S. 3351 (112th): Protect Our Health Privacy Act

112th Congress, 2011–2013. Text as of Jun 27, 2012 (Introduced).


II

112th CONGRESS

2d Session

S. 3351

IN THE SENATE OF THE UNITED STATES

June 27, 2012

introduced the following bill; which was read twice and referred to the Committee on Health, Education, Labor, and Pensions

A BILL

To amend the American Recovery and Reinvestment Act with respect to the privacy of protected health information.

1. Short title

This Act may be cited as the “Protect Our Health Privacy Act”.

2. Reporting requirements

(a) Notification in the case of breach

Paragraph (2) of section 13402(i) of division A of the American Recovery and Reinvestment Act of 2009 (42 U.S.C. 17932(i)) is amended to read as follows:

“(2) Information

The information described in this paragraph regarding breaches specified in paragraph (1) shall include—

(A) the number and nature of all such breaches, including a description of the types of unsecured protected health information that were involved in each breach;

(B) the identity of the covered entity involved in each breach, or if the breach affected less than 500 individuals, the kind of covered entity involved (such as a health plan, health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subtitle); and

(C) actions taken in response to such breaches.”.

(b) Report on compliance

Section 13424 of division A of the American Recovery and Reinvestment Act of 2009 (42 U.S.C. 17954) is amended—

(1) in subsection (a)(1)—

(A) by amending subparagraph (B) to read as follows:

“(B) information about such complaints resolved informally, including—

(i) the number of such complaints resolved informally;

(ii) a summary of the types of complaints so resolved, including identification of the most common types of complaints so resolved, categorized by the privacy and security rule allegedly violated;

(iii) for each such category, the average amount of time between receipt of a complaint to resolution of such complaint;

(iv) examples, with entity and patient names and other individually identifiable health information redacted, of complaints resolved informally and the Secretary’s rationale for resolving such complaints informally; and

(v) the number of covered entities that received technical assistance from the Secretary during such year in order to achieve compliance with such provisions and the types of such technical assistance provided.”;

(B) in subparagraph (E), by inserting “and a summary of the outcome of such subpoenas or inquiries” after “inquiries issued”;

(C) in subparagraph (F), by striking “following year; and” and inserting “following year and enforcement priorities for the succeeding year;”;

(D) in subparagraph (G), by striking the period at the end and inserting a semicolon; and

(E) by adding at the end the following:

“(H) the number of State attorney general actions that were pursued under this subtitle and notice of which was provided to the Secretary pursuant to section 1176(d)(4) of the Social Security Act; and

(I) the number of health privacy or health security or data breach complaints referred to the Attorney General, including—

(i) whether the Attorney General declined enforcement; and

(ii) the number of complaints referred to the Attorney General but returned to the Secretary for enforcement and a summary of enforcement actions taken by the Secretary with respect to such complaints, including informal resolutions, civil monetary penalties, resolution agreements or settlements, or voluntary compliance actions.”; and

(2) by adding at the end the following:

“(g) Annual studies

(1) In general

For the first year beginning after the date of enactment of the Protect Our Health Privacy Act, and every year thereafter, the Attorney General shall submit to the Committee on the Judiciary of the Senate and the Committee on the Judiciary of the House of Representatives a report concerning complaints of alleged violations described in section 1177 of the Social Security Act, including violations of the provisions of this subtitle relating to privacy and security of health information, that were referred to the Department of Justice by the Department of Health and Human Services, the Federal Bureau of Investigation, or another State or Federal agency during the year for which the report is being prepared.

(2) Requirements

Each report required under paragraph (1) shall—

(A) be made available to the public on the websites of the Department of Justice and the Department of Health and Human Services; and

(B) include, with respect to complaints received during the year for which the report is being prepared—

(i) the total number of complaints received;

(ii) the number of complaints received that were eligible for criminal enforcement; and

(iii) of the complaints described in clause (ii), a summary of how each complaint was resolved that—

(I) includes the rationale for declining enforcement, if applicable; and

(II) does not identify the patients, individuals, or entities involved.”.

3. Encryption for portable media

(a) Guidance regarding unsecured protected health information

(1) In general

Section 13402(h)(2) of division A of the American Recovery and Reinvestment Act of 2009 (42 U.S.C. 17932(h)(2)) is amended by inserting “, including protected health information stored on portable media (as defined by the Secretary, which shall include thumb drives, laptop computers, tablet computers, and other similar devices),” after “protected health information”.

(2) Applicable

The amendment made by paragraph (1) shall apply to updated guidance issued under section 13402(h)(2) of division A of the American Recovery and Reinvestment Act of 2009 (42 U.S.C. 17932(h)(2)) after the date of enactment of this Act.

(b) Portable media encryption requirement

(1) In general

Section 13401 of division A of the American Recovery and Reinvestment Act of 2009 (42 U.S.C. 17931) is amended by adding at the end the following:

“(d) Portable media encryption requirement

Not later than 1 year after the date of enactment of the Protect Our Health Privacy Act, the Secretary shall issue regulations to require covered entities and business associates to render protected health information that is stored on portable media (as defined by the Secretary, which shall include thumb drives, laptop computers, tablet computers, and other similar devices) unusable, unreadable, or indecipherable to unauthorized individuals.”.

(2) Conforming amendment

Section 13401(b) of such Act (42 U.S.C. 17931(b)) is amended by inserting “or (d)” after “subsection (a)”.

4. Use of data in business associate contracts; application of minimum necessary standard to business associates

(a) In general

Section 13404 of division A of the American Recovery and Reinvestment Act (42 U.S.C. 17934) is amended by adding at the end the following:

“(d) Use of data in business associate contracts; application of minimum necessary standard to business associates

(1) Limitation on scope and use of protected health information

As required by section 164.504(e) of title 45, Code of Regulations (as in effect on the date of enactment of this subsection), any business associate agreement between a covered entity and a business associate shall limit the use of protected health information by such business associate—

(A) to only such information as necessary for the performance of the service or function that the covered entity has contracted with the business associate to perform on behalf of the covered entity; and

(B) to only those uses that are necessary for the performance of the service or function described in subparagraph (A).

(2) Application of minimum necessary standard to business associates

Section 164.502(b) of title 45, Code of Federal Regulations shall apply to a business associate of a covered entity in the same manner that such section applies to the covered entity. The additional requirements of this title that relate to the minimum necessary standard with respect to the use, disclosure, and request of protected health information that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.”.

(b) Conforming amendment

Subsection (c) of such section 13404 (42 U.S.C. 17934) is amended by striking “(a) or (b)” and inserting “(a), (b), or (d)(2)”.

(c) Clarification

Nothing in subsection (d)(2) of section 13404 of division A of the American Recovery and Reinvestment Act (42 U.S.C. 17934) (as amended by subsection (a)) affects the application of the minimum necessary standard to business associates pursuant to section 164.504(e) of title 45, Code of Federal Regulations (relating to contracts and other arrangements between business associates and covered entities) as in effect on the date of enactment of this Act.

5. Health information technology improvement initiative

Title XXX of the Public Health Service Act (42 U.S.C. 300jj et seq.) is amended by adding at the end the following:

“3022. Health information technology improvement initiative

(a) In general

Not later than 18 months after the date of enactment of the Protect Our Health Privacy Act, the Secretary shall issue regulations to improve the safety, interoperability, and utility of health information technology systems.

(b) Content

The regulations issued under subsection (a) shall include—

(1) a system to track the effect of health information technology on the health of patients; and

(2) minimum quality and risk management requirements for health information technology vendors.

(c) Health information technology adverse health event reporting

(1) In general

The Secretary shall designate an agency within the Department of Health and Human Services to promulgate regulations relating to a health information technology adverse health event reporting program and database. The Department shall consider definitions and standards developed by the National Quality Forum before promulgating such regulations.

(2) Content

The regulations promulgated under paragraph (1) shall include mandatory submission of adverse health event reports by health information technology vendors and voluntary submission of adverse health event reports by users of health information, including patients and their family caregivers.

(3) Use of reports

The agency designated under paragraph (1) shall analyze adverse health event reports and report findings and recommendations to the applicable industry and policymakers.

(4) Protection of reports

The agency designated under paragraph (1) shall remove identifying information if adverse health event reports are made public. An adverse health event report may not be admitted or used in any action in a Federal or State court or any Federal or State administrative proceeding as evidence of fault, liability, or occurrence of an adverse health event.

(5) Annual report

The agency designated under paragraph (1) shall use the database established under such paragraph to submit to Congress an annual report regarding the use and safety of health information technology.”.