Report Title:
Medical Information Privacy; Non-HIPAA Transactions
Description:
Prohibits the negligent, reckless, or intentional acquisition, use, and disclosure of personal medical and health information, subject to certain exceptions. Applies to acquisitions, uses, and disclosures not covered by HIPAA. Creates a private right of action.
THE SENATE
S.B. NO. 1552
TWENTY-FIRST LEGISLATURE, 2001
STATE OF HAWAII
A BILL FOR AN ACT
relating to Medical and Health Information Privacy.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:
SECTION 1. The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:
"CHAPTER
PRIVACY OF MEDICAL AND HEALTH RECORDS
§ -1 Purpose. Article I, section VI of the Hawaii Constitution states:
The right of the people to privacy is recognized and shall not be infringed without the showing of a compelling state interest. The legislature shall take affirmative steps to implement this right.
The purpose of Act 87, Session Laws of Hawaii 1999, the Medical Privacy Act, was to implement the affirmative duty of the legislature in article I, section VI, of the Hawaii Constitution. If Act 87 is repealed, regulations under the federal Health Insurance Portability and Accountability Act will cover certain protected health information only when acquired, used, or disclosed by a health plan, a health care clearinghouse, and a health care provider who transmits any health information in electronic form in connection with a transaction covered by the regulations. However, because of limitations imposed by Congress on the Health Insurance Portability and Accountability Act, the regulations will not cover many other transactions that the department of health and human services believes should be covered.
This chapter will fulfill the legislative mandate in article I, section VI, of the Hawaii Constitution by providing reasonable protection for the privacy of identifiable health information even when it is not protected by Health Insurance Portability and Accountability Act regulations. Further, if, as is probable, the Health Insurance Portability and Accountability Act regulations are severely curtailed or repealed, this chapter will become the principal vehicle for insuring health information privacy as required by article I, section VI, of the Hawaii Constitution.
This chapter provides a statutory cause of action for damages for individuals whose identifiable health information is acquired, used, or disclosed in violation of the chapter. However, there are significant and important defenses that will protect the acquisition, use, and disclosure of health information in virtually all cases where the protection is warranted. Protection is afforded to the acquisition, use, and disclosure of health information:
(1) That is not negligently, recklessly, or intentionally made;
(2) That is made with the express or implied consent of the individual;
(3) That is required or specifically permitted by law;
(4) That is done by a health care provider in the good faith belief, based upon the provider’s professional judgment, that the acquisition, use, or disclosure is in the best interest of the individual;
(5) Where it is not reasonably foreseeable that the acquisition, use, or disclosure, and the effects thereof, would cause harm or detriment to an average person;
(6) Where the acquisition, use, or disclosure of an individual’s identifiable medical and health information has caused no harm or detriment to the individual; and
(7) Where the benefit to the person or to the public interest of acquiring, using, or disclosing the individual’s identifiable medical and health information for the purpose for which it was acquired, used, or disclosed, outweighs the risk of harm or detriment to the individual.
This last exception is capable of being sensibly interpreted by the courts to protect disclosures of protected health information when the public interest or the benefit to the person whose information is disclosed outweighs the risk of harm or detriment to the individual.
Finally, both consent and implied consent are defined in a manner to give protection to disclosures that are made after information reasonably calculated to inform the individual is provided and consented to, or where consent is reasonably to be implied from the circumstances.
§ -2 Applicability. This chapter shall apply only to the acquisition, use, or disclosure of identifiable medical and health information not covered by regulations adopted pursuant to the Health Insurance Portability and Accountability Act of 1996, as amended, title 45 Code of Federal Regulations, subtitle A, subchapter C, parts 160 to 164.
§ -3 General rules regarding use and disclosure. (a) No person or other legal entity shall negligently, recklessly, or intentionally acquire, use, or disclose any individual’s personal medical and health information, identifiable to the individual, without the individual’s express or implied consent.
(b) An individual shall be deemed to have impliedly consented to the acquisition, use, or disclosure of the individual's personal medical and health information when:
(1) The acquisition, use, or disclosure is reasonably necessary to process or determine a service, benefit, right, or privilege applied for by the individual or by a person acting lawfully in the individual's behalf; or
(2) The individual has voluntarily disclosed the individual's personal medical and health information to another and the information has thereafter been acquired, used, or disclosed in a manner that a reasonably prudent person, viewing the individual’s disclosure, would believe the individual would have permitted.
(c) An individual shall be deemed to have expressly consented to the acquisition, use, or disclosure of the individual's identifiable personal medical and health information when the individual voluntarily signs a statement containing information reasonably calculated to inform the individual of the purpose for which the information will or may be used and the persons or classes of persons who will or may acquire, use, or disclose the information.
(d) Subsection (a) shall not apply where:
(1) The acquisition, use, or disclosure of the individual’s personal medical and health information is required or specifically permitted by law;
(2) The acquisition, use, or disclosure is made by a health care provider in the good faith belief, based upon the provider’s professional judgment, that the acquisition, use, or disclosure is in the best interest of the individual;
(3) It is not reasonably foreseeable that the acquisition, use, or disclosure, and the effects thereof, would cause harm or detriment to an average person;
(4) The acquisition, use, or disclosure of an individual’s identifiable medical and health information has caused no harm or detriment to the individual; or
(5) The benefit to the person or to the public interest of the acquisition, use, or disclosure of the individual’s identifiable medical and health information for the purpose for which it was acquired, used, or disclosed, outweighs the risk of harm or detriment to the individual.
(e) Violation of this section shall give rise to a cause of action for damages for serious harm or detriment. Punitive damages may also be awarded in an appropriate case."
SECTION 2. This Act shall take effect upon its approval.
INTRODUCED BY: _____________________________