BRUCE MUNSON, Revisor of Statutes Bureau, Suite 800, 131 W. Wilson Street, Madison, WI 53703,

Chair

M. MICHAEL CRAMER, 216 N. Adams Street, Rockville, MD 20850

FRANK DAYKIN, 4745 Giles Way, Carson City, NV 89704, Committee on Style Liaison

FREDERICK F. EICHHORN, JR., 7907 Lake Shore Drive, Gary, IN 46403

KENNETH LAWRENCE FORAN, 5001 Seminary Road, Alexandria, VA 22311-1920

DAVID A. GIBSON, 40 Park Place, P.O. Box 1767, Brattleboro, VT 05302

CYNTHIA IMBROGNO, United States District Court, P.O. Box 263, Spokane, WA 99210

SUSAN KELLY NICHOLS, P.O. Box 629, Raleigh, NC 27602-0629, Enactment Plan Coordinator

LARRY L. RUTH, Suite 202, 1233 Lincoln Mall, Lincoln, NE 68508

CHARLES A. TROST, Nashville City Center, 511 Union Street, Suite 2100, Nashville, TN 37219-1760

DAVID HEMOND, Room 509A, State Capitol, Hartford, CT 06106, Reporter

JOHN L. McCLAUGHERTY, P.O. Box 553, Charleston, WV 25322, President

ROBERT C. ROBINSON, P.O. Box 568, 12 Portland Pier, Portland, ME 04112, Division Chair

ALPHONSO O'NEIL-WHITE, 1901 Main Street, Buffalo, NY 14240, Health Law Section Advisor

ROBYN S. SHAPIRO, 100 E. Wisconsin Avenue, Milwaukee, WI 53202, Advisor

FRED H. MILLER, University of Oklahoma, College of Law, 300 Timberdell Road, Norman,

OK 73019, Executive Director

WILLIAM J. PIERCE, 1505 Roxbury Road, Ann Arbor, MI 48104, Executive Director Emeritus

SECTION 1-101. SHORT TITLE 4

SECTION 1-102. DEFINITIONS 4

SECTION 1-103. SCOPE 7

SECTION 1-104. RULEMAKING 7

SECTION 2-101. DISCLOSURE 9

SECTION 2-102. PATIENT'S AUTHORIZATION FOR DISCLOSURE 10

SECTION 2-103. PATIENT'S REVOCATION OF AUTHORIZATION FOR

DISCLOSURE 12

SECTION 2-104. DISCLOSURE WITHOUT PATIENT'S AUTHORIZATION 13

SECTION 2-105. DISCLOSURE ORDER 16

SECTION 3-101. REQUIREMENTS AND PROCEDURES FOR PATIENT'S

EXAMINATION AND COPYING 18

SECTION 3-102. REFUSAL OF EXAMINATION AND COPYING 19

SECTION 4-101. REQUEST FOR CORRECTION OR AMENDMENT 21

SECTION 4-102. PROCEDURE FOR ADDING CORRECTION OR AMENDMENT;

STATEMENT OF DISAGREEMENT 22

SECTION 4-103. DISSEMINATION OF CORRECTED OR AMENDED

INFORMATION OR STATEMENT OF DISAGREEMENT 23

SECTION 5-101. CONTENT AND DISSEMINATION OF NOTICE 24

SECTION 6-101. HEALTH CARE REPRESENTATIVES 26

SECTION 6-102. REPRESENTATIVE OF DECEASED PATIENT 26

SECTION 7-101. DUTY TO ADOPT SECURITY SAFEGUARDS 27

SECTION 7-102. RETENTION OF RECORD 28

SECTION 8-101. CIVIL ENFORCEMENT 29

SECTION 8-102. CIVIL REMEDIES 29

[SECTION 8-103. CRIMINAL PENALTY] 30

SECTION 9-101. UNIFORMITY OF APPLICATION AND CONSTRUCTION 32

SECTION 9-102. SEVERABILITY 32

SECTION 9-103. EFFECTIVE DATE 32

SECTION 9-104. REPEALS 32

SECTION 9-105. SAVING CLAUSE 33

The Uniform Health Care Information Act was approved by the National Conference for enactment in all States at its Annual Meeting on August 2-9, 1985 in Minneapolis, Minnesota and was approved by the American Bar Association on February 11, 1986. The Act was adopted by Montana and Washington. At a meeting on January 15-17, 1999, pursuant to a recommendation of the Scope and Program Committee, the Conference Executive Committee approved creation of a Drafting Committee to Revise the Uniform Health Care Information Act to review and report on a proposed scope of the revised Act by July 1999. The Drafting Committee met by teleconference on June 7, 1999, and, after approval by the Executive Committee of a proposed scope of revision at the July 1999 meeting, held drafting meetings September 24-26, 1999 at Little Rock, Arkansas and February 25-27, 2000 at Washington, D.C. The revised draft revision was submitted to the Committee on Style on March 24, 2000. The revision has not yet been considered by the Conference.

The Uniform Health Care Information Act, as revised, governs disclosure of and access to a patient's health care information. The law to which the Act is directed is in substantial flux both at the state and federal level. At the state level, few States have undertaken to comprehensively regulate health care information. However, every State has enacted laws concerning discrete aspects of health care information, including laws governing confidentiality of information concerning AIDS/HIV, mental health, access to information by public health authorities, and duties to report abuse or threats to public health. Those laws constitute an extensive patchwork that defies simple analysis. The best available summary of that law, prepared by the Georgetown University Privacy Project, is set out in Janlori Goldman's report, The State of Health Privacy: An Uneven Terrain, based on a 50-State survey completed in July 1999. See also the summary of State Laws set out in commentary to proposed federal rules at Federal Register/Vol. 64, No. 212, page 60011. Laws concerning when information must be disclosed, when it must be held confidential, and what obligations providers have to provide security safeguards and notice of their information practices vary widely from State to State, and depending on context, between more specific laws within individual States. A large volume of proposed state legislation is pending.

Confidentiality of health care information is also subject to extensive federal activity. Federal law governs confidentiality of health care information with respect to numerous federal programs and substance abuse. Proposed federal regulations covering health care information stored or transmitted in electronic media, and preempting less stringent state law, have been mandated by Congress and promulgated by the Department of Health and Human Services. However, over 50,000 comments were submitted concerning that proposal and no date has been set when they are scheduled to take effect. Numerous bills have been submitted in Congress over the last several years but no bill has been passed in both houses. Some of those bills, if enacted, would preempt the field.

Because health care is now carried out or supported by many multi-state operations and because medical information is widely disseminated nationally, and even internationally, uniformity of state law is highly desireable. Indeed, the need for uniformity has led some institutions to support preemptive federal regulation. The Act is directed to meet that need for uniformity while preserving to the States the prerogative to regulate more specifically with respect to sensitive or stigmatizing information and to reflect other state value judgments. In particular, the Act provides a mechanism by which individual States can impose reasonable confidentiality standards while reasonably limiting the administrative burdens and intrusions into health care operations that are inherent in such an Act. The Act also provides a private right of action and a more comprehensive enforcement mechanism than is available under the proposed federal regulations.

The Act sets out comprehensive rules governing disclosure of and access to a patient's health care information. The general rule is that health care information may not be disclosed by a health care provider without the patient's written authorization. However, that rule is, and as a matter of policy and practice should be, subject to policy exceptions that allow disclosure, without express authorization, among providers for health care purposes; to avoid an imminent danger to health or safety; to family members where appropriate; for quality assurance, peer review, audits, and related administrative matters; for research if approved by an institutional review board; to public health authorities and law enforcement authorities in accordance with other law; and for other discrete limited purposes.

The Act sets rules concerning a patient's right to access that patient's information and the right to seek a correction or add a statement of disagreement. The Act requires that providers give patients a notice of their information practices and that they establish security safeguards. Finally, the Act sets out an enforcement mechanism that includes a private right of action and an optional criminal penalty.

The Act as revised is closely based on the 1985 Act. The 1985 Act has provided a successful basis for confidentiality in the enacting States of Montana and Washington without incidence or adverse impact on the practice of health care. The 1985 Act remains a sound model for comprehensive coverage of health care information. The Act has been revised to reflect the explosion in information technology and changes in the practice of medicine through managed care and large multi-state providers. Moreover, the recent flurry of state legislation and proposed model acts has largely bypassed the 1985 Uniform Act, possibly because of concerns over limitations in its scope and safeguard provisions and because the language does not reflect electronic technology. The revised Act addresses those concerns by expanding coverage under the Act to persons receiving health care information in the regular course of business, by strengthening the requirements for security safeguards, and by drafting to reflect modern computer technology and electronic transmissions.

The practice of medicine has historically, and properly, been the subject of state law governing the licensing and practice of health care providers. The Act should be targeted for adoption in all States because it provides States with comprehensive uniform rules to protect health care information and because enactment of such a uniform law among the States provides a sound alternative to intrusive federal legislation in a field of inherent state authority.

SECTION 1-101. SHORT TITLE. This [Act] may be cited as the Uniform Health Care Information Act.

SECTION 1-102. DEFINITIONS. As used in this [Act]:

(1) "Audit" means an assessment, evaluation, determination, or investigation of a health care provider by a person not employed by or affiliated with the provider to determine compliance with:

(A) statutory, regulatory, fiscal, medical, or scientific standards;

(B) a private or public program of payments to a health care provider; or

(C) requirements for licensing, accreditation, or certification.

(2) "Authenticate" means:

(A) to sign; or

(B) with the intent to sign a record, otherwise to execute or adopt an electronic symbol, sound, message, or process referring to, attached to, included in, or logically associated or linked with, that record.

(3) "Directory information" means information disclosing the presence and the general health condition of a particular patient.

(4) "Disclose," with respect to health care information, means to release, transfer, provide or permit access to, or otherwise communicate the information to a person other than the individual who is the subject of the information.

(5) "General health condition" means the patient's health described as "critical," "poor," "fair," "good," "excellent," or by terms denoting similar conditions.

(6) "Health care" means:

(A) preventive, diagnostic, therapeutic, rehabilitative, or palliative care, including appropriate assistance with management of disease and symptoms and maintenance, or counseling and service and includes a procedure for the purpose of giving health care:

(i) with respect to the physical or mental condition of an individual; or

(ii) affecting the structure or function of the human body or any part of the human body, including the banking of blood, blood products, sperm, ova, genetic material, or organs or other tissue; or

(B) pursuant to a prescription or medical order, the sale or dispensing, to or for use by an individual, of a drug, device, equipment, or other item related to health care of the individual.

(7) "Health care information" means any information, whether oral or recorded in any form or medium, obtained by a health care provider in the course of providing health care to a patient, that identifies the patient and relates to the patient's health care. The term includes any record of disclosures of health care information.

(8) "Health care provider" means a person who is licensed, certified, or otherwise authorized by the law of this State to provide health care in the ordinary course of business or practice of a profession.

(9) "Identifies," with respect to health care information, includes information that can readily be associated with the identity of an individual.

(10) "Institutional review board" means any board, committee, or other group formally designated by an institution, or authorized under federal or state law, to review, approve the initiation of, or conduct periodic review of research to ensure the protection of the rights and welfare of human subjects of research.

(11) "Maintain," with respect to health care information, means to hold, possess, preserve, retain, store, or control access to the information.

(12) "Patient" means an individual who receives or has received health care. The term includes a deceased individual who has received health care.

(13) "Person" means an individual, corporation, business trust, estate, trust, partnership, limited liability company, association, joint venture, government; governmental subdivision, agency, or instrumentality; public corporation, or any other legal or commercial entity.

(14) "Record" means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in a perceivable form.

Several definitions, as follows, are added to or were substantively modified from the definitions in the 1985 Act.

Subsection (2) defines "Authenticate" and subsection (14) defines "Record" to comply with efforts by the Conference to facilitate electronic media.

Subsection (6) redrafts the definition of "health care" to more clearly include such procedures for the purpose of health care as the banking of blood, blood products, sperm, ova, genetic material or organs.

Subsection (9) includes a new definition of "identifies" to avoid the need to clarify with each use of the term the fact that "identifies" includes "information that can be readily associated with the identity of an individual."

SECTION 1-103. SCOPE. [Except as provided in _____], this [Act] applies to a patient's health care information.

The Act is drafted to facilitate enactment and is intended to ensure confidentiality for health care information where more specific legislation has not been enacted. Many States have existing provisions that address specific types of health care information, such as information concerning HIV/AIDS or mental health, or information held by public agencies. For policy reasons such as the stigmatizing nature of sensitive information or the wish to facilitate disclosure for public purposes, some States may wish to retain those provisions and enact this law as a default provision that governs health care information generally but that is trumped by more specific legislation. This scope provision facilitates that intent but requires that States identify those trumping provisions. Because uniformity avoids complexity and confusion, state legislatures should carefully review those more specific provisions and retain them only if necessary to effect a considered policy.

SECTION 1-104. RULEMAKING. The [appropriate regulatory agency] may adopt regulations concerning the form and the dissemination of the notice of information practices required by Section 5-101 and concerning the nature and the sufficiency of the safeguards required by Section 7-101 [as they relate to entities regulated by that agency]. Those regulations shall ensure that patients receive notice of the practices that affect the confidentiality of their health care information, that the safeguards reflect the size and practice of the entity, and that only the minimum necessary administrative burden is imposed by those requirements.

This Act imposes obligations on health care providers to provide patients with notice of information practices and requires health care providers and others to adopt appropriate practices reasonably designed to safeguard the flow of health care information. Whether notice is appropriate and what safeguards are necessary will differ depending on the entity holding the information. This section permits States to empower an agency or agencies to set more specific regulatory guidelines concerning the notice of information practices and the security safeguards. Those guidelines may provide more specific limitations on the notice requirement to avoid inappropriate paper burdens and may specify and differentiate the safeguard requirements depending on the size and practices of entities. Often, the agency or agencies to be empowered will have responsibility for regulations concerning providers such as primary care physicians, hospitals, or pharmacists. However, guidelines might also be appropriate for insurers, employers, educators, and others who deal with health care records in the regular course of business.

SECTION 2-101. DISCLOSURE.

(a) Except as authorized in Section 2-104 or 2-105, or by other law, a health care provider, a person who assists a health care provider in providing health care, an agent and employee of a health care provider, or an independent contractor with a health care provider may not disclose a patient's health care information to any other person without the patient's authorization pursuant to Section 2-102. A disclosure made under a patient's authorization must comport with the authorization.

(b) A person to whom health care information is disclosed in the regular course of business or pursuant to an authorization may not disclose the information to any other person unless a health care provider would be authorized to make the disclosure under Section 2-104 or 2-105 or by other law or by an authorization that complies with Section 2-102.

(c) If a person to whom health care information is disclosed in the regular course of business is not otherwise subject to the jurisdiction of this State, the recipient, by accepting that information, consents to the jurisdiction of this State for the purpose of any disclosure by the recipient of that information.

Subsection (a) refers to "other law" to recognize that federal law governs certain disclosures and that States may retain or enact other provisions that allow disclosure in discrete cases without authorization. This Act would not trump those provisions. Subsection (b) provides, subject to statutory exceptions, that a person receiving health care information in the regular course of business is under the same obligation as the health care provider to maintain confidentiality and may not redisclose except as expressly authorized. The exception for authorization "under other law" allows a redisclosure if it is explicitly authorized under another provision. Subsection (c) addresses the State's need for jurisdiction for enforcement purposes over an out-of-state recipient who receives health care information in the regular course of business.

SECTION 2-102. PATIENT'S AUTHORIZATION FOR DISCLOSURE.

(a) A patient may authorize a health care provider or a person to whom health care information has been disclosed to disclose the patient's health care information. A health care provider shall honor an authorization pursuant to Section 3-101 unless the provider denies the patient access to the information under Section 3-102.

(b) An authorization for disclosure must:

(1) be a record, dated, and authenticated by the patient;

(2) identify the information to be disclosed;

(3) identify the person to whom the information is to be disclosed; and

(4) include a notice that:

(A) the purpose for which the information may be used is not limited unless expressly limited by the authorization;

(B) the authorization expires not later than six months after it is authenticated, or on such later date, not more than 30 months after it is authenticated, as it specifies;

(C) the patient may revoke the authorization; and

(D) further disclosure of the information by the recipient may require further authorization.

(c) An authorization to permit the sale or marketing of health care information must:

(1) comply with subsection (b);

(2) be executed separately from an authorization for any other purpose;

(3) be executed solely for the purpose of permitting sale or marketing of health care information; and

(4) contain a conspicuous statement of that purpose.

(d) Except as provided in the authorization, the authentication of an authorization by a patient is not a waiver of any rights the patient has under other law.

(e) Except for an authorization to provide information to third-party payers for health care or an authorization that expressly provides for a longer period, an authorization does not permit the release of health care information relating to health care that the patient receives more than six months after the authorization is authenticated.

(f) An authorization in effect on [the effective date of this [Act]] remains valid for 30 months after [the effective date of this [Act]] unless an earlier expiration date is specified or the authorization is revoked. Health care information disclosed under such an authorization is otherwise subject to this [Act]. An authorization given after [the effective date of this [Act]] becomes invalid on the expiration date contained in the authorization, or after 30 months, whichever is earlier. An authorization that does not contain an expiration date expires six months after it is authenticated. If a health care provider required to disclose under Section 3-101 receives an authorization that would expire less than 21 days after receipt, the authorization, unless revoked, is extended for 21 days after receipt to permit the required disclosure.

The revised Act in principle follows former Section 2-102 but is revised to facilitate use of electronic media. The new section also requires that an authorization include a notice that the purpose for which the information may be used is not limited unless it is expressly limited by the authorization, that the authorization expires as provided by the Act, that the patient may revoke the authorization, and that authorization may be required by the recipient for a further disclosure. Subsection (c) adds a new requirement that an authorization to permit the sale or marketing of information must be executed separately and contain a conspicuous statement of that purpose. Finally, subsection (f) contains a new provision that automatically extends an authorization for 21 days if the authorization is received less than 21 days before it would otherwise expire.

SECTION 2-103. PATIENT'S REVOCATION OF AUTHORIZATION FOR DISCLOSURE. A patient may revoke an authorization for disclosure at any time except with respect to health care information that is required to effectuate payments for health care that has been provided or with respect to health care information that relates to action that has been taken in reliance on the authorization. A patient may not maintain an action for disclosures made in reliance in good faith on an authorization if the person making the disclosure had no notice of the revocation of the authorization.

SECTION 2-104. DISCLOSURE WITHOUT PATIENT'S AUTHORIZATION.

(a) If disclosure is not prohibited by other law and the recipient needs to know the information, a health care provider may disclose health care information about a patient without the patient's authorization:

(1) to a current or former health care provider of the patient or a successor in interest of the provider if:

(A) the patient has not prohibited the health care provider who has the information from making the disclosure; and

(B) the information is disclosed to provide health care to the patient;

(2) to any person if the provider reasonably believes that disclosure is necessary to avoid or minimize an imminent danger to the health or safety of the patient or any other individual;

(3) to members of the patient's immediate family, or any other individual with whom the patient is known to have a close personal relationship, if the disclosure is made in accordance with good medical or other professional practice, unless the patient has instructed the provider not to make the disclosure;

(4) if disclosure in a form that does not identify the patient is impractical or does not achieve the purpose of the disclosure and the recipient has established reasonable safeguards pursuant to Section 7-101 or the recipient has given reasonable assurances that the information is protected from improper use and disclosure:

(A) to any person who requires health care information for health care education, or to provide planning, quality assurance, peer review, or administrative, legal, financial, or actuarial services to the provider, or to assist the provider in the delivery of health care; and

(B) to a person who obtains information for purposes of an audit, if that person agrees in a record:

(i) to remove or destroy, at the earliest opportunity consistent with the purpose of the audit, information that would enable the patient to be identified; and

(ii) not to disclose the information except to accomplish the audit or to report unlawful or improper conduct involving fraud in payment for health care by a health care provider or patient, or other unlawful conduct by the provider;

(5) for use in research that an institutional review board has determined:

(A) is of sufficient importance to outweigh the intrusion into the privacy of the patient that would result from the disclosure;

(B) is impracticable without the use or disclosure of the health care information in a form that identifies the patient;

(C) contains reasonable safeguards to protect the information from disclosure;

(D) contains reasonable safeguards to protect against identifying any patient in any report derived from the research; and

(E) contains procedures to remove or destroy, at the earliest opportunity consistent with the purposes of the research, information that would enable the patient to be identified, unless an institutional review board authorizes retention of identifying information for the purpose of other research;

(6) to an appropriate official of a penal or other custodial institution in which the patient is confined.

(b) A health care provider may disclose health care information about a patient without the patient's authorization if the disclosure is:

(1) directory information and the patient is an inpatient or is currently receiving emergency health care at a facility that provides health care, unless the patient has instructed the provider not to make the disclosure or the disclosure is otherwise prohibited by law;

(2) to public-health authorities, to the extent the provider is required by law to report health care information or when needed to protect the public health;

(3) to law enforcement authorities to the extent required by law;

(4) in accordance with Section 2-105 pursuant to an order for disclosure or pursuant to consent to compulsory process or consent to a request for discovery.

This section follows the principle of the 1985 Act that the confidentiality requirements where necessary should be subordinated to the needs of medical practice. In the general case, it is understood that a patient is providing information to the patient's physician for purposes of medical treatment and that the information can be used for that purpose. However, the section is extensively redrafted from the 1985 Act. Primary changes include:

(1) All health care providers to whom information may be disclosed are treated identically - a disclosure is allowed as long as it is for treatment and has not been expressly prohibited by the patient. The status of the provider as a current provider, former provider, or successor to a provider is not relevant.

(2) If information is to be disclosed for purposes of facilitating the medical practice or for an audit, the information cannot be disclosed if the purpose could be satisfied by the same information in nonidentifiable form. The recipient must also have established safeguards or given express assurance that the information will be protected.

SECTION 2-105. DISCLOSURE ORDER.

(a) Unless disclosure is authorized under Section 2-102 or 2-104 or other law or the patient has consented in a record to disclosure in response to compulsory process or a request for discovery, health care information may be disclosed only if a court orders disclosure.

(b) A person seeking disclosure under this section may file an appropriate request, application or motion with the court stating the health care information sought and ground for disclosure.

(c) The judicial proceeding to order disclosure under this [Act] must be conducted with due regard for the confidentiality of the information sought to be disclosed. The court may review the information in camera.

(d) Grounds for disclosure of health care information are:

(1) the patient has waived the confidentiality of the health care information sought;

(2) the patient is a party to a proceeding in which the patient has placed the patient's physical or mental condition in issue;

(3) the patient's physical or mental condition is relevant to the execution or witnessing of a will;

(4) the deceased patient's physical or mental condition is placed in issue by any person claiming or defending through or as a beneficiary of the patient;

(5) a patient's information is to be used in the patient's commitment to an institution;

(6) the information is for use in any law enforcement proceeding or investigation in which a health care provider is the subject or a party but information so obtained may not be used against the patient in any proceeding unless the matter relates to payment for the patient's health care, or disclosure is authorized under paragraph (8);

(7) the information is relevant to a proceeding initiated under [Article] 8; or

(8) the court determines that particular health care information is subject to compulsory legal process or discovery because the party seeking the information has demonstrated that the interest in access outweighs the patient's interest in privacy.

(e) Production of health care information under this section does not waive any privilege, objection, or defense existing under other law.

This section expressly defers to other state law, if any, governing compulsory process with respect to health care information. However, in the absence of such other law, this section allows disclosure pursuant to compulsory process only if ordered by a court in accordance with one of the grounds for disclosure set out in subsection (d).

SECTION 3-101. REQUIREMENTS AND PROCEDURES FOR PATIENT'S EXAMINATION AND COPYING.

(a) Upon receipt of an authorization to disclose under Section 2-102 and a request in a record for examination or copying of all or part of the patient's recorded health care information, a health care provider, as promptly as required under the circumstances, but no later than 10 days after receiving the request, shall, as appropriate:

(1) comply with the request by making the information available for examination during regular business hours and providing a requested copy of the information;

(2) inform the person who requested examination or copying if the information does not exist or cannot be ascertained;

(3) if the provider does not maintain a record of the information, inform the person who requested examination or copying and provide the name and address, if known, of the provider who maintains the record;

(4) if the information is in use or unusual circumstances have delayed handling the request, inform the person who requested examination or copying and specify in a record the reasons for the delay and the earliest date, not later than 21 days after receiving the request, when the information will be available for examination or copying or when the request will be otherwise disposed of; or

(5) refuse the request, in whole or in part, under Section 3-102 and inform the person making the request.

(b) Upon request, a health care provider shall provide an explanation of any code or abbreviation used in health care information the provider maintains. If a record of the particular health care information requested is not maintained by the provider in the requested form, the provider is not required to create a new record or reformulate an existing record to make the information available in the requested form. The provider may charge a reasonable fee for providing the health care information and need not permit examination or provide a copy until the fee is paid.

The language in the 1985 Act concerning "actual costs" was deleted as subject to an unreasonably restrictive interpretation. The legislature may wish to cross-reference existing state standards in analogous record-keeping provisions.

SECTION 3-102. REFUSAL OF EXAMINATION AND COPYING.

(a) A health care provider may refuse access to health care information requested pursuant to Section 3-101 if the provider reasonably concludes that:

(1) knowledge of the information would be injurious to the health of the patient;

(2) knowledge of the information could reasonably be expected to lead to the identification of an individual who provided the information in confidence and under circumstances in which confidentiality was appropriate;

(3) knowledge of the information could reasonably be expected to endanger the life or safety of any individual;

(4) the information was compiled and is used solely for civil or criminal litigation, quality assurance, peer review, or administrative purposes; or

(5) access to the information is otherwise prohibited by law.

(b) If a health care provider refuses a request under this section, the provider, to the extent possible, shall segregate health care information to which access has been refused under subsection (a) from information to which access cannot be refused and comply with the request with respect to the disclosable information.

(c) If a health care provider refuses a patient's request, in whole or in part, under subsection (a)(1), the provider shall permit examination and copying of the record by another health care provider, selected by the patient, who is licensed, certified, or otherwise authorized under the laws of this State to treat the patient for the same condition as the provider that refused the request. The provider that refused the request shall inform the patient of the patient's right to select a health care provider under this subsection.

(d) In any proceeding contesting a health care provider's refusal to honor a patient's authorization to disclose information, the court, after a hearing reviewing the information in camera, shall order the requested disclosure unless it determines that the provider has established grounds for refusal under subsection (a).

Subsection (c) addresses process concerns where a health care provider has initially denied access based on concern for the health of the patient. Subsection (d) requires the court to conduct an in camera review and requires disclosure unless the provider establishes grounds for denial.

SECTION 4-101. REQUEST FOR CORRECTION OR AMENDMENT.

(a) For purposes of accuracy or completeness, a patient may request in a record that a health care provider correct or amend the patient's health care information record to which the patient has access.

(b) As promptly as required under the circumstances, but no later than 10 days after receiving a request from a patient to correct or amend the patient's health care information record, a health care provider, as appropriate, shall:

(1) make the requested correction or amendment and inform the patient of the action and of the patient's right to have the correction or amendment sent to previous recipients of the information in question;

(2) inform the patient that the record no longer exists or cannot be ascertained;

(3) inform the patient that the provider does not maintain the record and provide the patient with the name and address, if known, of the person who maintains the record;

(4) inform the patient that the record is in use or unusual circumstances have delayed the handling of the correction or amendment request, and specify in a record the earliest date, which may not be later than 21 days after receiving the request, when the correction or amendment will be made or when the request will otherwise be disposed of; or

(5) inform the patient in a record of the provider's refusal to correct or amend the record as requested, the reason for the refusal, and the patient's right to add a statement of disagreement and to have the statement sent to previous recipients of the disputed information.

SECTION 4-102. PROCEDURE FOR ADDING CORRECTION OR AMENDMENT; STATEMENT OF DISAGREEMENT.

(a) In making a correction or amendment requested under Section 4-101, a health care provider shall:

(1) add the amending information as a part of the health record; and

(2) mark the challenged entries as corrected or amended entries and indicate the place in the record where the corrected or amended information is located, in a manner practicable under the circumstances.

(b) If the health care provider maintaining the patient's health care information record refuses to make the patient's proposed correction or amendment, the provider shall:

(1) permit the patient to file as a part of the record of the information a concise statement of the correction or amendment requested and the reasons therefor; and

(2) mark the challenged entry to indicate that the patient claims the entry is inaccurate or incomplete and indicate the place in the record where the statement of disagreement is located, in a manner practicable under the circumstances.

(c) This section does not require or authorize a health care provider to delete, erase, or obliterate health care information.

Subsection (c) clarifies that original information collected or provided by a health care provider, even if "corrected" or "amended", is not required or authorized to be erased or obliterated.

SECTION 4-103. DISSEMINATION OF CORRECTED OR AMENDED INFORMATION OR STATEMENT OF DISAGREEMENT.

(a) Upon request of a patient, a health care provider shall take reasonable steps to provide copies of corrected or amended information or of a statement of disagreement to all persons designated by the patient and identified in the health care information as having examined or received copies of the information sought to be corrected or amended.

(b) A health care provider may charge the patient a reasonable fee for distributing corrected or amended information or the statement of disagreement, unless the provider's error necessitated the correction or amendment.

The legislature may wish to cross-reference existing state standards in analogous record-keeping provisions.

SECTION 5-101. CONTENT AND DISSEMINATION OF NOTICE.

(a) A health care provider shall provide a copy of the notice of information practices required by subsection (b) to a patient or prospective patient when requested. A health care provider that directly cares for a patient shall ensure at the commencement of the patient-provider relationship that a copy of the notice is or has been provided to the patient.

(b) Except as more specifically provided in regulations promulgated by an agency authorized under Section 1-104, the notice of information practices concerning health care must contain substantially the following:

"We keep a record of the health care we provide you. This information is confidential and we have established safeguards to prevent its improper use or disclosure. However, some or all of this information may be legally disclosed without your authorization to assist in your treatment and to facilitate our practice of health care, to monitor our practice for quality assurance, peer review, and auditing, to support research, and for other legally authorized purposes. A more specific description of the permitted scope of and the limitations on these disclosures is set out in [Section 2-104 of the Uniform Health Care Information Act]. Any person that receives your information in the regular course of business pursuant to [Section 2-104] must have safeguards to prevent improper use or disclosure.

You have legal rights concerning your health care information, including the right to examine and copy your records, to request correction or amendment of your records, and to revoke any disclosure authorization that you signed. Your rights, and limitations on those rights, are more specifically set out in [The Uniform Health Care Information Act]. You may see your record or get more information about it at ___________."

This provision expands on the notice requirement in the 1985 Act. The Committee determined that "patients would be given full disclosure, without placing unreasonable administrative burdens and expenses on the health care system." The Act intends that a copy of a "notice of information practices" be provided to each patient at an appropriate time, typically at the beginning of the patient-provider relationship. In the absence of a request, posting was sufficient under the 1985 Act. The notice required by this Act more specifically alerts a patient both to ordinary medical information practices and to the patient's rights with respect to those practices. However, it is not intended that additional burdens be imposed once a notice has been provided. If, for example, a patient is a regular client of a clinic or hospital with several providers, the initial provision of the notice is sufficient. Similarly an indirect provider of care such as a radiologist acting pursuant to a primary provider's referral may rely on the referring provider to have provided the required notice. This provision does not require, or intend, that the provider obtain the patient's signature acknowledging receipt of the notice.

SECTION 6-101. HEALTH CARE REPRESENTATIVES.

(a) A person authorized to consent to health care for another may exercise the rights of that person under this [Act] consistent with the authority conferred. If the patient is a minor and is authorized to consent to health care without parental consent under the law of this State, only the minor may exercise the rights of a patient under this [Act] as to information concerning health care to which the minor lawfully consented.

(b) A person exercising authority to act for a patient shall act in good faith to represent the best interest of the patient.

(c) A health care provider shall not be liable for damages under Section 8-102 for a disclosure made in good faith reliance on a representation of authority under this section or Section 6-102.

SECTION 6-102. REPRESENTATIVE OF DECEASED PATIENT. A [personal representative] of a deceased patient may exercise all of the deceased patient's rights with respect to the deceased patient's health care information under this [Act]. If there is no [personal representative], or upon discharge of the [personal representative], a deceased patient's rights under this [Act] may be exercised by persons who are authorized by law to act for the deceased patient.

SECTION 7-101. DUTY TO ADOPT SECURITY SAFEGUARDS.

(a) A health care provider shall establish and maintain safeguards for the security of all health care information it maintains. The safeguards shall include policies, standards, and procedures for the management of health care information, including appropriate administrative, technical, and physical safeguards, that are reasonably designed to prevent the prohibited collection, use, or disclosure of that information.

(b) Before disclosing health care information in the regular course of business under Section 2-104(a)(4), a health care provider, pursuant to its policies, standards, and procedures, shall determine that the recipient of the information has safeguards similar to those required of providers under subsection (a).

The concept that security safeguards be adopted is central to the Act. The revision is more specific than the 1985 Act as to the nature of the safeguards that must be implemented.. However, the Committee continues to believe that specifying the details of specific safeguards in the Act is unworkable in light of the broad range of practitioners and entities to which the safeguards would apply. The Act requires standards that are reasonably designed for the adopting entity. The Committee also contemplates that an agency or agencies may be authorized by Section 1-104 to more specifically regulate the content of safeguards. In general, it is contemplated that a solo practitioner should not be required to extensively document practices and policies. Reference to some developed standards of practice might suffice. A large health care institution, on the other hand, would be expected to establish clear policies and guidelines to safeguard the information flow.

SECTION 7-102. RETENTION OF RECORD. A health care provider shall retain a patient's then existing health care information records for at least one year after receipt of an authorization to disclose information concerning the patient under Section 3-101 or a request for correction or amendment of information concerning the patient under Section 4-101. A health care provider shall maintain, as part of a patient's recorded health care information, a record of each person who has received or examined the information, in whole or in part, during the preceding [three] years, except for a person who has examined the information under Section 2-104(a)(1) or (4)(A). The record must include the name, address, and institutional affiliation, if any, of each person receiving or examining the information, the date of the receipt or examination, and, to the extent practicable, a description of the information disclosed and the basis of disclosure. A health care provider shall retain each authorization or revocation in conjunction with the health care information to which it relates.

This section requires that a provider retain the entire medical record of a patient for a period of one year after a disclosure request or request for correction. The provision is expressly intended to preclude a provider from destroying records that were not subject to the initial request but that are, in fact, relevant to an ongoing inquiry or proceeding.

SECTION 8-101. CIVIL ENFORCEMENT. The [attorney general or appropriate local law enforcement official] may maintain a civil action to enforce this [Act]. The court may order any relief authorized by Section 8-102.

SECTION 8-102. CIVIL REMEDIES.

(a) In addition to other civil remedies, a person aggrieved by a violation of this [Act] may maintain an action for relief as provided in this section.

(b) The court may order a health care provider or other person to comply with this [Act] and may order any other appropriate relief.

(c) If the court determines that there is a willful and intentional violation or reckless disregard of this [Act], the person injured is entitled to recover actual damages sustained as a result of the violation.

(d) If the actions of a party to the litigation were not substantially justified, the court may award the prevailing party reasonable attorney's fees and all other expenses reasonably incurred in the litigation.

(e) Any action under this [Act] is barred unless the action is commenced within 2 years after the right of action accrues.

The section requires that a violation be "intentional and willful" or "in reckless disregard" of the Act for the injured person to recover actual damages. That burden would not be required to obtain equitable relief such as a disclosure or compliance order. Unlike the 1985 Act, the revised Act also applies the "reasonable attorney's fees" provision to both parties but allows their assessment only if the court finds that the actions of the losing party were "not substantially justified." In an appropriate case, a State may wish to enact and codify subsection (e) (setting a statute of limitations) as a separate section to be codified with similar limitations.

[SECTION 8-103. CRIMINAL PENALTY.

(a) A person who maliciously or for personal gain willfully or with reckless indifference discloses health care information in violation of this [Act], and who knew or should have known that disclosure is prohibited, is guilty of a [misdemeanor], and upon conviction is punishable by a fine not exceeding [$10,000] or imprisonment for a period not exceeding [one year], or both.

(b) A person who, by means of (I) bribery, (ii) theft, [or] (iii) misrepresentation of identity, purpose of use, or entitlement to the information, [or (iv) trespass,] examines or obtains, in violation of this [Act], health care information maintained by a health care provider, is guilty of a [misdemeanor] and upon conviction is punishable by a fine not exceeding [$10,000] or imprisonment for a period not exceeding [one year], or both.

(c) A person who, knowing that an authorization under Section 2-102 for disclosure is false, willfully presents the authorization to a health care provider, is guilty of a [misdemeanor] and upon conviction is punishable by a fine not exceeding [$10,000] or imprisonment for a period not exceeding [one year] or both.]

The Committee retained criminal sanctions as a state option. Because the Act must avoid chilling the flow of medical information where necessary and proper, the standards for criminal liability should be set high. Subsection (a) requires an element of malice or personal gain even to convict on a simple violation.

SECTION 9-101. UNIFORMITY OF APPLICATION AND CONSTRUCTION. In construing and applying this Uniform Act, consideration must be given to the need to promote uniformity of the law with respect to its subject matter among States that enact it.

SECTION 9-102. SEVERABILITY. If any provision of this [Act] or its application to any person or circumstance is held invalid, the invalidity does not affect other provisions or applications of this [Act] which can be given effect without the invalid provision or application, and to this end the provisions of this [Act] are severable.

SECTION 9-103. EFFECTIVE DATE. This [Act] takes effect . . . . . . . . . . .&n bsp;. . . .  .

Consideration should be given to providing an extended effective date to facilitate adoption by providers of the required safeguards and notices and to allow promulgation of any regulations authorized by Section 1-104.

SECTION 9-104. REPEALS. The following acts and parts of acts are repealed:

(1)

(2)

(3)

SECTION 9-105. SAVING CLAUSE. This [Act] does not affect an action or proceeding commenced or right accrued before [this [Act] takes effect].