Health; code; disclosure of nonpublic financial information by

health care providers; provide for.

HEALTH: Code; CONSUMER PROTECTION: Other; CIVIL RIGHTS:

Privacy; HEALTH FACILITIES: Other; HEALTH FACILITIES: Patients;

HEALTH: Occupations

A bill to amend 1978 PA 368, entitled

"Public health code,"

(MCL 333.1101 to 333.25211) by adding part 25.

THE PEOPLE OF THE STATE OF MICHIGAN ENACT:

1 PART 25

2 PRIVACY OF FINANCIAL INFORMATION

3 SEC. 2501. (1) THIS PART APPLIES TO THE TREATMENT OF NON-

4 PUBLIC PERSONAL FINANCIAL INFORMATION ABOUT INDIVIDUALS WHO

5 OBTAIN HEALTH OR MEDICAL CARE FROM HEALTH CARE PROVIDERS. THIS

6 PART DOES NOT APPLY TO INFORMATION ABOUT PERSONS WHO ARE NOT

7 INDIVIDUALS.

8 (2) THIS PART DOES NOT MODIFY, LIMIT, OR SUPERSEDE ANY STAT-

9 UTE OR RULE APPLICABLE TO THE CONFIDENTIALITY OR PRIVACY OF

10 INDIVIDUALLY IDENTIFIABLE HEALTH AND MEDICAL INFORMATION,

06450'02 DAM

2

1 INCLUDING, BUT NOT LIMITED TO, APPLICABLE PROVISIONS IN THIS ACT

2 OR ANY OF THE FOLLOWING:

3 (A) SECTION 2157 OF THE REVISED JUDICATURE ACT OF 1961, 1961

4 PA 236, MCL 600.2157.

5 (B) SECTION 1750 OF THE MENTAL HEALTH CODE, 1974 PA 258,

6 MCL 330.1750.

7 (C) SECTION 406 OF THE NONPROFIT HEALTH CARE CORPORATION

8 REFORM ACT, 1980 PA 350, MCL 550.1406.

9 (D) SECTIONS 410 AND 492A OF THE MICHIGAN PENAL CODE, 1931

10 PA 328, MCL 750.410 AND 750.492A.

11 (E) SECTION 13 OF THE FREEDOM OF INFORMATION ACT, 1976

12 PA 442, MCL 15.243.

13 (F) SECTION 34 OF THE THIRD PARTY ADMINISTRATOR ACT, 1984

14 PA 218, MCL 550.934.

15 SEC. 2503. AS USED IN THIS PART:

16 (A) "HEALTH CARE PROVIDER" MEANS A PERSON LICENSED, CERTI-

17 FIED, OR REGISTERED UNDER ARTICLE 6 OR 15 OR A FACILITY OR AGENCY

18 LICENSED OR AUTHORIZED UNDER ARTICLE 17.

19 (B) "NONPUBLIC PERSONAL FINANCIAL INFORMATION" MEANS PERSON-

20 ALLY IDENTIFIABLE FINANCIAL INFORMATION ABOUT AN INDIVIDUAL AND

21 ANY LIST, DESCRIPTION, OR OTHER GROUPING OF INDIVIDUALS AND PUB-

22 LICLY AVAILABLE INFORMATION PERTAINING TO THEM THAT IS DERIVED

23 USING ANY PERSONALLY IDENTIFIABLE FINANCIAL INFORMATION THAT IS

24 NOT PUBLICLY AVAILABLE. NONPUBLIC PERSONAL FINANCIAL INFORMATION

25 DOES NOT INCLUDE ANY OF THE FOLLOWING:

26 (i) HEALTH AND MEDICAL INFORMATION OTHERWISE PROTECTED BY

27 STATE OR FEDERAL LAW.

06450'02

3

1 (ii) PUBLICLY AVAILABLE INFORMATION.

2 (iii) ANY LIST, DESCRIPTION, OR OTHER GROUPING OF INDIVIDU-

3 ALS, AND PUBLICLY AVAILABLE INFORMATION PERTAINING TO THEM, THAT

4 IS DERIVED WITHOUT USING ANY PERSONALLY IDENTIFIABLE FINANCIAL

5 INFORMATION THAT IS NOT PUBLICLY AVAILABLE.

6 (C) "PERSONALLY IDENTIFIABLE FINANCIAL INFORMATION" MEANS

7 ANY OF THE FOLLOWING:

8 (i) INFORMATION AN INDIVIDUAL PROVIDES TO A HEALTH CARE PRO-

9 VIDER TO OBTAIN HEALTH OR MEDICAL CARE FROM THE HEALTH CARE

10 PROVIDER.

11 (ii) INFORMATION ABOUT AN INDIVIDUAL RESULTING FROM ANY

12 TRANSACTION INVOLVING HEALTH OR MEDICAL CARE BETWEEN A HEALTH

13 CARE PROVIDER AND AN INDIVIDUAL.

14 (iii) INFORMATION THE HEALTH CARE PROVIDER OTHERWISE OBTAINS

15 ABOUT AN INDIVIDUAL IN CONNECTION WITH PROVIDING HEALTH OR MEDI-

16 CAL CARE TO THAT INDIVIDUAL.

17 (D) "PUBLICLY AVAILABLE INFORMATION" MEANS ANY INFORMATION

18 THAT A HEALTH CARE PROVIDER HAS A REASONABLE BASIS TO BELIEVE IS

19 LAWFULLY MADE AVAILABLE TO THE GENERAL PUBLIC FROM FEDERAL,

20 STATE, OR LOCAL GOVERNMENT RECORDS, BY WIDE DISTRIBUTION BY THE

21 MEDIA, OR BY DISCLOSURES TO THE GENERAL PUBLIC THAT ARE REQUIRED

22 TO BE MADE BY FEDERAL, STATE, OR LOCAL LAW. A HEALTH CARE PRO-

23 VIDER HAS A REASONABLE BASIS TO BELIEVE THAT INFORMATION IS LAW-

24 FULLY MADE AVAILABLE TO THE GENERAL PUBLIC IF BOTH OF THE FOLLOW-

25 ING APPLY:

06450'02

4

1 (i) THE HEALTH CARE PROVIDER HAS TAKEN STEPS TO DETERMINE

2 THAT THE INFORMATION IS OF THE TYPE THAT IS AVAILABLE TO THE

3 GENERAL PUBLIC.

4 (ii) IF AN INDIVIDUAL CAN DIRECT THAT THE INFORMATION BE

5 WITHHELD FROM THE GENERAL PUBLIC, THAT THE INDIVIDUAL HAS NOT

6 DIRECTED THAT THE INFORMATION BE WITHHELD FROM THE GENERAL

7 PUBLIC.

8 SEC. 2505. (1) A HEALTH CARE PROVIDER SHALL USE REASONABLE

9 CARE TO SECURE NONPUBLIC PERSONAL FINANCIAL INFORMATION FROM

10 UNAUTHORIZED ACCESS. EXCEPT AS IS NECESSARY OR WHEN REQUIRED BY

11 LAW, A HEALTH CARE PROVIDER SHALL NOT DISCLOSE NONPUBLIC PERSONAL

12 FINANCIAL INFORMATION TO A PERSON WITHOUT THE PRIOR AND SPECIFIC

13 INFORMED CONSENT OF THE INDIVIDUAL TO WHOM THE NONPUBLIC PERSONAL

14 FINANCIAL INFORMATION PERTAINS. THE INDIVIDUAL'S CONSENT SHALL

15 BE IN WRITING. EXCEPT WHEN A DISCLOSURE IS MADE TO THE COMMIS-

16 SIONER OR ANOTHER GOVERNMENTAL AGENCY, A COURT, OR ANY OTHER GOV-

17 ERNMENTAL ENTITY, A HEALTH CARE PROVIDER SHALL MAKE A DISCLOSURE

18 FOR WHICH PRIOR AND SPECIFIC INFORMED CONSENT IS NOT REQUIRED

19 UPON THE CONDITION THAT THE PERSON TO WHOM THE DISCLOSURE IS MADE

20 PROTECT AND USE THE DISCLOSED INFORMATION ONLY IN THE MANNER

21 AUTHORIZED BY THE HEALTH CARE PROVIDER, PURSUANT TO SECTION

22 2507. IF AN INDIVIDUAL HAS AUTHORIZED THE RELEASE OF NONPUBLIC

23 PERSONAL FINANCIAL INFORMATION TO A SPECIFIC PERSON, A HEALTH

24 CARE PROVIDER SHALL MAKE A DISCLOSURE TO THAT PERSON UPON THE

25 CONDITION THAT THE PERSON SHALL NOT RELEASE THE DATA TO A THIRD

26 PERSON UNLESS THE INDIVIDUAL EXECUTES IN WRITING ANOTHER PRIOR

06450'02

5

1 AND SPECIFIC INFORMED CONSENT AUTHORIZING THE ADDITIONAL

2 RELEASE.

3 (2) THIS SECTION DOES NOT PRECLUDE THE RELEASE OF INFORMA-

4 TION BY TELEPHONE PERTAINING TO AN INDIVIDUAL TO THAT INDIVIDUAL

5 IF THE IDENTITY OF THE INDIVIDUAL IS VERIFIED.

6 SEC. 2507. A HEALTH CARE PROVIDER SHALL ESTABLISH AND MAKE

7 PUBLIC THE POLICY OF THE HEALTH CARE PROVIDER REGARDING THE PRO-

8 TECTION OF PRIVACY AND THE CONFIDENTIALITY OF NONPUBLIC PERSONAL

9 FINANCIAL INFORMATION. THE POLICY, AT A MINIMUM, SHALL DO ALL OF

10 THE FOLLOWING:

11 (A) PROVIDE FOR THE HEALTH CARE PROVIDER'S IMPLEMENTATION OF

12 PROVISIONS IN THIS PART AND OTHER APPLICABLE LAWS AND GUIDELINES

13 RESPECTING COLLECTION, SECURITY, USE, RELEASE OF, AND ACCESS TO

14 NONPUBLIC PERSONAL FINANCIAL INFORMATION.

15 (B) IDENTIFY THE ROUTINE USES OF NONPUBLIC PERSONAL FINAN-

16 CIAL INFORMATION BY THE HEALTH CARE PROVIDER; PRESCRIBE THE MEANS

17 BY WHICH INDIVIDUALS WILL BE NOTIFIED REGARDING THOSE USES; AND

18 PROVIDE FOR NOTIFICATION REGARDING THE ACTUAL RELEASE OF NONPUB-

19 LIC PERSONAL FINANCIAL INFORMATION THAT MAY BE IDENTIFIED WITH,

20 OR THAT MAY CONCERN, AN INDIVIDUAL, UPON SPECIFIC REQUEST BY THAT

21 INDIVIDUAL. AS USED IN THIS SUBDIVISION, "ROUTINE USE" MEANS THE

22 ORDINARY USE OR RELEASE OF NONPUBLIC PERSONAL FINANCIAL INFORMA-

23 TION COMPATIBLE WITH THE PURPOSE FOR WHICH THE INFORMATION WAS

24 COLLECTED.

25 (C) ASSURE THAT NO PERSON SHALL HAVE ACCESS TO NONPUBLIC

26 PERSONAL FINANCIAL INFORMATION EXCEPT ON THE BASIS OF A NEED TO

27 KNOW.

06450'02

6

1 (D) ESTABLISH THE CONTRACTUAL OR OTHER CONDITIONS UNDER

2 WHICH NONPUBLIC PERSONAL FINANCIAL INFORMATION MAY BE RELEASED.

3 (E) PROVIDE THAT ANY PAYMENT APPLICATIONS AND FORMS DEVEL-

4 OPED BY THE HEALTH CARE PROVIDER SHALL CONTAIN AN INDIVIDUAL'S

5 CONSENT TO THE RELEASE OF DATA AND INFORMATION THAT IS LIMITED TO

6 THE DATA AND INFORMATION NECESSARY FOR THE PAYMENT FOR HEALTH OR

7 MEDICAL SERVICES, AND SHALL REASONABLY NOTIFY INDIVIDUALS OF

8 THEIR RIGHTS PURSUANT TO THE HEALTH CARE PROVIDER'S POLICY AND

9 APPLICABLE LAW.

10 SEC. 2509. THIS PART DOES NOT LIMIT ACCESS TO RECORDS OR

11 ENLARGE OR DIMINISH THE INVESTIGATIVE AND EXAMINATION POWERS OF

12 GOVERNMENTAL AGENCIES PROVIDED FOR BY LAW.

13 SEC. 2511. NOTHING IN THIS PART SHALL BE CONSTRUED TO

14 MODIFY, LIMIT, OR SUPERSEDE THE OPERATION OF THE FAIR CREDIT

15 REPORTING ACT, TITLE VI OF THE CONSUMER CREDIT PROTECTION ACT,

16 PUBLIC LAW 90-321, 15 U.S.C. 1681 TO 1681v, AND NO INFERENCE

17 SHALL BE DRAWN ON THE BASIS OF THE PROVISIONS OF THIS PART

18 REGARDING WHETHER INFORMATION IS TRANSACTION OR EXPERIENCE INFOR-

19 MATION UNDER SECTION 603 OF THE FAIR CREDIT REPORTING ACT, TITLE

20 VI OF THE CONSUMER CREDIT PROTECTION ACT, PUBLIC LAW 90-321, 15

21 U.S.C. 1681a.

22 SEC. 2513. A HEALTH CARE PROVIDER SHALL NOT UNFAIRLY DIS-

23 CRIMINATE AGAINST ANY INDIVIDUAL BECAUSE THAT INDIVIDUAL HAS NOT

24 OPTED IN OR DOES NOT INTEND TO OPT INTO THE DISCLOSURE OF HIS OR

25 HER NONPUBLIC PERSONAL FINANCIAL INFORMATION PURSUANT TO THE PRO-

26 VISIONS OF THIS PART.

06450'02

7

1 SEC. 2515. A PERSON WHO VIOLATES THIS PART IS GUILTY OF A

2 MISDEMEANOR PUNISHABLE BY IMPRISONMENT FOR NOT MORE THAN 1 YEAR,

3 OR A FINE OF NOT MORE THAN $1,000.00, OR BOTH.

06450'02 Final page. DAM