Session of 1999
         
SENATE BILL No. 259
         
By Committee on Financial Institutions and Insurance
         
2-8
         

AN ACT concerning insurance companies; regarding the privacy of medical records, enacting the health information privacy act.

Be it enacted by the Legislature of the State of Kansas:

Section 1. This act shall be known as the health information privacy act.

Sec. 2. As used in this act:
(a) "Carrier" means a person or entity required to be licensed or authorized by the commissioner to assume risk, including but not limited to an insurer, a hospital, medical or health service corporation, a health maintenance organization, a provider sponsored organization, a multiple employer welfare arrangement, a self-insured group fund or a workers compensation self-insurer. Carrier does not include a nonrisk-bearing regulated insurance entity, such as a producer, agency or administrator.
(b) "Commissioner" means the commissioner of insurance.
(c) "Covered person" means a policyholder, subscriber, enrollee, beneficiary, insured, certificateholder or other person covered by a policy, contract or agreement of insurance issued by a carrier.
(d) "Disclose" means to release, transfer, or otherwise divulge protected health information to any person other than to the individual who is the subject of the protected health information.
(e) "Facility" means an institution providing health care services or a health care setting, including but not limited to hospitals and other licensed inpatient centers, ambulatory surgical or treatment centers, skilled nursing centers, residential treatment centers, diagnostic, laboratory and imaging centers and rehabilitation and other therapeutic health settings.
(f) "Health care" means:
(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, services, procedures, tests or counseling that:
(A) Relates to the physical, mental or behavioral condition of an individual; or
(B) affects the structure or function of the human body or any part of the human body, including the banking of blood, sperm, organs or any other tissue; or
(2) prescribing, dispensing or furnishing to an individual drugs or biologicals, or medical devices or health care equipment and supplies.
(g) "Health care professional" means a physician or other health care practitioner licensed, accredited or certified to perform specified health services consistent with state law.
(h) "Health care provider" or "provider" means a health care professional or facility.
(i) "Health information" means any information or data, whether oral or recorded in any form or medium, and personal facts or information about events or relationships that relates to:
(1) The past, present or future physical, mental or behavioral health or condition of an individual or a member of the individual's family;
(2) the provision of health care to an individual; or
(3) payment for the provision of health care to an individual.
(j) "Insurance support organization" means a person that regularly engages, in whole or in part, in the practice of assembling or collecting information from carriers, agents or other insurance support organizations for the purpose of ratemaking or ratemaking-related functions, regulatory or legislative cost analysis, detecting or preventing fraud, material misrepresentation or material nondisclosure in connection with insurance underwriting or insurance claim activity. Persons that are not considered insurance support organizations for purposes of the act are agents, government institutions, insurance institutions, medical care institutions and medical professionals.
(k) "Person" means an individual, a corporation, a partnership, an association, a joint venture, a joint stock company, a trust, an unincorporated organization, any similar entity or a combination of the foregoing.
(l) "Protected health information" means health information:
(1) That identifies an individual who is the subject of the information; or
(2) with respect to which there is a reasonable basis to believe that the information could be used to identify an individual.
(m) "Research" means the process of systematic investigation or inquiry including, but not limited to any of the following: The systematic development and testing of a hypothesis; and the systematic description, analysis and measurement of processes, behaviors and physical, social, political or medical phenomena.
(n) "Research organization" means a person or organization, other than the carrier disclosing the protected health information, engaged in research.
(o) (1) "Scientific, medical or public policy research" means research conducted to improve the effectiveness of:
(A) Determining medical causation, diagnosis and treatment;
(B) public health; or


(C) the operations of the public or private health care, insurance or workers compensation systems; and
(2) (A) the results of such research are intended for publication; and
(B) the research findings are intended to be widely disseminated beyond the carrier and research organization so as to benefit the public good; and
(3) the scientific, medical or public policy research excludes all activities listed in subsection (h)(1) of section 10 and amendments thereto.
(p) "Unauthorized" means a collection, use or disclosure of protected health information made by a carrier without the authorization of the subject of that protected health information or that is not in compliance with this act, unless collection, use or disclosure without an authorization is permitted by this act.

Sec. 3. This act applies to all carriers and governs the management of health information, including the collection, use, and disclosure of protected health information by carriers.

Sec. 4. (a) A carrier shall develop and implement written policies, standards and procedures for the management of health information, including policies, standards and procedures to guard against the unauthorized collection, use or disclosure of protected health information by the carrier which shall include:
(1) Limitation on access to health information by only those persons who need to use the health information in order to perform their jobs;
(2) appropriate training for all employees;
(3) disciplinary measures for violations of the health information policies, standards and procedures;
(4) identification of the job titles and job descriptions of persons that are authorized to disclose protected health information;
(5) procedures for authorizing and restricting the collection, use or disclosure of protected health information;
(6) methods for exercising the right to access and amend protected health information as provided in sections 7 and 8 and amendments thereto;
(7) methods for handling, disclosing, storing and disposing of health information;
(8) periodic monitoring of the employees' compliance with the carrier's policies, standards and procedures in a manner sufficient for the carrier to determine compliance with this act and to enforce its policies, standards and procedures; and
(9) methods for informing and allowing an individual who is the subject of protected health information to request specialized disclosure or nondisclosure of protected health information as required under section 13 and amendments thereto.


(b) (1) In any contractual arrangement between a carrier and a person other than a covered person or health care provider where the person collects or uses protected health information on behalf of the carrier or where the carrier discloses protected health information to the person a carrier shall:
(A) Require such person to have health information policies, standards and procedures that comply with the requirements of this act; and
(B) inform such person of its obligation to comply with any applicable state and federal statutory and regulatory requirements governing the collection, use or disclosure of protected health information.
(2) In any contractual arrangement between a carrier and a health care provider, a carrier shall require that the health care provider have health information privacy policies, standards and procedures.
(3) Notwithstanding the provisions of section 17 and amendments thereto, all contractual arrangements described in this subsection in effect on January 1, 2000, shall comply with this act no later than 18 months after January 1, 2000, or the renewal date of the contract, whichever is earlier.
(c) A carrier shall make the health information policies, standards and procedures developed pursuant to this section available to the commissioner for review.

Sec. 5. (a) A carrier shall draft a written notice of such carrier's health information policies, standards and procedures developed pursuant to section 4 and amendments thereto, which shall be made available to the commissioner. The notice shall include:
(1) The collection, use and disclosure of protected health information prohibited and permitted by this act;
(2) the procedures for authorizing and limiting disclosures of protected health information and for revoking authorizations;
(3) the procedures for accessing and amending protected health information; and
(4) the right of a covered person to review a copy of the carrier's health information policies, standards and procedures.
(b) The carrier shall provide the notice to any person upon request, to covered persons at the time the policy is first delivered, and to all other individuals when requesting an authorization. If subsequent policies are issued to the same insured, no additional notices are required to be included when those subsequent policies are delivered.

Sec. 6. (a) Subject to the exceptions listed in subsection (b)(3), an individual who is the subject of the protected health information has the right to examine or receive a copy of the protected health information that is in the possession of the carrier or a person acting on behalf of the carrier.


(b) No later than 20 working days after receipt of a written request for protected health information from an individual who is the subject of protected health information, a carrier shall do one of the following:
(1) Provide a copy of the protected health information requested to the individual or, if providing a copy is not possible, permit the individual to examine the protected health information during regular business hours;
(2) notify the individual that the carrier does not have the protected health information and, if known, inform the individual of the name and address of the person who has the protected health information requested or, if the carrier will be obtaining access to the requested protected health information, when the protected health information is expected to be available to the individual; or
(3) deny the request in whole or in part if the carrier determines any of the following:
(A) Knowledge of the protected health information would reasonably be expected to identify a confidential source who provided the protected health information in conjunction with a lawfully conducted investigation, law enforcement investigation or court proceeding;
(B) the protected health information was compiled in preparation for litigation, law enforcement or fraud investigation, quality assurance or peer review purposes;
(C) the protected health information is the original work product of the carrier, which would include but not be limited to interpretation, mental impressions, instructions and other original product of the carrier, its employees and agents;
(D) the requester is a party to a legal proceeding involving the carrier where the health condition of the requester is at issue. Once a legal proceeding is resolved, the individual's right to access protected health information under this section and to amend protected health information under section 7 and amendments thereto shall be restored; or
(E) disclosure of the protected health information to the individual who is the subject of the protected health information is otherwise prohibited by law.
(c) If a request to examine or copy protected health information is denied in whole or in part under this section, the carrier shall notify the individual who is the subject of the protected health information of the reasons for the denial in writing. When the protected health information was compiled in preparation for litigation, law enforcement or fraud investigation, the carrier is not required to notify the individual of the reasons for the denial.
(d) A carrier is not required to create a new record or reformulate an existing record in order to meet a request for protected health information.
(e) The carrier may charge a reasonable fee for providing the protected health information requested and shall provide a detailed bill accounting for the charges. No charge shall be made for reproduction of protected health information requested for the purpose of supporting a claim, supporting an appeal or accessing any federal or state sponsored or operated health benefits program.

Sec. 7. (a) An individual who is the subject of protected health information has the right to amend the protected health information to correct any inaccuracies.
(b) Within 30 working days after receipt of a written request from an individual who is the subject of protected health information to amend protected health information, a carrier shall act to verify the accuracy of protected health information identified as erroneous by the individual and shall do one of the following:
(1) Correct or amend, either by changing the information in question or adding additional information as provided by the individual, or delete the portion of the protected health information in dispute and notify the individual of the changes; or
(2) notify the individual that the request has been denied, the reason for the denial, and that the individual may:
(A) Request that the health care provider who created the record in question amend the record. The carrier shall include the health care provider's name and address; or
(B) file a concise statement of what the individual believes to be the correct information and the reasons why the individual disagrees with the denial. The carrier shall retain this statement filed by the individual with the protected health information.
(c) If the carrier corrects, amends or deletes the protected health information as requested pursuant to subsection (b)(1), the carrier shall furnish the correction, amendment or deletion to:
(1) All persons who have received the protected health information that has been corrected, amended or deleted from the carrier within the preceding two years;
(2) an insurance support organization whose primary source of protected health information is carriers, as long as the insurance support organization has systematically received protected health information from the carrier within the preceding seven years. The correction, amendment or deletion need not be furnished if the insurance support organization no longer maintains the protected health information that has been corrected, amended or deleted; and
(3) any person that furnished the protected health information that was amended pursuant to subsection (b)(1).


(d) If the individual who is the subject of the protected health information files a statement pursuant to subsection (b)(2)(B), the carrier shall:
(1) Clearly identify the matter or matters in dispute and include the statement in any subsequent disclosure of the protected health information; and
(2) furnish the statement to the persons described in subsection (c).
(e) Nothing in this section shall require a carrier to alter, delete, erase or obliterate medical records provided to such carrier by a health care provider.
(f) Nothing in this section shall be construed to give a person access to protected health information covered by the exceptions listed in subsection (b)(3) or section 6 and amendments thereto.

Sec. 8. (a) A carrier shall provide upon request, to an individual who is the subject of the protected health information, information regarding disclosure of that individual's protected health information that is sufficient to exercise the right to amend the information pursuant to section 7 and amendments thereto. This information shall include the date, purpose, recipient and relevant authorization or basis for the disclosure. The carrier may charge a reasonable fee for providing the information regarding the disclosures of information.
(b) A carrier shall maintain a system that is sufficient for the commissioner to determine that the carrier can produce a complete list of disclosures:
(1) For routine disclosures, a carrier shall be able to track when routine disclosures are made, to whom they are made and for what purpose they are made; and
(2) for all other disclosures, a carrier shall be able to identify the authorization or release form or provision of law allowing the receipt or disclosure of protected health information.
(c) A carrier is not required to include in the information developed pursuant to subsection (a) of section 8 and amendments thereto, any disclosures of protected health information that were compiled in preparation for litigation, law enforcement or fraud investigation.

Sec. 9. (a) A carrier shall not collect, use or disclose protected health information without a valid authorization from the subject of the protected health information, except as permitted by section 10 and amendments thereto or as permitted or required by law or court order. Authorization for the disclosure of protected health information may be obtained for any purpose, provided that the authorization meets the requirements of this section.
(b) A carrier shall retain the authorization or a copy thereof in the record of the individual who is the subject of the protected health information.


(c) A valid authorization shall be in writing and contain all the following:
(1) The identity of the individual who is the subject of the protected health information;
(2) a description of the types of protected health information to be collected, used or disclosed. If the authorization is in support of an application for coverage where tests, including genetic tests, and examinations are to be performed in conjunction with underwriting the application, the authorization shall include a description of the types of tests or examinations to be performed and shall be accompanied by a statement that the tested individual may choose whether to receive the results of any laboratory tests or medical examinations performed. In cases where the authorization is other than in support of an application for coverage, and tests, including genetic tests, and examinations are to be performed, an individual may choose whether to receive the results of any laboratory tests or medical examinations performed and obtain, upon request, a detailed list of laboratory tests or medical examinations to be performed before tests or examinations are administered;
(3) a general description of the sources from which protected health information will be collected;
(4) the name and address of the person to whom the protected health information is to be disclosed, except that an authorization provided to a carrier for collection of protected health information to support insurance functions listed in subsection (h) of section 9 and amendments thereto may generally describe the persons to whom protected health information may be disclosed;
(5) the purpose of the authorization, including the reason for the collection, the intended use of the protected health information, and the scope of any disclosures that may be made in carrying out the purpose for which the authorization is requested, provided those disclosures are not otherwise prohibited by law;
(6) the signature of the individual who is the subject of the protected health information or the individual who is legally empowered to grant authority and the date signed; and
(7) a statement that the individual who is the subject of the protected health information may revoke the authorization at any time, except as provided in subsection (g) and subject to the rights of any person that acted in reliance on the authorization prior to revocation.
(d) An authorization shall specify a length of time for which the authorization shall remain valid, which in no event shall be for more than 12 months, except an authorization signed for one of the following purposes:
(1) For the collection of protected health information to support insurance functions listed in subsection (h) of section 9 and amendments thereto, in which event the authorization shall remain valid during the entire term of the policy or as long as necessary for the carrier to meet such carrier's obligations under the policy or as otherwise required by law;
(2) to support an application for, a reinstatement of, or a change in benefits under a life insurance policy, in which event the authorization shall expire in 30 months or whenever the application is denied, whichever occurs first; or
(3) to support or facilitate ongoing management of a chronic condition or illness or rehabilitation from an injury.
(e) A carrier shall obtain a separate authorization to disclose protected health information to an individual's employer, including the employer's designated risk manager, unless:
(1) The protected health information is disclosed pursuant to the employer's workers compensation program, to the extent necessary for the performance of the employer's and carrier's rights and duties under state laws governing workers compensation;
(2) the protected health information is disclosed pursuant to the employer's administration of a health and welfare benefit plan; or
(3) the protected health information is necessary to the administration of claims pursuant to a commercial lines policy.
(f) A carrier shall obtain a separate authorization to collect, use or disclose protected health information if the purpose of the collection, use or disclosure under subsection (c)(5) is for the marketing of services or goods, or for other commercial gain. The purpose of the collection, use or disclosure shall appear as a separate paragraph in bold type no smaller than 12 point. The purpose shall be stated in clear and simple terms. The request for authorization shall specify that the authorization shall remain valid for no more than 12 months and may be revoked at any time. The request for authorization shall state that the terms and conditions of all insurance policies will not be affected in any way by a refusal to give authorization. A separate authorization is not required if the use or disclosure is internal or to an affiliate and the only use of the information will be in connection with the marketing of an insurance product, provided the affiliate agrees not to disclose the information for any other purpose or to unaffiliated persons. With respect to insurance products, the individual shall be given an opportunity to indicate that such individual does not want protected health information used for marketing purposes and shall have given no indication that such individual does not want protected health information used for these purposes.
(g) An individual who is the subject of protected health information may revoke an authorization at any time, subject to the rights of any person who acted in reliance on the authorization prior to notice of revocation. A revocation of an authorization shall be in writing, dated and signed. A revocation of an authorization shall be retained by the carrier in the record of the individual who is the subject of the protected health information. A carrier shall give prompt notice of the revocation to all persons to whom the carrier has disclosed protected health information in reliance on the initial authorization.
(h) A carrier that has collected protected health information pursuant to a valid authorization in accordance with this act, may use and disclose the protected health information to a person acting on behalf of or at the direction of the carrier for the performance of the carrier's insurance functions: Claims administration, claims adjustment and management, fraud investigation, underwriting, loss control, rate-making functions, reinsurance, risk management, case management, disease management, quality assessment, quality improvement, provider credentialing verification, utilization review, peer review activities, grievance procedures and internal administration of compliance, managerial, information systems, and policyholder service functions. Additional insurance functions may be allowed with the prior approval of the commissioner.
The protected health information shall not be used or disclosed for any purpose other than in the performance of the carrier's insurance functions, except as otherwise permitted in this act.
(i) An authorization to collect, use or disclose protected health information pursuant to this act or a production of protected health information pursuant to a court order shall not be construed to constitute a waiver of any other privacy right provided to an individual who is the subject of protected health information by other federal or state laws, common law or rules of evidence.
(j) A person who receives protected health information from a carrier shall not use the protected health information for any purpose other than the lawful purpose for which it was disclosed.
(k) Nothing in this act shall require a carrier to provide a benefit or commence or continue payment of a claim in the absence of protected health information to support or deny the benefit or claim.
(l) A carrier that has collected protected health information prior to the effective date of this act is not required to obtain an authorization for the information. The information may only be used or disclosed in accordance with this act after the effective date.

Sec. 10. (a) A carrier may engage in the following activities with regard to protected health information without authorization in the following circumstances or as otherwise permitted by law:
(1) Collect protected health information from or disclose protected health information to a carrier, provided that the carrier that is receiving the information:


(A) Is investigating, evaluating, adjusting or settling a claim involving the individual who is the subject of the protected health information; or
(B) has become or is considering becoming liable under a policy insuring the individual who is the subject of the protected health information as a result of a merger, acquisition or other assumption of such liability;
(2) collect, use or disclose protected health information to the extent necessary to investigate, evaluate, subrogate or settle third-party claims, provided that the claimant is the subject of the protected health information and the protected health information is used for no other purpose without a valid authorization or the use is otherwise permitted under federal or state law;
(3) (A) collect, use or disclose protected health information to or from an insurance support organization if:
(i) The insurance support organization has in place health information policies, standards and procedures to ensure compliance with the requirements of this act; and
(ii) the protected health information is used only to perform the insurance functions of claims settlement, detection and prevention of fraud, or detection and prevention of material misrepresentation or material nondisclosure; or
(iii) the protected health information is collected and used internally only to perform the insurance functions of ratemaking and ratemaking-related functions or regulatory or legislative cost analysis; and
(B) Additional insurance functions may be added to subparagraphs (3)(A)(ii) and (iii) with prior approval of the commissioner;
(4) if the protected health information is necessary to provide ongoing health care treatment, and if the disclosure has not been limited or prohibited by the covered person who is the subject of the information, collect protected health information from or disclose protected health information to:
(A) A health care provider, employed by the carrier, who is furnishing health care to a covered person;
(B) a health care provider with whom the carrier contracts to provide health care services to covered persons; or
(C) a referring health care provider who continues to furnish health care to a covered person;
(5) disclose protected health information to a person engaged in the assessment, evaluation or investigation of the quality of health care furnished by a provider pursuant to statutory or regulatory standards or pur-
41       suant to the requirements of a private or public program authorized to
42       provide for the payment of health care;
43             (6) subject to the limits of subsection (a) of section 13 and amend-

  1       ments thereto, disclose protected health information to reveal a covered
  2       person's presence in a facility owned by the carrier and the covered per-
  3       son's general health condition, provided that the disclosure is limited to
  4       directory information, unless the covered person has restricted that dis-
  5       closure or the disclosure is otherwise prohibited by law. For the purposes
  6       of this paragraph, directory information means information about the
  7       presence or general health condition of a particular covered person who
  8       is a patient or is receiving emergency health care in a health care facility.
  9       General health condition means the covered person's general health con-
10       dition or status described as "critical," "poor," "fair," "good," "excellent,"
11       or in terms that denote similar conditions;
12             (7) collect, use or disclose protected health information when the
13       protected health information is necessary to the performance of the car-
14       rier's obligations under any workers compensation law or contract;
15             (8) collect protected health information from or disclose protected
16       health information to a reinsurer, stop loss or excess loss carrier for the
17       purpose of underwriting, claims adjudication and conducting claim file
18       audits;
19             (9) collect protected health information from the individual who is
20       the subject of the protected health information; and
21             (10) collect, use or disclose protected health information when the
22       protected health information is obtained from public sources such as
23       newspapers, public agency reports, and law enforcement or public safety
24       reports.
25             (b) Unless otherwise restricted by this section, a carrier that has col-
26       lected protected health information without an authorization pursuant to
27       subsection (a) of section 10 and amendments thereto, may use and dis-
28       close the information to a person acting on behalf of or at the direction
29       of the carrier to perform the insurance functions listed in subsection (h)
30       of section 9 and amendments thereto.
31             (c) A carrier shall disclose protected health information in any of the
32       following circumstances:
33             (1) To federal, state or local governmental authorities to the extent
34       the carrier disclosing the protected health information is required by law
35       to report protected health information or for fraud reporting purposes;
36       and
37             (2) the protected health information is needed for one of the follow-
38       ing purposes:
39             (A) To identify a deceased individual;
40             (B) to determine the cause and manner of death by a chief medical
41       examiner or the medical examiner's designee; or
42             (C) to provide necessary protected health information about a de-
43       ceased individual who is a donor of an anatomical gift; and

  1             (3) to a state department of insurance that is performing an exami-
  2       nation, investigation or audit of the carrier; or
  3             (4) pursuant to a court order issued after the court's determination
  4       that the public interest in disclosure outweighs the individual's privacy
  5       interest and that the protected health information is not reasonably avail-
  6       able by other means.
  7             (d) A disclosure of protected health information made pursuant to
  8       subsection (c) shall not be construed to be or to operate as a waiver of
  9       privacy rights provided by other federal or state laws, rules of evidence
10       or common law.
11             Sec.  11. (a) A carrier may disclose protected health information
12       without authorization to research organizations conducting scientific,
13       medical or public policy research as provided in this act.
14             (b)  (1) A carrier shall keep a record of research organizations to
15       which it discloses protected health information.
16             (2) The carrier shall keep the record five years.
17             (c) A carrier shall not disclose protected health information to a re-
18       search organization unless the research organization agrees that the pro-
19       tected health information shall not be disclosed by the research organi-
20       zation to a third person. The research organization may disclose the
21       protected health information to its agents, collaborators or contractors as
22       needed to conduct or assist with the research, as long as all requirements
23       of this section are applied to the agent, collaborator or contractor.
24             (d) A carrier shall disclose only the minimum data necessary to con-
25       duct the intended research. Protected health information shall be dis-
26       closed only where identification is necessary to conduct the research.
27             (e) If the scientific, medical or public policy research does not require
28       contact with the individual who is the subject of the protected health
29       information, the following protections shall exist prior to disclosure:
30             (1) The research organization develops and implements a written pol-
31       icy that includes procedures to assure the security and privacy of pro-
32       tected health information. The policy shall include:
33             (A) Training and disciplinary procedures to assure that persons in-
34       volved in research comply with the provisions of this act;
35             (B) safeguards to assure that information in a report of the research
36       project does not contain protected health information. The safeguards
37       shall include a system for ensuring that only authorized individuals are
38       able to establish a link between individuals and such individual's health
39       information; and
40             (C) a method for removing all information that identifies, directly or
41       indirectly through reference to publicly available information, the indi-
42       vidual who is the subject of the protected health information, when the
43       information is no longer needed for research that is otherwise permitted

  1       under this subsection. The policy may also provide that the research or-
  2       ganization may retain the protected health information for an indefinite
  3       period if archived in an encoded form, and it may not be used for other
  4       research unless the requirements of this section are met. "Encoded" as
  5       used in this subparagraph means that the personally identifiable infor-
  6       mation of the data is removed or encrypted and the key to restore the
  7       protected health information is retained in a secure place within the re-
  8       search organization with access limited to the minimum number of people
  9       necessary to maintain the confidentiality and integrity of the key.
10             (2)  (A) The research organization prepares a research plan that ex-
11       plains the purposes of the research, a general description of research
12       methods to be used and the potential benefits of the research.
13             (B)  (i) All research plans using protected health information under
14       this act shall be available to the public and may be obtained by written
15       request to the chief executive officer of the research organization or
16       carrier.
17             (ii) If the research plan contains information that is proprietary or
18       protected from disclosure by contract or statute, the information may be
19       deleted from the copy made available to the public.
20             (iii) The research organization shall keep the research plan on file for
21       five years.
22             (3)  (A) The carrier and the research organization shall execute a writ-
23       ten agreement:
24             (i) Stating the purposes of the research;
25             (ii) explaining how the purposes qualify as scientific, medical or pub-
26       lic policy research;
27             (iii) documenting that the organization is qualified under paragraphs
28       (1) and (2) of this subsection;
29             (iv) stating the expected time during which the data will be used for
30       the stated purposes;
31             (v) explaining the planned method of disposition of the protected
32       health information at the end of the term of use; and
33             (vi) stating that the written agreement shall be available to the public
34       and can be obtained by written request to the chief executive officer of
35       the research organization.
36             (B) The carrier shall provide a copy of the written, executed agree-
37       ment upon request to any person. If the executed agreement contains
38       information that is proprietary or protected from disclosure by contract
39       or statute, the information may be deleted from the copy that is made
40       available pursuant to this subsection.
41             (C) The carrier shall keep this agreement on file for five years.
42             (f) If the scientific, medical or public policy research requires contact
43       with the individual who is the subject of protected health information,

  1       the following protections shall exist prior to disclosure:
  2             (1) The research organization and carrier shall meet the requirements
  3       of subsection (e); and
  4             (2)  (A) The research organization is responsible for obtaining a le-
  5       gally effective informed consent of the subject or the subject's legally
  6       authorized representative. A research organization shall seek consent only
  7       under circumstances that provide the prospective subject or the represen-
  8       tative with sufficient opportunity to consider whether to participate in the
  9       research, and that minimize the possibility of coercion or undue
10       influence.
11             (B) The information that is given to the subject or the representative
12       shall be in language understandable to the subject or the representative.
13             (C) No informed consent, whether oral or written, may include any
14       exculpatory language through which the subject or the representative
15       waives or appears to waive any of the subject's legal rights, or releases or
16       appears to release the investigator, the sponsor, the research organization
17       or such organization's agents from liability or negligence.
18             (D) In seeking informed consent the following information shall be
19       provided to each subject:
20             (i) A statement that the study involves research, an explanation of the
21       purposes of the research and the expected duration of the subject's par-
22       ticipation, a description of the procedures to be followed and identifica-
23       tion of any procedures that are experimental;
24             (ii) a description of any reasonably foreseeable risks or discomforts
25       to the subject;
26             (iii) a description of any benefits to the subject or to others that may
27       reasonably be expected from the research;
28             (iv) a disclosure of appropriate alternative procedures or courses of
29       treatment, if any, that might be advantageous to the subject;
30             (v) a statement describing the extent to which confidentiality of re-
31       cords identifying the subject will be maintained;
32             (vi) for research involving more than minimal risk, an explanation as
33       to whether any compensation and medical treatments are available if in-
34       jury occurs and, if so, what such compensation and medical treatments
35       consist of, and where further information may be obtained;
36             (vii) an explanation of whom to contact for answers to pertinent ques-
37       tions about the research and the research subject's rights;
38             (viii) the name of a person to contact in the event of a research-
39       related injury to the subject; and
40             (ix) a statement that participation is voluntary, refusal to participate
41       will involve no penalty or loss of benefits to which the subject is otherwise
42       entitled, and that the subject may discontinue participation at any time
43       without penalty or loss of benefits to which the subject is otherwise

  1       entitled.
  2             (E) When appropriate, one or more of the following shall also be
  3       provided to each subject:
  4             (i) A statement that the particular treatment or procedure may in-
  5       volve risks to the subject (or to the embryo or fetus, if the subject is or
  6       may become pregnant) that are currently unforeseeable;
  7             (ii) anticipated circumstances under which the subject's participation
  8       may be terminated by the investigator without regard to the subject's
  9       consent;
10             (iii) any additional costs to the subject that may result from partici-
11       pation in the research;
12             (iv) the consequences of a subject's decision to withdraw from the
13       research and procedures for orderly termination of participation by the
14       subject;
15             (v) a statement that significant new findings developed during the
16       course of the research that may relate to the subject's willingness to con-
17       tinue participation will be provided to the subject; and
18             (vi) the approximate number of subjects involved in the study.
19             (F) If a research organization submits research for approval by an
20       institutional review board under the federal policy for the protection of
21       human subjects, as originally published in 56 federal register 28000 (1991)
22       and as adopted and implemented by a federal department or agency,
23       compliance with that process will be deemed compliance with the pro-
24       visions of subsection (e)(2) and (f)(2) of this section.
25             (g)  (1) If a carrier discloses to an organization conducting scientific,
26       medical or public policy research health information that is not protected
27       health information because all identifying information is encrypted, the
28       carrier and research organization shall execute a written agreement that
29       provides:
30             (A) That the research organization will not rerelease the data accom-
31       panied by the encrypted identifying information to a third person. The
32       research organization may disclose protected health information to its
33       agents, collaborators or contractors as needed to conduct or assist with
34       the research, as long as all requirements of this section are applied to the
35       agent, collaborator or subcontractor;
36             (B) that the research organization shall make no effort to link any
37       health information it received with encrypted identifying information to
38       any other data that may identify the individual who is the subject of the
39       information; and
40             (C) that the research organization shall make no effort to link any
41       encrypted protected health information with any other identifiable data.
42             (2) Prior to any encrypted information being decrypted or linked to
43       identifying data, the research organization shall comply with the require-

  1       ments set forth in this section and health information with decrypted
  2       identifying information shall be deemed protected health information.
  3             (h) Nothing in this act shall be construed to prevent the creation, use
  4       or release of anonymized data for which there is no reasonable basis to
  5       believe that the information could be used to identify an individual.
  6             (i) Nothing in this section shall be construed as superseding federal
  7       laws and regulations governing scientific, medical and public policy
  8       research.
  9             Sec.  12. An unauthorized collection, use or disclosure of protected
10       health information by a carrier is prohibited and subject to the penalties
11       set forth in section 14 and amendments thereto. An unauthorized collec-
12       tion, use or disclosure includes:
13             (a) Unauthorized publication of protected health information;
14             (b) unauthorized collection, use or disclosure of protected health in-
15       formation for personal or professional gain, including unauthorized re-
16       search that does not meet the requirements of this act;
17             (c) unauthorized sale of protected health information;
18             (d) unauthorized manipulation of coded or encrypted health infor-
19       mation that reveals protected health information; and
20             (e) use of deception, fraud, or threat to procure authorization to col-
21       lect, use or disclose protected health information.
22             Sec.  13. (a) A carrier shall limit disclosure of information, including
23       health information, about an individual who is the subject of the infor-
24       mation if the individual clearly states in writing that disclosure to specified
25       individuals of all or part of that information could jeopardize the safety
26       of the individual. Disclosure of information under this subsection shall
27       be limited consistent with the individual's request, such as a request for
28       the carrier to not release any information to a spouse to prevent domestic
29       violence.
30             (b) Except as otherwise required by law, a carrier shall not disclose
31       protected health information concerning health services related to repro-
32       ductive health, sexually transmitted diseases, substance abuse and behav-
33       ioral health, including mailing appointment notices, calling the home to
34       confirm appointments or mailing a bill or explanation of benefits to a
35       policyholder or certificateholder, if the individual who is the subject of
36       the protected health information makes a written request. The written
37       request shall include information as to how any amounts payable by the
38       individual will be handled. A carrier shall not require the individual to
39       obtain the policyholder's or certificateholder's authorization to receive
40       health care services or to submit a claim. Except as provided in subsection
41       (c), this section shall not apply to minors.
42             (c)  (1) A carrier shall recognize the right of any minor who may ob-
43       tain health care without the consent of a parent or legal guardian pursuant

  1       to state or federal law, to exclusively exercise rights granted under this
  2       act regarding health information; and
  3             (2) a carrier shall not disclose any protected health information re-
  4       lated to any health care service to which the minor has lawfully consented,
  5       including mailing appointment notices, calling the home to confirm ap-
  6       pointments or mailing a bill or explanation of benefits to a policyholder
  7       or certificateholder, without the express authorization of the minor. A
  8       carrier shall not require the minor to obtain the policyholder's or certi-
  9       ficateholder's authorization to receive health care services or to submit a
10       claim.
11             (d) A carrier that cannot comply with the requirements of this section
12       relating to the suppression of benefit, payment and similar information
13       by the effective date of this act because of demonstrated financial or
14       technological burdens may make a written request to the commissioner
15       for an extension of the time permitted for compliance. The request shall
16       propose a plan and a timetable for compliance not to exceed 18 months
17       after the effective date of this act. Carriers that are granted an extension
18       by the commissioner shall report this extension and the lack of current
19       compliance with the provisions of this section in the notice of health
20       information policies, standards and procedures required by section 5 and
21       amendments thereto.
22             Sec.  14. (a)  (1) Whenever the commissioner has reason to believe
23       that a person has committed gross negligence in violation of a material
24       provision of this act and that an action under this section is in the public
25       interest, the commissioner may bring an action to enjoin violations of the
26       act. An injunction issued under this section shall be issued without bond.
27             (2) In addition to the relief available pursuant to paragraph (1) of this
28       subsection, the commissioner may request and the court may order any
29       other temporary or permanent relief as may be in the public interest,
30       including any of the following, or any combination of the following:
31             (A) A civil penalty of not more than $10,000 for each violation, not
32       to exceed $50,000 in the aggregate for multiple violations.
33             (B) A civil penalty of not more than $250,000 if the court finds that
34       violations of this act have occurred with sufficient frequency to constitute
35       a general business practice.
36             (C) Reasonable attorney fees, investigation and court costs.
37             (b)  (1) The penalties described in paragraph (2) of this subsection
38       shall apply to a person that collects, uses or discloses protected health
39       information in knowing violation of this act.
40             (2) A person described in paragraph (1) shall:
41             (A) Be fined not more than $50,000, imprisoned not more than one
42       year, or both;
43             (B) if the offense is committed under false pretenses, be fined not

  1       more than $250,000, imprisoned not more than five years, or any com-
  2       bination of these penalties; or
  3             (C) if the offense is committed with the intent to sell, transfer or use
  4       protected health information for malicious harm, be fined not more than
  5       $500,000, imprisoned not more than 10 years, or any combination of these
  6       penalties.
  7             (c) In any claim made under this section relating to an unauthorized
  8       disclosure in which the carrier is being sued under a theory of vicarious
  9       liability for the actions or omissions of the carrier's employees, it shall be
10       an affirmative defense that the carrier substantially complied with the
11       requirements of section 4 and amendments thereto.
12             (d) An individual may not maintain an action against a carrier that
13       disclosed protected health information in good faith reliance on the in-
14       dividual's authorization, if that authorization meets the requirements of
15       section 9 and amendments thereto and if the disclosure was made in
16       compliance with the requirements of this act.
17             (e) A person may not maintain an action against a carrier for refusing
18       to provide information or limiting disclosure of protected health infor-
19       mation when the refusal or limitation is based upon an individual's request
20       pursuant to section 13 and amendments thereto.
21             Sec.  15. The commissioner may promulgate rules and regulations
22       necessary to carry out the provisions of this act.
23             Sec.  16. If any provision of this act, or the application of the provision
24       to any person or circumstance is held invalid, the remainder of the act,
25       and the application of the provision to persons or circumstances other
26       than those to which it is held invalid, shall not be affected.
27             Sec.  17. This act shall take effect and be in force from and after
28       January 1, 2000, and its publication in the statute book.