MODEL HEALTH INFORMATION DISCLOSURE ACT (MHIDA)

The students enrolled in the Law and Technology Seminar at the University of Iowa College of Law during the 1998-99 academic year that worked on the development of the Model Health Information Disclosure Act are as follows:



Michelle Bennett

Kris Corlette

Erin Gallagher

Kenneth Cox

Brent Oleson

Maria Perez

Joshua Reider

Eric Tindal

Laura Walter

Kathy Weno



Consultants:

Randall Bezanson

Sheldon F. Kurtz

Prefatory Note



The prefatory note to the Uniform Health-Care Information Act provides: "The critical role that confidentiality plays in the provision of health care has been recognized almost from the inception of the medical profession. Gelman, Prescribing Privacy: The Uncertain Role of the Physician in the Protection of Patient Privacy, 62 N.C.L.Rev. 255 (1984). It may be assumed that confidentiality is essential to a patient's trust in a health care provider and to a patient's willingness to supply information candidly for his or her benefit. Confidentiality may then be seen as improving the quality of health care."

Previously, people went to their doctor for treatment, paid their doctor, and submitted a claim to their insurance company for reimbursement. Records were maintained in paper form only. Since then, health care has become complicated. Now physicians practice in large groups, often as part of larger health care plans. Providers often contract out their billing, and information flows directly from a health care provider to an insurance company. These changes and technological innovations, such as e-mail, the Internet, and electronic file storage, strain the traditional notions of confidentiality. The concern with this strain has prompted different legislatures, committees, and organizations to create new laws to address the changing health care industry. None of these attempts have been coordinated, and thus they have created uncertainty in the laws and an increased opportunity for breaches of confidentiality. The Model Health Information Disclosure Act attempts to remedy this problem by providing a model act focused on confidentiality of all forms of health care information in the possession of custodians.

The Act imposes a general duty upon all persons in possession of health care information not to disclose that information if disclosure would readily identify the subject of that information. The Act also imposes a duty for custodians to maintain individually identifiable health information in a reasonable manner.

At the same time, however, the Act incorporates a number of important exceptions to this general duty of nondisclosure. In some cases, the Act reflects a policy decision that the benefits of disclosure always outweigh the subject's privacy interest in the information. In those cases, disclosure is mandatory. In other cases, custodians are granted discretion whether to disclose information without the subject's consent. This, for all practical purposes, leaves the custodian to determine the appropriate balance between the benefits and burdens of disclosure.

The drafters also recognized that discrimination on the basis of health care information is a consequence that can flow from disclosure of health care information. Although the drafters find this type of discrimination disturbing, they decided that to draft an act regulating discriminatory uses of health care information would unnecessarily complicate the Act. In their judgment, the focus of the Act would be better served if it were limited to regulating disclosure of the information. As a consequence, the restrictions on the disclosure of individually identifiable health information act to restrict the uses of that information, but no special limitations on the use of the information have been incorporated in the Act.

The drafters also debated whether to include specific provisions addressing the increased sensitivity of genetic information, which has implications unique to the properties of that information, such as its disease prediction abilities. They decided that it would be an overwhelming task to create specific provisions and would essentially require the drafting of an additional statute. Because of this, the drafters decided not to include specific provisions addressing the unique situation of genetic information. Genetic information has been given the same treatment as all other health information in the Act.

This Act was drafted to treat all individually identifiable health information alike. An unauthorized disclosure imposes liability regardless of the sensitivity of the information. The differences between types of information released may be taken into account when determining damages in a civil suit, not when determining whether or not this Act applies to a disclosure.

MODEL HEALTH INFORMATION PRIVACY ACT



Section

1 Definitions

2 General Duty of Custodians

3 Internal Disclosure By Custodians

4 Consent

5 Mandatory Disclosures

6 Permissive Disclosures

7 Maintenance of Health Information

8 Authority of [State][Department of Health]

9 Sanctions and Remedies

10 Uniformity of Application and Construction

11 Short Title

12 Severability Clause

13 Effective Date

1. DEFINITIONS.



As used in this [Act], unless the context indicates otherwise, the following definitions apply:



(a) "Custodian" means any person that controls, possesses, or maintains health information about any individual.



(b) "Disclose" or "disclosure" means the release of any health information to any person other than the individual who is the subject of the information.



(c) "Health care" means any care, service, or procedure provided by a health care provider:



(1) to diagnose, treat, or maintain a patient's physical or mental condition; or



(2) that affects the structure or any function of the human body.



(d) "Health care provider" means a person, including a health care institution, licensed, certified, or otherwise authorized by the laws of this [state] to provide health care in the ordinary course of business or practice of a profession, other than a person who provides health care solely through the sale or dispensing of medical devices and supplies.



(e) "Health care institution" means an institution, facility, or agency licensed, certified, or otherwise authorized or permitted by law to provide health care in the ordinary course of business.



(f) "Health care representative" means an individual who is legally authorized to consent to health care for another, including an individual designated by the subject in any durable health care power of attorney or advance directive or last will admitted to probate to act as a health care representative under this [Act].



(g) "Health information" means information of any kind and in any form related to an individual's health.



(h) "HIV-Related Information" means any information from which a subject's HIV status may be inferred.



(i) "Individually identifiable" means information that would, itself or in combination with other information, identify the subject of the information.



(j) "Person" means an individual, corporation, business trust, estate, trust, partnership, association, joint venture, government, governmental subdivision or agency, or other legal or commercial entity.



(k) "State" means a State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, or a territory or insular possession subject to the jurisdiction of the United States.



(l) "Subject" means the individual to whom the health information relates.



Comment



The definition of "custodian" is expansive. It includes persons who customarily are thought of as collecting and retaining health care information about a subject such as doctors, other health care professionals and insurance companies. It also includes employers, researchers, schools, and even family and friends of a subject. The drafters adopted this broad definition in part to reflect their belief that the widest net should be cast in protecting individuals from the inappropriate disclosure of identifiable health care information.

Within any institution or organization, each individual employee who controls, possesses, or maintains individually identifiable health information about an individual is a separate custodian. Thus, disclosure of individually identifiable health information by one employee to another is subject to the general rule of Section 2, unless it is an internal disclosure under Section 3.

The word "disclose" is broad enough to include both oral and written disclosure.

The definition of "health information" is comprehensive. It includes assessment data, diagnoses, treatment plans, treatment results, histories, results of psychological, genetic, intelligence, or laboratory tests, any imaging produced by X-ray, MRI, CT or telemedicine, and pharmaceutical and genetic information in any form. "Health information" also includes information typically included in a subject's medical records, whether created by a health care provider or others such as social workers, school employees, insurance company employees, or employers.

"Health care representative" includes legally appointed guardians and persons acting under either so-called "family consent" laws, health care powers of attorney, or who are designated in a subject's last will. Unlike existing state laws, the Act permits a subject to designate a health care representative by either a power of attorney or last will. If a person does not designate a person as a health care representative in either document, then upon the person's death his or her identifiable health information can be disclosed at any time without limitation under the Act.

2. GENERAL DUTY OF CUSTODIANS.



(a) Except as otherwise provided by this [Act], a custodian of health information may not disclose individually identifiable health information without the consent of the subject or the subject's health care representative.



(b) This [Act] does not apply to disclosure of individually identifiable health information:



(1) by one individual to another individual for purposes unrelated to business or professional use, or



(2) to the general public as part of the publication of a bona fide news account by a recognized news organization.

Comment



Subsection (a) states the broad overall duty of custodians who control, possess or maintain individually identifiable health information. This duty is the core of the Act. Simply stated, a custodian's duty is to protect all individually identifiable health information from release. Sections 3 through 6 of the Act temper this non-disclosure rule in a number of circumstances. First, disclosure is permitted when the subject has consented to the disclosure (Section 4). Second, in certain cases, custodians are required to disclose (Section 5). Lastly, custodians are permitted in limited cases to make a disclosure in their discretion (Sections 3 and 6).

Subsection (b)(1) was drafted to remove any concern about close friends and family being held liable under the Act for sharing information about the subject of the information. As defined in the Act, "custodian" includes any person in possession of health care information about the subject of the information. As so defined, the definition would include a subject's spouse, children and friends who possess health information about the subject. While there are good reasons to treat them as custodians in certain cases, there are also a good number of instances where it would be inappropriate to treat their disclosure of information as prohibited under the Act. Under this subsection there are no restrictions when the disclosure of the information is not related to professional use or made in the course of business. This protects interactions such as a conversation between a spouse and a subject's physician, a phone call between family members, or the report of a hospitalized co-worker's condition to other concerned co-workers. The drafters recognize the value of these interactions to providing quality health care and maintaining the close relationship between individuals. Because it is not the intent of the drafters to interfere with these relationships, this type of interaction is exempted from liability under the Act.

Traditional theories of agency apply for employers when an employee, acting as an agent, discloses individually identifiable health information. However, when the employee discloses the individually identifiable health information in a personal situation outside the scope of employment, the employer is exempt from liability. For example, an insurance company whose employee discloses individually identifiable health information in violation of the Act would be liable if the disclosure occurred in the course of employment. However, if the disclosure occurred outside the employment, such as while the employee was walking on the golf course with his wife, the insurance company would not be liable.

Notwithstanding the exclusion in Section 2(b), as noted in the comments to Section 9, if any excluded disclosure about a subject would otherwise be impermissible under common law doctrines or other statutes, the subject may have a cause of action under such doctrines or statutes. For example, casual conversation about a subject among health care providers may be inconsistent with common law rules relating to confidentiality or privacy, and the subject may have a cause of action under the common law.

Subsection (b)(2) exempts disclosures made as part of the news reporting process. Because the focus of the Act is on each custodian's responsibility to protect individually identifiable health information, the consequences of disclosure under the Act fall upon the person who discloses the information, not the news organization that receives it. Health information can be a valuable part of the information provided by the press to the public, but the release of the information should be within the guidelines of the Act to protect the privacy of a subject. News organizations should note, however, that the Act does not exempt them from liability arising under other legal principles, such as the tort of invasion of privacy.

3. INTERNAL DISCLOSURE BY CUSTODIANS.



A custodian may disclose or use individually identifiable health information for its own internal use only when the disclosure or use is consistent with the purpose for which the information was lawfully obtained.



Comment



This Section recognizes the need for the use of identifiable health information within organizations. The drafters identified several areas within institutions where internal dissemination of individually identifiable health information may be necessary. Institutions that provide direct care to patients have uses of individually identifiable health information such as treatment and consultation activities, quality management, administrative activities, teaching and research. Other institutions such as third party payers and regulatory agencies also need the individually identifiable health information to provide payment, documentation and other administrative and quality management reasons.

The drafters discussed many hypothetical situations and have provided some of them below as guidelines showing where the limitations fall and as examples of permissible internal uses by various custodians.



Health care institutions

Health care institutions have providers (other than the primary caregiver) within the organization involved in the treatment of a patient who need access to individually identifiable health information to provide diagnostic, treatment or consultation services to the patient. Examples of such providers include, but are not limited to, laboratory services, physical therapists, radiological services and students in professional health care programs. One example of appropriate use of identifiable health information is when an obstetrician needs to refer a pregnant woman to another obstetrician for an amniocentesis during her pregnancy. The referring physician would have explicit permission under the Act to send the subject's records to the physician performing the procedure.

Health care institutions also have administrative activities that utilize individually identifiable health information, such as billing; licensure; and reporting requirements for state and federal agencies or accrediting institutions such as the Joint Commission on the Accreditation of Healthcare Organizations (JCAHO).

Finally, all health care institutions monitor the quality of care provided within their institutions in some manner, and at times utilization of individually identifiable health information is necessary. At other times, however, aggregate information is adequate to meet this need, and at those times aggregate data should be utilized. Research activities, like quality management activities, at times need individually identifiable health information. However, these situations should involve documented patient consent unless the project is approved by an Institutional Review Board (IRB) to be done without consent due to the nature of the research. The drafters of the Act consider an IRB to be a board, committee, or other group formally designated by an institution or authorized under federal or state law to review, approve the initiation of, or conduct periodic review of research programs to assure the protection of the rights and welfare of human research subjects. As an example of research activities, if the obstetrician who has received the referral to perform the amniocentesis in the hypothetical above wants to maintain individually identifiable health information about the amniocentesis for possible long-term research, the consent form for the amniocentesis procedure should reflect this possibility unless the research has been approved through an IRB. After the consent form has been signed, the information becomes internal and available for future use without needing further releases from the subject. In a like manner, if researcher A requests information from medical records, and B collects that information while it is in an identifiable form but discloses it to A in an unidentifiable form, no disclosure has occurred under the definition of the Act. The focus of the Act is to provide a shield to protect patient confidentiality as much as possible while still meeting the needs of researchers.

Other organizations

The drafters also recognize that institutions other than direct care providers require the use of individually identifiable health information to provide their services. Particular concerns were noted by the drafters regarding the privacy of individually identifiable health information when it is released beyond the custodian who generates the information and becomes available to outside organizations such as third party payers. It is clear that without this information these organizations would be unable to provide their services, such as accreditation or payment for services. However, because of the lack of a consistent approach by outside organizations in the management of this information, many opportunities exist for sensitive individually identifiable health information to be mishandled and the privacy of the individual to be violated. This concern is addressed by the Act by holding all custodians, including those who receive the information secondarily, to the same level of privacy protection.

For example, an organization that provides wellness programs for its employees would be able to monitor the effectiveness of the program by following the health of individuals who utilize the wellness program and comparing their utilization of health insurance with that of individuals not involved in it, as this is an internal use consistent with the original purpose for which the information was collected. However, under the Act, this same wellness information is not available for the organization to use for employee retention purposes.

Similarly, under the Act individually identifiable health information would not be available from providers or payers to be sent to pharmaceutical companies for marketing purposes without possible criminal consequences (See Section 9). Nor would identifiable health information be available to transfer between sections of insurance companies for uses not consistent with the original purpose for collecting the information, which was for paying the subject's bill for services. Again, the focus of the Act is to shield the individual's privacy as much as possible while still meeting the needs of these organizations.

4. CONSENT.



(a) Custodians may disclose individually identifiable health information with the consent of the subject or the subject's health care representative.



(b) A valid consent must:



(1) be evidenced by a writing that is signed and dated by the subject or the subject's health care representative;



(2) identify the subject;



(3) identify by name the person to which the disclosure is to be made;



(4) identify by name the custodian that is to make the disclosure;



(5) specify the nature of the information to be disclosed; and



(6) specify the purpose of the disclosure.

(c) The subject or the subject's health care representative may revoke or amend the consent at any time.



(d) The consent is valid only for the custodian identified in the consent and only for information reasonably necessary to accomplish the purpose for which the consent is given unless the subject or the subject's health care representative specifically authorizes the release of all of the subject's health information to a health care provider.



(e) Where the subject or the subject's health care representative signing the consent does not prepare it:



(1) the terms of the consent shall be clearly identified so that a reasonable person would be aware of the scope and purpose of the consent; and



(2) upon request, a copy of the consent shall be given to the individual signing it.



(f) Any consent that a custodian obtained prior to the effective date of the [Act] is valid for 18 months after the effective date of the [Act].



Comment

The purpose of Section 4 is to allow a custodian to disclose a subject's individually identifiable health care information when the subject (or the subject's health care representative) has consented to the disclosure. A consent form is most commonly given to the subject or the subject's representative when the subject is initially treated by a health care provider or applies for an insurance policy. If a custodian obtains a valid consent, the custodian may disclose the subject's individually identifiable health care information only as specified by the consent.

Subsection (b) sets forth the information a consent form must contain to be valid under the Act. If a consent form does not fulfill all six requirements, it is invalid and disclosure is prohibited. Requiring a written consent that specifies who will be receiving the information and what specific information is being released allows a subject to know who has access to what part of the subject's individually identifiable health information and why. The goal of subsection (d) is to reduce the amount of individually identifiable health care information released by placing a "reasonable" standard on the amount of information a third party can request from a custodian. The person requesting the information has the burden to show that information requested is reasonably necessary for the purpose specified in the consent. This Section invalidates open-ended consent forms. For a subject who would like to allow a health provider complete discretion in the disclosure of their health care information, subsection (d) allows a subject to authorize a release of all their health care information. This type of blanket consent is valid only for disclosures to health care providers.

Subsection (e) requires a consent form (that is not written by the subject himself) to be clear and visible so that a subject is aware of the meaning and scope of the consent. For example, consent forms that are buried deep in insurance applications may not be valid under this statute. This Section gives third parties an incentive to write clear consent forms, as they will be held to a reasonable person standard when interpreting whether a subject was aware of the scope of the consent.

Subsection (f) gives custodians eighteen months to comply with the provisions of this Section. This grace period will minimize the Act's disruption to the ordinary course of business for the custodian, and give the custodian ample time to write new consent forms, if necessary, and obtain valid consent from subjects.



5. MANDATORY DISCLOSURES.



(a) A custodian must disclose individually identifiable health information when disclosure to a designated person is required by any law of this [state] or of the United States.



(b) A physician must disclose to the [state] [department of health] individually identifiable health information relating to the HIV-positive status of a subject who is a patient of the physician.



(c) The [state] [department of health] must disclose the subject's HIV-positive status to the [medical director] of a penal institution or mental health facility to which the subject is committed upon written request of the [medical director].



(d) A custodian must disclose individually identifiable health information when required by a subpoena or court order:



(1) for use in a proceeding in which the subject is a party and the individually identifiable health information is material to the dispute; or



(2) when the individually identifiable health information:



(i) is necessary for the adjudication of a material fact in a judicial or administrative proceeding; and



(ii) when the need for the information substantially outweighs the privacy interest of the subject.

(e) For purposes of subsection (d) a subject or a subject's health care representative shall be served with advance notice and given a reasonable opportunity to oppose the issuance of a subpoena or court order requiring disclosure of individually identifiable health information for use in a judicial or administrative proceeding, unless:



(1) notice would be impracticable because the whereabouts of the subject or subject's health care representative are unknown;



(2) notice would risk destruction or unavailability of the information; or



(3) exigent circumstances require dispensing with notice.

Comment



This Section lists situations where the disclosure of individually identifiable health information is mandatory. Subsection (a) requires disclosure when mandated by state or federal law, including rules promulgated by federal and state agencies. Laws that currently require the disclosure of health information are not affected by the Act.

Subsection (b) requires that a physician disclose HIV-related information to the state department of health. Because the HIV virus is communicable and life threatening, the state has an interest in tracking HIV. While the mandatory reporting of HIV information has been controversial, the drafters believe that any negative impact mandatory reporting had on the willingness of persons to be tested is now largely overcome by the availability of treatment and the decline in the stigmatization of the disease.

This Section assures that the state department of health will have the information necessary for tracking and studying HIV. Other uses the state department of health makes of this information are beyond the scope of the Act.

Subsection (c) requires the state department of health to release HIV-related information to the medical director of a penal institution or mental health facility because the drafters believe that medical personnel and administrators at these institutions have a justified need to know an individual's HIV-positive status. The institutional environment gives rise to dangers of transmission not ordinarily found in society.

Subsection (d) states the requirements for disclosure when required by a court or a legal order. Paragraphs (1) and (2) list conditions in which individually identifiable health information must be disclosed because, for example, of the need for information by law enforcement and for use in court proceedings.

Paragraph (2) requires disclosure if, in a judicial or administrative proceeding, the individually identifiable health information is necessary to adjudicate a material fact. In such a case, the need for the information also must substantially outweigh the privacy interest of the individual. The standard of "substantially outweighs" is strict in order to protect a heightened privacy interest of the subject of the information. Thus, in order to substantially outweigh the privacy interest, there must be no alternative method of obtaining the information.

Subsection (e) requires advance notice to the subject and allows the subject or the subject's health care representative to oppose the disclosure of the health information where the disclosure is sought through a subpoena or court order. This subsection seeks to balance the subject's interest in the privacy of the subject's medical records and society's interest in fair trials and law enforcement. Notice gives two types of protection to the subject. First, the subject is given knowledge that others are trying to obtain the subject's health information. Second, the subject can challenge the need for disclosure. Three exceptions to the notice requirement are listed to ensure that the judicial proceeding or investigation is not hampered by this notice requirement. First, paragraph (1) allows for access where the subject cannot be found. This is applicable only where a reasonable effort is made to contact the subject. Second, paragraph (2) dispenses with the requirement of notice when notice may cause destruction or unavailability of the evidence. Third, paragraph (3) dispenses with the requirement of notice when exigent circumstances exist. While the notice requirement is important to protect the privacy interests of the subject, the requirement should not overburden public officials in the execution of their duties.



6. PERMISSIVE DISCLOSURES.



(a) A health care provider or an individual may disclose individually identifiable health information to a health care provider when that disclosure is reasonable and necessary for treatment of the subject.



(b) Except where disclosure is otherwise required by law, a custodian may disclose individually identifiable health information:

(1) to the [state], [tribal] or federal [public health agency] when the subject's identity is necessary to prevent or significantly reduce an imminent risk to public health or to a known individual; or

(2) to any person when:

(i) there is an imminent threat of serious injury or death to the subject or a known individual; and

(ii) release of the information is necessary to prevent or significantly reduce the risk of serious injury or death.

(c) A physician may disclose a subject's HIV-positive status to an individual who is known to have been in contact with the subject if:

(1) the physician reasonably believes that disclosure is medically appropriate and there is a significant risk of infection to that individual;

(2) the physician has counseled the subject regarding the need to notify the individual, and the physician reasonably believes the subject will not notify or inform the individual or abstain from activity which poses a significant risk of infection to the individual; and

(3) the physician informs the subject of the intent to notify the individual.

(d) A health care representative or an individual acting as an agent for the subject may disclose individually identifiable health information to any person if the purpose of the disclosure is related to the health care of the subject.

(e) A custodian may disclose individually identifiable health information at any time following the subject's death, unless the subject has designated a health care representative in either a durable health care power or advance directive or in a last will. If the subject has named a health care representative, the consent of such representative is required for any disclosure within three years after the subject's death.

(f) This section authorizes disclosure of identifiable health information only to the extent necessary to accomplish the purpose for which the disclosure is permitted.

Comment

The purpose of Section 6 is to allow disclosure of individually identifiable health information when either the need for the individually identifiable health information outweighs the need for privacy or the privacy interest is not great. In these cases, the person disclosing the individually identifiable health information may not be held liable for a disclosure.

While the goal of the Act is to protect against disclosure of individually identifiable health information, privacy must not come at the expense of the public health, the health of the subject, or the health of other individuals.

Subsection (a) authorizes a subject's health care provider to release individually identifiable health information to another health care provider when the other provider is participating in the subject's health care. This transfer of information can be done without the written consent of the subject, if the release is "reasonable and necessary" to the treatment of the subject. This subsection also permits a like disclosure by an individual who is not a health care provider. The purpose of permitting this disclosure is to recognize that in many cases close family members or friends may be custodians of health care information about a subject and that their disclosure of this information to a health care provider of the subject is permitted. This exception is necessary because the Act's exclusion of "casual conversations" among a subject's relatives and friends under Section 2(b) of the Act does not apply to disclosures made for business or professional reasons.

Subsection (b) permits disclosure to any person if the custodian of the individually identifiable health information reasonably believes there is an imminent threat of serious harm to the subject or a known individual and the disclosure would significantly reduce the risk of serious injury or death. In light of Subsection (b), a disclosure consistent with the rule will not result in the custodian being liable to the subject. At some level, Section 6(b) reflects concerns similar to those raised in Tarasoff v. Regents of the University of California, 551 P.2d 334 (Cal. 1976), where the court held that a wrongful death action could be brought against a psychotherapist who failed to disclose his patient's intent to murder another on the theory that he owed a duty of disclosure to the victim. This duty arose because the patient had confided his or her intention to inflict harm on another individual by name.

Subsection (c) treats the disclosure of HIV-related information separately. It provides for the disclosure of confidential HIV-related information if all the provisions of the subsection are met. While confidential HIV-related information should be closely guarded due to the serious possibility of discrimination, disclosure of the HIV-related information is allowed if the conditions are met because of the seriousness of the disease and the various methods of transmission. Any significant risk of future infection with HIV poses a serious threat to the person exposed to that risk. The subject's privacy interest is outweighed by the seriousness of the threat.

Subsection (d) permits a subject's health care representative (as defined in Section 1(f)) or another individual acting as an agent for the subject to disclose individually identifiable health information to any person if the disclosure is related to the health care of the subject. Thus, a spouse or parent could provide such information to an insurer or employer of the subject to assist in the processing of insurance claims and in making a workplace accommodation. Likewise, an elderly person's friend could provide such information to an agency processing the subject's Medicaid application to assist in the processing of that claim.

Subsection (e) assumes that a subject has a diminished privacy interest in individually identifiable health information after the subject is deceased. Therefore, after the subject's death, the information may be disclosed at any time. However, for those who want to protect the information, the subject of the information may designate a health care representative, who may protect the information for three years by preventing certain disclosures. Three years was chosen because there is usually a personal representative administering a decedent's estate during that period. In many cases, it is likely that the personal representative will be the same person as the health care representative.

The drafters had some concern about the release of genetic information after the subject's death. One concern was that genetic information could be considered family information, and, therefore, not disclosable after the death of the subject. Another concern was that family members could be discriminated against because of the genetic makeup of their parents or grandparents. The Act, however, is restricted to regulating disclosure and not use, and these concerns involve uses of information. Therefore, no restrictions on use were adopted and genetic information is treated like all other individually identifiable health information under the Act.

Subsection (f) provides an umbrella over all permissive disclosures in that it permits disclosures only to the extent necessary to accomplish the purpose for which it was permitted.

Although the Act permits the disclosure of individually identifiable health information under certain circumstances, it provides little guidance as to the standards to be used in exercising discretion to release individually identifiable health information. The development of guidelines might be an appropriate matter for state regulation. For example, under the guidelines set out by the 1984 President's Commission on Ethical, Legal, and Social Issues in Biomedical and Behavioral Sciences, several factors must be present before disclosure of genetic information is permitted. Those guidelines allow for permissive disclosure when (1) reasonable efforts to elicit voluntary consent to disclose have failed; (2) there is a high probability both that harm will occur if information is withheld and that the disclosed information will actually be used to avert harm; (3) the harm that identifiable individuals would suffer would be serious; and (4) appropriate precautions are taken to ensure that only the genetic information needed for diagnosis and/or treatment of the disease in question is disclosed.

These same guidelines would also be appropriate before the release of individually identifiable health care information. The drafters of the Act encourage the agency authorized to implement the Act to consider utilizing either these guidelines or similar guidelines as the minimum standards before disclosure is allowed.

7. MAINTENANCE OF HEALTH INFORMATION.

(a) A custodian shall take reasonable measures to assure the integrity, confidentiality, and security of individually identifiable health information.

(b) A custodian may maintain a subject's individually identifiable health information for as long as it is lawful to possess it.

Comment

The exponential growth in the number of persons with access to a subject's individually identifiable health information and the growth in the mediums in which that information is stored and transmitted increases the need to regulate the manner in which health care information is maintained.

Subsection (a) requires a custodian to adopt reasonable measures to protect individually identifiable health information. Reasonable measures may vary depending on the type of custodian, information, and technology. Specific requirements will be established by rule by the state department of health under Section 8.

Subsection (b) permits but does not require a custodian to maintain individually identifiable health information for as long as it is lawful to do so. Therefore there is no need for a custodian to destroy health care information once the custodian no longer has a present connection with the subject so long as its retention is lawful. On the other hand the Act does not foreclose destruction and indeed, in many instances, a policy of regular destruction would be desirable.

Custodians who fail to maintain information in accordance with this Section may be subjected to civil liability under Section 9 or as otherwise provided for by law.

The Act does not specifically address the ways in which research related information is maintained. Research is essential to the advancement of medicine. Without privacy and confidentiality, patients will not reveal and physicians will not record accurate information necessary for clinical care or research. Because of the complex nature of this area, the Drafters decided that this issue is currently beyond the scope of the Act. An IRB will determine the maintenance of medical records by researchers. The IRB has the experience and expertise to decide the reasonable measures for maintenance of individually identifiable health information by researchers.

8. AUTHORITY OF [STATE] [DEPARTMENT OF HEALTH].

(a) The [State] [Department of Health] is authorized to:

(1) adopt rules and issue orders, pursuant to the [State] [Administrative Procedure Act], necessary to provide for the effective administration and enforcement of this [Act];

(2) hear appeals in contested cases pursuant to [State] [Administrative Procedure Act] on matters relating to the actions taken by the director under this [Act]; and

(3) establish, by rule, civil penalties which may be administratively assessed for violations of this [Act].

(b) The [State] [Department of Health] shall promulgate rules governing:

(1) security of individually identifiable health information;

(2) maintenance of sensitive individually identifiable health information; and

(3) disclosure of HIV-positive status to persons who may have been exposed in the course of providing medical treatment.

Comment

Section 8 authorizes the state department of health to provide rules necessary for the effective administration of the Act. This Section allows the Act to be applied with a certain amount of flexibility with regard to the rules placed upon specific custodians. Further, Section 8 permits health departments to change the disclosure rules applicable to custodians should the balance between disclosure and privacy change over time. Section 8 is not written to supplant, by silence, other state agencies. The entire statute is intended to put limitations and guidelines strictly on disclosure of information. Other agencies, such as the State Insurance Division, are free to adopt rules and regulations which are more restrictive than the Act's minimum standards for disclosure, unless they are inconsistent with the Act.

Subsection (a) gives the state department of health enumerated powers. Paragraph (1) grants rule-making authority to the state department of health. The state department of health is the most efficient agency to implement the Act's requirements. Health departments are experienced in promulgating regulations, have the expertise to effectively implement the Act's requirements, and are experienced in dealing with the medical and insurance communities. This section also authorizes the state department of health to prescribe rules for the inspection and citation of custodians. For example, the state department of health may authorize representatives to inspect and question any custodian to assure compliance with the provisions of the Act.

Paragraph (2) grants adjudicatory authority to the state department of health. The adjudicatory and appeals process is to follow the procedures established in the State Administrative Procedure Act.

Paragraph (3) allows the state department of health to establish appropriate civil penalties for violations of the Act.

Subsection (b) lists three areas the state department of health must specifically regulate. Direct regulation of the areas specified in subsection (b) is beyond the scope of the Act. However, promulgation of regulations in the areas specified in subsection (b) is essential to achieving the goals of the Act.

Paragraph (1) directs the state department of health to adopt rules relating to the security of individually identifiable health information. At minimum, these rules should deal with securing individually identifiable health information from both unintended destruction and impermissible access. All health care information should be protected by the best security systems reasonably available and practicable, taking into account the available economic and personnel resources of the custodian. For example, the security requirements for a major tertiary care center will probably be different than those placed upon a small dentist's office. A reasonable security system will also be limited by the health information's form. For example, security requirements for health information in paper form likely will differ from the security requirements placed upon health information in an electronic format.

Paragraph (2) requires the state department of health to adopt rules governing the maintenance of sensitive individually identifiable health information. For example, the state health department may require that sensitive health information be maintained separately from a subject's regular medical information. While the Act does not define the phrase sensitive health information, it might include any individually identifiable health information, the release of which is likely to create serious economic or social harm to the subject, such as mental health, genetic, and HIV information. The department of health can provide a specific definition by rule.

Paragraph (3) requires the state department of health to promulgate rules governing whether and under what conditions a custodian may disclose a subject's HIV status to an individual potentially exposed to HIV while providing medical treatment to the subject.

Under federal law the Department of Health and Human Services issues regulations relating to the maintenance of medical records. Any rules adopted pursuant to the authority of this Section cannot be inconsistent with those regulations or other federal laws.

9. SANCTIONS AND REMEDIES

(a) Any person who discloses individually identifiable health information for commercial or financial advantage knowing that the disclosure is not permitted by this [Act] is guilty of a [class ____ felony].

(b) A custodian who recklessly discloses individually identifiable health information in violation of this [Act] shall be liable:

(1) to the subject in an amount of [$5,000] or actual damages if greater; and

(2) to any other person harmed by the disclosure for actual damages.

(c) A custodian who negligently discloses individually identifiable health information in violation of this [Act] shall be liable:

(1) to the subject in an amount of [$1,000] or actual damages if greater; and

(2) to any other person harmed by the disclosure for actual damages.

(d) Any individual harmed by a custodian's failure to comply with section 7(a) shall be entitled to recover damages of no less than [$1,000] or actual damages, whichever is greater.

(e) Any action under this [Act] is barred unless the action is commenced within two years after the violation was or should reasonably have been discovered.

(f) Any person who violates this [Act] may be subject to discipline for unprofessional conduct or to the suspension or revocation of a license.

Comment

For purposes of subsection (a) a person is considered to be acting knowingly if the person sells individually identifiable health information for commercial or financial gain, knowing the sale is a violation of the Act.

For the purposes of subsection (b) a person is liable only if that person recklessly discloses individually identifiable health information and the disclosure is proscribed by the Act. A person is liable to the subject if his disclosure violates the Act, in the amount of [$5,000] or actual damages, whichever is greater. A person would be liable to a third party for actual damages suffered by that party. For purposes of this subsection, a person would be reckless if the person disclosed individually identifiable health information in disregard of an obvious or known risk of harm to the subject.

Subsection (c) authorizes relief in the form of a mandatory minimum award of damages in the amount of $1,000 or actual damages, whichever is greater, for negligent disclosures not otherwise permitted by the Act. Additionally, a person would be liable to a third party for actual damages suffered by that party.

Negligent disclosures not covered by the Act by virtue of Section 2(b) may otherwise be actionable under other general legal principles. For example, Section 2(b) of the Act would not apply to a subject's doctor having a general discussion about the subject's health with a friend of the subject. However, if in the course of that discussion the doctor revealed confidential health information, the subject could have a cause of action against the doctor under general legal principles requiring the doctor to preserve a patient's confidences.

Subsection (d) authorizes relief in the form of a mandatory minimum award of damages in the amount of [$1,000] or actual damages, whichever is greater, for a person harmed by a custodian's failure to comply with section 7(a) of the Act.

Subsection (e) provides a statute of limitations for actions under the Act. The two year limitation period applies to both civil and criminal actions.

Subsection (f) allows a professional licensure board to discipline a licensee or suspend or revoke a licensee's license for a violation of the Act.

The sanctions imposed in Section 9 are not exhaustive. The Department of Health is authorized under Section 8 to also adopt rules and regulations that impose additional fines, sanctions and other remedies.

10. UNIFORMITY OF APPLICATION AND CONSTRUCTION

This [Act] shall be applied and construed to effectuate its general purpose to make uniform the law with respect to the subject matter of this [Act] among States enacting it.

11. SHORT TITLE

This [Act] may be cited as the Health Information Disclosure Act.

12. SEVERABILITY CLAUSE

If any provision of this [Act] or its application to any person or circumstances is held invalid, the invalidity does not affect other provisions or applications of this [Act] which can be given effect without the invalid provisions or application, and to this end the provisions of this [Act] are severable.

13. EFFECTIVE DATE

This [Act] takes effect on [______________].