PRINTER'S NO. 692
No. 636 Session of 2001
INTRODUCED BY DERMODY, WALKO, READSHAW, GEORGE, DAILEY, BARRAR,
ORIE, M. BAKER, McGILL, WANSACZ, DeWEESE, GEIST, THOMAS,
HENNESSEY, CURRY, PETRARCA, CRUZ, MUNDY, SCHULER, BELFANTI,
SCRIMENTI, HALUSKA, BELARDI, SOLOBAY, CALTAGIRONE, PISTELLA,
CASORIO, STABACK, FAIRCHILD, TIGUE, MELIO, SATHER, CLARK,
TRELLO, SAINATO, SHANER, MANN, LAUGHLIN, WOJNAROSKI, BEBKO-
JONES, LEH, HERSHEY, JOSEPHS, COSTA, WASHINGTON, STEELMAN,
McCALL, ROHRER, PIPPY, HORSEY, FREEMAN, DeLUCA, YUDICHAK,
BISHOP, HARHAI, MANDERINO AND SAYLOR, FEBRUARY 12, 2001
REFERRED TO COMMITTEE ON HEALTH AND HUMAN SERVICES,
FEBRUARY 12, 2001
AN ACT
1 Providing for confidentiality of medical records; imposing
2 duties on the Department of Health; and providing for a civil
3 cause of action for violations.
4 The General Assembly finds and declares as follows:
5 (1) There is a compelling need to protect the
6 confidentiality of health information and medical records and
7 to prohibit the unauthorized disclosure of individually
8 identifiable health information.
9 (2) It is the purpose of this act to recognize that
10 individuals have the right to control their own medical
11 records and to prevent disclosure of the contents of those
12 medical records without their knowing, meaningful and
13 informed consent.
14 (3) It is the intent of the General Assembly to provide
1 specific privacy protections for personal medical records and
2 to provide a remedy for violations of this act.
3 The General Assembly of the Commonwealth of Pennsylvania
4 hereby enacts as follows:
5 Section 1. Short title.
6 This act shall be known and may be cited as the Health
7 Information Confidentiality Act.
8 Section 2. Definitions.
9 The following words and phrases when used in this act shall
10 have the meanings given to them in this section unless the
11 context clearly indicates otherwise:
12 "Health information." Any information or medical records, in
13 whatever form, pertaining to medical and health care services
14 performed by or at the direction of an individual health care
15 provider or an institutional health care provider which
16 identifies the patient or client, or from whom the identity of
17 the patient or client can reasonably be determined, which is in
18 the possession of an individual health care provider,
19 institutional health care provider or an information source. The
20 term includes, but is not limited to, medical records relating
21 to the evaluation, diagnosis or treatment of an injury, illness
22 or condition.
23 "Individual health care provider." A physician, nurse,
24 emergency medical services worker, chiropractor, psychologist,
25 nurse-midwife, physician assistant, dentist or other person
26 providing medical, nursing or other health care services of any
27 kind.
28 "Information source." The term shall mean:
29 (1) An individual health care provider.
30 (2) An institutional health care provider.
20010H0636B0692 - 2 -
1 (3) An ambulatory service facility.
2 (4) A health maintenance organization as defined in the
3 act of December 29, 1972 (P.L.1701, No.364), known as the
4 Health Maintenance Organization Act.
5 (5) A medical or health service plan with a certificate
6 of authority issued by the Insurance Department, including,
7 but not limited to, hospital plan corporations as defined in
8 40 Pa.C.S. Ch. 61 (relating to hospital plan corporations)
9 and professional health services plan corporations as defined
10 in 40 Pa.C.S. Ch. 63 (relating to professional health
11 services plan corporations).
12 (6) A commercial insurer with a certificate of authority
13 issued by the Insurance Department providing health or
14 accident insurance.
15 (7) A self-insured employer providing health or accident
16 coverage or benefits for employees employed in this
17 Commonwealth.
18 (8) An administrator of a self-insured or partially
19 self-insured health or accident plan providing covered
20 services in this Commonwealth.
21 (9) Any health and welfare fund that provides health or
22 accident benefits or insurance pertaining to covered services
23 in this Commonwealth.
24 (10) The Department of Public Welfare for those covered
25 services it purchases or provides through the medical
26 assistance program under the act of June 13, 1967 (P.L.31,
27 No.21), known as the Public Welfare Code.
28 (11) Any other payor for covered services in this
29 Commonwealth other than an individual.
30 "Institutional health care provider." A hospital, nursing
20010H0636B0692 - 3 -
1 home, hospice, drug and alcohol services provider, clinic, blood
2 bank, plasmapheresis or other blood product center, organ or
3 tissue bank, sperm bank, clinical laboratory or any health care
4 institution required to be licensed in this Commonwealth.
5 "Medical record." The written or graphic documentation,
6 electronic or sound record, videotape, phonograph or computer
7 record of services pertaining to medical or health care
8 performed by or at the direction of an individual health care
9 provider or institutional health care provider. The term
10 includes, but is not limited to, diagnostic documentation such
11 as X-rays, electrocardiograms, electroencephalograms and test
12 results.
13 Section 3. Limitations on disclosure.
14 (a) Disclosure limited.--All health information and medical
15 records in the possession or custody of an individual health
16 care provider, institutional health care provider or information
17 source or an employee or agent of an individual health care
18 provider, institutional health care provider or information
19 source shall be kept confidential and may not be released or its
20 contents disclosed to anyone, except:
21 (1) To the subject of the health care information.
22 (2) To the subject's primary care physician, provided
23 that the subject has indicated the identity of that primary
24 care physician to whom such information may be released.
25 (3) To a person specifically designated in a written
26 consent under subsection (b).
27 (4) To an agent, employee or medical staff member of a
28 health care provider when disclosure is necessary for
29 purposes of diagnosis or treatment.
30 (5) To prevent death or severe illness in an emergency
20010H0636B0692 - 4 -
1 where disclosure of health information is necessary for
2 treatment of the patient or client.
3 (6) To a peer review organization or committee as
4 defined in the act of July 20, 1974 (P.L.564, No.193), known
5 as the Peer Review Protection Act, a nationally recognized
6 accrediting agency, any Federal or State Government agency
7 with oversight responsibilities over health care providers,
8 or as otherwise provided by law.
9 (7) To an insurer, but only to the extent necessary to
10 reimburse a health care provider or to make payment of a
11 claim submitted under an insured's policy.
12 (8) Pursuant to an order of a court of common pleas
13 after application showing good cause with proper notice and
14 an opportunity to be heard. The court shall weigh the need
15 for disclosure against the privacy interest of the individual
16 and possible harm resulting from disclosure.
17 (b) Required elements of written consent to disclosure.--A
18 written consent to disclosure of health care information shall
19 include:
20 (1) The specific name of the individual or organization
21 permitted to make the disclosure.
22 (2) The name or title of the individual to whom or the
23 name of the organization to which the disclosure is to be
24 made.
25 (3) The name of the patient or client whose records are
26 to be disclosed.
27 (4) The specific purpose or purposes of the disclosure.
28 (5) The amount and kind of information to be disclosed.
29 (6) The signature of the patient or client or, if the
30 patient or client is 12 years of age or younger, the
20010H0636B0692 - 5 -
1 signature of the patient's or client's parent or guardian.
2 (7) The date on which the consent is signed.
3 (8) A statement that the consent is subject to
4 revocation at any time except to the extent that the person
5 who is to make the disclosure has already acted in reliance
6 on it.
7 (9) The date, event or condition upon which the consent
8 will expire, if not earlier revoked.
9 In no event shall a written consent under this act be deemed
10 valid more than one year after the date the consent was signed.
11 (c) Expired, deficient or false consent.--A disclosure may
12 not be made on the basis of a consent which:
13 (1) has expired;
14 (2) on its face substantially fails to conform to any of
15 the requirements set forth under subsection (b);
16 (3) is known to have been revoked; or
17 (4) is known by the person holding the information to be
18 materially false.
19 (d) Notice to accompany disclosure.--Each disclosure made
20 with the subject's written consent must be accompanied by the
21 following written statement:
22 This information has been disclosed to you from records
23 the confidentiality of which is protected by Commonwealth
24 law. Commonwealth law prohibits you from making any
25 further disclosure of this information unless further
26 disclosure is expressly permitted by the written consent
27 of the person to whom it pertains. A general
28 authorization for the release of health or other
29 information or medical records is not sufficient for this
30 purpose.
20010H0636B0692 - 6 -
1 Section 4. Duty to maintain confidentiality.
2 In the event that health information is disclosed under
3 section 3(a)(6) or (7), an individual health care provider,
4 institutional health care provider or information source shall
5 take all necessary steps to maintain the confidentiality of the
6 patient or client and that patient's or client's health
7 information and medical records. Unless there is a compelling
8 need to disclose the actual identity of the patient or client,
9 all information relating to the identity of the patient or
10 client, or from which the identity can be reasonably determined,
11 shall not be disclosed.
12 Section 5. Recordkeeping requirements.
13 Individual health care providers, institutional health care
14 providers and information sources shall maintain, as a permanent
15 part of the patient's or client's medical records, a record of
16 all disclosures of health care information to any person not
17 employed by or affiliated with it. The record shall include the
18 name and address of each person receiving the health care
19 information and a description of the information disclosed.
20 Section 6. Prohibition on disclosure to employers.
21 Health information may not be disclosed to a patient's or
22 client's employer without the written consent of the patient or
23 client under section 3(b). In the case of disclosure to an
24 employer, the written consent must also include a statement why
25 the disclosure to the employer is necessary and that the patient
26 or client understands the reason for the disclosure.
27 Section 7. Development of further safeguards.
28 Within one year of the enactment of this act, the Department
29 of Health shall promulgate standards for the implementation of
30 administrative, technological and physical safeguards by
20010H0636B0692 - 7 -
1 individual health care providers, institutional health care
2 providers and information sources to protect against
3 unauthorized disclosure of individually identifiable health
4 information.
5 Section 8. Applicability of other laws.
6 Nothing in this act is intended to alter limitations on
7 disclosure or release of health information or medical records
8 that are prescribed in applicable State law.
9 Section 9. Civil cause of action.
10 Any person aggrieved by a violation of this act shall have a
11 cause of action against the person who committed the violation
12 and may recover:
13 (1) Compensatory damages, but not less than liquidated
14 damages, computed at the rate of $1,000 for each violation.
15 (2) Punitive damages.
16 (3) Reasonable attorney fees and litigation costs.
17 Section 10. Separate violations.
18 Each disclosure of health care information in violation of
19 this act shall be considered a separate violation for purposes
20 of civil liability.
21 Section 11. Repeals.
22 All acts and parts of acts are repealed insofar as they are
23 inconsistent with this act.
24 Section 12. Effective date.
25 This act shall take effect in 60 days.
A17L35BIL/20010H0636B0692 - 8 -