PRINTER'S NO. 159
No. 171 Session of 1999
INTRODUCED BY DERMODY, BUXTON, THOMAS, TULLI, SEYFERT, BEBKO-JONES, LAUGHLIN, HARHAI, PESCI, HERMAN, CLARK, BELFANTI, GEIST, TRAVAGLIO, ALLEN, COY, WALKO, KENNEY, SHANER, HENNESSEY, LEDERER, FAIRCHILD, PRESTON, CASORIO, VAN HORNE AND EACHUS, JANUARY 27, 1999
REFERRED TO COMMITTEE ON HEALTH AND HUMAN SERVICES, JANUARY 27, 1999
AN ACT

Providing for confidentiality of medical records.

The General Assembly finds and declares as follows:

    (1) There is a compelling need to protect the confidentiality of health information and medical records and to prohibit the unauthorized disclosure of individually identifiable health information.

    (2) It is the purpose of this act to recognize that individuals have the right to control their own medical records and to prevent disclosure of the contents of those medical records without their knowing, meaningful and informed consent.

    (3) It is the intent of the General Assembly to provide specific privacy protections for personal medical records and to provide a remedy for violations of this act.

The General Assembly of the Commonwealth of Pennsylvania hereby enacts as follows:

Section 1. Short title.

This act shall be known and may be cited as the Health Information Confidentiality Act.

Section 2. Definitions.

The following words and phrases when used in this act shall have the meanings given to them in this section unless the context clearly indicates otherwise:

"Health information." Any information or medical records, in whatever form, pertaining to medical and health care services performed by or at the direction of an individual health care provider or an institutional health care provider which identifies the patient or client, or from whom the identity of the patient or client can reasonably be determined, which is in the possession of an individual health care provider, institutional health care provider or an information source. The term includes, but is not limited to, medical records relating to the evaluation, diagnosis or treatment of an injury, illness or condition.

"Individual health care provider." A physician, nurse, emergency medical services worker, chiropractor, psychologist, nurse-midwife, physician assistant, dentist or other person providing medical, nursing or other health care services of any kind.

"Information source." The term shall mean:

    (1) An individual health care provider.

    (2) An institutional health care provider.

    (3) An ambulatory service facility.

    (4) A health maintenance organization as defined in the act of December 29, 1972 (P.L.1701, No.364), known as the Health Maintenance Organization Act.

    (5) A medical or health service plan with a certificate of authority issued by the Insurance Department, including, but not limited to, hospital plan corporations as defined in 40 Pa.C.S. Ch. 61 (relating to hospital plan corporations) and professional health services plan corporations as defined in 40 Pa.C.S. Ch. 63 (relating to professional health services plan corporations).

    (6) A commercial insurer with a certificate of authority issued by the Insurance Department providing health or accident insurance.

    (7) A self-insured employer providing health or accident coverage or benefits for employees employed in this Commonwealth.

    (8) An administrator of a self-insured or partially self-insured health or accident plan providing covered services in this Commonwealth.

    (9) Any health and welfare fund that provides health or accident benefits or insurance pertaining to covered services in this Commonwealth.

    (10) The Department of Public Welfare for those covered services it purchases or provides through the medical assistance program under the act of June 13, 1967 (P.L.31, No.21), known as the Public Welfare Code.

    (11) Any other payor for covered services in this Commonwealth other than an individual.

"Institutional health care provider." A hospital, nursing home, hospice, drug and alcohol services provider, clinic, blood bank, plasmapheresis or other blood product center, organ or tissue bank, sperm bank, clinical laboratory or any health care institution required to be licensed in this Commonwealth.

"Medical record." The written or graphic documentation, electronic or sound record, videotape, phonograph or computer record of services pertaining to medical or health care performed by or at the direction of an individual health care provider or institutional health care provider. The term includes, but is not limited to, diagnostic documentation such as X-rays, electrocardiograms, electroencephalograms and test results.

Section 3. Limitations on disclosure.

(a) Disclosure limited.--All health information and medical records in the possession or custody of an individual health care provider, institutional health care provider or information source or an employee or agent of an individual health care provider, institutional health care provider or information source shall be kept confidential and may not be released or its contents disclosed to anyone, except:

    (1) To the subject of the health care information.

    (2) To the subject's primary care physician, provided that the subject has indicated the identity of that primary care physician to whom such information may be released.

    (3) To a person specifically designated in a written consent under subsection (b).

    (4) To an agent, employee or medical staff member of a health care provider when disclosure is necessary for purposes of diagnosis or treatment.

    (5) To prevent death or severe illness in an emergency where disclosure of health information is necessary for treatment of the patient or client.

    (6) To a peer review organization or committee as defined in the act of July 20, 1974 (P.L.564, No.193), known as the Peer Review Protection Act, a nationally recognized accrediting agency, any Federal or State Government agency with oversight responsibilities over health care providers, or as otherwise provided by law.

    (7) To an insurer, but only to the extent necessary to reimburse a health care provider or to make payment of a claim submitted under an insured's policy.

    (8) Pursuant to an order of a court of common pleas after application showing good cause with proper notice and an opportunity to be heard. The court shall weigh the need for disclosure against the privacy interest of the individual and possible harm resulting from disclosure.

(b) Required elements of written consent to disclosure.--A written consent to disclosure of health care information shall include:

    (1) The specific name of the individual or organization permitted to make the disclosure.

    (2) The name or title of the individual to whom or the name of the organization to which the disclosure is to be made.

    (3) The name of the patient whose records are to be disclosed.

    (4) The specific purpose or purposes of the disclosure.

    (5) The amount and kind of information to be disclosed.

    (6) The signature of the patient or, if the patient is 12 years of age or younger, the signature of the patient's parent or guardian.

    (7) The date on which the consent is signed.

    (8) A statement that the consent is subject to revocation at any time except to the extent that the person who is to make the disclosure has already acted in reliance on it.

    (9) The date, event or condition upon which the consent will expire, if not earlier revoked.

In no event shall a written consent under this act be deemed valid more than one year after the date the consent was signed.

(c) Expired, deficient or false consent.--A disclosure may not be made on the basis of a consent which:

    (1) has expired;

    (2) on its face substantially fails to conform to any of the requirements set forth under subsection (b);

    (3) is known to have been revoked; or

    (4) is known by the person holding the information to be materially false.

(d) Notice to accompany disclosure.--Each disclosure made with the subject's written consent must be accompanied by the following written statement:

    This information has been disclosed to you from records the confidentiality of which is protected by Commonwealth law. Commonwealth law prohibits you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains. A general authorization for the release of health or other information or medical records is not sufficient for this purpose.

Section 4. Duty to maintain confidentiality.

In the event that health information is disclosed under section 3(a)(6) or (7), an individual health care provider, institutional health care provider or information source shall take all necessary steps to maintain the confidentiality of the patient and that patient's health information and medical records. Unless there is a compelling need to disclose the actual identity of the patient or client, all information relating to the identity of the patient or client, or from which the identity can be reasonably determined, shall not be disclosed.

Section 5. Recordkeeping requirements.

Individual health care providers, institutional health care providers and information sources shall maintain, as a permanent part of the patient's medical records, a record of all disclosures of health care information to any person not employed by or affiliated with it. The record shall include the name and address of each person receiving the health care information and a description of the information disclosed.

Section 6. Prohibition on disclosure to employers.

Health information may not be disclosed to a patient's or client's employer without the written consent of the patient or client under section 3(b). In the case of disclosure to an employer, the written consent must also include a statement why the disclosure to the employer is necessary and that the patient or client understands the reason for the disclosure.

Section 7. Development of further safeguards.

Within one year of the enactment of this act, the Department of Health shall promulgate standards for the implementation of administrative, technological and physical safeguards by individual health care providers, institutional health care providers and information sources to protect against unauthorized disclosure of individually identifiable health information.

Section 8. Applicability of other laws.

Nothing in this act is intended to alter limitations on disclosure or release of health information or medical records that are prescribed in applicable State law.

Section 9. Civil cause of action.

Any person aggrieved by a violation of this act shall have a cause of action against the person who committed the violation and may recover:

    (1) Compensatory damages, but not less than liquidated damages, computed at the rate of $1,000 for each violation.

    (2) Punitive damages.

    (3) Reasonable attorney fees and litigation costs.

Section 10. Separate violations.

Each disclosure of health care information in violation of this act shall be considered a separate violation for purposes of civil liability.

Section 11. Repeals.

All acts and parts of acts are repealed insofar as they are inconsistent with this act.

Section 12. Effective date.

This act shall take effect in 60 days.

A11L35JRW/19990H0171B0159