REPORT TITLE:
Health Care Info Privacy


DESCRIPTION:
Protects privacy of health care information by stipulating
conditions under which information can be disclosed.  Provides
penalties.  (HB351 CD1)

HOUSE OF REPRESENTATIVES                H.B. NO. 351, H.D. 2, S.D. 1, C.D. 1
TWENTIETH LEGISLATURE, 1999
STATE OF HAWAII
________________________________________________________________


                   A  BILL  FOR  AN  ACT

RELATING TO PRIVACY OF HEALTH CARE INFORMATION.



BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

 1      SECTION 1.  The legislature finds that individuals have a
 
 2 constitutional right to privacy with respect to their personal
 
 3 health information and records, and with respect to information
 
 4 about their medical care and health status. 
 
 5      Traditionally, the primary health care relationship existed
 
 6 only between the patient and the doctor, and was founded upon the
 
 7 principle that all information transmitted between the patient
 
 8 and the doctor was confidential.  With advancements in modern
 
 9 technology and systematic changes in health care practices, the
 
10 patient-doctor relationship has expanded into a multi-party
 
11 relationship that includes employers, health plans, consulting
 
12 physicians and other health care providers, laboratories and
 
13 hospitals, researchers and data organizations, and various
 
14 governmental and private oversight agencies.  These multiple
 
15 relationships have fundamentally changed the handling and use of
 
16 medical information.  The legislature acknowledges that
 
17 individuals are often unaware of how their medical information is
 
18 being used and disclosed in the modern health care delivery
 
19 system.  Currently, there is no statute that comprehensively
 
20 governs the disclosure of medical records.  Most individuals sign
 

 
 1 a one-time blanket consent to release their medical records when
 
 2 they sign up for medical insurance, and doctors, hospitals, and
 
 3 insurance companies share these records as they see fit.  Thus,
 
 4 the legislature believes that an individual's right to privacy of
 
 5 their medical records is currently unclear and at risk.
 
 6      However, the legislature also recognizes that there are
 
 7 strong public policy justifications for encouraging health care
 
 8 quality through the review of medical information.  First, these
 
 9 reviews help to improve the quality of health care in Hawaii by
 
10 providing assessments of the results or outcomes of certain modes
 
11 of treatment, thereby giving patients more information with which
 
12 to make better medical choices.  Second, medical information
 
13 review helps to ferret out and prevent fraud and abuse in the
 
14 health care delivery system.  It is estimated that approximately
 
15 $100 billion of the $1 trillion spent on health care nationally
 
16 can be attributed to health care fraud.  This drives up health
 
17 care costs and takes needed health care dollars away from
 
18 deserving patients.  Third, clinical and epidemiological research
 
19 based on medical information helps to promote the quality,
 
20 efficiency, and effectiveness of the modern health care delivery
 
21 system, and leads to new treatments which relieve suffering and
 
22 save lives.
 

 
 
 
 1      Therefore, the legislature firmly believes that encouraging
 
 2 affordable quality health care, facilitating effective medical
 
 3 research, and preventing fraud and abuse are necessary to the
 
 4 health and safety of our citizens.  These are compelling state
 
 5 interests, that may be furthered by allowing the sharing of
 
 6 medical information for limited purposes, without eliminating the
 
 7 confidentiality of the patient-doctor relationship.
 
 8      The purpose of this Act is to:
 
 9      (1)  Implement the right of the people to privacy
 
10           established under section 6, article I of the
 
11           Constitution of the State of Hawaii which provides that
 
12           the legislature shall take affirmative steps to ensure
 
13           protection of the right to privacy through legislation;
 
14      (2)  Protect individuals from the adverse effects of the
 
15           improper disclosure of protected medical record health
 
16           information;
 
17      (3)  Establish strong and effective mechanisms to protect
 
18           against the unauthorized and inappropriate use of
 
19           protected health information that is created or
 
20           maintained as part of health care treatment, diagnosis,
 
21           enrollment, payment, plan administration, testing, or
 
22           research processes;
 

 
 
 
 1      (4)  Promote the health and welfare of the public by
 
 2           encouraging the effective exchange and transfer of
 
 3           health information in a manner that will ensure the
 
 4           confidentiality of protected health information without
 
 5           impeding the delivery of high quality healthcare;
 
 6      (5)  Promote the public health and welfare by allowing,
 
 7           where appropriate, the transfer of personal health
 
 8           information into nonidentifiable health information for
 
 9           oversight, health research, public health, law
 
10           enforcement, judicial, and administrative purposes;
 
11      (6)  Discourage litigation by establishing a standard set of
 
12           procedures that may be complied with to provide courts
 
13           with strong evidence that medical information was
 
14           properly handled and disclosed; and
 
15      (7)  Establish remedies for violations of this Act.
 
16      SECTION 2.  The Hawaii Revised Statutes is amended by adding
 
17 a new chapter to be appropriately designated and to read as
 
18 follows:
 
19                             "CHAPTER
 
20                PRIVACY OF HEALTH CARE INFORMATION
 
21                    PART I.  GENERAL PROVISIONS
 
22      §   -1  Definitions.  As used in this chapter, except as
 
23 otherwise specifically provided:
 

 
 1      "Accrediting body" means a committee, organization, or
 
 2 institution that has been authorized by law or is recognized by a
 
 3 health care regulating authority as an accrediting entity or any
 
 4 other entity that has been similarly authorized or recognized by
 
 5 law to perform specific accreditation, licensing, or
 
 6 credentialing activities.
 
 7      "Agent" means a person who represents and acts for another
 
 8 under a contract or relationship of agency, or whose function is
 
 9 to bring about, modify, affect, accept performance of, or
 
10 terminate contractual obligations between the principal and a
 
11 third person, including a contractor.
 
12      "Commissioner" means the insurance commissioner.
 
13      "Disclose" means to release, transfer, provide access to,
 
14 share, or otherwise divulge protected health information to any
 
15 person other than the individual who is the subject of the
 
16 information.  The term includes the initial disclosure and any
 
17 subsequent redisclosures of protected health information.
 
18      "Educational institution" means an institution or place for
 
19 instruction or education including any public or private
 
20 elementary school, secondary school, vocational school,
 
21 correspondence school, business school, junior college, teachers
 
22 college, college, normal school, professional school, university,
 
23 or scientific or technical institution, or other institution
 
24 furnishing education for children and adults.
 

 
 1      "Employer" means any individual or type of organization,
 
 2 including any partnership, association, trust, estate, joint
 
 3 stock company, insurance company, or corporation, whether
 
 4 domestic or foreign, a debtor in possession or receiver or
 
 5 trustee in bankruptcy, or a legal representative of a deceased
 
 6 person, who has one or more regular individuals in his or her
 
 7 employment.
 
 8      "Employment" means services performed for wages under any
 
 9 contract of hire, written or oral, expressed or implied, with an
 
10 employer.
 
11      "Entity" means a health care provider, health care data
 
12 organization, health plan, health oversight agency, public health
 
13 authority, employer, insurer, health researcher, law enforcement
 
14 official, or educational institution, except as otherwise defined
 
15 for purposes of a particular section only.
 
16      "Health care" means:
 
17      (1)  Preventive, diagnostic, therapeutic, rehabilitative,
 
18           palliative, or maintenance services:
 
19           (A)  With respect to the physical or mental condition
 
20                of an individual; or
 
21           (B)  Affecting the structure or function of the human
 
22                body or any part of the human body, including the
 

 
 
 
 1                banking of blood, sperm, organs, or any other
 
 2                tissue;
 
 3           or
 
 4      (2)  Any sale or dispensing of a drug, device, equipment, or
 
 5           other health care-related item to an individual, or for
 
 6           the use of an individual pursuant to a prescription or
 
 7           order by a health care provider.
 
 8      "Health care data organization" means an entity that engages
 
 9 primarily in the business of collecting, analyzing, and
 
10 disseminating identifiable and nonidentifiable patient
 
11 information.  A health care data organization is not a health
 
12 care provider, an insurer, a health researcher, or a health
 
13 oversight agency.
 
14      "Health care provider" means a person who, with respect to
 
15 any protected health information, receives, creates, uses,
 
16 maintains, or discloses the protected health information while
 
17 acting in whole or in part in the capacity of:
 
18      (1)  A person who is licensed, certified, registered, or
 
19           otherwise authorized by federal or state law to provide
 
20           an item or service that constitutes health care in the
 
21           ordinary course of business, or practice of a
 
22           profession;
 

 
 
 
 1      (2)  A federal, state, or employer-sponsored program that
 
 2           directly provides items or services that constitute
 
 3           health care to beneficiaries; or
 
 4      (3)  An officer, employee, or agent of a person described in
 
 5           paragraph (1) or (2).
 
 6      "Health oversight agency" means a person who, with respect
 
 7 to any protected health information, receives, creates, uses,
 
 8 maintains, or discloses the information while acting in whole or
 
 9 in part in the capacity of:
 
10      (1)  A person who performs or oversees the performance of an
 
11           assessment, evaluation, determination, or
 
12           investigation, relating to the licensing,
 
13           accreditation, or credentialing of health care
 
14           providers; or
 
15      (2)  A person who:
 
16           (A)  Performs or oversees the performance of an audit,
 
17                assessment, evaluation, determination, or
 
18                investigation relating to the effectiveness of,
 
19                compliance with, or applicability of, legal,
 
20                fiscal, medical, or scientific standards or
 
21                aspects of performance related to the delivery of,
 
22                or payment for, health care; and
 

 
 
 
 1           (B)  Is a public agency, acting on behalf of a public
 
 2                agency, acting pursuant to a requirement of a
 
 3                public agency, or carrying out activities under a
 
 4                federal or state law governing the assessment,
 
 5                evaluation, determination, investigation, or
 
 6                prosecution for violations of paragraph (1).
 
 7      "Health plan" means any health insurance plan, including any
 
 8 hospital or medical service plan, dental or other health service
 
 9 plan or health maintenance organization plan, provider-sponsored
 
10 organization, or other program providing or arranging for the
 
11 provision of health benefits, whether or not funded through the
 
12 purchase of insurance.
 
13      "Health researcher" means a person, or an officer, employee
 
14 or independent contractor of a person, who receives protected
 
15 health information as part of a systematic investigation,
 
16 testing, or evaluation designed to develop or contribute to
 
17 generalized scientific and clinical knowledge.
 
18      "Individual's designated representative" means a person who
 
19 is authorized by law (based on grounds other than the minority of
 
20 an individual), or by an instrument recognized under law, to act
 
21 as an agent, attorney, guardian, proxy, or other legal
 
22 representative of a protected individual.  The term includes a
 
23 health care power of attorney.
 

 
 1      "Institutional review board" means a research committee
 
 2 established and operating in accord with Title 45 C.F.R. 46
 
 3 sections 107, 108, 109, and 115.
 
 4      "Insurer" means any person regulated under chapter 432D,
 
 5 article 1 of chapter 432, any group that has purchased a group
 
 6 insurance policy issued by a person regulated under chapter 432D,
 
 7 and any person regulated under article 10A of chapter 431, other
 
 8 than a life insurer, disability income insurer, or long-term care
 
 9 insurer.
 
10      "Law enforcement inquiry" means a lawful investigation
 
11 conducted by an appropriate government agency or official
 
12 inquiring into a violation of, or failure to comply with, any
 
13 civil or administrative statute or any regulation, rule, or order
 
14 issued pursuant to such a statute.  It does not include a lawful
 
15 criminal investigation or prosecution conducted by the county
 
16 prosecutors or the department of the attorney general.
 
17      "Nonidentifiable health information" means any information
 
18 that would otherwise be protected health information except that
 
19 the information does not reveal the identity of the individual
 
20 whose health or health care is the subject of the information and
 
21 there is no reasonable basis to believe that the information
 
22 could be used, either alone or with other information that is, or
 
23 should reasonably be, known to be available to recipients of the
 
24 information, to reveal the identity of that individual.
 

 
 1      "Office of information practices" shall be as defined by
 
 2 chapter 92F.
 
 3      "Person" means a government, governmental subdivision,
 
 4 agency or authority, corporation, company, association, firm,
 
 5 partnership, insurer, estate, trust, joint venture, individual,
 
 6 individual representative, and any other legal entity.
 
 7      "Protected health information" means any information,
 
 8 identifiable to an individual, including demographic information,
 
 9 whether or not recorded in any form or medium that relates
 
10 directly or indirectly to the past, present, or future:
 
11      (1)  Physical or mental health or condition of a person,
 
12           including tissue and genetic information;
 
13      (2)  Provision of health care to an individual; or
 
14      (3)  Payment for the provision of health care to an
 
15           individual.
 
16      "Public health authority" means the department of health.
 
17      "Qualified health care operations" means:
 
18      (1)  Only those activities conducted by or on behalf of a
 
19           health plan or health care provider for the purpose of
 
20           carrying out the management functions of a health care
 
21           provider or health plan, or implementing the terms of a
 
22           contract for health plan benefits as follows:
 

 
 
 
 1           (A)  Payment, which means the activities undertaken by
 
 2                a health plan or provider which are reasonably
 
 3                necessary to determine responsibility for
 
 4                coverage, services, and the actual payment for
 
 5                services, if any;
 
 6           (B)  Conducting quality assurance activities or
 
 7                outcomes assessments;
 
 8           (C)  Reviewing the competence or qualifications of
 
 9                health care professionals;
 
10           (D)  Performing accreditation, licensing, or
 
11                credentialing activities;
 
12           (E)  Analyzing health plan claims or health care
 
13                records data;
 
14           (F)  Evaluating provider clinical performance;
 
15           (G)  Carrying out utilization management; or
 
16           (H)  Conducting or arranging for auditing services in
 
17                accordance with statute, rule, or accreditation
 
18                requirements;
 
19      (2)  A qualified health care operation shall:
 
20           (A)  Be an operation which cannot be carried on with
 
21                reasonable effectiveness and efficiency without
 
22                identifiable patient information;
 

 
 
 
 1           (B)  Be limited to only that protected health
 
 2                information collected under the terms of the
 
 3                contract for health plan benefits and without
 
 4                which the operation cannot be carried on with
 
 5                reasonable effectiveness and efficiency;
 
 6           (C)  Be limited to the minimum amount of protected
 
 7                health information, including the minimum number
 
 8                of records and the minimum number of documents
 
 9                within each patient's record, necessary to carry
 
10                on the operation with reasonable effectiveness and
 
11                efficiency; and
 
12           (D)  Limit the handling and examination of protected
 
13                health information to those persons who are
 
14                reasonably well qualified, by training,
 
15                credentials, or experience, to conduct the phase
 
16                of the operation in which they are involved.
 
17      "Surrogate" means a person, other than an individual's
 
18 designated representative or relative, who is authorized to make
 
19 a health-care decision for the individual.
 
20      "Treatment" means the provision of health care by, or the
 
21 coordination of health care among, health care providers, or the
 
22 referral of a patient from one provider to another, or
 
23 coordination of health care or other services among health care
 

 
 1 providers and third parties authorized by the health plan or the
 
 2 plan member.
 
 3      "Unique patient identifier" means a number or alpha-numeric
 
 4 string assigned to an individual, which can be or is used to
 
 5 identify an individual's protected health information.
 
 6      "Writing" means a written form that is either paper- or
 
 7 computer-based, and includes electronic signatures.
 
 8                   PART II.  INDIVIDUAL'S RIGHTS
 
 9      §   -11  Inspection and copying of protected health
 
10 information.  (a)  For the purposes of this section only,
 
11 "entity" means a health care provider, health plan, employer,
 
12 health care data organization, insurer, or educational
 
13 institution.
 
14      (b)  At the request in writing of an individual and except
 
15 as provided in subsection (c), an entity shall permit an
 
16 individual who is the subject of protected health information or
 
17 the individual's designee, to inspect and copy protected health
 
18 information concerning the individual, including records created
 
19 under section    -12, that the entity maintains.  The entity
 
20 shall adopt appropriate procedures to be followed for the
 
21 inspection or copying and may require an individual to pay
 
22 reasonable costs associated with the inspection or copying.
 

 
 
 
 1      (c)  Unless ordered by a court of competent jurisdiction, an
 
 2 entity is not required to permit the inspection or copying of
 
 3 protected health information if any of the following conditions
 
 4 are met:
 
 5      (1)  The entity determines that the disclosure of the
 
 6           information could reasonably be expected to endanger
 
 7           the life or physical safety of, or cause substantial
 
 8           mental harm to, the individual who is the subject of
 
 9           the record;
 
10      (2)  The information identifies, or could reasonably lead to
 
11           the identification of, a person who provided
 
12           information under a promise of confidentiality
 
13           concerning the individual who is the subject of the
 
14           information unless the confidential source can be
 
15           protected by redaction or other similar means;
 
16      (3)  The information is protected from discovery as provided
 
17           in section 624-25.5; or
 
18      (4)  The information was collected for or during a clinical
 
19           trial monitored by an institutional review board, the
 
20           trial is not complete, and the researcher reasonably
 
21           believes that access would harm the conduct of the
 
22           trial.
 

 
 
 
 1      (d)  If an entity denies a request for inspection or copying
 
 2 pursuant to subsection (c), the entity shall inform the
 
 3 individual in writing of:
 
 4      (1)  The reasons for the denial of the request for
 
 5           inspection or copying;
 
 6      (2)  Any procedures for further review of the denial; and
 
 7      (3)  The individual's right to file with the entity a
 
 8           concise statement setting forth the request for
 
 9           inspection or copying.
 
10      (e)  If an individual has filed a statement under subsection
 
11 (d)(3), the entity in any subsequent disclosure of the portion of
 
12 the information requested under subsection (b) shall include:
 
13      (1)  A copy of the individual's statement; and
 
14      (2)  A concise statement of the reasons for denying the
 
15           request for inspection or copying.
 
16      (f)  An entity shall permit the inspection and copying under
 
17 subsection (b) of any reasonably segregable portion of a record
 
18 after deletion of any portion that is exempt under subsection
 
19 (c).
 
20      (g)  An entity shall comply with or deny, in accordance with
 
21 subsection (d), a request for inspection or copying of protected
 
22 health information under this section not later than thirty days
 
23 after the date on which the entity or agent receives the request.
 

 
 1      (h)  An agent of an entity shall not be required to provide
 
 2 for the inspection and copying of protected health information,
 
 3 except where:
 
 4      (1)  The protected health information is retained by the
 
 5           agent; and
 
 6      (2)  The agent has received in writing a request from the
 
 7           entity involved to fulfill the requirements of this
 
 8           section, at which time this information shall be
 
 9           provided to the individual.  The agent shall comply
 
10           with subsection (g) with respect to any such
 
11           information.
 
12      (i)  The entity shall afford at least one level of appeal by
 
13 parties not involved in the original decision.
 
14      (j)  This section shall not be construed to require that an
 
15 entity described in subsection (a) conduct a formal, informal, or
 
16 other hearing or proceeding concerning a request for inspection
 
17 or copying of protected health information.
 
18      (k)  If an entity denies an individual's request for copying
 
19 pursuant to subsection (c), or if an individual so requests, the
 
20 entity shall permit the inspection or copying of the requested
 
21 protected health information by the individual's designated
 
22 representative, upon presentation of a proper authorization
 
23 signed by the individual, unless it is patently clear that doing
 

 
 1 so would defeat the purpose for which the entity originally
 
 2 denied the individual's request for inspection and copying.
 
 3      §   -12  Additions to protected health information.  A
 
 4 health care provider is the owner of the medical records in the
 
 5 health care provider's possession that were created by the health
 
 6 care provider in treating a patient.  An individual or the
 
 7 individual's authorized representative may request in writing
 
 8 that a health care provider that generated certain health care
 
 9 information append additional information to the record in order
 
10 to improve the accuracy or completeness of the information;
 
11 provided that appending this information does not erase or
 
12 obliterate any of the original information.  A health care
 
13 provider shall do one of the following:
 
14      (1)  Append the information as requested; or
 
15      (2)  Notify the individual that the request has been denied,
 
16           the reason for the denial, and that the individual may
 
17           file a statement of reasonable length explaining the
 
18           correctness or relevance of existing information or as
 
19           to the addition of new information.  The statement or
 
20           copies shall be appended to the medical record and at
 
21           all times accompany that part of the information in
 
22           contention.
 

 
 
 
 1      §   -13  Notice of confidentiality practices; forms of
 
 2 notices.  (a)  For the purposes of this section only, "entity"
 
 3 means health care provider, health care data organization, health
 
 4 plan, health oversight agency, public health authority, employer,
 
 5 insurer, health researcher, or educational institution.
 
 6      (b)  An entity shall prominently post or provide the current
 
 7 notice of the entity's confidentiality practices.  The notice
 
 8 shall be printed in clear type and composed in plain language.
 
 9 This notice shall be given pursuant to the requirements of
 
10 section   -22.  For the purpose of informing each individual of
 
11 the importance of the notice and educating the individual about
 
12 the individual's rights under this chapter, the notice shall
 
13 contain the following language, placed prominently at the
 
14 beginning:
 
15           IMPORTANT:  THIS NOTICE DEALS WITH THE SHARING OF
 
16           INFORMATION FROM YOUR MEDICAL RECORDS.  PLEASE READ IT
 
17           CAREFULLY.  This notice describes your confidentiality
 
18           rights as they relate to information from your medical
 
19           records and explains the circumstances under which
 
20           information from your medical records may be shared
 
21           with others.  This information in this notice also
 
22           applies to others covered under your health plan, such
 
23           as your spouse or children.  If you do not understand
 

 
 1           the terms of this notice, please ask for further
 
 2           explanation.
 
 3 In addition, as shall be appropriate to the size and nature of
 
 4 the entity, the notice shall include information about: 
 
 5      (1)  A description of an individual's rights with respect to
 
 6           protected health information which shall contain at a
 
 7           minimum, the following:
 
 8           (A)  An individual's right to inspect and copy their
 
 9                record;
 
10           (B)  An individual's right to request that a health
 
11                care provider append information to their medical
 
12                record; and
 
13           (C)  An individual's right to receive this notice by
 
14                each health plan upon enrollment, annually, and
 
15                when confidentiality practices are substantially
 
16                amended.
 
17      (2)  The uses and disclosures of protected health
 
18           information authorized under this chapter including
 
19           information about:
 
20           (A)  Payment;
 
21           (B)  Conducting quality assurance activities or
 
22                outcomes assessments;
 
23           (C)  Reviewing the competence or qualifications of
 
24                health care professionals;
 

 

 
 1           (D)  Performing accreditation, licensing, or
 
 2                credentialing activities;
 
 3           (E)  Analyzing health plan claims or health care
 
 4                records data;
 
 5           (F)  Evaluating provider clinical performance;
 
 6           (G)  Carrying out utilization management; or
 
 7           (H)  Conducting or arranging for auditing services in
 
 8                accordance with statute, rule or accreditation
 
 9                requirements;
 
10      (3)  The right of the individual to limit disclosure of
 
11           protected health information by deciding not to utilize
 
12           any health insurance or other third party payment as
 
13           payment for the service, as set forth in section
 
14              -21(c);
 
15      (4)  The procedures for giving consent to disclosures of
 
16           protected health information and for revoking the
 
17           consent to disclose;
 
18      (5)  The description of procedures established by the entity
 
19           for the exercise of the individual's rights required
 
20           under this chapter; and
 
21      (6)  The right to obtain a copy of the notice of
 
22           confidentiality practices required under this chapter.
 

 
 
 

 
 1      (b)  The actual procedures established by the entities for
 
 2 the exercise of individual rights under this part shall be
 
 3 available in writing upon request.
 
 4         -14  Establishment of safeguards.  (a)  An entity shall
 
 5 establish and maintain administrative, technical, and physical
 
 6 safeguards that are appropriate to the size and nature of the
 
 7 entity establishing the safeguards, and that are appropriate to
 
 8 protect the confidentiality, security, accuracy, and integrity of
 
 9 protected health information created, received, obtained,
 
10 maintained, used, transmitted, or disposed of by the entity.
 
11      (b)  The office of information practices shall adopt rules
 
12 pursuant to chapter 91 to implement subsection (a).
 
13           PART III.  RESTRICTIONS ON USE AND DISCLOSURE
 
14         -21  General rules regarding use and disclosure.  (a)
 
15 An entity shall not use or disclose protected health information
 
16 except as authorized under this part and under part IV.
 
17 Disclosure of health information in the form of nonidentifiable
 
18 health information shall not be construed as a disclosure of
 
19 protected health information.
 
20      (b)  For the purpose of treatment or qualified health care
 
21 operations, an entity may only use or disclose protected health
 
22 information within the entity if the use or disclosure is
 
23 properly noticed pursuant to sections    -13 and    -22.  For all
 

 

 
 1 other uses and disclosures, an entity may only use or disclose
 
 2 protected health information, if the use or disclosure is
 
 3 properly consented to pursuant to section    -23.  Disclosure to
 
 4 agents of an entity described in subsection (a) shall be
 
 5 considered as a disclosure within an entity.
 
 6      (c)  If an individual does not want protected health
 
 7 information released pursuant to subsection (b), the individual
 
 8 shall advise the provider prior to the delivery of services that
 
 9 the relevant protected health information shall not be disclosed
 
10 pursuant to subsection (b), and the individual shall pay the
 
11 health care provider directly for health care services.  A health
 
12 plan may decline to cover particular health care services if an
 
13 individual has refused to allow the release of protected health
 
14 care information pertaining to those particular health care
 
15 services.  Protected health information related to health care
 
16 services paid for directly by the individual shall not be
 
17 disclosed without a consent.
 
18      (d)  An agent who receives protected health information from
 
19 an entity shall be subject to all rules of disclosure and
 
20 safeguard requirements under this part.
 
21      (e)  Every use and disclosure of protected health
 
22 information shall be limited to the purpose for which it was
 
23 collected.  Any other use without a valid consent to disclose
 
24 shall be an unauthorized disclosure.
 

 

 
 1      (f)  Nothing in this part permitting the disclosure of
 
 2 protected health information shall be construed to require
 
 3 disclosure.
 
 4      (g)  An entity may disclose protected health information to
 
 5 an employee or agent of the entity not otherwise authorized to
 
 6 receive such information for purposes of creating nonidentifiable
 
 7 information, if the entity prohibits the employee or agent of the
 
 8 entity from using or disclosing the protected health information
 
 9 for purposes other than the sole purpose of creating
 
10 nonidentifiable information, as specified by the entity.
 
11      (h)  Any individual or entity who manipulates or uses
 
12 nonidentifiable health information to identify an individual,
 
13 shall be deemed to have disclosed protected health information.
 
14 The disclosure or transmission of a unique patient identifier
 
15 shall be deemed to be a disclosure of protected health
 
16 information.
 
17         -22  Giving notice regarding disclosure of protected
 
18 health information for treatment or qualified health care
 
19 operations.  (a)  The notice required by section    -13 shall be:
 
20      (1)  Given by each health plan upon enrollment, annually,
 
21           and when confidentiality practices are substantially
 
22           amended, to each individual who is eligible to receive
 
23           care under the health plan, or to the individual's
 

 

 
 1           parent or guardian if the individual is a minor or
 
 2           incompetent; and
 
 3      (2)  Posted in a conspicuous place or provided by an entity
 
 4           other than a health plan.
 
 5      (b)  For each new enrollment or re-enrollment by an
 
 6 individual in a health plan, on or after the effective date of
 
 7 this Act, a health plan shall make reasonable efforts to obtain
 
 8 the individual's signature on the notice of confidentiality
 
 9 practices.  The notice to be signed shall state that the
 
10 individual is signing on behalf of the individual and all others
 
11 covered by the individual's health plan.  If the plan is unable
 
12 to obtain the aforementioned signature, the plan shall note the
 
13 reason for the failure to obtain said signature.  The lack of a
 
14 signed notice of confidentiality practices shall not justify a
 
15 denial of coverage of a claim, nor shall it limit a health plan's
 
16 access to information necessary for treatment and qualified
 
17 health care operations; provided that the individual may elect to
 
18 keep the records from being disclosed by paying for the subject
 
19 health care services, as provided under section     -21(c).
 
20      (c)  Except as provided in this chapter, the notice required
 
21 by this section and section     -13 shall not be construed as a
 
22 waiver of any rights that the individual has under other federal
 
23 or state laws, rules of evidence, or common law.
 

 

 
 1      (d)  For the purposes of this subsection, "reasonable
 
 2 efforts" may include but are not limited to requiring the
 
 3 employer to present the notice to the individual and to request a
 
 4 signature, or mailing the notice to the individual with
 
 5 instructions to sign and return the notice within a specified
 
 6 period of time.
 
 7         -23  Authorization to disclose protected health
 
 8 information other than for treatment, payment, or qualified
 
 9 health care operations.  (a)  An entity may disclose protected
 
10 health information for purposes other than those noticed under
 
11 section    -22, pursuant to a separate written authorization to
 
12 disclose executed by the individual who is the subject of the
 
13 information.  The authorization must meet the requirements of
 
14 subsection (b).
 
15      (b)  To be valid, an authorization shall be separate from
 
16 any other notice or authorization required by this part, shall be
 
17 either in writing, dated, and signed by the individual, or in
 
18 electronic form, dated, and authenticated by the individual using
 
19 a unique identifier, shall not have been revoked, and shall do
 
20 the following:
 
21      (1)  Identify the person or entity authorized to disclose
 
22           protected health information;
 

 
 
 

 
 1      (2)  Identify the individual who is the subject of the
 
 2           protected health information;
 
 3      (3)  Describe the nature of and the time span of the
 
 4           protected health information to be disclosed;
 
 5      (4)  Identify the person to whom the information is to be
 
 6           disclosed;
 
 7      (5)  Describe the purpose of the disclosure;
 
 8      (6)  State that it is subject to revocation by the
 
 9           individual and indicate that the consent to disclose is
 
10           valid until revocation by the individual; and
 
11      (7)  Include the date at which the consent to disclose ends.
 
12      (c)  An individual may revoke in writing an authorization
 
13 under this section at any time.  An authorization obtained by a
 
14 health plan under this section is deemed to be revoked at the
 
15 time of the cancellation or nonrenewal of enrollment in the
 
16 health plan.  An entity that discloses protected health
 
17 information pursuant to an authorization that has been revoked
 
18 under this subsection shall not be subject to any liability or
 
19 penalty under this part for the disclosure if that entity acted
 
20 in good faith and had no actual or constructive notice of the
 
21 revocation.
 
22      (d)  Sections    -31 to    -39 provide for exceptions to the
 
23 requirement for the authorization.
 

 

 
 1      (e)  A recipient of protected health information pursuant to
 
 2 an authorization under this section may use the information
 
 3 solely to carry out the purpose for which the information was
 
 4 authorized for release.
 
 5      (f)  Each entity collecting or storing protected health
 
 6 information shall maintain for seven years, as part of an
 
 7 individual's protected health information, a record of each
 
 8 authorization by the individual and any revocation of
 
 9 authorization by the individual.
 
10              PART IV.  EXCEPTED USES AND DISCLOSURES
 
11         -31  Coroner or medical examiner.  When a coroner or
 
12 medical examiner or one of their duly appointed deputies seeks
 
13 protected health information for the purpose of inquiry into and
 
14 determination of the cause, manner, and circumstances of a death,
 
15 any person shall provide the requested protected health
 
16 information to the coroner or medical examiner or to the duly
 
17 appointed deputies without undue delay.  If a coroner or medical
 
18 examiner or their duly appointed deputies receive protected
 
19 health information, this protected health information shall
 
20 remain protected health information unless it is attached to or
 
21 otherwise made a part of a coroner's or medical examiner's
 
22 official report.  Health information attached to or otherwise
 
23 made a part of a coroner's or medical examiner's official report
 
24 shall be exempt from this chapter.
 

 

 
 1         -32  Individual's designated representative, relative,
 
 2 or surrogate, and directory information.  (a)  A health care
 
 3 provider, or a person who receives protected health information
 
 4 under subsection (b), may disclose protected health information
 
 5 regarding an individual to an individual's designated
 
 6 representative, relative, or surrogate if:
 
 7      (1)  The individual who is the subject of the information:
 
 8           (A)  Has been notified of the individual's right to
 
 9                object to the disclosure and the individual has
 
10                not objected to the disclosure; or
 
11           (B)  Is in a physical or mental condition such that
 
12                the individual is not capable of objecting, and
 
13                there are no prior indications that the
 
14                individual would object; and
 
15      (2)  The information disclosed is for the purpose of
 
16           providing health care to that individual; or
 
17      (3)  The disclosure of the protected health information is
 
18           consistent with good medical or professional practice.
 
19      (b)  Except as provided in subsection (d), a health care
 
20 provider may disclose the information described in subsection (c)
 
21 to any other person if the individual who is the subject of the
 
22 information:
 

 
 
 

 
 1      (1)  Has been notified of the individual's right to object
 
 2           and the individual has not objected to the disclosure;
 
 3           or
 
 4      (2)  Is in a physical or mental condition such that the
 
 5           individual is not capable of objecting; and
 
 6           (A)  The individual's designated representative,
 
 7                relative, or surrogate has not objected; and
 
 8           (B)  There are no prior indications that the individual
 
 9                would object.
 
10      (c)  Information that may be disclosed in subsection (b) is
 
11 only that information that consists of any of the following
 
12 items:
 
13      (1)  The name of the individual who is the subject of the
 
14           information;
 
15      (2)  The general health status of the individual, described
 
16           as critical, poor, fair, stable, or satisfactory or in
 
17           terms denoting similar conditions; or
 
18      (3)  The location of the individual on premises controlled
 
19           by a provider.  This disclosure shall not be made if
 
20           the information would reveal specific information about
 
21           the physical or mental condition of the individual,
 
22           unless the individual expressly authorizes the
 
23           disclosure.
 

 

 
 1      (d)  A disclosure shall not be made under this section if
 
 2 the health care provider involved has reason to believe that the
 
 3 disclosure of this information could lead to physical or mental
 
 4 harm to the individual, unless the individual expressly
 
 5 authorizes the disclosure.
 
 6         -33  Identification of deceased individuals.  A health
 
 7 care provider may disclose protected health information if the
 
 8 disclosure is necessary to assist in the identification or safe
 
 9 handling of a deceased individual.
 
10         -34  Emergency circumstances.  Any person who creates or
 
11 receives protected health information under this chapter may use
 
12 or disclose protected health information in emergency
 
13 circumstances when the use or disclosure is necessary to protect
 
14 the health or safety of the individual who is the subject of the
 
15 information from serious, imminent harm.  A disclosure made in
 
16 the good faith belief that the use or disclosure was necessary to
 
17 protect the health or safety of an individual from serious,
 
18 imminent harm shall not be a violation of this chapter.
 
19         -35  Disclosures for health oversight.  (a)  Any person
 
20 may disclose protected health information to a health oversight
 
21 agency for purposes of an oversight function authorized by law.
 
22      (b)  For purposes of this section, the individual with
 
23 authority to authorize the health oversight function involved
 

 

 
 1 shall provide to the person described in subsection (a) a
 
 2 statement that the protected health information is being sought
 
 3 for a legally authorized oversight function.
 
 4      (c)  Protected health information about an individual that
 
 5 was obtained under this section may not be used in, or disclosed
 
 6 to any person for use in, an administrative, civil, or criminal
 
 7 action or investigation directed against the individual unless
 
 8 the action or investigation arises out of and is directly related
 
 9 to:
 
10      (1)  The receipt of health care or payment for health care;
 
11      (2)  An action involving a fraudulent claim related to
 
12           health; or
 
13      (3)  An action involving oversight of a public health
 
14           authority or a health researcher.
 
15      (d)  Protected health information disclosed for purposes of
 
16 this section remains protected health information and shall not
 
17 be further disclosed by the receiving health oversight agency,
 
18 except as permitted under this section.
 
19         -36  Public health.  (a)  Any person or entity may
 
20 disclose protected health information to a public health
 
21 authority or other person authorized by law, for use in a legally
 
22 authorized:
 

 
 
 

 
 1      (1)  Disease or injury report;
 
 2      (2)  Public health surveillance;
 
 3      (3)  Public health investigation or intervention; or
 
 4      (4)  Health or disease registry.
 
 5      (b)  The disclosure of protected health information,
 
 6 pursuant to this section, to a public health authority or other
 
 7 person authorized by law shall not be a violation of this part.
 
 8      (c)  Protected health information disclosed for purposes of
 
 9 this section remains protected health information and shall not
 
10 be further disclosed by the receiving authority or person, except
 
11 as permitted under this section.
 
12         -37  Health research.  (a)  A health care provider,
 
13 health plan, public health authority, employer, insurer, or
 
14 educational institution may disclose protected health information
 
15 to a health researcher if the following requirements are met:
 
16      (1)  The research shall have been approved by an
 
17           institutional review board.  In evaluating a research
 
18           proposal, an institutional review board shall require
 
19           that the proposal demonstrate a clear purpose,
 
20           scientific integrity, and a realistic plan for
 
21           maintaining the confidentiality of protected health
 
22           information;
 

 
 
 

 
 1      (2)  The health care provider, health plan, public health
 
 2           authority, employer, insurer, or educational
 
 3           institution shall only disclose protected health
 
 4           information which it has previously created or
 
 5           collected; and 
 
 6      (3)  The holder of protected health information shall keep a
 
 7           record of all health researchers to whom protected
 
 8           health information has been made available.
 
 9      (b)  A health researcher who receives protected health
 
10 information shall remove and destroy, at the earliest opportunity
 
11 consistent with the purposes of the project involved, any
 
12 information that would enable an individual to be identified.
 
13      (c)  A health researcher who receives protected health
 
14 information shall not disclose or use the protected health
 
15 information for any purposes obtained, except that the health
 
16 researcher may disclose the information pursuant to section
 
17         -35(a).
 
18         -38  Disclosure in civil, judicial, and administrative
 
19 procedures.  (a)  Protected health information may be disclosed
 
20 pursuant to a discovery request or subpoena in a civil action
 
21 brought in a state court or a request or subpoena related to a
 
22 state administrative proceeding, only if the disclosure is made
 
23 pursuant to a court order as provided for in subsection (b) or to
 
24 a written authorization under section    -23.
 

 

 
 1      (b)  A court order issued under this section shall:
 
 2      (1)  Provide that the protected health information involved
 
 3           is subject to court protection;
 
 4      (2)  Specify to whom the information may be disclosed;
 
 5      (3)  Specify that the information may not otherwise be
 
 6           disclosed or used; and
 
 7      (4)  Meet any other requirements that the court determines
 
 8           are needed to protect the confidentiality of the
 
 9           information.
 
10      (c)  This section shall not apply in a case in which the
 
11 protected health information sought under the discovery request
 
12 or subpoena is:
 
13      (1)  Nonidentifiable health information; and
 
14      (2)  Related to a party to the litigation whose medical
 
15           condition is at issue.
 
16      (d)  The release of any protected health information under
 
17 this section shall not violate this part.
 
18         -39  Disclosure for civil or administrative law
 
19 enforcement purposes.  (a)  For the purposes of this subsection
 
20 only, "entity" means a health care provider, health plan, health
 
21 oversight agency, employer, insurer, and educational institution.
 
22      (b)  Except as to disclosures to a health oversight agency,
 
23 which are governed by section    -35, an entity or person who
 

 

 
 1 receives protected health information pursuant to sections    -23
 
 2 and    -31 through    -37, may disclose protected health
 
 3 information under this section, if the disclosure is pursuant to:
 
 4      (1)  An administrative subpoena or summons or judicial
 
 5           subpoena;
 
 6      (2)  Consent in accordance with section   -23; or
 
 7      (3)  A court order.
 
 8      (c)  A subpoena or summons for a disclosure under subsection
 
 9 (b)(1) shall only be issued if the civil or administrative law
 
10 enforcement agency involved shows that there is probable cause to
 
11 believe that the information is relevant to a legitimate law
 
12 enforcement inquiry.
 
13      (d)  When the matter or need for which protected health
 
14 information was disclosed to a civil or administrative law
 
15 enforcement agency under subsection (b) has concluded, including
 
16 any derivative matters arising from the matter or need, the civil
 
17 or administrative law enforcement agency shall either destroy the
 
18 protected health information, or return all of the protected
 
19 health information to the person from whom it was obtained.
 
20      (e)  To the extent practicable, and consistent with the
 
21 requirements of due process, a civil or administrative law
 
22 enforcement agency shall redact personally identifying
 
23 information from protected health information prior to the public
 

 

 
 1 disclosure of the protected information in a judicial or
 
 2 administrative proceeding.
 
 3      (f)  Protected health information obtained by a civil or
 
 4 administrative law enforcement agency pursuant to this section
 
 5 may only be used for purposes of a legitimate law enforcement
 
 6 activity.
 
 7      (g)  If protected health information is obtained without
 
 8 meeting the requirements of subsection (b)(1), (2), or (3), any
 
 9 information that is unlawfully obtained shall be excluded from
 
10 court proceedings unless the defendant requests otherwise.
 
11         -40  Payment card and electronic payment transaction.
 
12 (a)  If an individual pays for health care by presenting a debit,
 
13 credit, or other payment card or account number, or by any other
 
14 electronic payment means, the entity receiving payment may
 
15 disclose to a person described in subsection (b) only such
 
16 protected health information about the individual as is necessary
 
17 for the processing of the payment transaction or the billing or
 
18 collection of amounts charged to, debited from, or otherwise paid
 
19 by, the individual using the card, number, or other electronic
 
20 means.
 
21      (b)  A person who is a debit, credit, or other payment card
 
22 issuer, or is otherwise directly involved in the processing of
 
23 payment transactions involving such cards or other electronic
 

 

 
 1 payment transactions, or is otherwise directly involved in the
 
 2 billing or collection of amounts paid through these means, may
 
 3 use or disclose protected health information about an individual
 
 4 that has been disclosed in accordance with subsection (a) only
 
 5 when necessary for:
 
 6      (1)  The settlement, billing, or collection of amounts
 
 7           charged to, debited from, or otherwise paid by the
 
 8           individual using a debit, credit, or other payment card
 
 9           or account number, or by other electronic payment
 
10           means;
 
11      (2)  The transfer of receivables, accounts, or interest
 
12           therein;
 
13      (3)  The internal audit of the debit, credit, or other
 
14           payment card account information;
 
15      (4)  Compliance with federal, state, or county law; or
 
16      (5)  Compliance with a properly authorized civil, criminal,
 
17           or regulatory investigation by federal, state, or
 
18           county authorities as governed by the requirements of
 
19           this section.
 
20         -41  Standards for electronic disclosures.  The office
 
21 of information practices shall adopt rules to establish standards
 
22 for disclosing, authorizing, and authenticating protected health
 
23 information in electronic form consistent with this part.
 

 

 
 1         -42  Rights of minors.  (a)  In the case of an
 
 2 individual who is eighteen years of age or older, all rights of
 
 3 an individual under this chapter shall be exercised by the
 
 4 individual.
 
 5      (b)  In the case of an individual of any age who, acting
 
 6 alone, can obtain a type of health care without violating any
 
 7 applicable federal or state law, and who has sought this care,
 
 8 the individual shall exercise all rights of an individual under
 
 9 this chapter with respect to health care.
 
10      (c)  Except as provided in subsection (b), in the case of an
 
11 individual who is:
 
12      (1)  Under fourteen years of age, all of the individual's
 
13           rights under this chapter shall be exercised only
 
14           through the parent or legal guardian; or
 
15      (2)  At least fourteen but under eighteen years of age, the
 
16           rights of inspection and amendment, and the right to
 
17           authorize use and disclosure of protected health
 
18           information of the individual may be exercised by the
 
19           individual, or by the parent or legal guardian of the
 
20           individual.  If the individual and the parent or legal
 
21           guardian do not agree as to whether to authorize the
 
22           use or disclosure of protected health information of
 
23           the individual, the individual's authorization or
 
24           revocation of authorization shall control.
 

 

 
 1         -43  Deceased individuals.  This chapter shall continue
 
 2 to apply to protected health information concerning a deceased
 
 3 individual following the death of that individual.  A person who
 
 4 is authorized by law or by an instrument recognized under law, to
 
 5 act as a personal representative of the estate of a deceased
 
 6 individual, or otherwise to exercise the rights of the deceased
 
 7 individual, to the extent so authorized, may exercise and
 
 8 discharge the rights of the deceased individual under this
 
 9 chapter.
 
10                        PART V.  SANCTIONS
 
11         -51  Wrongful disclosure of protected health
 
12 information.  (a)  A person who knowingly or intentionally
 
13 obtains protected health information relating to an individual or
 
14 discloses protected health information to another person in
 
15 violation of this chapter shall be guilty of a class C felony.
 
16      (b)  A person who knowingly or intentionally sells,
 
17 transfers, or uses protected health information for commercial
 
18 advantage, personal gain, or malicious harm, in violation of this
 
19 chapter shall be guilty of a class B felony.
 
20         -52  Civil actions by individuals.  (a)  Any individual
 
21 whose rights under this chapter have been violated may bring a
 
22 civil action against the person or entity responsible for the
 
23 violation.
 

 

 
 1      (b)  In any civil action brought under this section, if the
 
 2 court finds a violation of an individual's rights under this
 
 3 chapter, the court may award:
 
 4      (1)  Injunctive relief, including enjoining a person or
 
 5           entity from engaging in a practice that violates this
 
 6           chapter;
 
 7      (2)  Equitable relief;
 
 8      (3)  Compensatory damages for injuries suffered by the
 
 9           individual.  Injuries compensable under this section
 
10           may include, but are not limited to, personal injury
 
11           including emotional distress, reputational injury,
 
12           injury to property, and consequential damages;
 
13      (4)  Punitive damages, as appropriate;
 
14      (5)  Costs of the action;
 
15      (6)  Attorneys' fees, as appropriate; and
 
16      (7)  Any other relief the court finds appropriate.
 
17      (c)  No action may be commenced under this section after the
 
18 time period stated in section 657-7.
 
19         -53  Cease and desist orders; civil penalty.  (a)  A
 
20 court shall issue and cause to be served upon a person, who has
 
21 violated any provision of this chapter, a copy of the court's
 
22 findings and an order requiring the person to cease and desist
 
23 from violating this chapter, or to otherwise comply with the
 

 

 
 1 requirements of this chapter.  The court may also order any one
 
 2 or more of the following:
 
 3      (1)  For any violation of this chapter, payment of a civil
 
 4           penalty of not more than $500 for each and every act or
 
 5           violation but not to exceed $5,000 in the aggregate for
 
 6           multiple violations;
 
 7      (2)  For a knowing violation of this chapter, payment of a
 
 8           civil penalty of not more than $25,000 for each and
 
 9           every act or violation but not to exceed $100,000 in
 
10           the aggregate for multiple violations; and
 
11      (3)  For violations of this chapter that have occurred with
 
12           such frequency as to constitute a general business
 
13           practice, a civil penalty of $100,000.
 
14      (b)  Any person who violates a cease and desist order or
 
15 injunction issued under this section may be subject to a civil
 
16 penalty of not more than $10,000 for each and every act in
 
17 violation of the cease and desist order.
 
18      (c)  No order or injunction issued under this section shall
 
19 in any way relieve or absolve any person affected by the order
 
20 from any other liability, penalty, or forfeiture required by law.
 
21      (d)  Any civil penalties collected under this section shall
 
22 be deposited into the general fund.
 

 
 
 

 
 1         -54  Prevention and deterrence.  To promote the
 
 2 prevention and deterrence of acts or omissions that violate laws
 
 3 designed to safeguard the protected health information in a
 
 4 manner consistent with this chapter, the director of the office
 
 5 of information practices, with any other appropriate individual,
 
 6 organization, or agency, may provide advice, training, technical
 
 7 assistance, and guidance regarding ways to prevent improper
 
 8 disclosure of protected health information.
 
 9         -55  Relationship to other laws.  (a)  Nothing in this
 
10 chapter shall be construed to preempt or modify any provisions of
 
11 state law concerning a privilege of a witness or person in a
 
12 court of the State.  Receipt of notice pursuant to section   -22
 
13 or consent to disclose pursuant to section    -23 shall not be
 
14 construed as a waiver of these privileges.
 
15      (b)  Nothing in this chapter shall be construed to preempt,
 
16 supersede, or modify the operation of any state law that:
 
17      (1)  Provides for the reporting of vital statistics such as
 
18           birth or death information;
 
19      (2)  Requires the reporting of abuse or neglect information
 
20           about any individual;
 
21      (3)  Relates to public or mental health and that prevents or
 
22           otherwise restricts disclosure of information otherwise
 
23           permissible under this chapter, except that if this
 

 

 
 1           chapter is more protective of information, it shall
 
 2           prevail;
 
 3      (4)  Governs a minor's right to access protected health
 
 4           information or health care services; or
 
 5      (5)  Meets any other requirements that the court determines
 
 6           are needed to protect the confidentiality of the
 
 7           information."
 
 8      SECTION 3.  Section 334-5, Hawaii Revised Statutes, is
 
 9 amended to read as follows:
 
10      "334-5 Confidentiality of records.  All certificates,
 
11 applications, records, and reports made for the purposes of this
 
12 chapter and directly or indirectly identifying a person subject
 
13 hereto shall be kept confidential and shall not be disclosed by
 
14 any person except so far as:
 
15      (1)  [as the] The person identified, or the person's legal
 
16           guardian, consents[, or];
 
17      (2)  [as disclosure] Disclosure may be deemed necessary by
 
18           the director of health or by the administrator of a
 
19           private psychiatric or special treatment facility to
 
20           carry out this chapter[, or];
 
21      (3)  [as a] A court may direct upon its determination that
 
22           disclosure is necessary for the conduct of proceedings
 
23           before it and that failure to make the disclosure would
 
24           be contrary to the public interest[, or]
 

 

 
 1      (4)  [as disclosure] Disclosure may be deemed necessary
 
 2           under the federal Protection and Advocacy for Mentally
 
 3           Ill Individuals Act of 1986, Public Law 99-319, to
 
 4           protect and advocate the rights of persons with mental
 
 5           illness who reside in facilities providing treatment or
 
 6           care[.]; or
 
 7      (5)  Disclosure is made to the patient's health care insurer
 
 8           to obtain reimbursement for services rendered to the
 
 9           patient; provided that release shall be limited to the
 
10           information necessary to effectuate reimbursement and
 
11           facilitate other qualified health care operations as
 
12           defined in chapter       ; provided further that
 
13           disclosure shall not be made if, after being informed
 
14           that a claim will be made to an insurer, the patient
 
15           refuses to consent to the disclosure after being
 
16           afforded the opportunity to make reimbursement and by
 
17           actually making direct reimbursement.
 
18      For the purposes of this section, "facilities" shall
 
19 include, but not be limited to, hospitals, nursing homes,
 
20 community facilities for mentally ill individuals, boarding
 
21 homes, and care homes.
 
22      Nothing in this section shall preclude disclosure, upon
 
23 proper inquiry, of any information relating to a particular
 

 

 
 1 patient and not clearly adverse to the interests of the patient,
 
 2 to the patient, the patient's family, legal guardian, or
 
 3 relatives, nor, except as provided above, affect the application
 
 4 of any other rule or statute of confidentiality.  The use of the
 
 5 information disclosed shall be limited to the purpose for which
 
 6 the information was furnished."
 
 7      SECTION 4.  Section 622-52, Hawaii Revised Statutes, is
 
 8 amended to read as follows:
 
 9      "622-52  Subpoena duces tecum for medical records,
 
10 compliance.  (a)  [Whenever a subpoena duces tecum is served upon
 
11 the custodian of medical records or other qualified witness from
 
12 a medical facility, in an action or other proceeding on a claim
 
13 for personal injuries in which the custodian or the custodian's
 
14 employer is neither a party to the action or proceeding nor is it
 
15 alleged that the claim arose at the medical facility, and such
 
16 subpoena requires the production in court, or before an officer,
 
17 board, commission, or tribunal, of all or any part of the medical
 
18 records of a patient who is or has been cared for or treated at
 
19 the medical facility, it shall be sufficient compliance therewith
 
20 if the custodian or other qualified witness within five days
 
21 after receipt of such subpoena, delivers by registered or
 
22 certified mail or by messenger a true and correct copy (which may
 
23 be by any method described in rule 1001(4), Hawaii rules of
 

 

 
 1 evidence) of all the medical records described in such subpoena
 
 2 to the clerk of the court or the clerk's deputy authorized to
 
 3 issue it, together with the affidavit described in section
 
 4 622-53.]  A subpoena duces tecum or discovery request for
 
 5 protected health information is valid only if accompanied by
 
 6 either a court order, or a written authorization signed in
 
 7 accordance with section    -23.  An order issued under this
 
 8 section shall:
 
 9      (1)  Provide that the protected health information involved
 
10           is subject to court protection;
 
11      (2)  Specify to whom the information may be disclosed;
 
12      (3)  Specify that the information may not be disclosed or
 
13           used except as provided in the order; and
 
14      (4)  Meet any other requirements that the court determines
 
15           are needed to protect the confidentiality of the
 
16           information.
 
17      (b)  Whenever a subpoena duces tecum is served upon the
 
18 custodian of medical records or other qualified witness from a
 
19 health care provider, health plan, public health authority,
 
20 employer, insurer, law enforcement official, educational
 
21 institution, health oversight agency, health researcher, or
 
22 medical facility, in a civil action or other proceeding in which
 
23 the custodian or the custodian's employer is neither a party to
 

 

 
 1 the action or proceeding nor is it alleged that the claim arose
 
 2 at the office, facility, or institution to which the request for
 
 3 information is directed, and such subpoena requires the
 
 4 production in court, or before an officer, board, commission, or
 
 5 tribunal, of all or any part of the medical records of a patient
 
 6 who is or has been cared for or treated at the office, facility,
 
 7 or institution, it shall be sufficient compliance if the
 
 8 custodian or other qualified witness within five days after
 
 9 receipt of such subpoena, delivers by registered or certified
 
10 mail or by messenger, a true and correct copy (which may be by
 
11 any method described in rule 1001(4), Hawaii Rules of Evidence),
 
12 of all the medical records described in such subpoena to the
 
13 clerk of the court or the clerk's deputy authorized to issue it,
 
14 together with the affidavit described in section 622-53.
 
15      [(b)] (c)  The copy of the medical records shall be
 
16 separately enclosed in an inner envelope or wrapper, sealed, with
 
17 the title and number of the action, name of the custodian or
 
18 other qualified witness, and date of the subpoena clearly
 
19 inscribed thereon; the sealed envelope or wrapper shall then be
 
20 enclosed in an outer envelope or wrapper, sealed, and directed as
 
21 follows:
 
22      (1)  If the subpoena directs attendance in court, to the
 
23           clerk of such court or the clerk's deputy authorized to
 
24           issue it, at the courthouse[.]; and
 

 

 
 1      (2)  In other cases, to the officer, board, commission, or
 
 2           tribunal conducting the hearing, at the place
 
 3           designated in the subpoena.
 
 4      [(c)] (d)  The copy of the medical records shall remain
 
 5 sealed and shall be opened only at the time of trial, or other
 
 6 hearing, upon the direction of the judge, officer, board,
 
 7 commission, or tribunal conducting the proceeding, in the
 
 8 presence of all parties who have appeared in person or by counsel
 
 9 at such trial, or hearing, unless the parties or counsel in the
 
10 proceeding otherwise agree, or unless the sealed envelope or
 
11 wrapper is returned to the custodian or other qualified witness
 
12 who is to appear personally.  Copies of medical records [which]
 
13 that are not introduced in evidence or required as part of the
 
14 record shall be returned by registered or certified mail or by
 
15 messenger to the person or entity from whom received.  If the
 
16 copies of the medical records are introduced in evidence or are
 
17 required as part of the record, they shall be returned by
 
18 registered or certified mail or messenger to the person or entity
 
19 from whom received as soon as their use is no longer needed,
 
20 after the trial, or other hearing.
 
21      (e)  This section shall not be construed to supersede any
 
22 grounds that may apply under federal or state law for objecting
 
23 to turning over the protected health information."
 

 

 
 1      SECTION 5.  The office of information practices shall submit
 
 2 a status report to the legislature on the adoption of rules
 
 3 required by this Act and regarding existing licensure,
 
 4 certification, and regulatory mechanisms for the imposition of
 
 5 sanctions or penalties for the wrongful disclosure of protected
 
 6 health information, no later than twenty days prior to the
 
 7 convening of the 2000 regular session.
 
 8      SECTION 6.  Life insurers, disability income insurers, and
 
 9 long-term care insurers regulated under article 10A of chapter
 
10 431, and property and casualty insurers shall submit to the
 
11 legislature a report and recommendations for proposed legislation
 
12 governing the treatment of protected health information,
 
13 including but not limited to the National Association of
 
14 Insurance Commissioners Insurance Information and Privacy
 
15 Protection Act, or substantially similar legislation, no later
 
16 than twenty days prior to the convening of the 2000 regular
 
17 session.
 
18      SECTION 7.  The legislative reference bureau shall conduct a
 
19 study to determine the most appropriate method by which this Act
 
20 may be implemented and enforced.  The legislative reference
 
21 bureau shall consider, but not limit its consideration of
 
22 agencies to the insurance division and the regulated industries
 
23 complaints office of the department of commerce and consumer
 

 

 
 1 affairs, and the office of information practices, and shall also
 
 2 propose and evaluate cooperative arrangements between agencies.
 
 3 The factors to be considered by the legislative reference bureau
 
 4 in conducting its study shall include but not be limited to:
 
 5      (1)  Experience and expertise in the area to be regulated;
 
 6      (2)  Ability to work cooperatively with regulated entities,
 
 7           and to educate entities as to the requirements under
 
 8           this Act;
 
 9      (3)  Independence and neutrality of the agency with regard
 
10           to its relationship with regulated entities;
 
11      (4)  Existing agency resources; and
 
12      (5)  Experience and expertise of the agency in conducting
 
13           enforcement activities.
 
14      The legislative reference bureau shall submit a report of
 
15 its findings and recommendations to the legislature no later than
 
16 twenty days prior to the convening of the 2000 regular session.
 
17      SECTION 8.  If any provision of this Act, or the application
 
18 thereof to any person or circumstance is held invalid, the
 
19 invalidity does not affect other provisions or applications of
 
20 this Act which can be given effect without the invalid provision
 
21 or application, and to this end the provisions of this Act are
 
22 severable.
 

 
 
 

 
 1      SECTION 9.  Statutory material to be repealed is bracketed.
 
 2 New statutory material is underscored.
 
 3      SECTION 10.  This Act shall take effect on July 1, 2000;
 
 4 provided that sections 5, 6, and 7 shall take effect upon its
 
 5 approval.