AUG. 21, 1996
HEALTH INSURANCE PORTABILITY AND
ACCOUNTABILITY ACT OF 1996
Public Law 104-191
104th Congress
An
Act
To amend the
Internal Revenue Code of 1986 to
improve portability and continuity
of health insurance coverage in
the group and individual markets,
to combat waste, fraud, and abuse
in health insurance and health care
delivery, to promote the use of
medical savings accounts, to improve
access to long-term care services
and coverage, to simplify the administration
of health insurance, and for other
purposes.
Be it enacted
by the Senate and House of Representatives
of the United States of America
in Congress assembled,
SECTION 1.
SHORT TITLE; TABLE OF CONTENTS.
(a) SHORT
TITLE.--This Act may be cited
as the "Health Insurance Portability
and Accountability Act of 1996".
(b) TABLE
OF CONTENTS.--The table of contents
of this Act is as follows:
Sec. 1.
Short title; table of contents.
TITLE I--HEALTH
CARE ACCESS, PORTABILITY, AND RENEWABILITY
...
TITLE II--PREVENTING
HEALTH CARE FRAUD AND ABUSE; ADMINISTRATIVE
SIMPLIFICATION; MEDICAL LIABILITY
REFORM
...
Subtitle F--Administrative Simplification
"Sec.
261. Purpose."
"Sec.
262. Administrative simplification."
Part
C--Administrative Simplification
"Sec.
1171. Definitions."
"Sec.
1172. General requirements for adoption
of standards."
"Sec.
1173. Standards for information
transactions and data elements."
"Sec.
1174. Timetables for adoption of
standards."
"Sec.
1175. Requirements."
"Sec.
1176. General penalty for failure
to comply with requirements and
standards."
"Sec.
1177. Wrongful disclosure of individually
identifiable health information."
"Sec.
1178. Effect on State law."
"Sec.
1179. Processing payment transactions."
Sec.
263. Changes in membership and duties
of National Committee on Vital and
Health Statistics.
Sec.
264. Recommendations with respect
to privacy of certain health information.
...
Subtitle F--Administrative Simplification
SEC.
261. PURPOSE.
It is the purpose
of this subtitle to improve the
Medicare program under title XVIII
of the Social Security Act, the
medicaid program under title XIX
of such Act, and the efficiency
and effectiveness of the health
care system, by encouraging the
development of a health information
system through the establishment
of standards and requirements for
the electronic transmission of certain
health information.
SEC.
262. ADMINISTRATIVE SIMPLIFICATION.
(a) IN GENERAL.--Title
XI (42 U.S.C. 1301 et seq.) is amended
by adding at the end the following:
"PART
C--ADMINISTRATIVE SIMPLIFICATION"
"DEFINITIONS
"SEC.
1171. For purposes of this part:
"(1)
CODE SET.--The term 'code set' means
any set of codes used for encoding
data elements, such as tables of
terms, medical concepts, medical
diagnostic codes, or medical procedure
codes.
"(2)
HEALTH CARE CLEARINGHOUSE.--The
term 'health care clearinghouse'
means a public or private entity
that processes or facilitates the
processing of nonstandard data elements
of health information into standard
data elements.
"(3)
HEALTH CARE PROVIDER.--The term
'health care provider' includes
a provider of services (as defined
in section 1861(u)), a provider
of medical or other health services
(as defined in section 1861(s)),
and any other person furnishing
health care services or supplies.
"(4)
HEALTH INFORMATION.--The term 'health
information' means any information,
whether oral or recorded in any
form or medium, that--
"(A)
is created or received by a health
care provider, health plan, public
health authority, employer, life
insurer, school or university, or
health care clearinghouse; and
"(B)
relates to the past, present, or
future physical or mental health
or condition of an individual, the
provision of health care to an individual,
or the past, present, or future
payment for the provision of health
care to an individual.
"(5)
HEALTH PLAN.--The term 'health plan'
means an individual or group plan
that provides, or pays the cost
of, medical care (as such term is
defined in section 2791 of the Public
Health Service Act). Such term includes
the following, and any combination
thereof:
"(A)
A group health plan (as defined
in section 2791(a) of the Public
Health Service Act), but only if
the plan--
"(i)
has 50 or more participants (as
defined in section 3(7) of the Employee
Retirement Income Security Act of
1974); or
"(ii)
is administered by an entity other
than the employer who established
and maintains the plan.
"(B)
A health insurance issuer (as defined
in section 2791(b) of the Public
Health Service Act).
"(C)
A health maintenance organization
(as defined in section 2791(b) of
the Public Health Service Act).
"(D)
Part A or part B of the Medicare
program under title XVIII.
"(E)
The medicaid program under title
XIX.
"(F)
A Medicare supplemental policy (as
defined in section 1882(g)(1)).
"(G)
A long-term care policy, including
a nursing home fixed indemnity policy
(unless the Secretary determines
that such a policy does not provide
sufficiently comprehensive coverage
of a benefit so that the policy
should be treated as a health plan).
"(H)
An employee welfare benefit plan
or any other arrangement which is
established or maintained for the
purpose of offering or providing
health benefits to the employees
of 2 or more employers.
"(I)
The health care program for active
military personnel under title 10,
United States Code.
"(J)
The veterans health care program
under chapter 17 of title 38, United
States Code.
"(K)
The Civilian Health and Medical
Program of the Uniformed Services
(CHAMPUS), as defined in section
1072(4) of title 10, United States
Code.
"(L)
The Indian health service program
under the Indian Health Care Improvement
Act (25 U.S.C. 1601 et seq.).
"(M)
The Federal Employees Health Benefit
Plan under chapter 89 of title 5,
United States Code.
"(6)
INDIVIDUALLY IDENTIFIABLE HEALTH
INFORMATION.--The term 'individually
identifiable health information'
means any information, including
demographic information collected
from an individual, that--
"(A)
is created or received by a health
care provider, health plan, employer,
or health care clearinghouse; and
"(B)
relates to the past, present, or
future physical or mental health
or condition of an individual, the
provision of health care to an individual,
or the past, present, or future
payment for the provision of health
care to an individual, and--
"(i)
identifies the individual; or
"(ii)
with respect to which there is a
reasonable basis to believe that
the information can be used to identify
the individual.
"(7)
STANDARD.--The term 'standard',
when used with reference to a data
element of health information or
a transaction referred to in section
1173(a)(1), means any such data
element or transaction that meets
each of the standards and implementation
specifications adopted or established
by the Secretary with respect to
the data element or transaction
under sections 1172 through 1174.
"(8)
STANDARD SETTING ORGANIZATION.--The
term 'standard setting organization'
means a standard setting organization
accredited by the American National
Standards Institute, including the
National Council for Prescription
Drug Programs, that develops standards
for information transactions, data
elements, or any other standard
that is necessary to, or will facilitate,
the implementation of this part.
"GENERAL
REQUIREMENTS FOR ADOPTION OF STANDARDS
"SEC.
1172. (a) APPLICABILITY.--Any
standard adopted under this part
shall apply, in whole or in part,
to the following persons:
"(1)
A health plan.
"(2)
A health care clearinghouse.
"(3)
A health care provider who transmits
any health information in electronic
form in connection with a transaction
referred to in section 1173(a)(1).
"(b)
REDUCTION OF COSTS.--Any standard
adopted under this part shall be
consistent with the objective of
reducing the administrative costs
of providing and paying for health
care.
"(c)
ROLE OF STANDARD SETTING ORGANIZATIONS.--
"(1)
IN GENERAL.--Except as provided
in paragraph (2), any standard adopted
under this part shall be a standard
that has been developed, adopted,
or modified by a standard setting
organization.
"(2)
SPECIAL RULES.--
"(A)
DIFFERENT STANDARDS.--The Secretary
may adopt a standard that is different
from any standard developed, adopted,
or modified by a standard setting
organization, if--
"(i)
the different standard will substantially
reduce administrative costs to health
care providers and health plans
compared to the alternatives; and
"(ii)
the standard is promulgated in accordance
with the rulemaking procedures of
subchapter III of chapter 5 of title
5, United States Code.
"(B)
NO STANDARD BY STANDARD SETTING
ORGANIZATION.--If no standard setting
organization has developed, adopted,
or modified any standard relating
to a standard that the Secretary
is authorized or required to adopt
under this part--
"(i)
paragraph (1) shall not apply; and
"(ii)
subsection (f) shall apply.
"(3)
CONSULTATION REQUIREMENT.--
"(A)
IN GENERAL.--A standard may not
be adopted under this part unless--
"(i)
in the case of a standard that has
been developed, adopted, or modified
by a standard setting organization,
the organization consulted with
each of the organizations described
in subparagraph (B) in the course
of such development, adoption, or
modification; and
"(ii)
in the case of any other standard,
the Secretary, in complying with
the requirements of subsection (f),
consulted with each of the organizations
described in subparagraph (B) before
adopting the standard.
"(B)
ORGANIZATIONS DESCRIBED.--The organizations
referred to in subparagraph (A)
are the following:
"(i)
The National Uniform Billing Committee.
"(ii)
The National Uniform Claim Committee.
"(iii)
The Workgroup for Electronic Data
Interchange.
"(iv)
The American Dental Association.
"(d)
IMPLEMENTATION SPECIFICATIONS.--The
Secretary shall establish specifications
for implementing each of the standards
adopted under this part.
"(e)
PROTECTION OF TRADE SECRETS.--Except
as otherwise required by law, a
standard adopted under this part
shall not require disclosure of
trade secrets or confidential commercial
information by a person required
to comply with this part.
"(f)
ASSISTANCE TO THE SECRETARY.--In
complying with the requirements
of this part, the Secretary shall
rely on the recommendations of the
National Committee on Vital and
Health Statistics established under
section 306(k) of the Public Health
Service Act (42 U.S.C. 242k(k)),
and shall consult with appropriate
Federal and State agencies and private
organizations. The Secretary shall
publish in the Federal Register
any recommendation of the National
Committee on Vital and Health Statistics
regarding the adoption of a standard
under this part.
"(g)
APPLICATION TO MODIFICATIONS OF STANDARDS.--This
section shall apply to a modification
to a standard (including an addition
to a standard) adopted under section
1174(b) in the same manner as it
applies to an initial standard adopted
under section 1174(a).
"STANDARDS
FOR INFORMATION TRANSACTIONS AND
DATA ELEMENTS
"SEC.
1173. (a) STANDARDS TO ENABLE
ELECTRONIC EXCHANGE.--
"(1)
IN GENERAL.--The Secretary shall
adopt standards for transactions,
and data elements for such transactions,
to enable health information to
be exchanged electronically, that
are appropriate for--
"(A)
the financial and administrative
transactions described in paragraph
(2); and
"(B)
other financial and administrative
transactions determined appropriate
by the Secretary, consistent with
the goals of improving the operation
of the health care system and reducing
administrative costs.
"(2)
TRANSACTIONS.--The transactions
referred to in paragraph (1)(A)
are transactions with respect to
the following:
"(A)
Health claims or equivalent encounter
information.
"(B)
Health claims attachments.
"(C)
Enrollment and disenrollment in
a health plan.
"(D)
Eligibility for a health plan.
"(E)
Health care payment and remittance
advice.
"(F)
Health plan premium payments.
"(G)
First report of injury.
"(H)
Health claim status.
"(I)
Referral certification and authorization.
"(3)
ACCOMMODATION OF SPECIFIC PROVIDERS.--The
standards adopted by the Secretary
under paragraph (1) shall accommodate
the needs of different types of
health care providers.
"(b)
UNIQUE HEALTH IDENTIFIERS.--
"(1)
IN GENERAL.--The Secretary shall
adopt standards providing for a
standard unique health identifier
for each individual, employer, health
plan, and health care provider for
use in the health care system. In
carrying out the preceding sentence
for each health plan and health
care provider, the Secretary shall
take into account multiple uses
for identifiers and multiple locations
and specialty classifications for
health care providers.
"(2)
USE OF IDENTIFIERS.--The standards
adopted under paragraph (1) shall
specify the purposes for which a
unique health identifier may be
used.
"(c)
CODE SETS.--
"(1)
IN GENERAL.--The Secretary shall
adopt standards that--
"(A)
select code sets for appropriate
data elements for the transactions
referred to in subsection (a)(1)
from among the code sets that have
been developed by private and public
entities; or
"(B)
establish code sets for such data
elements if no code sets for the
data elements have been developed.
"(2)
DISTRIBUTION.--The Secretary shall
establish efficient and low-cost
procedures for distribution (including
electronic distribution) of code
sets and modifications made to such
code sets under section 1174(b).
"(d)
SECURITY STANDARDS FOR HEALTH INFORMATION.--
"(1)
SECURITY STANDARDS.--The Secretary
shall adopt security standards that--
"(A)
take into account--
"(i)
the technical capabilities of record
systems used to maintain health
information;
"(ii)
the costs of security measures;
"(iii)
the need for training persons who
have access to health information;
"(iv)
the value of audit trails in computerized
record systems; and
"(v)
the needs and capabilities of small
health care providers and rural
health care providers (as such providers
are defined by the Secretary); and
"(B)
ensure that a health care clearinghouse,
if it is part of a larger organization,
has policies and security procedures
which isolate the activities of
the health care clearinghouse with
respect to processing information
in a manner that prevents unauthorized
access to such information by such
larger organization.
"(2)
SAFEGUARDS.--Each person described
in section 1172(a) who maintains
or transmits health information
shall maintain reasonable and appropriate
administrative, technical, and physical
safeguards--
"(A)
to ensure the integrity and confidentiality
of the information;
"(B)
to protect against any reasonably
anticipated--
"(i)
threats or hazards to the security
or integrity of the information;
and
"(ii)
unauthorized uses or disclosures
of the information; and
"(C)
otherwise to ensure compliance with
this part by the officers and employees
of such person.
"(e)
ELECTRONIC SIGNATURE.--
"(1)
STANDARDS.--The Secretary, in coordination
with the Secretary of Commerce,
shall adopt standards specifying
procedures for the electronic transmission
and authentication of signatures
with respect to the transactions
referred to in subsection (a)(1).
"(2)
EFFECT OF COMPLIANCE.--Compliance
with the standards adopted under
paragraph (1) shall be deemed to
satisfy Federal and State statutory
requirements for written signatures
with respect to the transactions
referred to in subsection (a)(1).
"(f)
TRANSFER OF INFORMATION AMONG HEALTH PLANS.--The
Secretary shall adopt standards
for transferring among health plans
appropriate standard data elements
needed for the coordination of benefits,
the sequential processing of claims,
and other data elements for individuals
who have more than one health plan.
"TIMETABLES
FOR ADOPTION OF STANDARDS
"SEC.
1174. (a) INITIAL STANDARDS.--The
Secretary shall carry out section
1173 not later than 18 months after
the date of the enactment of the
Health Insurance Portability and
Accountability Act of 1996, except
that standards relating to claims
attachments shall be adopted not
later than 30 months after such
date.
"(b)
ADDITIONS AND MODIFICATIONS TO STANDARDS.--
"(1)
IN GENERAL.--Except as provided
in paragraph (2), the Secretary
shall review the standards adopted
under section 1173, and shall adopt
modifications to the standards (including
additions to the standards), as
determined appropriate, but not
more frequently than once every
12 months. Any addition or modification
to a standard shall be completed
in a manner which minimizes the
disruption and cost of compliance.
"(2)
SPECIAL RULES.--
"(A)
FIRST 12-MONTH PERIOD.--Except with
respect to additions and modifications
to code sets under subparagraph
(B), the Secretary may not adopt
any modification to a standard adopted
under this part during the 12-month
period beginning on the date the
standard is initially adopted, unless
the Secretary determines that the
modification is necessary in order
to permit compliance with the standard.
"(B)
ADDITIONS AND MODIFICATIONS TO CODE
SETS.--
"(i)
IN GENERAL.--The Secretary shall
ensure that procedures exist for
the routine maintenance, testing,
enhancement, and expansion of code
sets.
"(ii)
ADDITIONAL RULES.--If a code set
is modified under this subsection,
the modified code set shall include
instructions on how data elements
of health information that were
encoded prior to the modification
may be converted or translated so
as to preserve the informational
value of the data elements that
existed before the modification.
Any modification to a code set under
this subsection shall be implemented
in a manner that minimizes the disruption
and cost of complying with such
modification.
"REQUIREMENTS
"SEC.
1175. (a) CONDUCT OF TRANSACTIONS
BY PLANS.--
"(1)
IN GENERAL.--If a person desires
to conduct a transaction referred
to in section 1173(a)(1) with a
health plan as a standard transaction--
"(A)
the health plan may not refuse to
conduct such transaction as a standard
transaction;
"(B)
the insurance plan may not delay
such transaction, or otherwise adversely
affect, or attempt to adversely
affect, the person or the transaction
on the ground that the transaction
is a standard transaction; and
"(C)
the information transmitted and
received in connection with the
transaction shall be in the form
of standard data elements of health
information.
"(2)
SATISFACTION OF REQUIREMENTS.--A
health plan may satisfy the requirements
under paragraph (1) by--
"(A)
directly transmitting and receiving
standard data elements of health
information; or
"(B)
submitting nonstandard data elements
to a health care clearinghouse for
processing into standard data elements
and transmission by the health care
clearinghouse, and receiving standard
data elements through the health
care clearinghouse.
"(3)
TIMETABLE FOR COMPLIANCE.--Paragraph
(1) shall not be construed to require
a health plan to comply with any
standard, implementation specification,
or modification to a standard or
specification adopted or established
by the Secretary under sections
1172 through 1174 at any time prior
to the date on which the plan is
required to comply with the standard
or specification under subsection
(b).
"(b)
COMPLIANCE WITH STANDARDS.--
"(1)
INITIAL COMPLIANCE.--
"(A)
IN GENERAL.--Not later than 24 months
after the date on which an initial
standard or implementation specification
is adopted or established under
sections 1172 and 1173, each person
to whom the standard or implementation
specification applies shall comply
with the standard or specification.
"(B)
SPECIAL RULE FOR SMALL HEALTH PLANS.--In
the case of a small health plan,
paragraph (1) shall be applied by
substituting '36 months' for '24
months'. For purposes of this subsection,
the Secretary shall determine the
plans that qualify as small health
plans.
"(2)
COMPLIANCE WITH MODIFIED STANDARDS.--If
the Secretary adopts a modification
to a standard or implementation
specification under this part, each
person to whom the standard or implementation
specification applies shall comply
with the modified standard or implementation
specification at such time as the
Secretary determines appropriate,
taking into account the time needed
to comply due to the nature and
extent of the modification. The
time determined appropriate under
the preceding sentence may not be
earlier than the last day of the
180-day period beginning on the
date such modification is adopted.
The Secretary may extend the time
for compliance for small health
plans, if the Secretary determines
that such extension is appropriate.
"(3)
CONSTRUCTION.--Nothing in this subsection
shall be construed to prohibit any
person from complying with a standard
or specification by--
"(A)
submitting nonstandard data elements
to a health care clearinghouse for
processing into standard data elements
and transmission by the health care
clearinghouse; or
"(B)
receiving standard data elements
through a health care clearinghouse.
"GENERAL
PENALTY FOR FAILURE TO COMPLY WITH
REQUIREMENTS AND STANDARDS
"SEC.
1176. (a) GENERAL PENALTY.--
"(1)
IN GENERAL.--Except as provided
in subsection (b), the Secretary
shall impose on any person who violates
a provision of this part a penalty
of not more than $100 for each such
violation, except that the total
amount imposed on the person for
all violations of an identical requirement
or prohibition during a calendar
year may not exceed $25,000.
"(2)
PROCEDURES.--The provisions of section
1128A (other than subsections (a)
and (b) and the second sentence
of subsection (f)) shall apply to
the imposition of a civil money
penalty under this subsection in
the same manner as such provisions
apply to the imposition of a penalty
under such section 1128A.
"(b)
LIMITATIONS.--
"(1)
OFFENSES OTHERWISE PUNISHABLE.--A
penalty may not be imposed under
subsection (a) with respect to an
act if the act constitutes an offense
punishable under section 1177.
"(2)
NONCOMPLIANCE NOT DISCOVERED.--A
penalty may not be imposed under
subsection (a) with respect to a
provision of this part if it is
established to the satisfaction
of the Secretary that the person
liable for the penalty did not know,
and by exercising reasonable diligence
would not have known, that such
person violated the provision.
"(3)
FAILURES DUE TO REASONABLE CAUSE.--
"(A)
IN GENERAL.--Except as provided
in subparagraph (B), a penalty may
not be imposed under subsection
(a) if--
"(i)
the failure to comply was due to
reasonable cause and not to willful
neglect; and
"(ii)
the failure to comply is corrected
during the 30-day period beginning
on the first date the person liable
for the penalty knew, or by exercising
reasonable diligence would have
known, that the failure to comply
occurred.
"(B)
EXTENSION OF PERIOD.--
"(i)
NO PENALTY.--The period referred
to in subparagraph (A)(ii) may be
extended as determined appropriate
by the Secretary based on the nature
and extent of the failure to comply.
"(ii)
ASSISTANCE.--If the Secretary determines
that a person failed to comply because
the person was unable to comply,
the Secretary may provide technical
assistance to the person during
the period described in subparagraph
(A)(ii). Such assistance shall be
provided in any manner determined
appropriate by the Secretary.
"(4)
REDUCTION.--In the case of a failure
to comply which is due to reasonable
cause and not to willful neglect,
any penalty under subsection (a)
that is not entirely waived under
paragraph (3) may be waived to the
extent that the payment of such
penalty would be excessive relative
to the compliance failure involved.
"WRONGFUL
DISCLOSURE OF INDIVIDUALLY IDENTIFIABLE
HEALTH INFORMATION
"SEC.
1177. (a) OFFENSE.--A person
who knowingly and in violation of
this part--
"(1)
uses or causes to be used a unique
health identifier;
"(2)
obtains individually identifiable
health information relating to an
individual; or
"(3)
discloses individually identifiable
health information to another person,
shall be punished
as provided in subsection (b).
"(b)
PENALTIES.--A person described in
subsection (a) shall--
"(1)
be fined not more than $50,000,
imprisoned not more than 1 year,
or both;
"(2)
if the offense is committed under
false pretenses, be fined not more
than $100,000, imprisoned not more
than 5 years, or both; and
"(3)
if the offense is committed with
intent to sell, transfer, or use
individually identifiable health
information for commercial advantage,
personal gain, or malicious harm,
be fined not more than $250,000,
imprisoned not more than 10 years,
or both.
"EFFECT
ON STATE LAW
"SEC.
1178. (a) GENERAL EFFECT.--
"(1)
GENERAL RULE.--Except as provided
in paragraph (2), a provision or
requirement under this part, or
a standard or implementation specification
adopted or established under sections
1172 through 1174, shall supersede
any contrary provision of State
law, including a provision of State
law that requires medical or health
plan records (including billing
information) to be maintained or
transmitted in written rather than
electronic form.
"(2)
EXCEPTIONS.--A provision or requirement
under this part, or a standard or
implementation specification adopted
or established under sections 1172
through 1174, shall not supersede
a contrary provision of State law,
if the provision of State law--
"(A)
is a provision the Secretary determines--
"(i)
is necessary--
"(I)
to prevent fraud and abuse;
"(II)
to ensure appropriate State regulation
of insurance and health plans;
"(III)
for State reporting on health care
delivery or costs; or
"(IV)
for other purposes; or
"(ii)
addresses controlled substances;
or
"(B)
subject to section 264(c)(2) of
the Health Insurance Portability
and Accountability Act of 1996,
relates to the privacy of individually
identifiable health information.
"(b)
PUBLIC HEALTH.--Nothing in this
part shall be construed to invalidate
or limit the authority, power, or
procedures established under any
law providing for the reporting
of disease or injury, child abuse,
birth, or death, public health surveillance,
or public health investigation or
intervention.
"(c)
STATE REGULATORY REPORTING.--Nothing
in this part shall limit the ability
of a State to require a health plan
to report, or to provide access
to, information for management audits,
financial audits, program monitoring
and evaluation, facility licensure
or certification, or individual
licensure or certification.
"PROCESSING
PAYMENT TRANSACTIONS BY FINANCIAL
INSTITUTIONS
"SEC.
1179. To the extent that an
entity is engaged in activities
of a financial institution (as defined
in section 1101 of the Right to
Financial Privacy Act of 1978),
or is engaged in authorizing, processing,
clearing, settling, billing, transferring,
reconciling, or collecting payments,
for a financial institution, this
part, and any standard adopted under
this part, shall not apply to the
entity with respect to such activities,
including the following:
"(1)
The use or disclosure of information
by the entity for authorizing, processing,
clearing, settling, billing, transferring,
reconciling or collecting, a payment
for, or related to, health plan
premiums or health care, where such
payment is made by any means, including
a credit, debit, or other payment
card, an account, check, or electronic
funds transfer.
"(2)
The request for, or the use or disclosure
of, information by the entity with
respect to a payment described in
paragraph (1)--
"(A)
for transferring receivables;
"(B)
for auditing;
"(C)
in connection with--
"(i)
a customer dispute; or
"(ii)
an inquiry from, or to, a customer;
"(D)
in a communication to a customer
of the entity regarding the customer's
transactions, payment card, account,
check, or electronic funds transfer;
"(E)
for reporting to consumer reporting
agencies; or
"(F)
for complying with--
"(i)
a civil or criminal subpoena; or
"(ii)
a Federal or State law regulating
the entity.".
(b) CONFORMING
AMENDMENTS.--
(1) REQUIREMENT
FOR MEDICARE PROVIDERS.--Section
1866(a)(1) (42 U.S.C. 1395cc(a)(1))
is amended--
(A) by striking
"and" at the end of subparagraph
(P);
(B) by striking
the period at the end of subparagraph
(Q) and inserting "; and";
and
(C) by inserting
immediately after subparagraph (Q)
the following new subparagraph:
"(R)
to contract only with a health care
clearinghouse (as defined in section
1171) that meets each standard and
implementation specification adopted
or established under part C of title
XI on or after the date on which
the health care clearinghouse is
required to comply with the standard
or specification.".
(2) TITLE HEADING.--Title
XI (42 U.S.C. 1301 et seq.) is amended
by striking the title heading and
inserting the following:
"TITLE
XI--GENERAL PROVISIONS, PEER REVIEW,
AND ADMINISTRATIVE SIMPLIFICATION".
SEC.
263. CHANGES IN MEMBERSHIP AND DUTIES
OF NATIONAL COMMITTEE ON VITAL AND
HEALTH STATISTICS.
Section 306(k)
of the Public Health Service Act
(42 U.S.C. 242k(k))
is amended--
(1) in paragraph
(1), by striking "16"
and inserting "18";
(2) by amending
paragraph (2) to read as follows:
"(2)
The members of the Committee shall
be appointed from among persons
who have distinguished themselves
in the fields of health statistics,
electronic interchange of health
care information, privacy and security
of electronic information, population-based
public health, purchasing or financing
health care services, integrated
computerized health information
systems, health services research,
consumer interests in health information,
health data standards, epidemiology,
and the provision of health services.
Members of the Committee shall be
appointed for terms of 4 years.";
(3) by redesignating
paragraphs (3) through (5) as paragraphs
(4) through (6), respectively, and
inserting after paragraph (2) the
following:
"(3)
Of the members of the Committee--
"(A)
1 shall be appointed, not later
than 60 days after the date of the
enactment of the Health Insurance
Portability and Accountability Act
of 1996, by the Speaker of the House
of Representatives after consultation
with the Minority Leader of the
House of Representatives;
"(B)
1 shall be appointed, not later
than 60 days after the date of the
enactment of the Health Insurance
Portability and Accountability Act
of 1996, by the President pro tempore
of the Senate after consultation
with the Minority Leader of the
Senate; and
"(C)
16 shall be appointed by the Secretary.";
(4) by amending
paragraph (5) (as so redesignated)
to read as follows:
"(5)
The Committee--
"(A)
shall assist and advise the Secretary--
"(i)
to delineate statistical problems
bearing on health and health services
which are of national or international
interest;
"(ii)
to stimulate studies of such problems
by other organizations and agencies
whenever possible or to make investigations
of such problems through subcommittees;
"(iii)
to determine, approve, and revise
the terms, definitions, classifications,
and guidelines for assessing health
status and health services, their
distribution and costs, for use
(I) within the Department of Health
and Human Services, (II) by all
programs administered or funded
by the Secretary, including the
Federal-State-local cooperative
health statistics system referred
to in subsection (e), and (III)
to the extent possible as determined
by the head of the agency involved,
by the Department of Veterans Affairs,
the Department of Defense, and other
Federal agencies concerned with
health and health services;
"(iv)
with respect to the design of and
approval of health statistical and
health information systems concerned
with the collection, processing,
and tabulation of health statistics
within the Department of Health
and Human Services, with respect
to the Cooperative Health Statistics
System established under subsection
(e), and with respect to the standardized
means for the collection of health
information and statistics to be
established by the Secretary under
subsection (j)(1);
"(v)
to review and comment on findings
and proposals developed by other
organizations and agencies and to
make recommendations for their adoption
or implementation by local, State,
national, or international agencies;
"(vi)
to cooperate with national committees
of other countries and with the
World Health Organization and other
national agencies in the studies
of problems of mutual interest;
"(vii)
to issue an annual report on the
state of the Nation's health, its
health services, their costs and
distributions, and to make proposals
for improvement of the Nation's
health statistics and health information
systems; and
"(viii)
in complying with the requirements
imposed on the Secretary under part
C of title XI of the Social Security
Act;
"(B)
shall study the issues related to
the adoption of uniform data standards
for patient medical record information
and the electronic exchange of such
information;
"(C)
shall report to the Secretary not
later than 4 years after the date
of the enactment of the Health Insurance
Portability and Accountability Act
of 1996 recommendations and legislative
proposals for such standards and
electronic exchange; and
"(D)
shall be responsible generally for
advising the Secretary and the Congress
on the status of the implementation
of part C of title XI of the Social
Security Act."; and
(5) by adding
at the end the following:
"(7)
Not later than 1 year after the
date of the enactment of the Health
Insurance Portability and Accountability
Act of 1996, and annually thereafter,
the Committee shall submit to the
Congress, and make public, a report
regarding the implementation of
part C of title XI of the Social
Security Act. Such report shall
address the following subjects,
to the extent that the Committee
determines appropriate:
"(A)
The extent to which persons required
to comply with part C of title XI
of the Social Security Act are cooperating
in implementing the standards adopted
under such part.
"(B)
The extent to which such entities
are meeting the security standards
adopted under such part and the
types of penalties assessed for
noncompliance with such standards.
"(C)
Whether the Federal and State Governments
are receiving information of sufficient
quality to meet their responsibilities
under such part.
"(D)
Any problems that exist with respect
to implementation of such part.
"(E)
The extent to which timetables under
such part are being met.".
SEC.
264. RECOMMENDATIONS WITH RESPECT
TO PRIVACY OF CERTAIN HEALTH INFORMATION.
(a) IN GENERAL.--Not
later than the date that is 12 months
after the date of the enactment
of this Act, the Secretary of Health
and Human Services shall submit
to the Committee on Labor and Human
Resources and the Committee on Finance
of the Senate and the Committee
on Commerce and the Committee on
Ways and Means of the House of Representatives
detailed recommendations on standards
with respect to the privacy of individually
identifiable health information.
(b) SUBJECTS
FOR RECOMMENDATIONS.--The recommendations
under subsection (a) shall address
at least the following:
(1) The rights
that an individual who is a subject
of individually identifiable health
information should have.
(2) The procedures
that should be established for the
exercise of such rights.
(3) The uses
and disclosures of such information
that should be authorized or required.
(c) REGULATIONS.--
(1) IN GENERAL.--If
legislation governing standards
with respect to the privacy of individually
identifiable health information
transmitted in connection with the
transactions described in section
1173(a) of the Social Security Act
(as added by section 262) is not
enacted by the date that is 36 months
after the date of the enactment
of this Act, the Secretary of Health
and Human Services shall promulgate
final regulations containing such
standards not later than the date
that is 42 months after the date
of the enactment of this Act. Such
regulations shall address at least
the subjects described in subsection
(b).
(2) PREEMPTION.--A
regulation promulgated under paragraph
(1) shall not supercede a contrary
provision of State law, if the provision
of State law imposes requirements,
standards, or implementation specifications
that are more stringent than the
requirements, standards, or implementation
specifications imposed under the
regulation.
(d) CONSULTATION.--In
carrying out this section, the Secretary
of Health and Human Services shall
consult with--
(1) the National
Committee on Vital and Health Statistics
established under section 306(k)
of the Public Health Service Act
(42 U.S.C. 242k(k)); and
(2) the Attorney
General.