“A bill to provide additional protections with respect to health information, and for other purposes.”
No CRS summary available for this bill.
This section directs the Secretary of Health and Human Services (HHS), in consultation with the Federal Trade Commission, to promulgate regulations establishing privacy, security, and breach notification standards for applicable health information processed by regulated entities (i.e., data controllers) and their service providers. Such standards must provide protections at least as stringent as HIPAA privacy, security, and breach notification rules (42 U.S.C. 1320d-2 note; 42 U.S.C. 17932) applicable to covered entities and business associates for protected health information, and must include (1) privacy requirements addressing permitted and prohibited uses/disclosures, authorizations, minimum necessary standards, individual rights (e.g., access, amendment, deletion, portability), and administrative safeguards; (2) security requirements for physical, technical, and administrative safeguards (for electronic data, based on NIST or HHS cybersecurity frameworks); and (3) breach notifications substantially similar to HIPAA requirements (45 C.F.R. pt. 164, subpt. D). The section authorizes HHS and the FTC to enforce the regulations, applies HIPAA civil monetary penalty provisions (45 C.F.R. pt. 160, subpt. D) to violations, and extends specified HITECH Act privacy and security requirements (42 U.S.C. 17941) to regulated entities and service providers. (As background, HIPAA, as amended by HITECH, regulates identifiable health information held by covered entities—health care providers, plans, and clearinghouses—and their business associates. Applicable health information is broader, encompassing any identifiable health-related data regardless of source.)
This section establishes requirements, in applying HIPAA right-of-access regulations (42 U.S.C. 17935(e); 45 C.F.R. § 164.524), for covered entities and business associates to transmit, produce, or provide access to an individual's protected health information (PHI) to a designated person or entity (except where permitted without authorization under 45 C.F.R. § 164.506(c)). Such requests must satisfy valid authorization standards (45 C.F.R. § 164.508(b)), and fulfillment may be conditioned on the recipient prepaying fees consistent with state law and subsection (b) and agreeing to the terms, limitations, and conditions specified in the individual's request. The section further limits fee protections (42 U.S.C. 17935(e)(3); 45 C.F.R. § 164.524(c)(4)) to (1) direct provision to the individual or personal representative, (2) persons involved in the individual's care or payment or for notification under 45 C.F.R. § 164.510(b)—limited to directly relevant PHI—and (3) electronic transmittal to the individual's health care provider's patient portal or mobile app. (Thus, HIPAA fee limits generally do not apply to third-party app developers or other designees.) The section defines terms by reference to HIPAA regulations (45 C.F.R. § 160.103) and directs the Secretary of Health and Human Services to amend guidance as needed within 180 days of enactment.
This section makes technical amendments to the confidentiality requirements for substance use disorder patient records by (1) replacing the cross-reference to "subsection (b)" with "the HIPAA regulations" in subsection (a); (2) in subsection (b), redesignating subparagraphs (A) through (D) of paragraph (2) as paragraphs (1) through (4) and simplifying the subsection heading by striking extraneous text; and (3) updating cross-references in subsections (c) and (g) from "subsection (b)(2)(C)" to "subsection (b)(3)". (As background, these requirements generally prohibit disclosure of such records without patient consent, subject to specified exceptions, and apply to programs receiving federal substance abuse block grant funds.)
This section directs the Secretary of Health and Human Services, not later than 60 days after enactment, to enter into a contract with the National Academies of Sciences, Engineering, and Medicine to conduct a study on the potential risks and benefits of compensating patients for sharing identifiable health data for research purposes. The study must examine (1) risks to patient privacy from integrating identifiable, de-identified, and aggregated health information into research datasets; (2) privacy-enhancing tools and methods; (3) feasibility of tracking patient data and consent for research dataset integration; (4) ethical considerations for compensating patients for identifiable and de-identified health data; (5) whether exemptions for de-identified data used in research should account for patient opt-in or opt-out opportunities; and (6) risks of re-identifying de-identified data.
This section requires any regulated entity or service provider accessing an individual's protected health information (PHI) through the patient right of access under HIPAA regulations (45 C.F.R. § 164.524) to (1) provide prior written plain language notification that such PHI will no longer be subject to HIPAA privacy protections and an explanation of potential redisclosures; and (2) obtain the individual's consent before selling the PHI. The section further requires such entities offering digital technology that generates wellness data (i.e., data promoting health or preventing disease, such as vital statistics, step counts, or medical regimen compliance) to provide advance written plain language notification that the data is not subject to HIPAA privacy protections and to offer an opt-out opportunity. Definitions apply from HIPAA regulations (45 C.F.R. § 160.103) and this Act; requirements take effect one year after enactment.
This section directs the Secretary of Health and Human Services, not later than one year after the date of enactment, to publish guidance on applying the minimum necessary standard (i.e., HIPAA requirement under 45 C.F.R. § 164.502(b) for covered entities to limit protected health information to the amount reasonably necessary to accomplish an intended purpose) to data used for artificial intelligence and machine learning applications. The guidance must address relevant requirements, including health data interoperability under section 3001(c)(9) of the Public Health Service Act (42 U.S.C. 300jj–11(c)(9)) and limited data sets under section 13405(b) of the HITECH Act (42 U.S.C. 17935(b)).
This section directs the Secretary of Health and Human Services to promulgate regulations not later than one year after enactment establishing unified national standards for rendering applicable health information as de-identified, modeled on HIPAA standards for de-identifying individually identifiable health information (45 C.F.R. pt. 164). The standards must (1) meet or exceed the HIPAA de-identification requirements of 45 C.F.R. § 164.514(b); (2) specify standards for privacy-enhancing technologies (i.e., software, hardware, or processes enhancing data privacy through predictability, manageability, disassociability, and confidentiality); and (3) provide that information does not qualify as de-identified when transferred by a regulated entity, service provider, covered entity, or business associate unless the recipient contractually agrees in writing not to re-identify it (or attempt to) and to impose the same requirement on downstream recipients.
This section applies the HIPAA preemption rules of 45 C.F.R. § 160.203 (i.e., preemption of contrary state law, subject to exceptions for more protective state laws) to the requirements of this Act in the same manner as those rules apply to HIPAA privacy and security standards.