Section-by-Section Analysis of The Medical Records Confidentiality Act of 1995

The Medical Records Confidentiality Act of 1995 Section by Section Analysis

This bill establishes federal privacy protection for protected health information whether in paper or electronic form.

Selected Definitions:

Health Information Trustee means a health care provider, health care plan, health oversight agency, public health authority, and other entities that create, receive, or use health information.
Protected Health Information means any health-related information created or received by a health information trustee that relates to an individual's health condition, care or payment and can identify the individual.

TITLE I - INDIVIDUAL'S RIGHTS

This title establishes a set of rules to allow individuals access to their protected health information and the opportunity to correct or amend such information.

Inspection and Copying of Protected Health Information:

Sec. 101 (a): Health information trustees must allow an individual to inspect and copy protected health information pertaining to the individual. The trustee may require reimbursement for the cost of the inspection and copying.

Sec. 101 (b): The trustee is not required to allow the individual access to his or her protected health information if:

The trustee determines that disclosure would endanger the life or physical safety of any individual;
The information in the records could identify a confidential source of information; or
The information is used only for administrative purposes and has not been disclosed to any other person.

Sec. 101 (c): If a portion of the individual's information meets one of the exceptions described above, the trustee is required to allow the individual access to the portion of the records that is not covered by the exception.

Sec. 101 (d): The trustee is required, within 30 days, to comply with or deny an individual's request to inspect and copy protected health information.

Correction or Amendment of Protected Health Information:

Sec. 102 (a): After an individual submits a written request to correct or amend protected health information, the trustee has 45 days to make the change, inform the individual that the change has been made, and make reasonable efforts to inform other persons identified by the individual and to whom the corrected information has been disclosed, of the change.

Sec. 102 (b): If the trustee refuses to make the change, the trustee must inform the individual of the reasons for the refusal, of any procedures for further review of the refusal, and of the individual's right to file a statement of disagreement with the refusal.

Sec. 102 (c): When the trustee discloses this portion of the individual's records, the trustee must include a copy of the individual's statement of disagreement and may include a statement explaining why the requested change was not made.

Sec. 102 (d): The trustee is not required to conduct a formal proceeding in response to a request for a correction or amendment.

Sec. 102 (e): A correction is deemed to be made when the disputed information is corrected, when it is clearly marked as incorrect, or when it is supplemented by correct information.

Notice of Information Practices:

Sec. 103 (a): A trustee, except for health information services, must provide clear and conspicuous written notice to individuals of their rights to access protected health information, and a description of the trustees' information practices.

Sec. 103 (b): The Secretary is mandated to develop and provide a model notice of information practices for use by trustees.

Safeguards:

Sec. 111(a): Trustees are required to establish safeguards that are sufficient to effectively protect the confidentiality of an individual's protected health information.

Sec. 111 (b): The Secretary may promulgate regulations using the general principles of the Administrative Procedures Act and in consultation with knowledgeable individuals to ensure the confidentiality, security, accuracy, and integrity of protected health information.

Accounting for Disclosures:

Sec. 112 (a): The trustee is required to keep a record of all disclosures of protected health information except for disclosures related to treatment.

Sec. 112 (b): The record of disclosure must be maintained as part of the individual's protected health information for a minimum of 10 years.

TITLE II - RESTRICTIONS ON USE AND DISCLOSURE

This title establishes a system in which an individual's protected health information may not be disclosed without the individual's permission, except in limited circumstances as provided in the bill.

General Rules Regarding Use and Disclosure:

Sec. 201 (a): Trustees may not use or disclose an individual's protected health information unless such use or disclosure is authorized under this title.

Sec. 201 (b): The scope of the use or disclosure of protected health information must be limited to the minimum amount of information necessary to accomplish the purpose of the disclosure.

Sec. 201 (c): Permission to disclose protected health information under this title shall not be interpreted to mean that disclosure is required.

Sec. 201 (d): When the trustee discloses an individual's protected health information, such information must be clearly identified as protected health information.

Sec. 201 (e): The Secretary is mandated to issue regulations protecting information identifying providers in order to promote the availability of health care services.

Authorizations for Disclosure of Protected Health Information for Treatment or Payment:

Sec. 202 (a): A trustee may disclose an individual's protected health information for treatment or payment purposes if the individual authorizes such disclosure. The authorization must meet the following requirements:

The authorization is written or electronically authenticated, signed and dated by the individual;
The authorization form is separate from other health-related forms given to the individual to sign;
The information that will be disclosed is clearly identified in the authorization;
The authorization contains an acknowledgment that the individual who is the subject of the information has the right to revoke or amend the authorization
The trustee whom the individual authorizes to disclose the information is identified in the authorization;
The person who will receive the disclosed information is identified in the authorization;
The authorization contains a statement that ensures the individual has read the authorization and intends to allow disclosure of the information;
The authorization states that the information will be disclosed only for purposes that are compatible with or related to the purpose for which the information is being collected or received by the trustee, and
The authorization specifies a date or event which terminates the authorization.

Sec. 202 (b) (1): An individual may provide a written statement to revoke or amend the authorization at any time, except when the authorization has been relied on by the trustee to receive payment for health care.

Sec. 202 (b) (2): If the trustee had no notice of the revocation, the trustee will not be held liable if the trustee discloses protected health information pursuant to an authorization in subsection (a).

Sec. 202 (c): The Secretary is mandated to develop model written authorizations and model statements of intended disclosures.

Sec. 202 (d): A trustee who discloses information pursuant to an individual's authorization must keep a copy of the authorization.

Authorizations for Disclosure of Protected Health Information, Other than for Treatment or Payment:

Sec. 203 (a): A trustee may disclose protected health information for any purpose if the individual authorizes such disclosure. This authorization must meet the following requirements:

All of the requirements of Sec. 202 (a) above;
The authorization contains a statement that the individual has read the authorization and intends to allow disclosure of the information, and this statement is signed by the individual on a form separate from the authorization form;
The authorization for disclosure is not requested on the same day which the trustee provides health care to the individual; and
The authorization specifies a date or event which terminates the authorization, which may not exceed 1 year.

Sec. 203 (b): A trustee may not condition delivery of treatment or payment for services on the receipt of an authorization described in this section.

Sec. 203 (c) (1): An individual may in writing, revoke or amend the authorization.

Sec. 203 (c) (2): If the trustee had no notice of the revocation, the trustee will not be held liable if the trustee discloses protected health information pursuant to the authorization.

Sec. 203 (d): The Secretary will develop model written authorizations and model statements of intended disclosures.

Creation of Non-Identifiable Health Information:

A certified health information service means a health information service that receives personally identifiable health information for the purpose of creating non-identifiable health information and has been certified by the Secretary as qualified to protect the confidentiality and integrity of protected health information.

Sec. 204 (a): A trustee may disclose protected health information to a certified health information service for the purpose of removal of personal identifiers from the information and for the subsequent creation of nonidentifiable health information.

Sec. 204 (b) (1): The Secretary is mandated to issue regulations establishing certification requirements for health information services.

Sec. 204 (b) (2): The Secretary shall certify those health information services that meet the requirements established by the regulations.

Next of Kin and Directory Information:

Sec. 205 (a): A health care provider or a person who receives protected health information under emergency circumstances may disclose an individual's protected health information to the individual's next of kin, the individual's representative, or to an individual with whom that individual has a significant personal relationship if:

The individual has been notified of the right to object and has not objected; or
The individual is not competent to be notified of the right to object; or
Exigent circumstances exist that make it impractical to have notified the individual of the right to object; and
The information disclosed relates to health care currently being provided to the individual.

Sec. 205 (b): A health information trustee may disclose the following information regarding an individual:

Name;
General health status; and
Location or premises controlled by the provider.

This information may be disclosed if:

The individual has been notified of his or her right to object and has not objected to the disclosure; or
The individual is not competent; or
Exigent circumstances exist that make it impractical to notify the individual of the right to object.

If disclosure of the individual s location would reveal specific information about the individual's physical or mental condition, the individual must expressly authorize the disclosure.

Sec. 205 (c) (1): A health information trustee may disclose protected health information to identify a deceased individual.

Sec. 205 (c) (2): The Secretary is mandated to develop regulations establishing a procedure for obtaining protected health information relating to a deceased individual when there is no individual representative for the deceased.

Emergency Circumstances:

Sec. 206: Any person who receives protected health information under this title may disclose such information in emergency circumstances when necessary to protect the health or safety of an individual from serious, imminent harm.

Oversight:

Health oversight agency means a person who performs or oversees the performance of an investigation relating to:

certification of health care providers; or
compliance with legal, fiscal, medical or scientific standards; or
is a public agency acting under federal or state law.

Sec. 207 (a): A health information trustee may disclose protected health information to a health oversight agency for lawful oversight purposes.

Sec. 207 (b): Protected health information disclosed for oversight purposes may not be used in a legal action or investigation against the individual unless the action or investigation arises out of and is directly related to receipt or payment of health care, or an action involving a fraudulent claim related to health.

Public Health:

Sec. 208: A health information trustee, other than a health oversight agency, may disclose protected health information to a public health authority for use in a legally authorized disease or injury report, public health surveillance, or public health investigation or intervention.

Health Research:

Sec. 209 (a): A trustee may disclose an individual's protected health information to a health researcher if a certified institutional review board ("IRB") determines that the research project requires use of this information, and the importance of the use of the information outweighs the individual's privacy intrusion.

Sec. 209 (b): A health researcher is required to remove or destroy, at the earliest possible time consistent with the needs of the research project, any information that would identify the individual. Such information may be retained, however, if an IRB determines there is a justification for maintaining the information and there is an adequate plan to protect the confidentiality of that information. In addition, the researcher is precluded from using this information for any research project other than the project authorized by the IRB under (a).

Sec. 209 (c): If a health researcher is not located in an academic setting, a health care facility or a public health agency, the Secretary is required to approve the determinations made by a certified IRB before the determination is issued.

Sec. 209 (d) (1): The Secretary is required to issue regulations establishing certification requirements for institutional review boards.

Sec. 209 (d) (2): The Secretary is required to certify those institutional review boards that meet the requirements established by the Secretary in (1).

Judicial and Administrative Purposes:

Sec. 210 (a): A trustee, other than a health researcher, public health authority or health information service, may disclose protected health information:

Pursuant to the Federal Rules of Civil and Criminal Procedure or comparable rules of other courts, where the individual is a party and has placed his or her physical or mental condition at issue;
To a court if such information is developed in response to a court-ordered physical or mental examination and other orders by the court; or
Pursuant to a law requiring the reporting of specific medical information to law enforcement agencies.

Sec. 210 (b): The recipient of this information is required to:

Notify the individual or the individual's attorney of the request for the information; and
Provide the trustee with a signed document that the individual has placed his mental or physical condition at issue; and
Not accept any information from the trustee until 10 days after notice was given.

Non-Law Enforcement Subpoenas:

Sec. 211 (a): A trustee, other than a health researcher, public health authority, or health information service, may disclose protected health information in response to a subpoena issued on behalf of a party who has complied with access provisions in the bill (see below).

Access Provisions:

Sec. 211 (b): A party may not obtain an individual's protected health information pursuant to a subpoena unless:

The individual seeking the protected health information has served upon the individual a copy of the subpoena, together with a notice of the individual's right to challenge the subpoena; and

15 days have passed since the date of service on the individual and during that time the individual has not challenged the subpoena; or disclosure is ordered by a court.

Sec. 211 (c) (1): After service of a copy of the subpoena seeking protected health information, the individual may file a motion to quash the subpoena.

Sec. 211 (c) (2): The court shall grant a motion to quash unless the respondent demonstrates that there is reasonable ground to believe the information is relevant to a lawsuit, or other proceeding; and the respondent's need for the information outweighs the individual's privacy interest. In weighing the need for the information and the individual's privacy interest, the court shall consider:

The purpose for which the information was collected;
The impact of disclosure on the individual's privacy;
The effect of the disclosure on the individual's future health care;
The importance of the information to the lawsuit or proceeding; and
Other relevant factors.

Sec. 211 (c) (3): Where the individual prevails in a motion to quash the subpoena, the court may assess against the respondent a reasonable attorney's fee and other litigation costs and expenses.

Law Enforcement:

Government Subpoenas and Warrants:

Sec. 212 (a) (1): A trustee shall disclose protected health information if the disclosure is pursuant to:

A subpoena issued under the authority of a grand jury; or

An administrative subpoena or summons which meets the conditions of probable cause; or

A judicial subpoena or warrant which meets the conditions of probable cause.

Sec. 212 (a) (2): A government authority may not obtain protected health information for use in a law enforcement inquiry unless there is probable cause to believe that the information is relevant to a legitimate law enforcement inquiry being conducted by the government authority.

Sec. 212 (a) (3): A government authority that obtains protected health information about an individual pursuant to a warrant, shall, within 30 days, serve the individual with notice that the information was obtained and notice of the individual's right to challenge the warrant.

Sec. 212 (a) (4): If the individual s identity is known, in order for a government authority to obtain protected health information pursuant to a subpoena or summons, a copy of the subpoena or summons must be served on the individual on or before the date of the return of the subpoena or summons, with notice of the right to challenge the subpoena or summons.

If the individual's identity is unknown at the time the subpoena or summons is served, the individual shall be served no later than 30 days later, with notice that protected health information was obtained and notice of the right to challenge the subpoena or summons.

Sec. 212 (a) (5): A government authority may apply ex parte and under seal to an appropriate court to delay service of the notice regarding execution of the warrant or a copy of the subpoena. The government authority may apply to the court for extensions of the delay.

The court shall enter an ex parte order delaying or extending the delay of notice, an order prohibiting the disclosure of the request for, or the disclosure of, the protected health information, and an order requiring the disclosure of the protected health information, if the court finds that:

The inquiry being conducted is within the lawful jurisdiction of the government authority seeking the protected health information;
There is probable cause to believe that the protected health information being sought is relevant to a legitimate law enforcement inquiry;
The government authority's need for the information outweighs the privacy interest of the individual who is the subject of the information; and
There is reasonable ground to believe that receipt of notice by the individual will result in:
- Endangering the life or physical safety of any individual;
- Flight from prosecution;
- Destruction of or tampering with evidence or the information being sought;
- Intimidation of potential witnesses; or
- Disclosure of the existence or nature of a confidential law enforcement investigation or grand jury investigation that is likely to seriously jeopardize such investigation.

Sec. 212 (a) (6): Protected health information disclosed under this section may not be used in any administrative, civil or criminal action or investigation directed against the individual unless the action or investigation arises out of or is directly related to the law enforcement inquiry for which the information was obtained.

Challenge Procedures for Law Enforcement Warrants, Subpoenas, and Summonses:

Sec. 212 (b) (1): The individual may file a motion to quash within 15 days after the date of service of a notice of execution of a warrant or a copy of a subpoena or summons, of a government authority seeking protected health information under subsection (a).

Sec. 212 (b) (2): The court shall grant the motion unless the government demonstrates there is probable cause to believe the protected health information is relevant to a legitimate law enforcement inquiry being conducted by the government authority and the government authority's need for the information outweighs the privacy interest of the individual.

Sec. 212 (b) (3): When the individual prevails on the motion to quash, the court may assess against the government authority reasonable attorney's fees and other litigation costs reasonably incurred.

Sec. 212 (b) (4): A ruling denying a motion to quash under this section shall not be deemed to be a final order and no interlocutory appeal may be taken by the individual.

Sec. 212 (c): A trustee may disclose protected health information to a law enforcement agency if the information is requested for use in:

An investigation or prosecution of a trustee;
The identification of a victim or witness in a law enforcement inquiry; or
Connection with the investigation of criminal activity committed against the trustee or on premises controlled by the trustee.

Sec. 213: The Secretary is required to promulgate standards for electronic disclosure, authorization and authentication of protected health information.

TITLE III - SANCTIONS

Civil Penalty:

Sec. 301 (a): Where the Secretary determines that a trustee has violated this Act, the trustee shall be subject to a civil penalty of not more than $10,000 for each violation, but not to exceed $50,000 in the aggregate for multiple violations.

In addition, if the Secretary finds that violations have occurred with such frequency as to constitute a general business practice, a civil penalty may be imposed of:

Not more than $250,000, or
Exclusion from participation in Medicare, Medicaid, or any other federally funded health care programs.

Sec. 301 (b): Section 1128A of the Social Security Act shall apply to the imposition of a civil monetary penalty under this section.

Civil Action:

Sec. 302 (a): An individual who is aggrieved by conduct in violation of this title may bring a civil action to recover:

Such preliminary and equitable relief as the court determines to be appropriate;
The greater of actual damages or liquidated damages of $5,000; and

Punitive damages.

Sec. 302 (b): If the aggrieved individual prevails, the court may assess against the respondent a reasonable attorney's fee and other litigation costs and expenses reasonably incurred.

Sec. 302 (c): An action under this section must be commenced within 3 years after the date on which the violation was or should reasonably have been discovered.

Criminal Penalty:

Sec. 311: A person who knowingly obtains a individual's protected health information in violation of this title, or discloses protected health information to another person in violation of this title, shall be fined not more than $50,000, imprisoned not more than 1 year, or both.

If the offense is committed under false pretenses, the individual shall be fined:

Not more than $250,000;
Imprisoned not more than 5 years;
Excluded from participation in Medicare or Medicaid or any other federally funded health care programs; or
Any combination of these penalties.

If the offense is committed with intent to sell, transfer, or use protected health information for commercial advantage, personal gain, or malicious harm, the individual shall be fined:

Not more than $500,000;

Imprisoned not more than 10 years;

Excluded from participation in Medicare or Medicaid or any other federally funded health care programs; or

Any combination of these penalties.

TITLE IV - MISCELLANEOUS

Preemption:

Sec. 401 (a): In general, this Act preempts State law.

Sec. 401 (b): The Act does not preempt a State common or statutory law concerning a privilege of a witness or person in a court of the State. The Act does not supersede or modify Federal common or statutory law concerning a privilege of a witness or person in a court of the United States.

Sec. 401 (c): The Act does not preempt, supersede or modify the operation of:

Any law that provides for the reporting of vital statistics such as birth or death information;
Any law requiring the reporting of abuse or neglect information about any individual;
Any State law relating to public or mental health that prevents or restricts disclosure of protected health information otherwise allowed under this title;
Any law that governs a minor's rights to access protected health information;
Subpart II of part E of title XXVI of the Public Health Service Act (relating to notifications of emergency response employees of possible exposure to infectious diseases);
Any Federal law or regulation governing confidentiality of alcohol and drug individual records;
The Americans with Disabilities Act of 1990; or
Any Federal or State statute that establishes a privilege for records used in health professional peer review activities.

No Liability for Permissible Disclosures:

Sec. 402: A trustee who makes a permitted disclosure of a individual's protected health information shall not be liable to the individual for the disclosure under common law.

Effective Date:

Sec. 403: The Secretary is mandated to promulgate regulations implementing this Act not later than six months after the date of enactment. This Act will take effect twelve months after the date of enactment of this Act.