HOUSE BILL No. 4936

June 12, 2001, Introduced by Reps. Neumann, Lockwood, Jacobs, Whitmer, Rich Brown, Bovin, Schauer, Zelenko, Frank, Callahan, Dennis, Kolb, Raczkowski, DeWeese, Pestka, Adamini, Gieleghem, Waters, Hardman, Spade, Rivet, Anderson and Plakas and referred to the Committee on Health Policy.

A bill to ensure the privacy of health care information; to establish certain rights with regard to health care information; to establish penalties for violations; and to authorize the adoption of rules.

THE PEOPLE OF THE STATE OF MICHIGAN ENACT:

Sec. 1. This act shall be known and may be cited as the "health care information protection and privacy act".

Sec. 2. The legislature finds and declares all of the following:
(a) Patients have a legally protected interest in health care information.
(b) Patients have a right to privacy and a reasonable expectation that their health care information will be kept private and confidential.

03898'01 KDD

(c) There is no existing comprehensive law that creates an appropriate standard of conduct for disclosure of health care information.
(d) Patients need explicit additional statutory protection from fraud, deception, nuisance, invasion of privacy, and breach of confidentiality related to the disclosure of health care information.
(e) Patients must be assured that their free and full disclosure of symptoms, conditions, and related information will remain private.
(f) The disclosure of health care information without authorization may cause significant harm to patients, including 1 or more of the following:
(i) Discouraging patients from making full disclosure of their health care information to health care providers.
(ii) Subjecting patients to fraudulent, misleading, or deceptive direct mail, telephone, or internet solicitations.
(iii) Subjecting patients to intimidation, intrusion, harassment, and nuisance.
(iv) Subjecting patients to undue embarrassment or ridicule.
(v) Subjecting patients to invasion of privacy.
(g) Patients have a right to access their health care information and comment on the accuracy of that information.

Sec. 3. As used in this act:
(a) "Authorized representative" means 1 of the following:
(i) A person empowered by the patient by explicit written authorization to act on the patient's behalf to access, disclose, or consent to the disclosure of the patient's health care information, in accordance with this act.
(ii) A guardian appointed under section 5306 of the estates and protected individuals code, 1998 PA 386, MCL 700.5306, to the extent that the scope of the guardianship includes the authority to act on the patient's behalf with regard to health care information.
(iii) If the patient is deceased, his or her personal representative or his or her heirs at law or the beneficiary of the patient's life insurance policy, to the extent provided by section 2157 of the revised judicature act of 1961, 1961 PA 236, MCL 600.2157.
(iv) With respect to an unemancipated minor, a parent, guardian, or person acting in loco parentis, except that if a minor lawfully obtains a health care service without the consent or notification of a parent, guardian, or other person acting in loco parentis, the minor has the exclusive right to exercise the rights of a patient under this act with respect to health care information relating to that care.
(b) "Business day" means a day other than a Saturday, a Sunday, or a holiday recognized and observed by this state or the federal government.
(c) "Department" means the department of consumer and industry services.
(d) "Disclosure" means the release, transfer, provision of access to, or divulging in any other manner of health care information.
(e) "Genetic information" means information about a gene, gene product, or inherited characteristic that is derived from a genetic test.
(f) "Genetic test" means the analysis of human DNA, RNA, chromosomes, and those proteins and metabolites used to detect heritable or somatic disease-related genotypes or karyotypes for clinical purposes. A genetic test must be generally accepted in the scientific and medical communities as being specifically determinative for the presence, absence, or mutation of a gene or chromosome in order to qualify under this definition. Genetic test does not include a routine physical examination or a routine analysis, including, but not limited to, a chemical analysis, of body fluids, unless conducted specifically to determine the presence, absence, or mutation of a gene or chromosome.
(g) "Health care information" means information, recorded in any form or medium, related to the health care of a specific patient. Health care information includes, but is not limited to, medical history, medical records, medical reports, medical summaries, medical diagnoses and prognoses, prescriptions as defined in section 17708(3) and described in section 17752 of the public health code, 1978 PA 368, MCL 333.17708 and 333.17752, medical treatment and medication ordered and given, other health care-related notes and entries, and x-rays and other imaging records. Health care information also includes personal medical information supplied to an internet site dealing with health care matters. For purposes of this act, health care information does not include any of the following:
(i) Ordinary business information pertaining to patients' accounts.
(ii) Information that is obtained from the public records of a governmental entity.
(iii) Nonidentifiable health care information.
(iv) Except for the purposes of sections 5 and 8, records of recipients who receive mental health services under the mental health code, 1974 PA 258, MCL 330.1101 to 330.2106.
(h) "Health information custodian" means an entity that collects, organizes, analyzes, or maintains health care information. Health information custodian includes entities that collect information about individuals' health on behalf of the insurance industry except as otherwise provided by law. Health information custodian also includes an independent review organization as that term is defined in section 3 of the patient's right to independent review act, 2000 PA 251, MCL 550.1903, a prudent purchaser organization, and an insurance agent as that term is used in section 1201 of the insurance code of 1956, 1956 PA 218, MCL 500.1201. Health information custodian includes an internet site that obtains and retains or collects personal medical information from individuals who visit the site. Health information custodian does not include a health care provider, third party payer, a person that conducts health research, an organization that oversees or audits a health care provider for risk management or quality control, or a governmental entity.
(i) "Health care provider" means 1 of the following:
(i) A health professional licensed or registered under parts 161 to 183 and part 185 of the public health code, 1978 PA 368, MCL 333.16101 to 333.18311 and MCL 333.18501 to 333.18515.
(ii) Emergency medical services personnel licensed under part 209 of the public health code, 1978 PA 368, MCL 333.20901 to 333.20979.
(iii) A health facility or agency as defined in section 20106(1) of the public health code, 1978 PA 368, MCL 333.20106.
(iv) A substance abuse treatment program licensed under parts 61 to 65 of the public health code, 1978 PA 368, MCL 333.6101 to 333.6523.
(v) A facility providing outpatient physical therapy services, including speech pathology services.
(vi) A kidney disease treatment center, including a freestanding hemodialysis unit.
(vii) An ambulatory health care facility.
(viii) A tertiary health care service facility.
(ix) A home health agency.
(x) An adult foster care facility licensed under the adult foster care facility licensing act, 1979 PA 218, MCL 400.701 to 400.737.
(xi) A health-related provider, service, or supplier that maintains a provider agreement with a third party payer.
(xii) Any officer, employee, agent, or contractor of a provider described in subparagraphs (i) to (xi), insofar as the employee, agent, or contractor creates, receives, obtains, uses, or discloses health care information.
(j) "Individual" means a natural person.
(k) "Newspaper" means either of the following as applicable:
(i) A newspaper for the dissemination of general news and information that has a bona fide list of paying subscribers or has been published at least once a week in the same community without interruption for at least 2 years, and has been established, published, and circulated at least once a week without interruption for at least 1 year in the county where publication is to occur.
(ii) If no newspaper qualifies in the county where publication is to be made, a newspaper meeting this definition in an adjoining county.
(l) "Nonidentifiable health care information" means any information that would otherwise be protected as health care information under section 4 except that the information does not reveal the identity of the individual whose health or health care is the subject of the information and there is no reasonable basis to believe that the information could be used, either alone or with other information that is or should reasonably be known to be available to recipients of the information, to reveal the identity of that individual.
(m) "Patient" means an individual, including a deceased individual, who receives or has received health care from a health provider, provided the individual is 1 of the following:
(i) An adult.
(ii) An emancipated minor.
(iii) An unemancipated minor who lawfully obtains a health care service without the consent or notification to a parent, guardian, or other person acting in loco parentis, with respect to health care information relating to that service.
(iv) An unemancipated minor represented by his or her authorized representative.
(n) "Person" means an individual, partnership, cooperative, association, private corporation, personal representative, receiver, trustee, designee, governmental unit, or any other legal entity.
(o) "Reasonable costs" means costs not to exceed 25 cents per page for copies of health care information that are in paper form, the actual duplication cost for health care information, such as x-rays or microfiche, that is not in paper form, and actual postage if the information is mailed to the patient, the patient's authorized representative, or another recipient designated by the patient or authorized representative.
(p) "Reasonable notice" means 2 business days for information stored on the business premises of a health care provider and 7 business days for information stored off of the business premises of a health care provider.
(q) "Third party payer" means a public or private health care payment or benefits program that is created, authorized, or licensed under state or federal laws, including, but not limited to, all of the following:
(i) An insurer authorized to do business in this state.
(ii) A nonprofit health care corporation.
(iii) A health maintenance organization.
(iv) A nonprofit dental care corporation.
(v) Medicaid, medicare, or another state or federal health care program that pays for health care.
(vi) Any officer, employee, agent, or contractor of a third party payer described in subparagraphs (i) to (v) above, insofar as the employee, agent, or contractor creates, receives, obtains, uses, or discloses health care information.
(r) "Use" means the employment, application, utilization, examination, or analysis of information within an entity that holds the information.
(s) "Written consent" includes consent provided by facsimile.

Sec. 4. (1) Health care information is confidential. Except as provided in section 9 or as specifically provided by federal or state law, rule, regulation, or medicaid policy, health care information shall not be disclosed by health care providers, health information custodians, third party payers, or their employees, agents, or contractors, without the written consent of the patient or the patient's authorized representative on a consent form meeting the requirements of subsection (2).
(2) Consent forms for the disclosure of health care information shall contain the following information in a clear and conspicuous manner:
(a) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
(b) A statement of the need for and proposed uses of the health care information.
(c) A statement that specific and explicit consent is required for disclosure of information concerning alcohol or drug abuse, and information about human immunodeficiency virus (HIV), acquired immunodeficiency syndrome (AIDS), and AIDS related conditions (ARC). If this information is contained in a patient's health care information, the consent form shall provide an opportunity for the patient to designate whether or not disclosure of this information is authorized.
(d) An expiration date. If no expiration date is specified, the consent shall expire 2 years after the date that the consent was signed by the patient or the patient's authorized representative.
(e) The person or a description of the types of persons authorized to disclose the information.
(f) The identity or description of the person or persons authorized to receive the information.
(g) A statement that the patient or patient's authorized representative may revoke the consent for disclosure of health care information at any future time, except to the extent action has already been taken in reliance upon the written consent of the patient or the patient's representative. Any revocation must be transmitted in writing to the entity authorized to disclose the information.
(h) A statement that the patient, or an authorized representative of the patient, is entitled to receive a copy of the completed consent form.
(3) Within 6 months after the effective date of this act, the department, in consultation with the Michigan board of medicine and the Michigan board of osteopathic medicine and surgery, shall develop and distribute a consent form for purposes of this section that health care providers may adopt. The department shall distribute the model form, upon request and at no charge, to any person that is subject to the requirements of this act.
(4) If a patient chooses to disclose information concerning genetics or genetic testing, the patient or the patient's authorized representative must provide written consent on a form that is separate from the consent form that is described in subsection (2) and contains the following notice:

NOTICE OF RIGHTS WITH REGARD TO GENETIC TESTING AND INFORMATION

Michigan law restricts requests by commercial health insurers, Blue Cross Blue Shield of Michigan, health maintenance organizations, and employers that individuals undergo genetic testing or disclose whether genetic testing has been conducted or the results of genetic testing or genetic information. Patients who have questions about their rights may wish to seek legal advice.

(5) Consent forms must be specific to a particular disclosure, and blanket consent forms are prohibited.
(6) Every use and disclosure of health care information shall be limited to the purpose or purposes for which it was collected as specified in the consent form. Any other use or disclosure without a valid consent to disclose shall be an unauthorized disclosure.
(7) A person that receives health care information, pursuant to a written consent, or without consent when authorized under section 9 or any federal or state law, rule, regulation, or medicaid policy, may use the information solely to carry out the purpose for which the information was authorized for disclosure by the patient or patient's authorized representative or by the law, rule, regulation, or policy, and is prohibited from redisclosing the information absent a new authorization permitting further disclosure.
(8) Health care information that concerns a patient or information that identifies a patient shall not be sold, rented, licensed, exchanged, or in any other way transferred to another person for use in a commercial solicitation or for other marketing activity, without first obtaining the prior written consent of the patient or authorized representative that his or her health care information or any information identifying him or her may be released for this specific purpose. Information that identifies a patient includes, but is not limited to, a patient's name, address, telephone number, social security number, and e-mail address; and if a patient is a dependent of a health care policyholder, the policyholder's name, address, telephone number, social security number, and e-mail address.
(9) This act shall not be construed to amend any law that provides more extensive protection to a patient for confidentiality of health care information or greater access to a patient, or the patient's authorized representative, to the patient's own health care information, than provided in this act.
(10) Nothing in this act is intended to hinder, interfere with, or prevent a regulatory agency or law enforcement official from obtaining, or attempting to obtain, any information under federal, state, or local law, or other legal means, or to disclose the same in the execution of regulatory or law enforcement duties.
(11) Nothing in this act is intended to conflict with provisions of any laws applicable in Michigan that allow for electronic filings, records, or signatures, if as a result of the application of those laws patients are not deprived of the protections and benefits provided in this act.

Sec. 5. Health care providers, third party payers, and health information custodians that receive health care information shall do all of the following:
(a) Establish and maintain safeguards to protect the confidentiality, security, accuracy, and integrity of health care information, and of personal information that identifies a patient, that is created, received, obtained, maintained, used, transmitted, or disposed of by them.
(b) Establish policies to protect health care information and personal information that identifies a patient from unauthorized disclosure or redisclosure that, at a minimum, does all of the following:
(i) Limit authorized access to health care information and personal information that identifies a patient to persons having a "need to know" that information.
(ii) Identify an individual or individuals who have responsibility for maintaining security procedures for health care information and personal information that identifies a patient and for carrying out mitigation required under subdivision (c).
(iii) Provide for education and training of employees, agents, and contractors as to the necessity of maintaining the security and confidentiality of health care information and of personal information that identifies a patient.
(c) Have procedures for mitigating, to the extent practicable, any deleterious effect of a use or disclosure of health care information, or of personal information that identifies a patient, in violation of this act. These procedures shall include written notification to the patients whose health care information or personal information was used or disclosed in violation of this act.
(d) Establish policies setting forth procedures for patients to obtain additional information on matters notified under subdivision (c).

Sec. 6. (1) A patient, or a patient's authorized representative, may, upon written request, do 1 or more of the following:
(a) Inspect health care information of a health care provider pertaining to that patient at any time during regular business hours, upon reasonable notice.
(b) Receive from a health care provider a copy of health care information pertaining to that patient upon payment of reasonable costs for copies and postage.
(c) Have copies of the patient's health care information transferred by a health care provider to another health care provider or other person upon payment of reasonable costs for copies and postage.
(d) Obtain copies of any health care information in the possession of a health information custodian, upon payment of reasonable costs for copies and postage.
(2) A health care provider shall note the time and date of each request by a patient or patient's authorized representative to inspect the patient's health care information, the name of the inspecting person, and the time and date of inspection and identify the health care information disclosed for inspection.
(3) Upon written request, a health care provider or health information custodian shall provide copies of health care information in accordance with this section within 30 calendar days after receipt of the written request.
(4) A health care provider or health information custodian shall not conceal or withhold all or any portion of a patient's health care information that is covered by, and within the scope of, a written consent from the patient, the patient's authorized representative or a health care provider, or other person to whom disclosure has been directed by the patient or the patient's authorized representative.

Sec. 7. (1) A patient or a patient's authorized representative may request in writing that a health care provider amend or append health care information pertaining to him or her to do either of the following:
(a) Make a correction of any portion of the information that the patient believes is not accurate, relevant, timely, or complete.
(b) Include additional information in order to improve the accuracy or completeness of the information.
(2) If a patient or a patient's authorized representative requests that health care information be amended or appended, within 60 days of receipt of the written request the health care provider shall do 1 of the following:
(a) Amend the health care information or append information as requested, if amending or appending information does not erase or obliterate any of the original information.
(b) Notify the patient or the patient's authorized representative that the request has been denied, giving the reason for the denial, and that the patient or the patient's authorized representative may file a statement of reasonable length explaining the correctness or relevance of existing information or the need for the addition of new information. The statement or a copy shall be appended to the health care information pertaining to the patient.
(3) A patient or a patient's authorized representative may request in writing that a health information custodian amend or append health care information pertaining to him or her that is in the health information custodian's possession. If a patient or a patient's authorized representative requests that health care information in the possession of a health information custodian be amended or appended, within 60 days of receipt of the written request the health information custodian shall do 1 of the following:
(a) Amend the health care information or append information as requested, if amending or appending information does not erase or obliterate any of the original information.
(b) Notify the patient or the patient's authorized representative that the request has been denied, giving the reason for the denial, and that the patient or the patient's authorized representative may file a statement of reasonable length explaining the correctness or relevance of existing information or the need for the addition of new information. The statement or a copy shall be included in any report or information pertaining to the patient that is provided by the health information custodian to its members or third parties.

Sec. 8. (1) Unless a longer period of time is required by law, a health care provider shall retain his or her patients' health care information as follows:
(a) Medical records with respect to competent adults shall be kept at least 15 years from the date of the last treatment or service.
(b) Medical records with respect to incompetent adults shall be kept at least 15 years after the individual's incompetency ceases, or 15 years after the individual's death, whichever occurs sooner.
(c) Medical records with respect to minors shall be kept for at least 15 years after the minor reaches his or her eighteenth birthday.
(d) Mammograms shall be kept at least 15 years from the date of the last mammogram.
(e) Dental records shall be kept at least 15 years from the date of the last treatment or service.
(2) A health care provider who ceases practicing or doing business as a health care provider, or the personal representative of a deceased health care provider who was an independent practitioner, shall do 1 of the following for all patient health care information in the possession of the health care provider when the health care provider ceased practicing or doing business or died:
(a) Provide for the maintenance of patient health care information for at least 15 years, unless a longer period is required by law, by a person who states, in writing, that the information will be maintained to protect patient confidentiality and will be disclosed in compliance with this act or any other applicable law.
(b) Provide for the transfer of health care information or copies of health care information to a health care provider as designated by the patient or the patient's authorized representative.
(c) Provide for the transfer of health care information or copies of health care information to the patient or the patient's authorized representative.
(d) Subject to subsection (4), provide for the deletion or destruction of health care information that is more than 15 years old, or older if a longer retention period is required by law.
(3) If the health care provider undertakes to provide for the maintenance of health care information, the health care provider shall do both of the following:
(a) Provide written notice, by first-class mail, to each patient whose health care information will be maintained, or to a representative authorized by the patient, at the last known address of the patient or person, describing where and by whom the health care information shall be maintained.
(b) Publish a copy of a notice to the public at least once per week for 3 consecutive weeks in a newspaper that is published in the county in which the health care provider's or decedent's health practice was located, specifying where and by whom the patient's health care information shall be maintained.
(4) If the health care provider intends to provide for the deletion or destruction of any of a patient's health care information retained under subsection (1), the health care provider or the health care provider's personal representative shall do at least 1 of the following:
(a) Provide notice to each patient whose health care information will be deleted or destroyed, or the patient's authorized representative, that the information pertaining to the patient will be deleted or destroyed. The notice shall be provided at least 60 days before deleting or destroying any information, shall be in writing, and shall be sent by first-class mail to the last known address of the patient to whom the information pertains or the last known address of the patient's authorized representative. The notice shall inform the patient or patient's authorized representative of the date on which the health care information will be deleted or destroyed, unless the patient or the patient's authorized representative retrieves it before that date, and the location where, and the dates and times when, the health care information may be retrieved by the patient or the patient's authorized representative.
(b) Publish a notice at least once per week for 3 consecutive weeks in a newspaper that is published in the county in which the health care provider's or decedent's health practice was located, specifying the date on which the health care information will be deleted or destroyed, unless the patient or the patient's authorized representative retrieves it before that date, and the location where, and the dates and times when, the health care information may be retrieved by the patient or the patient's authorized representative.
(5) If a health care provider is licensed as a health professional or a health facility or agency under the public health code, 1978 PA 368, MCL 333.1101 to 333.25211, or as a psychiatric hospital, psychiatric unit, or psychiatric partial hospitalization program under the mental health code, 1974 PA 258, MCL 330.1001 to 330.2106, the health care provider or a personal representative shall notify the department in writing that the practice or business has ceased and describe the procedure for the dissemination, destruction, or deletion of health care information. If a health care provider maintains records of recipients of mental health services that are covered by the mental health code, 1974 PA 258, MCL 330.1001 to 330.2106, the written notification shall also be provided to the office of recipient rights within the department of community health, or to its successor. The procedure for dissemination shall include where and by whom the health care information will be maintained; the date or dates for destruction or deletion of health care information; and the location where, and the dates and times when, health care information may be retrieved by the patient or the patient's authorized representative.
The health care provider or a personal representative may also notify and provide this information in writing to a local professional association that serves the particular group of health care providers, including, but not limited to, the county medical association in the case of physicians.
(6) Any health care information or personal information that identifies a patient that is deleted or destroyed under this act shall be sufficiently shredded or incinerated or disposed of in a fashion that will protect the confidentiality of the patient's health care information or the personal information concerning the patient.

Sec. 9. (1) A consent for disclosure of health care information under section 4 is not required in the following situations:
(a) If health care information is released or requested under federal or state law, rule, regulation, or medicaid policy for purposes directly and specifically related to the administration of a federal or state program, including, but not limited to, the following:
(i) Review of a health provider's services.
(ii) Use in obtaining third party recoveries for payments.
(iii) Use in medical, fiscal, or utilization reviews.
(iv) Investigation of fraud or abuse.
(b) As authorized by and to the extent necessary to comply with the worker's disability compensation claims act of 1969, 1969 PA 317, MCL 418.101 to 418.941.
(c) For release under the child protection law, 1975 PA 238, MCL 722.621 to 722.638, or during the course of a child protective proceeding or during a criminal investigation or prosecution related to the released information.
(d) For any release to the extent required or authorized by the public health code, 1978 PA 368, MCL 333.1101 to 333.25211, to promote or protect the health, safety, and welfare of the public, or to support data, information, and research activities as set out in article 2 of the public health code, 1978 PA 368, MCL 333.2201 to 333.2263.

(e) If a person with possession of health care information, consistent with standards of ethical conduct and based on a reasonable belief that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient, another individual, or the public, uses or discloses health care information to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.

(f) If a health care provider discloses health care information under any of the following circumstances:

(i) Within the health care provider's own office, practice, or organizational affiliate.

(ii) To the health care provider's employees, agents, contractors, or successors in interest.

(iii) To another health care provider, to the extent needed for the health care provider to carry out his or her responsibilities to the patient for diagnosis, treatment, and care, consistent with good health care professional practices and standards of ethics.

(g) For any release that is necessary to notify or assist in the notification of a family member or personal representative of the patient, or other person responsible for the care of the patient, of the patient's location, general condition, or death, unless the patient objects to this release. A release under this subdivision may assist in the notification of a person by identifying or locating the person.
(h) If a health care provider discloses, consistent with good health care professional practices and standards of ethics, health care information to an individual who is a next-of-kin, or other family member, or close personal friend, and the health care information is directly relevant to the individual's involvement in the patient's health care. The purpose of this disclosure may include, but is not limited to, allowing the individual to act on behalf of the patient to pick up filled prescriptions, medical supplies, x-rays, or other similar health-related items. Disclosure under this subdivision shall be made under 1 of the following circumstances:

(i) With the patient's verbal agreement if the patient has the legal authority to make his or her own health decisions.

(ii) Without the patient's verbal agreement only if the patient's verbal agreement cannot practicably or reasonably be obtained and the health care provider believes that it is in the patient's best interests to make the disclosure.

(i) As provided by law, if a search warrant, subpoena, investigative demand, or court order has been issued for the discovery, investigation, or use of health care information in a criminal investigation or a criminal, civil, or administrative proceeding.

(2) A health care provider may disclose the following information to another person about a patient who is admitted to a health facility:

(a) The name of the patient.

(b) The general health status of the patient, described as critical, poor, fair, stable, or satisfactory or in terms denoting similar conditions.

(c) The location of the patient on premises controlled by a provider. This disclosure shall not be made if the information would reveal specific information about the physical or mental condition of the patient, unless the patient or the patient's authorized representative expressly authorizes the disclosure.
(3) A person who, in good faith, discloses health care information under this section is immune from civil, administrative, or criminal liability arising from that conduct, unless the conduct constitutes gross negligence or willful and wanton misconduct.

(4) This act is not intended, and shall not be construed, to change mandatory reporting requirements or restrict access to, and use of, health care information, if that access and use are already allowed by law without consent.

Sec. 10. A person who believes that a licensed health care provider, a licensed third party payer, or a licensed health care information custodian has violated this act may file a complaint with the department. The division of the department that licenses the licensee about which the complaint has been made shall review the complaint. If the division concludes that a licensee has violated this act, the division may initiate the appropriate administrative proceedings.

Sec. 11. An individual or an individual's authorized representative may bring a civil action against a person for declaratory relief, injunctive relief, or damages for a violation of section 4, 6, 7, or 8. The court may award actual damages or $500.00, whichever is greater, along with reasonable attorney fees and costs.

Sec. 12. (1) In addition to other relief authorized by law, the attorney general may, on behalf of this state, commence a civil action seeking 1 or more of the following:

(a) Temporary or permanent injunctive relief necessary to effectuate the provisions of this act.

(b) A declaratory judgment relating to the construction or applicability of this act.

(c) A civil fine of not more than $5,000.00 for each violation and, if a violation is of a continuing nature, for each day of violation of this act.
The amount of a fine imposed under this subdivision shall be based upon the seriousness of the violation and any good faith effort of the person to comply with this act.

(d) Any relief necessary for the enforcement of this act.

(2) An action brought under this act may be brought in the circuit court for Ingham county, in the county in which the defendant resides or has a place of business, in the county of the registered agent of a defendant corporation, or in the county where the alleged violation occurred.

Sec. 13. (1) A person who violates this act for financial gain or other pecuniary advantage by intentionally and knowingly disclosing health care information, intentionally and knowingly concealing health care information, or by obtaining or causing the disclosure of health care information by fraud or false pretenses, representations, or promises is guilty of a felony punishable by imprisonment for not more than 5 years or a fine of not more than $250,000.00, or both.

(2) A criminal penalty provided for under this section may be imposed in addition to a penalty imposed for any other criminal offense, including another criminal offense arising from the same conduct.

Sec. 14. The penalties prescribed by this act are cumulative and not exclusive. No patient, governmental authority, or other person is limited to the remedies in this act if other remedies are provided by common law or other statutory provisions. The use of 1 enforcement remedy is not a bar to the use of other remedies by the patient, governmental authority, or other person.

Sec. 15. The department may promulgate rules to implement this act pursuant to the administrative procedures act of 1969, 1969 PA 306, MCL 24.201 to 24.328.

Sec. 16. Immunity given in federal or state law is not abrogated by the provisions of this act.

Sec. 17.
An agreement with a patient or a patient's authorized representative waiving the provisions of this act is declared to be against public policy and void.

Sec. 18. If a provision of this act is held by a court to be invalid, that invalidity shall not affect the remaining provisions of this act. The provisions of this act are severable.