PRINTER'S NO. 159
No. 171 Session of 1999
INTRODUCED BY DERMODY, BUXTON, THOMAS, TULLI, SEYFERT, BEBKO-
JONES, LAUGHLIN, HARHAI, PESCI, HERMAN, CLARK, BELFANTI,
GEIST, TRAVAGLIO, ALLEN, COY, WALKO, KENNEY, SHANER,
HENNESSEY, LEDERER, FAIRCHILD, PRESTON, CASORIO, VAN HORNE
AND EACHUS, JANUARY 27, 1999
REFERRED TO COMMITTEE ON HEALTH AND HUMAN SERVICES,
JANUARY 27, 1999
AN ACT
1 Providing for confidentiality of medical records.
2 The General Assembly finds and declares as follows:
3 (1) There is a compelling need to protect the
4 confidentiality of health information and medical records and
5 to prohibit the unauthorized disclosure of individually
6 identifiable health information.
7 (2) It is the purpose of this act to recognize that
8 individuals have the right to control their own medical
9 records and to prevent disclosure of the contents of those
10 medical records without their knowing, meaningful and
11 informed consent.
12 (3) It is the intent of the General Assembly to provide
13 specific privacy protections for personal medical records and
14 to provide a remedy for violations of this act.
15 The General Assembly of the Commonwealth of Pennsylvania
1 hereby enacts as follows:
2 Section 1. Short title.
3 This act shall be known and may be cited as the Health
4 Information Confidentiality Act.
5 Section 2. Definitions.
6 The following words and phrases when used in this act shall
7 have the meanings given to them in this section unless the
8 context clearly indicates otherwise:
9 "Health information." Any information or medical records, in
10 whatever form, pertaining to medical and health care services
11 performed by or at the direction of an individual health care
12 provider or an institutional health care provider which
13 identifies the patient or client, or from whom the identity of
14 the patient or client can reasonably be determined, which is in
15 the possession of an individual health care provider,
16 institutional health care provider or an information source. The
17 term includes, but is not limited to, medical records relating
18 to the evaluation, diagnosis or treatment of an injury, illness
19 or condition.
20 "Individual health care provider." A physician, nurse,
21 emergency medical services worker, chiropractor, psychologist,
22 nurse-midwife, physician assistant, dentist or other person
23 providing medical, nursing or other health care services of any
24 kind.
25 "Information source." The term shall mean:
26 (1) An individual health care provider.
27 (2) An institutional health care provider.
28 (3) An ambulatory service facility.
29 (4) A health maintenance organization as defined in the
30 act of December 29, 1972 (P.L.1701, No.364), known as the
19990H0171B0159 - 2 -
1 Health Maintenance Organization Act.
2 (5) A medical or health service plan with a certificate
3 of authority issued by the Insurance Department, including,
4 but not limited to, hospital plan corporations as defined in
5 40 Pa.C.S. Ch. 61 (relating to hospital plan corporations)
6 and professional health services plan corporations as defined
7 in 40 Pa.C.S. Ch. 63 (relating to professional health
8 services plan corporations).
9 (6) A commercial insurer with a certificate of authority
10 issued by the Insurance Department providing health or
11 accident insurance.
12 (7) A self-insured employer providing health or accident
13 coverage or benefits for employees employed in this
14 Commonwealth.
15 (8) An administrator of a self-insured or partially
16 self-insured health or accident plan providing covered
17 services in this Commonwealth.
18 (9) Any health and welfare fund that provides health or
19 accident benefits or insurance pertaining to covered services
20 in this Commonwealth.
21 (10) The Department of Public Welfare for those covered
22 services it purchases or provides through the medical
23 assistance program under the act of June 13, 1967 (P.L.31,
24 No.21), known as the Public Welfare Code.
25 (11) Any other payor for covered services in this
26 Commonwealth other than an individual.
27 "Institutional health care provider." A hospital, nursing
28 home, hospice, drug and alcohol services provider, clinic, blood
29 bank, plasmapheresis or other blood product center, organ or
30 tissue bank, sperm bank, clinical laboratory or any health care
19990H0171B0159 - 3 -
1 institution required to be licensed in this Commonwealth.
2 "Medical record." The written or graphic documentation,
3 electronic or sound record, videotape, phonograph or computer
4 record of services pertaining to medical or health care
5 performed by or at the direction of an individual health care
6 provider or institutional health care provider. The term
7 includes, but is not limited to, diagnostic documentation such
8 as X-rays, electrocardiograms, electroencephalograms and test
9 results.
10 Section 3. Limitations on disclosure.
11 (a) Disclosure limited.--All health information and medical
12 records in the possession or custody of an individual health
13 care provider, institutional health care provider or information
14 source or an employee or agent of an individual health care
15 provider, institutional health care provider or information
16 source shall be kept confidential and may not be released or its
17 contents disclosed to anyone, except:
18 (1) To the subject of the health care information.
19 (2) To the subject's primary care physician, provided
20 that the subject has indicated the identity of that primary
21 care physician to whom such information may be released.
22 (3) To a person specifically designated in a written
23 consent under subsection (b).
24 (4) To an agent, employee or medical staff member of a
25 health care provider when disclosure is necessary for
26 purposes of diagnosis or treatment.
27 (5) To prevent death or severe illness in an emergency
28 where disclosure of health information is necessary for
29 treatment of the patient or client.
30 (6) To a peer review organization or committee as
19990H0171B0159 - 4 -
1 defined in the act of July 20, 1974 (P.L.564, No.193), known
2 as the Peer Review Protection Act, a nationally recognized
3 accrediting agency, any Federal or State Government agency
4 with oversight responsibilities over health care providers,
5 or as otherwise provided by law.
6 (7) To an insurer, but only to the extent necessary to
7 reimburse a health care provider or to make payment of a
8 claim submitted under an insured's policy.
9 (8) Pursuant to an order of a court of common pleas
10 after application showing good cause with proper notice and
11 an opportunity to be heard. The court shall weigh the need
12 for disclosure against the privacy interest of the individual
13 and possible harm resulting from disclosure.
14 (b) Required elements of written consent to disclosure.--A
15 written consent to disclosure of health care information shall
16 include:
17 (1) The specific name of the individual or organization
18 permitted to make the disclosure.
19 (2) The name or title of the individual to whom or the
20 name of the organization to which the disclosure is to be
21 made.
22 (3) The name of the patient whose records are to be
23 disclosed.
24 (4) The specific purpose or purposes of the disclosure.
25 (5) The amount and kind of information to be disclosed.
26 (6) The signature of the patient or, if the patient is
27 12 years of age or younger, the signature of the patient's
28 parent or guardian.
29 (7) The date on which the consent is signed.
30 (8) A statement that the consent is subject to
19990H0171B0159 - 5 -
1 revocation at any time except to the extent that the person
2 who is to make the disclosure has already acted in reliance
3 on it.
4 (9) The date, event or condition upon which the consent
5 will expire, if not earlier revoked.
6 In no event shall a written consent under this act be deemed
7 valid more than one year after the date the consent was signed.
8 (c) Expired, deficient or false consent.--A disclosure may
9 not be made on the basis of a consent which:
10 (1) has expired;
11 (2) on its face substantially fails to conform to any of
12 the requirements set forth under subsection (b);
13 (3) is known to have been revoked; or
14 (4) is known by the person holding the information to be
15 materially false.
16 (d) Notice to accompany disclosure.--Each disclosure made
17 with the subject's written consent must be accompanied by the
18 following written statement:
19 This information has been disclosed to you from records
20 the confidentiality of which is protected by Commonwealth
21 law. Commonwealth law prohibits you from making any
22 further disclosure of this information unless further
23 disclosure is expressly permitted by the written consent
24 of the person to whom it pertains. A general
25 authorization for the release of health or other
26 information or medical records is not sufficient for this
27 purpose.
28 Section 4. Duty to maintain confidentiality.
29 In the event that health information is disclosed under
30 section 3(a)(6) or (7), an individual health care provider,
19990H0171B0159 - 6 -
1 institutional health care provider or information source shall
2 take all necessary steps to maintain the confidentiality of the
3 patient and that patient's health information and medical
4 records. Unless there is a compelling need to disclose the
5 actual identity of the patient or client, all information
6 relating to the identity of the patient or client, or from which
7 the identity can be reasonably determined, shall not be
8 disclosed.
9 Section 5. Recordkeeping requirements.
10 Individual health care providers, institutional health care
11 providers and information sources shall maintain, as a permanent
12 part of the patient's medical records, a record of all
13 disclosures of health care information to any person not
14 employed by or affiliated with it. The record shall include the
15 name and address of each person receiving the health care
16 information and a description of the information disclosed.
17 Section 6. Prohibition on disclosure to employers.
18 Health information may not be disclosed to a patient's or
19 client's employer without the written consent of the patient or
20 client under section 3(b). In the case of disclosure to an
21 employer, the written consent must also include a statement why
22 the disclosure to the employer is necessary and that the patient
23 or client understands the reason for the disclosure.
24 Section 7. Development of further safeguards.
25 Within one year of the enactment of this act, the Department
26 of Health shall promulgate standards for the implementation of
27 administrative, technological and physical safeguards by
28 individual health care providers, institutional health care
29 providers and information sources to protect against
30 unauthorized disclosure of individually identifiable health
19990H0171B0159 - 7 -
1 information.
2 Section 8. Applicability of other laws.
3 Nothing in this act is intended to alter limitations on
4 disclosure or release of health information or medical records
5 that are prescribed in applicable State law.
6 Section 9. Civil cause of action.
7 Any person aggrieved by a violation of this act shall have a
8 cause of action against the person who committed the violation
9 and may recover:
10 (1) Compensatory damages, but not less than liquidated
11 damages, computed at the rate of $1,000 for each violation.
12 (2) Punitive damages.
13 (3) Reasonable attorney fees and litigation costs.
14 Section 10. Separate violations.
15 Each disclosure of health care information in violation of
16 this act shall be considered a separate violation for purposes
17 of civil liability.
18 Section 11. Repeals.
19 All acts and parts of acts are repealed insofar as they are
20 inconsistent with this act.
21 Section 12. Effective date.
22 This act shall take effect in 60 days.
A11L35JRW/19990H0171B0159 - 8 -