REPORT TITLE:
Health Care Info Privacy


DESCRIPTION:
Protects privacy of health care information by stipulating
conditions under which information can be disclosed.  Provides
penalties.  (HB351 HD2)

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
                                                        351
HOUSE OF REPRESENTATIVES                H.B. NO.           H.D. 2
TWENTIETH LEGISLATURE, 1999                                
STATE OF HAWAII                                            
                                                             
________________________________________________________________
________________________________________________________________


                   A  BILL  FOR  AN  ACT

RELATING TO PRIVACY OF HEALTH CARE INFORMATION.



BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

 1      SECTION 1.  The legislature finds that individuals have a
 
 2 constitutional right to privacy with respect to personal health
 
 3 information and records, and with respect to information about
 
 4 medical care and health status.  This right to privacy is at
 
 5 risk.  Erosion of the right to privacy may reduce the willingness
 
 6 of patients to confide in physicians and other practitioners,
 
 7 thus jeopardizing the provision of quality health care.  Misuse
 
 8 of medical information may also be devastating to an individual's
 
 9 well being.  An individual's right to privacy means that an
 
10 individual's consent is needed to disclose his or her protected
 
11 health information, except in limited circumstances required by
 
12 an overriding public interest.  Any disclosure of protected
 
13 health information should be limited to only that information or
 
14 portion of the medical record necessary to fulfill the purpose of
 
15 the disclosure.
 
16      The legislature also finds that use of nonidentifiable
 
17 health information should be encouraged where appropriate and
 
18 that the continuing availability of timely and accurate personal
 

 
Page 2                                                     351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1 health data for the delivery of health care services throughout
 
 2 the State is needed.  In addition, personal health information
 
 3 may be essential for selected types of medical research and
 
 4 public health uses of personal health information that are
 
 5 critical to both personal health as well as public health.  The
 
 6 privacy of an individual's health information must be assured
 
 7 without unduly jeopardizing clinical and epidemiological research
 
 8 undertaken to improve health care and health outcomes and to
 
 9 assure the quality and efficiency of health care.
 
10      The purpose of this Act is to:
 
11      (1)  Implement the right of the people to privacy
 
12           established under section 6, article I of the
 
13           Constitution of the State of Hawaii which provides that
 
14           the legislature shall take affirmative steps to
 
15           implement the right to privacy through legislation;
 
16      (2)  Protect individuals from the adverse effects of the
 
17           improper disclosure of protected health information in
 
18           medical records;
 
19      (3)  Establish strong and effective mechanisms to protect
 
20           against the unauthorized and inappropriate use of
 
21           protected health information that is created or
 
22           maintained as part of health care treatment, diagnosis,
 
23           enrollment, payment, plan administration, testing, or
 
24           research processes;
 

 
Page 3                                                     351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (4)  Promote the effective exchange and transfer of health
 
 2           information in a manner that will ensure the
 
 3           confidentiality of protected health information without
 
 4           impeding the delivery of high quality health care;
 
 5      (5)  Create incentives to turn personal health information
 
 6           into nonidentifiable health information for oversight,
 
 7           health research, public health, law enforcement,
 
 8           judicial, and administrative purposes, where
 
 9           appropriate; and
 
10      (6)  Establish strong and effective remedies for violations
 
11           of this Act.
 
12      SECTION 2.  The Hawaii Revised Statutes is amended by adding
 
13 a new chapter to be appropriately designated and to read as
 
14 follows:
 
15                             "CHAPTER
 
16                PRIVACY OF HEALTH CARE INFORMATION
 
17                    PART I.  GENERAL PROVISIONS
 
18      §   -1  Definitions.  As used in this chapter, except as
 
19 otherwise specifically provided:
 
20      "Accrediting body" means a committee, organization, or
 
21 institution that has been authorized by law or is recognized by a
 
22 health care regulating authority as an accrediting entity or any
 

 
 
 
Page 4                                                     351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1 other entity that has been similarly authorized or recognized by
 
 2 law to perform specific accreditation, licensing, or
 
 3 credentialing activities.
 
 4      "Agent" means a person who represents and acts for another
 
 5 under a contract or relationship of agency, or whose function is
 
 6 to bring about, modify, affect, accept performance of, or
 
 7 terminate contractual obligations between the principal and a
 
 8 third person, including a contractor.
 
 9      "Commissioner" means the insurance commissioner.
 
10      "Individual's designated representative" means a person who
 
11 is authorized by law (based on grounds other than the minority of
 
12 an individual), or by an instrument recognized under law, to act
 
13 as an agent, attorney, guardian, proxy, or other legal
 
14 representative of a protected individual.  The term includes a
 
15 health care power of attorney.
 
16      "Director" means the director of the office of information
 
17 practices.
 
18      "Disclose" means to release, transfer, provide access to,
 
19 share, or otherwise divulge protected health information to any
 
20 person other than the individual who is the subject of the
 
21 information.  The term includes the initial disclosure and any
 
22 subsequent redisclosures of protected health information.
 

 
 
 
Page 5                                                     351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      "Employer" means any individual or type of organization,
 
 2 including any partnership, association, trust, estate, joint
 
 3 stock company, insurance company, or corporation, whether
 
 4 domestic or foreign, a debtor in possession or receiver or
 
 5 trustee in bankruptcy, or a legal representative of a deceased
 
 6 person, who has one or more regular individuals in his or her
 
 7 employment.
 
 8      "Employment" means services performed for wages under any
 
 9 contract of hire, written or oral, expressed or implied, with an
 
10 employer.
 
11      "Health care" means:
 
12      (1)  Preventive, diagnostic, therapeutic, rehabilitative,
 
13           palliative, or maintenance services:
 
14           (A)  With respect to the physical or mental condition
 
15                of an individual; or
 
16           (B)  Affecting the structure or function of the human
 
17                body or any part of the human body, including the
 
18                banking of blood, sperm, organs, or any other
 
19                tissue;
 
20           or
 
21      (2)  Any sale or dispensing of a drug, device, equipment, or
 
22           other health care-related item to an individual, or for
 
23           the use of an individual pursuant to a prescription or
 
24           order by a health care provider.
 

 
Page 6                                                     351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      "Health care data organization" means an entity that engages
 
 2 primarily in the business of collecting, analyzing, and
 
 3 disseminating identifiable and nonidentifiable patient
 
 4 information.  A health care data organization is not a health
 
 5 care provider, an insurer, a health researcher, or a health
 
 6 oversight agency.
 
 7      "Health care provider" means a person who, with respect to
 
 8 any protected health information, receives, creates, uses,
 
 9 maintains, or discloses the protected health information while
 
10 acting in whole or in part in the capacity of:
 
11      (1)  A person who is licensed, certified, registered, or
 
12           otherwise authorized by federal or state law to provide
 
13           an item or service that constitutes health care in the
 
14           ordinary course of business, or practice of a
 
15           profession;
 
16      (2)  A federal, state, or employer-sponsored program that
 
17           directly provides items or services that constitute
 
18           health care to beneficiaries; or
 
19      (3)  An officer, employee, or agent of a person described in
 
20           paragraph (1) or (2).
 
21      "Health oversight agency" means a person who, with respect
 
22 to any protected health information, receives, creates, uses,
 
23 maintains, or discloses the information while acting in whole or
 
24 in part in the capacity of:
 

 
Page 7                                                     351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (1)  A person who performs or oversees the performance of an
 
 2           assessment, evaluation, determination, or
 
 3           investigation, relating to the licensing,
 
 4           accreditation, or credentialing of health care
 
 5           providers; or
 
 6      (2)  A person who:
 
 7           (A)  Performs or oversees the performance of an audit,
 
 8                assessment, evaluation, determination, or
 
 9                investigation relating to the effectiveness of,
 
10                compliance with, or applicability of, legal,
 
11                fiscal, medical, or scientific standards or
 
12                aspects of performance related to the delivery of,
 
13                or payment for, health care; and
 
14           (B)  Is a public agency, acting on behalf of a public
 
15                agency, acting pursuant to a requirement of a
 
16                public agency, or carrying out activities under a
 
17                federal or state law governing the assessment,
 
18                evaluation, determination, investigation, or
 
19                prosecution for violations of paragraph (1).
 
20      "Health plan" means any health insurance plan, including any
 
21 hospital or medical service plan, dental or other health service
 
22 plan or health maintenance organization plan, provider-sponsored
 

 
 
 
Page 8                                                     351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1 organization, or other program providing or arranging for the
 
 2 provision of health benefits, whether or not funded through the
 
 3 purchase of insurance.
 
 4      "Health researcher" means a person, or an officer, employee
 
 5 or independent contractor of a person, who receives protected
 
 6 health information as part of a systematic investigation,
 
 7 testing, or evaluation designed to develop or contribute to
 
 8 generalized scientific and clinical knowledge.
 
 9      "Institutional review board" means a research committee
 
10 established and operating in accord with Title 45 C.F.R. 46
 
11 sections 107, 108, 109, and 115.
 
12      "Insurer" means any entity that may have access to or
 
13 possession of protected health information, including those
 
14 entities regulated under chapter 431 or 432, and groups that have
 
15 purchased a group insurance policy on behalf of their members.
 
16      "Law enforcement inquiry" means a lawful investigation
 
17 conducted by an appropriate government agency or official
 
18 inquiring into a violation of, or failure to comply with, any
 
19 criminal or civil statute or any regulation, rule, or order
 
20 issued pursuant to such a statute.
 
21      "Nonidentifiable health information" means any information
 
22 that would otherwise be protected health information except that
 
23 the information does not reveal the identity of the individual
 

 
Page 9                                                     351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1 whose health or health care is the subject of the information and
 
 2 there is no reasonable basis to believe that the information
 
 3 could be used, either alone or with other information that is, or
 
 4 should reasonably be, known to be available to recipients of the
 
 5 information, to reveal the identity of that individual.
 
 6      "Office of information practices" shall be as defined by
 
 7 chapter 92F.
 
 8      "Payment" means the activities undertaken by a health plan
 
 9 or provider, which are reasonably necessary to determine
 
10 responsibility for coverage, services, and the actual payment for
 
11 services, if any.
 
12      "Person" means a government, governmental subdivision,
 
13 agency or authority, corporation, company, association, firm,
 
14 partnership, insurer, estate, trust, joint venture, individual,
 
15 individual representative, and any other legal entity.
 
16      "Protected health information" means any information,
 
17 identifiable to an individual, including demographic information,
 
18 whether or not recorded in any form or medium that relates
 
19 directly or indirectly to the past, present, or future:
 
20      (1)  Physical or mental health or condition of a person,
 
21           including tissue and genetic information;
 
22      (2)  Provision of health care to an individual; or
 

 
 
 
Page 10                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (3)  Payment for the provision of health care to an
 
 2           individual.
 
 3      "Public health authority" means an agency of the State or a
 
 4 county that is:
 
 5      (1)  Primarily responsible for public health matters; and
 
 6      (2)  Primarily engaged in activities such as disease and
 
 7           injury reporting, public health surveillance, and
 
 8           public health investigation or intervention.
 
 9      "Qualified health care operations" means:
 
10      (1)  Only those services provided by or on behalf of a
 
11           health plan or health care provider for the purpose of
 
12           carrying out the management functions of a health care
 
13           provider or health plan, or implementing the terms of a
 
14           contract for health plan benefits as follows:
 
15           (A)  Conducting quality assurance activities or
 
16                outcomes assessments;
 
17           (B)  Reviewing the competence or qualifications of
 
18                health care professionals;
 
19           (C)  Performing accreditation, licensing, or
 
20                credentialing activities;
 
21           (D)  Analyzing health plan claims or health care
 
22                records data;
 
23           (E)  Evaluating provider clinical performance;
 

 
Page 11                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1           (F)  Carrying out utilization management; or
 
 2           (G)  Conducting or arranging for auditing services in
 
 3                accordance with statute, rule, or accreditation
 
 4                requirements;
 
 5      (2)  A qualified health care operation shall:
 
 6           (A)  Be an operation which cannot be carried on with
 
 7                reasonable effectiveness and efficiency without
 
 8                identifiable patient information;
 
 9           (B)  Be limited to only that protected health
 
10                information collected under the terms of the
 
11                contract for health plan benefits and without
 
12                which the operation cannot be carried on with
 
13                reasonable effectiveness and efficiency;
 
14           (C)  Be limited to the minimum amount of protected
 
15                health information, including the minimum number
 
16                of records and the minimum number of documents
 
17                within each patient's record, necessary to carry
 
18                on the operation with reasonable effectiveness and
 
19                efficiency; and
 
20           (D)  Limit the handling and examination of protected
 
21                health information to those persons who are
 
22                reasonably well qualified, by training,
 
23                credentials, or experience, to conduct the phase
 
24                of the operation in which they are involved.
 

 
Page 12                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      "Treatment" means the provision of health care by, or the
 
 2 coordination of health care among, health care providers, or the
 
 3 referral of a patient from one provider to another, or
 
 4 coordination of health care or other services among health care
 
 5 providers and third parties authorized by the health plan or the
 
 6 plan member.
 
 7      "Unique patient identifier" means a number or alpha-numeric
 
 8 string assigned to an individual, which can be or is used to
 
 9 identify individuals' protected health information.
 
10      "Writing" means writing in either a paper-based or computer-
 
11 based form, including electronic signatures.
 
12                   PART II.  INDIVIDUAL'S RIGHTS
 
13      §   -11  Inspection and copying of protected health
 
14 information.(a)  At the request in writing of an individual and
 
15 except as provided in subsection (b), a health care provider,
 
16 health plan, employer, health care data organization, insurer, or
 
17 educational institution shall permit an individual who is the
 
18 subject of protected health information or the individual's
 
19 designee, to inspect and copy protected health information
 
20 concerning the individual, including records created under
 
21 section    -12, that the entity maintains.  The entity may set
 
22 forth appropriate procedures to be followed for the inspection or
 
23 copying and may require an individual to pay reasonable costs
 
24 associated with the inspection or copying.
 

 
Page 13                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (b)  Unless ordered by a court of competent jurisdiction, an
 
 2 entity described in subsection (a) is not required to permit the
 
 3 inspection or copying of protected health information if any of
 
 4 the following conditions are met:
 
 5      (1)  The entity determines that the disclosure of the
 
 6           information could reasonably be expected to endanger
 
 7           the life or physical safety of, or cause substantial
 
 8           mental harm to, the individual who is the subject of
 
 9           the record;
 
10      (2)  The information identifies, or could reasonably lead to
 
11           the identification of, a person who provided
 
12           information under a promise of confidentiality
 
13           concerning the individual who is the subject of the
 
14           information unless the confidential source can be
 
15           protected by redaction or other similar means;
 
16      (3)  The information is protected from discovery as provided
 
17           in section 624-25.5; or
 
18      (4)  The information was collected for or during a clinical
 
19           trial monitored by an institutional review board, the
 
20           trial is not complete, and the researcher reasonably
 
21           believes that access would harm the conduct of the
 
22           trial.
 

 
 
 
Page 14                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (c)  If an entity described in subsection (a) denies a
 
 2 request for inspection or copying pursuant to subsection (b), the
 
 3 entity shall inform the individual in writing of:
 
 4      (1)  The reasons for the denial of the request for
 
 5           inspection or copying;
 
 6      (2)  Any procedures for further review of the denial; and
 
 7      (3)  The individual's right to file with the entity a
 
 8           concise statement setting forth the request for
 
 9           inspection or copying.
 
10      (d)  If an individual has filed a statement under subsection
 
11 (c)(3), the entity in any subsequent disclosure of the portion of
 
12 the information requested under subsection (a) shall include:
 
13      (1)  A copy of the individual's statement; and
 
14      (2)  A concise statement of the reasons for denying the
 
15           request for inspection or copying.
 
16      (e)  An entity described in subsection (a) shall permit the
 
17 inspection and copying under subsection (a) of any reasonably
 
18 segregable portion of a record after deletion of any portion that
 
19 is exempt under subsection (b).
 
20      (f)  An entity described in subsection (a) shall comply with
 
21 or deny, in accordance with subsection (c), a request for
 
22 inspection or copying of protected health information under this
 
23 section not later than thirty days after the date on which the
 
24 entity receives the request.
 

 
Page 15                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (g)  An agent of an entity described in subsection (a) shall
 
 2 not be required to provide for the inspection and copying of
 
 3 protected health information, except where:
 
 4      (1)  The protected health information is retained by the
 
 5           agent; and
 
 6      (2)  The agent has received in writing a request from the
 
 7           entity involved to fulfill the requirements of this
 
 8           section, at which time this information shall be
 
 9           provided to the requestor.  The requestor shall comply
 
10           with subsection (f) with respect to any such
 
11           information.
 
12      (h)  The entity shall afford at least one level of appeal by
 
13 parties not involved in the original decision.
 
14      (i)  This section shall not be construed to require that an
 
15 entity described in subsection (a) conduct a formal, informal, or
 
16 other hearing or proceeding concerning a request for inspection
 
17 or copying of protected health information.
 
18      §   -12  Additions to protected health information.(a)  A
 
19 health care provider is the owner of the medical records in the
 
20 health care provider's possession that were created by the health
 
21 care provider in treating a patient.  An individual or the
 
22 individual's authorized representative may request in writing
 
23 that a health care provider that generated certain health care
 

 
Page 16                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1 information append additional information to the record in order
 
 2 to improve the accuracy or completeness of the information;
 
 3 provided that appending this information does not erase or
 
 4 obliterate any of the original information.  A health care
 
 5 provider shall do one of the following:
 
 6      (1)  Append the information as requested; or
 
 7      (2)  Notify the individual that the request has been denied,
 
 8           the reason for the denial, and that the individual may
 
 9           file a statement of reasonable length explaining the
 
10           correctness or relevance of existing information or as
 
11           to the addition of new information.  The statement or
 
12           copies shall be appended to the medical record and at
 
13           all times accompany that part of the information in
 
14           contention.
 
15      §   -13  Notice of confidentiality practices; forms of
 
16 notices.(a)  A health care provider, health care data
 
17 organization, health plan, health oversight agency, public health
 
18 authority, employer, insurer, health researcher, or educational
 
19 institution, shall post or provide in writing, and in a clear and
 
20 conspicuous manner in plain language, the current notice of the
 
21 entity's confidentiality practices.  This notice shall be given
 
22 pursuant to the requirements of section     -22.  For the purpose
 
23 of informing each individual of the individual's rights under
 
24 this chapter, the notice shall include:
 

 
Page 17                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (1)  A description of an individual's rights with respect to
 
 2           protected health information;
 
 3      (2)  The uses and disclosures of protected health
 
 4           information authorized under this chapter;
 
 5      (3)  The right of the individual to limit disclosure of
 
 6           protected health information by deciding not to utilize
 
 7           any health insurance or other third party payment as
 
 8           payment for the service, as set forth in section
 
 9              -21(c);
 
10      (4)  The procedures for giving consent to disclosures of
 
11           protected health information and for revoking consents
 
12           to disclose;
 
13      (5)  The description of procedures established by the entity
 
14           for the exercise of the individual's rights; and
 
15      (6)  The right to obtain a copy of the notice of the
 
16           confidentiality practices required under this chapter.
 
17      (b)  The actual procedures established by the entities for
 
18 the exercise of individual rights under this part shall be
 
19 available in writing upon request.
 
20      §   -14  Establishment of safeguards.(a)  A health care
 
21 provider, health plan, health oversight agency, public health
 
22 authority, employer, insurer, health researcher, law enforcement
 
23 official, health care data organization, or educational
 

 
Page 18                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1 institution shall establish and maintain administrative,
 
 2 technical, and physical safeguards that are appropriate to the
 
 3 size and nature of the entity establishing the safeguards, and
 
 4 appropriate to protect the confidentiality, security, accuracy,
 
 5 and integrity of protected health information created, received,
 
 6 obtained, maintained, used, transmitted, or disposed of by the
 
 7 entity.
 
 8      (b)  The office of information practices, in consultation
 
 9 with the persons referenced in subsection (a), entities, and
 
10 professional organizations, including organizations representing
 
11 physicians, and after notice and opportunity for public comment,
 
12 shall adopt rules under chapter 91 to implement subsection (a).
 
13           PART III.  RESTRICTIONS ON USE AND DISCLOSURE
 
14      §   -21  General rules regarding use and disclosure.(a)  A
 
15 health care provider, health care data organization, health plan,
 
16 health oversight agency, public health authority, employer,
 
17 insurer, health researcher, law enforcement official, or
 
18 educational institution may not use or disclose protected health
 
19 information except as authorized under this part and under part
 
20 IV.  Disclosure of health information in the form of
 
21 nonidentifiable health information shall not be construed as a
 
22 disclosure of protected health information.
 

 
 
 
Page 19                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (b)  For the purpose of treatment, payment, or qualified
 
 2 health care operations, an entity described in subsection (a) may
 
 3 only use or disclose protected health information within the
 
 4 entity if the use or disclosure is properly noticed pursuant to
 
 5 sections    -13 and    -22.  For all other uses and disclosures,
 
 6 an entity may only use or disclose protected health information,
 
 7 if the use or disclosure is properly consented to pursuant to
 
 8 section    -23, and the use or disclosure is consistent with the
 
 9 limitations under subsection (d) on the scope of disclosure.
 
10 Disclosure to agents of an entity described in subsection (a)
 
11 shall be considered as a disclosure within an entity.
 
12      (c)  If an individual does not want protected health
 
13 information released pursuant to section (b), the individual
 
14 shall advise the provider that the relevant protected health
 
15 information shall not be disclosed pursuant to subsection (b) and
 
16 shall pay the health care provider directly for health care
 
17 services.  Protected health information related to health care
 
18 services paid for directly by the individual shall not be
 
19 disclosed without a consent to disclose pursuant to section
 
20    -23, by law, or by a court order.
 
21      (d)  An agent who receives protected health information from
 
22 an entity described in subsection (a) shall be subject to all
 
23 rules of disclosure and safeguard requirements under this part.
 

 
Page 20                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (e)  Every use and or disclosure of protected health
 
 2 information by an entity under this part shall be limited to the
 
 3 information necessary to accomplish the purpose for which the
 
 4 information is disclosed.  Every use and or disclosure of
 
 5 protected health information shall be limited to the purpose for
 
 6 which it was collected.  Any other use without a valid consent to
 
 7 disclose shall be an unauthorized disclosure.
 
 8      (f)  Nothing in this part permitting the disclosure of
 
 9 protected health information shall be construed to require
 
10 disclosure.
 
11      (g)  Except as otherwise provided in this part, protected
 
12 health information may not be disclosed unless the information is
 
13 clearly identified as protected health information that is
 
14 subject to this chapter.
 
15      (h)  An entity described in subsection (a) may disclose
 
16 protected health information to an employee or agent of the
 
17 entity for purposes of creating nonidentifiable information, if
 
18 the entity prohibits the employee or agent of the entity from
 
19 using or disclosing the protected health information for purposes
 
20 other than the sole purpose of creating nonidentifiable
 
21 information as specified by the entity.
 
22      (i)  Any individual or entity who manipulates or uses
 
23 nonidentifiable health information to identify an individual,
 

 
Page 21                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1 shall be deemed to have disclosed protected health information.
 
 2 The disclosure or transmission of a unique patient identifier
 
 3 shall be deemed to be a disclosure of protected health
 
 4 information.
 
 5      §   -22  Giving notice regarding disclosure of protected
 
 6 health information for treatment, payment, or qualified health
 
 7 care operations.(a)  The notice required by section    -13
 
 8 shall be:
 
 9      (1)  Given by each health plan upon enrollment, annually,
 
10           and when confidentiality practices are substantially
 
11           amended, to each individual who is eligible to receive
 
12           care under the health plan, or to the individual's
 
13           parent or guardian if the individual is a minor or
 
14           incompetent; and
 
15      (2)  Posted in a conspicuous place or provided by those
 
16           entities identified in section    -21(a), other than
 
17           health plans.
 
18      (b)  Except as provided for in this chapter, a notice
 
19 required by this section shall not be construed as a waiver of
 
20 any rights that the individual has under other federal or state
 
21 laws, the rules of evidence, or common law.
 
22      (c)  Notices under this section shall not authorize the
 
23 disclosure of protected health information by a person with the
 

 
Page 22                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1 intent to sell, transfer, or use protected health information for
 
 2 commercial purpose or advantage.  For such disclosures, a consent
 
 3 is required as set forth by section    -23(a).
 
 4      (d)  Health plans shall make every effort to obtain a
 
 5 patient's signature on the notice of confidentiality practices.
 
 6 Failure to obtain a signature shall not be construed to result in
 
 7 denial of insurance.
 
 8      §   -23  Consent to disclose protected health information
 
 9 other than for treatment, payment, or qualified health care
 
10 operations.(a)  A health care provider, health care data
 
11 organization, health plan, health oversight, health researcher,
 
12 public health authority, law enforcement official agency,
 
13 employer, insurer, law enforcement official, or educational
 
14 institution, pursuant to a consent to disclose, may disclose
 
15 protected health information, for purposes other than those
 
16 noticed under section    -22, which consent has been executed by
 
17 the individual who is the subject of the information.  The
 
18 consent to disclose must meet the requirements of subsection (d).
 
19      (b)  Sections    -31 to    -40 provide for exceptions to the
 
20 requirement for the consent to disclose.
 
21      (c)  An individual, in writing, may revoke or amend a
 
22 consent to disclose as described in subsection (d).  An entity
 
23 described in subsection (a) that discloses protected health
 

 
Page 23                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1 information pursuant to a consent to disclose that has been
 
 2 revoked under this subsection shall not be subject to any
 
 3 liability or penalty under this part if that entity had no actual
 
 4 or constructive notice of the revocation.
 
 5      (d)  To be valid, a consent to disclose protected health
 
 6 information shall:
 
 7      (1)  Identify the person or entity authorized to disclose
 
 8           protected health information;
 
 9      (2)  Identify the individual who is the subject of the
 
10           protected health information;
 
11      (3)  Describe the nature of and the time span of the
 
12           protected health information to be disclosed;
 
13      (4)  Identify the person to whom the information is to be
 
14           disclosed;
 
15      (5)  Describe the purpose of the disclosure;
 
16      (6)  State that it is subject to revocation by the
 
17           individual and indicate that the consent to disclose is
 
18           valid until revocation by the individual;
 
19      (7)  Include the date at which the consent to disclose ends;
 
20           and
 
21      (8)  (A)  Be either:
 
22                (i)  In writing, dated, and signed by the
 
23                     individual; or
 

 
Page 24                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1               (ii)  In electronic form, dated, and authenticated
 
 2                     by the individual using a unique identifier;
 
 3                and
 
 4           (B)  Not have been revoked under subsection (e).
 
 5      (e)  An individual may revoke in writing a consent to
 
 6 disclose under this section at any time.  An individual's consent
 
 7 to disclose is deemed to be revoked at the time of the
 
 8 cancellation or nonrenewal of enrollment in the health plan.  An
 
 9 individual may not maintain an action against a person for
 
10 disclosure of protected health information which disclosure was
 
11 made in good faith reliance on the individual's consent to
 
12 disclose at the time disclosure was made.
 
13      (f)  A recipient of protected health information pursuant to
 
14 a consent to disclose under this section may use the information
 
15 solely to carry out the purpose for which the information was
 
16 authorized for release.
 
17      (g)  Each person collecting or storing protected health
 
18 information shall maintain a record for a period of seven years
 
19 for each consent to disclose of an individual and revocation
 
20 thereof.
 
21      (h)  Except as provided for in this chapter, the receipt of
 
22 the notice required by sections    -13 and    -22 by an
 
23 individual shall not be construed as a waiver of any rights that
 

 
Page 25                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1 the individual has under other federal or state laws, the rules
 
 2 of evidence, or common law.
 
 3      (i)  The office of information practices, after notice and
 
 4 opportunity for public comment, shall develop and disseminate
 
 5 model written consents to disclose of the type described in
 
 6 subsection (a).
 
 7              PART IV.  EXCEPTED USES AND DISCLOSURES
 
 8      §   -31  Coroner or medical examiner.  When a coroner or
 
 9 medical examiner or one of their duly appointed deputies seek
 
10 protected health information for the purpose of inquiry into and
 
11 determination of the cause, manner, and circumstances of a death,
 
12 any person shall provide the requested protected health
 
13 information to the coroner or medical examiner or to the duly
 
14 appointed deputies without undue delay.  If a coroner or medical
 
15 examiner or their duly appointed deputies receives protected
 
16 health information, this protected health information shall
 
17 remain protected health information unless it is attached to or
 
18 otherwise made a part of a coroner's or medical examiner's
 
19 official report.  Health information attached to or otherwise
 
20 made a part of a coroner's or medical examiner's official report
 
21 shall be exempt from this chapter.
 
22      §   -32  Individual's designated representative, relative,
 
23 or friend, and directory information.(a)  A health care
 
24 provider, or a person who receives protected health information
 

 
Page 26                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1 under subsection (b), may disclose protected health information
 
 2 regarding an individual to an individual's designated
 
 3 representative, relative, or friend if:
 
 4      (1)  The individual who is the subject of the information:
 
 5           (A)  Has been notified of the individual's right to
 
 6                object to the disclosure and the individual has
 
 7                not objected to the disclosure; or
 
 8           (B)  Is in a physical or mental condition such that
 
 9                the individual is not capable of objecting, and
 
10                there are no prior indications that the
 
11                individual would object; and
 
12      (2)  The information disclosed is for the purpose of
 
13           providing health care to that individual; or
 
14      (3)  The disclosure of the protected health information is
 
15           consistent with good medical or professional practice.
 
16      (b)  Except as provided in subsection (d), an entity
 
17 described in subsection (a) may disclose the information
 
18 described in subsection (c) to any other person if the individual
 
19 who is the subject of the information:
 
20      (1)  Has been notified of the individual's right to object
 
21           and the individual has not objected to the disclosure;
 
22           or
 

 
 
 
Page 27                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (2)  Is in a physical or mental condition such that the
 
 2           individual is not capable of objecting; and
 
 3           (A)  The individual's designated representative,
 
 4                relative, or friend has not objected; and
 
 5           (B)  There are no prior indications that the individual
 
 6                would object.
 
 7      (c)  Information that may be disclosed in subsection (b) is
 
 8 only that information that consists of any of the following
 
 9 items:
 
10      (1)  The name of the individual who is the subject of the
 
11           information;
 
12      (2)  The general health status of the individual, described
 
13           as critical, poor, fair, stable, or satisfactory or in
 
14           terms denoting similar conditions; or
 
15      (3)  The location of the individual on premises controlled
 
16           by a provider.  This disclosure shall not be made if
 
17           the information would reveal specific information about
 
18           the physical or mental condition of the individual,
 
19           unless the individual expressly authorizes the
 
20           disclosure.
 
21      (d)  A disclosure shall not be made under this section if
 
22 the health care provider involved has reason to believe that the
 
23 disclosure of this information could lead to the physical or
 

 
Page 28                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1 mental harm of the individual, unless the individual expressly
 
 2 authorizes the disclosure.
 
 3      §   -33  Identification of deceased individuals.  An entity
 
 4 described in section    -32 may disclose protected health
 
 5 information if the disclosure is necessary to assist in the
 
 6 identification or safe handling of a deceased individual.
 
 7      §   -34  Emergency circumstances.  Any person who creates or
 
 8 receives protected health information under this chapter may use
 
 9 or disclose protected health information in emergency
 
10 circumstances when the use or disclosure is necessary to protect
 
11 the health or safety of the individual who is the subject of the
 
12 information from serious, imminent harm.  No disclosure made in
 
13 the good faith belief that the use or disclosure was necessary to
 
14 protect the health or safety of an individual from serious,
 
15 imminent harm shall be in violation of, or punishable under, this
 
16 chapter.
 
17      §   -35  Disclosures for health oversight.(a)  Any person
 
18 may disclose protected health information to a health oversight
 
19 agency for purposes of an oversight function authorized by law.
 
20      (b)  A public health authority or health researcher may
 
21 disclose protected health information to a health oversight
 
22 agency for purposes of an oversight function of the public health
 
23 authority or health researcher authorized by law.
 

 
Page 29                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (c)  For purposes of this section, the individual with
 
 2 authority to authorize the health oversight function involved
 
 3 shall provide to the persons described in subsection (a) or (b) a
 
 4 statement that the protected health information is being sought
 
 5 for a legally authorized oversight function.
 
 6      (d)  Protected health information about an individual that
 
 7 is disclosed under this section may not be used in, or disclosed
 
 8 to any person for use in, an administrative, civil, or criminal
 
 9 action or investigation directed against the individual unless
 
10 the action or investigation arises out of and is directly related
 
11 to:
 
12      (1)  The receipt of health care or payment for health care;
 
13      (2)  An action involving a fraudulent claim related to
 
14           health; or
 
15      (3)  An action involving oversight of a public health
 
16           authority or a health researcher.
 
17      (e)  Protected health information disclosed for purposes of
 
18 this section is confidential and shall not be further disclosed.
 
19      §   -36  Public health.(a)  Any person or entity may
 
20 disclose protected health information to a public health
 
21 authority or other person authorized by law for use in a legally
 
22 authorized:
 

 
 
 
Page 30                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (1)  Disease or injury report;
 
 2      (2)  Public health surveillance;
 
 3      (3)  Public health investigation or intervention; or
 
 4      (4)  Health or disease registry.
 
 5      (b)  No person or entity shall be liable for the disclosure
 
 6 of protected health information, which is authorized by this
 
 7 part, to a public health authority or other person authorized by
 
 8 law.
 
 9      (c)  Limitations or prohibitions on disclosure of health
 
10 information in this chapter shall not limit the requirements for
 
11 disclosure and confidentiality otherwise established by law.
 
12      (d)  Protected health information disclosed for purposes of
 
13 this section is confidential and shall not be further disclosed.
 
14      §   -37  Health research.  A health care provider, health
 
15 plan, public health authority, employer, insurer, or educational
 
16 institution may disclose protected health information to a health
 
17 researcher if the following requirements are met:
 
18      (1)  The research has been approved by an institutional
 
19           review board.  In evaluating a research proposal, an
 
20           institutional review board shall require that the
 
21           proposal demonstrate a clear purpose, scientific
 
22           integrity, and a realistic plan for maintaining the
 
23           confidentiality of protected health information;
 

 
Page 31                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (2)  The research involves analysis of protected health
 
 2           information previously created or collected by the
 
 3           holder of protected health information;
 
 4      (3)  The person who receives protected health information
 
 5           removes or destroys, at the earliest opportunity
 
 6           consistent with the purposes of the project involved,
 
 7           information that would enable an individual to be
 
 8           identified;
 
 9      (4)  The person who receives protected health information
 
10           shall not disclose or use the protected health
 
11           information for any purposes other than the health
 
12           research project for which the information was
 
13           obtained, except that the health researcher may also
 
14           disclose the information pursuant to sections    -34
 
15           and    -35(b).
 
16      (5)  The holder of protected health information keeps a
 
17           record of all health researchers to whom protected
 
18           health information has been made available; and
 
19      (6)  Any disclosure of the information to other persons is
 
20           not made.
 
21      §   -38  Disclosure in civil, judicial, and administrative
 
22 procedures.(a)  Any person may disclose protected health
 
23 information pursuant to a discovery request or subpoena in a
 

 
Page 32                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1 civil action brought in a state court or a request or subpoena
 
 2 related to a state administrative proceeding, but only if the
 
 3 disclosure is made pursuant to a court order as provided for in
 
 4 subsection (b).
 
 5      (b)  Any subpoena or discovery request for protected health
 
 6 information is valid only if accompanied by a court order from a
 
 7 competent jurisdiction.  In considering a request for a court
 
 8 order regarding the disclosure of protected health information
 
 9 under subsection (a), the court shall issue an order if the court
 
10 determines that without the disclosure of the information, the
 
11 person requesting the order would be impaired from establishing a
 
12 claim or defense.  An order issued under this subsection shall:
 
13      (1)  Provide that the protected health information involved
 
14           is subject to court protection;
 
15      (2)  Specify to whom the information may be disclosed;
 
16      (3)  Specify that the information may not otherwise be
 
17           disclosed or used; and
 
18      (4)  Meet any other requirements that the court determines
 
19           are needed to protect the confidentiality of the
 
20           information.
 
21      (c)  This section shall not apply in a case in which the
 
22 protected health information sought under the discovery request
 
23 or subpoena is:
 

 
Page 33                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (1)  Nonidentifiable health information; or
 
 2      (2)  Related to a party to the litigation whose medical
 
 3           condition is at issue.
 
 4      (d)  This section shall not be construed to supersede:
 
 5           (1)  Any grounds that may apply under federal or state
 
 6                law for objecting to turning over the protected
 
 7                health information; and
 
 8           (2)  Section 622-59.
 
 9      (e)  Any provider shall be immune to any action, civil or
 
10 criminal, related to the release of any protected health
 
11 information pursuant to this section.
 
12      §   -39  Disclosure for law enforcement purposes.(a)
 
13 Except as to disclosures to a health oversight agency, which are
 
14 governed by section    -35, a health care provider, health plan,
 
15 health oversight agency, employer, insurer, educational
 
16 institution, or person who receives protected health information
 
17 pursuant to sections    -23 and    -31 through    -37, may
 
18 disclose protected health information under this section, if the
 
19 disclosure is pursuant to:
 
20      (1)  A subpoena issued under the authority of a grand jury;
 
21           or
 
22      (2)  An administrative subpoena or summons or judicial
 
23           subpoena or warrant.
 

 
Page 34                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (b)  A subpoena or summons for a disclosure under subsection
 
 2 (a)(1) or (2) shall only be issued if the law enforcement agency
 
 3 involved shows that there is probable cause to believe that the
 
 4 information is relevant to a legitimate law enforcement inquiry.
 
 5      (c)  When the matter or need for which protected health
 
 6 information was disclosed to a law enforcement agency or grand
 
 7 jury under subsection (a) has concluded, including any derivative
 
 8 matters arising from the matter or need, the law enforcement
 
 9 agency or grand jury shall either destroy the protected health
 
10 information, or return all of the protected health information to
 
11 the person from whom it was obtained.
 
12      (d)  To the extent practicable, and consistent with the
 
13 requirements of due process, a law enforcement agency shall
 
14 redact personally identifying information from protected health
 
15 information prior to the public disclosure of the protected
 
16 information in a judicial or administrative proceeding.
 
17      (e)  Protected health information obtained by a law
 
18 enforcement agency pursuant to this section may only be used for
 
19 purposes of a legitimate law enforcement activity.
 
20      (f)  If protected health information is obtained without
 
21 meeting the requirements of subsection (a)(1) or (2), any
 
22 information that is unlawfully obtained shall be excluded from
 
23 court proceedings unless the defendant requests otherwise.
 

 
Page 35                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      §   -40  Payment card and electronic payment transaction.
 
 2 (a)  If an individual pays for health care by presenting a debit,
 
 3 credit, or other payment card or account number, or by any other
 
 4 electronic payment means, the entity receiving payment may
 
 5 disclose to a person described in subsection (b) only such
 
 6 protected health information about the individual as is necessary
 
 7 for the processing of the payment transaction or the billing or
 
 8 collection of amounts charged to, debited from, or otherwise paid
 
 9 by, the individual using the card, number, or other electronic
 
10 means.
 
11      (b)  A person who is a debit, credit, or other payment card
 
12 issuer, or is otherwise directly involved in the processing of
 
13 payment transactions involving such cards or other electronic
 
14 payment transactions, or is otherwise directly involved in the
 
15 billing or collection of amounts paid through these means, may
 
16 use or disclose protected health information about an individual
 
17 that has been disclosed in accordance with subsection (a) only
 
18 when necessary for:
 
19      (1)  The settlement, billing, or collection of amounts
 
20           charged to, debited from, or otherwise paid by the
 
21           individual using a debit, credit, or other payment card
 
22           or account number, or by other electronic payment
 
23           means;
 

 
Page 36                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (2)  The transfer of receivables, accounts, or interest
 
 2           therein;
 
 3      (3)  The internal audit of the debit, credit, or other
 
 4           payment card account information;
 
 5      (4)  Compliance with federal, state, or county law; or
 
 6      (5)  Compliance with a properly authorized civil, criminal,
 
 7           or regulatory investigation by federal, state, or
 
 8           county authorities as governed by the requirements of
 
 9           this section.
 
10      §   -41  Standards for electronic disclosures.  The office
 
11 of information practices shall adopt rules to establish standards
 
12 for disclosing, authorizing, and authenticating, protected health
 
13 information in electronic form consistent with this part.
 
14      §   -42  Rights of minors.(a)  In the case of an
 
15 individual:
 
16      (1)  Who is eighteen years of age or older, all rights of
 
17           the individual under this chapter shall be exercised by
 
18           the individual; or
 
19      (2)  Who, acting alone, can obtain a type of health care
 
20           without violating any applicable federal or state law,
 
21           and who has sought this care, shall exercise all rights
 
22           of the individual under this chapter with respect to
 
23           protected health information relating to the health
 
24           care.
 

 
Page 37                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (b)  Except as provided in subsection (a)(2), in the case of
 
 2 an individual who is:
 
 3      (1)  Under fourteen years of age, all of the individual's
 
 4           rights under this chapter shall be exercised only
 
 5           through the parent or legal guardian; or
 
 6      (2)  At least fourteen but under eighteen years of age, the
 
 7           rights of inspection and amendment, and the right to
 
 8           authorize use and disclosure of protected health
 
 9           information of the individual shall be exercised by the
 
10           individual, or by the parent or legal guardian of the
 
11           individual.
 
12      §   -43  Deceased individuals.  This chapter shall continue
 
13 to apply to protected health information concerning a deceased
 
14 individual following the death of that individual.  A person who
 
15 is authorized by law or by an instrument recognized under law, to
 
16 act as a personal representative of the estate of a deceased
 
17 individual, or otherwise to exercise the rights of the deceased
 
18 individual, to the extent so authorized, may exercise and
 
19 discharge the rights of the deceased individual under this
 
20 chapter.
 
21                        PART V.  SANCTIONS
 
22      §   -51  Wrongful disclosure of protected health
 
23 information.(a)  The penalties described in subsection (b)
 
24 shall apply to a person who knowingly and intentionally:
 

 
Page 38                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (1)  Obtains protected health information relating to an
 
 2           individual in violation of this chapter; or
 
 3      (2)  Discloses protected health information to another
 
 4           person in violation of this chapter.
 
 5      (b)  A person described in subsection (a) shall:
 
 6      (1)  Be guilty of a class C felony; and
 
 7      (2)  If the offense is committed with the intent to sell,
 
 8           transfer, or use protected health information for
 
 9           commercial advantage, personal gain, or malicious harm,
 
10           be guilty of a class B felony.
 
11      §   -52  Civil actions by individuals.(a)  Any individual
 
12 whose rights under this chapter have been knowingly or
 
13 negligently violated may bring a civil action to recover:
 
14      (1)  Any preliminary and equitable relief as the court
 
15           determines to be appropriate; and
 
16      (2)  The greater of compensatory damages or liquidated
 
17           damages of $5,000 for each violation.
 
18      (b)  In any action brought under this section in which the
 
19 individual has prevailed because of a knowing violation of a
 
20 provision of this chapter, the court, in addition to any relief
 
21 awarded under subsection (a), may award any punitive damages that
 
22 may be appropriate.
 

 
 
 
Page 39                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (c)  In the case of a civil action brought under subsection
 
 2 (a) in which the individual has substantially prevailed, the
 
 3 court may assess against the respondent a reasonable attorney's
 
 4 fee and other litigation costs and expenses (including expert
 
 5 fees) reasonably incurred.
 
 6      (d)  No action may be commenced under this section more than
 
 7 two years after the date on which the violation was or should
 
 8 reasonably have been discovered.
 
 9      §   -53  Prevention and deterrence.  To promote the
 
10 prevention and deterrence of acts or omissions that violate laws
 
11 designed to safeguard the protected health information in a
 
12 manner consistent with this chapter, the director of the office
 
13 of information practices, with any other appropriate individual,
 
14 organization, or agency, may provide advice, training, technical
 
15 assistance, and guidance regarding ways to prevent improper
 
16 disclosure of protected health information.
 
17      §   -54  Cease and desist orders; civil penalty.(a)
 
18 Whenever the director has reason to believe that any person has
 
19 materially and substantially violated any provision of this
 
20 chapter, and that a proceeding by the director in respect thereto
 
21 would be in the interest of the public, the director shall issue
 
22 and serve upon the person:
 
23      (1)  A statement of the charges in that respect; and
 

 
Page 40                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (2)  A notice of a hearing, to be held at a time and place
 
 2           fixed in the notice, which shall not be less than
 
 3           fifteen days after the date of service.
 
 4      (b)  At the time and place fixed for the hearing, the person
 
 5 shall have an opportunity to be heard and to show cause why an
 
 6 order should not be made by the director requiring the person to
 
 7 cease and desist from the acts, methods, or practices which are
 
 8 the subject of the statement or otherwise to comply with the
 
 9 requirements of this chapter.
 
10      (c)  The hearing shall be deemed a contested case hearing
 
11 pursuant to chapter 91.
 
12      (d)  All remedies, penalties, and proceedings set forth in
 
13 this section are to be invoked solely and exclusively by the
 
14 director.
 
15      (e)  If, after the hearing, the director determines that the
 
16 person charged has violated any provision of this chapter, the
 
17 director shall reduce the findings to writing and shall issue and
 
18 cause to be served upon the person charged with the violation a
 
19 copy of the findings and an order requiring the person to cease
 
20 and desist from violating this chapter or otherwise to comply
 
21 with the requirements of this chapter.  The director, at the
 
22 director's discretion, may also order any one or more of the
 
23 following:
 

 
Page 41                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (1)  In a case in which the violation relates to part II,
 
 2           payment of a civil penalty of not more than $500 for
 
 3           each and every act or violation but not to exceed
 
 4           $5,000 in the aggregate for multiple violations;
 
 5      (2)  In a case in which the violation relates to part III or
 
 6           part IV, payment of a civil penalty of not more than
 
 7           $10,000 for each and every act or violation but not to
 
 8           exceed $50,000 in the aggregate for multiple
 
 9           violations; and
 
10      (3)  In a case in which the director finds that violations
 
11           have occurred with such frequency as to constitute a
 
12           general business practice, a civil penalty of not more
 
13           than $100,000.
 
14      (f)  Any person who violates a cease and desist order or a
 
15 compliance order of the director under this section may be
 
16 subject at the discretion of the director, after notice and
 
17 hearing and upon order of the director, to a civil penalty of not
 
18 more than $10,000 for each and every act in violation of the
 
19 cease and desist order.
 
20      (g)  No order of the director pursuant to this section or
 
21 order of court to enforce it shall in any way relieve or absolve
 
22 any person affected by the order from any other liability,
 
23 penalty, or forfeiture required by law.
 

 
Page 42                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (h)  No fact found or decision made in a hearing held under
 
 2 this section shall be binding on any party in any subsequent
 
 3 civil action to recover damages based upon the same or similar
 
 4 facts.
 
 5      (i)  Any person aggrieved by an order of the director under
 
 6 this section may obtain judicial review of the order in the
 
 7 manner provided for by chapter 91.
 
 8      (j)  The powers vested in the director by this section shall
 
 9 be additional to any other power to enforce penalties or civil
 
10 penalties authorized by law with respect to the methods, acts,
 
11 and practices which violate this chapter.
 
12      §   -55  Injunctive relief.(a)  Whenever the director has
 
13 reason to believe that any person has engaged, is engaging, or is
 
14 about to engage in any activity which makes the person subject to
 
15 a civil monetary penalty under section    -54, the director may
 
16 bring an action in an appropriate circuit court to enjoin the
 
17 activity, or to enjoin the person from concealing, removing,
 
18 encumbering, or disposing of assets which may be required to pay
 
19 a civil monetary penalty if any such penalty were to be imposed
 
20 or to seek other appropriate relief.
 
21      (b)  A principal is liable for penalties under section
 
22    -54 for the actions of the principal's agent acting within the
 
23 scope of the agency.
 

 
Page 43                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      §   -56  Notice to the commissioner and the regulated
 
 2 industries complaints office.  Whenever the director conducts any
 
 3 investigation or takes any other action against a person for a
 
 4 violation of this chapter and the commissioner, the regulated
 
 5 industries complaints office, or other agency has regulatory
 
 6 oversight over the person, the director shall give the
 
 7 commissioner, the regulated industries complaints office, or any
 
 8 other agency that has regulatory oversight over the person,
 
 9 notice of the director's investigation or action.
 
10      §   -57  Relationship to other laws.(a)  Nothing in this
 
11 chapter shall be construed to preempt or modify any provisions of
 
12 state law concerning a privilege of a witness or person in a
 
13 court of the State.  Receipt of notice pursuant to section    -22
 
14 or consent to disclose pursuant to section    -23 shall not be
 
15 construed as a waiver of these privileges.
 
16      (b)  Nothing in this chapter shall be construed to preempt,
 
17 supersede, or modify the operation of any state law that:
 
18      (1)  Provides for the reporting of vital statistics such as
 
19           birth or death information;
 
20      (2)  Requires the reporting of abuse or neglect information
 
21           about any individual;
 
22      (3)  Relates to public or mental health and that prevents or
 
23           otherwise restricts disclosure of information otherwise
 
24           permissible under this chapter; or
 

 
Page 44                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      (4)  Governs a minor's right to access protected health
 
 2           information or health care services."
 
 3      SECTION 3.  Section 622-52, Hawaii Revised Statutes, is
 
 4 amended to read as follows:
 
 5      "§622-52  Subpoena duces tecum for medical records,
 
 6 compliance.(a)  Whenever a subpoena duces tecum accompanied by
 
 7 a court order obtained as described in subsection (d) is served
 
 8 upon the custodian of medical records or other qualified witness
 
 9 from a health care provider, health plan, public health
 
10 authority, employer, insurer, law enforcement official,
 
11 educational institution, or medical facility, in [an] a civil
 
12 action or other proceeding [on a claim for personal injuries] in
 
13 which the custodian or the custodian's employer is neither a
 
14 party to the action or proceeding nor is it alleged that the
 
15 claim arose at the medical facility, and such subpoena requires
 
16 the production in court, or before an officer, board, commission,
 
17 or tribunal, of all or any part of the medical records of a
 
18 patient who is or has been cared for or treated at the medical
 
19 facility, it shall be sufficient compliance therewith if the
 
20 custodian or other qualified witness within five days after
 
21 receipt of such subpoena, delivers by registered or certified
 
22 mail or by messenger a true and correct copy (which may be by any
 
23 method described in rule 1001(4), Hawaii rules of evidence) of
 

 
Page 45                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1 all the medical records described in such subpoena to the clerk
 
 2 of the court or the clerk's deputy authorized to issue it,
 
 3 together with the affidavit described in section 622-53.
 
 4      (b)  The copy of the medical records shall be separately
 
 5 enclosed in an inner envelope or wrapper, sealed, with the title
 
 6 and number of the action, name of the custodian or other
 
 7 qualified witness, and date of the subpoena clearly inscribed
 
 8 thereon; the sealed envelope or wrapper shall then be enclosed in
 
 9 an outer envelope or wrapper, sealed, and directed as follows:
 
10      (1)  If the subpoena directs attendance in court, to the
 
11           clerk of such court or the clerk's deputy authorized to
 
12           issue it, at the courthouse[.]; and
 
13      (2)  In other cases, to the officer, board, commission, or
 
14           tribunal conducting the hearing, at the place
 
15           designated in the subpoena.
 
16      (c)  The copy of the medical records shall remain sealed and
 
17 shall be opened only at the time of trial, or other hearing, upon
 
18 the direction of the judge, officer, board, commission, or
 
19 tribunal conducting the proceeding, in the presence of all
 
20 parties who have appeared in person or by counsel at such trial,
 
21 or hearing, unless the parties or counsel in the proceeding
 
22 otherwise agree, or unless the sealed envelope or wrapper is
 
23 returned to the custodian or other qualified witness who is to
 

 
Page 46                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1 appear personally.  Copies of medical records [which] that are
 
 2 not introduced in evidence or required as part of the record
 
 3 shall be returned by registered or certified mail or by messenger
 
 4 to the person or entity from whom received.  If the copies of the
 
 5 medical records are introduced in evidence or are required as
 
 6 part of the record, they shall be returned by registered or
 
 7 certified mail or messenger to the person or entity from whom
 
 8 received as soon as their use is no longer needed, after the
 
 9 trial, or other hearing.
 
10      (d)  Any subpoena or discovery request for protected health
 
11 information is valid only if accompanied by a court order from a
 
12 competent jurisdiction.
 
13      (1)  In considering a request for a court order regarding
 
14           the disclosure of protected health information under
 
15           subsection (a), the court shall issue an order if the
 
16           court determines that without the disclosure of the
 
17           information, the person requesting the order would be
 
18           impaired from establishing a claim or defense;
 
19      (2)  An order issued under paragraph (1) shall:
 
20           (A)  Provide that the protected health information
 
21                involved is subject to court protection;
 
22           (B)  Specify to whom the information may be disclosed;
 

 
 
 
Page 47                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1           (C)  Specify that the information may not otherwise be
 
 2                disclosed or used; and
 
 3           (D)  Meet any other requirements that the court
 
 4                determines are needed to protect the
 
 5                confidentiality of the information.
 
 6      (e)  This section shall not apply in a case in which the
 
 7 protected health information sought under discovery request or
 
 8 subpoena:
 
 9      (1)  Is nonidentifiable health information;
 
10      (2)  Is related to a party to the litigation whose medical
 
11           condition is at issue; or
 
12      (3)  Could be disclosed under any of sections    -22,
 
13                                 /U>-40.
 
14      (f)  This section shall not be construed to supersede any
 
15 grounds that may apply under federal or state law for objecting
 
16 to turning over the protected health information."
 
17      SECTION 4.  The director of the office of information
 
18 practices shall submit a report to the legislature of the
 
19 progress toward adopting rules required by this Act, and
 
20 regarding the use of existing licensure, certification, and
 
21 regulatory mechanisms for the imposition of sanctions or
 
22 penalties for the wrongful disclosure of protected health
 
23 information, no later than twenty days prior to the convening of
 
24 the 2000 legislature.
 

 
Page 48                                                    351
                                     H.B. NO.           H.D. 2
                                                        
                                                        

 
 1      SECTION 5.  If any provision of this Act, or the application
 
 2 thereof to any person or circumstance is held invalid, the
 
 3 invalidity does not affect other provisions or applications of
 
 4 this Act which can be given affect without the invalid provision
 
 5 or application, and to this end the provisions of this Act are
 
 6 severable.
 
 7      SECTION 6.  Statutory material to be repealed is bracketed.
 
 8 New statutory material is underscored.