalty under this subsection in the same manner as such
        provisions apply to the imposition of a penalty under such
        section 1128A.

    ``(b) Limitations.--
            ``(1) Offenses otherwise punishable.--A penalty may not be
        imposed under subsection (a) with respect to an act if the act
        constitutes an offense punishable under section 1177.
            ``(2) Noncompliance not discovered.--A penalty may not be
        imposed under subsection (a) with respect to a provision of this
        part if it is established to the satisfaction of the Secretary
        that the person liable for the penalty did not know, and by
        exercising reasonable diligence would not have known, that such
        person violated the provision.
            ``(3) Failures due to reasonable cause.--
                    ``(A) In general.--Except as provided in
                subparagraph (B), a penalty may not be imposed under
                subsection (a) if--
                          ``(i) the failure to comply was due to
                      reasonable cause and not to willful neglect; and
                          ``(ii) the failure to comply is corrected
                      during the 30-day period beginning on the first
                      date the person liable for the penalty knew, or by
                      exercising reasonable diligence would have known,
                      that the failure to comply occurred.
                    ``(B) Extension of period.--
                          ``(i) No penalty.--The period referred to in
                      subparagraph (A)(ii) may be extended as determined
                      appropriate by the Secretary based on the nature
                      and extent of the failure to comply.
                          ``(ii) Assistance.--If the Secretary
                      determines that a person failed to comply because
                      the person was unable to comply, the Secretary may
                      provide technical assistance to the person during
                      the period described in subparagraph (A)(ii). Such
                      assistance shall be provided in any manner
                      determined appropriate by the Secretary.
            ``(4) Reduction.--In the case of a failure to comply which
        is due to reasonable cause and not to willful neglect, any
        penalty under subsection (a) that is not entirely waived under
        paragraph (3) may be waived to the extent that the payment of
        such penalty would be excessive relative to the compliance
        failure involved.

  ``wrongful disclosure of individually identifiable health information

    ``Sec. 1177. (a) Offense.--A person who
knowingly and in violation of this part--
            ``(1) uses or causes to be used a unique health identifier;
            ``(2) obtains individually identifiable health information
        relating to an individual; or
            ``(3) discloses individually identifiable health information
        to another person,

shall be punished as provided in subsection (b).
    ``(b) Penalties.--A person described in subsection (a) shall--
            ``(1) be fined not more than $50,000, imprisoned not more
        than 1 year, or both;
            ``(2) if the offense is committed under false pretenses, be
        fined not more than $100,000, imprisoned not more than 5 years,
        or both; and
            ``(3) if the offense is committed with intent to sell,
        transfer, or use individually identifiable health information
        for commercial advantage, personal gain, or malicious harm, be
        fined not more than $250,000, imprisoned not more than 10 years,
        or both.

    ``Sec. 1178. (a) General Effect.--
            ``(1) General rule.--Except as provided in paragraph (2), a
        provision or requirement under this part, or a standard or
        implementation specification adopted or established under
        sections 1172 through 1174, shall supersede any contrary
        provision of State law, including a provision of State law that
        requires medical or health plan records (including billing
        information) to be maintained or transmitted in written rather
        than electronic form.
            ``(2) Exceptions.--A provision or requirement under this
        part, or a standard or implementation specification adopted or
        established under sections 1172 through 1174, shall not
        supersede a contrary provision of State law, if the provision of
        State law--
                    ``(A) is a provision the Secretary determines--
                          ``(i) is necessary--
                                    ``(I) to prevent fraud and abuse;
                                    ``(II) to ensure appropriate State
                                regulation of insurance and health
                                plans;
                                    ``(III) for State reporting on
                                health care delivery or costs; or
                                    ``(IV) for other purposes; or
                          ``(ii) addresses controlled substances; or
                    ``(B) subject to section 264(c)(2) of the Health
                Insurance Portability and Accountability Act of 1996,
                relates to the privacy of individually identifiable
                health information.

    ``(b) Public Health.--Nothing in this part shall be construed to
invalidate or limit the authority, power, or procedures established
under any law providing for the reporting of disease or injury, child
abuse, birth, or death, public health surveillance, or public health
investigation or intervention.
    ``(c) State Regulatory Reporting.--Nothing in this part shall limit
the ability of a State to require a health plan to report, or to provide
access to, information for management audits, financial audits, program
monitoring and evaluation, facility licensure or certification, or
individual licensure or certification.

       ``processing payment transactions by financial institutions

    ``Sec. 1179. To the extent that an entity
is engaged in activities of a financial institution (as defined in
section 1101 of the Right to Financial Privacy Act of 1978), or is
engaged in authorizing, processing, clearing, settling, billing,
transferring, reconciling, or collecting payments, for a financial
institution, this part, and any standard adopted under this part, shall
not apply to the entity with respect to such activities, including the
following:
            ``(1) The use or disclosure of information by the entity for
        authorizing, processing, clearing, settling, billing,
        transferring, reconciling or collecting, a payment for, or
        related to, health plan premiums or health care, where such
        payment is made by any means, including a credit, debit, or
        other payment card, an account, check, or electronic funds
        transfer.
            ``(2) The request for, or the use or disclosure of,
        information by the entity with respect to a payment described in
        paragraph (1)--
                    ``(A) for transferring receivables;
                    ``(B) for auditing;
                    ``(C) in connection with--
                          ``(i) a customer dispute; or
                          ``(ii) an inquiry from, or to, a customer;
                    ``(D) in a communication to a customer of the entity
                regarding the customer's transactions, payment card,
                account, check, or electronic funds transfer;
                    ``(E) for reporting to consumer reporting agencies;
                or
                    ``(F) for complying with--
                          ``(i) a civil or criminal subpoena; or
                          ``(ii) a Federal or State law regulating the
                      entity.''.

    (b) Conforming Amendments.--
            (1) Requirement for medicare providers.--Section 1866(a)(1)
        (42 U.S.C. 1395cc(a)(1)) is amended--
                    (A) by striking ``and'' at the end of subparagraph
                (P);
                    (B) by striking the period at the end of
                subparagraph (Q) and inserting ``; and''; and
                    (C) by inserting immediately after subparagraph (Q)
                the following new subparagraph:
            ``(R) to contract only with a health care clearinghouse (as
        defined in section 1171) that meets each standard and
        implementation specification adopted or established under part C
        of title XI on or after the date on which the health care
        clearinghouse is required to comply with the standard or
        specification.''.
            (2) Title heading.--Title XI (42 U.S.C. 1301 et seq.) is
        amended by striking the title heading and inserting the
        following:

    ``TITLE XI--GENERAL PROVISIONS, PEER REVIEW, AND ADMINISTRATIVE SIMPLIFICATION''.

SEC. 263. CHANGES IN MEMBERSHIP AND DUTIES OF NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS.

    Section 306(k) of the Public Health Service Act (42 U.S.C. 242k(k))
is amended--
            (1) in paragraph (1), by striking ``16'' and inserting
        ``18'';
            (2) by amending paragraph (2) to read as follows:

    ``(2) The members of the Committee shall be appointed from among
persons who have distinguished themselves in the fields of health
statistics, electronic interchange of health care information, privacy
and security of electronic information, population-based public health,
purchasing or financing health care services, integrated computerized
health information systems, health services research, consumer interests
in health information, health data standards, epidemiology, and the
provision of health services. Members of the Committee shall be
appointed for terms of 4 years.'';
            (3) by redesignating paragraphs (3) through (5) as
        paragraphs (4) through (6), respectively, and inserting after
        paragraph (2) the following:

    ``(3) Of the members of the Committee--
            ``(A) 1 shall be appointed, not later than 60 days after the
        date of the enactment of the Health Insurance Portability and
        Accountability Act of 1996, by the Speaker of the House of
        Representatives after consultation with the Minority Leader of
        the House of Representatives;
            ``(B) 1 shall be appointed, not later than 60 days after the
        date of the enactment of the Health Insurance Portability and
        Accountability Act of 1996, by the President pro tempore of the
        Senate after consultation with the Minority Leader of the
        Senate; and
            ``(C) 16 shall be appointed by the Secretary.'';
            (4) by amending paragraph (5) (as so redesignated) to read
        as follows:

    ``(5) The Committee--
            ``(A) shall assist and advise the Secretary--
                    ``(i) to delineate statistical problems bearing on
                health and health services which are of national or
                international interest;
                    ``(ii) to stimulate studies of such problems by
                other organizations and agencies whenever possible or to
                make investigations of such problems through
                subcommittees;
                    ``(iii) to determine, approve, and revise the terms,
                definitions, classifications, and guidelines for
                assessing health status and health services, their
                distribution and costs, for use (I) within the
                Department of Health and Human Services, (II) by all
                programs administered or funded by the Secretary,
                including the Federal-State-local cooperative health
                statistics system referred to in subsection (e), and
                (III) to the extent possible as determined by the head
                of the agency involved, by the Department of Veterans
                Affairs, the Department of Defense, and other Federal
                agencies concerned with health and health services;
                    ``(iv) with respect to the design of and approval of
                health statistical and health information systems
                concerned with the collection, processing, and
                tabulation of health statistics within the Department of
                Health and Human Services, with respect to the
                Cooperative Health Statistics System established under
                subsection (e), and with respect to the standardized
                means for the collection of health information and
                statistics to be established by the Secretary under
                subsection (j)(1);
                    ``(v) to review and comment on findings and
                proposals developed by other organizations and agencies
                and to make recommendations for their adoption or
                implementation by local, State, national, or
                international agencies;
                    ``(vi) to cooperate with national committees of
                other countries and with the World Health Organization
                and other national agencies in the studies of problems
                of mutual interest;
                    ``(vii) to issue an annual
                report on the state of the Nation's health, its health
                services, their costs and distributions, and to make
                proposals for improvement of the Nation's health
                statistics and health information systems; and
                    ``(viii) in complying with the requirements imposed
                on the Secretary under part C of title XI of the Social
                Security Act;
            ``(B) shall study the issues related to the adoption of
        uniform data standards for patient medical record information
        and the electronic exchange of such information;
            ``(C) shall report to the Secretary not
        later than 4 years after the date of the enactment of the Health
        Insurance Portability and Accountability Act of 1996
        recommendations and legislative proposals for such standards and
        electronic exchange; and
            ``(D) shall be responsible generally for advising the
        Secretary and the Congress on the status of the implementation
        of part C of title XI of the Social Security Act.''; and
            (5) by adding at the end the following:

    ``(7) Not later than 1 year after the date of
the enactment of the Health Insurance Portability and Accountability Act
of 1996, and annually thereafter, the Committee shall submit to the
Congress, and make public, a report regarding the implementation of part
C of title XI of the Social Security Act. Such report shall address the
following subjects, to the extent that the Committee determines
appropriate:
            ``(A) The extent to which persons required to comply with
        part C of title XI of the Social Security Act are cooperating in
        implementing the standards adopted under such part.
            ``(B) The extent to which such entities are meeting the
        security standards adopted under such part and the types of
        penalties assessed for noncompliance with such standards.
            ``(C) Whether the Federal and State Governments are
        receiving information of sufficient quality to meet their
        responsibilities under such part.
            ``(D) Any problems that exist with respect to implementation
        of such part.
            ``(E) The extent to which timetables under such part are
        being met.''.

SEC. 264. RECOMMENDATIONS WITH RESPECT TO PRIVACY OF CERTAIN HEALTH INFORMATION.

    (a) In General.--Not later than the date that is 12 months after the
date of the enactment of this Act, the Secretary of
Health and Human Services shall submit to the Committee on Labor and
Human Resources and the Committee on Finance of the Senate and the
Committee on Commerce and the Committee on Ways and Means of the House
of Representatives detailed
recommendations on standards with respect to the privacy of individually
identifiable health information.
    (b) Subjects for Recommendations.--The recommendations under
subsection (a) shall address at least the following:
            (1) The rights that an individual who is a subject of
        individually identifiable health information should have.
            (2) The procedures that should be established for the
        exercise of such rights.
            (3) The uses and disclosures of such information that should
        be authorized or required.

    (c) Regulations.--
            (1) In general.--If legislation
        governing standards with respect to the privacy of individually
        identifiable health information transmitted in connection with
        the transactions described in section 1173(a) of the Social
        Security Act (as added by section 262) is not enacted by the
        date that is 36 months after the date of the enactment of this
        Act, the Secretary of Health and Human Services shall promulgate
        final regulations containing such standards not later than the
        date that is 42 months after the date of the enactment of this
        Act. Such regulations shall address at least the subjects
        described in subsection (b).
            (2) Preemption.--A regulation promulgated under paragraph
        (1) shall not supersede a contrary provision of State law, if
        the provision of State law imposes requirements, standards, or
        implementation specifications that are more stringent than the
        requirements, standards, or implementation specifications
        imposed under the regulation.

    (d) Consultation.--In carrying out this section, the Secretary of
Health and Human Services shall consult with--
            (1) the National Committee on Vital and Health Statistics
        established under section 306(k) of the Public Health Service
        Act (42 U.S.C. 242k(k)); and
            (2) the Attorney General.