Report Title:
Health Care Information
Description:
Makes omnibus changes to the privacy of health care information law.
|
HOUSE OF REPRESENTATIVES |
H.B. NO. |
1537 |
|
TWENTY-FIRST LEGISLATURE, 2001 |
||
|
STATE OF HAWAII |
||
|
|
A BILL FOR AN ACT
RELATING TO HEALTH CARE.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
SECTION 1. Chapter 323C, Hawaii Revised Statutes, is amended by adding a new section to be appropriately designated and to read as follows:
"§323C- Exceptions.
This chapter shall not apply to:(1) Civil proceedings and actions brought in a federal court or in a federal administrative proceeding; and
(2) The investigation, processing, determination, or defense of any claim or application for:
(A) Workers' compensation benefits, including disability and medical benefits, third party subrogation claims, return to work programs, independent medical, chiropractic, and psychiatric examinations, vocational rehabilitation, auditing of medical payments, and program, financial, and accounting audits;
(B) Sick leave, leave sharing, family and medical leave, or any other leave for medical reasons;
(C) Accommodation under the Americans with Disabilities Act;
(D) Occupational Safety and Health Act and Hawai'i Occupational Health and Safety Act;
(E) Disability claims under a retirement plan or temporary or long term disability insurance;
(F) Social Security, retirement, pension, 401K, profit sharing and other benefit plans;
(G) Employee's fitness for duty or to return to work, work performance and attendance, drug and alcohol testing, including laboratory work and review by medical review officers, counseling and treatment by substance abuse professionals, substance abuse programs, and employee assistance programs, grievance proceedings under any collective bargaining agreement, and any other proceeding where the physical or mental condition of the employee is at issue;
(H) Paternity and payment of child support;
(I) Programs, benefits, and services for elderly or disabled persons, that are based on the physical or mental condition of the applicant, and that are established, provided, or funded by or through any federal, state or county agency, or by any agent or independent contractor of any agency. These benefits and services include, but are not limited to, tax relief and benefits, housing programs, parking and transportation programs, and programs under the Older Americans Act;
(J) Prepaid health care benefits or benefits provided under chapter 87;
(K) Programs where disclosure is authorized under federal or state law; and
(L) Disclosures to and from any office, department, division, employee, agent, or independent contractor of the same entity, person, or employer for the purpose for which disclosure was made."
SECTION 2. Section 323C-1, Hawaii Revised Statutes, is amended as follows:
1.
By amending the definition of "entity" to read: ""Entity" means a health care provider, health care data organization, health plan, health oversight agency, [public health authority, employer,] insurer, health researcher, [law enforcement official,] or educational institution, except as otherwise defined for purposes of a particular section only."
2.
By amending the definition of "health care provider" to read:""Health care provider" means a person who, with respect to any protected health information, receives, creates, uses, maintains, or discloses the protected health information while acting in whole or in part in the capacity of:
(1) A person who is licensed, certified, registered, or otherwise authorized by federal or state law to provide an item or service that constitutes health care in the ordinary course of business, or practice of a profession; or
[(2) A federal, state, or employer-sponsored program that directly provides items or services that constitute health care to beneficiaries; or
(3)] (2) An officer, employee, or agent of a person described in paragraph (1)[ or (2)]."
3.
By amending the definition of "health oversight agency" to read: ""Health oversight agency" means a person who, with respect to any protected health information, receives, creates, uses, maintains, or discloses the information while acting in whole or in part in the capacity of[:
(1) A] a person who performs or oversees the performance of an assessment, evaluation, determination, or investigation, relating to the licensing, accreditation, or credentialing of health care providers[; or
(2) A person who:
(A) Performs or oversees the performance of an audit, assessment, evaluation, determination, or investigation relating to the effectiveness of, compliance with, or applicability of, legal, fiscal, medical, or scientific standards or aspects of performance related to the delivery of, or payment for, health care; and
(B) Is]. A health oversight agency does not include a public agency, or any person acting on behalf of a public agency, acting pursuant to a requirement of a public agency, or carrying out activities under a federal or state law governing the assessment, evaluation, determination, investigation, or [prosecution for violations of paragraph (1).] under any program established or funded under any federal or state law."
4.
By amending the definition of "health plan" to read: ""Health plan" means any health insurance plan, including any hospital or medical service plan, dental or other health service plan or health maintenance organization plan, provider-sponsored organization, or other program providing or arranging for the provision of health [benefits, whether or not] care that is funded through the purchase of insurance. A health plan does not include any self-insured health plan."
5.
By amending the definition of "insurer" to read:""Insurer" means any person regulated under chapter 432D, article 1 of chapter 432, any group that has purchased a group insurance policy issued by a person regulated under chapter 432D, and any person regulated under article 10A of chapter 431, other than a life insurer, workers' compensation insurer, temporary disability insurer, or any other disability income insurer, or long-term care insurer. An insurer does not include any employer that is providing any insurance under a self-insured plan."
6.
By amending the definition of "person" to read: ""Person" means a [government, governmental subdivision, agency or authority,] corporation, company, association, firm, partnership, insurer, estate, trust, joint venture, individual, individual representative, and any other legal entity."
7.
By amending the definition of "protected health information" to read: ""Protected health information" means [any]:
(1) Any information, identifiable to an individual, [including demographic information, whether or not] that is created by a medical provider and recorded by the medical provider in any form or medium that relates directly or indirectly to the past, present, or future:
[(1)] (A) Physical or mental health or condition of a person, including tissue and genetic information;
[(2)] (B) Provision of health care to an individual; or
[(3)] (C) Payment for the provision of health care to an individual.
(2) Does not include information:
(A) That is provided by on on behalf of the individual who is the subject of the information; or
(B) That is provided for the investigation, processing, determination, or defense of any application or claim by the individual who is the subject of the information and whose medical condition is at issue."
SECTION 3. Section 323C-11, Hawaii Revised Statutes, is amended as follows:
1. By amending subsection (a) to read:
"(a) For the purposes of this section only, "entity" means a health care provider[,] or a health plan[, employer, health care data organization, insurer, or educational institution]."
2. By amending subsection (c) to read:
"(c) Unless ordered by a court of competent jurisdiction, an entity is not required to permit the inspection or copying of protected health information if any of the following conditions are met:
(1) The entity determines that the disclosure of the information could reasonably be expected to endanger the life or physical safety of, or cause substantial mental harm to, the individual who is the subject of the record[;] or to any individual;
(2) The information identifies, or could reasonably lead to the identification of, a person who provided information under a promise of confidentiality concerning the individual who is the subject of the information unless the confidential source can be protected by redaction or other similar means;
(3) The information is protected from discovery as provided in section 624-25.5; or
(4) The information was collected for or during a clinical trial monitored by an institutional review board, the trial is not complete, and the researcher reasonably believes that access would harm the conduct of the trial."
3. By amending subsection (g) to read:
"(g) An entity shall comply with or deny, in accordance with subsection (d), a request for inspection or copying of protected health information under this section not later than [thirty] forty-five days after the date on which the entity or agent receives the request."
SECTION 4. Section 323C-13, Hawaii Revised Statutes, is amended to read as follows:
"[[]§323C-13[]] Notice of confidentiality practices; forms of notices. (a) For the purposes of this section only, "entity" means [a] health care provider[, health care data organization,] or a health plan[, health oversight agency, public health authority, employer, insurer, health researcher, or educational institution].
(b) An entity shall prominently post or provide the current notice of the entity's confidentiality practices. The notice shall be printed in clear type and composed in plain language. This notice shall be given pursuant to the requirements of section 323C-22. For the purpose of informing each individual of the importance of the notice and educating the individual about the individual's rights under this chapter, the notice shall contain the following language, placed prominently at the beginning:
IMPORTANT: THIS NOTICE DEALS WITH THE SHARING OF INFORMATION FROM YOUR MEDICAL RECORDS. PLEASE READ IT CAREFULLY. This notice describes your confidentiality rights as they relate to information from your medical records and explains the circumstances under which information from your medical records may be shared with others. This information in this notice also applies to others covered under your health plan, such as your spouse or children. If you do not understand the terms of this notice, please ask for further explanation.
In addition, as shall be appropriate to the size and nature of the entity, the notice shall include information about:
(1) A description of an individual's rights with respect to protected health information which shall contain at a minimum, the following:
(A) An individual's right to inspect and copy their record;
(B) An individual's right to request that a health care provider append information to their medical record; and
(C) An individual's right to receive this notice by each health plan upon enrollment, annually, and when confidentiality practices are substantially amended.
(2) The uses and disclosures of protected health information authorized under this chapter including information about:
(A) Payment;
(B) Conducting quality assurance activities or outcomes assessments;
(C) Reviewing the competence or qualifications of health care professionals;
(D) Performing accreditation, licensing, or credentialing activities;
(E) Analyzing health plan claims or health care records data;
(F) Evaluating provider clinical performance;
(G) Carrying out utilization management; or
(H) Conducting or arranged for auditing services in accordance with statute, rule or accreditation requirements;
[(3) The right of the individual to limit disclosure of protected health information by deciding not to utilize any health insurance or other third party payment as payment for the service, as set forth in section 323C-21(c);
(4)] (3) The procedures for giving consent to disclosures of protected health information and for revoking the consent to disclose; and
[(5) The description of procedures established by the entity for the exercise of the individual's rights required under this chapter; and
(6)] (4) The right to obtain a copy of the notice of confidentiality practices required under this chapter.
[(c) The actual procedures established by the entities for the exercise of individual rights under this part shall be available in writing upon request.]"
SECTION 5. Section 323C-14, Hawaii Revised Statutes, is amended by amending subsection (a) to read as follows:
"(a) An entity shall establish and maintain administrative, technical, and physical safeguards that are appropriate to the size and nature of the entity establishing the safeguards, and that are appropriate to protect the confidentiality[,] and security[, accuracy, and integrity] of protected health information created, received, obtained, maintained, used, transmitted, or disposed of by the entity."
SECTION 6. Chapter 323C, Hawaii Revised Statutes, is amended by amending the title of part III to read as follows:
"PART III. RESTRICTION ON [USE OF] DISCLOSURE"
SECTION 7. Section 323C-21, Hawaii Revised Statutes, is amended to read as follows:
"§323C-21 General rules regarding [use and] disclosure. (a) An entity shall not [use or] disclose protected health information except as authorized under this part and under part IV. Disclosure of health information in the form of nonidentifiable health information shall not be construed as a disclosure of protected health information.
(b) For the purpose of treatment or qualified health care operations, an entity may [only use or] disclose protected health information if the [use or] disclosure is properly noticed pursuant to sections 323C-13 and 323C-22[. For all other uses and disclosures, an entity may only use or disclose protected health information,] if the use or disclosure is properly consented to pursuant to section 323C-23[.], or is authorized under part IV. Disclosure to and from offices, departments, divisions, employees, agents, or independent contractors of [an] the same entity [shall be considered as a disclosure within an entity.] shall not be a violation of this chapter.
(c) [If an individual does not want protected health information released pursuant to [subsection] (b), the individual shall advise the provider prior to the delivery of services that the relevant protected health information shall not be disclosed pursuant to subsection (b), and the individual shall pay the health care provider directly for health care services.] A health plan may decline to cover particular health care services if an individual has refused to allow the release of protected health care information pertaining to those particular health care services. [Protected health information related to health care services paid for directly by the individual shall not be disclosed without consent.
(d) An agent who receives protected health information from an entity shall be subject to all rules of disclosure and safeguard requirements under this part.
(e)] Every [use and] disclosure of protected health information shall be limited to the purpose for which it was collected. Any other [use without a valid consent to disclose] disclosure that is not authorized under this part or part IV shall be an unauthorized disclosure.
[(f)] (d) Nothing in this part permitting the disclosure of protected health information shall be construed to require disclosure.
[(g)] (e) An entity may disclose protected health information [to an employee or agent of the entity not otherwise authorized to receive such information] to any person for purposes of creating nonidentifiable information, if the entity prohibits the [employee or agent of the entity] the person from [using or] disclosing the protected health information for purposes other than the sole purpose of creating nonidentifiable information, as specified by the entity.
[(h)] (f) Any individual or entity who manipulates or uses nonidentifiable health information or who discloses a unique patient identifier to identify an individual, shall be deemed to have disclosed protected health information. The disclosure or transmission of a unique patient identifier shall be deemed to be a disclosure of protected health information[.]; provided that the disclosure of the protected health information is not otherwise authorized under this part or part IV."
SECTION 8. Section 323C-22, Hawaii Revised Statutes, is amended by amending subsection (b) to read as follows:
"(b) For each new enrollment or re-enrollment by an individual in a health plan, on or after July 1, 2000, a health plan shall make reasonable efforts to obtain the individual's signature on the notice of confidentiality practices. The notice to be signed shall state that the individual is signing on behalf of the individual and all others covered by the individual's health plan. If the plan is unable to obtain the aforementioned signature, the plan shall note the reason for the failure to obtain said signature. The lack of a signed notice of confidentiality practices shall not justify a denial of coverage of a claim, nor shall it limit a health plan's access to information necessary for treatment and qualified health care operations[; provided that the individual may elect to keep the records from being disclosed by paying for the subject health care services, as provided under section 323C-21(c)]."
SECTION 9. Section 323C-23, Hawaii Revised Statutes, is amended as follows:
1. By amending subsection (b) to read:
"(b) To be valid, an authorization shall be separate from any other notice or authorization required by this part, shall be either in writing, dated, and signed by the individual, or in electronic form, dated, and authenticated by the individual using a unique identifier, shall not have been revoked, and shall do the following:
[(1) Identify the person or entity authorized to disclose protected health information;
(2)] (1) Identify the individual who is the subject of the protected health information;
[(3)] (2) Describe the [nature of and the] time span of the protected health information to be disclosed;
[(4)] (3) Identify the person [to whom the information is to be disclosed;] who is authorized to receive the disclosed information;
[(5)] (4) Describe the purpose of the disclosure;
[(6)] (5) State that it is subject to revocation by the individual and indicate that the consent to disclose is valid until revocation by the individual; and
[(7)] (6) Include the date, not to exceed five years from the date of signing, at which the consent to disclose ends.
For purposes of this section, the following consent form, or a similar form, shall be deemed to be in compliance with this section:
"CONSENT TO DISCLOSURE OF PROTECTED HEALTH INFORMATION"
(Name of subject individual), the undersigned individual, whose date of birth is (Date of birth), and whose social security number is (Social security number), hereby consents to the disclosure of protected health information to (Name of person authorized to receive disclosure). As used herein, protected health care means any information that is:
Identifiable to the undersigned individual,
Created by a medical provider and recorded by the medical provider, and
Related directly or indirectly to the past, present, or future physical or mental health or condition of the individual, and includes the examination, diagnosis, testing, treatment, and evaluation, and the provision or payment of health care to the individual.
The time span of the protected health information is (Time span of information to be disclosed).
The purpose of the disclosure is (State purpose).
This Consent is revocable in writing at any time, except to the extent that action has been taken in reliance thereon, and shall remain valid until written revocation is received by the person authorized to receive disclosure, or until (List date not to exceed five years), whichever is earlier.
Dated (City and State), (Date of signing).
(Signature line)"
2. By amending subsection (d) to read:
"(d) [Sections 323C-31 to 323C-39 provide] Part IV provides for exceptions to the requirement for the authorization."
SECTION 10. Part IV of chapter 323C, Hawaii Revised Statutes, is amended by amending the title to Part IV to read as follows:
"PART IV. EXCEPTED [USES AND] DISCLOSURES"
SECTION 11. Section 323C-34, Hawaii Revised Statutes, is amended to read as follows:
"[[]§323C-34[]] Emergency circumstances. Any person, entity, or employer who creates or receives protected health information under this chapter may [use or] disclose protected health information in emergency circumstances when the [use or] disclosure is necessary to protect the health or safety of the individual who is the subject of the information, or any other individual, from serious, imminent harm. These other individuals include but are not limited to first responders such as police, fire, and medical personnel exposed to infectious disease. A disclosure made in the good faith belief that the [use or] disclosure was necessary to protect the health or safety of an individual from serious, imminent harm shall not be a violation of this chapter."
SECTION 12. Section 323C-36, Hawaii Revised Statutes, is amended to read as follows:
"[[]§323C-36[]] Public health. (a) Any person, employer, or entity may disclose protected health information to a public health authority or other person or entity authorized by law, for use in a legally authorized:
(1) Disease or injury report;
(2) Public health surveillance;
(3) Public health investigation or intervention; [or]
(4) Health or disease registry[.]; or
(5) Investigation of abuse or crime against the individual who is the subject of the information.
(b) The disclosure of protected health information, pursuant [to] this section, to a public health authority or other person or entity authorized by law shall not be a violation of this [part] chapter.
(c) Protected health information disclosed for purposes of this section [remains protected health information and shall not] may be further disclosed by the receiving authority or person, [except as permitted under this section.] or entity for the purposes for which the protected health information was disclosed."
SECTION 13. Section 323C-37, Hawaii Revised Statutes, is amended to read as follows:
"§323C-37 Health research. (a) A health care provider[,] or a health plan[, public health authority, employer, insurer, or educational institution] may disclose protected health information to a health researcher if the following requirements are met:
(1) The research shall have been approved by an institutional review board. In evaluating a research proposal, an institutional review board shall require that the proposal demonstrate a clear purpose, scientific integrity, and a realistic plan for maintaining the confidentiality of protected health information. Research not otherwise subjected by federal regulation to institutional review board review shall be subject only to the review requirements of this paragraph;
(2) The health care provider[,] or health plan[, public health authority, employer, insurer, or educational institution] shall only disclose protected health information which it has previously created or collected; and
(3) The holder of protected health information shall keep a record of all health researchers to whom protected health information has been made available.
(b) A health researcher who receives protected health information shall remove and destroy, at the earliest opportunity consistent with the purposes of the project involved, any information that would enable an individual to be identified.
(c) A health researcher who receives protected health information shall not disclose [or use] the protected health information or unique patient identifiers for any purposes not reviewed by an institutional review board under this part or for any purposes other than the health research project for which the information was obtained, except that the health researcher may disclose the information pursuant to section 323C-35(a)."
SECTION 14. Section 323C-38, Hawaii Revised Statutes, is amended to read as follows:
"§323C-38 Disclosure in civil, judicial, and administrative procedures. (a) Protected health information may be disclosed pursuant to a discovery request or subpoena in a civil action brought in a state court, or a discovery request or subpoena related to a state administrative proceeding[, only if the disclosure is made pursuant to a court order as provided for in subsection (b) or to a written authorization under section 323C-23].
(b) [A court order issued under this section shall:
(1) Provide that the protected health information involved is subject to court protection;
(2) Specify to whom the information may be disclosed;
(3) Specify that the information may not otherwise be disclosed or used; and
(4) Meet any other] The court or administrative hearing officer may impose such requirements related to disclosure that the court or officer determines are needed to protect the confidentiality of the information.
(c) This [section] chapter shall not apply in a case in which the protected health information sought under the discovery request or subpoena is:
(1) Nonidentifiable health information; or
(2) Related to a party to the litigation or administrative proceeding whose medical condition is at issue.
(d) The release of any protected health information under this section shall not [violate] be a violation of this [part.] chapter."
SECTION 15. Section 323C-39, Hawaii Revised Statutes, is amended to read as follows:
"[[]§323C-39[]] Disclosure for civil or administrative law enforcement purposes. (a) For the purposes of this [section] only, "entity" means a health care provider, health plan, health oversight agency, [employer,] insurer, and educational institution.
(b) Except as to disclosures to a health oversight agency, which are governed by section 323C-35, an entity, employer, or person who receives protected health information [pursuant to sections 323C-23 and 323C-31 through 323C-37,] may disclose protected health information under this [section,] chapter, if the disclosure is pursuant to[:
(1) An administrative subpoena or summons or judicial subpoena;
(2) Consent in accordance with section 323C-23; or
(3) A court order.
(c) A subpoena or summons for a disclosure under subsection (b)(1) shall only be issued if the civil or administrative law enforcement agency involved shows that there is probable cause to believe that the information is relevant to a legitimate law enforcement inquiry.
(d) When the matter or need for which protected health information was disclosed to a civil or administrative law enforcement agency under subsection (b) has concluded, including any derivative matters arising from the matter or need, the civil or administrative law enforcement agency shall either destroy the protected health information, or return all of the protected health information to the person from whom it was obtained.
(e) To the extent practicable, and consistent with the requirements of due process, a civil or administrative law enforcement agency shall redact personally identifying information from protected health information prior to the public disclosure of the protected information in a judicial or administrative proceeding.
(f)] a discovery request or a subpoena in a civil action brought in a state court, or a discovery request or a subpoena related to a state administrative proceeding.
(c) Protected health information obtained by a civil or administrative law enforcement agency pursuant to this section may only be used for purposes of a legitimate law enforcement activity.
[(g) If protected health information is obtained without meeting the requirements of subsection (b)(1), (2), or (3), any information that is unlawfully obtained shall be excluded from court proceedings unless the defendant requests otherwise.]"
SECTION 16. Section 323C-51, Hawaii Revised Statutes, is amended to read as follows:
"[[]§323C-51[]] Wrongful disclosure of protected health information. [(a)] A person who knowingly or intentionally [obtains] discloses protected health information relating to an individual [or discloses protected health information] to another person in violation of this chapter shall be guilty of a [class C felony.
(b) A person who knowingly or intentionally sells, transfers, or uses protected health information for commercial advantage, personal gain, or malicious harm, in violation of this chapter shall be guilty of a class B felony] misdemeanor."
SECTION 17. Section 323C-52, Hawaii Revised Statutes, is amended to read as follows:
"[[]§323C-52[]] Civil actions by individuals. (a) Any individual whose rights under this chapter have been knowingly or intentionally violated may bring a civil action against the person or entity responsible for the violation.
(b) In any civil action brought under this section, if the court finds a knowing or intentional violation of an individual's rights under this chapter, the court may award:
(1) Injunctive relief, including enjoining a person or entity from engaging in a practice that violates this chapter;
(2) Equitable relief;
(3) Compensatory damages for injuries suffered by the individual. Injuries compensable under this section may include, but are not limited to, personal injury including emotional distress, reputational injury, injury to property, and consequential damages;
(4) Punitive damages, as appropriate;
(5) Costs of the action[;] to the prevailing party;
(6) Attorneys' fees[, as appropriate] to the prevailing party; and
(7) Any other relief the court finds appropriate.
(c) No action may be commenced under this section after the time period stated in section 657-7."
SECTION 18. Section 323C-53, Hawaii Revised Statutes, is amended by amending subsections (a) and (b) to read as follows:
"(a) A court [shall] may issue and cause to be served upon a person, who has knowingly or intentionally violated any provision of this chapter, a copy of the court's findings and an order requiring the person to cease and desist from violating this chapter, or to otherwise comply with the requirements of this chapter. The court may also order any one or more of the following:
[(1) For any violation of this chapter, payment of a civil penalty of not more than $500 for each and every act or violation but not to exceed $5,000 in the aggregate for multiple violations;
(2)] (1) For a knowing or intentional violation of this chapter, payment of a civil penalty of not more than [$25,000] $1,000 for each and every act or violation but not to exceed [$100,000] $25,000 in the aggregate for multiple violations; and
[(3)] (2) For knowing and intentional violations of this chapter that have occurred with such frequency as to constitute a general business practice, a civil penalty of not more than $100,000.
(b) Any person who knowingly or intentionally violates a cease and desist order or injunction issued under this section may be subject to a civil penalty of not more than [$10,000] $1,000 for each and every [act in] violation of the cease and desist order."
SECTION 19. Statutory material to be repealed is bracketed and stricken. New statutory material is underscored.
SECTION 2O. This Act shall take effect upon its approval.
|
INTRODUCED BY: |
_____________________________ |