H. R. 4805
IN THE HOUSE OF REPRESENTATIVES
March 17, 2016
Mrs. McMorris Rodgers (for herself and Mr. Byrne) introduced the following bill; which was referred to the Committee on Energy and Commerce, and in addition to the Committee on Ways and Means, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned
To amend the Health Information Technology for Economic and Clinical Health Act to provide that information held by health care clearinghouses is subject to privacy protections that are equivalent to the protections that apply to information held by other types of covered entities under the HIPAA Privacy Rule, and for other purposes.
This Act may be cited as the
Ensuring Patient Access to Healthcare Records Act of 2016.
The Congress finds as follows:
The Health Insurance Portability and Accountability Act of 1996 (
HIPAA), through certain of its implementing regulations known as the Privacy Rule, protects the health information of enrollees of health plans and other individuals (in this section referred to as
protected health information).
The HIPAA Privacy Rule applies to protected health information held by health care providers, plans, and clearinghouses, which are known as
covered entities. Such Rule also applies to vendors that perform certain functions for covered entities and thereby come into possession of protected health information. The HIPAA Privacy Rule refers to these vendors as
The HIPAA Privacy Rule applies both to the internal use of protected health information by covered entities and their business associates and to the disclosure of such information to other parties.
Covered entities and their business associates are subject to substantial civil and criminal penalties if they use or disclose protected health information in violation of the HIPAA Privacy Rule.
Clearinghouses play a unique, central role in the health care system, interacting with both health care providers and plans. Clearinghouses convert information from providers into claims-processing standard electronic formats and then submit the claims to the plans and finally send providers the plan payments.
Claims and other data held by clearinghouses could be analyzed longitudinally and geographically, providing powerful analytical tools that could benefit the overall health care system and facilitate medical innovation in the 21st Century.
Clearinghouses are unable to unlock the benefits of such claims and other data because the HIPAA Privacy Rule assigns clearinghouses a dual role. Such clearinghouses are not only covered entities, but are also business associates. The latter role substantially restricts the ability of clearinghouses to analyze claims data.
Clearinghouses should not be considered business associates and should instead have the same ability to use and disclose health-related data as other types of covered entities.
Eliminating the business-associate role of clearinghouses would not affect the applicability of the civil and criminal penalties that enforce the HIPAA Privacy Rule. Clearinghouses would continue to be subject to such penalties in their role as covered entities.
In addition to the uses of health-related information that the HIPAA Privacy Rule currently authorizes for covered entities, there are several particular analytical uses that should be authorized specifically for clearinghouses because of the unique benefits that would result from authorizing those uses. Although these particular new analytical uses should be authorized for clearinghouses, the disclosure of health information pursuant to these uses should be subject to the protection principles currently underlying the HIPAA Privacy Rule, including enforcement principles.
Treatment of certain HIPAA-related activities of health care clearinghouses
Subtitle D of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17921 et seq.) is amended by adding at the end the following:
Health Care Clearinghouses; Analytical Functions Toward Improving the Health Care System
Authority regarding analytical functions toward improving the health care system
With respect to the use and disclosure of protected health information, the Secretary—
shall not consider health care clearinghouses to be business associates under this subtitle, part C of title XI of the Social Security Act, or the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 for purposes of carrying out activities described in section 1171(2) of the Social Security Act and subsections (b) and (c) of this section; and
shall consider such clearinghouses to be covered entities under such provisions of law for such purposes.
The functions that may be carried out by a health care clearinghouse pursuant to subsection (a) include the following:
Promptly upon the request of individuals, providing such individuals with access to their protected health information as permitted by section 164.502(a)(1)(i) of title 45, Code of Federal Regulations. In carrying out the previous sentence, the clearinghouse may charge such an individual a fee, not to exceed the fair market value, for preparing the record of such information involved.
Promptly upon the request of individuals, providing such individuals with access to their protected health information as required by section 164.502(a)(2)(i) of title 45, Code of Federal Regulations. In carrying out the previous sentence, the clearinghouse may charge such an individual a fee, not to exceed the fair market value, for preparing the record of such information involved.
With respect to the access of patients to experimental treatments and diagnostics, notifying patients that they may be appropriate candidates as subjects in clinical research, and conducting research to identify such patients, pursuant to the preparatory-research provisions of section 164.512(i) of title 45, Code of Federal Regulations, and pursuant to the regulations referred to in paragraph (1) of this subsection.
Making public health disclosures authorized by sections 164.512(b) or 164.514(e) of title 45, Code of Federal Regulations, including notifying manufacturers of drugs or devices about adverse events related to their products pursuant to such section 164.512(b).
Research as authorized by sections 164.512(i) or 164.514(e) of title 45, Code of Federal Regulations.
Consistent with the applicable requirements of section 164.514 of title 45, Code of Federal Regulations, creating de-identified health information or a limited data set.
In addition to the functions that may be carried out by a health care clearinghouse pursuant to subsection (a), such a clearinghouse may, subject only to the privacy protections under paragraph (2), aggregate, use, and disclose data the clearinghouse possesses in order to carry out the following functions:
Prepare reports, analyses, and presentations on the quality and costs of health care services, including in specific geographic areas, in order to assist individuals select health care services and providers.
Prepare reports, analyses, and presentations of health-services outcomes data, including presentations addressing outcomes of various types of approaches to a particular disease, disorder, or other adverse health condition.
Prepare reports, analyses, and presentations of epidemiological data to assist decisionmaking in development programs for new treatments or diagnostics.
Prepare reports, analyses, and presentations on costs and charges for health care products and services.
Upon the request of a covered entity, prepare reports, analyses, and presentations that benchmark the operations of such covered entity against the operations of one or more other covered entities that have elected to participate in such benchmarking.
A health care clearinghouse may carry out the functions described in paragraph (1) without obtaining any authorizations under section 164.508 of title 45, Code of Federal Regulations. For purposes of such paragraph, with respect to any report, analysis, or presentation provided by the clearinghouse to a third party, such report, analysis, or presentation—
shall include only de-identified data; or
if containing protected health information, shall include such data that is—
subject to a qualifying data use agreement (as defined in subsection (i)); or
provided to the Food and Drug Administration for purposes authorized by law for such Administration, subject to protected health information being disclosed to such Administration only to the extent necessary for such purposes.
In the case of a health care clearinghouse, the authority under subsections (a) through (c) includes applicability with respect to protected health information collected from other covered entities and includes applicability with respect to the aggregation of such information between covered entities.
Comprehensive Records Per Request of Individual
For purposes of subsection (b)(2), when a health care clearinghouse receives a request from an individual for the protected health information of the individual, the clearinghouse shall provide to the individual a comprehensive record of such information (across health care providers and health plans), unless the clearinghouse determines in its discretion that providing a comprehensive record is not technologically feasible. In preparing such record for the individual, the clearinghouse may, with the permission of the individual, purchase the protected health care information of the individual from one or more other health care clearinghouses (and the cost of such purchase may be included in the fee charged to the individual).
Situations not involving direct interaction with individuals
Sections 164.400 through 164.414, sections 164.520 through 164.528, and 164.530 of title 45, Code of Federal Regulations, apply to a clearinghouse to the extent that it has current contact information pursuant to direct interaction with the individual. In the case of each other individual, the clearinghouse shall carry out its functions under this subtitle, part C of title XI of the Social Security Act, and the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 as if the clearinghouse were a business associate. The individuals to whom the preceding sentence applies includes individuals with respect to whom the sole clearinghouse function is to process or facilitate the processing of nonstandard data elements of health information into standard data elements.
With respect to agreements entered into by a health care clearinghouse before the effective date of this section, a provision of an agreement that conflicts with this section shall not have any legal force or effect. The preceding sentence may not be construed as affecting any provision of an agreement that does not conflict with this section. A health care clearinghouse shall provide notice of this subsection to each entity with which the clearinghouse has an agreement that is affected by this subsection.
Section 13410(a)(2) applies to this part in the same manner as such section applies to parts 1 and 2.
For purposes of this part:
The term de-identified, with respect to health information, means such information that is not individually identifiable as determined in accordance with the standards under section 164.514(b) of title 45, Code of Federal Regulations.
The term health care clearinghouse has the meaning given such term in section 1171 of the Social Security Act.
The term individual, with respect to protected health information, has the meaning that applies under section 160.103 of title 45, Code of Federal Regulations.
The term qualifying data use agreement means an agreement that establishes the permitted uses and disclosures of protected health information by the recipient for one or more functions described in subsection (c)(1) and restricts the use and disclosure of the information by the recipient in the same manner as applies under paragraphs (e)(4)(ii)(B) and (e)(4)(ii)(C) (1)–(4) of section 164.514 of title 45, Code of Federal Regulations, but without regard to the references to limited data sets.
Relation to other laws
Section 13421 applies to this part in the same manner as such section applies to parts 1 and 2, except to the extent that such section concerns section 1178(a)(2)(B) of the Social Security Act.
Not later than the expiration of the 90-day period beginning on the date of the enactment of this Act, the Secretary of Health and Human Services shall promulgate regulations to carry out the amendment made by subsection (a).
Section 1171(2) of the Social Security Act (42 U.S.C. 1320d(2)) is amended by inserting before the period the following:
, or that carries out such processing function and in addition any of the functions authorized in section 13451 of the Health Information Technology for Economic and Clinical Health Act.