DRAFT
FOR DISCUSSION ONLY
PROPOSED REVISIONS OF
UNIFORM HEALTH CARE INFORMATION ACT
NATIONAL CONFERENCE OF COMMISSIONERS
ON UNIFORM STATE LAWS
FEBRUARY, 2000
WITH REPORTER'S NOTES
Copyright© 2000
By
NATIONAL CONFERENCE OF COMMISSIONERS
ON UNIFORM STATE LAWS
DRAFTING COMMITTEE TO REVISE
UNIFORM HEALTH CARE INFORMATION ACT
BRUCE MUNSON, Revisor of Statutes Bureau, Suite 800, 131 W. Wilson Street, Madison, WI 53703, Chair
M. MICHAEL CRAMER, 216 N. Adams Street, Rockville, MD 20850
FREDERICK F. EICHHORN, JR., 7907 Lake Shore Drive, Gary, IN 46403
KENNETH LAWRENCE FORAN, 5001 Seminary Road, Alexandria, VA 22311-1920
DAVID A. GIBSON, 40 Park Place, P.O. Box 1767, Brattleboro, VT 05302
CYNTHIA IMBROGNO, United States District Court, P.O. Box 263, Spokane, WA 99210
SUSAN KELLY NICHOLS, P.O. Box 629, Raleigh, NC 27602-0629, Enactment Plan Coordinator
LARRY L. RUTH, Suite 202, 1233 Lincoln Mall, Lincoln, NE 68508
CHARLES A. TROST, Nashville City Center, 511 Union Street, Suite 2100, Nashville, TN 37219-1760
DAVID HEMOND, Room 509A, State Capitol, Hartford, CT 06106, Reporter
JOHN L. McCLAUGHERTY, P.O. Box 553, Charleston, WV 25322, President
ROBERT C. ROBINSON, P.O. Box 568, 12 Portland Pier, Portland, ME 04112, Division Chair
AMERICAN BAR ASSOCIATION ADVISOR
ROBYN S. SHAPIRO, 100 E. Wisconsin Avenue, Milwaukee, WI 53202
FRED H. MILLER, University of Oklahoma, College of Law, 300 Timberdell Road, Norman, OK 73019, Executive Director
WILLIAM J. PIERCE, 1505 Roxbury Road, Ann Arbor, MI 48104, Executive Director Emeritus
UNIFORM HEALTH CARE INFORMATION ACT
[ARTICLE] 1
GENERAL PROVISIONS
SECTION 1-101. SHORT TITLE. This [Act] may be cited as the Uniform Health Care Information Act.
SECTION 1-102. LEGISLATIVE FINDINGS. The [Legislature] finds that:
(1) Health care information is personal and sensitive information that if improperly used or released may do significant harm to a patient's interests in privacy, health care, or other interests.
(2) Patients need access to their own health care information as a matter of fairness to enable them to make informed decisions about their health care and correct inaccurate or incomplete information about themselves.
(3) In order to retain the full trust and confidence of patients, health care providers have an interest in assuring that health care information is not improperly disclosed and in having clear and certain rules for the disclosure of health care information.
(4) Persons other than health care providers obtain, use, and disclose health-record information in many different contexts and for many different purposes. It is the public policy of this State that a patient's interest in the proper use and disclosure of the patient's health care information survives even when the information is held by persons other than health care providers.
(5) The movement of patients and their health care information across state lines, access to and exchange of health care information from automated data banks, and the emergence of multi-state health care providers create a compelling need for uniform law, rules, and procedures governing the use and disclosure of health care information.
Reporter's note: See Frank Daykin's styling letter concerning the use of a purpose clause. The section has been retained pursuant to the Committee's direction and subject to further review.
SECTION 1-103. SCOPE. This [Act] applies to health care information generally. Federal law, including regulations governing the electronic transmission of health care information, and other state law [including _____] applies to specific types of health care information. Federal law controls a case to which it applies. Unless otherwise provided in this [Act], the other state law controls a case to which it applies if that other state law restricts or permits disclosure of health care information to a greater extent than this [Act].
Reporter's note: The Act is drafted to facilitate enactment and is intended to provide a base of confidentiality for health care information where more specific legislation has not been enacted. For example, federal regulations have been promulgated that govern electronic transmissions. Also, many states have existing provisions that address specific types of health care information, such as information concerning HIV/AIDS or mental health, or information held by public agencies. For policy reasons such as the stigmatizing nature of sensitive information or the wish to facilitate disclosure for public purposes, some states may wish to retain those provisions and enact this law as a default provision that governs health care information generally but that is trumped by more specific legislation. This scope provision signals that intent. However, because uniformity in this area is helpful to avoid unnecessary complexity and confusion, state legislatures should carefully review those more specific provisions and retain them only if necessary to effect a considered policy.
SECTION 1-104. RULEMAKING. The [appropriate regulatory agency] may adopt regulations concerning the notice of information practices required by Section 5-101 and the safeguards required by Section 7-101 [as they relate to entities regulated by that agency].
Reporter's note: This Act imposes obligations on health care providers and others to adopt appropriate practices reasonably designed to safeguard the flow of health care information. This new section is an invitation to states to empower an agency or agencies to set more specific regulatory guidelines. Often, the agency or agencies to be empowered will have responsibility for regulations concerning providers such as primary care physicians, hospitals, or pharmacists. However, guidelines might also be appropriate for insurers, employers, educators, and others who deal with health care records in the regular course of business.
SECTION 1-105. DEFINITIONS. As used in this [Act]:
(1) "Audit" means an assessment, evaluation, determination, or investigation of a health care provider by a person not employed by or affiliated with the provider to determine compliance with:
(A) statutory, regulatory, fiscal, medical, or scientific standards;
(B) a private or public program of payments to a health care provider; or
(C) requirements for licensing, accreditation, or certification.
(2) "Directory information" means information disclosing the presence and the general health condition of a particular patient.
(3) "Disclose," with respect to health care information, means to release, transfer, provide access to, or otherwise communicate the information to a person other than the individual who is the subject of the information.
(4) "General health condition" means the patient's health described as "critical," "poor," "fair," "good," "excellent," or by terms denoting similar conditions.
(5) "Health care" means:
(A) preventive, diagnostic, therapeutic, rehabilitative, or palliative care, including appropriate assistance with management of disease and symptoms and maintenance, counseling and service, or a procedure:
(i) with respect to the physical or mental condition of an individual; or
(ii) affecting the structure or function of the human body or any part of the human body, including the banking of blood, sperm, or organs or other tissue; or
(B) pursuant to a prescription or medical order, the sale or dispensing, to or for use by an individual, of a drug, device, equipment, or other item related to health care of the individual.
(6) "Health care information" means any information, whether oral or recorded in any form or medium, that identifies or can readily be associated with the identity of a patient and relates to the patient's health care. The term includes any record of disclosures of health care information.
(7) "Health care provider" means a person who is licensed, certified, or otherwise authorized by the law of this State to provide health care in the ordinary course of business or practice of a profession.
(8) "Institutional review board" means any board, committee, or other group formally designated by an institution, or authorized under federal or state law, to review, approve the initiation of, or conduct periodic review of research to ensure the protection of the rights and welfare of human subjects of research.
(9) "Maintain," with respect to health care information, means to hold, possess, preserve, retain, store, or control the information.
(10) "Patient" means an individual who receives or has received health care. The term includes a deceased individual who has received health care.
(11) "Person" means an individual, corporation, business trust, estate, trust, partnership, limited liability company, association, joint venture, government; governmental subdivision, agency, or instrumentality; public corporation, or any other legal or commercial entity.
[ARTICLE] 2
DISCLOSURE OF HEALTH CARE INFORMATION
SECTION 2-101. DISCLOSURE.
(a) Except as authorized in Section 2-104 or 2-105, or by other law, a health care provider, an individual who assists a health care provider in providing health care, an agent and employee of a health care provider, or an independent contractor with a health care provider may not disclose health care information about a patient to any other person without the patient's written authorization pursuant to Section 2-102. A disclosure made under a patient's written authorization must comport with the authorization.
(b) A person to whom health care information has been disclosed may not disclose the information to any other person unless a health care provider would be authorized to make the disclosure under Section 2-104 or 2-105 or the disclosure is authorized by other law or by an authorization that complies with Section 2-102.
Reporter's note: Subsection (a) includes proposed new language that recognizes that federal law governs certain disclosures and that states may retain or enact other provisions that allow disclosure in discrete cases without authorization. This Act would not trump those provisions. Subsection (b) provides, subject to statutory exceptions, that a person receiving health care information is under the same obligation as the health care provider to maintain confidentiality and may not redisclose except as expressly authorized. The exception for authorization "under other law" allows a redisclosure if it is explicitly authorized under another provision.
SECTION 2-102. PATIENT'S AUTHORIZATION FOR DISCLOSURE.
(a) A patient may authorize a health care provider or a person to whom health care information has been disclosed to disclose the patient's health care information. A health care provider shall honor an authorization pursuant to Section 3-101 unless the provider denies the patient access to the information under Section 3-102.
(b) An authorization for disclosure must:
(1) be in writing, dated, and signed by the patient, or in electronic form, dated and authenticated by the patient using a unique identifier;
(2) identify the information to be disclosed;
(3) identify the person to whom the information is to be disclosed; and
(4) except as otherwise provided in subsection (c), include a notice that:
(A) the purpose for which the information may be used is not limited unless expressly limited by the authorization;
(B) the authorization expires not later than six months after it is signed or authenticated, or such later date, not more than 30 months after it is signed or authenticated, as is specified;
(C) the patient may revoke the authorization; and
(D) further disclosure of the information by the recipient may be subject to state and federal requirements for confidentiality and may require further authorization.
(c) An authorization to permit the sale or marketing of health care information must comply with subsection (b), be executed separately from an authorization for other purposes, and contain a conspicuous statement that it is executed solely for the purpose of permitting sale or marketing of health care information.
(d) Except as otherwise provided in this [Act], the signing or authentication of an authorization by a patient is not a waiver of any rights the patient has under other statutes, the rules of evidence, or common law.
(e) Except for authorizations to provide information to third-party payers for health care, an authorization may not permit the release of health care information relating to health care that the patient receives more than six months after the authorization is signed or authenticated.
(f) An authorization in effect on [the effective date of this [Act]] remains valid for 30 months after [the effective date of this [Act]] unless an earlier expiration date is specified or the authorization is revoked. Health care information disclosed under such an authorization is otherwise subject to this [Act]. An authorization given after [the effective date of this [Act]] becomes invalid on the expiration date contained in the authorization, or after 30 months, whichever is earlier. An authorization that does not contain an expiration date expires six months after it is signed or authenticated.
SECTION 2-103. PATIENT'S REVOCATION OF AUTHORIZATION FOR DISCLOSURE. A patient may revoke an authorization for disclosure at any time with respect to all or part of the information authorized to be disclosed except with respect to disclosure of health care information that is required to effectuate payments for health care that has been provided or with respect to health care information that relates to action that has been taken in reliance on the authorization. A patient may not maintain an action for disclosures made in reliance in good faith on an authorization if the person making the disclosure had no notice [KNOWLEDGE] of the revocation of the authorization.
Reporter's note: The new language reflects the Act's expanded redisclosure provisions. The section is also redrafted to allow a partial revocation and to specify that the revocation is prohibited only with respect to those aspects of the information that were relied on.
SECTION 2-104. DISCLOSURE WITHOUT PATIENT'S AUTHORIZATION.
(a) If disclosure is not prohibited by other state or federal law, a health care provider may disclose health care information about a patient without the patient's authorization:
(1) to a current or former health care provider of the patient or a successor in interest of the provider if:
(A) the recipient needs to know the information;
(B) the patient has not prohibited the health care provider who has the information from making the disclosure; and
(C) the information is disclosed to provide health care to the patient;
(2) to any person if the provider reasonably believes that disclosure is necessary to avoid or minimize an imminent danger to the health or safety of the patient or any other individual;
(3) to members of the patient's immediate family, or any other individual with whom the patient is known to have a close personal relationship, if the recipient needs to know the information and the disclosure is made in accordance with good medical or other professional practice, unless the patient has instructed the provider not to make the disclosure;
(4) if disclosure in a form that does not identify the individual is impractical or does not satisfy the need to know the information and the recipient has established reasonable safeguards pursuant to Section 7-101 or has given reasonable assurances that the information is protected from improper use and disclosure:
(A) to any person who requires health care information for health care education, or to provide planning, quality assurance, peer review, or administrative, legal, financial, or actuarial services to the provider, or to assist the provider in the delivery of health care; and
(B) to a person who obtains information for purposes of an audit, if that person agrees in writing:
(i) to remove or destroy, at the earliest opportunity consistent with the purpose of the audit, information that would enable the patient to be identified; and
(ii) not to disclose the information further, except to accomplish the audit or to report unlawful or improper conduct involving fraud in payment for health care by a health care provider or patient, or other unlawful conduct by the provider;
(5) for use in research that an institutional review board has determined:
(A) is of sufficient importance to outweigh the intrusion into the privacy of the patient that would result from the disclosure;
(B) is impracticable without the use or disclosure of the health care information in individually identifiable form;
(C) contains reasonable safeguards to protect the information from redisclosure;
(D) contains reasonable safeguards to protect against identifying, directly or indirectly, any patient in any report derived from the research; and
(E) contains procedures to remove or destroy, at the earliest opportunity consistent with the purposes of the research, information that would enable the patient to be identified, unless an institutional review board authorizes retention of identifying information for the purpose of other research;
(6) to an appropriate official of a penal or other custodial institution in which the patient is confined.
(b) A health care provider may disclose health care information about a patient without the patient's authorization if the disclosure is:
(1) directory information and the patient is an inpatient or is currently receiving emergency health care at a facility that provides health care, unless the patient has instructed the provider not to make the disclosure or the disclosure is otherwise prohibited by state or federal law;
(2) to federal, state, or local public-health authorities, to the extent the provider is required by law to report health care information or when needed to protect the public health;
(3) to federal, state, or local law enforcement authorities to the extent required by law;
(4) in accordance with Section 2-105 pursuant to an order for disclosure or pursuant to consent to compulsory process or a request for discovery.
Reporter's note: This section is extensively redrafted. The primary changes are as follows:
(1) All health care providers to whom information may be disclosed are treated identically - such a disclosure is allowed as long as it is for treatment and has not been expressly prohibited by the patient. The status of the provider as a current provider, former provider, or successor to a provider is not relevant. (Former subsections (3) and (6) are consolidated in new subsection (1).)
(2) If information is disclosed for purposes of facilitating the medical practice or for an audit, the information cannot be disclosed if the purpose could be satisfied by the same information in nonidentifiable form. The recipient must also have established safeguards or given express assurance that the information will be protected.
SECTION 2-105. DISCLOSURE ORDER.
(a) Unless disclosure is authorized under Section 2-102 or 2-104 or other law or the patient has consented in writing to disclosure in response to compulsory process or a request for discovery, health care information may be disclosed only if a court orders disclosure for good cause shown.
(b) A person seeking disclosure under this section shall file an appropriate application or motion stating the health care information sought and ground for disclosure.
(c) The judicial proceeding must be conducted with due regard for the confidentiality of the information sought to be disclosed. The court may review the information in camera and shall follow applicable rules to protect its confidentiality.
(d) Grounds for disclosure of health care information include the following:
(1) the patient has waived the right to claim confidentiality for the information sought;
(2) the patient is a party to a proceeding in which the patient has placed the patient's physical or mental condition in issue;
(3) the patient's physical or mental condition is relevant to the execution or witnessing of a will;
(4) the physical or mental condition of a deceased patient is placed in issue by any person claiming or defending through or as a beneficiary of the patient;
(5) a patient's information is to be used in the patient's commitment to an institution;
(6) the information is for use in any law enforcement proceeding or investigation in which a health care provider is the subject or a party but information so obtained may not be used against the patient in any proceeding unless the matter relates to payment for the patient's health care, or disclosure is authorized under paragraph (8);
(7) the information is relevant to a proceeding initiated under [Article] 8; or
(8) a court has determined that particular health care information is subject to compulsory legal process or discovery because the party seeking the information has demonstrated that the interest in access outweighs the patient's interest in privacy.
(e) Production of health care information under this section, in itself, does not waive any privilege, objection, or defense existing under other law or a rule of evidence or procedure.
[ARTICLE] 3
EXAMINATION AND COPYING OF RECORD
SECTION 3-101. REQUIREMENTS AND PROCEDURES FOR [PATIENT'S] EXAMINATION AND COPYING.
(a) Upon receipt of an authorization to disclose under Section 2-102 and a written request for examination or copying of all or part of the patient's recorded health care information, a health care provider, as promptly as required under the circumstances, but no later than 10 days after receiving the request, shall, as appropriate:
(1) comply with the request by making the information available for examination during regular business hours and providing a requested copy of the information;
(2) inform the person who requested examination or copying if the information does not exist or cannot be ascertained;
(3) if the provider does not maintain a record of the information, inform the person who requested examination or copying and provide the name and address, if known, of the provider who maintains the record;
(4) if [the information is in use or unusual] circumstances have delayed handling the request, inform the person who requested examination or copying and specify in writing the reasons for the delay and the earliest date, not later than 21 days after receiving the request, when the information will be available for examination or copying or when the request will be otherwise disposed of; or
(5) refuse the request, in whole or in part, under Section 3-102 and inform the person making the request.
(b) Upon request, a health care provider shall provide an explanation of any code or abbreviation used in health care information the provider maintains. If a record of the particular health care information requested is not maintained by the provider in the requested form, the provider is not required to create a new record or reformulate an existing record to make the information available in the requested form. The provider may charge a reasonable fee for providing the health care information and need not permit examination or provide a copy until the fee is paid.
Reporter's note: The language concerning "actual costs" was deleted as subject to an unreasonably restrictive interpretation. The legislature may wish to cross-reference existing state standards in analogous record-keeping provisions. Committee should review (a)(4) language concerning use or unusual circumstances.
SECTION 3-102. REFUSAL OF EXAMINATION AND COPYING.
(a) A health care provider may refuse access to health care information requested pursuant to Section 3-101 if the provider reasonably concludes that:
(1) knowledge of the information would be injurious to the health of the patient;
(2) knowledge of the information could reasonably be expected to lead to the identification of an individual who provided the information in confidence and under circumstances in which confidentiality was appropriate;
(3) knowledge of the information could reasonably be expected to endanger the life or safety of any individual;
(4) the information was compiled and is used solely for civil or criminal litigation, quality assurance, peer review, or administrative purposes; or
(5) access to the information is otherwise prohibited [OR MAY REASONABLY BE DENIED] by law.
(b) If a health care provider refuses a request under this section, the provider, to the extent possible, shall segregate health care information to which access has been refused under subsection (a) from information to which access cannot be refused and comply with the request with respect to the disclosable information.
(c) If a health care provider refuses a patient's request, in whole or in part, under subsection (a) (1), the provider shall permit examination and copying of the record by another health care provider, selected by the patient, who is licensed, certified, or otherwise authorized under the laws of this State to treat the patient for the same condition as the provider that refused the request. The provider that refused the request shall inform the patient of the patient's right to select a health care provider under this subsection.
(d) In any proceeding contesting a health care provider's refusal to honor a patient's authorization to disclose information, the court, after a hearing reviewing the information in camera, shall order the requested disclosure unless it determines that the provider has established grounds for refusal under subsection (a).
Reporter's note: Subsection (d) addresses process concerns where a health care provider has initially denied access based on health or confidentiality concerns. Subsection (d) provides a process that specifies an in camera review and a disclosure order unless the provider establishes grounds for denial.
[ARTICLE] 4
CORRECTION AND AMENDMENT OF RECORD
SECTION 4-101. REQUEST FOR CORRECTION OR AMENDMENT.
(a) For purposes of accuracy or completeness, a patient may request in writing that a health care provider correct or amend its record of the patient's health care information to which the patient has access.
(b) As promptly as required under the circumstances, but no later than 10 days after receiving a request from a patient to correct or amend its record of the patient's health care information, a health care provider, as appropriate, shall:
(1) make the requested correction or amendment and inform the patient of the action and of the patient's right to have the correction or amendment sent to previous recipients of the information in question;
(2) inform the patient that the record no longer exists or cannot be ascertained;
(3) inform the patient that the provider does not maintain the record and provide the patient with the name and address, if known, of the person who maintains the record;
(4) inform the patient that [the record is in use or unusual] circumstances have delayed the handling of the correction or amendment request, and specify in writing the earliest date, which may not be later than 21 days after receiving the request, when the correction or amendment will be made or when the request will otherwise be disposed of; or
(5) inform the patient in writing of the provider's refusal to correct or amend the record as requested, the reason for the refusal, and the patient's right to add a statement of disagreement and to have the statement sent to previous recipients of the disputed information.
SECTION 4-102. PROCEDURE FOR ADDING CORRECTION OR AMENDMENT; STATEMENT OF DISAGREEMENT.
(a) In making a correction or amendment requested under Section 4-101, a health care provider shall:
(1) add the amending information as a part of the health record; and
(2) mark the challenged entries as corrected or amended entries and indicate the place in the record where the corrected or amended information is located, in a manner practicable under the circumstances.
(b) If the health care provider maintaining the record of a patient's health care information refuses to make the patient's proposed correction or amendment, the provider shall:
(1) permit the patient to file as a part of the record of the information a concise statement of the correction or amendment requested and the reasons therefor; and
(2) mark the challenged entry to indicate that the patient claims the entry is inaccurate or incomplete and indicate the place in the record where the statement of disagreement is located, in a manner practicable under the circumstances.
(c) This section does not require or authorize a health care provider to delete, erase, or obliterate health care information.
Reporter's notes: Subsection (c) is derived from a similar provision in section 8 F. of the NAIC draft and is suggested to clarify that original information collected or provided by a health care provider, even if "corrected" or "amended", is not required or authorized to be erased or obliterated.
SECTION 4-103. DISSEMINATION OF CORRECTED OR AMENDED INFORMATION OR STATEMENT OF DISAGREEMENT.
(a) Upon request of a patient, a health care provider shall take reasonable steps to provide copies of corrected or amended information or of a statement of disagreement to all persons designated by the patient and identified in the health care information as having examined or received copies of the information sought to be corrected or amended.
(b) A health care provider may charge the patient a reasonable fee for distributing corrected or amended information or the statement of disagreement, unless the provider's error necessitated the correction or amendment.
Reporter's note: The language concerning "actual costs" was deleted as subject to an unreasonably restrictive interpretation. The legislature may wish to cross-reference existing state standards in analogous record-keeping provisions.
[ARTICLE] 5
NOTICE OF INFORMATION PRACTICES
SECTION 5-101. CONTENT AND DISSEMINATION OF NOTICE.
(a) A health care provider shall provide a copy of the notice of information practices required by subsection (b) to the provider's patient at the commencement of the patient-provider relationship and to a patient or prospective patient when requested. If a patient has not received a copy of the notice, the provider shall provide a copy during the next treatment.
(b) Except as more specifically provided in regulations promulgated by an agency authorized under Section 1-104, the notice of information practices concerning health care must [comply with federal regulations for covered entities that process electronic transmissions of health care information or] contain substantially the following:
Notice
"We keep a record of the health care we provide you. This information is confidential and we have established safeguards to prevent its improper use or disclosure. However, some or all of this information may be legally disclosed without your authorization to assist in your treatment and to facilitate our practice of health care, to monitor our practice for quality assurance, peer review, and auditing, to support research, and for other legally authorized purposes. A more specific description of the permitted scope of and the limitations on these disclosures is set out in [Section 2-104 of the Uniform Health Care Information Act]. Any person that receives your information in the regular course of business pursuant to [Section 2-104] must have safeguards to prevent improper use or disclosure.
You have legal rights concerning your health care information, including the right to examine and copy your records, to request correction or amendment of your records, to revoke any disclosure authorization that you signed, and to know what safeguards have been established. Your rights, and limitations on those rights, are more specifically set out in [The Uniform Health Care Information Act]. You may see your record or get more information about it at ___________."
Reporter's note: The Committee determined that "patients would be given full disclosure, without placing unreasonable administrative burdens and expenses on the health care system." The Act requires that a copy of a "notice of information practices" be provided to each patient at the beginning of the patient-provider relationship or during the next treatment. The notice alerts patients both to ordinary medical practices and to the patient's rights with respect to those practices. Bracketed language is suggested to recognize compliance with federal requirements for a notice of information practices as sufficient.
[ARTICLE] 6
PERSONS AUTHORIZED TO ACT FOR PATIENT
SECTION 6-101. HEALTH CARE REPRESENTATIVES.
(a) A person authorized to consent to health care for another may exercise the rights of that person under this [Act] to the extent necessary to effectuate the terms or purposes of the authority conferred. If the patient is a minor and is authorized to consent to health care without parental consent under the law of this State, only the minor may exercise the rights of a patient under this [Act] as to information concerning health care to which the minor lawfully consented.
(b) A person exercising authority to act for a patient shall act in good faith to represent the best interest of the patient.
SECTION 6-102. REPRESENTATIVE OF DECEASED PATIENT. A [personal representative] of a deceased patient may exercise all of the deceased patient's rights with respect to the deceased patient's health care information under this [Act]. If there is no [personal representative], or upon discharge of the [personal representative], a deceased patient's rights under this [Act] may be exercised by persons who are authorized by law to act for the deceased patient.
[ARTICLE] 7
SECURITY SAFEGUARDS AND RECORD RETENTION
SECTION 7-101. DUTY TO ADOPT SECURITY SAFEGUARDS.
(a) A health care provider shall establish and maintain safeguards for the security of all health care information it maintains, including policies, standards, and procedures for the management of health care information which are reasonably designed to prevent the prohibited collection, use, or disclosure of that information. [The safeguards must comply with any applicable regulations promulgated under Section 1-104. A provider that establishes and maintains safeguards in compliance with federal regulations governing covered entities that electronically transmit health care information is deemed to have complied with this [Act].]
(b) A health care provider, pursuant to its policies, standards, and procedures, shall require that any person to which the provider discloses health care information under Section 2-104(a)(4) in the regular course of business have safeguards similar to those required of providers under subsection (a).
(c) A health care provider shall disclose the policies, standards, and procedures adopted as safeguards on request to any person whose health care information it collects, uses, maintains, or discloses.
Reporter's note: The concept that safeguard standards be adopted is central to the Act. However, the Committee found that specifying the details of specific standards was unworkable in light of the broad range of practices to which the standards would apply. The Act requires standards that are reasonably designed for the adopting entity. The Committee also contemplates that an agency or agencies may be authorized by Section 1-104 to regulate information practices. Regulations may be established by such an agency to more specifically govern the content of safeguards. In general, it is contemplated that a solo practitioner should not require extensive documentation of his practices and policies. Reference to some developed standards of practice might suffice. A large health care institution, on the other hand, would be expected to establish clear policies and guidelines to safeguard the information flow. Suggested language is included to recognize compliance with federal safeguard requirements as compliance with this Act.
SECTION 7-102. RETENTION OF RECORD.
(a) A health care provider shall maintain a record of existing health care information for at least one year after receipt of an authorization to disclose that information under Section 3-101 or a request for correction or amendment under Section 4-101.
(b) A health care provider shall retain each authorization or revocation in conjunction with the health care information to which it relates.
(c) A health care provider shall maintain, as part of a patient's recorded health care information, a record of each person who has received or examined the information, in whole or in part, during the preceding [three] years, except for a person who has examined the information under Section 2-104(a)(1) or (4)(a). The record of disclosure must include the name, address, and institutional affiliation, if any, of each person receiving or examining the information, the date of the receipt or examination, and, to the extent practicable, a description of the information disclosed and the basis of disclosure.
[ARTICLE] 8
CIVIL REMEDIES [AND CRIMINAL SANCTIONS]
SECTION 8-101. CIVIL ENFORCEMENT. The [attorney general or appropriate local law enforcement official] may maintain a civil action to enforce this [Act]. The court may order any relief authorized by Section 8-102.
SECTION 8-102. CIVIL REMEDIES.
(a) In addition to other civil remedies, a person aggrieved by a violation of this [Act] may maintain an action for relief as provided in this section.
(b) The court may order a health care provider or other person to comply with this [Act] and may order any other appropriate relief.
(c) If the court determines that there is a willful and intentional violation of this [Act], the aggrieved person is entitled to recover actual damages sustained as a result of the violation.
(d) If the actions of a party to the litigation were not substantially justified, the court may award the prevailing party reasonable attorney's fees and all other expenses reasonably incurred in the litigation.
(e) Any action under this [Act] is barred unless the action is commenced within 2 years after the right of action accrues.
Reporter's note: The section is drafted to lift the cap on damages but to impose a burden of "intentional and willful" violation to recover actual damages. That burden would not be required to obtain equitable relief such as a disclosure or compliance order. The Act also applies the "reasonable attorney's fees" provision to both parties but allows their assessment only if the court finds that the actions of the losing party were "not substantially justified". In an appropriate case, a state may wish to enact and codify subsection (e) (setting a statute of limitations) as a separate section to be codified with similar limitations.
OPTIONAL PROVISION.
[SECTION 8-103. CRIMINAL PENALTY.
(a) A person who maliciously or for personal gain willfully discloses health care information in violation of this [Act], and who knew or should have known that disclosure is prohibited, is guilty of a [misdemeanor], and upon conviction is punishable by a fine not exceeding [$10,000] or imprisonment for a period not exceeding [one year], or both.
(b) A person who, by means of (i) bribery, (ii) theft, [or] (iii) misrepresentation of identity, purpose of use, or entitlement to the information, [or (iv) trespass,] examines or obtains, in violation of this [Act], health care information maintained by a health care provider, is guilty of a [misdemeanor] and upon conviction is punishable by a fine not exceeding [$10,000] or imprisonment for a period not exceeding [one year], or both.
(c) A person who, knowing that an authorization under Section 2-102 for disclosure is false, willfully presents the authorization to a health care provider, is guilty of a [misdemeanor] and upon conviction is punishable by a fine not exceeding [$10,000] or imprisonment for a period not exceeding [one year] or both.]
Reporter's note: The Committee decided to retain criminal sanctions as a state option. Because the Act must avoid chilling the flow of medical information where necessary and proper, the standards for criminal liability should be set high. Subsection (a) is revised to require an element of malice or personal gain to convict on a simple violation.
[ARTICLE] 9
MISCELLANEOUS PROVISIONS
SECTION 9-101. UNIFORMITY OF APPLICATION AND CONSTRUCTION. In construing and applying this Uniform Act, consideration must be given to the need to promote uniformity of the law with respect to its subject matter among states that enact it.
SECTION 9-102. SEVERABILITY. If any provision of this [Act] or its application to any person or circumstance is held invalid, the invalidity does not affect other provisions or applications of this [Act] which can be given effect without the invalid provision or application, and to this end the provisions of this [Act] are severable.
SECTION 9-103. EFFECTIVE DATE. This [Act] takes effect... .
Reporter's note: Consideration should be given to providing an extended effective date to facilitate adoption by providers of the required safeguards and notices and to allow promulgation of any regulations authorized by Section 1-104.
SECTION 9-104. REPEALS. The following acts and parts of acts are repealed:
(1)
(2)
(3)
SECTION 9-105. SAVING CLAUSE. This [Act] does not affect an action or proceeding commenced or right accrued before [this [Act] takes effect].