II
112th CONGRESS
2d Session
S. 3351
IN THE SENATE OF THE UNITED STATES
June 27, 2012
Mr. Franken introduced the following bill; which was read twice and referred to the Committee on Health, Education, Labor, and Pensions
A BILL
To amend the American Recovery and Reinvestment Act with respect to the privacy of protected health information.
Short title
This Act may be cited as the “Protect Our Health Privacy Act”.
Reporting requirements
Notification in the case of breach
Paragraph (2) of section 13402(i) of division A of the American Recovery and Reinvestment Act of 2009 (42 U.S.C. 17932(i)) is amended to read as follows:
Information
The information described in this paragraph regarding breaches specified in paragraph (1) shall include—
the number and nature of all such breaches, including a description of the types of unsecured protected health information that were involved in each breach;
the identity of the covered entity involved in each breach, or if the breach affected less than 500 individuals, the kind of covered entity involved (such as a health plan, health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subtitle); and
actions taken in response to such breaches.”.
Report on compliance
Section 13424 of division A of the American Recovery and Reinvestment Act of 2009 (42 U.S.C. 17954) is amended—
in subsection (a)(1)—
by amending subparagraph (B) to read as follows:
information about such complaints resolved informally, including—
the number of such complaints resolved informally;
a summary of the types of complaints so resolved, including identification of the most common types of complaints so resolved, categorized by the privacy and security rule allegedly violated;
for each such category, the average amount of time between receipt of a complaint to resolution of such complaint;
examples, with entity and patient names and other individually identifiable health information redacted, of complaints resolved informally and the Secretary’s rationale for resolving such complaints informally; and
the number of covered entities that received technical assistance from the Secretary during such year in order to achieve compliance with such provisions and the types of such technical assistance provided.”;
in subparagraph (E), by inserting “and a summary of the outcome of such subpoenas or inquiries” after “inquiries issued”;
in subparagraph (F), by striking “following year; and” and inserting “following year and enforcement priorities for the succeeding year;”;
in subparagraph (G), by striking the period at the end and inserting a semicolon; and
by adding at the end the following:
the number of State attorney general actions that were pursued under this subtitle and notice of which was provided to the Secretary pursuant to section 1176(d)(4) of the Social Security Act; and
the number of health privacy or health security or data breach complaints referred to the Attorney General, including—
whether the Attorney General declined enforcement; and
the number of complaints referred to the Attorney General but returned to the Secretary for enforcement and a summary of enforcement actions taken by the Secretary with respect to such complaints, including informal resolutions, civil monetary penalties, resolution agreements or settlements, or voluntary compliance actions.”; and
by adding at the end the following:
Annual studies
In general
For the first year beginning after the date of enactment of the Protect Our Health Privacy Act, and every year thereafter, the Attorney General shall submit to the Committee on the Judiciary of the Senate and the Committee on the Judiciary of the House of Representatives a report concerning complaints of alleged violations described in section 1177 of the Social Security Act, including violations of the provisions of this subtitle relating to privacy and security of health information, that were referred to the Department of Justice by the Department of Health and Human Services, the Federal Bureau of Investigation, or another State or Federal agency during the year for which the report is being prepared.
Requirements
Each report required under paragraph (1) shall—
be made available to the public on the websites of the Department of Justice and the Department of Health and Human Services; and
include, with respect to complaints received during the year for which the report is being prepared—
the total number of complaints received;
the number of complaints received that were eligible for criminal enforcement; and
of the complaints described in clause (ii), a summary of how each complaint was resolved that—
includes the rationale for declining enforcement, if applicable; and
does not identify the patients, individuals, or entities involved.”.
Encryption for portable media
Guidance regarding unsecured protected health information
In general
Section 13402(h)(2) of division A of the American Recovery and Reinvestment Act of 2009 (42 U.S.C. 17932(h)(2)) is amended by inserting “, including protected health information stored on portable media (as defined by the Secretary, which shall include thumb drives, laptop computers, tablet computers, and other similar devices),” after “protected health information”.
Applicability
The amendment made by paragraph (1) shall apply to updated guidance issued under section 13402(h)(2) of division A of the American Recovery and Reinvestment Act of 2009 (42 U.S.C. 17932(h)(2)) after the date of enactment of this Act.
Portable media encryption requirement
In general
Section 13401 of division A of the American Recovery and Reinvestment Act of 2009 (42 U.S.C. 17931) is amended by adding at the end the following:
Portable media encryption requirement
Not later than 1 year after the date of enactment of the Protect Our Health Privacy Act, the Secretary shall issue regulations to require covered entities and business associates to render protected health information that is stored on portable media (as defined by the Secretary, which shall include thumb drives, laptop computers, tablet computers, and other similar devices) unusable, unreadable, or indecipherable to unauthorized individuals.”.
Conforming amendment
Section 13401(b) of such Act (42 U.S.C. 17931(b)) is amended by inserting “or (d)” after “subsection (a)”.
Use of data in business associate contracts; application of minimum necessary standard to business associates
In general
Section 13404 of division A of the American Recovery and Reinvestment Act (42 U.S.C. 17934) is amended by adding at the end the following:
Use of data in business associate contracts; application of minimum necessary standard to business associates
Limitation on scope and use of protected health information
As required by section 164.504(e) of title 45, Code of Regulations (as in effect on the date of enactment of this subsection), any business associate agreement between a covered entity and a business associate shall limit the use of protected health information by such business associate—
to only such information as necessary for the performance of the service or function that the covered entity has contracted with the business associate to perform on behalf of the covered entity; and
to only those uses that are necessary for the performance of the service or function described in subparagraph (A).
Application of minimum necessary standard to business associates
Section 164.502(b) of title 45, Code of Federal Regulations shall apply to a business associate of a covered entity in the same manner that such section applies to the covered entity. The additional requirements of this title that relate to the minimum necessary standard with respect to the use, disclosure, and request of protected health information that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.”.
Conforming amendment
Subsection (c) of such section 13404 (42 U.S.C. 17934) is amended by striking “(a) or (b)” and inserting “(a), (b), or (d)(2)”.
Clarification
Nothing in subsection (d)(2) of section 13404 of division A of the American Recovery and Reinvestment Act (42 U.S.C. 17934) (as amended by subsection (a)) affects the application of the minimum necessary standard to business associates pursuant to section 164.504(e) of title 45, Code of Federal Regulations (relating to contracts and other arrangements between business associates and covered entities) as in effect on the date of enactment of this Act.
Health information technology improvement initiative
Title XXX of the Public Health Service Act (42 U.S.C. 300jj et seq.) is amended by adding at the end the following:
Health information technology improvement initiative
In general
Not later than 18 months after the date of enactment of the Protect Our Health Privacy Act, the Secretary shall issue regulations to improve the safety, interoperability, and utility of health information technology systems.
Content
The regulations issued under subsection (a) shall include—
a system to track the effect of health information technology on the health of patients; and
minimum quality and risk management requirements for health information technology vendors.
Health information technology adverse health event reporting
In general
The Secretary shall designate an agency within the Department of Health and Human Services to promulgate regulations relating to a health information technology adverse health event reporting program and database. The Department shall consider definitions and standards developed by the National Quality Forum before promulgating such regulations.
Content
The regulations promulgated under paragraph (1) shall include mandatory submission of adverse health event reports by health information technology vendors and voluntary submission of adverse health event reports by users of health information, including patients and their family caregivers.
Use of reports
The agency designated under paragraph (1) shall analyze adverse health event reports and report findings and recommendations to the applicable industry and policymakers.
Protection of reports
The agency designated under paragraph (1) shall remove identifying information if adverse health event reports are made public. An adverse health event report may not be admitted or used in any action in a Federal or State court or any Federal or State administrative proceeding as evidence of fault, liability, or occurrence of an adverse health event.
Annual report
The agency designated under paragraph (1) shall use the database established under such paragraph to submit to Congress an annual report regarding the use and safety of health information technology.”.