HEALTH CARE INFORMATION PROTECTION AND PRIVACY ACT
House Bill 4936
Sponsor: Rep. Andy Neumann
Committee: Health Policy
Complete to 9-6-01
A SUMMARY OF HOUSE BILL 4936 AS INTRODUCED 6-12-01
House Bill 4936 would create the Health Care Information Protection and Privacy Act. In general, the act would prohibit persons from disclosing a patient's health care information without the patient's written consent or the written consent of his or her authorized representative. The prohibition would not apply to disclosures specifically allowed by federal or state law, rule, regulation, or Medicaid policy, including those provided in the act. Written consent would have to be provided on a form developed by the Department of Consumer and Industry Services (CIS) in consultation with the Michigan Board of Medicine and the Michigan Board of Osteopathic Medicine and Surgery. A separate written consent form would be required for the disclosure of information concerning genetics or genetic testing. A detailed description of the bill is provided below.
Statement of findings and declarations. The bill would list the legislature's findings and declarations concerning the importance of health care information protection and privacy as follows: patients have a legally protected interest in health care information; patients have a right to privacy and a reasonable expectation that such information will be kept private and confidential; there is no existing comprehensive law that creates an appropriate standard of conduct for disclosure of such information; patients need explicit additional statutory protection from fraud, deception, nuisance, invasion of privacy, and breach of confidentiality related to the disclosure of such information; patients must be assured that their free and full disclosure of symptoms, conditions, and related information will remain private; the disclosure of such information without authorization may cause significant harm to patients; and patients have a right to access their health care information and a right to comment on the accuracy of that information.
Confidentiality of health care information. Health care information would be deemed confidential, and in general such information could not be disclosed by health care providers, health information custodians, third party payers, or their employees, agents, or contractors, without the patient or the patient's authorized representative's written consent. (See below for exceptions to the requirement of written consent.) Required consent forms would have to be "specific to a particular disclosure," and blanket forms would be prohibited. Every use and disclosure of health care information would be limited to the purpose or purposes for which it was collected, as specified in the consent form. A person who received such information with written consent, or without written consent as permitted by the act, could use the information solely to carry out the purpose for which it was authorized for disclosure and would be prohibited from redisclosing the information without a new authorization. Health care information that concerns a patient or other "information that identified a patient" could not be
sold, rented, licensed, exchanged, or in any other way transferred to another person for use in a commercial solicitation or for other marketing activity without first obtaining written consent. Such consent would have to authorize the release of the information for that specific purpose. "Information that identified a patient" would include, but would not be limited to, a patient's name, address, telephone number, Social Security number, and e-mail address; if the patient was a dependent of a policyholder, it would also include the policyholder's information.
The act would state that it was not to be construed to amend any law that provided more extensive protection to a patient for confidentiality of health care information or greater access to a patient, or the patient's authorized representative, to the patient's own information, than provided in the act. The act would not be intended to hinder, interfere with, or prevent a regulatory agency or law enforcement official either from obtaining, or attempting to obtain, any information under federal, state, or local law, or other legal means, or from disclosing such information in the execution of regulatory or law enforcement duties. Nor would the act be intended to conflict with provisions of laws applicable in the state that allowed for electronic filings, records, or signatures, if as a result of the application of those laws patients were not deprived of the protections and benefits provided in the act.
Consent form. Written consent would have to be provided on a form developed by CIS, in consultation with the Michigan Board of Medicine and the Michigan Board of Osteopathic Medicine and Surgery. CIS, in consultation with those two boards, would have to develop and distribute a consent form within six months after the effective date of the act. Moreover, CIS would be required to distribute the model form, upon request and at no charge, to any person subject to the requirements of the act.
Consent forms for the disclosure of health care information would have to contain the following information in a clear and conspicuous manner: a description of the information to be used or disclosed that identified the information in a specific and meaningful fashion; a statement of the need for and proposed uses of the information; an expiration date; the person or a description of the types of persons authorized to disclose the information; the identity or description of the person or persons authorized to receive the information; a statement that the patient or patient's authorized representative may revoke the consent for disclosure of information at any future time, except to the extent action had already been taken in reliance upon the written consent of the patient or the patient's representative; a statement that the patient, or authorized representative, was entitled to receive a copy of the completed consent form. The form would also have to include a statement that specific and explicit consent was required for disclosure of information concerning alcohol or drug abuse, and information about Human Immunodeficiency Virus (HIV), Acquired Immunodeficiency Syndrome (AIDS), and AIDS related conditions (ARC).
Notice of rights with regard to genetic testing and information. If a patient chose to disclose information concerning genetics or genetic testing, the patient or his or her authorized representative would have to provide written consent on a form that was separate from the consent form described above. This separate consent form would have to contain the following notice:
NOTICE OF RIGHTS WITH REGARD TO
GENETIC TESTING AND INFORMATION
Michigan law restricts requests by commercial health insurers, Blue Cross Blue Shield of Michigan, health maintenance organizations, and employers that individuals undergo genetic testing or disclose whether genetic testing has been conducted or the results of genetic testing or genetic information. Patients who have questions about their rights may wish to seek legal advice.
Permissible disclosures of health care information without written consent. The bill would make several exceptions to the requirement that written consent be provided for the disclosure of health care information. Written consent would not be required if health care information was released or requested under federal or state law, rule, regulation, or Medicaid policy for purposes directly and specifically related to the administration of a federal or state program. This exception would apply to the following cases: reviews of a health provider's services; use of information in obtaining third party recoveries for payments; use of information in medical, fiscal, or utilization reviews; and investigation of fraud or abuse. A person could also disclose health care information without written consent if he or she reasonably believed that disclosure was necessary to prevent or lessen a serious and imminent threat to health or safety. In this case, the person could use or disclose the information to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat. Further, it would be permissible to release information that was necessary to notify or assist in notifying a family member, a personal representative of the patient, or another person responsible for the patient's care of the patient's location, general condition, or death, unless the patient objected to the release. The bill would also permit disclosure without written consent if a search warrant, subpoena, investigative demand, or court order had been issued for the discovery, investigation, or use of health care information in a criminal investigation for a criminal, civil, or administrative proceeding. 
Other exceptions to the written consent requirement would include the acquisition of information that was authorized or required by any of the following: the Worker's Disability Compensation Act of 1969; the Child Protection Law or during the course of a child protective proceeding or during a criminal investigation or prosecution related to the released information; and by the Public Health Code to promote or protect the health, safety, and welfare of the public, or to support data, information, and research activities as set forth in the code.
Specific exceptions to the requirement of obtaining written consent for disclosing health care information would apply to health care providers. A health care provider could disclose information without written consent to an individual who was a next-of-kin, or other family member, or close personal friend, as long as the information was directly relevant to the individual's involvement in the patient's health care. In such cases, the individual could act on behalf of the patient to pick up filled prescriptions, medical supplies, x-rays, or other similar health-related items. Disclosure could be made with the patient's verbal agreement if the patient had legal authority to make his or her own health decisions. Disclosure could be made without the patient's verbal agreement only if his or her verbal agreement could not be obtained practicably or reasonably and the health care provider believed that it was in the patient's best interests to make the disclosure. A health care provider could also disclose health care information without written consent in the following circumstances: within the provider's own office, practice, or organizational affiliate; to the provider's employees, agents, contractors, or successors in interest; to another provider, to the extent necessary for the provider to carry out his or her responsibilities to the patient, consistent with good professional practices and standards of ethics.
The bill would also expressly permit a health care provider to disclose the following information about a patient admitted to the provider's health facility: the patient's name; his or her general health status (e.g., critical, poor, fair, stable, etc.); and the location of the patient on premises controlled by the provider, as long as such a disclosure would not reveal any specific information about the patient's physical or mental condition.
A person who, in good faith, disclosed health care information under any of these exceptions would be immune from liability arising from that conduct, unless the conduct constituted gross negligence or willful and wanton misconduct. Further, the act would state that it was neither intended to, nor to be construed to, change mandatory reporting requirements or restrict access to and use of health care information, if the access and use are already allowed by law without consent.
Duties of health care providers, third party payers, and health information custodians. The bill would impose certain duties on health care providers, third party payers, and health information custodians that received health care information. First, such persons would have to establish and maintain safeguards to protect the confidentiality, security, accuracy, and integrity of the information, and of personal identification information, that is created, received, obtained, maintained, used, transmitted, or disposed of by them. Second, they would have to have procedures for mitigating any deleterious effect of an unauthorized use or disclosure of information. Such procedures would have to include written notification of the violation to the patient. Moreover, procedures would have to be established for patients to obtain additional information on such matters. Third, providers, payers, and custodians would have to establish policies to protect such information from unauthorized disclosure or redisclosure. The policies would have to limit authorized access to the information to those who have a "need to know." They would also have to identify an individual or individuals who had responsibility for maintaining security procedures for the information and for carrying out the mitigation procedures. Further, the policies would have to provide for education and training of employees, agents, and contractors as to the necessity of maintaining the security and confidentiality of information.
Patients' access to information and other rights. A patient, or his or her authorized representative, could, upon written request, inspect health care information of a health care provider pertaining to that patient at any time during regular business hours. He or she could receive from the provider a copy of such information, or have copies transferred to another health care provider or other person, after paying reasonable costs for copies and postage. A patient or representative could also obtain copies of any health care information in the possession of a health information custodian upon payment of reasonable costs for copies and postage.
A health care provider would have to note the time and date of each request by a patient or representative to inspect the information, the name of the inspecting person, and the time and date of inspection; the provider would also have to identify the information disclosed for inspection. Upon written request, a provider or a health information custodian would have to provide copies of health care information within 30 days after receipt of the written request. A provider or custodian could not conceal or withhold all or any part of a patient's information that was covered by, and within the scope of, a written consent from the patient, the patient's authorized representative or any other person to whom disclosure had been directed.
A patient or his or her authorized representative could request in writing that a provider or custodian amend or append health care information to either include additional relevant information or to make a correction of any portion of the information that the patient believes is not accurate, relevant, timely, or complete. Within 60 days of receiving such a request, the provider or custodian would have to either amend or append the information, if doing so did not erase or obliterate any of the original information, or notify the patient or his or her representative that the request had been denied. In the latter case, the provider or custodian would have to give the reason for denial and inform the patient or representative that he or she may file a statement explaining the correctness or relevance of existing information or the need for additional information. A health care provider would have to append the statement to the patient's health care information, and a health information custodian would have to include the statement in any report or information that the custodian provided to its members or third parties.
Maintenance, transferal, and destruction of health care information. Unless a longer period of time was required by law, a health care provider would have to retain his or her patient's health care information as follows: medical records with respect to competent adults would have to be kept at least 15 years from the last treatment or service; for incompetent adults, medical records would have to be kept at least 15 years after the individual's incompetency ceased or the individual died, whichever occurred sooner; and for minors, medical records would have to be kept for at least 15 years after the minor reached his or her 18th birthday. Mammograms would have to be kept for at least 15 years from the date of the last mammogram, and dental records would have to be kept for at least 15 years from the date of the last treatment or service.
A provider who ceased practicing or doing business or the personal representative of a deceased provider who was an independent practitioner would have to do one of the following. First, he or she could provide for the maintenance of patient health care information for at least 15 years, unless a longer period is required by law, by a person who stated, in writing, that the information would be maintained to protect patient confidentiality and disclosed in compliance with the act or other applicable laws. Second, he or she could provide for the transfer of information or copies of information to a health care provider as designated by the patient or the patient's authorized representative. Third, he or she could provide for the transfer of information or copies of information to the patient or the patient's authorized representative. Fourth, he or she could provide for the deletion or destruction of information that is more than 15 years old, or older if a longer retention period was required by law.
A health care provider who provided for the maintenance of information, in accordance with the first of the four options listed above, would have to provide written notice, by first-class mail, to each patient (or authorized representative) whose information was to be maintained; the notice would have to specify where and by whom the information was to be maintained. The provider would also have to publish a copy of a notice to the public at least once per week for three consecutive weeks in a newspaper that is published in the county in which the provider's or decedent's health practice was located, specifying where and by whom the information was to be maintained.
A health care provider who intended to provide for the deletion or destruction of any part of a patient's medical records, mammograms, and dental records (after the 15 year period during which they would have to be retained) would have to do either of the following. First, he or she could provide written notice to each patient whose information would be deleted or destroyed or the patient's representative. The notice would have to be provided at least 60 days prior to deleting or destroying information and would have to include the date on which the information would be deleted or destroyed. Second, the health care provider could publish a notice at least once per week for three consecutive weeks in a newspaper published in the county in which the provider's or decedent's health practice was located, specifying the date on which the health care information would be deleted or destroyed. In either case, the notice would have to inform the patient or representative that he or she could retrieve the information before that date at specified locations, dates, and times.
If a health care provider was licensed as a health professional or a health facility or agency under the Public Health Code or as a psychiatric hospital, psychiatric unit, or psychiatric partial hospitalization program under the Mental Health Code, the provider or a personal relative would have to notify CIS in writing if the practice or business ceased. The notification would have to describe the procedure for the dissemination, destruction, or deletion of health care information. If a provider maintained records of recipients of mental health services covered by the Mental Health Code, the written notification would also be provided to the Office of Recipient Rights within the Department of Community Health, or to its successor. The procedure for dissemination would have to include where and by whom the information would be maintained, the date or dates for destruction or deletion of information, and the location where, and dates and time when, information could be retrieved. The provider or his or her representative could also notify and provide the information in writing to a local professional association that served the particular group of health care providers, including, but not limited to, the county medical association, in the case of physicians.
Any health care information or personal identifying information that was deleted or destroyed under the act would have to be sufficiently shredded or incinerated or disposed of in a fashion that would protect the confidentiality of the information.
Filing complaints. A person who believed that a licensed health care provider, a licensed third party payer, or a licensed health care information custodian had violated the act could file a complaint with CIS. The division of the department that licensed the licensee would be responsible for reviewing the complaint, and if the division concluded that the licensee had violated the act, it could initiate the appropriate administrative proceedings.
Violations. An individual or an individual's authorized representative could bring a civil action against a person for declaratory relief, injunctive relief, or damages for a violation of most of the bill's provisions. The court could award actual damages or $500, whichever was greater, along with reasonable attorney fees and costs. However, these provisions would not apply to violations of "duties of health care providers, third party payers, and health information custodians," as described above.
In addition to other relief authorized by law, the attorney general could, on behalf of the state, commence a civil action seeking one or more of the following: temporary or permanent injunctive relief necessary to effectuate the provisions of the act; a declaratory judgment relating to the construction or applicability of the act; any relief necessary for the enforcement of the act; and a civil fine of not more than $5,000 for each violation, and if a violation was of a continuing nature, for each day of violation of the act. The amount of such a fine would be based upon the seriousness of the violation and any good faith effort of the person to comply with the act.
Actions brought under the act could be brought in the circuit court for Ingham County, in the county in which the defendant resided or had a place of business, in the county of the registered agent of a defendant corporation, or in the county where the alleged violation occurred. A person who violated the act for financial gain or other pecuniary advantage by intentionally and knowingly disclosing or concealing health care information, or by obtaining or causing the disclosure of such information by fraud or false pretenses, representations, or promises would be guilty of a felony. The felony would be punishable by imprisonment up to five years or $250,000, or both. A criminal penalty could be imposed in addition to a penalty imposed for other criminal offenses, including another criminal offense arising from the same conduct.
Other Provisions. CIS could promulgate rules to implement the act under the Administrative Procedures Act of 1969. Immunity given in federal or state law would not be abrogated by the act. An agreement with a patient or a patient's authorized representative waiving the provisions of the act would be deemed "against public policy" and would be considered void. If a provision of the act was held by a court to be invalid, the invalidity would not affect the remaining provisions of the act; the provisions of the act would be severable.
_____________________________________________________________________________________________________________________
This analysis was prepared by nonpartisan House staff for use by House members in their deliberations, and does not constitute an official statement of legislative intent.