IN THE SENATE OF THE UNITED STATES
June 6, 2006
Mr. Brownback (for himself and Mr. Talent) introduced the following bill; which was read twice and referred to the Committee on Finance
To amend the Internal Revenue Code of 1986 to improve the exchange of healthcare information through the use of technology, to encourage the creation, use and maintenance of lifetime electronic health records that may contain health plan and debit card functionality in independent health record banks, to use such records to build a nationwide health information technology infrastructure, and to promote participation in health information exchange by consumers through tax incentives and for other purposes.
This Act may be cited as
Independent Health Record Bank Act
It is the purpose of this Act to provide for the establishment of a nationwide health information technology network to—
improve healthcare quality, reduce medical errors, increase the efficiency of care, and advance the delivery of appropriate, evidence-based healthcare services;
promotes the wellness, disease prevention, and management of chronic illnesses by increasing the availability and transparency of information related to the healthcare needs of an individual;
ensure that appropriate information necessary to make medical decisions is available in a usable form at the time and in the location that the medical service involved is provided;
produces greater value for healthcare expenditures by reducing healthcare costs that result from inefficiency, medical errors, inappropriate care, and incomplete information;
promotes a more effective marketplace, greater competition, greater systems analysis, increased choice, enhanced quality, and improved outcomes in healthcare services;
improve the coordination of information and the provision of such services through an effective infrastructure for the secure and authorized exchange and use of healthcare information; and
ensure that the confidentiality of individually identifiable health information of a patient is secure and protected.
In this Act:
The term account means an electronic health record of an individual contained in an independent health record bank.
Electronic health record
The term electronic health record means a longitudinal collection of personal health information concerning a single individual, entered or accepted by healthcare providers, and stored electronically.
The term healthcare entity includes healthcare consumers, providers, and payers, government agencies, pharmaceutical companies, laboratories, and research institutes.
The term HIPAA means the regulations under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note).
Individually identifiable health information
The term individually identifiable health information has the meaning given such term in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)).
Nonidentifiable health information
The term nonidentifiable health information means any list, description or other grouping of consumer information (including publicly available information pertaining to them) that is derived without using personally identifiable information that is not publicly available.
Partially identifiable health information
The term partially identifiable health information means any list, description, or other grouping of consumer information (and publicly available information pertaining to them) derived using any personally identifiable information that is not publicly available.
Protected health information
The term protected health information shall have the meaning given such term for purposes of HIPAA.
The term Secretary means the Secretary of Commerce.
Independent health record banks
It is the purpose of this section to provide for the establishment of independent health record banks to achieve a savings of money and lives in the healthcare system through—
the creation and storage of lifetime individual electronic health records for individuals that may contain health plan and debit card functionality and that serves the interests of all healthcare entities;
the utilization of technological infrastructure with the goal of connecting health records to build a national health information network;
the provision of health information data sets, within distinct authorization boundaries, based on usage needs, including—
the sale of approved data for research and other consumer purposes as provided for under section 6(b);
the provision of data for emergency healthcare as provided for under section 6(c); and
the provision of data for all other healthcare needs determined appropriate by the Secretary (in accordance with the protections provided for under section 6);
the offering of incentives to employers that face rising employee health costs, to encourage employee participation in independent health record banks; and
the creation of a source of tax-free income to support the operations of the independent health record banks, and, through revenue sharing, to provide incentives to independent health record bank account holders, healthcare providers, and fee payers to contribute health information.
Not later than 1 year after the date of enactment of this Act, the Secretary shall prescribe standards for the establishment and certification of independent health record banks to carry out the purposes described in subsection (a).
Requirement of non-profit entity
The standards under paragraph (1) shall permit a non-profit entity to establish an independent health record bank as a cooperative entity that operates for the benefit and in the interests of the membership of the bank as a whole. Such bank shall be owned and controlled by its members.
A for-profit entity may not participate in the establishment and operation of an independent health record bank, except to the extent that such entity is by contract employed to assist in carrying out the operations of the bank.
Treatment as covered entity for purposes of HIPAA
To the extent that an independent health record bank (or associated vendor) is engaged in transmitting protected health information, the bank shall be considered to be a covered entity for purposes of HIPAA with respect to such information.
To be eligible to be a member of an independent health record bank, an individual shall obtain or have obtained a product or service from a covered entity that is to be used primarily for personal, family, or household purposes, or that individual's legal representative.
No limitation on membership
Nothing in this subsection shall be construed to permit an independent health record bank to restrict membership.
Rights relating to information in the bank
An individual who has a health record contained in an independent health record bank shall maintain ownership over the entire health record and shall have the right to review the contents of the record in its entirety at any time during the normal business operating hours of the bank.
Additional information and limitation
An individual described in subparagraph (A) may add personal health information to the health record of that individual, except that such individual shall not alter or falsify information that is entered into the health record by another healthcare entity. Such an individual shall have the right to propose an amendment to such information pursuant to standards prescribed by the Secretary relating to the correction of information contained in a health record.
Other healthcare entities
A healthcare entity (other than an individual) shall serve as the custodian of only that information that has been added by such entity to the health record of an individual that is maintained by an independent health record bank. Such entity may be permitted to have access to other specified information contained in such health record (including the entire record if appropriate) if such access is granted by the independent health record bank and the individual involved (pursuant to standards prescribed by the Secretary relating to access to information).
Financing of activities
An independent health record bank may generate revenue to pay for the operations of the bank through—
charging healthcare entities, including individual account holders, account fees for use of the bank;
the sale of nonidentifiable and partially identifiable health information contained in the bank for research purposes (as provided for in section 6(b)); and
the conduct of any other activities determined appropriate by the Secretary.
Sharing of revenue
Revenue derived under paragraph (1)(B) shall be shared with independent health record bank account holders, and may be shared with healthcare providers and payers, in accordance with this Act.
Treatment of income
For purposes of the Internal Revenue Code of 1986, any revenue described in this subsection shall not be included in gross income of any independent health record bank, independent health record bank account holder, healthcare provider, or payer described in this subsection.
Healthcare clearinghouse activities
Application of section
This section shall apply to an independent health record bank (and associated vendors) with respect to activities undertaken by such bank in operating as a health care clearinghouse (as such term is defined in section 1171(2) of the Social Security Act (42 U.S.C. 1329d(2)).
To be eligible to carry out clearinghouse activities under this section, an independent health record bank (and associated vendors performing clearinghouse functions) shall be accredited by a national standards development organization, utilizing the criteria described in paragraph (2), that is properly authenticated and registered with the Attorney General and the Federal Trade Commission pursuant to the provisions of the National Cooperation Research and Production Act of 1993 (15 U.S.C. 4301 et seq.).
The criteria to be used by a national standards development organization in the accreditation of an independent health record bank under this section shall be designed to measure the competency, assets, practices, and procedures of the bank for purposes of conducting clearinghouse activities. Such criteria shall include—
the technical capacity and electronic facilities of the bank for the receipt, transmission, and handling of electronic health information transactions;
the ability of the bank to process transactions to which HIPAA applies;
the backup and disaster recovery plans and capacity of the bank;
the privacy practices, procedures, and employee training programs of the bank consistent with HIPAA; and
the security practices, procedures, and employee training programs of the bank consistent with HIPAA, including compliance with the HIPAA security rule that protected health information must only be viewable by the intended recipient.
An independent health record bank operated by an entity that has been certified under part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.) as a health care clearinghouse prior to the date of enactment of this Act shall be considered to be accredited for purposes of paragraph (1).
An independent health record bank acting as a health care clearinghouse under this section shall ensure that reporting services are provided to individual consumers in a manner that includes the provision of lists of individuals or organizations that have accessed the health record account of the consumer or to whom health information disclosures concerning the consumer have been made in accordance with the requirements of HIPAA.
Availability and use of healthcare information in bank
Except as provided in this section, access to specified sections of, or an entire, electronic health record maintained by an independent health record bank concerning an individual shall only be provided with the prior authorization of the individual involved, as authenticated as provided for under the standards prescribed by the Secretary under section 8.
Availability of data for research and other activities
An independent health record bank may sell nonidentifiable and partially identifiable health information concerning and individual only if—
the bank and the individual involved agree to the sale;
the agreement provided for under paragraph (1) includes parameters with respect to the disclosure of information involved and a process for the authorization of the further disclosure of partially identifiable health information;
the data involved is to be used for research or other activities only as provided for in the agreement under paragraph (1);
the data involved does not identify the individual who is the subject of the data;
the revenue to be derived from the sale of the data is collected by the bank and equally divided between the bank and the individual involved, except that revenue may also be distributed to healthcare providers and payers as incentives to contribute additional data to the bank; and
the transaction otherwise meets the requirements and standards prescribed by the Secretary.
Availability of data for emergency healthcare
Congress finds that—
given the size and nature of visits to emergency departments in the United States, readily available health data could make the difference between life and death; and
due to the case mix and volume of patients treated, emergency departments are well positioned to provide data for public health surveillance, community risk assessment, research, education, training, quality improvement, and other uses.
Use of data
An independent health record bank may permit healthcare providers to access, during an emergency department visit, a limited, authenticated data set concerning an individual for emergency response purposes without the prior consent of the individual. Such limited data may include—
patient identification data, as determined appropriate by the individual involved;
provider identification that includes the use of a unique provider identifiers as provided for in section 1173 of the Social Security Act (42 U.S.C. 1320d–2);
arrival and first assessment data;
data related to the individual's vitals, allergies, and medication history;
data related to existing chronic problems and active clinical conditions of the individual; and
data concerning physical examinations, procedures, results, and diagnosis data relating to the visit.
Effect on HIPAA
Nothing in this Act shall be construed to affect the scope, substance, or applicability of the part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.) or HIPAA as such relates to individually identifiable health information maintained in an independent health record bank.
Application of Federal and State security and confidentiality standards
Existing Federal security and confidentiality standards and State security and confidentiality laws shall apply to this Act (and the amendments made by this Act) until such time as Congress acts to amend such standards.
Provision of information and informational provision
Designation of agency
Each State with an independent health records bank operating in the State shall designate a State agency to be responsible for addressing complaints by residents of the State with respect to health records contained in the bank.
Provision of information
An independent health record bank operating in a State shall provide the State authority designated under paragraph (1) with an informational filing that describes the policies of the bank, the types of information sold by the bank, and other relevant information determined appropriate by such authority.
An individual who has a health record maintained by an independent health record bank shall direct any concerns, problems, or questions related to such record directly to the appropriate State authority.
For purposes of this section:
State security and confidentiality laws
The term State security and confidentiality laws means State laws and regulations relating to the privacy and confidentiality of individually identifiable health information or to the security of such information.
Current Federal security and confidentiality standards
The term current Federal security and confidentiality standards means the Federal privacy standards established pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note) and security standards established under section 1173(d) of the Social Security Act.
The term State has the meaning given such term when used in title XI of the Social Security Act, as provided under section 1101(a) of such Act (42 U.S.C. 1301(a)).
In carrying out this Act, the Secretary, acting through the Under Secretary for Technology or other appropriate official, shall—
develop a program to certify entities to operate independent health record banks;
provide assistance to encourage the growth of independent health record banks;
track economic progress as it pertains to independent health records bank operators and individuals receiving non-taxable income with respect to accounts;
conduct public education activities regarding the creation and usage of the independent health records banks;
establish an interagency council under subsection (b) to develop standards for Federal security auditing for entities operating independent health record banks; and
carry out any other activities determined appropriate by the Secretary.
Interagency council for security auditing
The Secretary, in consultation with the Secretary of Health and Human Services and other appropriate Federal officials, shall establish an interagency council to develop standards for Federal security auditing as it relates to data security, authentication, and authorization recommendations, and reviews of independent health record banks.
The interagency council established under paragraph (1) shall take into consideration the following factors when developing recommendations for security, authentication, and authorization of data in independent health record banks:
The number and type of factors used for the exchange of protected health information.
Requiring that individuals, who have health records that are maintained by the bank, be notified of a security breech with respect to such records, and any corrective action taken on behalf of the individual.
Requiring that information sent to, or received from, an independent health record bank that has been designated as high-risk should be authenticated through the use of methods such as the periodic changing of passwords, the use of biometrics, the use of tokens or other technology as determined appropriate by the council.
Recommendations for entities operating independent health record banks, including requiring analysis of the potential risk of health transaction security breeches based on set criteria.
The conduct of audits of independent health record banks to ensure that they are in compliance with the requirements and standards established under this Act.
The interagency council established under this subsection shall annually submit to the Secretary a report on compliance by independent health record banks with the requirements and standard under this Act. Such report shall be included in the report required under subsection (d).
Interagency memorandum of understanding
The Secretary and the Secretary of Health and Human Services, and other Federal officials that may be impacted by this Act, shall ensure, through the execution of an interagency memorandum of understanding among such Secretaries, that—
regulations, rulings, and interpretations issued by such Secretaries or officials relating to the same matter over which 2 or more such Secretaries or officials have responsibility under this Act are administered so as to have the same effect at all times; and
coordination of policies relating to enforcing the same requirements through such Secretaries or officials in order to have coordinated enforcement strategy that avoids duplication of enforcement efforts and assigns priorities in enforcement.
Not later than 1 year after the date of enactment of this Act, and annually thereafter, the Secretary, acting through the Under Secretary for Technology, shall submit to Committee on Health, Education, Labor, and Pensions and the Committee on Finance of the Senate and the Committee on Energy and Commerce and the Committee on Ways and Means of the House of Representatives, a report that—
describes individual owner or institution operator economic progress as achieved through independent health record bank usage and existing barriers to such usage;
describes progress in security auditing as provided for by the interagency security council under subsection (b); and
contains information on the other core responsibilities of the Secretary as described in subsection (a).
Penalties for fraud and abuse
The penalties provided for in section 1177(b) of the Social Security Act (42 U.S.C. 1320d–6) shall apply to the wrongful disclosure of information collected, maintained, or made available by an independent health record bank under this Act, including disclosures by any employees or associates of any such bank or other healthcare entity using or disclosing such information.
Tax credit for employer-provided employee independent health record bank account fees
Allowance of credit
Subpart D of part IV of subchapter A of chapter 1 of the Internal Revenue Code of 1986 (relating to business related credits) is amended by adding at the end the following new section:
Employer-provided employee independent health record bank account fees
Determination of amount
For purposes of section 38, the independent health record bank account investment credit determined under this section with respect to any taxpayer for any taxable year is an amount equal to the independent health record bank account investment provided by such taxpayer during the taxable year.
Independent health record bank account investment
For purposes of this section, the term independent health record bank account investment means, with respect to each employee of the taxpayer for any taxable year, an amount equal to the lesser of—
50 percent of the cost for such employee to maintain an independent health record bank account paid by the taxpayer during the taxable year, or
Independent health record bank account
For purposes of this section, the term independent health record bank account has the meaning given to the term account under section 3(1) of the Independent Health Record Bank Act of 2006.
No deduction or credit (other than under this section) shall be allowed under this chapter with respect to any expense which is taken into account under subsection (a) in determining the credit under this section.
Each taxpayer shall make such reports to the Secretary and to employees of the taxpayer regarding—
independent health record bank account investments made with respect to such employee during any calendar year, and
such other information as the Secretary may require.
Time for making reports
The reports required by this subsection—
shall be filed at such time and in such manner as the Secretary prescribes, and
shall be furnished to employees—
not later than January 31 of the calendar year following the calendar year to which such reports relate, and
in such manner as the Secretary prescribes.
The Secretary may prescribe such regulations as may be necessary or appropriate to carry out this section.
Application of section
This section shall apply with respect to any independent health record bank account investments made by the taxpayer for the 5-taxable year period beginning with the first taxable year during which such investments are made by the taxpayer.
Credit treated as business credit
Section 38(b) of the Internal Revenue Code of
1986 (relating to current year business credit) is amended by striking
and at the end of paragraph (29), by striking the period at the
end of paragraph (30) and inserting
, plus, and by adding at the
end the following new paragraph:
the independent health record bank account investment credit determined under section 45N(a).
The table of sections for subpart C of part IV of subchapter A of chapter 1 of the Internal Revenue Code of 1986 is amended by adding at the end the following new item:
Sec. 45N. Employer-provided employee independent health record bank account fees.
The amendments made by this section shall apply to taxable years beginning after the date of the enactment of this Act.
Additional incentive for consumers participating in IHRB
Revenue generated by an independent health record bank and received by an account holder, healthcare entity, or healthcare payer shall not be considered taxable income under the Internal Revenue Code of 1986.