H. R. 3763
IN THE HOUSE OF REPRESENTATIVES
December 12, 2013
Mr. Posey introduced the following bill; which was referred to the Committee on Oversight and Government Reform, and in addition to the Committee on the Judiciary, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned
To impose penalties for the unauthorized disclosure of personal health information by Federal employees.
This Act may be cited as the
Personal Health Information Protection Act
Unauthorized disclosure of personally identifiable covered information
Liability for Certain Acts
It shall be unlawful for any officer or employee of the United States—
willfully to make an unauthorized disclosure of personally identifiable covered information; or
to conspire to commit a violation of subparagraph (A).
Any violation of paragraph (1) shall be subject to a penalty of not more than the greatest of—
the penalty specified in the law setting forth the offense which covers a violation of paragraph (1), or
the penalty set forth in subparagraph (B).
The penalty set forth in this subparagraph is a felony punishable upon conviction by—
a fine in any amount not exceeding $100,000 for each such violation and imprisonment of not more than 7 years,
the costs of prosecution, and
dismissal from office or discharge from employment.
Forfeiture of annuities and retired pay
For purposes of this section—
Officer of the United States
The term officer of the United States means an officer appointed pursuant to section 2104(a)(1)(C) of title 5, United States Code.
Employee of the United States
The term employee of the United States means an employee, as defined by section 2105 of title 5, United States Code.
Personally identifiable covered information
The term personally identifiable covered information means protected health information (as defined in section 160.103 of title 45, Code of Federal Regulations, or any successor regulation).
Private right of action
Any person who violates section 2 of this Act or who willfully aids, abets, counsels, induces, or procures the commission of a violation of section 2 of this Act shall be liable to the person whose personally identifiable covered information was disclosed in violation of section 2 of this Act—
in the amount of $100,000 for each such violation, and
for costs of prosecution and attorney fees.
Jurisdiction; statute of limitations; venue; process
The United States district courts shall have exclusive jurisdiction of actions brought under this section. Any such action shall be brought not later than two years after the date the cause of action arises. Any action brought under subsection (a) of this section may be brought in any judicial district wherein the defendant is found, resides, or transacts business, or in the judicial district wherein any act or transaction constituting the violation occurs. Process in such action may be served in any judicial district of which the defendant is an inhabitant or wherever the defendant may be found.