WRONGFUL DISCLOSURE OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION
SEC. 1177. (a) OFFENSE.--A person who knowingly and in violation of this part--
(1) uses or causes to be used a unique health identifier;
(2) obtains individually identifiable health information relating to an
individual; or
(3) discloses individually identifiable health information to another person,
shall be punished as provided in subsection (b).
(b) PENALTIES.--A person described in subsection
(a) shall--
(1) be fined not more than $50,000, imprisoned
not more than 1 year, or both;
(2) if the offense is committed under false
pretenses, be fined not more than $100,000, imprisoned not more than 5 years,
or both; and
(3) if the offense is committed with intent to
sell, transfer, or use individually identifiable health information for
commercial advantage, personal gain, or malicious harm, be fined not more than
$250,000, imprisoned not more than 10 years, or both.
EFFECT ON STATE LAW
SEC. 1178. (a) GENERAL EFFECT.--
(1) GENERAL RULE.--Except as provided in
paragraph (2), a provision or requirement under this part, or a standard or
implementation specification adopted or established under sections 1172
through 1174, shall supersede any contrary provision of State law, including a
provision of State law that requires medical or health plan records (including
billing information) to be maintained or transmitted in written rather than
electronic form.
(2) EXCEPTIONS.--A provision or requirement under
this part, or a standard or implementation specification adopted or
established under sections 1172 through 1174, shall not supersede a contrary
provision of State law, if the provision of State law--
(A) is a provision the Secretary determines--
(i) is necessary--
(I) to prevent fraud and abuse;
(II) to ensure appropriate State regulation of insurance and health plans;
(III) for State reporting on health care
delivery or costs; or
(IV) for other purposes; or
(ii) addresses controlled substances; or
(B) subject to section 264(c)(2) of the Health Insurance Portability and
Accountability Act of 1996, relates to the privacy of individually
identifiable health information.
(b) PUBLIC HEALTH.--Nothing in this part shall be
construed to invalidate or limit the authority, power, or procedures established
under any law providing for the reporting of disease or injury, child abuse,
birth, or death, public health surveillance, or public health investigation or
intervention.
(c) STATE REGULATORY REPORTING.--Nothing in this
part shall limit the ability of a State to require a health plan to report, or
to provide access to, information for management audits, financial audits,
program monitoring and evaluation, facility licensure or certification, or
individual licensure or certification.
PROCESSING PAYMENT TRANSACTIONS BY FINANCIAL INSTITUTIONS
SEC. 1179. To the extent that an entity is
engaged in activities of a financial institution (as defined in section 1101 of
the Right to Financial Privacy Act of 1978), or is engaged in authorizing,
processing, clearing, settling, billing, transferring, reconciling, or collecting
payments, for a financial institution, this part, and any standard adopted under
this part, shall not apply to the entity with respect to such activities,
including the following:
(1) The use or disclosure of information by the
entity for authorizing, processing, clearing, settling, billing, transferring,
reconciling or collecting, a payment for, or related to, health plan premiums
or health care, where such payment is made by any means, including a credit,
debit, or other payment card, an account, check, or electronic funds transfer.
(2) The request for, or the use or disclosure of,
information by the entity with respect to a payment described in paragraph
(1)--
(A) for transferring receivables;
(B) for auditing;
(C) in connection with--
(i) a customer dispute; or
(ii) an inquiry from, or to, a customer;
(D) in a communication to a customer of the
entity regarding the customer's transactions, payment card, account, check,
or electronic funds transfer;
(E) for reporting to consumer reporting
agencies; or
(F) for complying with--
(i) a civil or criminal subpoena; or
(ii) a Federal or State law regulating the
entity.".
(b) CONFORMING AMENDMENTS.--
(1) REQUIREMENT FOR MEDICARE PROVIDERS.--Section
1866(a)(1) (42 U.S.C. 1395cc(a)(1)) is amended--
(A) by striking "and" at the end of
subparagraph (P);
(B) by striking the period at the end of
subparagraph (Q) and inserting "; and"; and
(C) by inserting immediately after subparagraph
(Q) the following new subparagraph:
"(R) to contract only with a health care clearinghouse (as defined in
section 1171) that meets each standard and implementation specification
adopted or established under part C of title XI on or after the date on
which the health care clearinghouse is required to comply with the standard
or specification."
(2) TITLE HEADING.--Title XI (42 U.S.C. 1301 et seq.) is amended by striking
the title heading and inserting the following:
"TITLE XI--GENERAL PROVISIONS, PEER REVIEW, AND
ADMINISTRATIVE SIMPLIFICATION".