REPORT TITLE:
Health Care Info Privacy


DESCRIPTION:
Protects privacy of health care information by stipulating
conditions under which information can be disclosed.  Provides
penalties.  (HB351 HD1)

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
                                                        351
HOUSE OF REPRESENTATIVES                H.B. NO.           H.D. 1
TWENTIETH LEGISLATURE, 1999                                
STATE OF HAWAII                                            
                                                             
________________________________________________________________
________________________________________________________________


                   A  BILL  FOR  AN  ACT

RELATING TO PRIVACY OF HEALTH CARE INFORMATION.



BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

 1      SECTION 1.  The legislature finds that individuals have a
 
 2 constitutional right to privacy with respect to personal health
 
 3 information and records, and with respect to information about
 
 4 medical care and health status, this right to privacy is at risk.
 
 5 Erosion of the right to privacy may reduce the willingness of
 
 6 patients to confide in physicians and other practitioners, thus
 
 7 jeopardizing the provision of quality health care.  Misuse of
 
 8 medical information may also be devastating to an individual's
 
 9 well being.  An individual's right to privacy means that an
 
10 individual's consent is needed to disclose his or her protected
 
11 health information, except in limited circumstances required by
 
12 the overriding public interest.  Any disclosure of protected
 
13 health information should be limited to only that information or
 
14 portion of the medical record necessary to fulfill the purpose of
 
15 the disclosure.
 
16      The legislature also finds that use of nonidentifiable
 
17 health information should be encouraged where appropriate and
 
18 that the continuing availability of timely and accurate personal
 

 
Page 2                                                     351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1 health data for the delivery of health care services throughout
 
 2 the State is needed.  In addition, personal health information
 
 3 may be essential for selected types of medical research and
 
 4 public health uses of personal health information that are
 
 5 critical to both personal health as well as public health.  The
 
 6 privacy of an individual's health information must be assured
 
 7 without unduly jeopardizing clinical and epidemiological research
 
 8 undertaken to improve health care and health outcomes and to
 
 9 assure the quality and efficiency of health care.
 
10      The purpose of this Act is to:
 
11      (1)  Implement the right of the people to privacy
 
12           established under section 6 of article I of the
 
13           Constitution of the State of Hawaii which provides that
 
14           the legislature shall take affirmative steps to
 
15           implement the right to privacy through legislation;
 
16      (2)  Protect individuals from the adverse effects of the
 
17           improper disclosure of protected health information in
 
18           medical records;
 
19      (3)  Establish strong and effective mechanisms to protect
 
20           against the unauthorized and inappropriate use of
 
21           protected health information that is created or
 
22           maintained as part of health care treatment, diagnosis,
 

 
 
 
Page 3                                                     351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1           enrollment, payment, plan administration, testing, or
 
 2           research processes;
 
 3      (4)  Promote the effective exchange and transfer of health
 
 4           information in a manner that will ensure the
 
 5           confidentiality of protected health information without
 
 6           impeding the delivery of high quality health care;
 
 7      (5)  Create incentives to turn personal health information
 
 8           into nonidentifiable health information for oversight,
 
 9           health research, public health, law enforcement,
 
10           judicial, and administrative purposes, where
 
11           appropriate; and
 
12      (6)  Establish strong and effective remedies for violations
 
13           of this Act.
 
14      SECTION 2.  The Hawaii Revised Statutes is amended by adding
 
15 a new chapter to be appropriately designated and to read as
 
16 follows:
 
17                             "CHAPTER
 
18                PRIVACY OF HEALTH CARE INFORMATION
 
19                    PART I.  GENERAL PROVISIONS
 
20      §   -1  Definitions.  As used in this chapter, except as
 
21 otherwise specifically provided:
 
22      "Accrediting body" means a committee, organization, or
 
23 institution that has been authorized by law or is recognized by a
 

 
Page 4                                                     351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1 health care regulating authority as an accrediting entity or any
 
 2 other entity that has been similarly authorized or recognized by
 
 3 law to perform specific accreditation, licensing, or
 
 4 credentialing activities.
 
 5      "Agent" means a person who represents and acts for another
 
 6 under a contract or relationship of agency, or whose function is
 
 7 to bring about, modify, affect, accept performance of, or
 
 8 terminate contractual obligations between the principal and a
 
 9 third person, including a contractor.
 
10      "Commissioner" means the insurance commissioner.
 
11      "Designated individual's representative" means a person who
 
12 is authorized by law (based on grounds other than the minority of
 
13 an individual), or by an instrument recognized under law, to act
 
14 as an agent, attorney, guardian, proxy, or other legal
 
15 representative of a protected individual.  The term includes a
 
16 health care power of attorney.
 
17      "Director" means the director of the office of information
 
18 practices.
 
19      "Disclose" means to release, transfer, provide access to,
 
20 share, or otherwise divulge protected health information to any
 
21 person other than the individual who is the subject of the
 
22 information.  The term includes the initial disclosure and any
 
23 subsequent redisclosures of protected health information.
 

 
Page 5                                                     351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1      "Employer" means any individual or type of organization,
 
 2 including any partnership, association, trust, estate, joint
 
 3 stock company, insurance company, or corporation, whether
 
 4 domestic or foreign, a debtor in possession or receiver or
 
 5 trustee in bankruptcy, or a legal representative of a deceased
 
 6 person, who has one or more regular individuals in his or her
 
 7 employment.
 
 8      "Employment" means services performed for wages under any
 
 9 contract of hire, written or oral, expressed or implied, with an
 
10 employer.
 
11      "Health care" means:
 
12      (1)  Preventive, diagnostic, therapeutic, rehabilitative,
 
13           palliative, or maintenance services:
 
14           (A)  With respect to the physical or mental condition
 
15                of an individual; or
 
16           (B)  Affecting the structure or function of the human
 
17                body or any part of the human body, including the
 
18                banking of blood, sperm, organs, or any other
 
19                tissue; or
 
20      (2)  Any sale or dispensing of a drug, device, equipment, or
 
21           other health care-related item to an individual, or for
 
22           the use of an individual pursuant to a prescription or
 
23           order by a health care provider.
 

 
Page 6                                                     351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1      "Health care data organization" means a for-profit or
 
 2 nonprofit private corporation that engages primarily in the
 
 3 business of collecting, analyzing, and disseminating identifiable
 
 4 and nonidentifiable patient information.  A health care data
 
 5 organization is not a health care provider, an insurer, a health
 
 6 researcher, or a health oversight agency.
 
 7      "Health care provider" means a person who, with respect to
 
 8 any protected health information, receives, creates, uses,
 
 9 maintains, or discloses the protected health information while
 
10 acting in whole or in part in the capacity of:
 
11      (1)  A person who is licensed, certified, registered, or
 
12           otherwise authorized by federal or state law to provide
 
13           an item or service that constitutes health care in the
 
14           ordinary course of business, or practice of a
 
15           profession;
 
16      (2)  A federal, state, or employer-sponsored program that
 
17           directly provides items or services that constitute
 
18           health care to beneficiaries; or
 
19      (3)  An officer, employee, or agent of a person described in
 
20           paragraph (1) or (2).
 
21      "Health oversight agency" means a person who, with respect
 
22 to any protected health information, receives, creates, uses,
 

 
 
 
Page 7                                                     351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1 maintains, or discloses the information while acting in whole or
 
 2 in part in the capacity of:
 
 3      (1)  A person who performs or oversees the performance of an
 
 4           assessment, evaluation, determination, or
 
 5           investigation, relating to the licensing,
 
 6           accreditation, or credentialing of health care
 
 7           providers; or
 
 8      (2)  A person who:
 
 9           (A)  Performs or oversees the performance of an audit,
 
10                assessment, evaluation, determination, or
 
11                investigation relating to the effectiveness of,
 
12                compliance with, or applicability of, legal,
 
13                fiscal, medical, or scientific standards or
 
14                aspects of performance related to the delivery of,
 
15                or payment for, health care; and
 
16           (B)  Is a public agency, acting on behalf of a public
 
17                agency, acting pursuant to a requirement of a
 
18                public agency, or carrying out activities under a
 
19                federal or state law governing the assessment,
 
20                evaluation, determination, investigation, or
 
21                prosecution for violations of paragraph (1).
 
22      "Health plan" means any health insurance plan, including any
 
23 hospital or medical service plan, dental or other health service
 

 
Page 8                                                     351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1 plan or health maintenance organization plan, provider-sponsored
 
 2 organization, or other program providing or arranging for the
 
 3 provision of health benefits, whether or not funded through the
 
 4 purchase of insurance.
 
 5      "Health researcher" means a person, or an officer, employee
 
 6 or independent contractor of a person, who receives protected
 
 7 health information as part of a systematic investigation,
 
 8 testing, or evaluation designed to develop or contribute to
 
 9 generalized scientific and clinical knowledge.
 
10      "Institutional review board" means a research committee
 
11 established and operating in accord with title 45 C.F.R. 46
 
12 Sections 107, 108, 109, and 115.
 
13      "Insurer" means any entity that may have access to or
 
14 possession of protected health information, including those
 
15 entities regulated under chapter 431 or 432, and groups that have
 
16 purchased a group insurance policy on behalf of their members.
 
17      "Law enforcement inquiry" means a lawful investigation
 
18 conducted by an appropriate government agency or official
 
19 inquiring into a violation of, or failure to comply with, any
 
20 criminal or civil statute or any regulation, rule, or order
 
21 issued pursuant to such a statute.
 

 
 
 
 
 
Page 9                                                     351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1      "Nonidentifiable health information" means any information
 
 2 that would otherwise be protected health information except that
 
 3 the information does not reveal the identity of the individual
 
 4 whose health or health care is the subject of the information and
 
 5 there is no reasonable basis to believe that the information
 
 6 could be used, either alone or with other information that is, or
 
 7 should reasonably be known, to be available to recipients of the
 
 8 information, to reveal the identity of that individual.
 
 9      "Office of information practices" shall be as defined by
 
10 chapter 92F.
 
11      "Payment" means the activities undertaken by a health plan
 
12 or provider, which are reasonably necessary to determine
 
13 responsibility for coverage, services, and the actual payment for
 
14 services, if any.
 
15      "Person" means a government, governmental subdivision,
 
16 agency or authority, corporation, company, association, firm,
 
17 partnership, insurer, estate, trust, joint venture, individual,
 
18 individual representative, and any other legal entity.
 
19      "Protected health information" means any information,
 
20 identifiable to an individual, including demographic information,
 
21 whether or not recorded in any form or medium that relates
 
22 directly or indirectly to the past, present, or future:
 

 
 
 
Page 10                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1      (1)  Physical or mental health or condition of a person,
 
 2           including tissue and genetic information;
 
 3      (2)  Provision of health care to an individual; or
 
 4      (3)  Payment for the provision of health care to an
 
 5           individual.
 
 6      "Public health authority" means an agency of the State or a
 
 7 county that is:
 
 8      (1)  Primarily responsible for public health matters; and
 
 9      (2)  Primarily engaged in activities such as disease and
 
10           injury reporting, public health surveillance, and
 
11           public health investigation or intervention.
 
12      "Qualified health care operations" means:
 
13      (1)  Only those services provided by or on behalf of a
 
14           health plan or health care provider for the purpose of
 
15           carrying out the management functions of a health care
 
16           provider or health plan, or implementing the terms of a
 
17           contract for health plan benefits as follows:
 
18           (A)  Conducting quality assurance activities or
 
19                outcomes assessments;
 
20           (B)  Reviewing the competence or qualifications of
 
21                health care professionals;
 
22           (C)  Performing accreditation, licensing, or
 
23                credentialing activities;
 

 
Page 11                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1           (D)  Analyzing health plan claims or health care
 
 2                records data;
 
 3           (E)  Evaluating provider clinical performance;
 
 4           (F)  Carrying out utilization management; or
 
 5           (G)  Conducting or arranging for auditing services in
 
 6                accordance with statute, rule, or accreditation
 
 7                requirements;
 
 8      (2)  A qualified health care operation must:
 
 9           (A)  Be an operation which cannot be carried on with
 
10                reasonable effectiveness and efficiency without
 
11                identifiable patient information;
 
12           (B)  Be limited to only that protected health
 
13                information collected under the terms of the
 
14                contract for health plan benefits and without
 
15                which the operation cannot be carried on with
 
16                reasonable effectiveness and efficiency;
 
17           (C)  Be limited to the minimum amount of protected
 
18                health information, including the minimum number
 
19                of records and the minimum number of documents
 
20                within each patient's record, necessary to carry
 
21                on the operation with reasonable effectiveness and
 
22                efficiency; and
 

 
 
 
Page 12                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1           (D)  Limit the handling and examination of protected
 
 2                health information, to those persons who are
 
 3                reasonably well qualified, by training,
 
 4                credentials, or experience, to conduct the phase
 
 5                of the operation in which they are involved.
 
 6      "Treatment" means the provision of health care by, or the
 
 7 coordination of health care among, health care providers, or the
 
 8 referral of a patient from one provider to another, or
 
 9 coordination of health care or other services among health care
 
10 providers and third parties authorized by the health plan or the
 
11 plan member.
 
12      "Unique patient identifier" means a number or alpha-numeric
 
13 string assigned to an individual, which can be or is used to
 
14 identify individuals' protected health information.
 
15      "Writing" means writing in either a paper-based or computer-
 
16 based form, including electronic signatures.
 
17                   PART II.  INDIVIDUAL'S RIGHTS
 
18      §   -11  Inspection and copying of protected health
 
19 information.(a)  At the request in writing of an individual and
 
20 except as provided in subsection (b), a health care provider,
 
21 health plan, employer, health care data organization, insurer, or
 
22 educational institution shall permit an individual who is the
 
23 subject of protected health information or the individual's
 

 
Page 13                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1 designee, to inspect and copy protected health information
 
 2 concerning the individual, including records created under
 
 3 section    -12, that the entity maintains.  The entity may set
 
 4 forth appropriate procedures to be followed for the inspection or
 
 5 copying and may require an individual to pay reasonable costs
 
 6 associated with the inspection or copying.
 
 7      (b)  Unless ordered by a court of competent jurisdiction, an
 
 8 entity described in subsection (a) is not required to permit the
 
 9 inspection or copying of protected health information if any of
 
10 the following conditions are met:
 
11      (1)  The entity determines that the disclosure of the
 
12           information could reasonably be expected to endanger
 
13           the life or physical safety of, or cause substantial
 
14           mental harm to, the individual who is the subject of
 
15           the record;
 
16      (2)  The information identifies, or could reasonably lead to
 
17           the identification of, a person who provided
 
18           information under a promise of confidentiality
 
19           concerning the individual who is the subject of the
 
20           information unless the confidential source can be
 
21           protected by redaction or other similar means;
 
22      (3)  The information is:
 

 
 
 
Page 14                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1           (A)  Subject to attorney-client privilege or attorney
 
 2                work product; or
 
 3           (B)  Protected from discovery as provided in section
 
 4                624-25.5;
 
 5      (4)  The information was collected for or during a clinical
 
 6           trial monitored by an institutional review board, the
 
 7           trial is not complete, and the researcher reasonably
 
 8           believes that access would harm the conduct of the
 
 9           trial.
 
10      (c)  If an entity described in subsection (a) denies a
 
11 request for inspection or copying pursuant to subsection (b), the
 
12 entity shall inform the individual in writing of:
 
13      (1)  The reasons for the denial of the request for
 
14           inspection or copying;
 
15      (2)  Any procedures for further review of the denial; and
 
16      (3)  The individual's right to file with the entity a
 
17           concise statement setting forth the request for
 
18           inspection or copying.
 
19      (d)  If an individual has filed a statement under subsection
 
20 (c)(3), the entity in any subsequent disclosure of the portion of
 
21 the information requested under subsection (a) shall include:
 
22      (1)  A copy of the individual's statement; and
 

 
 
 
Page 15                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1      (2)  A concise statement of the reasons for denying the
 
 2           request for inspection or copying.
 
 3      (e)  An entity described in subsection (a) shall permit the
 
 4 inspection and copying under subsection (a) of any reasonably
 
 5 segregable portion of a record after deletion of any portion that
 
 6 is exempt under subsection (b).
 
 7      (f)  An entity described in subsection (a) shall comply with
 
 8 or deny, in accordance with subsection (c), a request for
 
 9 inspection or copying of protected health information under this
 
10 section not later than thirty days after the date on which the
 
11 entity receives the request.
 
12      (g)  An agent of an entity described in subsection (a) shall
 
13 not be required to provide for the inspection and copying of
 
14 protected health information, except where:
 
15      (1)  The protected health information is retained by the
 
16           agent; and
 
17      (2)  The agent has received in writing a request from the
 
18           entity involved to fulfill the requirements of this
 
19           section, at which time this information shall be
 
20           provided to the requesting entity.  The requesting
 
21           entity shall comply with subsection (f) with respect to
 
22           any such information.
 

 
 
 
Page 16                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1      (h)  The entity shall afford at least one level of appeal by
 
 2 parties not involved in the original decision.
 
 3      (i)  This section shall not be construed to require that an
 
 4 entity described in subsection (a) conduct a formal, informal, or
 
 5 other hearing or proceeding concerning a request for inspection
 
 6 or copying of protected health information.
 
 7      §   -12  Additions to protected health information.(a)  A
 
 8 health care provider is the owner of the medical records in the
 
 9 health care provider's possession that were created by the health
 
10 care provider in treating a patient.  An individual or the
 
11 individual's authorized representative may request in writing
 
12 that a health care provider that generated certain health care
 
13 information append additional information to the record in order
 
14 to improve the accuracy or completeness of the information;
 
15 provided that appending this information does not erase or
 
16 obliterate any of the original information.  A health care
 
17 provider shall do one of the following:
 
18      (1)  Append the information as requested; or
 
19      (2)  Notify the individual that the request has been denied,
 
20           the reason for the denial, and that the individual may
 
21           file a statement of reasonable length explaining the
 
22           correctness or relevance of existing information or as
 
23           to the addition of new information.  The statement or
 

 
Page 17                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1           copies shall be appended to the medical record and at
 
 2           all times accompany that part of the information in
 
 3           contention.
 
 4      §   -13  Notice of confidentiality practices; forms of
 
 5 notices.(a)  A health care provider, health care data
 
 6 organization, health plan, health oversight agency, public health
 
 7 authority, employer, insurer, health researcher, or educational
 
 8 institution, as required by section    -22, shall post or provide
 
 9 in writing, and in a clear and conspicuous manner in plain
 
10 language, the current notice of the entity's confidentiality
 
11 practices.  For the purpose of informing each individual of the
 
12 individual's rights under this chapter, the notice shall include:
 
13      (1)  A description of an individual's rights with respect to
 
14           protected health information;
 
15      (2)  The uses and disclosures of protected health
 
16           information authorized under this chapter;
 
17      (3)  The right of the individual to limit disclosure of
 
18           protected health information by deciding not to utilize
 
19           any health insurance or other third party payment as
 
20           payment for the service, as set forth in section
 
21              -21(c);
 

 
 
 
 
 
Page 18                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1      (4)  The procedures for giving consent to disclosures of
 
 2           protected health information and for revoking consents
 
 3           to disclose;
 
 4      (5)  The description of procedures established by the entity
 
 5           for the exercise of the individual's rights; and
 
 6      (6)  The right to obtain a copy of the notice of the
 
 7           confidentiality practices required under this chapter.
 
 8      (b)  The actual procedures established by the entities for
 
 9 the exercise of individual rights under this part shall be
 
10 available in writing upon request.
 
11      §   -14  Establishment of safeguards.(a)  A health care
 
12 provider, health plan, health oversight agency, public health
 
13 authority, employer, insurer, health researcher, law enforcement
 
14 official, health care data organization, or educational
 
15 institution shall establish and maintain administrative,
 
16 technical, and physical safeguards that are appropriate to the
 
17 size and nature of the entity establishing the safeguards, and
 
18 appropriate to protect the confidentiality, security, accuracy,
 
19 and integrity of protected health information created, received,
 
20 obtained, maintained, used, transmitted, or disposed of by the
 
21 entity.
 
22      (b)  The office of information practices, in consultation
 
23 with the persons referenced in subsection (a), entities, and
 

 
Page 19                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1 professional organizations, including organizations representing
 
 2 physicians, and after notice and opportunity for public comment,
 
 3 shall adopt rules under chapter 91 to implement subsection (a).
 
 4           PART III.  RESTRICTIONS ON USE AND DISCLOSURE
 
 5      §   -21  General rules regarding use and disclosure.(a)  A
 
 6 health care provider, health care data organization, health plan,
 
 7 health oversight agency, public health authority, employer,
 
 8 insurer, health researcher, law enforcement official, or
 
 9 educational institution may not use or disclose protected health
 
10 information except as authorized under this part and under part
 
11 IV.  Disclosure of health information in the form of
 
12 nonidentifiable health information shall not be construed as a
 
13 disclosure of protected health information.
 
14      (b)  For the purpose of treatment, payment, or qualified
 
15 health care operations, an entity described in subsection (a) may
 
16 only use or disclose protected health information within the
 
17 entity if the use or disclosure is properly noticed pursuant to
 
18 sections    -13 and    -22.  For all other uses and disclosures,
 
19 an entity may only use or disclose protected health information,
 
20 if the use or disclosure is properly consented to pursuant to
 
21 section    -23, and the use or disclosure is consistent with the
 
22 limitations under subsection (d) on the scope of disclosure.
 

 
 
 
Page 20                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1 Disclosure to agents of an entity described in subsection (a)
 
 2 shall be considered as a disclosure within an entity.
 
 3      (c)  If an individual does not want protected health
 
 4 information released pursuant to section (b), the individual
 
 5 shall advise the provider that the relevant protected health
 
 6 information shall not be disclosed pursuant to subsection (b) and
 
 7 shall pay the health care provider directly for health care
 
 8 services.  Protected health information related to health care
 
 9 services paid for directly by the individual shall not be
 
10 disclosed without a consent to disclose pursuant to section
 
11    -23, by law, or by a court order.
 
12      (d)  An agent who receives protected health information from
 
13 an entity described in subsection (a) shall be subject to all
 
14 rules of disclosure and safeguard requirements under this part.
 
15      (e)  Every use and or disclosure of protected health
 
16 information by an entity under this part shall be limited to the
 
17 information necessary to accomplish the purpose for which the
 
18 information is disclosed.  Every use and or disclosure of
 
19 protected health information shall be limited to the purpose for
 
20 which it was collected.  Any other use without a valid consent to
 
21 disclose shall be an unauthorized disclosure.
 

 
 
 
 
 
Page 21                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1      (f)  Nothing in this part permitting the disclosure of
 
 2 protected health information shall be construed to require
 
 3 disclosure.
 
 4      (g)  Except as otherwise provided in this part, protected
 
 5 health information may not be disclosed unless the information is
 
 6 clearly identified as protected health information that is
 
 7 subject to this chapter.
 
 8      (h)  An entity described in subsection (a) may disclose
 
 9 protected health information to an employee or agent of the
 
10 entity for purposes of creating nonidentifiable information, if
 
11 the entity prohibits the employee or agent of the entity from
 
12 using or disclosing the protected health information for purposes
 
13 other than the sole purpose of creating nonidentifiable
 
14 information as specified by the entity.
 
15      (i)  Any individual or entity who manipulates or uses a
 
16 nonidentifiable database in order to identify an individual shall
 
17 be deemed to have disclosed protected health information.  The
 
18 disclosure or transmission of a unique patient identifier shall
 
19 be deemed to be a disclosure of protected health information.
 
20      §   -22  Giving notice regarding disclosure of protected
 
21 health information for treatment, payment, or qualified health
 
22 care operations.(a)  The notice required by section    -13
 
23 shall be:
 

 
Page 22                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1      (1)  Given by each health plan upon enrollment, annually,
 
 2           and when confidentiality practices are substantially
 
 3           amended, to each individual who is eligible to receive
 
 4           care under the health plan, or to the individual's
 
 5           parent or guardian if the individual is a minor or
 
 6           incompetent; and
 
 7      (2)  Posted in a conspicuous place or provided by those
 
 8           entities other than health plans identified in section
 
 9              -21(a).
 
10      (b)  Except as provided for in this chapter, a notice
 
11 required by this section shall not be construed as a waiver of
 
12 any rights that the individual has under other federal or state
 
13 laws, the rules of evidence, or common law.
 
14      (c)  Notices under this section shall not authorize the
 
15 disclosure of protected health information by a person with the
 
16 intent to sell, transfer, or use protected health information for
 
17 commercial purpose or advantage.  For such disclosures, a consent
 
18 is required as set forth by section    -23(a).
 
19      (d)  Health plans shall make every effort to obtain a
 
20 patient's signature on the notice of confidentiality practices.
 
21 Failure to obtain a signature shall not be construed to result in
 
22 denial of insurance.
 

 
 
 
Page 23                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1      §   -23  Consent to disclose protected health information
 
 2 other than for treatment, payment, or qualified health care
 
 3 operations.(a)  A health care provider, health care data
 
 4 organization, health plan, health oversight, health researcher,
 
 5 public health authority, law enforcement official agency,
 
 6 employer, insurer, law enforcement official, or educational
 
 7 institution, pursuant to a consent to disclose, may disclose
 
 8 protected health information, for purposes other than those
 
 9 noticed under section    -22, which consent has been executed by
 
10 the individual who is the subject of the information.  The
 
11 consent to disclose must meet the requirements of subsection (d).
 
12      (b)  Sections    -31 to    -40 provide for exceptions to the
 
13 requirement for the consent to disclose.
 
14      (c)  An individual, in writing, may revoke or amend a
 
15 consent to disclose as described in subsection (d).  An entity
 
16 described in subsection (a) that discloses protected health
 
17 information pursuant to a consent to disclose that has been
 
18 revoked under this subsection shall not be subject to any
 
19 liability or penalty under this part if that entity had no actual
 
20 or constructive notice of the revocation.
 
21      (d)  To be valid, a consent to disclose protected health
 
22 information shall:
 

 
 
 
Page 24                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1      (1)  Identify the person or entity authorized to disclose
 
 2           protected health information;
 
 3      (2)  Identify the individual who is the subject of the
 
 4           protected health information;
 
 5      (3)  Describe the nature of and the time span of the
 
 6           protected health information to be disclosed;
 
 7      (4)  Identify the person to whom the information is to be
 
 8           disclosed;
 
 9      (5)  Describe the purpose of the disclosure;
 
10      (6)  State that it is subject to revocation by the
 
11           individual and indicate that the consent to disclose is
 
12           valid until revocation by the individual;
 
13      (7)  Include the date at which the consent to disclose ends;
 
14           and
 
15      (8)  (A)  Be either:
 
16                (i)  In writing, dated, and signed by the
 
17                     individual; or
 
18               (ii)  In electronic form, dated, and authenticated
 
19                     by the individual using a unique identifier;
 
20                     and
 
21           (B)  Not have been revoked under subsection (b).
 
22      (e)  An individual may revoke in writing a consent to
 
23 disclose under this section at any time.  An individual's consent
 

 
Page 25                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1 to disclose is deemed to be revoked at the time of the
 
 2 cancellation or nonrenewal of enrollment in the health plan.  An
 
 3 individual may not maintain an action against a person for
 
 4 disclosure of protected health information which disclosure was
 
 5 made in good faith reliance on the individual's consent to
 
 6 disclose at the time disclosure was made.
 
 7      (f)  A recipient of protected health information pursuant to
 
 8 a consent to disclose under this section may use the information
 
 9 solely to carry out the purpose for which the information was
 
10 authorized for release.
 
11      (g)  Each person collecting or storing protected health
 
12 information shall maintain a record for a period of seven years
 
13 for each consent to disclose of an individual and revocation
 
14 thereof.
 
15      (h)  Except as provided for in this chapter, the receipt of
 
16 the notice required by sections    -13 and    -22 by an
 
17 individual shall not be construed as a waiver of any rights that
 
18 the individual has under other federal or state laws, the rules
 
19 of evidence, or common law.
 
20      (i)  The office of information practices, after notice and
 
21 opportunity for public comment, shall develop and disseminate
 
22 model written consents to disclose of the type described in
 
23 subsection (a).
 

 
Page 26                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1              PART IV.  EXCEPTED USES AND DISCLOSURES
 
 2      §   -31  Coroner or medical examiner.  When a coroner or
 
 3 medical examiner or their duly appointed deputies seek protected
 
 4 health information for the purpose of inquiry into and
 
 5 determination of, the cause, manner, and circumstances of a
 
 6 death, any person shall provide the requested protected health
 
 7 information to the coroner or medical examiner or to the duly
 
 8 appointed deputies without undue delay.  If a coroner or medical
 
 9 examiner or their duly appointed deputies receives protected
 
10 health information, this protected health information shall
 
11 remain protected health information unless it is attached to or
 
12 otherwise made a part of a coroner's or medical examiner's
 
13 official report.  Health information attached to or otherwise
 
14 made a part of a coroner's or medical examiner's official report
 
15 shall be exempt from this chapter except as provided for in this
 
16 subsection.
 
17      §   -32  Designated individual's representative, relative,
 
18 or friend, and directory information.(a)  A health care
 
19 provider, or a person who receives protected health information
 
20 under subsection (b), may disclose any protected health
 
21 information regarding an individual to a designated individual's
 
22 representative, relative, or friend if:
 

 
 
 
Page 27                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1      (1)  The individual who is the subject of the information:
 
 2           (A)  Has been notified of the individual's right to
 
 3                object to the disclosure and the individual has
 
 4                not objected to the disclosure; or
 
 5           (B)  Is in a physical or mental condition such that
 
 6                the individual is not capable of objecting, and
 
 7                there are no prior indications that the
 
 8                individual would object; and
 
 9      (2)  The information disclosed is for the purpose of
 
10           providing health care to that individual; or
 
11      (3)  The disclosure of the protected health information is
 
12           consistent with good medical or professional practice.
 
13      (b)  Except as provided in subsection (d), an entity
 
14 described in subsection (a) may disclose the information
 
15 described in subsection (c) to any other person if the individual
 
16 who is the subject of the information:
 
17      (1)  Has been notified of the individual's right to object
 
18           and the individual has not objected to the disclosure;
 
19           or
 
20      (2)  Is in a physical or mental condition such that the
 
21           individual is not capable of objecting; and
 
22           (A)  The designated individual's representative,
 
23                relative, or friend has not objected; and
 

 
Page 28                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1           (B   There are no prior indications that the individual
 
 2                would object.
 
 3      (c)  Information that may be disclosed in subsection (b) is
 
 4 only that information that consists of any of the following
 
 5 items:
 
 6      (1)  The name of the individual who is the subject of the
 
 7           information;
 
 8      (2)  The general health status of the individual, described
 
 9           as critical, poor, fair, stable, or satisfactory or in
 
10           terms denoting similar conditions; or
 
11      (3)  The location of the individual on premises controlled
 
12           by a provider.  This disclosure shall not be made if
 
13           the information would reveal specific information about
 
14           the physical or mental condition of the individual,
 
15           unless the individual expressly authorizes the
 
16           disclosure.
 
17      (d)  A disclosure shall not be made under this section if
 
18 the health care provider involved has reason to believe that the
 
19 disclosure of this information could lead to the physical or
 
20 mental harm of the individual, unless the individual expressly
 
21 authorizes the disclosure.
 
22      §   -33  Identification of deceased individuals.  An entity
 
23 described in section    -32 may disclose protected health
 

 
Page 29                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1 information if the disclosure is necessary to assist in the
 
 2 identification or safe handling of a deceased individual.
 
 3      §   -34  Emergency circumstances.  Any person who creates or
 
 4 receives protected health information under this chapter may use
 
 5 or disclose protected health information in emergency
 
 6 circumstances when the use or disclosure is necessary to protect
 
 7 the health or safety of the individual who is the subject of the
 
 8 information from serious, imminent harm.  No disclosure made in
 
 9 the good faith belief that the use or disclosure was necessary to
 
10 protect the health or safety or an individual from serious,
 
11 imminent harm shall be in violation of, or punishable under, this
 
12 chapter.
 
13      §   -35  Disclosures for health oversight.(a)  Any person
 
14 may disclose protected health information to a health oversight
 
15 agency for purposes of an oversight function authorized by law.
 
16      (b)  A public health authority or health researcher may
 
17 disclose protected health information to a health oversight
 
18 agency for purposes of an oversight function of the public health
 
19 authority or health researcher authorized by law.
 
20      (c)  For purposes of this section, the individual with
 
21 authority to authorize the health oversight function involved
 
22 shall provide to the persons described in subsection (a) or (b) a
 

 
 
 
Page 30                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1 statement that the protected health information is being sought
 
 2 for a legally authorized oversight function.
 
 3      (d)  Protected health information about an individual that
 
 4 is disclosed under this section may not be used in, or disclosed
 
 5 to any person for use in, an administrative, civil, or criminal
 
 6 action or investigation directed against the individual unless
 
 7 the action or investigation arises out of and is directly related
 
 8 to:
 
 9      (1)  The receipt of health care or payment for health care;
 
10      (2)  An action involving a fraudulent claim related to
 
11           health; or
 
12      (3)  An action involving oversight of a public health
 
13           authority or a health researcher.
 
14      §   -36  Public health.(a)  Any person or entity may
 
15 disclose protected health information to a public health
 
16 authority or other person authorized by law for use in a legally
 
17 authorized:
 
18      (1)  Disease or injury report;
 
19      (2)  Public health surveillance;
 
20      (3)  Public health investigation or intervention; or
 
21      (4)  Health or disease registry.
 
22      (b)  No person or entity shall be liable for the disclosure
 
23 of protected health information, which is authorized by this
 

 
Page 31                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1 part, to a public health authority or other person authorized by
 
 2 law.
 
 3      (c)  Limitations or prohibitions on disclosure of health
 
 4 information in this chapter shall not limit the requirements for
 
 5 disclosure and confidentiality otherwise established by law.
 
 6      §   -37  Health research.  A health care provider, health
 
 7 plan, public health authority, employer, insurer, or educational
 
 8 institution may disclose protected health information to a health
 
 9 researcher if the following requirements are met:
 
10      (1)  The research has been approved by an institutional
 
11           review board.  In evaluating a research proposal, an
 
12           institutional review board shall require that the
 
13           proposal demonstrate a clear purpose, scientific
 
14           integrity, and a realistic plan for maintaining the
 
15           confidentiality of protected health information;
 
16      (2)  The research involves analysis of protected health
 
17           information previously created or collected by the
 
18           holder of protected health information;
 
19      (3)  The person who receives protected health information
 
20           removes or destroys, at the earliest opportunity
 
21           consistent with the purposes of the project involved,
 
22           information that would enable an individual to be
 
23           identified;
 

 
Page 32                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1      (4)  The person who receives protected health information
 
 2           shall not disclose or use the protected health
 
 3           information for any purposes other than the health
 
 4           research project for which the information was
 
 5           obtained, except that the health researcher may also
 
 6           disclose the information pursuant to sections    -34
 
 7           and    -35(b).
 
 8      (5)  The holder of protected health information keeps a
 
 9           record of all health researchers to whom protected
 
10           health information has been made available; and
 
11      (6)  Any disclosure of the information to other persons is
 
12           not made.
 
13      §   -38  Disclosure in civil, judicial, and administrative
 
14 procedures.(a)  Any person may disclose protected health
 
15 information pursuant to a discovery request or subpoena in a
 
16 civil action brought in a state court or a request or subpoena
 
17 related to a state administrative proceeding, but only if the
 
18 disclosure is made pursuant to a court order as provided for in
 
19 subsection (b).
 
20      (b)  Any subpoena or discovery request for protected health
 
21 information is valid only if accompanied by a court order from a
 
22 competent jurisdiction.  In considering a request for a court
 
23 order regarding the disclosure of protected health information
 

 
Page 33                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1 under subsection (a), the court shall issue an order if the court
 
 2 determines that without the disclosure of the information, the
 
 3 person requesting the order would be impaired from establishing a
 
 4 claim or defense.  An order issued under this subsection shall:
 
 5      (1)  Provide that the protected health information involved
 
 6           is subject to court protection;
 
 7      (2)  Specify to whom the information may be disclosed;
 
 8      (3)  Specify that the information may not otherwise be
 
 9           disclosed or used; and
 
10      (4)  Meet any other requirements that the court determines
 
11           are needed to protect the confidentiality of the
 
12           information.
 
13      (c)  This section shall not apply in a case in which the
 
14 protected health information sought under the discovery request
 
15 or subpoena is:
 
16      (1)  Nonidentifiable health information;
 
17      (2)  Related to a party to the litigation whose medical
 
18           condition is at issue; or
 
19      (3)  Could be disclosed under any of sections    -22,
 
20              -23,    -31 through    -37,    -39, and    -40.
 
21      (d)  This section shall not be construed to supersede:
 

 
 
 
 
 
Page 34                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1           (1)  Any grounds that may apply under federal or state
 
 2                law for objecting to turning over the protected
 
 3                health information; and
 
 4           (2)  section 622-59.
 
 5      (e)  Any provider shall be immune to any action, civil or
 
 6 criminal, related to the release of any protected health
 
 7 information pursuant to this section.
 
 8      §   -39  Disclosure for law enforcement purposes.(a)
 
 9 Except as to disclosures to a health oversight agency, which are
 
10 governed by section    -35, a health care provider, health plan,
 
11 health oversight agency, employer, insurer, educational
 
12 institution, or person who receives protected health information
 
13 pursuant to sections    -23 and    -31 through    -37, may
 
14 disclose protected health information under this section, if the
 
15 disclosure is pursuant to:
 
16      (1)  A subpoena issued under the authority of a grand jury;
 
17           or
 
18      (2)  An administrative subpoena or summons or judicial
 
19           subpoena or warrant.
 
20      (b)  A subpoena or summons for a disclosure under subsection
 
21 (a)(1) or (2) shall only be issued if the law enforcement agency
 
22 involved shows that there is probable cause to believe that the
 
23 information is relevant to a legitimate law enforcement inquiry.
 

 
Page 35                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1      (c)  When the matter or need for which protected health
 
 2 information was disclosed to a law enforcement agency or grand
 
 3 jury under subsection (a) has concluded, including any derivative
 
 4 matters arising from the matter or need, the law enforcement
 
 5 agency or grand jury shall either destroy the protected health
 
 6 information, or return all of the protected health information to
 
 7 the person from whom it was obtained.
 
 8      (d)  To the extent practicable, and consistent with the
 
 9 requirements of due process, a law enforcement agency shall
 
10 redact personally identifying information from protected health
 
11 information prior to the public disclosure of the protected
 
12 information in a judicial or administrative proceeding.
 
13      (e)  Protected health information obtained by a law
 
14 enforcement agency pursuant to this section may only be used for
 
15 purposes of a legitimate law enforcement activity.
 
16      (f)  If protected health information is obtained without
 
17 meeting the requirements of subsection (a)(1) or (2), any
 
18 information that is unlawfully obtained shall be excluded from
 
19 court proceedings unless the defendant requests otherwise.
 
20      (g)  Any health care provider shall have immunity from any
 
21 action, civil or criminal, related to the disclosure of any
 
22 protected health information pursuant to this section.
 

 
 
 
Page 36                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1      §   -40  Payment card and electronic payment transaction.
 
 2 (a)  If an individual pays for health care by presenting a debit,
 
 3 credit, or other payment card or account number, or by any other
 
 4 electronic payment means, the entity receiving payment may
 
 5 disclose to a person described in subsection (b) only such
 
 6 protected health information about the individual as is necessary
 
 7 for the processing of the payment transaction or the billing or
 
 8 collection of amounts charged to, debited from, or otherwise paid
 
 9 by, the individual using the card, number, or other electronic
 
10 means.
 
11      (b)  A person who is a debit, credit, or other payment card
 
12 issuer, or is otherwise directly involved in the processing of
 
13 payment transactions involving such cards or other electronic
 
14 payment transactions, or is otherwise directly involved in the
 
15 billing or collection of amounts paid through these means, may
 
16 use or disclose protected health information about an individual
 
17 that has been disclosed in accordance with subsection (a) only
 
18 when necessary for:
 
19      (1)  The settlement, billing, or collection of amounts
 
20           charged to, debited from, or otherwise paid by the
 
21           individual using a debit, credit, or other payment card
 
22           or account number, or by other electronic payment
 
23           means;
 

 
Page 37                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1      (2)  The transfer of receivables, accounts, or interest
 
 2           therein;
 
 3      (3)  The internal audit of the debit, credit, or other
 
 4           payment card account information;
 
 5      (4)  Compliance with federal, state, or county law; or
 
 6      (5)  Compliance with a properly authorized civil, criminal,
 
 7           or regulatory investigation by federal, state, or
 
 8           county authorities as governed by the requirements of
 
 9           this section.
 
10      §   -41  Standards for electronic disclosures.  The office
 
11 of information practices shall adopt rules to establish standards
 
12 for disclosing, authorizing, and authenticating, protected health
 
13 information in electronic form consistent with this part.
 
14      §   -42  Rights of minors.(a)  In the case of an
 
15 individual:
 
16      (1)  Who is eighteen years of age or older, all rights of
 
17           the individual under this chapter shall be exercised by
 
18           the individual; or
 
19      (2)  Who, acting alone, can obtain a type of health care
 
20           without violating any applicable federal or state law,
 
21           and who has sought this care, the individual shall
 
22           exercise all rights of the individual under this
 

 
 
 
Page 38                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1           chapter with respect to protected health information
 
 2           relating to the health care.
 
 3      (b)  Except as provided in subsection (a)(2), in the case of
 
 4 an individual who is:
 
 5      (1)  Under fourteen years of age, all of the individual's
 
 6           rights under this chapter shall be exercised only
 
 7           through the parent or legal guardian; or
 
 8      (2)  At least fourteen but under eighteen years of age, the
 
 9           rights of inspection and amendment, and the right to
 
10           authorize use and disclosure of protected health
 
11           information of the individual shall be exercised by the
 
12           individual, or by the parent or legal guardian of the
 
13           individual.
 
14      §   -43  Deceased individuals.  This chapter shall continue
 
15 to apply to protected health information concerning a deceased
 
16 individual following the death of that individual.  A person who
 
17 is authorized by law or by an instrument recognized under law, to
 
18 act as an executor of the estate of a deceased individual, or
 
19 otherwise to exercise the rights of the deceased individual, to
 
20 the extent so authorized, may exercise and discharge the rights
 
21 of the deceased individual under this chapter.
 

 
 
 
 
 
Page 39                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1                        PART V.  SANCTIONS
 
 2      §   -51  Wrongful disclosure of protected health
 
 3 information.(a)  The penalties described in subsection (b)
 
 4 shall apply to a person that knowingly and intentionally:
 
 5      (1)  Obtains protected health information relating to an
 
 6           individual in violation of this chapter; or
 
 7      (2)  Discloses protected health information to another
 
 8           person in violation of this chapter.
 
 9      (b)  A person described in subsection (a) shall:
 
10      (1)  Be guilty of a class C felony;
 
11      (2)  If the offense is committed with the intent to sell,
 
12           transfer, or use protected health information for
 
13           commercial advantage, personal gain, or malicious harm,
 
14           be guilty of a class B felony.
 
15      §   -52  Civil actions by individuals.(a)  Any individual
 
16 whose rights under this chapter have been knowingly, or
 
17 negligently violated may bring a civil action to recover:
 
18      (1)  Any preliminary and equitable relief as the court
 
19           determines to be appropriate; and
 
20      (2)  The greater of compensatory damages or liquidated
 
21           damages of $5,000 for each violation.
 
22      (b)  In any action brought under this section in which the
 
23 individual has prevailed because of a knowing violation of a
 

 
Page 40                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1 provision of this chapter, the court, in addition to any relief
 
 2 awarded under subsection (a), may award any punitive damages that
 
 3 may be appropriate.
 
 4      (c)  In the case of a civil action brought under subsection
 
 5 (a) in which the individual has substantially prevailed, the
 
 6 court may assess against the respondent a reasonable attorney's
 
 7 fee and other litigation costs and expenses (including expert
 
 8 fees) reasonably incurred.
 
 9      (d)  No action may be commenced under this section more than
 
10 two years after the date on which the violation was or should
 
11 reasonably have been discovered.
 
12      §   -53  Prevention and deterrence.  To promote the
 
13 prevention and deterrence of acts and or omissions which violate
 
14 laws designed to safeguard the protected health information in a
 
15 manner consistent with this chapter, the director of the office
 
16 of information practices, with any other appropriate individual,
 
17 organization, or agency, may provide advice, training, technical
 
18 assistance, and guidance regarding ways to prevent improper
 
19 disclosure of protected health information.
 
20      §   -54  Cease and desist orders; civil penalty.(a)
 
21 Whenever the director has reason to believe that any person has
 
22 materially and substantially violated any provision of this
 
23 chapter, and that a proceeding by the director in respect thereto
 

 
Page 41                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1 would be in the interest of the public, the director shall issue
 
 2 and serve upon the person:
 
 3      (1)  A statement of the charges in that respect; and
 
 4      (2)  A notice of a hearing, to be held at a time and place
 
 5           fixed in the notice, which shall not be less than
 
 6           fifteen days after the date of service.
 
 7      (b)  At the time and place fixed for the hearing, the person
 
 8 shall have an opportunity to be heard and to show cause why an
 
 9 order should not be made by the director requiring the person to
 
10 cease and desist from the acts, methods, or practices which are
 
11 the subject of the statement or otherwise to comply with the
 
12 requirements of this chapter.
 
13      (c)  The hearing shall be deemed a contested case hearing
 
14 pursuant to chapter 91.
 
15      (d)  All remedies, penalties, and proceedings set forth in
 
16 this section are to be invoked solely and exclusively by the
 
17 director.
 
18      (e)  If, after the hearing, the director determines that the
 
19 person charged has violated any provision of this chapter, the
 
20 director shall reduce the findings to writing and shall issue and
 
21 cause to be served upon the person charged with the violation a
 
22 copy of the findings and an order requiring the person to cease
 
23 and desist from violating this chapter or otherwise to comply
 

 
Page 42                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1 with the requirements of this chapter.  The director, at the
 
 2 director's discretion, may also order any one or more of the
 
 3 following:
 
 4      (1)  In a case in which the violation relates to part II,
 
 5           payment of a civil penalty of not more than $500 for
 
 6           each and every act or violation but not to exceed
 
 7           $5,000 in the aggregate for multiple violations;
 
 8      (2)  In a case in which the violation relates to part III or
 
 9           part IV, payment of a civil penalty of not more than
 
10           $10,000 for each and every act or violation but not to
 
11           exceed $50,000 in the aggregate for multiple
 
12           violations; and
 
13      (3)  In a case in which the director finds that violations
 
14           have occurred with such frequency as to constitute a
 
15           general business practice, a civil penalty of not more
 
16           than $100,000.
 
17      (f)  Any person who violates a cease and desist order or a
 
18 compliance order of the director under this section may be
 
19 subject at the discretion of the director, after notice and
 
20 hearing and upon order of the director, to a civil penalty of not
 
21 more than $10,000 for each and every act in violation of the
 
22 cease and desist order.
 

 
 
 
Page 43                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1      (g)  No order of the director pursuant to this section or
 
 2 order of court to enforce it shall in any way relieve or absolve
 
 3 any person affected by the order from any other liability,
 
 4 penalty, or forfeiture required by law.
 
 5      (h)  No fact found or decision made in a hearing held under
 
 6 this section shall be binding on any party in any subsequent
 
 7 civil action to recover damages based upon the same or similar
 
 8 facts.
 
 9      (i)  Any person aggrieved by an order of the director under
 
10 this section may obtain judicial review of the order in the
 
11 manner provided for by chapter 91.
 
12      (j)  The powers vested in the director by this article shall
 
13 be additional to any other power to enforce penalties or civil
 
14 penalties authorized by law with respect to the methods, acts,
 
15 and practices which violate this chapter.
 
16      §   -55  Injunctive relief.(a)  Whenever the director has
 
17 reason to believe that any person has engaged, is engaging, or is
 
18 about to engage in any activity which makes the person subject to
 
19 a civil monetary penalty under section    -56, the director may
 
20 bring an action in an appropriate circuit court to enjoin the
 
21 activity, or to enjoin the person from concealing, removing,
 
22 encumbering, or disposing of assets which may be required in
 

 
 
 
Page 44                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1 order to pay a civil monetary penalty if any such penalty were to
 
 2 be imposed or to seek other appropriate relief.
 
 3      (b)  A principal is liable for penalties under section
 
 4    -54 for the actions of the principal's agent acting within the
 
 5 scope of the agency.
 
 6      §   -56  Notice to the Commissioner.  Whenever the director
 
 7 conducts any investigation or takes any other action against a
 
 8 person for a violation of this chapter and the commissioner has
 
 9 regulatory oversight over the person, the director shall give the
 
10 commissioner notice of the director's investigation or action."
 
11      §   -57  No liability for permissible disclosures.  A health
 
12 care provider, health care data organization, health plan, health
 
13 oversight agency, health researcher, public health authority, law
 
14 enforcement official, employer, insurer, or educational
 
15 institution who makes a disclosure of protected health
 
16 information about an individual that is permitted by this chapter
 
17 shall not be liable to the individual for the disclosure under
 
18 common law.
 
19      §   -58  Relationship to other laws.(a)  Nothing in this
 
20 chapter shall be construed to preempt or modify any provisions of
 
21 state law concerning a privilege of a witness or person in a
 
22 court of the State.  Receipt of notice pursuant to section    -22
 

 
 
 
Page 45                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1 or consent to disclose pursuant to section    -23 shall not be
 
 2 construed as a waiver of these privileges.
 
 3      (b)  Nothing in this chapter shall be construed to preempt,
 
 4 supersede, or modify the operation of any state law that:
 
 5      (1)  Provides for the reporting of vital statistics such as
 
 6           birth or death information;
 
 7      (2)  Requires the reporting of abuse or neglect information
 
 8           about any individual;
 
 9      (3)  Relates to public or mental health and that prevents or
 
10           otherwise restricts disclosure of information otherwise
 
11           permissible under this chapter; or
 
12      (4)  Governs a minor's right to access protected health
 
13           information or health care services."
 
14      SECTION 3.  Section 622-52, Hawaii Revised Statutes, is
 
15 amended to read as follows:
 
16      "§622-52  Subpoena duces tecum for medical records,
 
17 compliance.(a)  Whenever a subpoena duces tecum accompanied by
 
18 a court order obtained as described in subsection (d) is served
 
19 upon the custodian of medical records or other qualified witness
 
20 from a health care provider, health plan, public health
 
21 authority, employer, insurer, law enforcement official,
 
22 educational institution, or medical facility, in [an] a civil
 
23 action or other proceeding [on a claim for personal injuries] in
 

 
Page 46                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1 which the custodian or the custodian's employer is neither a
 
 2 party to the action or proceeding nor is it alleged that the
 
 3 claim arose at the medical facility, and such subpoena requires
 
 4 the production in court, or before an officer, board, commission,
 
 5 or tribunal, of all or any part of the medical records of a
 
 6 patient who is or has been cared for or treated at the medical
 
 7 facility, it shall be sufficient compliance therewith if the
 
 8 custodian or other qualified witness within five days after
 
 9 receipt of such subpoena, delivers by registered or certified
 
10 mail or by messenger a true and correct copy (which may be by any
 
11 method described in rule 1001(4), Hawaii rules of evidence) of
 
12 all the medical records described in such subpoena to the clerk
 
13 of the court or the clerk's deputy authorized to issue it,
 
14 together with the affidavit described in section 622-53.
 
15      (b)  The copy of the medical records shall be separately
 
16 enclosed in an inner envelope or wrapper, sealed, with the title
 
17 and number of the action, name of the custodian or other
 
18 qualified witness, and date of the subpoena clearly inscribed
 
19 thereon; the sealed envelope or wrapper shall then be enclosed in
 
20 an outer envelope or wrapper, sealed, and directed as follows:
 
21      (1)  If the subpoena directs attendance in court, to the
 
22           clerk of such court or the clerk's deputy authorized to
 
23           issue it, at the courthouse.
 

 
Page 47                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1      (2)  In other cases, to the officer, board, commission, or
 
 2           tribunal conducting the hearing, at the place
 
 3           designated in the subpoena.
 
 4      (c)  The copy of the medical records shall remain sealed and
 
 5 shall be opened only at the time of trial, or other hearing, upon
 
 6 the direction of the judge, officer, board, commission, or
 
 7 tribunal conducting the proceeding, in the presence of all
 
 8 parties who have appeared in person or by counsel at such trial,
 
 9 or hearing, unless the parties or counsel in the proceeding
 
10 otherwise agree, or unless the sealed envelope or wrapper is
 
11 returned to the custodian or other qualified witness who is to
 
12 appear personally.  Copies of medical records which are not
 
13 introduced in evidence or required as part of the record shall be
 
14 returned by registered or certified mail or by messenger to the
 
15 person or entity from whom received.  If the copies of the
 
16 medical records are introduced in evidence or are required as
 
17 part of the record, they shall be returned by registered or
 
18 certified mail or messenger to the person or entity from whom
 
19 received as soon as their use is no longer needed, after the
 
20 trial, or other hearing.
 
21      (d)  Any subpoena or discovery request for protected health
 
22 information is valid only if accompanied by a court order from a
 
23 competent jurisdiction.
 

 
Page 48                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1      (1)  In considering a request for a court order regarding
 
 2           the disclosure of protected health information under
 
 3           subsection (a), the court shall issue an order if the
 
 4           court determines that without the disclosure of the
 
 5           information, the person requesting the order would be
 
 6           impaired from establishing a claim or defense;
 
 7      (2)  An order issued under paragraph (1) shall:
 
 8           (A)  Provide that the protected health information
 
 9                involved is subject to court protection;
 
10           (B)  Specify to whom the information may be disclosed;
 
11           (C)  Specify that the information may not otherwise be
 
12                disclosed or used; and
 
13           (D)  Meet any other requirements that the court
 
14                determines are needed to protect the
 
15                confidentiality of the information.
 
16      (e)  This section shall not apply in a case in which the
 
17 protected health information sought under discovery request or
 
18 subpoena:
 
19      (1)  Is nonidentifiable health information;
 
20      (2)  Is related to a party to the litigation whose medical
 
21           condition is at issue; or
 
22      (3)  Could be disclosed under any of sections    -22,
 
23              -23,    -31 through    -37,    -39, and    -40.
 

 
Page 49                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1      (f)  This section shall not be construed to supersede any
 
 2 grounds that may apply under federal or state law for objecting
 
 3 to turning over the protected health information.
 
 4      (g)  Any provider shall be immune to any action, civil or
 
 5 criminal, related to the release of any protected health
 
 6 information pursuant to this section."
 
 7      SECTION 4.  The director shall submit a report to the
 
 8 legislature of its progress toward adopting rules required by
 
 9 this Act, and regarding the use of existing licensure,
 
10 certification, and regulatory mechanisms for the imposition of
 
11 sanctions or penalties for the wrongful disclosure of protected
 
12 health information, no later than 20 days prior to the convening
 
13 of the 2000 legislature.
 
14      SECTION 5.  If any provision of this Act, or the application
 
15 thereof to any person or circumstance is held invalid, the
 
16 invalidity does not affect other provisions or applications of
 
17 this Act which can be given affect without the invalid provision
 
18 or application, and to this end the provisions of this Act are
 
19 severable.
 
20      SECTION 6.  Statutory material to be repealed is bracketed.
 
21 New statutory material is underscored.
 

 
 
 
 
 
Page 50                                                    351
                                     H.B. NO.           H.D. 1
                                                        
                                                        

 
 1      SECTION 7.  This Act shall take effect on July 1, 2000,
 
 2 except that all sections in this Act requiring the development
 
 3 and adoption of rules shall be effective upon its approval.