PRINTER'S NO. 692
No. 636 Session of 2001
INTRODUCED BY DERMODY, WALKO, READSHAW, GEORGE, DAILEY, BARRAR, ORIE, M. BAKER, McGILL, WANSACZ, DeWEESE, GEIST, THOMAS, HENNESSEY, CURRY, PETRARCA, CRUZ, MUNDY, SCHULER, BELFANTI, SCRIMENTI, HALUSKA, BELARDI, SOLOBAY, CALTAGIRONE, PISTELLA, CASORIO, STABACK, FAIRCHILD, TIGUE, MELIO, SATHER, CLARK, TRELLO, SAINATO, SHANER, MANN, LAUGHLIN, WOJNAROSKI, BEBKO- JONES, LEH, HERSHEY, JOSEPHS, COSTA, WASHINGTON, STEELMAN, McCALL, ROHRER, PIPPY, HORSEY, FREEMAN, DeLUCA, YUDICHAK, BISHOP, HARHAI, MANDERINO AND SAYLOR, FEBRUARY 12, 2001
REFERRED TO COMMITTEE ON HEALTH AND HUMAN SERVICES, FEBRUARY 12, 2001
AN ACT 1 Providing for confidentiality of medical records; imposing 2 duties on the Department of Health; and providing for a civil 3 cause of action for violations. 4 The General Assembly finds and declares as follows: 5 (1) There is a compelling need to protect the 6 confidentiality of health information and medical records and 7 to prohibit the unauthorized disclosure of individually 8 identifiable health information. 9 (2) It is the purpose of this act to recognize that 10 individuals have the right to control their own medical 11 records and to prevent disclosure of the contents of those 12 medical records without their knowing, meaningful and 13 informed consent. 14 (3) It is the intent of the General Assembly to provide
1 specific privacy protections for personal medical records and 2 to provide a remedy for violations of this act. 3 The General Assembly of the Commonwealth of Pennsylvania 4 hereby enacts as follows: 5 Section 1. Short title. 6 This act shall be known and may be cited as the Health 7 Information Confidentiality Act. 8 Section 2. Definitions. 9 The following words and phrases when used in this act shall 10 have the meanings given to them in this section unless the 11 context clearly indicates otherwise: 12 "Health information." Any information or medical records, in 13 whatever form, pertaining to medical and health care services 14 performed by or at the direction of an individual health care 15 provider or an institutional health care provider which 16 identifies the patient or client, or from whom the identity of 17 the patient or client can reasonably be determined, which is in 18 the possession of an individual health care provider, 19 institutional health care provider or an information source. The 20 term includes, but is not limited to, medical records relating 21 to the evaluation, diagnosis or treatment of an injury, illness 22 or condition. 23 "Individual health care provider." A physician, nurse, 24 emergency medical services worker, chiropractor, psychologist, 25 nurse-midwife, physician assistant, dentist or other person 26 providing medical, nursing or other health care services of any 27 kind. 28 "Information source." The term shall mean: 29 (1) An individual health care provider. 30 (2) An institutional health care provider. 20010H0636B0692 - 2 -
1 (3) An ambulatory service facility. 2 (4) A health maintenance organization as defined in the 3 act of December 29, 1972 (P.L.1701, No.364), known as the 4 Health Maintenance Organization Act. 5 (5) A medical or health service plan with a certificate 6 of authority issued by the Insurance Department, including, 7 but not limited to, hospital plan corporations as defined in 8 40 Pa.C.S. Ch. 61 (relating to hospital plan corporations) 9 and professional health services plan corporations as defined 10 in 40 Pa.C.S. Ch. 63 (relating to professional health 11 services plan corporations). 12 (6) A commercial insurer with a certificate of authority 13 issued by the Insurance Department providing health or 14 accident insurance. 15 (7) A self-insured employer providing health or accident 16 coverage or benefits for employees employed in this 17 Commonwealth. 18 (8) An administrator of a self-insured or partially 19 self-insured health or accident plan providing covered 20 services in this Commonwealth. 21 (9) Any health and welfare fund that provides health or 22 accident benefits or insurance pertaining to covered services 23 in this Commonwealth. 24 (10) The Department of Public Welfare for those covered 25 services it purchases or provides through the medical 26 assistance program under the act of June 13, 1967 (P.L.31, 27 No.21), known as the Public Welfare Code. 28 (11) Any other payor for covered services in this 29 Commonwealth other than an individual. 30 "Institutional health care provider." A hospital, nursing 20010H0636B0692 - 3 -
1 home, hospice, drug and alcohol services provider, clinic, blood 2 bank, plasmapheresis or other blood product center, organ or 3 tissue bank, sperm bank, clinical laboratory or any health care 4 institution required to be licensed in this Commonwealth. 5 "Medical record." The written or graphic documentation, 6 electronic or sound record, videotape, phonograph or computer 7 record of services pertaining to medical or health care 8 performed by or at the direction of an individual health care 9 provider or institutional health care provider. The term 10 includes, but is not limited to, diagnostic documentation such 11 as X-rays, electrocardiograms, electroencephalograms and test 12 results. 13 Section 3. Limitations on disclosure. 14 (a) Disclosure limited.--All health information and medical 15 records in the possession or custody of an individual health 16 care provider, institutional health care provider or information 17 source or an employee or agent of an individual health care 18 provider, institutional health care provider or information 19 source shall be kept confidential and may not be released or its 20 contents disclosed to anyone, except: 21 (1) To the subject of the health care information. 22 (2) To the subject's primary care physician, provided 23 that the subject has indicated the identity of that primary 24 care physician to whom such information may be released. 25 (3) To a person specifically designated in a written 26 consent under subsection (b). 27 (4) To an agent, employee or medical staff member of a 28 health care provider when disclosure is necessary for 29 purposes of diagnosis or treatment. 30 (5) To prevent death or severe illness in an emergency 20010H0636B0692 - 4 -
1 where disclosure of health information is necessary for 2 treatment of the patient or client. 3 (6) To a peer review organization or committee as 4 defined in the act of July 20, 1974 (P.L.564, No.193), known 5 as the Peer Review Protection Act, a nationally recognized 6 accrediting agency, any Federal or State Government agency 7 with oversight responsibilities over health care providers, 8 or as otherwise provided by law. 9 (7) To an insurer, but only to the extent necessary to 10 reimburse a health care provider or to make payment of a 11 claim submitted under an insured's policy. 12 (8) Pursuant to an order of a court of common pleas 13 after application showing good cause with proper notice and 14 an opportunity to be heard. The court shall weigh the need 15 for disclosure against the privacy interest of the individual 16 and possible harm resulting from disclosure. 17 (b) Required elements of written consent to disclosure.--A 18 written consent to disclosure of health care information shall 19 include: 20 (1) The specific name of the individual or organization 21 permitted to make the disclosure. 22 (2) The name or title of the individual to whom or the 23 name of the organization to which the disclosure is to be 24 made. 25 (3) The name of the patient or client whose records are 26 to be disclosed. 27 (4) The specific purpose or purposes of the disclosure. 28 (5) The amount and kind of information to be disclosed. 29 (6) The signature of the patient or client or, if the 30 patient or client is 12 years of age or younger, the 20010H0636B0692 - 5 -
1 signature of the patient's or client's parent or guardian. 2 (7) The date on which the consent is signed. 3 (8) A statement that the consent is subject to 4 revocation at any time except to the extent that the person 5 who is to make the disclosure has already acted in reliance 6 on it. 7 (9) The date, event or condition upon which the consent 8 will expire, if not earlier revoked. 9 In no event shall a written consent under this act be deemed 10 valid more than one year after the date the consent was signed. 11 (c) Expired, deficient or false consent.--A disclosure may 12 not be made on the basis of a consent which: 13 (1) has expired; 14 (2) on its face substantially fails to conform to any of 15 the requirements set forth under subsection (b); 16 (3) is known to have been revoked; or 17 (4) is known by the person holding the information to be 18 materially false. 19 (d) Notice to accompany disclosure.--Each disclosure made 20 with the subject's written consent must be accompanied by the 21 following written statement: 22 This information has been disclosed to you from records 23 the confidentiality of which is protected by Commonwealth 24 law. Commonwealth law prohibits you from making any 25 further disclosure of this information unless further 26 disclosure is expressly permitted by the written consent 27 of the person to whom it pertains. A general 28 authorization for the release of health or other 29 information or medical records is not sufficient for this 30 purpose. 20010H0636B0692 - 6 -
1 Section 4. Duty to maintain confidentiality. 2 In the event that health information is disclosed under 3 section 3(a)(6) or (7), an individual health care provider, 4 institutional health care provider or information source shall 5 take all necessary steps to maintain the confidentiality of the 6 patient or client and that patient's or client's health 7 information and medical records. Unless there is a compelling 8 need to disclose the actual identity of the patient or client, 9 all information relating to the identity of the patient or 10 client, or from which the identity can be reasonably determined, 11 shall not be disclosed. 12 Section 5. Recordkeeping requirements. 13 Individual health care providers, institutional health care 14 providers and information sources shall maintain, as a permanent 15 part of the patient's or client's medical records, a record of 16 all disclosures of health care information to any person not 17 employed by or affiliated with it. The record shall include the 18 name and address of each person receiving the health care 19 information and a description of the information disclosed. 20 Section 6. Prohibition on disclosure to employers. 21 Health information may not be disclosed to a patient's or 22 client's employer without the written consent of the patient or 23 client under section 3(b). In the case of disclosure to an 24 employer, the written consent must also include a statement why 25 the disclosure to the employer is necessary and that the patient 26 or client understands the reason for the disclosure. 27 Section 7. Development of further safeguards. 28 Within one year of the enactment of this act, the Department 29 of Health shall promulgate standards for the implementation of 30 administrative, technological and physical safeguards by 20010H0636B0692 - 7 -
1 individual health care providers, institutional health care 2 providers and information sources to protect against 3 unauthorized disclosure of individually identifiable health 4 information. 5 Section 8. Applicability of other laws. 6 Nothing in this act is intended to alter limitations on 7 disclosure or release of health information or medical records 8 that are prescribed in applicable State law. 9 Section 9. Civil cause of action. 10 Any person aggrieved by a violation of this act shall have a 11 cause of action against the person who committed the violation 12 and may recover: 13 (1) Compensatory damages, but not less than liquidated 14 damages, computed at the rate of $1,000 for each violation. 15 (2) Punitive damages. 16 (3) Reasonable attorney fees and litigation costs. 17 Section 10. Separate violations. 18 Each disclosure of health care information in violation of 19 this act shall be considered a separate violation for purposes 20 of civil liability. 21 Section 11. Repeals. 22 All acts and parts of acts are repealed insofar as they are 23 inconsistent with this act. 24 Section 12. Effective date. 25 This act shall take effect in 60 days. A17L35BIL/20010H0636B0692 - 8 -