< Back to H.R. 6357 (110th Congress, 2007–2009)

Text of the PRO(TECH)T Act of 2008

This bill was introduced on July 23, 2008, in a previous session of Congress, but was not enacted. The text of the bill below is as of Jun 24, 2008 (Introduced).

Download PDF

Source: GPO

I

110th CONGRESS

2d Session

H. R. 6357

IN THE HOUSE OF REPRESENTATIVES

June 24, 2008

(for himself, Mr. Barton of Texas, Mr. Pallone, Mr. Deal of Georgia, Mr. Gordon of Tennessee, Mr. Hall of Texas, Mr. Towns, Mr. Upton, Mr. Engel, Mrs. Wilson of New Mexico, Mr. Gonzalez, Mr. Gingrey, and Mrs. Biggert) introduced the following bill; which was referred to the Committee on Energy and Commerce, and in addition to the Committees on Science and Technology and Ways and Means, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned

A BILL

To amend the Public Health Service Act to promote the adoption of health information technology, and for other purposes.

1.

Short title; table of contents

(a)

Short title

This Act may be cited as the Protecting Records, Optimizing Treatment, and Easing Communication through Healthcare Technology Act of 2008 or the PRO(TECH)T Act of 2008.

(b)

Table of contents

The table of contents of this Act is as follows:

Sec. 1. Short title; table of contents.

Title I—Health Information Technology

Subtitle A—Promotion of Health Information Technology

Part I—Improving health care quality, safety, and efficiency

Sec. 101. ONCHIT; standards development and adoption; health information technology resource center.

Title XXX—Health Information Technology and Quality

Sec. 3000. Definitions.

Subtitle A—Promotion of Health Information Technology

Sec. 3001. Office of the National Coordinator for Health Information Technology.

Sec. 3002. HIT Policy Committee.

Sec. 3003. HIT Standards Committee.

Sec. 3004. Process for adoption of endorsed recommendations.

Sec. 3005. Application and use of adopted standards and implementation specifications by Federal agencies.

Sec. 3006. Voluntary application and use of adopted standards and implementation specifications by private entities.

Sec. 3007. Health Information Technology Resource Center.

Sec. 102. Transitions.

Part II—Application and use of adopted health information technology standards; reports

Sec. 111. Coordination of Federal activities with adopted standards and implementation specifications.

Sec. 112. Application to private entities.

Sec. 113. Reports.

Subtitle B—Incentives for the Use of Health Information Technology

Sec. 121. Grant, loan, and demonstration programs.

Subtitle B—Incentives for the Use of Health Information Technology

Sec. 3011. Grants and loans to facilitate the widespread adoption of qualified health information technology.

Sec. 3012. Demonstration program to integrate information technology into clinical education.

Title II—Testing of Health Information Technology

Sec. 201. National Institute for Standards and Technology testing.

Sec. 202. Research and development programs.

Title III—Privacy and security provisions

Sec. 300. Definitions.

Subtitle A—Security provisions

Sec. 301. Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions.

Sec. 302. Notification in the case of breach.

Sec. 303. Education on Health Information Privacy and report on compliance.

Subtitle B—Improved privacy provisions and additional security provisions

Sec. 311. Application of penalties to business associates of covered entities for violations of privacy contract requirements.

Sec. 312. Restrictions on certain disclosures of health information; accounting of certain protected health information disclosures.

Sec. 313. Conditions on certain contacts as part of health care operations.

Sec. 314. Study on application of privacy and security requirements to vendors of personal health records.

Sec. 315. Temporary breach notification requirement for vendors of personal health records.

Sec. 316. Business associate contracts required for certain entities.

Sec. 317. Guidance on implementation specification to de-identify protected health information.

Sec. 318. GAO report on treatment disclosures.

Sec. 319. Clarification of application of wrongful disclosures criminal penalties.

Subtitle C—Relationship to other laws; clarification; effective date

Sec. 321. Relationship to other laws.

Sec. 322. Effective date.

I

Health Information Technology

A

Promotion of Health Information Technology

I

Improving health care quality, safety, and efficiency

101.

ONCHIT; standards development and adoption; health information technology resource center

(a)

In general

The Public Health Service Act (42 U.S.C. 201 et seq.) is amended by adding at the end the following:

XXX

Health Information Technology and Quality

3000.

Definitions

In this title:

(1)

Enterprise integration

The term enterprise integration means the electronic linkage of health care providers, health plans, the government, and other interested parties, to enable the electronic exchange and use of health information among all the components in the health care infrastructure in accordance with applicable law, and such term includes related application protocols and other related standards.

(2)

Health care provider

The term health care provider means a hospital, skilled nursing facility, nursing facility, home health entity, health care clinic, Federally qualified health center, group practice (as defined in section 1877(h)(4) of the Social Security Act), a pharmacist, a pharmacy, a laboratory, a physician (as defined in section 1861(r) of the Social Security Act), a practitioner (as described in section 1842(b)(18)(C) of the Social Security Act), a provider operated by, or under contract with, the Indian Health Service or by an Indian tribe (as defined in the Indian Self-Determination and Education Assistance Act), tribal organization, or urban Indian organization (as defined in section 4 of the Indian Health Care Improvement Act), a rural health clinic, and any other category of facility or clinician determined appropriate by the Secretary.

(3)

Health information

The term health information has the meaning given such term in section 1171(4) of the Social Security Act.

(4)

Health information technology

The term health information technology means hardware, software, license, right, intellectual property, equipment, or other information technology (including new versions, upgrades, and connectivity) designed or provided primarily for the electronic creation, maintenance, or exchange of health information to coordinate care or improve health care quality, efficiency, or research.

(5)

Health plan

The term health plan has the meaning given such term in section 1171(5) of the Social Security Act.

(6)

HIT Policy Committee

The term HIT Policy Committee means such Committee established under section 3002(a).

(7)

HIT Standards Committee

The term HIT Standards Committee means such Committee established under section 3003(a).

(8)

Individually identifiable health information

The term individually identifiable health information has the meaning given such term in section 1171(6) of the Social Security Act.

(9)

Laboratory

The term laboratory has the meaning given such term in section 353(a).

(10)

National Coordinator

The term National Coordinator means the head of the Office of the National Coordinator for Health Information Technology established under section 3001(a).

(11)

Pharmacist

The term pharmacist has the meaning given such term in section 804(2) of the Federal Food, Drug, and Cosmetic Act.

(12)

State

The term State means each of the several States, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana Islands.

A

Promotion of Health Information Technology

3001.

Office of the National Coordinator for Health Information Technology

(a)

Establishment

There is established within the Department of Health and Human Services an Office of the National Coordinator for Health Information Technology (referred to in this section as the Office). The Office shall be headed by a National Coordinator who shall be appointed by the Secretary and shall report directly to the Secretary.

(b)

Purpose

The National Coordinator shall perform the duties under subsection (c) in a manner consistent with the development of a nationwide interoperable health information technology infrastructure that—

(1)

ensures that each patient’s health information is secure and protected, in accordance with applicable law;

(2)

improves health care quality, reduces medical errors, and advances the delivery of patient-centered medical care;

(3)

reduces health care costs resulting from inefficiency, medical errors, inappropriate care, duplicative care, and incomplete information;

(4)

ensures that appropriate information to help guide medical decisions is available at the time and place of care;

(5)

ensures the inclusion of meaningful public input in such development of such infrastructure;

(6)

improves the coordination of care and information among hospitals, laboratories, physician offices, and other entities through an effective infrastructure for the secure and authorized exchange of health care information;

(7)

improves public health reporting and facilitates the early identification and rapid response to public health threats and emergencies, including bioterror events and infectious disease outbreaks;

(8)

facilitates health and clinical research and health care quality;

(9)

promotes prevention of chronic diseases;

(10)

promotes a more effective marketplace, greater competition, greater systems analysis, increased consumer choice, and improved outcomes in health care services; and

(11)

improves efforts to reduce health disparities.

(c)

Duties of the National Coordinator

(1)

Standards

The National Coordinator shall review and determine whether to endorse each standard, implementation specification, and certification criterion for the electronic exchange and use of health information that is recommended by the HIT Standards Committee under section 3003 for purposes of adoption under section 3004(b). The Coordinator shall make such determination, and report to the Secretary such determination, not later than 90 days after the date the recommendation is received by the Coordinator.

(2)

HIT policy coordination

The National Coordinator shall coordinate health information technology policy and programs of the Department with those of other relevant executive branch agencies with a goal of avoiding duplication of efforts and of helping to ensure that each agency undertakes health information technology activities primarily within the areas of its greatest expertise and technical capability.

(3)

Strategic plan

(A)

In general

The National Coordinator shall, in consultation with other appropriate Federal agencies (including the National Institute of Standards and Technology), maintain and update a strategic plan with specific objectives, milestones, and metrics for the following:

(i)

The electronic exchange and use of health information and the enterprise integration of such information.

(ii)

The utilization of an electronic health record for each person in the United States by 2014.

(iii)

The incorporation of privacy and security protections for the electronic exchange of an individual’s individually identifiable health information.

(iv)

Ensuring security methods to ensure appropriate authorization, electronic authentication, and encryption of health information.

(v)

Specifying a framework for coordination and flow of recommendations and policies under this subtitle among the Secretary, the National Coordinator, the HIT Policy Committee, the HIT Standards Committee, and other health information exchanges and other relevant entities.

(vi)

Methods to foster the public understanding of health information technology.

(vii)

Strategies to enhance the use of health information technology in improving the quality of health care, reducing medical errors, reducing health disparities, and in improving the continuity of care among health care settings.

(B)

Collaboration

The strategic plan shall be developed and updated through collaboration of public and private interests.

(C)

Measurable outcome goals

The strategic plan shall include measurable outcome goals.

(D)

Publication

The National Coordinator shall publish the strategic plan, including all updates.

(4)

Website

The National Coordinator shall maintain and frequently update an Internet website on which there is posted information that includes the following:

(A)

The schedule developed by the HIT Standards Committee under section 3003(b)(3).

(B)

The recommendations of the HIT Policy Committee under section 3002.

(C)

Recommendations of the HIT Standards Committee under section 3003.

(D)

Sources of Federal grant funds and technical assistance that are available to facilitate the purchase of, or enhance the utilization of, health information technology systems.

(E)

The report prepared by the National Coordinator under paragraph (5).

(F)

The assessment by the National Coordinator under paragraph (6).

(G)

The evaluation by the National Coordinator under paragraph (7).

(H)

The annual estimate of resources required under paragraph (8).

(5)

Implementation report

The National Coordinator shall prepare a report that identifies lessons learned from major public and private health care systems in their implementation of health information technology systems, including information on whether the systems and practices developed by such systems may be applicable to and usable in whole or in part by other health care providers.

(6)

Assessment of impact of HIT on communities with health disparities and uninsured, underinsured, and medically underserved areas

The National Coordinator shall assess and publish the impact of health information technology in communities with health disparities and in areas that serve uninsured, underinsured, and medically underserved individuals (including urban and rural areas) and identify practices to increase the adoption of such technology by health care providers in such communities.

(7)

Evaluation of benefits and costs of the electronic use and exchange of health information

The National Coordinator shall evaluate and publish evidence on the benefits and costs of the electronic use and exchange of health information and assess to whom these benefits and costs accrue.

(8)

Resource requirements

The National Coordinator shall estimate and publish resources required annually to reach the goal of utilization of an electronic health record for each person in the United States by 2014, including the required level of Federal funding, expectations for regional, State, and private investment, and the expected contributions by volunteers to activities for the utilization of such records.

(9)

Certification

(A)

In general

The National Coordinator, in consultation with the Director of the National Institute of Standards and Technology, shall develop a program (either directly or by contract) for the voluntary certification of health information technology as being in compliance with applicable certification criteria adopted under this subtitle. Such program shall include testing of the technology in accordance with section 201(b) of the PRO(TECH)T Act of 2008.

(B)

Certification criteria described

In this title, the term certification criteria means, with respect to standards and implementation specifications for health information technology, criteria to establish that the technology meets such standards and implementation specifications.

(d)

Detail of Federal Employees

(1)

In general

Upon the request of the National Coordinator, the head of any Federal agency is authorized to detail, with or without reimbursement from the Office, any of the personnel of such agency to the Office to assist it in carrying out its duties under this section.

(2)

Effect of detail

Any detail of personnel under paragraph (1) shall—

(A)

not interrupt or otherwise affect the civil service status or privileges of the Federal employee; and

(B)

be in addition to any other staff of the Department employed by the National Coordinator.

(3)

Acceptance of detailees

Notwithstanding any other provision of law, the Office may accept detailed personnel from other Federal agencies without regard to whether the agency described under paragraph (1) is reimbursed.

(e)

Authorization of Appropriations

There are authorized to be appropriated to carry out this section $66,000,000 for fiscal year 2009.

3002.

HIT Policy Committee

(a)

Establishment

There is established a HIT Policy Committee to make policy recommendations to the National Coordinator relating to the implementation of a nationwide health information technology infrastructure, including implementation of the strategic plan described in section 3001(c)(3).

(b)

Duties

(1)

Recommendations on health information technology infrastructure

Not later than 1 year after the date of the enactment of this title, the HIT Policy Committee shall recommend a policy framework for the development and adoption of a nationwide health information technology infrastructure that permits the electronic exchange and use of health information as is consistent with the strategic plan under section 3001(c)(3) and that includes the recommendations under paragraph (2). Annually thereafter the Committee shall update such recommendations and make new recommendations as appropriate.

(2)

Specific areas of standard development

(A)

In general

The HIT Policy Committee shall recommend the areas in which standards, implementation specifications, and certification criteria are needed for the electronic exchange and use of health information for purposes of adoption under section 3004(b) and shall recommend an order of priority for the development, harmonization, and recognition of such standards, specifications, and criteria among the areas so recommended. Such standards and implementation specifications shall include named standards, architectures, and software schemes for the authentication and security of individually identifiable health information and other information as needed to ensure the reproducible development of common solutions across disparate entities.

(B)

Areas required for consideration

In making recommendations under subparagraph (A), the HIT Policy Committee shall consider at least the following areas:

(i)

Technologies that protect the privacy of health information and promote security, including for the protection from disclosure of specific individually identifiable health information, in accordance with applicable law, and for the use and disclosure of limited data sets (as defined for purposes of regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996) of such information.

(ii)

A nationwide interoperable health information technology infrastructure that permits the electronic exchange and use of health information.

(iii)

The utilization of an electronic health record for each person in the United States by 2014.

(C)

Other areas for consideration

In making recommendations under subparagraph (A), the HIT Policy Committee may consider the following additional areas:

(i)

The appropriate uses of a nationwide health information infrastructure, including for purposes of—

(I)

the collection of quality data and public reporting;

(II)

biosurveillance and public health;

(III)

medical and clinical research; and

(IV)

drug safety.

(ii)

Self-service technologies that facilitate the use and exchange of patient information and reduce wait times.

(iii)

Telemedicine technologies, in order to reduce travel requirements for patients in remote areas.

(iv)

Technologies that facilitate home health care and the monitoring of patients recuperating at home.

(v)

Technologies that help reduce medical errors.

(vi)

Technologies that facilitate the continuity of care among health settings.

(vii)

Technologies that meet the needs of diverse populations.

(viii)

Any other technology that the HIT Policy Committee finds to be among the technologies with the greatest potential to improve the quality and efficiency of health care.

(3)

Forum

The HIT Policy Committee shall serve as a forum for broad stakeholder input with specific expertise in policies relating to the matters described in paragraphs (1) and (2).

(4)

Website

The HIT Policy Committee shall develop and maintain an Internet website on which there is posted information that includes the following:

(A)

Established governance rules.

(B)

A business plan.

(C)

Meeting notices at least 14 days prior to each meeting.

(D)

Meeting agendas at least 7 days prior to each meeting.

(E)

Meeting materials at least 3 days prior to each meeting.

(c)

Membership

(1)

Appointments

The HIT Policy Committee shall be composed of members to be appointed as follows:

(A)

3 members shall be appointed by the Secretary, 1 of whom shall be appointed to represent the Department of Health and Human Services and 1 of whom shall be a public health official.

(B)

1 member shall be appointed by the majority leader of the Senate.

(C)

1 member shall be appointed by the minority leader of the Senate.

(D)

1 member shall be appointed by the Speaker of the House of Representatives.

(E)

1 member shall be appointed by the minority leader of the House of Representatives.

(F)

Such other members as shall be appointed by the President as representatives of other relevant Federal agencies.

(G)

11 members shall be appointed by the Comptroller General of the United States of whom—

(i)

1 member shall be an advocate for patients or consumers;

(ii)

2 members shall represent health care providers, one of which shall be a physician;

(iii)

1 member shall be from a labor organization representing health care workers;

(iv)

1 member shall have expertise in privacy and security;

(v)

1 member shall have expertise in improving the health of vulnerable populations;

(vi)

1 member shall be from the research community;

(vii)

1 member shall represent health plans or other third-party payers;

(viii)

1 member shall represent information technology vendors;

(ix)

1 member shall represent purchasers or employers; and

(x)

1 member shall have expertise in health care quality measurement and reporting.

(2)

National Coordinator

The National Coordinator shall be a member of the HIT Policy Committee and act as a liaison among the HIT Policy Committee, the HIT Standards Committee, and the Federal Government.

(3)

Chairperson and vice chairperson

The HIT Policy Committee shall designate 1 member to serve as the chairperson and 1 member to serve as the vice chairperson of the HIT Policy Committee.

(4)

Participation

The members of the HIT Policy Committee appointed under paragraph (1) shall represent a balance among various sectors of the health care system so that no single sector unduly influences the recommendations of such Committee.

(5)

Terms

(A)

In general

The terms of members of the HIT Policy Committee appointed under paragraph (1) shall be 3 years except that the Comptroller General of the United States shall designate staggered terms for the members first appointed under paragraph (1)(G).

(B)

Vacancies

Any member appointed to fill a vacancy in the membership of the HIT Policy Committee that occurs prior to the expiration of the term for which the member’s predecessor was appointed shall be appointed only for the remainder of that term. A member may serve after the expiration of that member’s term until a successor has been appointed. A vacancy in the HIT Policy Committee shall be filled in the manner in which the original appointment was made.

(6)

Outside involvement

The HIT Policy Committee shall ensure an adequate opportunity for the participation in activities of the Committee of outside advisors, including individuals with expertise in the development of policies for the electronic exchange and use of health information, including in the areas of health information privacy and security.

(7)

Quorum

Ten members of the HIT Policy Committee shall constitute a quorum for purposes of voting, but a lesser number of members may meet and hold hearings.

(d)

Application of FACA

The Federal Advisory Committee Act (5 U.S.C. App.), other than section 14 of such Act, shall apply to the HIT Policy Committee.

(e)

Publication

The Secretary shall provide for publication in the Federal Register and the posting on the Internet website of the Office of the National Coordinator for Health Information Technology of all policy recommendations made by the HIT Policy Committee under this section.

3003.

HIT Standards Committee

(a)

Establishment

There is established a committee to be known as the HIT Standards Committee to recommend to the National Coordinator standards, implementation specifications, and certification criteria for the electronic exchange and use of health information for purposes of adoption under section 3004(b), consistent with the implementation of the strategic plan described in section 3001(c)(3).

(b)

Duties

(1)

Standard development

(A)

In general

Beginning not later than 1 year after the date of the enactment of this title, the HIT Standards Committee shall recommend to the National Coordinator standards, implementation specifications, and certification criteria described in subsection (a) that have been developed, harmonized, or recognized by the Committee. Annually thereafter the Committee shall update such recommendations and make new recommendations as appropriate, including in response to a notification sent under section 3004(b)(2). Such recommendations shall be consistent with the latest recommendations made by the HIT Policy Committee.

(B)

Pilot testing of standards and implementation specifications

In the development, harmonization, or recognition of standards and implementation specifications, the HIT Standards Committee, as appropriate, shall provide for the testing of such standards and specifications by the National Institute for Standards and Technology under section 201 of the PRO(TECH)T Act of 2008.

(C)

Consistency

The standards, implementation specifications, and certification criteria recommended under this subsection shall be consistent with the standards for information transactions and data elements adopted pursuant to section 1173 of the Social Security Act.

(2)

Forum

The HIT Standards Committee shall serve as a forum for the participation of a broad range of stakeholders to provide input on the development, harmonization, and recognition of standards, implementation specifications, and certification criteria necessary for the development and adoption of a nationwide interoperable health information technology infrastructure.

(3)

Schedule

Not later than 90 days after the date of the enactment of this title, the HIT Standards Committee shall develop a schedule for the assessment of policy recommendations developed by the HIT Policy Committee under section 3002. The HIT Standards Committee shall update such schedule annually. The Secretary shall publish such schedule in the Federal Register.

(4)

Public input

The HIT Standards Committee shall conduct open public meetings and develop a process to allow for public comment on the schedule described in paragraph (3) and recommendations described in this subsection. Under such process comments shall be submitted in a timely manner after the date of publication of a recommendation under this subsection.

(5)

Website

The HIT Standards Committee shall develop and maintain an Internet website on which there is posted information that includes the following:

(A)

Established governance rules.

(B)

A business plan.

(C)

Meeting notices at least 14 days prior to each meeting.

(D)

Meeting agendas at least 7 days prior to each meeting.

(E)

Meeting materials at least 3 days prior to each meeting.

(6)

Requirement to integrate recommendations

In carrying out the activities under this section, the HIT Standards Committee shall integrate the recommendations of the HIT Policy Committee.

(c)

Membership

(1)

Appointments

The HIT Standards Committee shall be composed of members to be appointed as follows:

(A)

2 members shall be appointed by the Secretary.

(B)

1 member shall be appointed by the majority leader of the Senate.

(C)

1 member shall be appointed by the minority leader of the Senate.

(D)

1 member shall be appointed by the Speaker of the House of Representatives.

(E)

1 member shall be appointed by the minority leader of the House of Representatives.

(F)

9 members shall be appointed by the Comptroller General of the United States of whom—

(i)

1 member shall be a representative of consumer or patient organizations;

(ii)

1 member shall be a representative of organizations with expertise in privacy;

(iii)

1 member shall be a representative of organizations with expertise in security;

(iv)

2 members shall be a representative of health care providers, one of which shall be a physician;

(v)

1 member shall be a representative of health plans or other third party payers;

(vi)

1 member shall be a representative of information technology vendors;

(vii)

1 member shall be a representative of purchasers or employers; and

(viii)

1 member shall be a representative of the health research community.

(G)

1 member shall be appointed by the Director of the National Institute for Standards and Technology.

(2)

National coordinator

The National Coordinator shall be a member of the HIT Standards Committee and act as a liaison among the HIT Standards Committee, the HIT Policy Committee, and the Federal government.

(3)

Chairperson and vice chairperson

The HIT Standards Committee shall designate 1 member to serve as the chairperson and 1 member to serve as the vice chairperson of the Committee.

(4)

Participation

The members of the HIT Standards Committee appointed under paragraph (1) shall represent a balance among various sectors of the health care system so that no single sector unduly influences the recommendations of such Committee.

(5)

Terms

(A)

In general

The terms of members of the HIT Standards Committee appointed under paragraph (1) shall be 3 years except that the Comptroller General of the United States shall designate staggered terms for the members first appointed under paragraph (1)(F).

(B)

Vacancies

Any member appointed to fill a vacancy in the membership of the HIT Standards Committee that occurs prior to the expiration of the term for which the member’s predecessor was appointed shall be appointed only for the remainder of that term. A member may serve after the expiration of that member’s term until a successor has been appointed. A vacancy in the HIT Standards Committee shall be filled in the manner in which the original appointment was made.

(6)

Outside involvement

The HIT Standards Committee shall ensure an adequate opportunity for the participation in activities of the Committee of outside advisors, including individuals with expertise in the development of standards for the electronic exchange and use of health information, including in the areas of health information privacy and security.

(7)

Quorum

Eight members of the HIT Standards Committee shall constitute a quorum for purposes of voting, but a lesser number of members may meet and hold hearings.

(d)

Application of FACA

The Federal Advisory Committee Act (5 U.S.C. App.), other than section 14, shall apply to the HIT Standards Committee.

(e)

Publication

The Secretary shall provide for publication in the Federal Register and the posting on the Internet website of the Office of the National Coordinator for Health Information Technology of all recommendations made by the HIT Standards Committee under this section.

3004.

Process for adoption of endorsed recommendations

(a)

Review of endorsed standards, specifications, and criteria

Not later than 90 days after the date of receipt of standards, implementation specifications, or certification criteria endorsed under section 3001(c), the Secretary, in consultation with representatives of other relevant Federal agencies, shall jointly review such standards, specifications, or criteria and shall determine whether or not to propose adoption of such standards, specifications, or criteria.

(b)

Determination to adopt standards, specifications, and criteria

If the Secretary determines—

(1)

to propose adoption of any grouping of such standards, specifications, or criteria, the Secretary shall, through a rulemaking process, determine whether or not to adopt such grouping of standards, specifications, or criteria; or

(2)

not to propose adoption of any grouping of standards, specifications, or criteria, the Secretary shall notify the National Coordinator and the HIT Standards Committee in writing of such determination and the reasons for not proposing the adoption of such recommendation.

(c)

Publication

The Secretary shall provide for publication in the Federal Register of all determinations made by the Secretary under subsection (a).

3005.

Application and use of adopted standards and implementation specifications by Federal agencies

For requirements relating to the application and use by Federal agencies of the standards and implementation specifications adopted under section 3004(b), see section 111 of the PRO(TECH)T Act of 2008.

3006.

Voluntary application and use of adopted standards and implementation specifications by private entities

(a)

In general

Except as provided under section 112 of the PRO(TECH)T Act of 2008, any standard or implementation specification adopted under section 3004(b) shall be voluntary with respect to private entities.

(b)

Rule of construction

Nothing in this subtitle shall be construed to require that a private entity that enters into a contract with the Federal Government apply or use the standards and implementation specifications adopted under section 3004(b) with respect to activities not related to the contract.

3007.

Health Information Technology Resource Center

(a)

Development

(1)

In general

The National Coordinator shall develop a Health Information Technology Resource Center to provide technical assistance and develop best practices to support and accelerate efforts to adopt, implement, and effectively use health information technology that allows for the electronic exchange and use of information in compliance with standards, implementation specifications, and certification criteria adopted under section 3004(b).

(2)

Purposes

The purpose of the Center is to—

(A)

provide a forum for the exchange of knowledge and experience;

(B)

accelerate the transfer of lessons learned from existing public and private sector initiatives, including those currently receiving Federal financial support;

(C)

assemble, analyze, and widely disseminate evidence and experience related to the adoption, implementation, and effective use of health information technology that allows for the electronic exchange and use of information;

(D)

provide technical assistance for the establishment and evaluation of regional and local health information networks to facilitate the electronic exchange of information across health care settings and improve the quality of health care;

(E)

provide technical assistance for the development and dissemination of solutions to barriers to the exchange of electronic health information;

(F)

learn about effective strategies to adopt and utilize health information technology in medically underserved communities;

(G)

conduct other activities identified by the States, local or regional health information networks, or health care stakeholders as a focus for developing and sharing best practices; and

(H)

provide technical assistance to promote adoption and utilization of health information technology by health care providers, including in medically underserved communities.

(b)

Technical Assistance Telephone Number or Website

The National Coordinator shall establish a toll-free telephone number or Internet website to provide health care providers with a single point of contact to—

(1)

learn about Federal grants and technical assistance services related to interoperable health information technology;

(2)

learn about standards, implementation specifications, and certification criteria adopted under section 3004(b);

(3)

learn about regional and local health information networks for assistance with health information technology; and

(4)

disseminate additional information determined by the National Coordinator.

.

102.

Transitions

(a)

ONCHIT

To the extent consistent with section 3001 of the Public Health Service Act, as added by section 101, all functions, personnel, assets, liabilities, and administrative actions applicable to the National Coordinator for Health Information Technology appointed under Executive Order 13335 or the Office of such National Coordinator on the date before the date of the enactment of this Act shall be transferred to the National Coordinator appointed under section 3001(a) of such Act and the Office of such National Coordinator as of the date of the enactment of this Act.

(b)

AHIC

(1)

To the extent consistent with sections 3002 and 3003 of the Public Health Service Act, as added by section 101, all functions, personnel, assets, and liabilities applicable to the American Health Information Community created in response to Executive Order 13335 as of the day before the date of the enactment of this Act shall be transferred to the HIT Policy Committee or the HIT Standards Committee, established under section 3002(a) or 3003(a) of such Act, as appropriate, as of the date of the enactment of this Act.

(2)

In carrying out section 3003(b)(1)(A) of the Public Health Service Act, as so added, until recommendations are made by the HIT Policy Committee, recommendations of the HIT Standards Committee shall be consistent with the most recent recommendations made by the American Health Information Community.

(c)

Rules of construction

(1)

ONCHIT

Nothing in section 3001 of the Public Health Service Act, as added by section 101, or subsection (a) shall be construed as requiring the creation of a new entity to the extent that the Office of the National Coordinator for Health Information Technology established pursuant to Executive Order 13335 is consistent with the provisions of such section 3001.

(2)

AHIC

Nothing in sections 3002 or 3003 of the Public Health Service Act, as added by section 101, or subsection (b) shall be construed as requiring the creation of a new entity to the extent that the American Health Information Community created in response to Executive Order 13335 is consistent with the provisions of such sections 3002 and 3003.

II

Application and use of adopted health information technology standards; reports

111.

Coordination of Federal activities with adopted standards and implementation specifications

(a)

Spending on health information technology systems

As each agency (as defined in the Executive Order issued on August 22, 2006, relating to promoting quality and efficient health care in Federal government administered or sponsored health care programs) implements, acquires, or upgrades health information technology systems used for the direct exchange of individually identifiable health information between agencies and with non-Federal entities, it shall utilize, where available, health information technology systems and products that meet standards and implementation specifications adopted under section 3004(b) of the Public Health Service Act, as added by section 101.

(b)

Federal information collection activities

With respect to a standard or implementation specification adopted under section 3004(b) of the Public Health Service Act, as added by section 101, the President shall take measures to ensure that Federal activities involving the broad collection and submission of health information are consistent with such standard or specification, respectively, within three years after the date of such adoption.

(c)

Application of definitions

The definitions contained in section 3000 of the Public Health Service Act, as added by section 101, shall apply for purposes of this part.

112.

Application to private entities

Each agency (as defined in such Executive Order issued on August 22, 2006, relating to promoting quality and efficient health care in Federal government administered or sponsored health care programs) shall require in contracts or agreements with health care providers, health plans, or health insurance issuers that as each provider, plan, or issuer implements, acquires, or upgrades health information technology systems, it shall utilize, where available, health information technology systems and products that meet standards and implementation specifications adopted under section 3004(b) of the Public Health Service Act, as added by section 101.

113.

Reports

(a)

In general

The Secretary of Health and Human Services shall submit to the Committee on Health, Education, Labor, and Pensions and the Committee on Commerce, Science, and Transportation of the Senate and the Committee on Energy and Commerce and the Committee on Science and Technology of the House of Representatives, on an annual basis, a report that—

(1)

describes the specific actions that have been taken by the Federal Government and private entities to facilitate the adoption of an interoperable nationwide system for the electronic exchange of health information;

(2)

describes barriers to the adoption of such a nationwide system; and

(3)

contains recommendations to achieve full implementation of such a nationwide system.

(b)

Reimbursement incentive study

The Secretary of Health and Human Services shall carry out, or contract with a private entity to carry out, a study that examines methods to create efficient reimbursement incentives for improving health care quality in Federally qualified health centers, rural health clinics, and free clinics.

B

Incentives for the Use of Health Information Technology

121.

Grant, loan, and demonstration programs

Title XXX of the Public Health Service Act, as added by section 101, is amended by adding at the end the following new subtitle:

B

Incentives for the Use of Health Information Technology

3011.

Grants and loans To facilitate the widespread adoption of qualified health information technology

(a)

Competitive grants To facilitate the widespread adoption of health information technology

(1)

In general

The National Coordinator may award competitive grants to eligible entities to purchase qualified health information technology.

(2)

Qualified health information technology

For purposes of this section, the term qualified health information technology means health information technology that consists of hardware, software, or the provision of support services and that—

(A)

enables the protection of health information, in accordance with applicable law;

(B)

is (or is necessary for the operation of) an electronic health records system, including the provision of decision support and physician order entry for medications;

(C)

has the ability to allow timely and permissible access to patient information and to transmit and exchange health information among providers, patients, or insurers; and

(D)

is certified under the program developed under section 3001(c)(9) to be in compliance with any applicable standards and implementation specifications adopted under section 3004(b).

(3)

Eligibility

To be eligible to receive a grant under paragraph (1) an entity shall—

(A)

submit to the National Coordinator an application at such time and in such manner as the National Coordinator may require, and containing—

(i)

a plan on how the entity intends to maintain and support the qualified health information technology that would be purchased with amounts under such grant, including the type of resources expected to be involved; and

(ii)

such other information as the National Coordinator may require;

(B)

submit to the National Coordinator a strategic plan for the electronic exchange and use of health information;

(C)

be—

(i)

a not for profit hospital or a Federally qualified health center (as defined in section 1861(aa)(4) of the Social Security Act);

(ii)

an individual or group practice; or

(iii)

another health care provider not described in clause (i) or (ii);

(D)

demonstrate significant financial need;

(E)

agree to notify individuals in accordance with section 302 of the PRO(TECH)T Act of 2008 if their individually identifiable health information is accessed or acquired as a result of a breach; and

(F)

provide matching funds in accordance with paragraph (5).

(4)

Use of funds

Amounts received under a grant under this subsection shall be used to facilitate the purchase of qualified health information technology.

(5)

Matching requirement

To be eligible for a grant under this subsection an entity shall contribute non-Federal contributions to the costs of carrying out the activities for which the grant is awarded in an amount equal to $1 for each $3 of Federal funds provided under the grant.

(6)

Preference in awarding grants

In awarding grants under this subsection the National Coordinator shall give preference to the following eligible entities:

(A)

Small health care providers.

(B)

Entities that are located in rural, frontier, and other areas that serve uninsured, underinsured, and medically underserved individuals (regardless of whether such area is urban, rural, or frontier).

(C)

Entities that will link, to the extent practicable, to local or regional health information plan or plans.

(D)

Nonprofit health care providers.

(7)

Additional sources of funding for health information technology

Funding made available under this subsection is in addition to funding which may be used toward the acquisition and utilization of health information technology under other law, which includes the following:

(A)

Medicaid transformation grants under section 1903(z) of the Social Security Act.

(B)

Grants or funding available through the Agency for Healthcare Research and Quality.

(C)

Grants or funding that may be available through the Health Resources and Services Administration for investment in health information technologies or telehealth.

(D)

Grants or funding that may be available through the Department of Agriculture’s Rural Development Telecommunications Program for investment in telemedicine.

(b)

Competitive Grants to States and Indian tribes for the Development of Loan Programs To Facilitate the Widespread Adoption of qualified Health Information Technology

(1)

In general

The National Coordinator may award competitive grants to eligible entities for the establishment of programs for loans to health care providers to purchase qualified health information technology.

(2)

Eligible entity defined

For purposes of this subsection, the term eligible entity means a State or Indian tribe (as defined in the Indian Self-Determination and Education Assistance Act) that—

(A)

submits to the National Coordinator an application at such time, in such manner, and containing such information as the National Coordinator may require;

(B)

submits to the National Coordinator a strategic plan in accordance with paragraph (4) and provides to the National Coordinator assurances that the entity will update such plan annually in accordance with such paragraph;

(C)

provides assurances to the National Coordinator that the entity will establish a Loan Fund in accordance with paragraph (3);

(D)

provides assurances to the National Coordinator that the entity will not provide a loan from the Loan Fund to a health care provider unless the provider meets each of the conditions described in paragraph (5); and

(E)

agrees to provide matching funds in accordance with paragraph (9).

(3)

Establishment of fund

For purposes of paragraph (3)(C), an eligible entity shall establish a qualified health information technology loan fund (referred to in this subsection as a Loan Fund) and comply with the other requirements contained in this section. A grant to an eligible entity under this subsection shall be deposited in the Loan Fund established by the eligible entity. No funds authorized by other provisions of this subtitle to be used for other purposes specified in this subtitle shall be deposited in any Loan Fund.

(4)

Strategic plan

(A)

In general

For purposes of paragraph (3)(B), a strategic plan of an eligible entity under this paragraph shall identify the intended uses of amounts available to the Loan Fund of such entity.

(B)

Contents

A strategic plan under subparagraph (A), with respect to a Loan Fund of an eligible entity, shall include for a year the following:

(i)

A list of the projects to be assisted through the Loan Fund during such year.

(ii)

A description of the criteria and methods established for the distribution of funds from the Loan Fund during the year.

(iii)

A description of the financial status of the Loan Fund as of the date of submission of the plan.

(iv)

The short-term and long-term goals of the Loan Fund.

(5)

Health care provider conditions for receipt of loans

For purposes of paragraph (2)(D), the conditions described in this paragraph, with respect to a health care provider that seeks a loan from a Loan Fund established under this subsection, are the following:

(A)

The health care provider links, to the extent practicable, to a local or regional health information network.

(B)

The health care provider consults with the Health Information Technology Resource Center established under section 3007 to access the knowledge and experience of existing initiatives regarding the successful implementation and effective use of health information technology.

(C)

The health care provider agrees to notify individuals in accordance with section 302 of the PRO(TECH)T Act of 2008 if their individually identifiable health information is accessed or acquired as a result of a breach.

(D)

The health care provider submits to the State or Indian tribe involved a plan on how the health care provider intends to maintain and support the qualified health information technology that would be purchased with such loan, including the type of resources expected to be involved and any such other information as the State or Indian Tribe, respectively, may require.

(6)

Use of funds

(A)

In general

Amounts deposited in a Loan Fund, including loan repayments and interest earned on such amounts, shall be used only for awarding loans or loan guarantees, or as a source of reserve and security for leveraged loans, the proceeds of which are deposited in the Loan Fund established under paragraph (1). Loans under this section may be used by a health care provider to purchase qualified health information technology.

(B)

Limitation

Amounts received by an eligible entity under this subsection may not be used—

(i)

for the purchase or other acquisition of any health information technology system that is not a qualified health information technology;

(ii)

to conduct activities for which Federal funds are expended under this title; or

(iii)

for any purpose other than making loans to health care providers in accordance with this section.

(7)

Types of assistance

Except as otherwise limited by applicable State law, amounts deposited into a Loan Fund under this subsection may only be used for the following:

(A)

To award loans that comply with the following:

(i)

The interest rate for each loan shall not exceed the market interest rate.

(ii)

The principal and interest payments on each loan shall commence not later than 1 year after the date the loan was awarded, and each loan shall be fully amortized not later than 10 years after the date of the loan.

(iii)

The Loan Fund shall be credited with all payments of principal and interest on each loan awarded from the Loan Fund.

(B)

To guarantee, or purchase insurance for, a local obligation (all of the proceeds of which finance a project eligible for assistance under this subsection) if the guarantee or purchase would improve credit market access or reduce the interest rate applicable to the obligation involved.

(C)

As a source of revenue or security for the payment of principal and interest on revenue or general obligation bonds issued by the eligible entity if the proceeds of the sale of the bonds will be deposited into the Loan Fund.

(D)

To earn interest on the amounts deposited into the Loan Fund.

(8)

Administration of Loan Funds

(A)

Combined financial administration

An eligible entity may (as a convenience and to avoid unnecessary administrative costs) combine, in accordance with applicable State law, the financial administration of a Loan Fund established under this subsection with the financial administration of any other revolving fund established by the entity if otherwise not prohibited by the law under which the Loan Fund was established.

(B)

Cost of administering fund

Each eligible entity may annually use not to exceed 4 percent of the funds provided to the entity under a grant under this subsection to pay the reasonable costs of the administration of the programs under this section, including the recovery of reasonable costs expended to establish a Loan Fund which are incurred after the date of the enactment of this title.

(C)

Guidance and regulations

The National Coordinator shall publish guidance and promulgate regulations as may be necessary to carry out the provisions of this subsection, including—

(i)

provisions to ensure that each eligible entity commits and expends funds allotted to the entity under this subsection as efficiently as possible in accordance with this title and applicable State laws; and

(ii)

guidance to prevent waste, fraud, and abuse.

(D)

Private sector contributions

(i)

In general

A Loan Fund established under this subsection may accept contributions from private sector entities, except that such entities may not specify the recipient or recipients of any loan issued under this subsection. An eligible entity may agree to reimburse a private sector entity for any contribution made under this subparagraph, except that the amount of such reimbursement may not be greater than the principal amount of the contribution made.

(ii)

Availability of information

An eligible entity shall make publicly available the identity of, and amount contributed by, any private sector entity under clause (i) and may issue letters of commendation or make other awards (that have no financial value) to any such entity.

(9)

Matching requirements

(A)

In general

The National Coordinator may not make a grant under paragraph (1) to an eligible entity unless the entity agrees to make available (directly or through donations from public or private entities) non-Federal contributions in cash to the costs of carrying out the activities for which the grant is awarded in an amount equal to not less than $1 for each $1 of Federal funds provided under the grant.

(B)

Determination of amount of non-federal contribution

In determining the amount of non-Federal contributions that an eligible entity has provided pursuant to subparagraph (A), the National Coordinator may not include any amounts provided to the entity by the Federal Government.

(10)

Reports

The National Coordinator shall annually submit to the Committee on Health, Education, Labor, and Pensions and the Committee on Finance of the Senate, and the Committee on Energy and Commerce of the House of Representatives, a report summarizing the reports received by the National Coordinator from each eligible entity that receives a grant under this subsection.

(c)

Competitive Grants for the Implementation of Regional or Local Health Information Technology Plans

(1)

In general

The National Coordinator may award competitive grants to eligible entities to implement regional or local health information plans to improve health care quality and efficiency through the electronic exchange and use of health information.

(2)

Eligibility

To be eligible to receive a grant under paragraph (1) an entity shall—

(A)

facilitate the electronic exchange and use of health information within the local or regional area and among local and regional areas;

(B)

demonstrate financial need to the National Coordinator;

(C)

demonstrate that one of its principal missions or purposes is to use information technology to improve health care quality and efficiency;

(D)

adopt bylaws, memoranda of understanding, or other charter documents that demonstrate that the governance structure and decisionmaking processes of such entity allow for participation on an ongoing basis by multiple stakeholders within a community, including—

(i)

physicians (as defined in section 1861(r) of the Social Security Act), including physicians that provide services to low income populations and populations that are uninsured, underinsured, and medically underserved (including such populations in urban and rural areas);

(ii)

hospitals (including hospitals that provide services to low income and underserved populations);

(iii)

pharmacists and pharmacies;

(iv)

health plans;

(v)

health centers (as defined in section 330(b)) and Federally qualified health centers (as defined in section 1861(aa)(4) of the Social Security Act);

(vi)

rural health clinics (as defined in section 1861(aa) of the Social Security Act);

(vii)

patient or consumer organizations that reflect the population to be served;

(viii)

employers;

(ix)

public health agencies; and

(x)

such other health care providers or other entities, as determined appropriate by the National Coordinator;

(E)

demonstrate the participation, to the extent practicable, of stakeholders in the electronic exchange and use of health information within the local or regional health information plan pursuant to subparagraph (D);

(F)

adopt nondiscrimination and conflict of interest policies that demonstrate a commitment to open, fair, and nondiscriminatory participation in the regional or local health information plan by all stakeholders;

(G)

comply with applicable standards and implementation specifications adopted under subtitle A of this title;

(H)

prepare and submit to the National Coordinator an application in accordance with paragraph (3); and

(I)

agree to provide matching funds in accordance with paragraph (6).

(3)

Application

(A)

In general

To be eligible to receive a grant under paragraph (1), an entity shall submit to the National Coordinator an application at such time, in such manner, and containing such information (in addition to information required under subparagraph (B), as the National Coordinator may require.

(B)

Required information

At a minimum, an application submitted under this paragraph shall include—

(i)

clearly identified short-term and long-term objectives of the regional or local health information plan;

(ii)

an estimate of costs of the hardware, software, training, and other services necessary to implement the regional or local health information plan;

(iii)

a strategy that includes initiatives to improve health care quality and efficiency;

(iv)

a plan that describes provisions to encourage the electronic exchange and use of health information by all physicians, including single physician practices and small physician groups, participating in the health information plan;

(v)

a plan to ensure the privacy and security of individually identifiable health information that is consistent with applicable Federal and State law;

(vi)

a governance plan that defines the manner in which the stakeholders shall jointly make policy and operational decisions on an ongoing basis;

(vii)

a financial or business plan that describes—

(I)

the sustainability of the plan;

(II)

the financial costs and benefits of the plan; and

(III)

the entities to which such costs and benefits will accrue;

(viii)

a plan on how the entity involved intends to maintain and support the regional or local health information plan, including the type of resources expected to be involved; and

(ix)

in the case of an applicant that is unable to demonstrate the participation of all stakeholders pursuant to paragraph (2)(D), the justification from the entity for any such nonparticipation.

(4)

Use of funds

Amounts received under a grant under paragraph (1) shall be used to establish and implement a regional or local health information plan in accordance with this subsection.

(5)

Preference

In awarding grants under paragraph (1), the Secretary shall give preference to eligible entities that intend to use amounts received under a grant to establish or implement a regional or local health information plan that encompasses communities with health disparities or areas that serve uninsured, underinsured, and medically underserved individuals (including urban and rural areas).

(6)

Matching requirement

(A)

In general

The National Coordinator may not make a grant under this subsection to an entity unless the entity agrees that, with respect to the costs of carrying out the activities for which the grant is awarded, the entity will make available (directly or through donations from public or private entities) non-Federal contributions toward such costs in an amount equal to not less than 50 percent of such costs ($1 for each $2 of Federal funds provided under the grant).

(B)

Determination of amount contributed

Non-Federal contributions required under subparagraph (A) may be in cash or in kind, fairly evaluated, including equipment, technology, or services. Amounts provided by the Federal Government, or services assisted or subsidized to any significant extent by the Federal Government, may not be included in determining the amount of such non-Federal contributions.

(d)

Reports

Not later than 1 year after the date on which the first grant is awarded under this section, and annually thereafter during the grant period, an entity that receives a grant under this section shall submit to the National Coordinator a report on the activities carried out under the grant involved. Each such report shall include—

(1)

a description of the financial costs and benefits of the project involved and of the entities to which such costs and benefits accrue;

(2)

an analysis of the impact of the project on health care quality and safety;

(3)

a description of any reduction in duplicative or unnecessary care as a result of the project involved;

(4)

a description of the efforts of recipients under this section to facilitate secure patient access to health information;

(5)

an analysis of the effectiveness of the project involved on ensuring the privacy and security of individually identifiable health information in accordance with applicable Federal and State law; and

(6)

other information as required by the National Coordinator.

(e)

Requirement To improve quality of care and decrease in costs

The National Coordinator shall annually evaluate the activities conducted under this section and shall, in awarding grants, implement the lessons learned from such evaluation in a manner so that awards made subsequent to each such evaluation are made in a manner that, in the determination of the National Coordinator, will result in the greatest improvement in quality of care and decrease in costs.

(f)

Limitation

An eligible entity may only receive one non-renewable grant under subsection (a), one non-renewable grant under subsection (b), and one non-renewable grant under subsection (c).

(g)

Small health care provider

For purposes of this section, the term small health care provider means a health care provider that has an average of 10 or fewer full-time equivalent employees during the period involved.

(h)

Authorization of Appropriations

(1)

In general

For the purpose of carrying out subsections (a) through (d), there is authorized to be appropriated $115,000,000 for each of the fiscal years 2009 through 2013.

(2)

Availability

Amounts appropriated under paragraph (1) shall remain available through fiscal year 2013.

3012.

Demonstration program to integrate information technology into clinical education

(a)

In General

The Secretary may award grants under this section to carry out demonstration projects to develop academic curricula integrating qualified health information technology in the clinical education of health professionals. Such awards shall be made on a competitive basis and pursuant to peer review.

(b)

Eligibility

To be eligible to receive a grant under subsection (a), an entity shall—

(1)

submit to the Secretary an application at such time, in such manner, and containing such information as the Secretary may require;

(2)

submit to the Secretary a strategic plan for integrating qualified health information technology in the clinical education of health professionals to reduce medical errors and enhance health care quality;

(3)

be—

(A)

a school of medicine, osteopathic medicine, dentistry, or pharmacy, or a graduate program in behavioral or mental health;

(B)

a graduate school of nursing or physician assistant studies;

(C)

a consortium of two or more schools described in subparagraph (A) or (B); or

(D)

an institution with a graduate medical education program in medicine, osteopathic medicine, dentistry, pharmacy, nursing, or physician assistance studies.

(4)

provide for the collection of data regarding the effectiveness of the demonstration project to be funded under the grant in improving the safety of patients, the efficiency of health care delivery, and in increasing the likelihood that graduates of the grantee will adopt and incorporate qualified health information technology, in the delivery of health care services; and

(5)

provide matching funds in accordance with subsection (d).

(c)

Use of Funds

(1)

In general

With respect to a grant under subsection (a), an eligible entity shall—

(A)

use grant funds in collaboration with 2 or more disciplines; and

(B)

use grant funds to integrate qualified health information technology into community-based clinical education.

(2)

Limitation

An eligible entity shall not use amounts received under a grant under subsection (a) to purchase hardware, software, or services.

(d)

Matching Funds

(1)

In general

The Secretary may award a grant to an entity under this section only if the entity agrees to make available non-Federal contributions toward the costs of the program to be funded under the grant in an amount that is not less than $1 for each $2 of Federal funds provided under the grant.

(2)

Determination of amount contributed

Non-Federal contributions under paragraph (1) may be in cash or in kind, fairly evaluated, including equipment or services. Amounts provided by the Federal Government, or services assisted or subsidized to any significant extent by the Federal Government, may not be included in determining the amount of such contributions.

(e)

Evaluation

The Secretary shall take such action as may be necessary to evaluate the projects funded under this section and publish, make available, and disseminate the results of such evaluations on as wide a basis as is practicable.

(f)

Reports

Not later than 1 year after the date of enactment of this title, and annually thereafter, the Secretary shall submit to the Committee on Health, Education, Labor, and Pensions and the Committee on Finance of the Senate, and the Committee on Energy and Commerce of the House of Representatives a report that—

(1)

describes the specific projects established under this section; and

(2)

contains recommendations for Congress based on the evaluation conducted under subsection (e).

(g)

Authorization of Appropriations

There is authorized to be appropriated to carry out this section, $10,000,000 for each of fiscal years 2009 through 2011.

(h)

Sunset

This section shall not apply after September 30, 2011.

.

II

Testing of Health Information Technology

201.

National Institute for Standards and Technology testing

(a)

Pilot testing of standards and implementation specifications

In coordination with the HIT Standards Committee established under section 3003 of the Public Health Service Act, as added by section 101, with respect to the development of standards and implementation specifications under such section, the Director of the National Institute for Standards and Technology shall test such standards and specifications in order to assure the efficient implementation and use of such standards and specifications.

(b)

Voluntary testing program

In coordination with the HIT Standards Committee established under section 3003 of the Public Health Service Act, as added by section 101, with respect to the development of standards and implementation specifications under such section, the Director of the National Institute of Standards and Technology shall support the establishment of a conformance testing infrastructure, including the development of technical test beds. The development of this conformance testing infrastructure may include a program to accredit independent, non-Federal laboratories to perform testing.

202.

Research and development programs

(a)

Health care Information Enterprise Integration Research Centers

(1)

In general

The Director of the National Institute of Standards and Technology, in consultation the Director of the National Science Foundation and other appropriate Federal agencies, shall establish a program of assistance to institutions of higher education (or consortia thereof which may include nonprofit entities and Federal Government laboratories) to establish multidisciplinary Centers for Health Care Information Enterprise Integration.

(2)

Review; competition

Grants shall be awarded under this subsection on a merit-reviewed, competitive basis.

(3)

Purpose

The purposes of the Centers described in paragraph (1) shall be—

(A)

to generate innovative approaches to health care information enterprise integration by conducting cutting-edge, multidisciplinary research on the systems challenges to health care delivery; and

(B)

the development and use of health information technologies and other complementary fields.

(4)

Research areas

Research areas may include—

(A)

interfaces between human information and communications technology systems;

(B)

voice-recognition systems;

(C)

software that improves interoperability and connectivity among health information systems;

(D)

software dependability in systems critical to health care delivery;

(E)

measurement of the impact of information technologies on the quality and productivity of health care;

(F)

health information enterprise management;

(G)

health information technology security and integrity; and

(H)

relevant health information technology to reduce medical errors.

(5)

Applications

An institution of higher education (or a consortium thereof) seeking funding under this subsection shall submit an application to the Director of the National Institute of Standards and Technology at such time, in such manner, and containing such information as the Director may require. The application shall include, at a minimum, a description of—

(A)

the research projects that will be undertaken by the Center established pursuant to assistance under paragraph (1) and the respective contributions of the participating entities;

(B)

how the Center will promote active collaboration among scientists and engineers from different disciplines, such as information technology, biologic sciences, management, social sciences, and other appropriate disciplines;

(C)

technology transfer activities to demonstrate and diffuse the research results, technologies, and knowledge; and

(D)

how the Center will contribute to the education and training of researchers and other professionals in fields relevant to health information enterprise integration.

(b)

National Information Technology Research and Development Program

The National High-Performance Computing Program established by section 101 of the High-Performance Computing Act of 1991 (15 U.S.C. 5511) shall coordinate Federal research and development programs related to the development and deployment of health information technology, including activities related to—

(1)

computer infrastructure;

(2)

data security;

(3)

development of large-scale, distributed, reliable computing systems;

(4)

wired, wireless, and hybrid high-speed networking;

(5)

development of software and software-intensive systems;

(6)

human-computer interaction and information management technologies; and

(7)

the social and economic implications of information technology.

III

Privacy and security provisions

300.

Definitions

In this title, except as specified otherwise:

(1)

Breach

The term breach means the unauthorized acquisition or disclosure of protected health information which compromises the security, privacy, or integrity of protected health information maintained by or on behalf of a person. Such term does not include any unintentional acquisition of such information by an employee or agent of the covered entity or business associate involved if such acquisition was made in good faith and within the course and scope of the employment or other contractual relationship of such employee or agent, respectively, with the covered entity or business associate and if such information is not further acquired, used, or disclosed by such employee or agent.

(2)

Business associate

The term business associate has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations.

(3)

Covered entity

The term covered entity has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations.

(4)

Disclose

The terms disclose and disclosure have the meaning given the term disclosure in section 160.103 of title 45, Code of Federal Regulations.

(5)

Encryption

The term encryption has the meaning given such term in section 164.304 of title 45, Code of Federal Regulations.

(6)

Health care operations

The term health care operation has the meaning given such term in section 164.501 of title 45, Code of Federal Regulations.

(7)

Health care provider

The term health care provider has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations.

(8)

Personal health record

The term personal health record means an electronic record of individually identifiable health information on an individual that is drawn from multiple sources and that is managed, shared, and controlled by or for the individual.

(9)

Protected health information

The term protected health information has the meaning given such term under section 160.103 of title 45, Code of Federal Regulations.

(10)

Secretary

The term Secretary means the Secretary of Health and Human Services.

(11)

Security

The term security has the meaning given such term in section 164.304 of title 45, Code of Federal Regulations.

(12)

State

The term State means each of the several States, the District of Columbia, Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Northern Mariana Islands.

(13)

Use

The term use has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations.

(14)

Vendor of personal health records

The term vendor means an entity that offers or maintains a personal health record and that is not a covered entity.

A

Security provisions

301.

Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions

(a)

Application of security provisions

Sections 164.308, 164.310, and 164.312 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity.

(b)

Application of civil and criminal penalties

Sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d–5, 1320d–6) shall apply to a business associate of a covered entity with respect to a section applied under subsection (a) to such business associate in the same manner that such sections apply to a covered entity with respect to such section.

(c)

Annual guidance

For the first year beginning after the date of the enactment of this Act and annually thereafter, the Secretary of Health and Human Services shall, in consultation with industry stakeholders, annually issue guidance on the latest safeguard technologies for use in carrying out the sections described in subsection (a).

302.

Notification in the case of breach

(a)

In general

A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unencrypted protected health information (as defined in subsection (h)) shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unencrypted protected health information has been, or is reasonably believed by the covered entity to have been, accessed or acquired as a result of such breach.

(b)

Notification of covered entity by business associate

A business associate of a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unencrypted protected health information shall, following the discovery of a breach of such information, notify the covered entity of such breach. Such notice shall include the identification of each individual whose unencrypted protected health information has been, or is reasonably believed to have been, accessed or acquired during such breach.

(c)

Breaches treated as discovered

For purposes of this section, a breach shall be treated as discovered by a covered entity or by a business associate as of the first day on which such breach is known to such entity or associate, respectively, (including any person that is an employee, officer, or other agent of such entity or associate, respectively) or should reasonably have been known to such entity or associate (or person) to have occurred.

(d)

Timeliness of notification

(1)

In general

All notifications required under this section shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach by the covered entity involved (or business associate involved in the case of a notification required under subsection (b)).

(2)

Burden of proof

The covered entity involved (or business associate involved in the case of a notification required under subsection (b)), shall have the burden of demonstrating that all notifications were made as required under this subtitle, including evidence demonstrating the necessity of any delay.

(e)

Methods of notice

(1)

Individual notice

Notice required under this section to be provided to an individual, with respect to a breach, shall be provided promptly and in the following form:

(A)

Written notification by first-class mail to the individual (or the next of kin of the individual if the individual is deceased) at the last known address of the individual or the next of kin, respectively, or, if specified as a preference by the individual, by electronic mail. The notification may be provided in one or more mailings as information is available.

(B)

In the case where there is insufficient, or out-of-date contact information that precludes direct written (or, if specified by the individual under subparagraph (A), electronic) notification to the individual, a substitute form of notice shall be provided, including a conspicuous posting on the home page of the Web site of the covered entity involved or notice in major print or broadcast media, including major media in geographic areas where the individuals affected by the breach likely reside. Such a notice in media will include a toll-free phone number where an individual can learn whether or not the individual’s unencrypted protected health information is possibly included in the breach.

(C)

In any case deemed by the covered entity involved to require urgency because of possible imminent misuse of unencrypted protected health information, the covered entity, in addition to notice provided under subparagraph (A), may provide information to individuals by telephone or other means, as appropriate.

(2)

Media notice

Notice shall be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach described in subsection (a), if the unencrypted protected health information of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, accessed or acquired during such breach.

(3)

Notice to Secretary

Notice shall be provided to the Secretary by covered entities of unencrypted protected health information that has been acquired or disclosed in a breach.

(4)

Posting on HHS public website

The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach described in subsection (a) in which the unencrypted protected health information of more than 1,000 individuals is acquired or disclosed.

(f)

Content of notification

Regardless of the method by which notice is provided to individuals under this section, notice of a breach shall include, to the extent possible, the following:

(1)

A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known.

(2)

A description of the types of unencrypted protected health information that were involved in the breach (such as full name, Social Security number, date of birth, home address, account number, or disability code).

(3)

The steps individuals should take to protect themselves from potential harm resulting from the breach.

(4)

A brief description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.

(5)

Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.

(g)

Delay of notification authorized for law enforcement purposes

If a law enforcement official determines that a notification, notice, or posting required under this section would impede a criminal investigation or cause damage to national security, such notification, notice, or posting shall be delayed in the same manner as provided under section 164.528(a)(2) of title 45, Code of Federal Regulations, in the case of a disclosure covered under such section.

(h)

Unencrypted protected health information defined

For purposes of this section, the term unencrypted protected health information means protected health information that is not protected—

(1)

through the use of encryption; or

(2)

through the use of a technology specified by the Secretary as being at least as effective as encryption for purposes of rendering protected health information indecipherable without authorization.

303.

Education on Health Information Privacy and report on compliance

(a)

Regional office privacy advisors

Not later than 6 months after the date of the enactment of this Act, the Secretary shall designate an individual in each regional office of the Department of Health and Human Services to offer guidance and education to covered entities, business associates, and individuals on their rights and responsibilities related to Federal privacy requirements for protected health information.

(b)

Report on compliance

(1)

In general

For the first year beginning after the date of the enactment of this Act and annually thereafter, the Secretary shall prepare and submit to Congress a report concerning complaints of alleged violations of the provisions of sections 301 and 302, the provisions of subtitle B, and the provisions of subparts C and E of title 45, Code of Federal Regulations that are received by the Secretary during the year for which the report is being prepared. Each such report shall include, with respect to such complaints received during the year—

(A)

the number of such complaints;

(B)

the resolution or disposition of such complaints;

(C)

the amount of civil money penalties imposed with respect to such complaints, as applicable;

(D)

the number of compliance reviews conducted and the outcome of each such review;

(E)

the number of subpoenas or inquiries issued; and

(F)

the Secretary’s plan for improving compliance with and enforcement of such provisions for the following year.

(2)

Availability to public

Each report under paragraph (1) shall be made available to the public on the Internet website of the Department of Health and Human Services.

(c)

Education initiative on uses of health information

(1)

In general

The Office for Civil Rights within the Department of Health and Human Services shall develop and maintain a multi-faceted national education initiative to enhance public transparency regarding the uses of protected health information, including programs to educate individuals about the potential uses of their health information and effects of such uses. Such programs shall be conducted in a variety of languages and present information in a clear and understandable manner.

(2)

Authorization of appropriations

There is authorized to be appropriated to carry out paragraph (1), $10,000,000 for the period of fiscal years 2009 through 2013.

B

Improved privacy provisions and additional security provisions

311.

Application of penalties to business associates of covered entities for violations of privacy contract requirements

(a)

Application of contract requirements

In the case of a business associate of a covered entity that obtains or creates protected health information pursuant to a written contract (or other written arrangement) described in section 164.502(e)(2) of title 45, Code of Federal Regulations, with such covered entity, the business associate may use and disclose such protected health information only if such use or disclosure, respectively, is in compliance with each applicable requirement of section 164.504(e) of such title.

(b)

Application of knowledge elements associated with contracts

Section 164.504(e)(1)(ii) of title 45, Code of Federal Regulations, shall apply to a business associate described in subsection (a), with respect to compliance with such subsection, in the same manner that such section applies to a covered entity, with respect to compliance with the standards in sections 164.502(e) and 164.504(e) of such title, except that in applying such section 164.504(e)(1)(ii) each reference to the business associate, with respect to a contract, shall be treated as a reference to the covered entity involved in such contract.

(c)

Application of civil and criminal penalties

In the case of a business associate that violates any provision of subsection (a) or (b), the provisions of sections 1176 and 1177 of the Social Security Act shall apply to the business associate with respect to such violation in the same manner as such provisions apply to a person who violates a provision of part C of title XI of such Act.

312.

Restrictions on certain disclosures of health information; accounting of certain protected health information disclosures

(a)

Requested restrictions on certain disclosures of health information

In the case that an individual requests under paragraph (a)(1)(i)(A) of section 164.522 of title 45, Code of Federal Regulations, that a covered entity restrict the disclosure of the protected health information of the individual, notwithstanding paragraph (a)(1)(ii) of such section, the covered entity must comply with the requested restriction if—

(1)

except as otherwise required by law, the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment); and

(2)

the protected health information pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.

(b)

Disclosures required To be limited to the limited data set or the minimum necessary

(1)

In general

A covered entity shall be treated as being in compliance with section 164.502(b)(1) of title 45, Code of Federal Regulations, with respect to the use, disclosure, or request of protected health information described in such section, only if the covered entity makes reasonable efforts to limit such protected health information to the limited data set (as defined in section 164.514(e)(2) of such title) or, if needed by such entity, to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request, respectively.

(2)

Application of exceptions

The exceptions described in section 164.502(b)(2) of title 45, Code of Federal Regulations, shall apply to the requirement under paragraph (1) as of the effective date described in section 322 in the same manner that such exceptions apply to section 164.502(b)(1) of such title before such date.

(c)

Accounting of certain protected health information disclosures required if covered entity uses electronic medical record

(1)

In General

In the case that a covered entity uses or maintains an electronic medical record with respect to protected health information, the exception under section 164.528(a)(1)(i) of title 45, Code of Federal Regulations, shall not apply to disclosures (other than oral disclosures) made by such entity of such information.

(2)

Electronic medical record defined

For purposes of paragraph (1), the term electronic medical record means an electronic record of individually identifiable health information on an individual that is created, gathered, managed, and consulted by authorized clinicians and staff within a single organization.

(3)

Effective date

The provisions of this subsection shall apply to disclosures made by a covered entity on or after the date specified under section 322.

(d)

Application of consent requirements for certain uses and disclosures by health care providers with electronic medical records

(1)

In general

In applying section 164.506 of title 45, Code of Federal Regulations, in the case of a covered entity that is a health care provider, with respect to protected health information of an individual that is used or maintained by such entity in an electronic medical record (as defined in subsection (c)(2)), such covered entity may not use or disclose such protected health information for purposes of health care operations unless the covered entity obtains the consent of the individual to disclose such information for such purposes and any such consent shall be revocable by the individual at any time.

(2)

Effective date

The provisions of this subsection shall apply to disclosures made by a covered entity on or after the date specified under section 322.

313.

Conditions on certain contacts as part of health care operations

(a)

In general

A communication by a covered entity or business associate that is about a product or service and that encourages recipients of the communication to purchase or use the product or service shall not be considered a health care operation for purposes of subpart E of part 164 of title 45, Code of Federal Regulations, unless the communication is made as described in subparagraph (i), (ii), or (iii) of paragraph (1) of the definition of marketing in section 164.501 of such title. A covered entity or business associate may not receive direct payment for any such communication made as described in such subparagraph (i), (ii), or (iii).

(b)

Effective date

Subsection (a) shall apply to contracting occurring on or after the effective date specified under section 322.

314.

Study on application of privacy and security requirements to vendors of personal health records

Not later than one year after the date of the enactment of this Act, the Secretary , in consultation with the Federal Trade Commission, shall submit to Congress recommendations—

(1)

to identify requirements relating to security, privacy, and notification in the case of a breach of security or privacy (including the applicability of an exemption to notification in the case of protected health information which has been rendered indecipherable through the use of encryption or alternative technologies) that should be applied to vendors of personal health records and to third party service providers that such vendors make available to individuals with personal health records offered or maintained by such vendor, with respect to information in such a record so offered or maintained; and

(2)

to determine which Federal government agency is best equipped to enforce such requirements recommended to be applied to such vendors of personal health records and such third party service providers.

315.

Temporary breach notification requirement for vendors of personal health records

(a)

In general

In accordance with subsection (c), each vendor of personal health records shall, following the discovery of a breach of security of unencrypted individually identifiable health information in such records maintained or offered by such vendor—

(1)

notify each individual who is a citizen or resident of the United States whose unencrypted individually identifiable health information was acquired by an unauthorized person as a result of such a breach of security; and

(2)

notify the Federal Trade Commission.

(b)

Notification of vendors of personal health records by third party service providers

A third party service provider that is made available by a vendor of personal health records to individuals with such records maintained or offered by such vendor and that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unencrypted individually identifiable health information in such records shall, following the discovery of a breach of security of such information, notify such vendor of such breach. Such notice shall include the identification of each individual whose unencrypted individually identifiable health information has been, or is reasonably believed to have been, accessed or acquired during such breach.

(c)

Application of requirements for timeliness, method, and content of notifications

Subsections (c), (d), (e), and (f) of section 302 shall apply to a notification required under subsection (a) and a vendor of personal health records and a third party service provider described in subsection (b), with respect to a breach of security under subsection (a) of unencrypted individually identifiable health information in such records maintained or offered by such vendor, in the same manner that such subsections apply to a notification required under such section and a covered entity and a business associate of such covered entity, with respect to a breach under such section of unencrypted protected health information held, used, or disclosed by such covered entity.

(d)

Notification of the Secretary

Upon receipt of a notification of a breach of security under subsection (a)(2), the Federal Trade Commission shall notify the Secretary of such breach.

(e)

Enforcement

A violation of subsection (a) or (b) shall be treated as an unfair and deceptive act or practice in violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.

(f)

Definitions

For purposes of this section:

(1)

Breach of security

The term breach of security means, with respect to unencrypted individually identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual.

(2)

Individually identifiable health information

The term individually identifiable health information has the meaning given such term in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)).

(3)

Unencrypted individually identifiable health information

The term unencrypted individually identifiable health information means individually identifiable health information that is not protected—

(A)

through the use of encryption; or

(B)

through the use of a technology specified by the Secretary as being at least as effective as encryption for purposes of rendering individually identifiable health information indecipherable without authorization.

(g)

Effective date

The provisions of this section shall apply to breaches of security occurring during the 2-year period beginning on the date of the enactment of this Act.

316.

Business associate contracts required for certain entities

Each organization, with respect to a covered entity, that provides data transmission of protected health information to such entity and that requires access on a routine basis to such protected health information, such as a Health Information Exchange, Regional Health Information Organization, or E-prescribing Gateway, is required to enter into a written contract (or other written arrangement) described in section 164.502(e)(2) of title 45, Code of Federal Regulations, with such entity and shall be treated as a business associate of the covered entity for purposes of section 311.

317.

Guidance on implementation specification to de-identify protected health information

Not later than 12 months after the date of the enactment of this Act, the Secretary shall, in consultation with stakeholders, issue guidance on how best to implement the requirements for the de-identification of protected health information under section 164.514(b) of title 45, Code of Federal Regulations.

318.

GAO report on treatment disclosures

Not later than one year after the date of the enactment of this Act, the Comptroller General of the United States shall submit to Congress a report on the best practices related to the disclosure among health care providers of protected health information of an individual for purposes of treatment of such individual. Such report shall include an examination of the best practices implemented by States and by other entities, such as health information exchanges and regional health information organizations, including an examination of the extent to which such best practices are successful with respect to the quality of the resulting health care provided to the individual and with respect to the ability of the health care provider to manage such best practices.

319.

Clarification of application of wrongful disclosures criminal penalties

Section 1177(a) of the Social Security Act (42 U.S.C. 1320d–6(a)) is amended by adding at the end the following new sentence: For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1180(b)(3)) and the individual obtained or disclosed such information without authorization..

C

Relationship to other laws; clarification; effective date

321.

Relationship to other laws

(a)

Application of HIPAA State preemption

Section 1178 of the Social Security Act (42 U.S.C. 1320d–7) shall apply to a provision or requirement under this title in the same manner that such section applies to a provision or requirement under part C of title XI of such Act or a standard or implementation specification adopted or established under sections 1172 through 1174 of such Act.

(b)

Health Insurance Portability and Accountability Act

The standards governing the privacy and security of individually identifiable health information promulgated by the Secretary under sections 262(a) and 264 of the Health Insurance Portability and Accountability Act of 1996 shall remain in effect to the extent that they are consistent with this title. The Secretary shall by rule amend such Federal regulations as required to make such regulations consistent with this title.

322.

Effective date

The provisions of this title (other than sections 301(c), 303, 314, 315, 317, 318, and 319) shall take effect on the date that is 12 months after the date of the enactment of this Act.