H. R. 5559
IN THE HOUSE OF REPRESENTATIVES
June 8, 2006
Mr. Ryan of Wisconsin (for himself, Mr. Sessions, Mr. Moore of Kansas, and Mr. Herger) introduced the following bill; which was referred to the Committee on Energy and Commerce, and in addition to the Committee on Ways and Means, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned
To improve the exchange of health information by encouraging the creation, use, and maintenance of lifetime electronic health records in independent health record banks, by using such records to build a nationwide health information technology infrastructure, and by promoting participation in health information exchanges by consumers through tax incentives.
This Act may be cited as the
Independent Health Record Bank Act of
It is the purpose of this Act to provide for the establishment of a nationwide health information technology network that—
improves health care quality, reduces medical errors, increases the efficiency of care, and advances the delivery of appropriate, evidence-based health care services;
promotes wellness, disease prevention, and the management of chronic illnesses by increasing the availability and transparency of information related to the health care needs of an individual;
ensures that appropriate information necessary to make medical decisions is available in a usable form at the time and in the location that the medical service involved is provided;
produces greater value for health care expenditures by reducing health care costs that result from inefficiency, medical errors, inappropriate care, and incomplete information;
promotes a more effective marketplace, greater competition, greater systems analysis, increased choice, enhanced quality, and improved outcomes in health care services;
improves the coordination of information and the provision of such services through an effective infrastructure for the secure and authorized exchange and use of health information; and
ensures that the confidentiality of individually identifiable health information of a patient is secure and protected.
In this Act:
The term account means an electronic health record of an individual contained in an independent health record bank.
Electronic health record
The term electronic health record means a longitudinal collection of personal health information concerning a single individual, entered or accepted by health care providers, and stored electronically.
Health care entity
The term health care entity includes health care consumers, health care providers, and health care payers, government agencies, pharmaceutical companies, laboratories, and health care research institutes.
The term HIPAA regulations means the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2 note).
Individually identifiable health information
The term individually identifiable health information has the meaning given such term in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)).
Nonidentifiable health information
The term nonidentifiable health information means any list, description, or other grouping of consumer information (including publicly available information pertaining to them) that is derived without using personally identifiable information that is not publicly available.
Partially identifiable health information
The term partially identifiable health information means any list, description, or other grouping of consumer information (including publicly available information pertaining to them) that is derived using any personally identifiable information that is not publicly available.
Protected health information
The term protected health information shall have the meaning given such term for purposes of HIPAA regulations.
Board of Governors
The term Board of Governors means the Board of Governors of the Federal Reserve System.
Independent health record banks
It is the purpose of this section to provide for the establishment of independent health record banks to achieve financial savings in the health care system and improvements in the provision of health care through—
the creation and storage of lifetime individual electronic health records for individuals that may contain health plan and debit card functionality and that serves the interests of all health care entities;
the utilization of a technological infrastructure with the goal of connecting health records to build a national health information network;
the provision of health information data sets, within distinct authorization boundaries, based on usage needs, including—
the sale of approved data for research and other consumer purposes as provided for under section 6(b);
the provision of data for emergency health care as provided for under section 6(c); and
the provision of data for all other health care needs determined appropriate by the Board of Governors (in accordance with the protections provided for under section 6);
the offering of incentives to employers that face rising employee health costs, to encourage employee participation in independent health record banks; and
the creation of a source of tax-free income to support the operations of the independent health record banks, and, through revenue sharing, to provide incentives to independent health record bank account holders, health care providers, and fee payers to contribute health information.
Not later than one year after the date of the enactment of this Act, the Board of Governors shall prescribe standards for the establishment and certification of independent health record banks to carry out the purpose described in subsection (a).
Requirement of non-profit entity
Under the standards under paragraph (1), a non-profit entity may establish an independent health record bank as a cooperative entity that operates for the benefit and in the interests of the membership of the bank as a whole. Such bank shall be owned and controlled by its members.
Under the standards under paragraph (1), a for-profit entity may not participate in the establishment and operation of an independent health record bank, except to the extent that such entity is by contract employed to assist in carrying out the operations of the bank.
Treatment as covered entity for purposes of HIPAA regulations
To the extent that an independent health record bank (or associated vendor) is engaged in receiving or transmitting protected health information, the bank shall be considered to be a HIPAA covered entity for purposes of HIPAA regulations with respect to such information.
To be eligible to be a member of an independent health record bank, an individual shall obtain or have obtained a product or service from a covered entity that is to be used primarily for personal, family, or household purposes, or that individual's legal representative.
No limitation on membership
Nothing in this subsection shall be construed to permit an independent health record bank to restrict membership.
Rights relating to information in the bank
An individual who has a health record contained in an independent health record bank shall maintain ownership over the entire health record and shall have the right to review the contents of the entire record at any time during the normal business operating hours of the bank.
Additional information and limitation
An individual described in subparagraph (A) may add personal health information to the health record of that individual, except that such individual shall not falsify information and shall not alter information that is entered into the health record by a health care entity. Such an individual shall have the right to propose an amendment to information that is entered by a health care entity pursuant to standards prescribed by the Board of Governors for purposes of correcting such information.
Other health care entities
A health care entity (other than the individual who maintains ownership over the health record involved) shall serve as the custodian of only information that has been added by such entity to the health record. Such entity may be permitted to have access to other specified information contained in such health record (including the entire record if appropriate) if such access is granted by the independent health record bank and the individual involved (pursuant to standards prescribed by the Secretary relating to access to information).
Financing of activities
An independent health record bank may generate revenue to pay for the operations of the bank through—
charging health care entities, including individual account holders, account fees for use of the bank;
the sale of nonidentifiable and partially identifiable health information contained in the bank for research purposes (as provided for in section 6(b)); and
the conduct of any other activities determined appropriate by the Board of Governors.
Sharing of revenue
Revenue derived under paragraph (1)(B) shall be shared with independent health record bank account holders, and may be shared with health care providers and payers, in accordance with this Act.
Treatment of income
For purposes of the Internal Revenue Code of 1986, any revenue described in this subsection shall not be included in gross income of any independent health record bank, independent health record bank account holder, health care provider, or payer described in this subsection.
Health care clearinghouse activities
Application of section
This section shall apply to an independent health record bank (and associated vendors) with respect to activities undertaken by such bank in operating as a health care clearinghouse (as such term is defined in section 1171(2) of the Social Security Act (42 U.S.C. 1329d(2)).
To be eligible to carry out clearinghouse activities under this section, an independent health record bank (and associated vendors performing clearinghouse functions) shall be accredited by a national standards development organization, utilizing the criteria described in paragraph (2), that is properly authenticated and registered with the Attorney General and the Federal Trade Commission pursuant to the provisions of the National Cooperation Research and Production Act of 1993 (15 U.S.C. 4301 et seq.).
The criteria to be used by a national standards development organization in the accreditation of an independent health record bank under this section shall be designed to measure the competency, assets, practices, and procedures of the bank for purposes of conducting clearinghouse activities. Such criteria shall include—
the technical capacity and electronic facilities of the bank for the receipt, transmission, and handling of electronic health information transactions;
the ability of the bank to process transactions to which HIPAA regulations apply;
the backup and disaster recovery plans and capacity of the bank;
the privacy practices, procedures, and employee training programs of the bank consistent with HIPAA regulations; and
the security practices, procedures, and employee training programs of the bank consistent with HIPAA regulations, including compliance with the HIPAA regulations security rule that protected health information must only be viewable by the intended recipient.
An independent health record bank operated by an entity that has been certified under part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.) as a health care clearinghouse before the date of the enactment of this Act shall be considered to be accredited for purposes of paragraph (1).
An independent health record bank acting as a health care clearinghouse under this section shall ensure that reporting services are provided to individual consumers in a manner that includes the provision of lists of individuals or organizations that have accessed the health record account of the consumer or to whom health information disclosures concerning the consumer have been made in accordance with the requirements of HIPAA regulations.
Availability and use of health information in bank
Except as provided in this section, access to an individual’s electronic health record (or specified parts of such electronic health record) maintained by an independent health record bank shall only be provided with the prior authorization of the individual involved, as authenticated as provided for under the standards prescribed by the Board of Governors under section 8.
Availability of data for research and other activities
An independent health record bank may sell nonidentifiable and partially identifiable health information, with respect to an individual, only if—
the bank and the individual agree to the sale;
the agreement provided for under paragraph (1) includes parameters for the disclosure of information involved and a process for the authorization of the further disclosure of partially identifiable health information;
the data involved are to be used for research or other activities only as provided for in the agreement under paragraph (1);
the data involved do not identify the individual who is the subject of the data;
the revenue to be derived from the sale of the data is collected by the bank and equally divided between the bank and the individual involved, except that revenue may also be distributed to health care providers and payers as incentives to contribute additional data to the bank; and
the transaction otherwise meets the requirements and standards prescribed by the Board of Governors.
Availability of data for emergency health care
Congress finds that—
given the size and nature of visits to emergency departments in the United States, readily available health information could make the difference between life and death; and
because of the case mix and volume of patients treated in emergency departments, such departments are well positioned to provide information for public health surveillance, community risk assessment, research, education, training, quality improvement, and other uses.
Use of data
An independent health record bank may permit health care providers to access, during an emergency department visit, a limited, authenticated information set concerning an individual for emergency response purposes without the prior consent of the individual. Such limited information may include—
patient identification information, as determined appropriate by the individual involved;
provider identification that includes the use of unique provider identifiers as provided for in section 1173 of the Social Security Act (42 U.S.C. 1320d–2);
arrival and first assessment data;
information related to existing chronic problems and active clinical conditions of the individual;
information related to the individual's vitals, allergies, and medication history; and
information concerning physical examinations, procedures, results, and diagnosis information relating to the visit.
Ensuring privacy and security
Current Federal security and confidentiality standards and State security amd confidentiality laws shall apply to this Act (and the amendments made by this Act) until such time as Congress acts to amend such standards.
Application of HIPAA regulations and transactional standards
Nothing in this Act (or the amendments made by this Act) shall be construed to narrow the scope, substance, or applicability of part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.), or HIPAA regulations, as such provisions or regulations relate to individually identifiable health information maintained in an independent health record bank.
Treatment of State laws
Nothing in this Act (or the amendments made by this Act) shall be construed as preempting or otherwise affecting any provision of State law (or any State regulation) relating to the privacy and confidentiality of individually identifiable health information or to the security of such information, to the extent that such provision (or regulation)—
provides at least as much protection as otherwise provided under this Act and under HIPAA regulations; and
does not prohibit or restrict the exchange of health information across State borders.
For purposes of this section, the term State has the meaning given such term when used in title XI of the Social Security Act, as provided under section 1101(a) of such Act (42 U.S.C. 1301(a)).
In carrying out this Act, the Board of Governors, acting through the Under Secretary for Technology or other appropriate official, shall—
develop a program to certify entities to operate independent health record banks;
provide assistance to encourage the growth of independent health record banks;
track economic progress as it pertains to independent health record bank operators and individuals receiving non-taxable income with respect to accounts;
conduct public education activities regarding the creation and use of the independent health record banks;
establish an interagency council under subsection (b) to develop standards for Federal security auditing for entities operating independent health record banks; and
carry out any other activities determined appropriate by the Board of Governors.
Interagency council for security auditing
The Board of Governors, in consultation with the Secretary of Health and Human Services and other appropriate Federal officials, shall establish an interagency council to develop standards for Federal security auditing as it relates to data security, authentication, and authorization recommendations, and reviews of independent health record banks.
The interagency council established under paragraph (1) shall take into consideration the following factors when developing recommendations for security, authentication, and authorization of information in independent health record banks:
The number and type of factors used for the exchange of protected health information.
The requirement that individuals, who have health records that are maintained by the bank, be notified of a security breech with respect to such records, and any corrective action taken on behalf of the individual.
The requirement that information sent to, or received from, an independent health record bank that has been designated as high-risk should be authenticated through the use of methods such as the periodic changing of passwords, the use of biometrics, the use of tokens or other technology as determined appropriate by the council.
Recommendations for entities operating independent health record banks, including requiring analysis of the potential risk of health transaction security breaches based on set criteria.
The conduct of audits of independent health record banks to ensure that they are in compliance with the requirements and standards established under this Act.
The interagency council established under this subsection shall annually submit to the Board of Governors a report on compliance by independent health record banks with the requirements and standard under this Act. Such report shall be included in the corresponding annual report required under subsection (d).
Interagency memorandum of understanding
The Board of Governors and the Secretary of Health and Human Services, and other Federal officials that may be impacted by this Act, shall ensure, through the execution of an interagency memorandum of understanding among the Board, Secretary, and officials, that—
regulations, rulings, and interpretations issued by such Board, Secretary, or officials relating to the same matter over which two or more of such entities have responsibility under this Act are administered so as to have the same effect at all times; and
coordination of policies relating to enforcing the same requirements through the Board, Secretary, or officials in order to have a coordinated enforcement strategy that avoids duplication of enforcement efforts and assigns priorities in enforcement.
Not later than one year after the date of the enactment of this Act, and annually thereafter, the Secretary, acting through the Under Secretary for Technology, shall submit to the Committee on Energy and Commerce and the Committee on Ways and Means of the House of Representatives and the Committee on Health, Education, Labor, and Pensions and the Committee on Finance of the Senate, a report that—
describes individual owner or institution operator economic progress as achieved through the use of independent health record bank and existing barriers to such use;
describes progress in security auditing as provided for by the interagency security council under subsection (b); and
contains information on the other duties of the Board of Governors, as described in subsection (a).
Penalties for wrongful disclosure
The penalties provided for in subsection (a) of section 1177 of the Social Security Act (42 U.S.C. 1320d–6) shall apply to the wrongful disclosure of information collected, maintained, or made available by an independent health record bank under this Act, including disclosures by any employees or associates of any such bank or other health care entity using or disclosing such information, in the same manner as such penalties apply to a person in violation of subsection (a) of such section.
Treatment of employer-provided employee independent health record bank account fees
Section 162 of the Internal Revenue Code of 1986 (relating to trade or business expenses) is amended by redesignating subsection (q) as subsection (r) and by inserting after subsection (p) the following new subsection:
Treatment of employer-provided employee independent health record bank account fees
In the case of a taxpayer, there shall be allowed as a deduction under this section an amount equal to the independent health record bank account investment provided by such taxpayer during the taxable year.
Independent health record bank account investment
For purposes of this subsection, the term independent health record bank account investment means, with respect to each employee of the taxpayer for any taxable year, an amount equal to the the cost paid by the taxpayer during the taxable year for such employee to maintain an independent health record bank account.
Independent health record bank account
For purposes of this subsection, the term independent health record bank account has the meaning given to the term account under section 3(1) of the Independent Health Record Bank Act of 2006.
No credit or deduction (other than under this subsection) shall be allowed under this chapter with respect to any expense which is taken into account under paragraph (1) in determining the deduction under this subsection.
Each taxpayer shall make such reports to the Chairman of the Federal Reserve Board of Governors and to employees of the taxpayer regarding—
independent health record bank account investments made with respect to such employees during any calendar year, and
such other information as the Chairman may require.
Time for making reports
The reports required by this subsection—
shall be filed at such time and in such manner as the Chairman of the Federal Reserve Board of Governors prescribes, and
shall be furnished to employees—
not later than January 31 of the calendar year following the calendar year to which such reports relate, and
in such manner as the Chairman prescribes.
The Secretary may prescribe such regulations as may be necessary or appropriate to carry out this subsection.
Application of subsection
This subsection shall apply with respect to any independent health record bank account investments made by the taxpayer for the 5-taxable year period beginning with the first taxable year during which such investments are made by the taxpayer.
The amendment made by this section shall apply to taxable years beginning after the date of the enactment of this Act.
Additional incentive for consumers participating in IHRB
Revenue generated by an independent health record bank and received by an account holder, health care entity, or health care payer shall not be considered taxable income under the Internal Revenue Code of 1986.