H. R. 2991
IN THE HOUSE OF REPRESENTATIVES
July 11, 2007
Mr. Moore of Kansas (for himself, Mr. Ryan of Wisconsin, Mr. Barrow, Mrs. Blackburn, Mr. Boustany, Mr. Boyd of Florida, Mrs. Boyda of Kansas, Mr. Clay, Mr. Cleaver, Mr. Cooper, Mr. Crowley, Mr. Davis of Alabama, Mr. Lincoln Davis of Tennessee, Mr. Delahunt, Mr. Dicks, Mrs. Emerson, Mr. Etheridge, Mr. Graves, Mr. Heller of Nevada, Mr. Herger, Mr. Hill, Mr. Holden, Mr. Holt, Mrs. Jones of Ohio, Mr. Larson of Connecticut, Mrs. McCarthy of New York, Mr. Mitchell, Mr. Moran of Kansas, Mr. Putnam, Mrs. McMorris Rodgers, Mr. Sensenbrenner, Mr. Sessions, Mr. Smith of Washington, Mrs. Tauscher, Mr. Tiahrt, and Mr. Baird) introduced the following bill; which was referred to the Committee on Energy and Commerce, and in addition to the Committee on Ways and Means, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned
To improve the availability of health information and the provision of health care by encouraging the creation, use, and maintenance of lifetime electronic health records of individuals in independent health record trusts and by providing a secure and privacy-protected framework in which such records are made available only by the affirmative consent of such individuals and are used to build a nationwide health information technology infrastructure.
Short title; table of contents
This Act may be cited as the Independent Health Record Trust Act of 2007.
Table of contents
The table of contents of this Act is as follows:
Sec. 1. Short title; table of contents.
Sec. 2. Purpose.
Sec. 3. Definitions.
Sec. 4. Establishment, certification, and membership of independent health record trusts.
Sec. 5. Duties of IHRT to IHRT participants.
Sec. 6. Availability and use of information from records in IHRT consistent with privacy protections and agreements.
Sec. 7. Voluntary nature of trust participation and information sharing.
Sec. 8. Financing of activities.
Sec. 9. Regulatory oversight.
Purpose
It is the purpose of this Act to provide for the establishment of a nationwide health information technology network that—
improves health care quality, reduces medical errors, increases the efficiency of care, and advances the delivery of appropriate, evidence-based health care services;
promotes wellness, disease prevention, and the management of chronic illnesses by increasing the availability and transparency of information related to the health care needs of an individual;
ensures that appropriate information necessary to make medical decisions is available in a usable form at the time and in the location that the medical service involved is provided;
produces greater value for health care expenditures by reducing health care costs that result from inefficiency, medical errors, inappropriate care, and incomplete information;
promotes a more effective marketplace, greater competition, greater systems analysis, increased choice, enhanced quality, and improved outcomes in health care services;
improves the coordination of information and the provision of such services through an effective infrastructure for the secure and authorized exchange and use of health information; and
ensures that the health information privacy, security, and confidentiality of individually identifiable health information is protected.
Definitions
In this Act:
The term access means, with respect to an electronic health record, entering information into such account as well as retrieving information from such account.
The term account means an electronic health record of an individual contained in an independent health record trust.
The term affirmative consent means, with respect to an electronic health record of an individual contained in an IHRT, express consent given by the individual for the use of such record in response to a clear and conspicuous request for such consent or at the individual’s own initiative.
Authorized EHR data user
The term authorized EHR data user means, with respect to an electronic health record of an IHRT participant contained as part of an IHRT, any entity (other than the participant) authorized (in the form of affirmative consent) by the participant to access the electronic health record.
The term confidentiality means, with respect to individually identifiable health information of an individual, the obligation of those who receive such information to respect the health information privacy of the individual.
Electronic health record
The term electronic health record means a longitudinal collection of information concerning a single individual, including medical records and personal health information, that is stored electronically.
Health information privacy
The term health information privacy means, with respect to individually identifiable health information of an individual, the right of such individual to control the acquisition, uses, or disclosures of such information.
The term health plan means a group health plan (as defined in section 2208(1) of the Public Health Service Act (42 U.S.C. 300bb–8(1))) as well as a plan that offers health insurance coverage in the individual market.
HIPAA privacy regulations
The term HIPAA privacy regulations means the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note).
Independent health record trust; IHRT
The terms independent health record trust and IHRT mean a legal arrangement under the administration of an IHRT operator that meets the requirements of this Act with respect to electronic health records of individuals participating in the trust or IHRT.
The term IHRT operator means, with respect to an IHRT, the organization that is responsible for the administration and operation of the IHRT in accordance with this Act.
The term IHRT participant means, with respect to an IHRT, an individual who has a participation agreement in effect with respect to the maintenance of the individual’s electronic health record by the IHRT.
Individually identifiable health information
The term individually identifiable health information has the meaning given such term in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)).
The term security means, with respect to individually identifiable health information of an individual, the physical, technological, or administrative safeguards or tools used to protect such information from unwarranted access or disclosure.
Establishment, certification, and membership of independent health record trusts
Not later than one year after the date of the enactment of this Act, the Federal Trade Commission, in consultation with the National Committee on Vital and Health Statistics, shall prescribe standards for the establishment, certification, operation, and interoperability of IHRTs to carry out the purposes described in section 2 in accordance with the provisions of this Act.
Certification by FTC
The Federal Trade Commission shall provide for the certification of IHRTs. No IHRT may be certified unless the IHRT is determined to meet the standards for certification established under subsection (a).
The Federal Trade Commission shall establish a process for the revocation of certification of an IHRT under this section in the case that the IHRT violates the standards established under subsection (a).
To be eligible to be a participant in an IHRT, an individual shall—
submit to the IHRT information as required by the IHRT to establish an electronic health record with the IHRT; and
enter into a privacy protection agreement described in section 6(b)(1) with the IHRT.
No limitation on membership
Nothing in this subsection shall be construed to permit an IHRT to restrict membership, including on the basis of health condition.
Duties of IHRT to IHRT participants
Fiduciary duty of IHRT; penalties for violations of fiduciary duty
With respect to the electronic health record of an IHRT participant maintained by an IHRT, the IHRT shall have a fiduciary duty to act for the benefit and in the interests of such participant and of the IHRT as a whole. Such duty shall include obtaining the affirmative consent of such participant prior to the release of information in such participant’s electronic health record in accordance with the requirements of this Act.
If the IHRT knowingly or recklessly breaches the fiduciary duty described in paragraph (1), the IHRT shall be subject to the following penalties:
Loss of certification of the IHRT.
A fine that is not in excess of $50,000.
A term of imprisonment for the individuals involved of not more than 5 years.
Electronic health record deemed To be held in trust by IHRT
With respect to an individual, an electronic health record maintained by an IHRT shall be deemed to be held in trust by the IHRT for the benefit of the individual and the IHRT shall have no legal or equitable interest in such electronic health record.
Availability and use of information from records in IHRT consistent with privacy protections and agreements
Protected electronic health records use and access
General rights regarding uses of information
With respect to the electronic health record of an IHRT participant maintained by an IHRT, subject to paragraph (2)(C), primary uses and secondary uses (described in subparagraphs (B) and (C), respectively) of information within such record (other than by such participant) shall be permitted only upon the authorization of such use, prior to such use, by such participant.
For purposes of subparagraph (A) and with respect to an electronic health record of an individual, a primary use is a use for purposes of the individual’s self-care or care by health care professionals.
For purposes of subparagraph (B) and with respect to an electronic health record of an individual, a secondary use is any use not described in subparagraph (B) and includes a use for purposes of public health research or other related activities. Additional authorization is required for a secondary use extending beyond the original purpose of the secondary use authorized by the IHRT participant involved. Nothing in this paragraph shall be construed as requiring authorization for every secondary use that is within the authorized original purpose.
Rules for primary use of records for health care purposes
With respect to the electronic health record of an IHRT participant (or specified parts of such electronic health record) maintained by an IHRT, standards for access to such record shall provide for the following:
Access by IHRT participants to their electronic health records
The participant maintains ownership over the entire electronic health record (and all portions of such record) and shall have the right to electronically access and review the contents of the entire record (and any portion of such record) at any time, in accordance with this subparagraph.
Addition of personal information
The participant may add personal health information to the health record of that participant, except that such participant shall not alter information that is entered into the electronic health record by any authorized EHR data user. Such participant shall have the right to propose an amendment to information that is entered by an authorized EHR data user pursuant to standards prescribed by the Federal Trade Commission for purposes of amending such information.
Identification of information entered by participant
Any additions or amendments made by the participant to the health record shall be identified and disclosed within such record as being made by such participant.
Access by entities other than IHRT participant
Authorized access only
Except as provided under subparagraph (C) and paragraph (4), access to the electronic health record (or any portion of the record)—
may be made only by authorized EHR data users and only to such portions of the record as specified by the participant; and
may be limited by the participant for purposes of entering information into such record, retrieving information from such record, or both.
Identification of entity that enters information
Any information that is added by an authorized EHR data user to the health record shall be identified and disclosed within such record as being made by such user.
Satisfaction of HIPAA privacy regulations
In the case of a record of a covered entity (as defined for purposes of HIPAA privacy regulations), with respect to an individual, if such individual is an IHRT participant with an independent health record trust and such covered entity is an authorized EHR data user, the requirement under the HIPAA privacy regulations for such entity to provide the record to the participant shall be deemed met if such entity, without charge to the IHRT or the participant—
forwards to the trust an appropriately formatted electronic copy of the record (and updates to such records) for inclusion in the electronic health record of the participant maintained by the trust;
enters such record into the electronic health record of the participant so maintained; or
otherwise makes such record available for electronic access by the IHRT or the individual in a manner that permits such record to be included in the account of the individual contained in the IHRT.
Notification of sensitive information
Any information, with respect to the participant, that is sensitive information, as specified by the Federal Trade Commission, shall not be forwarded or entered by an authorized EHR data user into the electronic health record of the participant maintained by the trust unless the user certifies that the participant has been notified of such information.
Deemed authorization for access for emergency health care
Congress finds that—
given the size and nature of visits to emergency departments in the United States, readily available health information could make the difference between life and death; and
because of the case mix and volume of patients treated, emergency departments are well positioned to provide information for public health surveillance, community risk assessment, research, education, training, quality improvement, and other uses.
Use of information
With respect to the electronic health record of an IHRT participant (or specified parts of such electronic health record) maintained by an IHRT, the participant shall be deemed as providing authorization (in the form of affirmative consent) for health care providers to access, in connection with providing emergency care services to the participant, a limited, authenticated information set concerning the participant for emergency response purposes, unless the participant specifies that such information set (or any portion of such information set) may not be so accessed. Such limited information set may include information—
patient identification data, as determined appropriate by the participant;
provider identification that includes the use of unique provider identifiers;
information related to the individual’s vitals, allergies, and medication history;
information related to existing chronic problems and active clinical conditions of the participant; and
information concerning physical examinations, procedures, results, and diagnosis data.
Rules for secondary uses of records for research and other purposes
With respect to the electronic health record of an IHRT participant (or specified parts of such electronic health record) maintained by an IHRT, the IHRT may sell such record (or specified parts of such record) only if—
the transfer is authorized by the participant pursuant to an agreement between the participant and the IHRT and is in accordance with the privacy protection agreement described in subsection (b)(1) entered into between such participant and such IHRT;
such agreement includes parameters with respect to the disclosure of information involved and a process for the authorization of the further disclosure of information in such record;
the information involved is to be used for research or other activities only as provided for in the agreement;
the recipient of the information provides assurances that the information will not be further transferred or reused in violation of such agreement; and
the transfer otherwise meets the requirements and standards prescribed by the Federal Trade Commission.
Treatment of public health reporting
Nothing in this paragraph shall be construed as prohibiting or limiting the use of health care information of an individual, including an individual who is an IHRT participant, for public health reporting (or other research) purposes prior to the inclusion of such information in an electronic health record maintained by an IHRT.
Law enforcement clarification
Nothing in this Act shall prevent an IHRT from disclosing information contained in an electronic health record maintained by the IHRT when required for purposes of a lawful investigation or official proceeding inquiring into a violation of, or failure to comply with, any criminal or civil statute or any regulation, rule, or order issued pursuant to such a statute.
Rule of construction
Nothing in this section shall be construed to require a health care provider that does not utilize electronic methods or appropriate levels of health information technology on the date of the enactment of this Act to adopt such electronic methods or technology as a requirement for participation or compliance under this Act.
Privacy protection agreement; treatment of State privacy and security laws
Privacy protection agreement
A privacy protection agreement described in this subsection is an agreement, with respect to an electronic health record of an IHRT participant to be maintained by an independent health record trust, between the participant and the trust—
that is consistent with the standards described in subsection (a)(2);
under which the participant specifies the portions of the record that may be accessed, under what circumstances such portions may be accessed, any authorizations for indicated authorized EHR data users to access information contained in the record, and the purposes for which the information (or portions of the information) in the record may be used;
which provides a process for the authorization of the transfer of information contained in the record to a third party, including for the sale of such information for purposes of research, by an authorized EHR data user and reuse of such information by such third party, including a provision requiring that such transfer and reuse is not in violation of any privacy or transfer restrictions placed by the participant on the independent health record of such participant; and
under which the trust provides assurances that the trust will not transfer, disclose, or provide access to the record (or any portion of the record) in violation of the parameters established in the agreement or to any person or entity who has not agreed to use and transfer such record (or portion of such record) in accordance with such agreement.
Treatment of State laws
Except as provided under subparagraph (B), the provisions of a privacy protection agreement entered into between an IHRT and an IHRT participant shall preempt any provision of State law (or any State regulation) relating to the privacy and confidentiality of individually identifiable health information or to the security of such health information.
Exception for privileged information
The provisions of a privacy protection agreement shall not preempt any provision of State law (or any State regulation) that recognizes privileged communications between physicians, health care practitioners, and patients of such physicians or health care practitioners, respectively.
For purposes of this section, the term State has the meaning given such term when used in title XI of the Social Security Act, as provided under section 1101(a) of such Act (42 U.S.C. 1301(a)).
Voluntary nature of trust participation and information sharing
Participation in an independent health record trust, or authorizing access to information from such a trust, is voluntary. No employer, health insurance issuer, group health plan, health care provider, or other person may require, as a condition of employment, issuance of a health insurance policy, coverage under a group health plan, the provision of health care services, payment for such services, or otherwise, that an individual participate in, or authorize access to information from, an independent health record trust.
The penalties provided for in subsection (a) of section 1177 of the Social Security Act (42 U.S.C. 1320d–6) shall apply to a violation of subsection (a) in the same manner as such penalties apply to a person in violation of subsection (a) of such section.
Financing of activities
Except as provided in subsection (b), an IHRT may generate revenue to pay for the operations of the IHRT through—
charging IHRT participants account fees for use of the trust;
charging authorized EHR data users for accessing electronic health records maintained in the trust;
the sale of information contained in the trust (as provided for in section 6(a)(3)(A)); and
any other activity determined appropriate by the Federal Trade Commission.
Prohibition against access fees for health care providers
For purposes of providing incentives to health care providers to access information maintained in an IHRT, as authorized by the IHRT participants involved, the IHRT may not charge a fee for services specified by the IHRT. Such services shall include the transmittal of information from a health care provider to be included in an independent electronic health record maintained by the IHRT (or permitting such provider to input such information into the record), including the transmission of or access to information described in section 6(a)(2)(C)(ii) by appropriate emergency responders.
The sources and amounts of revenue derived under subsection (a) for the operations of an IHRT shall be fully disclosed to each IHRT participant of such IHRT and to the public.
Treatment of income
For purposes of the Internal Revenue Code of 1986, any revenue described in subsection (a) shall not be included in gross income of any IHRT, IHRT participant, or authorized EHR data user.
Regulatory oversight
In carrying out this Act, the Federal Trade Commission shall promulgate regulations for independent health record trusts.
Establishment of Interagency Steering Committee
The Secretary of Health and Human Services shall establish an Interagency Steering Committee in accordance with this subsection.
The Secretary of Health and Human Services shall serve as the chairperson of the Interagency Steering Committee.
The members of the Interagency Steering Committee shall consist of the Attorney General, the Chairperson of the Federal Trade Commission, the Chairperson for the National Committee for Vital and Health Statistics, a representative of the Federal Reserve, and other Federal officials determined appropriate by the Secretary of Health and Human Services.
The Interagency Steering Committee shall coordinate the implementation of this Act, including the implementation of policies described in subsection (d) based upon the recommendations provided under such subsection, and regulations promulgated under this Act.
Federal advisory committee
The National Committee for Vital and Health Statistics shall serve as an advisory committee for the IHRTs. The membership of such advisory committee shall include a representative from the Federal Trade Commission and the chairperson of the Interagency Steering Committee. Not less than 60 percent of such membership shall consist of representatives of nongovernment entities, at least one of whom shall be a representative from an organization representing health care consumers.
The National Committee for Vital and Health Statistics shall issue periodic reports and review policies concerning IHRTs based on each of the following factors:
Privacy and security policies.
Policies recommended by Federal Trade Commission
The Federal Trade Commission, in consultation with the National Committee for Vital and Health Statistics, shall recommend policies to—
provide assistance to encourage the growth of independent health record trusts;
track economic progress as it pertains to operators of independent health records trusts and individuals receiving nontaxable income with respect to accounts;
conduct public education activities regarding the creation and usage of the independent health records trusts;
establish standards for the interoperability of health information technology to ensure that information contained in such record may be shared between the trust involved, the participant, and authorized EHR data users, including for the standardized collection and transmission of individual health records (or portions of such records) to authorized EHR data users through a common interface and for the portability of such records among independent health record trusts; and
carry out any other activities determined appropriate by the Federal Trade Commission.
Regulations promulgated by Federal Trade Commission
The Federal Trade Commission shall promulgate regulations based on, at a minimum, the following factors:
Requiring that an IHRT participant, who has an electronic health record that is maintained by an IHRT, be notified of a security breach with respect to such record, and any corrective action taken on behalf of the participant.
Requiring that information sent to, or received from, an IHRT that has been designated as high-risk should be authenticated through the use of methods such as the periodic changing of passwords, the use of biometrics, the use of tokens or other technology as determined appropriate by the council.
Requiring a delay in releasing sensitive health care test results and other similar information to patients directly in order to give physicians time to contact the patient.
Recommendations for entities operating IHRTs, including requiring analysis of the potential risk of health transaction security breaches based on set criteria.
The conduct of audits of IHRTs to ensure that they are in compliance with the requirements and standards established under this Act.
Disclosure to IHRT participants of the means by which such trusts are financed, including revenue from the sale of patient data.
Prevention of certification of an entity seeking independent health record trust certification based on—
the potential for conflicts between the interests of such entity and the security of the health information involved; and
the involvement of the entity in any activity that is contrary to the best interests of a patient.
Prevention of the use of revenue sources that are contrary to a patient’s interests.
Public disclosure of audits in a manner similar to financial audits required for publicly traded stock companies.
Requiring notification to a participating entity that the information contained in such record may not be representative of the complete or accurate electronic health record of such account holder.
Not later than 1 year after the date of the enactment of this Act, and annually thereafter, the Commission shall submit to the Committee on Health, Education, Labor, and Pensions and the Committee on Finance of the Senate and the Committee on Energy and Commerce and the Committee on Ways and Means of the House of Representatives, a report on compliance by and progress of independent health record trusts with this Act. Such report shall describe the following:
The number of complaints submitted about independent health record trusts, which shall be divided by complaints related to security breaches, and complaints not related to security breaches, and may include other categories as the Interagency Steering Committee established under section (b) determines appropriate.
The number of enforcement actions undertaken by the Commission against independent health record trusts in response to complaints under paragraph (1), which shall be divided by enforcement actions related to security breaches and enforcement actions not related to security breaches and may include other categories as the Interagency Steering Committee established under section (b) determines appropriate.
The economic progress of the individual owner or institution operator as achieved through independent health record trust usage and existing barriers to such usage.
The progress in security auditing as provided for by the Interagency Steering Committee council under subsection (b).
The other core responsibilities of the Commission as described in subsection (a).
Interagency memorandum of understanding
The Interagency Steering Committee shall ensure, through the execution of an interagency memorandum of understanding, that—
regulations, rulings, and interpretations issued by Federal officials relating to the same matter over which 2 or more such officials have responsibility under this Act are administered so as to have the same effect at all times; and
the memorandum provides for the coordination of policies related to enforcing the same requirements through such officials in order to have coordinated enforcement strategy that avoids duplication of enforcement efforts and assigns priorities in enforcement.