Full text of the original 1996 HIPAA Law Subtitle F
SEC. 261. PURPOSE.
It is the purpose of this subtitle to improve the Medicare program
under title XVIII of the Social Security Act, the medicaid program under
title XIX of such Act, and the efficiency and effectiveness of the
health care system, by encouraging the development of a health
information system through the establishment of standards and
requirements for the electronic transmission of certain health
information.
SEC. 262. ADMINISTRATIVE SIMPLIFICATION.
(a) In General.--Title XI (42 U.S.C. 1301 et seq.) is amended by
adding at the end the following:
``Part C--Administrative Simplification
``definitions
``Sec. 1171. For purposes of this part:
``(1) Code set.--The term `code set' means any set of codes
used for encoding data elements, such as tables of terms,
medical concepts, medical diagnostic codes, or medical procedure
codes.
``(2) Health care clearinghouse.--The term `health care
clearinghouse' means a public or private entity that processes
or facilitates the processing of nonstandard data elements of
health information into standard data elements.
``(3) Health care provider.--The term `health care provider'
includes a provider of services (as defined in section 1861(u)),
a provider of medical or other health services (as defined in
section 1861(s)), and any other person furnishing health care
services or supplies.
``(4) Health information.--The term `health information'
means any information, whether oral or recorded in any form or
medium, that--
``(A) is created or received by a health care
provider, health plan, public health authority,
employer, life insurer, school or university, or health
care clearinghouse; and
``(B) relates to the past, present, or future
physical or mental health or condition of an individual,
the provision of health care to an individual, or the
past, present, or future payment for the provision of
health care to an individual.
``(5) Health plan.--The term `health plan' means an
individual or group plan that provides, or pays the cost of,
medical care (as such term is defined in section 2791 of the
Public Health Service Act). Such term includes the following,
and any combination thereof:
``(A) A group health plan (as defined in section
2791(a) of the Public Health Service Act), but only if
the plan--
``(i) has 50 or more participants (as defined
in section 3(7) of the Employee Retirement Income
Security Act of 1974); or
``(ii) is administered by an entity other than
the employer who established and maintains the
plan.
``(B) A health insurance issuer (as defined in
section 2791(b) of the Public Health Service Act).
``(C) A health maintenance organization (as defined
in section 2791(b) of the Public Health Service Act).
``(D) Part A or part B of the Medicare program under
title XVIII.
``(E) The medicaid program under title XIX.
``(F) A Medicare supplemental policy (as defined in
section 1882(g)(1)).
``(G) A long-term care policy, including a nursing
home fixed indemnity policy (unless the Secretary
determines that such a policy does not provide
sufficiently comprehensive coverage of a benefit so that
the policy should be treated as a health plan).
``(H) An employee welfare benefit plan or any other
arrangement which is established or maintained for the
purpose of offering or providing health benefits to the
employees of 2 or more employers.
``(I) The health care program for active military
personnel under title 10, United States Code.
``(J) The veterans health care program under chapter
17 of title 38, United States Code.
``(K) The Civilian Health and Medical Program of the
Uniformed Services (CHAMPUS), as defined in section
1072(4) of title 10, United States Code.
``(L) The Indian health service program under the
Indian Health Care Improvement Act (25 U.S.C. 1601 et
seq.).
``(M) The Federal Employees Health Benefit Plan
under chapter 89 of title 5, United States Code.
``(6) Individually identifiable health information.--The
term `individually identifiable health information' means any
information, including demographic information collected from an
individual, that--
``(A) is created or received by a health care
provider, health plan, employer, or health care
clearinghouse; and
``(B) relates to the past, present, or future
physical or mental health or condition of an individual,
the provision of health care to an individual, or the
past, present, or future payment for the provision of
health care to an individual, and--
``(i) identifies the individual; or
``(ii) with respect to which there is a
reasonable basis to believe that the information
can be used to identify the individual.
``(7) Standard.--The term `standard', when used with
reference to a data element of health information or a
transaction referred to in section 1173(a)(1), means any such
data element or transaction that meets each of the standards and
implementation specifications adopted or established by the
Secretary with respect to the data element or transaction under
sections 1172 through 1174.
``(8) Standard setting organization.--The term `standard
setting organization' means a standard setting organization
accredited by the American National Standards Institute,
including the National Council for Prescription Drug Programs,
that develops standards for information transactions, data
elements, or any other standard that is necessary to, or will
facilitate, the implementation of this part.
``general requirements for adoption of standards
``Sec. 1172. (a) Applicability.--Any standard adopted under this part shall apply, in whole or in part, to
the following persons:
``(1) A health plan.
``(2) A health care clearinghouse.
``(3) A health care provider who transmits any health
information in electronic form in connection with a transaction
referred to in section 1173(a)(1).
``(b) Reduction of Costs.--Any standard adopted under this part
shall be consistent with the objective of reducing the administrative
costs of providing and paying for health care.
``(c) Role of Standard Setting Organizations.--
``(1) In general.--Except as provided in paragraph (2), any
standard adopted under this part shall be a standard that has
been developed, adopted, or modified by a standard setting
organization.
``(2) Special rules.--
``(A) Different standards.--The Secretary may adopt
a standard that is different from any standard
developed, adopted, or modified by a standard setting
organization, if--
``(i) the different standard will
substantially reduce administrative costs to
health care providers and health plans compared to
the alternatives; and
``(ii) the standard is promulgated in
accordance with the rulemaking procedures of
subchapter III of chapter 5 of title 5, United
States Code.
``(B) No standard by standard setting
organization.--If no standard setting organization has
developed, adopted, or modified any standard relating to
a standard that the Secretary is authorized or required
to adopt under this part--
``(i) paragraph (1) shall not apply; and
``(ii) subsection (f) shall apply.
``(3) Consultation requirement.--
``(A) In general.--A standard may not be adopted
under this part unless--
``(i) in the case of a standard that has been
developed, adopted, or modified by a standard
setting organization, the organization consulted
with each of the organizations described in
subparagraph (B) in the course of such
development, adoption, or modification; and
``(ii) in the case of any other standard, the
Secretary, in complying with the requirements of
subsection (f), consulted with each of the
organizations described in subparagraph (B) before
adopting the standard.
``(B) Organizations described.--The organizations
referred to in subparagraph (A) are the following:
``(i) The National Uniform Billing Committee.
``(ii) The National Uniform Claim Committee.
``(iii) The Workgroup for Electronic Data
Interchange.
``(iv) The American Dental Association.
``(d) Implementation Specifications.--The Secretary shall establish
specifications for implementing each of the standards adopted under this
part.
``(e) Protection of Trade Secrets.--Except as otherwise required by
law, a standard adopted under this part shall not require disclosure of
trade secrets or confidential commercial information by a person
required to comply with this part.
``(f) Assistance to the Secretary.--In complying with the
requirements of this part, the Secretary shall rely on the
recommendations of the National Committee on Vital and Health Statistics
established under section 306(k) of the Public Health Service Act (42
U.S.C. 242k(k)), and shall consult with appropriate Federal and State
agencies and private organizations. The Secretary shall publish in the Federal Register any recommendation of the National Committee on Vital and Health Statistics regarding the adoption of a standard under this part.
``(g) Application to Modifications of Standards.--This section shall
apply to a modification to a standard (including an addition to a
standard) adopted under section 1174(b) in the same manner as it applies
to an initial standard adopted under section 1174(a).
``standards for information transactions and data elements
``Sec. 1173. (a) Standards To Enable Electronic Exchange.--
``(1) In general.--The Secretary shall adopt standards for
transactions, and data elements for such transactions, to enable
health information to be exchanged electronically, that are
appropriate for--
``(A) the financial and administrative transactions
described in paragraph (2); and
``(B) other financial and administrative
transactions determined appropriate by the Secretary,
consistent with the goals of improving the operation of
the health care system and reducing administrative
costs.
``(2) Transactions.--The transactions referred to in
paragraph (1)(A) are transactions with respect to the following:
``(A) Health claims or equivalent encounter
information.
``(B) Health claims attachments.
``(C) Enrollment and disenrollment in a health plan.
``(D) Eligibility for a health plan.
``(E) Health care payment and remittance advice.
``(F) Health plan premium payments.
``(G) First report of injury.
``(H) Health claim status.
``(I) Referral certification and authorization.
``(3) Accommodation of specific providers.--The
standards adopted by the Secretary under paragraph (1) shall
accommodate the needs of different types of health care
providers.
``(b) Unique Health Identifiers.--
``(1) In general.--The Secretary shall adopt standards
providing for a standard unique health identifier for each
individual, employer, health plan, and health care provider for
use in the health care system. In carrying out the preceding
sentence for each health plan and health care provider, the
Secretary shall take into account multiple uses for identifiers
and multiple locations and specialty classifications for health
care providers.
``(2) Use of identifiers.--The standards adopted under
paragraph (1) shall specify the purposes for which a unique
health identifier may be used.
``(c) Code Sets.--
``(1) In general.--The Secretary shall adopt standards
that--
``(A) select code sets for appropriate data elements
for the transactions referred to in subsection (a)(1)
from among the code sets that have been developed by
private and public entities; or
``(B) establish code sets for such data elements if
no code sets for the data elements have been developed.
``(2) Distribution.--The Secretary shall establish efficient
and low-cost procedures for distribution (including electronic
distribution) of code sets and modifications made to such code
sets under section 1174(b).
``(d) Security Standards for Health Information.--
``(1) Security standards.--The Secretary shall adopt
security standards that--
``(A) take into account--
``(i) the technical capabilities of record
systems used to maintain health information;
``(ii) the costs of security measures;
``(iii) the need for training persons who have
access to health information;
``(iv) the value of audit trails in
computerized record systems; and
``(v) the needs and capabilities of small
health care providers and rural health care
providers (as such providers are defined by the
Secretary); and
``(B) ensure that a health care clearinghouse, if it
is part of a larger organization, has policies and
security procedures which isolate the activities of the
health care clearinghouse with respect to processing
information in a manner that prevents unauthorized
access to such information by such larger organization.
``(2) Safeguards.--Each person described in section 1172(a)
who maintains or transmits health information shall maintain
reasonable and appropriate administrative, technical, and
physical safeguards--
``(A) to ensure the integrity and confidentiality of
the information;
``(B) to protect against any reasonably
anticipated--
``(i) threats or hazards to the security or
integrity of the information; and
``(ii) unauthorized uses or disclosures of the
information; and
``(C) otherwise to ensure compliance with this part
by the officers and employees of such person.
``(e) Electronic Signature.--
``(1) Standards.--The Secretary, in coordination with the
Secretary of Commerce, shall adopt standards specifying
procedures for the electronic transmission and authentication of
signatures with respect to the transactions referred to in
subsection (a)(1).
``(2) Effect of compliance.--Compliance with the standards
adopted under paragraph (1) shall be deemed to satisfy Federal
and State statutory requirements for written signatures with
respect to the transactions referred to in subsection (a)(1).
``(f) Transfer of Information Among Health Plans.--The Secretary
shall adopt standards for transferring among health plans appropriate
standard data elements needed for the coordination of benefits, the
sequential processing of claims, and other data elements for individuals
who have more than one health plan.
``timetables for adoption of standards
``Sec. 1174. (a) Initial Standards.--The
Secretary shall carry out section 1173 not later than 18 months after
the date of the enactment of the Health Insurance Portability and
Accountability Act of 1996, except that standards relating to claims
attachments shall be adopted not later than 30 months after such date.
``(b) Additions and Modifications to Standards.--
``(1) In general.--Except as provided in paragraph (2), the
Secretary shall review the standards adopted under section 1173,
and shall adopt modifications to the standards (including
additions to the standards), as determined appropriate, but not
more frequently than once every 12 months. Any addition or
modification to a standard shall be completed in a manner which
minimizes the disruption and cost of compliance.
``(2) Special rules.--
``(A) First 12-month period.--Except with respect to
additions and modifications to code sets under
subparagraph (B), the Secretary may not adopt any
modification to a standard adopted under this part
during the 12-month period beginning on the date the
standard is initially adopted, unless the Secretary
determines that the modification is necessary in order
to permit compliance with the standard.
``(B) Additions and modifications to code sets.--
``(i) In general.--The Secretary shall ensure
that procedures exist for the routine maintenance,
testing, enhancement, and expansion of code sets.
``(ii) Additional rules.--If a code set is
modified under this subsection, the modified code
set shall include instructions on how data
elements of health information that were encoded
prior to the modification may be converted or
translated so as to preserve the informational
value of the data elements that existed before the
modification. Any modification to a code set under
this subsection shall be implemented in a manner
that minimizes the disruption and cost of
complying with such modification.
``requirements
``Sec. 1175. (a) Conduct of Transactions
by Plans.--
``(1) In general.--If a person desires to conduct a
transaction referred to in section 1173(a)(1) with a health plan
as a standard transaction--
``(A) the health plan may not refuse to conduct such
transaction as a standard transaction;
``(B) the insurance plan may not delay such
transaction, or otherwise adversely affect, or attempt
to adversely affect, the person or the transaction on
the ground that the transaction is a standard
transaction; and
``(C) the information transmitted and received in
connection with the transaction shall be in the form of
standard data elements of health information.
``(2) Satisfaction of requirements.--A health plan may
satisfy the requirements under paragraph (1) by--
``(A) directly transmitting and receiving standard
data elements of health information; or
``(B) submitting nonstandard data elements to a
health care clearinghouse for processing into standard
data elements and transmission by the health care
clearinghouse, and receiving standard data elements
through the health care clearinghouse.
``(3) Timetable for compliance.--Paragraph (1) shall not be
construed to require a health plan to comply with any standard,
implementation specification, or modification to a standard or
specification adopted or established by the Secretary under
sections 1172 through 1174 at any time prior to the date on
which the plan is required to comply with the standard or
specification under subsection (b).
``(b) Compliance With Standards.--
``(1) Initial compliance.--
``(A) In general.--Not later than 24 months after
the date on which an initial standard or implementation
specification is adopted or established under sections
1172 and 1173, each person to whom the standard or
implementation specification applies shall comply with
the standard or specification.
``(B) Special rule for small health plans.--In the
case of a small health plan, paragraph (1) shall be
applied by substituting `36 months' for `24 months'. For
purposes of this subsection, the Secretary shall
determine the plans that qualify as small health plans.
``(2) Compliance with modified standards.--If the Secretary
adopts a modification to a standard or implementation
specification under this part, each person to whom the standard
or implementation specification applies shall comply with the
modified standard or implementation specification at such time
as the Secretary determines appropriate, taking into account the
time needed to comply due to the nature and extent of the
modification. The time determined appropriate under the
preceding sentence may not be earlier than the last day of the
180-day period beginning on the date such modification is
adopted. The Secretary may extend the time for compliance for
small health plans, if the Secretary determines that such
extension is appropriate.
``(3) Construction.--Nothing in this subsection shall be
construed to prohibit any person from complying with a standard
or specification by--
``(A) submitting nonstandard data elements to a
health care clearinghouse for processing into standard
data elements and transmission by the health care
clearinghouse; or
``(B) receiving standard data elements through a
health care clearinghouse.
``general penalty for failure to comply with requirements and standards
``Sec. 1176. (a) General Penalty.--
``(1) In general.--Except as provided in subsection (b), the
Secretary shall impose on any person who violates a provision of
this part a penalty of not more than $100 for each such
violation, except that the total amount imposed on the person
for all violations of an identical requirement or prohibition
during a calendar year may not exceed $25,000.
``(2) Procedures.--The provisions of section 1128A (other
than subsections (a) and (b) and the second sentence of
subsection (f)) shall apply to the imposition of a civil money
penalty under this subsection in the same manner as such
provisions apply to the imposition of a penalty under such
section 1128A.
``(b) Limitations.--
``(1) Offenses otherwise punishable.--A penalty may not be
imposed under subsection (a) with respect to an act if the act
constitutes an offense punishable under section 1177.
``(2) Noncompliance not discovered.--A penalty may not be
imposed under subsection (a) with respect to a provision of this
part if it is established to the satisfaction of the Secretary
that the person liable for the penalty did not know, and by
exercising reasonable diligence would not have known, that such
person violated the provision.
``(3) Failures due to reasonable cause.--
``(A) In general.--Except as provided in
subparagraph (B), a penalty may not be imposed under
subsection (a) if--
``(i) the failure to comply was due to
reasonable cause and not to willful neglect; and
``(ii) the failure to comply is corrected
during the 30-day period beginning on the first
date the person liable for the penalty knew, or by
exercising reasonable diligence would have known,
that the failure to comply occurred.
``(B) Extension of period.--
``(i) No penalty.--The period referred to in
subparagraph (A)(ii) may be extended as determined
appropriate by the Secretary based on the nature
and extent of the failure to comply.
``(ii) Assistance.--If the Secretary
determines that a person failed to comply because
the person was unable to comply, the Secretary may
provide technical assistance to the person during
the period described in subparagraph (A)(ii). Such
assistance shall be provided in any manner
determined appropriate by the Secretary.
``(4) Reduction.--In the case of a failure to comply which
is due to reasonable cause and not to willful neglect, any
penalty under subsection (a) that is not entirely waived under
paragraph (3) may be waived to the extent that the payment of
such penalty would be excessive relative to the compliance
failure involved.
``wrongful disclosure of individually identifiable health information
``Sec. 1177. (a) Offense.--A person who
knowingly and in violation of this part--
``(1) uses or causes to be used a unique health identifier;
``(2) obtains individually identifiable health information
relating to an individual; or
``(3) discloses individually identifiable health information
to another person,
shall be punished as provided in subsection (b).
``(b) Penalties.--A person described in subsection (a) shall--
``(1) be fined not more than $50,000, imprisoned not more
than 1 year, or both;
``(2) if the offense is committed under false pretenses, be
fined not more than $100,000, imprisoned not more than 5 years,
or both; and
``(3) if the offense is committed with intent to sell,
transfer, or use individually identifiable health information
for commercial advantage, personal gain, or malicious harm, be
fined not more than $250,000, imprisoned not more than 10 years,
or both.
``Sec. 1178. (a) General Effect.--
``(1) General rule.--Except as provided in paragraph (2), a
provision or requirement under this part, or a standard or
implementation specification adopted or established under
sections 1172 through 1174, shall supersede any contrary
provision of State law, including a provision of State law that
requires medical or health plan records (including billing
information) to be maintained or transmitted in written rather
than electronic form.
``(2) Exceptions.--A provision or requirement under this
part, or a standard or implementation specification adopted or
established under sections 1172 through 1174, shall not
supersede a contrary provision of State law, if the provision of
State law--
``(A) is a provision the Secretary determines--
``(i) is necessary--
``(I) to prevent fraud and abuse;
``(II) to ensure appropriate State
regulation of insurance and health
plans;
``(III) for State reporting on
health care delivery or costs; or
``(IV) for other purposes; or
``(ii) addresses controlled substances; or
``(B) subject to section 264(c)(2) of the Health
Insurance Portability and Accountability Act of 1996,
relates to the privacy of individually identifiable
health information.
``(b) Public Health.--Nothing in this part shall be construed to
invalidate or limit the authority, power, or procedures established
under any law providing for the reporting of disease or injury, child
abuse, birth, or death, public health surveillance, or public health
investigation or intervention.
``(c) State Regulatory Reporting.--Nothing in this part shall limit
the ability of a State to require a health plan to report, or to provide
access to, information for management audits, financial audits, program
monitoring and evaluation, facility licensure or certification, or
individual licensure or certification.
``processing payment transactions by financial institutions
``Sec. 1179. To the extent that an entity
is engaged in activities of a financial institution (as defined in
section 1101 of the Right to Financial Privacy Act of 1978), or is
engaged in authorizing, processing, clearing, settling, billing,
transferring, reconciling, or collecting payments, for a financial
institution, this part, and any standard adopted under this part, shall
not apply to the entity with respect to such activities, including the
following:
``(1) The use or disclosure of information by the entity for
authorizing, processing, clearing, settling, billing,
transferring, reconciling or collecting, a payment for, or
related to, health plan premiums or health care, where such
payment is made by any means, including a credit, debit, or
other payment card, an account, check, or electronic funds
transfer.
``(2) The request for, or the use or disclosure of,
information by the entity with respect to a payment described in
paragraph (1)--
``(A) for transferring receivables;
``(B) for auditing;
``(C) in connection with--
``(i) a customer dispute; or
``(ii) an inquiry from, or to, a customer;
``(D) in a communication to a customer of the entity
regarding the customer's transactions, payment card,
account, check, or electronic funds transfer;
``(E) for reporting to consumer reporting agencies;
or
``(F) for complying with--
``(i) a civil or criminal subpoena; or
``(ii) a Federal or State law regulating the
entity.''.
(b) Conforming Amendments.--
(1) Requirement for medicare providers.--Section 1866(a)(1)
(42 U.S.C. 1395cc(a)(1)) is amended--
(A) by striking ``and'' at the end of subparagraph
(P);
(B) by striking the period at the end of
subparagraph (Q) and inserting ``; and''; and
(C) by inserting immediately after subparagraph (Q)
the following new subparagraph:
``(R) to contract only with a health care clearinghouse (as
defined in section 1171) that meets each standard and
implementation specification adopted or established under part C
of title XI on or after the date on which the health care
clearinghouse is required to comply with the standard or
specification.''.
(2) Title heading.--Title XI (42 U.S.C. 1301 et seq.) is
amended by striking the title heading and inserting the
following:
``TITLE XI--GENERAL PROVISIONS, PEER REVIEW, AND ADMINISTRATIVE SIMPLIFICATION''.
SEC. 263. CHANGES IN MEMBERSHIP AND DUTIES OF NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS.
Section 306(k) of the Public Health Service Act (42 U.S.C. 242k(k))
is amended--
(1) in paragraph (1), by striking ``16'' and inserting
``18'';
(2) by amending paragraph (2) to read as follows:
``(2) The members of the Committee shall be appointed from among
persons who have distinguished themselves in the fields of health
statistics, electronic interchange of health care information, privacy
and security of electronic information, population-based public health,
purchasing or financing health care services, integrated computerized
health information systems, health services research, consumer interests
in health information, health data standards, epidemiology, and the
provision of health services. Members of the Committee shall be
appointed for terms of 4 years.'';
(3) by redesignating paragraphs (3) through (5) as
paragraphs (4) through (6), respectively, and inserting after
paragraph (2) the following:
``(3) Of the members of the Committee--
``(A) 1 shall be appointed, not later than 60 days after the
date of the enactment of the Health Insurance Portability and
Accountability Act of 1996, by the Speaker of the House of
Representatives after consultation with the Minority Leader of
the House of Representatives;
``(B) 1 shall be appointed, not later than 60 days after the
date of the enactment of the Health Insurance Portability and
Accountability Act of 1996, by the President pro tempore of the
Senate after consultation with the Minority Leader of the
Senate; and
``(C) 16 shall be appointed by the Secretary.'';
(4) by amending paragraph (5) (as so redesignated) to read
as follows:
``(5) The Committee--
``(A) shall assist and advise the Secretary--
``(i) to delineate statistical problems bearing on
health and health services which are of national or
international interest;
``(ii) to stimulate studies of such problems by
other organizations and agencies whenever possible or to
make investigations of such problems through
subcommittees;
``(iii) to determine, approve, and revise the terms,
definitions, classifications, and guidelines for
assessing health status and health services, their
distribution and costs, for use (I) within the
Department of Health and Human Services, (II) by all
programs administered or funded by the Secretary,
including the Federal-State-local cooperative health
statistics system referred to in subsection (e), and
(III) to the extent possible as determined by the head
of the agency involved, by the Department of Veterans
Affairs, the Department of Defense, and other Federal
agencies concerned with health and health services;
``(iv) with respect to the design of and approval of
health statistical and health information systems
concerned with the collection, processing, and
tabulation of health statistics within the Department of
Health and Human Services, with respect to the
Cooperative Health Statistics System established under
subsection (e), and with respect to the standardized
means for the collection of health information and
statistics to be established by the Secretary under
subsection (j)(1);
``(v) to review and comment on findings and
proposals developed by other organizations and agencies
and to make recommendations for their adoption or
implementation by local, State, national, or
international agencies;
``(vi) to cooperate with national committees of
other countries and with the World Health Organization
and other national agencies in the studies of problems
of mutual interest;
``(vii) to issue an annual
report on the state of the Nation's health, its health
services, their costs and distributions, and to make
proposals for improvement of the Nation's health
statistics and health information systems; and
``(viii) in complying with the requirements imposed
on the Secretary under part C of title XI of the Social
Security Act;
``(B) shall study the issues related to the adoption of
uniform data standards for patient medical record information
and the electronic exchange of such information;
``(C) shall report to the Secretary not
later than 4 years after the date of the enactment of the Health
Insurance Portability and Accountability Act of 1996
recommendations and legislative proposals for such standards and
electronic exchange; and
``(D) shall be responsible generally for advising the
Secretary and the Congress on the status of the implementation
of part C of title XI of the Social Security Act.''; and
(5) by adding at the end the following:
``(7) Not later than 1 year after the date of
the enactment of the Health Insurance Portability and Accountability Act
of 1996, and annually thereafter, the Committee shall submit to the
Congress, and make public, a report regarding the implementation of part
C of title XI of the Social Security Act. Such report shall address the
following subjects, to the extent that the Committee determines
appropriate:
``(A) The extent to which persons required to comply with
part C of title XI of the Social Security Act are cooperating in
implementing the standards adopted under such part.
``(B) The extent to which such entities are meeting the
security standards adopted under such part and the types of
penalties assessed for noncompliance with such standards.
``(C) Whether the Federal and State Governments are
receiving information of sufficient quality to meet their
responsibilities under such part.
``(D) Any problems that exist with respect to implementation
of such part.
``(E) The extent to which timetables under such part are
being met.''.
SEC. 264. RECOMMENDATIONS WITH RESPECT TO PRIVACY OF CERTAIN HEALTH INFORMATION.
(a) In General.--Not later than the date that is 12 months after the
date of the enactment of this Act, the Secretary of
Health and Human Services shall submit to the Committee on Labor and
Human Resources and the Committee on Finance of the Senate and the
Committee on Commerce and the Committee on Ways and Means of the House
of Representatives detailed
recommendations on standards with respect to the privacy of individually
identifiable health information.
(b) Subjects for Recommendations.--The recommendations under
subsection (a) shall address at least the following:
(1) The rights that an individual who is a subject of
individually identifiable health information should have.
(2) The procedures that should be established for the
exercise of such rights.
(3) The uses and disclosures of such information that should
be authorized or required.
(c) Regulations.--
(1) In general.--If legislation
governing standards with respect to the privacy of individually
identifiable health information transmitted in connection with
the transactions described in section 1173(a) of the Social
Security Act (as added by section 262) is not enacted by the
date that is 36 months after the date of the enactment of this
Act, the Secretary of Health and Human Services shall promulgate
final regulations containing such standards not later than the
date that is 42 months after the date of the enactment of this
Act. Such regulations shall address at least the subjects
described in subsection (b).
(2) Preemption.--A regulation promulgated under paragraph
(1) shall not supercede a contrary provision of State law, if
the provision of State law imposes requirements, standards, or
implementation specifications that are more stringent than the
requirements, standards, or implementation specifications
imposed under the regulation.
(d) Consultation.--In carrying out this section, the Secretary of
Health and Human Services shall consult with--
(1) the National Committee on Vital and Health Statistics
established under section 306(k) of the Public Health Service
Act (42 U.S.C. 242k(k)); and
(2) the Attorney General.