Medical Financial Privacy Protection Act (Introduced in House)
HR 4585 IH
June 6, 2000
Mr. LEACH introduced the following bill; which was referred to the Committee on Banking and Financial Services, and in addition to the Committee on Commerce, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned
- Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
- This Act may be cited as the `Medical Financial Privacy Protection Act'.
SEC. 2. USE AND DISCLOSURE OF HEALTH INFORMATION BY FINANCIAL INSTITUTIONS.
- (a) IN GENERAL- Title V of the Gramm-Leach-Bliley Act (15
U.S.C. 6801 et seq.) is amended by inserting after section 502 the
following:
`SEC. 502A. SPECIAL RULES FOR HEALTH INFORMATION.
- `(a) RULES FOR DISCLOSURE-
- `(1) GENERAL RULE REQUIRING AFFIRMATIVE CONSENT FOR DISCLOSURE-
- `(A) IN GENERAL- A financial institution may not
disclose any individually identifiable health information pertaining to
a consumer to an affiliate or a nonaffiliated third party unless the
financial institution--
- `(i) has provided to the consumer a clear and
conspicuous notice in writing, in electronic form, or in another form
permitted by the regulations implementing this subtitle, of the
categories of such information that may be disclosed and the categories
of affiliates or nonaffiliated third parties to whom the financial
institution discloses such information;
- `(ii) has clearly and conspicuously requested
in writing, in electronic form, or in another form permitted by the
regulations implementing this subtitle, that the consumer affirmatively
consent to such disclosure; and
- `(iii) has obtained from the consumer such affirmative consent and such consent has not been withdrawn.
- `(B) WITHDRAWAL OF CONSENT- Any withdrawal of
consent is subject to the rights of any financial institution that
acted in reliance on the consent prior to its withdrawal.
- `(2) DISCLOSURE OF INFORMATION ABOUT PERSONAL SPENDING HABITS-
- `(A) IN GENERAL- If a financial institution
provides a service to a consumer through which the consumer makes or
receives payments or transfers by check, debit card, credit card, or
other similar instrument, the financial institution may not disclose
any information described in subparagraph (B) pertaining to the
consumer to an affiliate or a nonaffiliated third party unless the
financial institution has satisfied the requirements of clauses (i),
(ii), and (iii) of paragraph (1)(A) with respect to the disclosure.
- `(B) INFORMATION DESCRIBED- The information described in this paragraph is--
- `(i) an individualized list of a consumer's
transactions or an individualized description of a consumer's
interests, preferences, or other characteristics; or
- `(ii) any such list or description constructed in response to an inquiry about a specific, named individual;
- if the list or description is derived from
individually identifiable health information collected in the course of
providing a service described in subparagraph (A) to the consumer.
- `(3) DISCLOSURE OF AGGREGATE LISTS- A financial
institution may not disclose any aggregate list of consumers containing
or derived from individually identifiable health information to an
affiliate or a nonaffiliated third party unless the financial
institution has satisfied, for each consumer on the list, the
requirements of clauses (i), (ii), and (iii) of paragraph (1)(A) with
respect to the disclosure.
- `(4) EXCEPTIONS TO DISCLOSURE LIMITATIONS- This section
shall not restrict a financial institution from disclosing individually
identifiable health information--
- `(A) for a purpose described in paragraph (1), (2), (3), (5), (7), or (8) of section 502(e);
- `(B) in order to facilitate customer service, such
as maintenance and operation of consolidated customer call centers or
the use of consolidated customer account statements; or
- `(C) to the institution's attorneys, accountants, and auditors.
- `(5) LIMITS ON REDISCLOSURE AND REUSE OF INFORMATION-
- `(A) IN GENERAL- Except as provided in subparagraph
(B), an affiliate or a nonaffiliated third party that receives
individually identifiable health information from a financial
institution under this section shall not disclose such information to
any other person, unless such disclosure would be lawful if made
directly to such other person by the financial institution.
- `(B) DISCLOSURE UNDER AN EXCEPTION- Notwithstanding
subparagraph (A), any person that receives individually identifiable
health information from a financial institution in accordance with one
of the exceptions in paragraph (4) may use or disclose such information
only--
- `(i) as permitted under that exception; or
- `(ii) under another exception in such paragraph
to carry out the purpose for which the information was disclosed by the
financial institution.
- `(6) CONSTRUCTION- Except as provided in paragraph
(4)(A), this section applies in lieu of subsections (b), (c), and (e)
of section 502 to a disclosure by a financial institution of
individually identifiable health information.
- `(b) RULES FOR RECEIPT AND USE-
- `(1) IN GENERAL- In deciding whether, or on what terms,
to offer, provide, or continue to provide a loan or credit to a
consumer, a financial institution shall not request to receive
individually identifiable health information about the consumer from an
affiliate or nonaffiliated third party, or use, evaluate, or otherwise
consider any such information, unless the financial institution--
- `(A) has clearly and conspicuously requested in
writing, in electronic form, or in another form permitted by the
regulations implementing this subtitle, that the consumer affirmatively
consent to such receipt and use; and
- `(B) has obtained from the consumer such affirmative consent and such consent has not been withdrawn.
- `(2) RESTRAINT ON INFORMATION REQUESTS- In deciding
whether, or on what terms, to offer, provide, or continue to provide a
loan or credit to a consumer, a financial institution shall not request
the consent described in paragraph (1)(A) to receive individually
identifiable health information available from an affiliate, if the
financial institution would not otherwise normally receive the same or
substantially similar information from a nonaffiliated third party if
that third party were the only person able to provide the information.
- `(c) CONSUMER RIGHTS TO ACCESS AND CORRECT INFORMATION-
- `(1) ACCESS-
- `(A) IN GENERAL- Upon the request of a consumer, a
financial institution shall make available to the consumer individually
identifiable health information about the consumer that is within the
possession of the financial institution.
- `(B) EXCEPTIONS- Notwithstanding subparagraph (A), a financial institution--
- `(i) shall not be required to disclose to a
consumer any confidential commercial information, such as an algorithm
used to derive credit scores or other risk scores or predictors;
- `(ii) shall not be required to create new records in order to comply with the consumer's request;
- `(iii) shall not be required to disclose to a
consumer any information assembled by the financial institution, in a
particular matter, as part of the financial institution's efforts to
comply with laws preventing fraud, money laundering, or other unlawful
conduct; and
- `(iv) shall not disclose any information required to be kept confidential by any other Federal law.
- `(2) CORRECTION-
- `(A) OPPORTUNITY TO DISPUTE- A financial
institution shall provide a consumer the opportunity to dispute the
accuracy of any individually identifiable health information disclosed
to the consumer pursuant to paragraph (1), and to present evidence
thereon.
- `(B) AMENDMENT, CORRECTION, OR DELETION- A financial institution--
- `(i) shall amend, correct, or delete material
information identified by a consumer that is materially incomplete or
inaccurate; or
- `(ii) shall notify the consumer of--
- `(I) its refusal to make such amendment, correction, deletion;
- `(II) the reasons for the refusal; and
- `(III) the identity of the person who
created the information and shall refer the consumer to that person for
purposes of amending or correcting the information or filing with it a
concise statement of what the consumer believes to be the correct
information.
- `(3) COORDINATION AND CONSULTATION- In prescribing
regulations implementing this subsection, the Federal agencies
specified in section 504(a) shall consult with one another to ensure
that the regulations--
- `(A) impose consistent requirements on the financial institutions under their respective jurisdictions;
- `(B) take into account conditions under which
financial institutions do business both in the United States and in
other countries; and
- `(C) are consistent with the principle of technology neutrality.
- `(4) CHARGES FOR DISCLOSURES- A financial institution
may impose a reasonable charge for making a disclosure under this
subsection, which charge shall be disclosed to the consumer before
making the disclosure.
- `(d) SPECIAL REQUIREMENT TO PROTECT MENTAL HEALTH
INFORMATION- In any case in which this section requires a person to
obtain a consumer's affirmative consent to a receipt, use, or
disclosure of individually identifiable health information, the person
shall obtain a separate and specific consent with respect to any
information pertaining to the mental health or mental condition of an
individual.
- `(e) RELATIONSHIP TO OTHER LAWS- Nothing in this section shall be construed as--
- `(1) modifying, limiting, or superseding standards promulgated by the Secretary of Health and Human Services under--
- `(A) part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.); or
- `(B) section 264(c) of the Health Insurance
Portability and Accountability Act of 1996 (Public Law 104-191; 110
Stat. 2033); or
- `(2) authorizing the use or disclosure of individually
identifiable health information in a manner other than as permitted by
other applicable law.'.
- (b) DEFINITION OF INDIVIDUALLY IDENTIFIABLE HEALTH
INFORMATION- Section 509 of the Gramm-Leach-Bliley Act (15 U.S.C. 6809)
is amended by adding at the end the following:
- `(12) INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION- The
term `individually identifiable health information' means any
information, including demographic information obtained from or about
an individual, that is described in section 1171(6)(B) of the Social
Security Act (42 U.S.C. 1320d(6)(B)).'.
- (c) CLERICAL AMENDMENT- The table of contents for the
Gramm-Leach-Bliley Act is amended by inserting after the item relating
to section 502 the following:
- `Sec. 502A. Special rules for health information.'.
SEC. 3. REGULATIONS; EFFECTIVE DATE.
- (a) REGULATIONS-
- (1) REGULATORY AUTHORITY- Section 504(a) of the
Gramm-Leach-Bliley Act (15 U.S.C. 6804(a)) shall apply to the issuance
of regulations to carry out the amendments made by this Act in the same
manner as such section applies to the issuance of other regulations to
carry out subtitle A of title V of the Gramm-Leach-Bliley Act, except
as provided in paragraph (4).
- (2) AUTHORITY TO GRANT EXCEPTIONS- The regulations
issued to carry out the amendments made by this Act may include such
additional exceptions to the provisions of section 502A of the
Gramm-Leach-Bliley Act, as inserted by section 2, as are deemed
consistent with the purposes of subtitle A of title V of such Act,
except as provided in paragraph (3)(B).
- (3) SPECIAL PROTECTIONS FOR MENTAL HEALTH INFORMATION-
- (A) IN GENERAL- The regulations issued to carry out
the amendments made by this Act shall, where appropriate, include
special policies and procedures to protect the confidentiality of
individually identifiable health information relating to the mental
health or mental condition of an individual.
- (B) AUTHORITY TO GRANT EXCEPTIONS- The regulations
issued to carry out the amendments made by this Act may not include any
exception to the provisions of section 502A of the Gramm-Leach-Bliley
Act, as inserted by section 2, that diminishes the protection afforded
by such section to the confidentiality of individually identifiable
health information relating to the mental health or mental condition of
an individual.
- (4) DEADLINE- Regulations to carry out the amendments
made by this Act shall be issued in final form not later than 6 months
after the date of the enactment of this Act.
- (b) EFFECTIVE DATE- The amendments made by this Act shall
take effect 6 months after the date on which regulations are required
to be issued under subsection (a)(4), except to the extent that a later
date is specified in such regulations.