26 May 1998
Source: http://www.access.gpo.gov/su_docs/aces/aaces002.html

-------------------------------------------------------------------------

[DOCID: f:h3900ih.txt]

105th CONGRESS
2d Session

H. R. 3900

To establish Federal penalties for prohibited uses and disclosures of individually identifiable health information, to establish a right in an individual to inspect and copy their own health information, and for other purposes.

_______________________________________________________________________

IN THE HOUSE OF REPRESENTATIVES

May 19, 1998

Mr. Shays (for himself and Mr. Barrett of Wisconsin) introduced the following bill; which was referred to the Committee on Commerce, and in addition to the Committees on Ways and Means, and Government Reform and Oversight, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

_______________________________________________________________________

A BILL

To establish Federal penalties for prohibited uses and disclosures of individually identifiable health information, to establish a right in an individual to inspect and copy their own health information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) Short Title.--This Act may be cited as the ``Consumer Health and Research Technology (CHART) Protection Act''.
    (b) Table of Contents.--The table of contents for this Act is as follows:

Sec. 1. Short title; table of contents.

                TITLE I--RESTRICTIONS ON USE AND DISCLOSURE

Sec. 101. General prohibitions and exceptions.
Sec. 102. Special rules for anonymized information.
Sec. 103. General requirements for authorization of disclosure of information.
Sec. 104. Disclosure in civil proceedings.
Sec. 105. Disclosure for criminal law enforcement purposes.
Sec. 106. Disclosures for archival research.

                      TITLE II--INDIVIDUALS' RIGHTS

Sec. 201. Inspection and copying of health information.
Sec. 202. Amendment of individually identifiable health information.
Sec. 203. Notice of confidentiality practices.

                         TITLE III--ENFORCEMENT

Sec. 301. Criminal penalties.
Sec. 302. Civil action.
Sec. 303. Program exclusions.

                      TITLE IV--GENERAL PROVISIONS

Sec. 401. Standards for electronic disclosures.
Sec. 402. Authorized representatives.
Sec. 403. Relationship to other laws.
Sec. 404. Reports analyzing impact of Act.
Sec. 405. Effective date.
Sec. 406. Definitions.

                TITLE I--RESTRICTIONS ON USE AND DISCLOSURE

SEC. 101. GENERAL PROHIBITIONS AND EXCEPTIONS.

    Except as otherwise provided in this Act, and subject to the following exceptions, the following prohibited actions and inactions on the part of a person shall be considered a violation of this Act:
            (1) Disclosure in absence of, or inconsistent with, authorization.--
                    (A) In general.--Subject to the exceptions described in subparagraph (B)--
                            (i) a negligent or intentional disclosure of individually identifiable health information without an authorization with respect to the information that satisfies the requirements of section 103, is prohibited, unless the disclosure is governed by section 104 or 105; and
                            (ii) a negligent or intentional disclosure of individually identifiable health information, by a person granted authority under an authorization with respect to the information that satisfies the requirements of section 103, that is inconsistent with the provisions of the authorization, is prohibited.
                    (B) Exceptions.--A disclosure otherwise prohibited under subparagraph (A) is not prohibited when--
                            (i) made by an individual whose health or health care is the subject of the information (or an authorized representative of such an individual, pursuant to section 402);
                            (ii) made for the purpose of providing, or facilitating the provision of, health care to an individual described in clause (i);
                            (iii) made for the purpose of facilitating payment activities related to health care provided to an individual described in clause (i);
                            (iv) made pursuant to a specific affirmative authorization, or a requirement, under State or Federal law, for use in legally authorized--
                                    (I) reporting of abuse, domestic violence, or neglect information about any individual;
                                    (II) disease or injury reporting about any individual;
                                    (III) public health surveillance, such as birth and death reporting;
                                    (IV) public health investigation or intervention;
                                    (V) management audits, financial audits, or program monitoring and evaluation; or
                                    (VI) licensure, certification, accreditation, utilization review, quality assurance activities, benchmarking, or outcomes management and assessment;
                            (v) made pursuant to an authorization granted in a contract providing health care benefits for an individual described in clause (i), for the purpose of licensure, certification, accreditation, utilization review, quality assurance activities, benchmarking, or outcomes management and assessment;
                            (vi) made to a health researcher--
                                    (I) in accordance with a research protocol approved by an institutional review board; or
                                    (II) in accordance with section 106(a); or
                            (vii) made to a party to, or potential party to, a merger or acquisition of a commercial enterprise, in anticipation of, or upon, the merger or acquisition.
            (2) Failure to provide for reasonable protections against prohibited disclosures.--
                    (A) In general.--Subject to the exception described in subparagraph (B), a negligent or intentional failure to provide for reasonable protections against disclosures of individually identifiable health information that are prohibited under this Act is prohibited, including--
                            (i) a failure to establish and enforce reasonable and appropriate administrative, technical, and physical safeguards--
                                    (I) to ensure the confidentiality of individually identifiable health information; and
                                    (II) to protect against--
                                            (aa) any reasonably anticipated threats or hazards to the security or integrity of such information; and
                                            (bb) unauthorized uses or disclosures of the information;
                            (ii) a failure to establish procedures for determining a response to a subpoena, warrant, court order, or other request from a government authority for disclosure of such information; and
                            (iii) a failure to provide for secure destruction of such information, where destruction of the information is desired.
                    (B) Exception.--A failure described in subparagraph (A) is not prohibited when it is by an individual whose health or health care is the subject of the information (or an authorized representative of such an individual, pursuant to section 402).
            (3) Failure to implement written policies for compliance.--
                    (A) In general.--Subject to the exception described in subparagraph (B), with respect to a person whose employees, agents, or contractors come in contact with individually identifiable health information in the course of their employment, agency, or contract execution, a negligent or intentional failure to establish and implement written policies concerning compliance with this Act is prohibited, including--
                            (i) a failure to establish procedures for monitoring access to individually identifiable health information;
                            (ii) a failure to establish rules limiting access to such information to persons whose duties require such access; and
                            (iii) a failure to provide for the enforcement of such policies.
                    (B) Exception.--A failure described in subparagraph (A) is not prohibited when it is by an individual whose health or health care is the subject of the information (or an authorized representative of such an individual, pursuant to section 402).
            (4) Failure to enter into written agreement with business associates respecting compliance.--A negligent or intentional failure to enter into a written agreement with an agent, contractor, or other person to whom individually identifiable health information is disclosed for a business purpose (such as persons who encode or encrypt information, data management contractors, and utilization review and accreditation organizations), prior to such disclosure, specifying the limitations on their use and retention of such information and informing them of their responsibilities under this Act, is prohibited.
            (5) Compliance with research requirements.--A negligent or intentional action is prohibited where it consists of--
                    (A) a disclosure for health research purposes of individually identifiable health information that--
                            (i) has not been approved by an institutional review board; or
                            (ii) does not satisfy the requirements of section 106; or
                    (B) a use or disclosure of individually identifiable health information in violation of--
                            (i) a research protocol approved by an institutional review board or any other requirement or condition concerning such use or disclosure established by such a review board; or
                            (ii) any requirement or condition concerning such use or disclosure established by a person making, or approving, a disclosure under section 106.
            (6) Anonymized information.--A use of anonymized information, or an encryption key or coding system used to anonymize information, in violation of section 102, is prohibited.
            (7) Civil proceeding.--A negligent or intentional disclosure of individually identifiable health information pursuant to a subpoena or discovery request related to a civil proceeding, in violation of section 104, is prohibited.
            (8) Criminal proceeding.--A negligent or intentional disclosure of individually identifiable health information for a criminal law enforcement purpose, in violation of section 105, or a negligent or intentional use of information obtained pursuant to such section in violation of the section, is prohibited.
            (9) Sale or commercial publication.--
                    (A) In general.--Subject to the exceptions described in subparagraph (B), an intentional disclosure of individually identifiable health information that constitutes a sale or commercial publication of the information, is prohibited.
                    (B) Exceptions.--A disclosure otherwise prohibited under subparagraph (A) is not prohibited when--
                            (i) the disclosure is made by an individual whose health or health care is the subject of the information (or an authorized representative of such an individual, pursuant to section 402); or
                            (ii) the disclosure is made to a person having a written authorization permitting the disclosure that satisfies the requirements of section 103.
            (10) Fraud or misrepresentation.--Use of fraud, duress, deceit, or misrepresentation to obtain access to individually identifiable health information is prohibited.

SEC. 102. SPECIAL RULES FOR ANONYMIZED INFORMATION.

    (a) Definition.--For purposes of this Act, the term ``anonymized information'' means individually identifiable health information from which personal identifiers and means of directly contacting any subject of the information (including name, address, and social security number), have been removed, encrypted, or replaced with a code, in a manner such that the identity of any such subject is not apparent from the facts contained in the information, but may, in the case of encrypted or coded information, be determined by a person with access to the encryption key or coding system. Such term does not include any such encryption key or coding system.
    (b) Use.--
            (1) In general.--Subject to paragraph (2), a person may use anonymized information, or an encryption key or coding system described in subsection (c)(2), for any lawful purpose, if the person, in such use, does not--
                    (A) attempt to identify any individual with respect to whom information has been removed, encrypted, or replaced with a code; or
                    (B) intentionally use the anonymized information, the key, or the coding system in any way that results in the identification of any such individual.
            (2) Exceptions.--A use otherwise prohibited under paragraph (1) is not prohibited when any of the following circumstances apply:
                    (A) The use is by an individual whose health or health care is the subject of the information (or an authorized representative of such an individual, pursuant to section 402).
                    (B) The use is by a person having an authorization permitting the use that satisfies the requirements of section 103.
                    (C) The use is for the purpose of providing, or facilitating the provision of, health care to an individual described in subparagraph (A).
                    (D) The use is for the purpose of facilitating payment activities related to health care provided to an individual described in subparagraph (A).
                    (E) The use is pursuant to a specific affirmative authorization, or a requirement, under State or Federal law, for legally authorized--
                            (i) disease or injury reporting;
                            (ii) public health surveillance, such as birth and death reporting, and reporting incidents of abuse, domestic violence, or neglect;
                            (iii) public health investigation or intervention;
                            (iv) management audits, financial audits, or program monitoring and evaluation; or
                            (v) licensure, certification, accreditation, utilization review, quality assurance activities, benchmarking, or outcomes management and assessment.
                    (F) The use is pursuant to an authorization granted in a contract providing health care benefits for an individual described in subparagraph (A), for the purpose of licensure, certification, accreditation, utilization review, quality assurance activities, benchmarking, or outcomes management and assessment.
                    (G) The use is by a health researcher and is--
                            (i) in accordance with a research protocol approved by an institutional review board and any other requirement or condition concerning such use established by such a review board; or
                            (ii) in accordance with any requirement or condition concerning such use established by a person making, or approving, a disclosure under section 106.
                    (H) The use is by a party to, or potential party to, a merger or acquisition of a commercial enterprise, in anticipation of, or upon, the merger or acquisition.
    (c) Disclosure.--
            (1) Anonymized information.--For purposes of this Act, disclosure of anonymized information shall not be considered disclosure of individually identifiable health information, unless it is disclosed with an encryption key or coding system described in paragraph (2) in a manner such that the combined information satisfies the requirements of section 406(8).
            (2) Encryption key or code.--For purposes of this Act, disclosure of an encryption key or coding system that is used to determine the identity of any individual with respect to whom information has been removed, encrypted, or replaced with a code, in order to create anonymized information, shall not be considered disclosure of individually identifiable health information, unless it is disclosed with anonymized information in a manner such that the combined information satisfies the requirements of section 406(8).
    (d) Decoded Information.--Formerly anonymized information that has been manipulated to reveal a part of the information that had been removed, encrypted, or replaced with a code in order to render it anonymized information is individually identifiable health information and is subject, beginning on the date of such manipulation, to all of the requirements of this part relating to individually identifiable information.

SEC. 103. GENERAL REQUIREMENTS FOR AUTHORIZATION OF DISCLOSURE OF INFORMATION.

    (a) In General.--For purposes of section 101, an authorization satisfies the requirements of this section if it--
            (1) is in writing;
            (2) is executed by an individual whose health or health care is the subject of the information (or an authorized representative of such an individual, pursuant to section 402); and
            (3) satisfies the requirements of subsection (b).
    (b) Requirements.--An authorization satisfies the requirements in this subsection if--
            (1) it includes the following:
                    (A) a general statement of the purposes for which the individually identifiable health information disclosed pursuant to the authorization may be used;
                    (B) a general description of the persons who are authorized to use such information;
                    (C) a valid signature of an individual whose health or health care is the subject of the information (or an authorized representative of such individual);
                    (D) the date of the signature;
                    (E) an expiration date upon which the authorization is no longer valid; and
                    (F) reasonable procedures permitting such individual or representative to revoke the authorization; and
            (2) in a case in which the purposes under paragraph (1)(A) include health research, the provisions of the authorization that relate to such research--
                    (A) include each of the elements described in paragraph (1);
                    (B) are set out separately from the remaining provisions and are independent from them; and
                    (C) are subject to separate revocation procedures, the use of which does not per se effect a revocation of the remaining provisions.
    (c) Effect of Good Faith Reliance on Authorization.--A person shall not be liable, or subject to punishment under State or Federal law, for a disclosure of individually identifiable health information, where the disclosure--
            (1) was made in good faith reliance on an authorization executed by the individual that satisfies the requirements of this section; and
            (2) was consistent with the provisions of the authorization.

SEC. 104. DISCLOSURE IN CIVIL PROCEEDINGS.

    (a) In General.--A person may not disclose individually identifiable health information for use in a civil law enforcement investigation, a civil administrative action, or a civil action brought in Federal or State court, in the absence of--
            (1) an otherwise valid discovery request, an administrative subpoena or summons, or a judicial subpoena; and
            (2) an order issued by the presiding judge or official upon a determination that the need for the information of the person requesting the disclosure substantially outweighs the privacy interest of each individual whose health or health care is the subject of the information.
    (b) Construction.--This section shall not be construed to supersede any ground that may otherwise apply under Federal or State law for an objection to the disclosure of individually identifiable health information in any civil action.

SEC. 105. DISCLOSURE FOR CRIMINAL LAW ENFORCEMENT PURPOSES.

    (a) In General.--A person may not disclose individually identifiable health information for a criminal law enforcement purpose--
            (1) in the absence of--
                    (A) a subpoena issued under the authority of a grand jury;
                    (B) an administrative subpoena or summons or a judicial subpoena or warrant; or
                    (C) a request otherwise authorized by law from a law enforcement agency; and
            (2) in the case of a disclosure under subparagraph (B) or (C) of paragraph (1), in the absence of a court order issued upon a determination that the need for the information of the person requesting the disclosure substantially outweighs the privacy interest of each individual whose health or health care is the subject of the information.
    (b) Destruction or Return of Information.--When the proceeding for which individually identifiable health information was disclosed is concluded, including any derivative matters arising from such proceeding, the person to whom the disclosure was made shall either destroy the individually identifiable health information, or return it to the person from whom it was obtained.
    (c) Redactions.--To the extent practicable, and consistent with the requirements of due process, a criminal law enforcement agency shall redact personally identifying information from individually identifiable health information prior to the public disclosure of such information in a judicial or administrative proceeding.
    (d) Use of Information.--Individually identifiable health information obtained by a criminal law enforcement agency pursuant to this section may only be used for purposes of a legitimate criminal law enforcement activity.

SEC. 106. DISCLOSURES FOR ARCHIVAL RESEARCH.

    (a) In General.--A person described in subsection (b) may disclose individually identifiable health information, that was previously created or collected by the person and maintained by the person in an archive or other repository, to a health researcher pursuant to this subsection, if--
            (1) the disclosure is made for the purpose of permitting the health researcher to carry out health research that involves analysis of the information;
            (2) the disclosure has been reviewed and approved, by a board, committee, or other group formally designated by the person to review requests for such information, in accordance with written standards for confidentiality that specify permissible and impermissible uses of such information for health research;
            (3) the person enters into a written agreement with the health researcher that is consistent with this Act and specifies the permissible and impermissible future uses and disclosures of the information;
            (4) the person provides notice to the health researcher that any future use or disclosure of the information that is prohibited under this Act or the agreement described in paragraph (3) may provide a basis for a civil action against the researcher or may result in other adverse consequences for the researcher; and
            (5) the person maintains a permanent record documenting the scope and substance of the disclosure.
    (b) Persons Described.--A person described in this subsection is any of the following:
            (1) A health care provider.
            (2) A health plan.
            (3) A public health authority.
            (4) An employer.
            (5) A health or life insurer.
            (6) A school or university.

                      TITLE II--INDIVIDUALS' RIGHTS

SEC. 201. INSPECTION AND COPYING OF HEALTH INFORMATION.

    (a) In General.--Subject to subsections (b) and (c), a person who is a health care provider, health plan, employer, health or life insurer, school, or university shall permit an individual who is the subject of individually identifiable health information, or the individual's designee, to inspect and copy individually identifiable health information concerning the individual, including records created under section 202, that the person maintains. The person may set forth appropriate procedures to be followed for such inspection and copying and may require an individual to pay reasonable fees associated with such inspection and copying and may require an individual to provide written authorization of a provider designated by such individual through which the requested information will be made available.
    (b) Effect of Other Law.--
            (1) Disclosure prohibited by other law.--A person described in subsection (a) may not permit the inspection or copying of individually identifiable health information under such subsection, if such inspection or copying is prohibited by any provision of law other than this Act.
            (2) Disclosure limited by other law.--A person described in subsection (a) shall limit the inspection or copying of individually identifiable health information under such subsection to the extent required by, and consistent with, any limitation on such inspection or copying in any provision of law other than this Act that is applicable to the person.
    (c) Additional Exceptions.--A person described in subsection (a) is not required to permit the inspection or copying of individually identifiable health information if any of the following exceptions apply:
            (1) Endangerment to life or safety.--The person determines that the disclosure of the information could reasonably be expected to endanger the life or physical safety of any individual.
            (2) Confidential source.--The information identifies, or could reasonably lead to the identification of, a person who provided information under a promise of confidentiality to a health care provider or life insurer concerning the individual who is the subject of the information.
            (3) Information compiled in anticipation of litigation.--The information is compiled principally--
                    (A) in the anticipation of a civil, criminal, or administrative action or proceeding; or
                    (B) for use in such action or proceeding.
            (4) Research purposes.--The information was collected for or during a clinical trial monitored by an institutional review board in which the individual was a participant.
    (d) Denial of a Request for Inspection or Copying.--If a person described in subsection (a) denies an individual's request for inspection or copying pursuant to subsection (b) or (c), the person shall inform the individual of--
            (1) the reasons for the denial of the request for inspection or copying;
            (2) any procedures for further review of the denial; and
            (3) the individual's right to file with the person a concise statement setting forth the request for inspection or copying.
    (e) Statement Regarding Request.--If an individual has filed a statement under subsection (d)(3), the person, in any subsequent disclosure of the portion of the information requested under subsection (a), shall include--
            (1) a notation that such individual has filed a request for inspection and that such request was denied; and
            (2) a concise statement of the reasons for denying the request for inspection or copying.
    (f) Deadline.--A person described in subsection (a) shall comply with or deny, in accordance with subsection (d), a request for inspection or copying of individually identifiable health information under this section not later than 45 days after the date on which the person receives the request.
    (g) Rules Governing Agents.--An agent of a person described in subsection (a) shall not be required to provide for the inspection and copying of individually identifiable health information, except where--
            (1) the individually identifiable health information is retained by the agent; and
            (2) the agent has been asked by the person to fulfill the requirements of this section.
    (h) Rule of Construction.--This section shall not be construed to require a person described in subsection (a) to conduct a formal, informal, or other hearing or proceeding concerning a request for inspection or copying of individually identifiable health information.

SEC. 202. AMENDMENT OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION.

    (a) In General.--Not later than 45 days after the date on which a person who is a health care provider, health plan, employer, health or life insurer, school, or university receives from an individual who is a subject of individually identifiable health information a request in writing to amend the information, the person--
            (1) shall make the amendment requested;
            (2) shall inform the individual of the amendment that has been made; and
            (3) shall make reasonable efforts to inform any person who is identified by the individual, who is not an officer, employer, or agent of the entity, and to whom the unamended portion of the information was disclosed during the preceding year, of any nontechnical amendment that has been made.
    (b) Refusal To Amend.--If a person described in subsection (a) refuses to make an amendment requested by an individual under such subsection, the person shall inform the individual of--
            (1) the reasons for the refusal to make the amendment;
            (2) any procedures for further review of the refusal; and
            (3) the individual's right to file with the person a concise statement setting forth the requested amendment and the individual's reasons for disagreeing with the refusal.
    (c) Statement of Disagreement.--If an individual has filed a statement of disagreement with a person under subsection (b)(3), the person, in any subsequent disclosure of the disputed portion of the information--
            (1) shall include a notation that such individual has filed a statement of disagreement; and
            (2) may include a concise statement of the reasons for not making the requested amendment.
    (d) Rules Governing Agents.--The agent of a person described in subsection (a) shall not be required to make amendments to individually identifiable health information, except where--
            (1) the information is retained by the agent; and
            (2) the agent has been asked by such person to fulfill the requirements of this section.
    (e) Repeated Requests for Amendments.--If a person described in subsection (a) receives a duplicative request for an amendment of information as provided for in such subsection and a statement of disagreement with respect to the request has been filed pursuant to subsection (c), the person shall inform the individual of such filing and shall not be required to carry out the procedures required under this section.
    (f) Rule of Construction.--This section shall not be construed--
            (1) to require a person described in subsection (a) to conduct a formal, informal, or other hearing or proceeding concerning a request for an amendment to individually identifiable health information;
            (2) to require a person described in subsection (a) to make an amendment with which the person disagrees; or
            (3) to require the alteration of any arrangement, written agreement, or obligation with respect to the delivery of, or payment for, health care.

SEC. 203. NOTICE OF CONFIDENTIALITY PRACTICES.

    (a) Preparation of Written Notice.--A health care provider, health plan, health oversight agency, public health authority, employer, health or life insurer, health researcher, school, or university shall post or provide, in writing and in a clear and conspicuous manner, notice of the person's confidentiality practices, that shall include--
            (1) a description of an individual's rights with respect to individually identifiable health information;
            (2) the uses and disclosures of individually identifiable health information authorized under this Act;
            (3) the procedures established by the person for authorizing disclosures of individually identifiable health information and for revoking such authorizations;
            (4) the procedures established by the person for the exercise of the individual's rights; and
            (5) the procedures established by the person for providing copies of the notice.
(b) Model Notice.--The Secretary, after notice and opportunity for public comment, shall develop and disseminate model notices of confidentiality practices, for use under this section. Use of the model notice developed by the Secretary shall serve as a complete defense in any civil action to an allegation that a violation of this section has occurred. TITLE III--ENFORCEMENT SEC. 301. CRIMINAL PENALTIES. (a) Offense.--A person who knowingly and in violation of this Act obtains individually identifiable health information, uses such information, or discloses such information to another person, knowing that such obtaining, use, or disclosure is unlawful, shall be punished as provided in subsection (b). (b) Penalties.--A person described in subsection (a) shall-- (1) be fined not more than $50,000, imprisoned not more than 1 year, or both; (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both. SEC. 302. CIVIL ACTION. (a) In General.--Any individual whose rights under this Act have been knowingly or negligently violated may bring a civil action to recover such preliminary and equitable relief as the court determines to be appropriate. (b) Attorney's Fees.--In the case of a civil action brought under subsection (a) in which the plaintiff has substantially prevailed, the court may assess against the respondent a reasonable attorney's fee and other litigation costs and expenses (including expert fees) reasonably incurred. (c) Limitation.--No action may be commenced under this subsection by an individual more than 2 years after the date on which the violation was, or should reasonably have been, discovered by the individual. 
(d) No Liability for Permissible Disclosures.--A person who makes a disclosure of individually identifiable health information about an individual that is permitted under this Act shall not be liable to the individual for such disclosure under common law. SEC. 303. PROGRAM EXCLUSIONS. (a) Exclusion From Participation in Federal and State Health Care Programs.--Section 1128(b) of the Social Security Act (42 U.S.C. 1320a- 7(b)) is amended by adding at the end the following: ``(16) Failure lawfully to treat individually identifiable health information.--Any individual or entity that the Secretary determines has failed substantially to comply with a provision of the Consumer Health and Research Technology (CHART) Protection Act.''. (b) Exclusion of Providers From Participation in Federal Employees Health Benefits Program.--Section 8902a(b) of title 5, United States Code, is amended by adding at the end the following: ``(6) Any provider that the Secretary of Health and Human Services has determined has failed substantially to comply with a provision of the Consumer Health and Research Technology (CHART) Protection Act.''. TITLE IV--GENERAL PROVISIONS SEC. 401. STANDARDS FOR ELECTRONIC DISCLOSURES. The National Committee on Vital and Health Statistics, in consultation with the National Science Foundation, shall promulgate standards for disclosing, authorizing the use and disclosure of, and authenticating, individually identifiable health information in electronic form, in a manner consistent with this Act. SEC. 402. AUTHORIZED REPRESENTATIVES. (a) In General.--Except as provided in subsections (b) and (c), a person who is authorized by law, or by an instrument recognized under law, to act as an agent, attorney, proxy, or other legal representative for an individual, otherwise to exercise the rights of the individual, may, to the extent so authorized, exercise and discharge the rights of the individual under this Act. 
    (b) Health Care Power of Attorney.--A person who is not described in subsection (a), but is authorized by law or by an instrument recognized under law to make decisions about the provision of health care to an individual who is incapacitated, may exercise and discharge the rights of the individual under this Act, to the extent necessary to effectuate the terms or purposes of the grant of authority.
    (c) No Court Declaration.--If a health care provider determines that an individual, who has not been declared to be legally incompetent, suffers from a medical condition that prevents the individual from acting knowingly or effectively on the individual's own behalf, the right of the individual to authorize disclosure under this Act may be exercised and discharged in the best interest of the individual by--
        (1) a person described in subsection (b) with respect to the individual;
        (2) a person described in subsection (a) with respect to the individual, but only if a person described in paragraph (1) cannot be contacted after a reasonable effort;
        (3) the next of kin of the individual, but only if a person described in paragraph (1) or (2) cannot be contacted after a reasonable effort; or
        (4) the health care provider, but only if a person described in paragraph (1), (2), or (3) cannot be contacted after a reasonable effort.
    (d) Application to Deceased Individuals.--The provisions of this Act shall continue to apply to individually identifiable health information concerning a deceased individual for a period of 2 years following the death of that individual.
    (e) Exercise of Rights on Behalf of a Deceased Individual.--A person who is authorized by law or by an instrument recognized under law, to act as an executor of the estate of a deceased individual, or otherwise to exercise the rights of the deceased individual, may, to the extent so authorized, exercise and discharge the rights of such deceased individual under this Act for a period of 2 years following the death of that individual. If no such designee has been authorized, the rights of the deceased individual may be exercised as provided for in subsection (c).

SEC. 403. RELATIONSHIP TO OTHER LAWS.

    (a) In General.--
        (1) State law.--Except as provided in subsections (b) through (f), the provisions of this Act shall preempt any State law that directly relates to matters covered by this Act.
        (2) Federal law.--This Act shall not be construed as repealing, explicitly or implicitly, other Federal laws or regulations relating to individually identifiable health information or relating to an individual's access to health care services.
    (b) Privileges.--This Act does not preempt or modify State common or statutory law to the extent such law concerns a privilege of a witness or person in a court of the State. This Act does not supersede or modify Federal common or statutory law to the extent such law concerns a privilege of a witness or person in a court of the United States. The execution of an authorization pursuant to section 103 may not be construed as a waiver of any such privilege.
    (c) Certain Duties Under Law.--Nothing in this Act shall be construed to preempt, supersede, or modify the operation of any State law that--
        (1) provides for the reporting of vital statistics such as birth or death information;
        (2) requires the reporting of abuse, domestic violence, or neglect information about any individual;
        (3) regulates information concerning an individual's mental health or communicable disease status; or
        (4) governs a minor's rights to access individually identifiable health information or health care services.
    (d) Relationship to Clinical Research and Reports.--This Act shall not apply to individually identifiable health information that is created, received, maintained, used, disclosed, or transmitted by any person in connection with--
        (1) any activity conducted pursuant to an investigational new drug exemption, or for which approval of an institutional review board is required by the Food and Drug Administration; or
        (2) any record required to be maintained or report required to be filed by the Food and Drug Administration.
    (e) Federal Privacy Act.--
        (1) Medical exemptions.--Section 552a of title 5, United States Code, is amended by adding at the end the following:
            ``(w) Medical Exemptions.--The head of an agency that is subject to the Consumer Health and Research Technology (CHART) Protection Act shall promulgate rules, in accordance with the requirements (including general notice) of subsections (b)(1), (b)(2), (b)(3), (c), and (e) of section 553 of this title, to exempt a system of records within the agency, to the extent that the system of records contains individually identifiable health information (as defined in section 406 of such Act), from all provisions of this section except subsections (b)(6), (d), (e)(1), (e)(2), subparagraphs (A) and (C) and (E) through (I) of subsection (e)(4), and subsections (e)(5), (e)(6), (e)(9), (e)(12), (l), (n), (o), (p), (r), and (u).''.
        (2) Technical amendment.--Section 552a(f)(3) of title 5, United States Code, is amended by striking ``pertaining to him,'' and all that follows through the semicolon and inserting ``pertaining to the individual;''.
    (f) Application to Certain Federal Agencies.--
        (1) Department of defense.--
            (A) Exceptions.--The Secretary of Defense may, by regulation, establish exceptions to the requirements of this Act to the extent such Secretary determines that disclosure of individually identifiable health information relating to members of the Armed Forces from systems of records operated by the Department of Defense is necessary under circumstances different from those permitted under this Act for the proper conduct of national defense functions by members of the Armed Forces.
            (B) Application to civilian employees.--The Secretary of Defense may, by regulation, establish for civilian employees of the Department of Defense and employees of Department of Defense contractors, limitations on the right of such persons to revoke or amend authorizations for disclosures under section 103 when such authorizations were provided by such employees as a condition of employment and the disclosure is determined necessary by the Secretary of Defense to the proper conduct of national defense functions by such employees.
        (2) Department of transportation.--
            (A) Exceptions.--The Secretary of Transportation may, with respect to members of the Coast Guard, exercise the same powers as the Secretary of Defense may exercise under paragraph (1)(A).
            (B) Application to civilian employees.--The Secretary of Transportation may, with respect to civilian employees of the Coast Guard and Coast Guard contractors, exercise the same powers as the Secretary of Defense may exercise under paragraph (1)(B).
        (3) Department of veterans affairs.--The limitations on use and disclosure of individually identifiable health information under this Act shall not be construed to prevent any exchange of such information within and among components of the Department of Veterans Affairs that determine eligibility for or entitlement to, or that provide, benefits under laws administered by the Secretary of Veterans Affairs.

SEC. 404. REPORTS ANALYZING IMPACT OF ACT.

    (a) Efforts To Combat Fraud and Abuse.--Beginning not later than 12 months after the effective date in section 405(a), the Inspector General of the Department of Health and Human Services shall submit to the Committee on Ways and Means and the Committee on Government Reform and Oversight of the House of Representatives and the Committee on Commerce, Science, and Transportation and the Committee on Finance of the Senate an annual report containing the results of an annual study. The study shall analyze whether this Act has had an adverse effect on efforts to combat fraud and abuse undertaken under title XVIII, XIX, or XXI of the Social Security Act.
    (b) Health Research.--Beginning not later than 12 months after the effective date in section 405(a), the Secretary, in consultation with the National Research Council of the National Academy of Sciences and the Institute of Medicine, shall submit to the Congress an annual report containing the results of an annual study. The study shall analyze the effect of this Act on the quality and efficacy of health research.
    (c) Administrative Simplification.--Not later than 12 months after the effective date in section 405(a), the Comptroller General of the United States shall submit to the Congress a report containing the results of a study. The study shall analyze the effect of this Act on the implementation of subtitle F of title II of the Health Insurance Portability and Accountability Act of 1996 and part C of title XI of the Social Security Act.

SEC. 405. EFFECTIVE DATE.
    (a) In General.--Except as provided in subsection (b), this Act shall take effect on the date that is 18 months after the date of the enactment of this Act.
    (b) Provisions Effective Immediately.--A provision of this Act shall take effect on the date of the enactment of this Act if the provision authorizes or requires the Secretary of Defense, the Secretary of Transportation, or the Secretary of Health and Human Services to develop, establish, or promulgate regulations or model notices.
    (c) Deadline for Regulations.--The Secretary shall promulgate regulations implementing this Act not later than the date that is 12 months after the date of the enactment of this Act.

SEC. 406. DEFINITIONS.

    As used in this Act:
        (1) Employer.--The term ``employer'' has the meaning given such term under section 3(5) of the Employee Retirement Income Security Act of 1974 (29 U.S.C. 1002(5)), except that such term shall include only employers of two or more employees.
        (2) Health care.--The term ``health care'' means--
            (A) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, including appropriate assistance with disease or symptom management and maintenance, counseling, service, or procedure--
                (i) with respect to the physical or mental condition of an individual; or
                (ii) affecting the structure or function of the human body or any part of the human body, including the banking of blood, sperm, organs, or any other tissue; and
            (B) any sale or dispensing of a drug, device, equipment, or other health care related item to an individual, or for the use of an individual, pursuant to a prescription.
        (3) Health care provider.--The term ``health care provider'' means a person, who with respect to a specific item of individually identifiable health information, receives, creates, uses, maintains, or discloses the information while acting in whole or in part in the capacity of--
            (A) a person who is licensed, certified, registered, or otherwise authorized by Federal or State law to provide an item or service that constitutes health care in the ordinary course of business, or practice of a profession;
            (B) a Federal, State, employer-sponsored or other privately sponsored program that directly provides items or services that constitute health care to beneficiaries; or
            (C) an officer or employee of a person described in subparagraph (A) or (B).
        (4) Health or life insurer.--The term ``health or life insurer'' means a health insurance issuer as defined in section 9805(b)(2) of the Internal Revenue Code of 1986 or a life insurance company as defined in section 816 of such Code.
        (5) Health oversight agency.--The term ``health oversight agency'' means a person who, with respect to a specific item of individually identifiable health information, receives, creates, uses, maintains, or discloses the information while acting in whole or in part in the capacity of--
            (A) a person who performs or oversees the performance of an assessment, evaluation, determination, or investigation, relating to the licensing, accreditation, or credentialing of health care providers; or
            (B) a person who--
                (i) performs or oversees the performance of an audit, assessment, evaluation, determination, or investigation relating to the effectiveness of, compliance with, or applicability of, legal, fiscal, medical, or scientific standards or aspects of performance related to the delivery of, or payment activities related to, health care; and
                (ii) is a public agency, acting on behalf of a public agency, acting pursuant to a requirement of a public agency, or carrying out activities under a Federal or State law governing the assessment, evaluation, determination, investigation, or prosecution described in subparagraph (A).
        (6) Health plan.--The term ``health plan'' means any health insurance plan, including any hospital or medical service plan, dental or other health service plan, health maintenance organization plan, plan offered by a provider-sponsored organization (as defined in section 1855(d) of the Social Security Act (42 U.S.C. 1395w-25(d))), or other program providing or arranging for the provision of health benefits, whether or not funded through the purchase of insurance.
        (7) Health researcher.--The term ``health researcher'' means a person, or an officer, employee, or agent of a person, who receives individually identifiable health information as part of a research project that involves data with respect to human subjects.
        (8) Individually identifiable health information.--The term ``individually identifiable health information'' means any information, including demographic information, collected from an individual, whether oral or recorded in any form or medium, that--
            (A) is created or received by a health care provider, health plan, health oversight agency, public health authority, employer, health or life insurer, school or university; and
            (B)(i) relates to the past, present, or future physical or mental health or condition of an individual (including individual cells and their components), the provision of health care to an individual, or the past, present, or future payment activities related to the provision of health care to an individual; and
                (ii)(I) identifies an individual;
                    (II) contains personal identifiers that provide a direct means of identifying the individual; or
                    (III) has been provided in an encrypted format that does not directly identify an individual, but that provides a method for decrypting the information.
        (9) Institutional review board.--The term ``institutional review board'' means an entity established to review proposed health research with respect to potential risks to human subjects pursuant to Federal regulations adopted under section 1802(b) of the Public Health Service Act (42 U.S.C. 300v-1(b)).
        (10) Payment activities.--The term ``payment activities''--
            (A) means activities undertaken--
                (i) by, or on behalf of, a health plan to determine its responsibility for coverage under the plan; or
                (ii) by a health care provider to obtain payment for items or services provided to an individual, provided under a health plan or provided based on a determination by the health plan of responsibility for coverage under the plan; and
            (B) includes the following activities, when performed in a manner consistent with subparagraph (A):
                (i) Billing, claims management, medical data processing, practice management, or other administrative services and actual payment.
                (ii) Determinations of coverage or adjudication of health benefit claims and subrogation claims.
                (iii) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges.
        (11) Person.--The term ``person'' means a natural person, a government, governmental subdivision, agency or authority, a company, corporation, estate, firm, trust, partnership, association, joint venture, society, joint stock company, or any other legal entity.
        (12) Public health authority.--The term ``public health authority'' means an authority or instrumentality of the United States, a tribal government, a State, or a political subdivision of a State that is--
            (A) primarily responsible for public health matters; and
            (B) primarily engaged in activities such as injury reporting, public health surveillance, and public health investigation or intervention.
        (13) Quality assurance activities.--The term ``quality assurance activities'' means a formal methodology and set of activities designed to assess the quality of health care services provided to an individual. The term includes formal review of care, problem identification, corrective actions taken to remedy any deficiencies, and evaluation of actions taken. The term also includes activities undertaken by a quality control and peer review organization (as defined in section 1152 of the Social Security Act (42 U.S.C. 1320c-1)).
        (14) School or university.--The term ``school or university'' means an institution or place accredited or licensed for purposes of providing instruction or education, including an elementary school, secondary school, or institution of higher learning, a college, or an assemblage of colleges united under one corporate organization or government.
        (15) Secretary.--The term ``Secretary'' means the Secretary of Health and Human Services.
        (16) State.--The term ``State'' includes the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana Islands.
        (17) Writing.--The term ``writing'' means writing in either a paper-based or computer-based form, including electronic signatures.