Medical Information Privacy and Security Act

TABLE OF CONTENTS:

Title I: Individuals' Rights

Subtitle A: Access to Protected Health Information by

Subjects of the Information

Subtitle B: Establishment of Safeguards

Title II: Restrictions on Use and Disclosure

Title III: Office of Health Information Privacy of the

Department of Health and Human Services

Subtitle A: Designation

Subtitle B: Enforcement

Title IV: Miscellaneous

Medical Information Privacy and Security Act - Title I: Individuals' Rights - Subtitle A: Access to Protected Health Information by Subjects of the Information - Requires specified parties to permit an individual who is the subject of protected health information to inspect and copy the information. (The list of specified parties varies throughout this Act and includes such individuals and entities as health care providers, health plans, health oversight agencies, public health authorities, employers, health researchers, law enforcement officials, health or life insurers, schools, universities, emergency medical personnel, and their agents.) Sets forth provisions concerning: (1) supplements to protected information; and (2) the provision of notice of privacy practices.

Subtitle B: Establishment of Safeguards - Requires specified parties to establish safeguards to ensure the confidentiality, security, accuracy, and integrity of protected health information. Mandates development of model safeguard guidelines. Requires specified parties to establish a record of disclosures not related to payment or treatment.

Title II: Restrictions on Use and Disclosure - Prohibits specified parties from disclosing protected health information, except as authorized under this title. Allows disclosure if authorized by the information subject. Mandates model written authorizations and model limitations. Provides for segregation of files on request, authorization revocation, and records of authorizations and revocations.

(Sec. 203) Sets forth rules governing authorizations for disclosure of protected information for purposes other than for treatment or payment. Mandates model authorizations.

(Sec. 204) Allows any person to disclose protected health information: (1) in order to allay or remedy a threat of imminent physical or mental harm to an information subject; and (2) if there is an identifiable threat of serious injury or death to an identifiable individual or group and other requirements are met.

(Sec. 205) Authorizes disclosure to: (1) a public health authority; (2) certain protection and advocacy agencies if an individual is vulnerable to abuse or neglect by an agency providing health or social services; (3) a health oversight agency, under specified circumstances; and (4) on court order, a law enforcement authority.

(Sec. 209) Regulates disclosure: (1) to next of kin; and (2) in directories of individuals admitted to a facility.

(Sec. 210) Applies the requirements and protections of specified parts of the Code of Federal Regulations to research conducted by all research facilities using personally identifiable health information. Directs the Secretary of Health and Human Services to report to the Congress whether written informed consent should be required and, if so, under what circumstances, before personally identifiable data can be used for medical research.

(Sec. 211) Allows specified parties to disclose for certain judicial and administrative purposes.

(Sec. 212) Sets forth a sequence regulating who may exercise an individual's rights under this Act when the individual cannot knowingly or effectively do so, designating first a person named in a health care power of attorney, then an individual authorized by law or by an instrument recognized under law to act as the individual's representative, then next of kin, and last the health care provider, in each case moving to the next level if the person cannot be contacted after a reasonable effort. Sets forth provisions concerning: (1) the rights of minors; and (2) deceased individuals.

(Sec. 213) Prohibits retaliation for the exercise of rights under this Act or disclosure of information regarding a possible violation of this Act.

Title III: Office of Health Information Privacy of the Department of Health and Human Services - Subtitle A: Designation - Establishes the Office of Health Information Privacy, including in its duties receiving and investigating violation complaints and providing for the conduct of audits.

Subtitle B: Enforcement - Chapter 1: Criminal Provisions - Amends the Federal criminal code to impose criminal penalties for knowingly and intentionally obtaining or disclosing protected health information in violation of title II of this Act.

(Sec. 312) Mandates regulations and procedures to permit the debarment of specified parties from receiving benefits under any Federal health programs if the managers or officers are found guilty of such obtaining or disclosing. Authorizes the Attorney General to provide advice, technical assistance, and guidance to reduce improper disclosure.

Chapter 2: Civil Sanctions - Imposes civil monetary penalties on specified parties if the Office determines a party has substantially and materially failed to comply with this Act.

(Sec. 323) Allows any individual whose rights under this Act have been knowingly or negligently violated to bring a civil action to recover preliminary and equitable relief, compensatory (or specified liquidated) damages, punitive damages (for knowing violations), and attorney's fees. Sets a time limit for the commencement of actions.

Title IV: Miscellaneous - Amends the Privacy Act of 1974 to require an agency that receives protected health information to promulgate rules to exempt a system of records within the agency from all but specified provisions of that Act.