The quick br


Back | WP 6.1 Version | ASCII Version |
PDF Version

DRAFT

FOR DISCUSSION ONLY

PROPOSED REVISIONS OF

UNIFORM HEALTH CARE INFORMATION ACT

NATIONAL CONFERENCE OF COMMISSIONERS

ON UNIFORM STATE LAWS

SEPTEMBER, 1999

WITH REPORTER'S NOTES

NATIONAL CONFERENCE OF COMMISSIONERS

ON UNIFORM STATE LAWS

The ideas and conclusions set forth in this draft, including the proposed statutory language and any comments or reporter's notes, have not been passed upon by the National Conference of Commissioners on Uniform State Laws or the Drafting Committee. They do not necessarily reflect the views of the Conference and its Commissioners and the Drafting Committee and its Members and Reporters. Proposed statutory language may not be used to ascertain the intent or meaning of any promulgated final statutory proposal.

DRAFTING COMMITTEE TO REVISE

UNIFORM HEALTH CARE INFORMATION ACT

BRUCE MUNSON, Revisor of Statutes Bureau, Suite 800, 131 W. Wilson Street, Madison, WI 53703, Chair

M. MICHAEL CRAMER, 216 N. Adams Street, Rockville, MD 20850

FREDERICK F. EICHHORN, JR., 7907 Lake Shore Drive, Gary, IN 46403

KENNETH LAWRENCE FORAN, 5001 Seminary Road, Alexandria, VA 22311-1920

DAVID A. GIBSON, 40 Park Place, P.O. Box 1767, Brattleboro, VT 05302

CYNTHIA IMBROGNO, United States District Court, P.O. Box 263, Spokane, WA 99210

SUSAN KELLY NICHOLS, P.O. Box 629, Raleigh, NC 27602-0629

LARRY L. RUTH, Suite 202, 1233 Lincoln Mall, Lincoln, NE 68508

CHARLES A. TROST, Nashville City Center, 511 Union Street, Suite 2100, Nashville, TN 37219-1760

DAVID HEMOND, Room 509A, State Capitol, Hartford, CT 06106, Reporter

EX OFFICIO

JOHN L. McCLAUGHERTY, P.O. Box 553, Charleston, WV 25322, President

ROBERT C. ROBINSON, P.O. Box 568, 12 Portland Pier, Portland, ME 04112, Division Chair

EXECUTIVE DIRECTOR

FRED H. MILLER, University of Oklahoma, College of Law, 300 Timberdell Road, Norman,

OK 73019, Executive Director

WILLIAM J. PIERCE, 1505 Roxbury Road, Ann Arbor, MI 48104, Executive Director Emeritus

Copies of this Act may be obtained from:

NATIONAL CONFERENCE OF COMMISSIONERS

ON UNIFORM STATE LAWS

211 E. Ontario Street, Suite 1300

Chicago, Illinois 60611

312/915-0195

UNIFORM HEALTH-CARE INFORMATION ACT

ARTICLE I

FINDINGS AND DEFINITIONS

SECTION 1-101. LEGISLATIVE FINDINGS.

The [Legislature] finds that:

(1) Health-care information is personal and sensitive information that if improperly used or released may do significant harm to a patient's interests in privacy, health-care, or other interests.

(2) Patients need access to their own health-care information as a matter of fairness to enable them to make informed decisions about their health care and correct inaccurate or incomplete information about themselves.

(3) In order to retain the full trust and confidence of patients, health-care providers have an interest in assuring that health-care information is not improperly disclosed and in having clear and certain rules for the disclosure of health-care information.

(4) Persons other than health-care providers obtain, use, and disclose health-record information in many different contexts and for many different purposes. It is the public policy of this State that a patient's interest in the proper use and disclosure of the patient's health-care information survives even when the information is held by persons other than health-care providers.

(5) The movement of patients and their health-care information across state lines, access to and exchange of health-care information from automated data banks, and the emergence of multi-state health-care providers creates a compelling need for uniform law, rules, and procedures governing the use and disclosure of health-care information.

Reporter's note: No changes recommended.

SECTION 1-102. DEFINITIONS.

As used in this [Act], unless the context otherwise requires:

(1) "Audit" means an assessment, evaluation, determination, or investigation of a health-care provider by a person not employed by or affiliated with the provider to determine compliance with:

(i) statutory, regulatory, fiscal, medical, or scientific standards;

(ii) a private or public program of payments to a health-care provider; or

(iii) requirements for licensing, accreditation, or certification.

(2) "Directory information" means information disclosing the presence and the general health condition of a particular patient who is an in-patient in a health-care facility or who is currently receiving emergency health care in a health-care facility.

(3) "DISCLOSE" MEANS TO RELEASE, TRANSFER, PROVIDE ACCESS TO, OR OTHERWISE DIVULGE HEALTH-CARE INFORMATION TO A PERSON OTHER THAN THE INDIVIDUAL WHO IS THE SUBJECT OF THE INFORMATION. THE TERM INCLUDES THE INITIAL DISCLOSURE AND ANY SUBSEQUENT REDISCLOSURES OF HEALTH-CARE INFORMATION.

Reporter's note: The section 2-101 prohibition on unauthorized disclosure is central to the structure of the act. Other modern bills, including the federal bills, define what "disclose" means. The proposed language is based on the federal bills. Inclusion of this defined term should be considered.

[~~(3)~~] (4) "General health condition" means the patient's health status described in terms of "critical," "poor," "fair," "good," "excellent," or terms denoting similar conditions.

[~~(4)~~] (5) "Health care" means [~~any care, service, or procedure provided by a health-care provider:~~

~~(i) to diagnose, treat, or maintain a patient's physical or mental condition, or~~

~~(ii) that affects the structure or any function of the human body.~~]

(i) PREVENTIVE, DIAGNOSTIC, THERAPEUTIC, REHABILITATIVE, MAINTENANCE, OR PALLIATIVE CARE, INCLUDING APPROPRIATE ASSISTANCE WITH DISEASE AND SYMPTOM MANAGEMENT AND MAINTENANCE, COUNSELING, SERVICE, OR PROCEDURE - (A) WITH RESPECT TO THE PHYSICAL OR MENTAL CONDITION OF AN INDIVIDUAL; (B) AFFECTING THE STRUCTURE OR FUNCTION OF THE HUMAN BODY OR ANY PART OF THE HUMAN BODY, INCLUDING THE BANKING OF BLOOD, SPERM, ORGANS OR ANY OTHER TISSUE; AND

(ii) PURSUANT TO A PRESCRIPTION OR MEDICAL ORDER, ANY SALE OR DISPENSING OF A DRUG, DEVICE, EQUIPMENT, OR OTHER HEALTH CARE RELATED ITEM TO AN INDIVIDUAL, OR FOR THE USE OF AN INDIVIDUAL.

Reporter's note: This proposed language is derived from the federal bills. See H.R. 2470, Sec. 2(6). The language is both more specific than that of the existing act and is better adapted to reflect the proposed coverage of the act of pharmacists and persons selling medical devices.

[~~(5)~~] (6) "Health-care facility" means a hospital, clinic, nursing home, laboratory, office, or similar place, where a health-care provider provides health care to patients.

[~~(6)~~] (7) "Health-care information" means any information, whether oral or recorded in any form or medium, that identifies or can readily be associated with the identity of a patient and relates to the patient's health care. The term includes any record of disclosures of health-care information.

Reporter's note: The Committee should review whether the definition of "health-care information" is sufficiently broad. The proposed broadening of the definition of "health care", in itself, will have the effect of broadening coverage. However, other acts also have broad formulations that might be considered. The various federal proposals use more specific language. H.R. 3900, Representative Shays' bill, defines "individually identifiable health information" as set out in brackets below. (H.R. 2470, Sec. 2(19) is the most recent version.) Among the issues raised by this language is whether the act should explicitly address when encoded information continues to identify a patient.

[any information, including demographic information, collected from an individual, whether oral or recorded in any form or medium, that -

(A) is created or received by a health care provider, health plan, health oversight agency, public health authority, employer, health or life insurer, school or university; (B)(i) relates to the past, present, future physical or mental health or condition of an individual (including individual cells and their components), the provision of health care to an individual, or the past, present, or future payment activities related to the provision of health care to an individual; and (ii)(I) identifies an individual; (II) contains personal identifiers that provide a direct means of identifying an individual; or (III) has been provided in an encrypted format that does not directly identify an individual, but that provides a method for decrypting the information.]

[~~(7)~~] (8) "Health-care provider" means a person who is licensed, certified, or otherwise authorized by the law of this State to provide health care in the ordinary course of business or practice of a profession. The term [~~does not include~~] INCLUDES A HEALTH MAINTENANCE ORGANIZATION THAT PROVIDES HEATH CARE AND a person who provides health care solely through the sale or dispensing of drugs or medical devices.

Reporter's note: Because the act primarily regulates "health-care providers", this definition is central to the act's applicability. Health maintenance organizations, pharmacists, and dealers in medical devices are included as was provisionally decided during the June 7 teleconference.

[~~(8)~~] (9) "Institutional review board" means any board, committee, or other group formally designated by an institution, or authorized under federal or state law, to review, approve the initiation of, or conduct periodic review of research programs to assure the protection of the rights and welfare of human research subjects.

[~~(9)~~] (10) "Maintain," as related to health-care information, means to hold, possess, preserve, retain, store, or control that information.

[~~(10)~~] (11) "Patient" means an individual who receives or has received health care. The term includes a deceased individual who has received health care.

[~~(11)~~] (12) "Person" means an individual, corporation, business trust, estate, trust, partnership, association, joint venture, government, governmental subdivision or agency, or any other legal or commercial entity.

ARTICLE II

DISCLOSURE OF HEALTH-CARE INFORMATION

SECTION 2-101. DISCLOSURE BY HEALTH-CARE PROVIDER.

(a) Except as authorized in Section 2-104 OR SECTION 2-105, OR BY OTHER STATE LAW, a health-care provider, an individual who assists a health-care provider in the delivery of health care, or an agent and employee of a health-care provider may not disclose health-care information about a patient to any other person without the patient's written authorization. A disclosure made under a patient's written authorization must conform to the authorization.

(b) A health-care provider shall maintain, in conjunction with a patient's recorded health-care information, a record of each person who has received or examined, in whole or in part, the recorded health-care information during the next preceding [three] years, except for a person who has examined the recorded health-care information under paragraph (1) or (2) of Section 2-104(a). The record of disclosure must include the name, address, and institutional affiliation, if any, of each person receiving or examining the recorded health-care information, the date of the receipt or examination, and, to the extent practicable, a description of the information disclosed.

(c) A RECIPIENT OF DISCLOSED HEALTH-CARE INFORMATION MAY NOT REDISCLOSE THAT INFORMATION TO ANY OTHER PERSON UNLESS THAT DISCLOSURE IS AUTHORIZED UNDER SECTION 2-102, 2-104, OR 2-105, OR UNDER OTHER STATE LAW.

Reporter's note: Subsection (a) includes proposed new language that recognizes that states may retain or enact other provisions that allow disclosure in discrete cases without authorization. This act would not trump those provisions. Proposed new subsection (c) would provide, subject to statutory exceptions, that a person receiving health care information is under the same obligation as the health-care provider to maintain confidentiality and may not redisclose except as expressly authorized. Provisional decision at June 7 teleconference was to subject recipients to redisclosure limitations. Note however that some states have laws governing confidentiality of information held by insurers, state agencies, or employers and those state laws may authorize redisclosures in contexts not covered by this act. The exception in subsection (c) for authorization "under other state law" is intended to allow a redisclosure if it is explicitly authorized under another state statute.

SECTION 2-102. PATIENT AUTHORIZATION TO HEALTH-CARE PROVIDER FOR DISCLOSURE.

(a) A patient may authorize a health-care provider OR A RECIPIENT OF THE PATIENT'S HEALTH-CARE INFORMATION to disclose the patient's health-care information. A health-care provider shall honor an authorization and, if requested, provide a copy of the recorded health-care information unless the health-care provider denies the patient access to THE health-care information under Section 3-102.

Reporter's note: The new language in subsection (a) recognizes that the patient may authorize disclosure of information by a recipient of a previous disclosure subject to the same standards that apply to authorization of release by the health care provider.

(b) A health-care provider may charge a reasonable fee, not to exceed the health-care provider's actual cost for providing the health-care information, and is not required to honor an authorization until the fee is paid.

(c) To be valid, a disclosure authorization to a health-care provider OR TO A RECIPIENT OF HEALTH-CARE INFORMATION must:

(1) be in writing, dated, and signed by the patient;

(2) identify the nature of the information to be disclosed;

(3) identify the person to whom the information is to be disclosed [.];

(4) DESCRIBE THE PURPOSE OF THE DISCLOSURE, AND, IF INTENDED TO PERMIT SALE OR MARKETING OF THE INFORMATION, EXPRESSLY SO INDICATE;

(5) CONTAIN A NOTICE OF THE PATIENT'S RIGHT TO REVOKE THE AUTHORIZATION UNDER SECTION 2-103 AND, IF AN AUTHORIZATION FOR A HEALTH-CARE PROVIDER, OF THE PATIENT'S RIGHT TO RECEIVE A NOTICE OF INFORMATION PRACTICES; AND

(6) CONTAIN A NOTICE THAT A RECIPIENT OF DISCLOSED INFORMATION MAY NOT REDISCLOSE THAT INFORMATION TO ANOTHER PERSON EXCEPT AS EXPRESSLY PERMITTED UNDER THE AUTHORIZATION, UNDER THIS [ACT], OR UNDER OTHER STATE LAW.

Reporter's note: As proposed in subsection (c), the authorization would be required to identify the purpose for the disclosure. Explicit disclosure would be required of any proposed sale of the information. That suggestion follows the Committee decision to restrict "blanket authorizations" and require explicit authorization for sale of information and draws on other recent model acts.

For example H.R. 2470, section 201(d), requires that the authorization:

[(1) identify the individual who is the subject of the protected health information;

(2) describe the nature of the information to be disclosed;

(3) identify the type of person to whom the information is to be disclosed;

(4) describe the purpose of the disclosure;

(5) be subject to revocation by the individual and indicate that the authorization is valid until revocation by the individual; and

(6) be in writing, dated, and signed by the individual, a family member or other authorized representative.]

The Reporter proposes additional language similar to the federal model, but including, in subsection (c)(5), an express notice of the patient's right to revoke, and, in (c)(6), a notice that the information may not be redisclosed except as expressly authorized. Those notices are intended to raise consciousness both of patient rights with respect to the authorization and of the limitations on the authorization as use for redisclosure. Both notices further the Committee's provisional decision to restrict use of "blanket waivers".

(d) Except as provided by this [Act], the signing of an authorization by a patient is not a waiver of any rights a patient has under other statutes, the rules of evidence, or common law.

(e) A health-care provider shall retain each authorization [or] AND revocation OF AN AUTHORIZATION in conjunction with any health-care information from which disclosures are made.

(f) Except for authorizations to provide information to third-party health-care payors, an authorization may not permit the release of health-care information relating to future health care that the patient receives more than six months after the authorization was signed.

(g) An authorization in effect on the effective date of this [Act] remains valid for 30 months after the effective date of this [Act] unless an earlier date is specified or it is revoked under Section 2-103. Health-care information disclosed under such an authorization is otherwise subject to this [Act]. An authorization written after the effective date of this [Act] becomes invalid after the expiration date contained in the authorization, which may not exceed 30 months. If the authorization does not contain an expiration date, it expires six months after it is signed.

SECTION 2-103. PATIENT'S REVOCATION OF AUTHORIZATION FOR DISCLOSURE. A patient may revoke a disclosure authorization to a health-care provider OR TO A RECIPIENT OF HEALTH-CARE INFORMATION at any time unless disclosure is required to effectuate payments for health care that has been provided or other substantial action has been taken in reliance on the authorization. A patient may not maintain an action [~~against the health-care provider~~] for disclosures made in good-faith reliance on an authorization if the [~~health-care provider~~] PERSON MAKING THE DISCLOSURE had no notice of the revocation of the authorization.

Reporter's note: The suggested language reflects the act's proposed expanded redisclosure provisions.

SECTION 2-104. DISCLOSURE WITHOUT PATIENT'S AUTHORIZATION.

(a) IF DISCLOSURE IS NOT PROHIBITED BY ANY OTHER PROVISION OF STATE OR FEDERAL LAW, INCLUDING A PROHIBITION ON THE DISCLOSURE OF MENTAL HEALTH INFORMATION, DIAGNOSIS OF HIV OR AIDS, OR TREATMENT FOR SUBSTANCE ABUSE, [A] A health-care provider may disclose health-care information about a patient without the patient's authorization to the extent [a] THE recipient needs to know the information, if the disclosure is:

(1) to a person who is providing health-care to the patient;

(2) to any other person who requires health-care information for health-care education, or to provide planning, quality assurance, peer review, or administrative, legal, financial, or actuarial services to the health-care provider, or for assisting the health-care provider in the delivery of health care and (i) THE RECIPIENT HAS ESTABLISHED SAFEGUARDS PURSUANT TO SECTION 7-101 OR (ii) the health-care provider [~~reasonably believes~~] HAS RECEIVED REASONABLE ASSURANCES that the [~~person~~] RECIPIENT:

[~~(i)~~] (A) will not use or disclose the health-care information for any other purpose; and

[~~(ii)~~] (B) will take appropriate steps to protect the health-care information.

(3) to any other health-care provider who has previously provided health care to the patient, to the extent necessary to provide health care to the patient, unless the patient has instructed the health-care provider not to make the disclosure;

(4) to any person if the health-care provider reasonably believes that disclosure will avoid or minimize an imminent danger to the health or safety of the patient or any other individual;

(5) to immediate family members of the patient, or any other individual with whom the patient is known to have a close personal relationship, if made in accordance with good medical or other professional practice [~~, unless the patient~~ ~~has instructed the health-care provider not to make the disclosure~~] AND THE PATIENT (i) WAS NOTIFIED OF THE RIGHT TO OBJECT TO SUCH A DISCLOSURE AND HAS NOT OBJECTED, OR (ii) IS IN A PHYSICAL OR MENTAL CONDITION SUCH THAT THE PATIENT IS NOT CAPABLE OF OBJECTING, AND THERE ARE NO PRIOR INDICATIONS THAT THE PATIENT WOULD OBJECT;

Reporter's note: Numerous medical conditions, such as HIV, drug dependence, and the performance of an abortion are not appropriate for release without explicit authorization, even, or particularly, to close family members. However, other communications, particularly to spouses or children in situations where the individual cannot explicitly authorize disclosure, are accepted practice. A requirement, for example, that one obtain a court order or appointment as conservator to find out that one's spouse has had a stroke may impose an impractical burden. This draft suggests adding language such as that contained in the H.R. 2470, sec. 204, which requires prior notice to the patient where possible.

(6) to a health-care provider who is the successor in interest to the health-care provider maintaining the health-care information;

(7) for use in a research project that an institutional review board has determined:

(i) is of sufficient importance to outweigh the intrusion into the privacy of the patient that would result from the disclosure;

(ii) is impracticable without the use or disclosure of the health-care information in individually identifiable form;

(iii) contains reasonable safeguards to protect the information from redisclosure;

(iv) contains reasonable safeguards to protect against identifying, directly or indirectly, any patient in any report of the research project; and

(v) contains procedures to remove or destroy at the earliest opportunity, consistent with the purposes of the project, information that would enable the patient to be identified, unless an institutional review board authorizes retention of identifying information for purposes of another research project;

(8) to a person who obtains information for purposes of an audit, if that person agrees in writing to:

(i) remove or destroy, at the earliest opportunity consistent with the purpose of the audit, information that would enable the patient to be identified; and

(ii) not to disclose the information further, except to accomplish the audit or report unlawful or improper conduct involving fraud in payment for health-care by a health-care provider or patient, or other unlawful conduct by the health-care provider;

(9) to an official of a penal or other custodial institution in which the patient is detained.

(b) A health-care provider may disclose health-care information about a patient without the patient's authorization if the disclosure is:

(1) directory information, unless the patient has instructed the health-care provider not to make the disclosure OR THE DISCLOSURE IS OTHERWISE PROHIBITED BY LAW;

Reporter's note: The scope of allowed directory information should be reviewed because of its potentially stigmatizing effect. H.R. 2470, sec. 204 would require notice to the patient of his right to object where possible, but also includes exceptions concerning locations that reveal specific information. However, restrictions that impose burdens or required judgments may have the effect of precluding use of any directory information. This matter should be reviewed.

(2) to federal, state, or local public-health authorities, to the extent the health-care provider is required by law to report health-care information or when needed to protect the public health;

(3) to federal, state, or local law enforcement authorities to the extent required by law;

(4) pursuant to compulsory process in accordance with Section 2-105;

(c) NOTWITHSTANDING THE DISCLOSURE REQUIREMENTS OF THIS [ACT], A PUBLIC AGENCY, INSURANCE INSTITUTION, INSURANCE AGENT, OR INSURANCE-SUPPORT ORGANIZATION MAY DISCLOSE HEALTH-CARE INFORMATION IF DISCLOSURE IS MADE IN COMPLIANCE WITH OTHER STATE LAW GOVERNING THE CONFIDENTIALITY OF HEALTH-CARE INFORMATION HELD BY THAT ENTITY.

Reporter's note: How this section is drafted is critical to making the act acceptable to the health care profession. The section provides a major "health care" exception to the disclosure requirements, recognizing that the need for confidentiality must be carefully balanced with the needs and realities of medical practice. The premise is that certain disclosures are implicitly authorized. Thus, subsection (a)(1) authorizes disclosures between the patient's health-care providers because receipt of the information is critical to the competent provision of health care. Similarly, the system, itself, must be able to obtain information for quality review, as provided under (a)(2) and disclosure must be available to avoid imminent dangers to health or safety.

However, the broad unauthorized disclosures that are allowed in this context may violate some existing state laws that apply in highly sensitive contexts concerning mental health information, AIDS, and substance abuse. The provisional committee decisions recognized that states would be free to retain or adopt stricter standards for specific health information. The suggested new introductory language in subsection (a) explicitly recognizes that certain of the disclosures may not be allowable under that other state law. In that case, that more restrictive law would govern. Thus, as proposed, this act could be enacted without states being concerned that existing stricter standards were being trumped.

Subsection (c) addresses the converse situation where existing law has already authorized an insurer or public agency to make disclosures that might not otherwise be permitted under this act. While any state adopting this act should carefully review any such provisions for consistency with this act, a primary purpose of the act is to set a default standard for confidentiality where none currently exists. Where a state has acted to expressly authorize specific entities, such as insurers or public agencies, to disclose under a different standard, the Reporter proposes that those exceptions to the act be expressly recognized. Such a provision would be invoked, for example, if a state had enacted the NAIC model act or a model act governing privacy for public agencies. However, the language of this subsection should be carefully considered.

SECTION 2-105. COMPULSORY PROCESS.

(a) Health-care information may not be disclosed by a health-care provider pursuant to compulsory legal process or discovery in any judicial, legislative, or administrative proceeding unless:

(1) the patient has consented in writing to the release of the health-care information in response to compulsory process or a discovery request;

(2) the patient has waived the right to claim confidentiality for the health-care information sought;

(3) the patient is a party to the proceeding and has placed his [or her] physical or mental condition in issue;

(4) the patient's physical or mental condition is relevant to the execution or witnessing of a will;

(5) the physical or mental condition of a deceased patient is placed in issue by any person claiming or defending through or as a beneficiary of the patient;

(6) a patient's health-care information is to be used in the patient's commitment proceeding;

(7) the health-care information is for use in any law enforcement proceeding or investigation in which a health-care provider is the subject or a party; but, health-care information so obtained may not be used in any proceeding, against the patient, unless the matter relates to payment for the patient's health care, or unless authorized under paragraph (9).

(8) the health-care information is relevant to a proceeding brought under Article 8; or

(9) a court has determined that particular health-care information is subject to compulsory legal process or discovery because the party seeking the information has demonstrated that the interest in access outweighs the patient's privacy interest.

(b) Unless the court, for good cause shown, determines that the notification should be waived or modified, if health-care information is sought under paragraph (2), (4), or (5) of subsection (a) or in a civil proceeding or investigation under paragraph (9) of subsection (a), the person seeking discovery or compulsory process shall mail a notice by first-class mail to the patient or the patient's attorney of record of the compulsory process or discovery request at least [ten] days before presenting the certificate required under subsection (c) to the health-care provider.

(c) Service of compulsory process or discovery requests upon a health-care provider must be accompanied by a written certification, signed by the person seeking to obtain health-care information, or his [or her] authorized representative, identifying at least one paragraph of subsection (a) under which compulsory process or discovery is being sought. The certification must also state, in the case of information sought under paragraph (2), (4), or (5) of subsection (a), or in a civil proceeding under paragraph (9) of subsection (a), that the requirements of subsection (b) for notice have been met. A person may sign the certification only if the person reasonably believes that the paragraph of subsection (a) identified in the certification provides an appropriate basis for the use of discovery or compulsory process. Unless otherwise ordered by the court, the health-care provider shall maintain a copy of the process and the written certification as a permanent part of the patient's health-care information.

(d) Production of health-care information under this section, in and of itself, does not constitute a waiver of any privilege, objection, or defense existing under other law or rule of evidence or procedure.

Reporter's note: No changes were suggested.

ARTICLE III

EXAMINATION AND COPYING OF RECORD

SECTION 3-101. REQUIREMENTS AND PROCEDURES FOR PATIENT'S EXAMINATION AND COPYING.

(a) Upon receipt of a written request from a patient to examine or copy all or part of the patient's recorded health-care information, a health-care provider, as promptly as required under the circumstances, but no later than ~~ten~~ 30 days after receiving the request shall:

(1) make the information available for examination during regular business hours and provide a copy, if requested, to the patient;

(2) inform the patient if the information does not exist or cannot be found;

(3) if the health-care provider does not maintain a record of the information, inform the patient and provide the name and address, if known, of the health-care provider who maintains the record;

(4) if the information is in use or unusual circumstances have delayed handling the request, inform the patient and specify in writing the reasons for the delay and the earliest date, not later than 21 30 days after receiving the request, when the information will be available for examination or copying or when the request will be otherwise disposed of; or

(5) deny the request, in whole or in part, under Section 3-102 and inform the patient.

(b) Upon request, the health-care provider shall provide an explanation of any code or abbreviation used in the health-care information. If a record of the particular health-care information requested is not maintained by the health-care provider in the requested form, the health-care provider is not required to create a new record or reformulate an existing record to make the health-care information available in the requested form. The health-care provider may charge a reasonable fee, not to exceed the health-care provider's actual cost, for providing the health-care information and is not required to permit examination or copying until the fee is paid.

Reporter's note: The optional ten and twenty-one day periods provided by the current act were objected to as too short by medical records handlers during consideration of the act in Connecticut. The Reporter recommends setting the periods as 30 days.

SECTION 3-102. DENIAL OF EXAMINATION AND COPYING.

(a) A health-care provider may deny access to health-care information by a patient if the health-care provider reasonably concludes that:

(1) knowledge of the health-care information would be injurious to the health of the patient;

(2) knowledge of the health-care information could reasonably be expected to lead to the patient's identification of an individual who provided the information in confidence and under circumstances in which confidentiality was appropriate;

(3) knowledge of the health-care information could reasonably be expected to cause danger to the life or safety of any individual;

(4) the health-care information was compiled and is used solely for CIVIL OR CRIMINAL litigation, quality assurance, peer review, or administrative purposes; [or]

(5) access to the health-care information is otherwise prohibited by law; OR

(6) ACCESS TO THE HEALTH-CARE INFORMATION MAY BE REASONABLY DENIED UNDER AN OTHER PROVISION OF STATE OR FEDERAL LAW.

Reporter's note: Subsection (6) is inserted to address concerns raised as to existing conflicting standards for denial of access. The proposed language assumes that a nonact statutory standard allowing denial of the information (for example, under a separate provision governing mental health information or health care provider obligations) might be invoked. As proposed, the patient will have rights under subsections (c) and (d) to review of the information by a separate health-care provider or petition to the Court.

(b) If a health-care provider denies a request for examination and copying under this section, the provider, to the extent possible, shall segregate health-care information for which access has been denied under subsection (a) from information for which access cannot be denied and permit the patient to examine or copy the disclosable information.

(c) EXCEPT AS PROVIDED IN SUBSECTION (d) OF THIS SECTION, IF [If] a health-care provider denies a patient's request for examination and copying, in whole or in part, under paragraph (1) or (3) of subsection (a), the provider shall permit examination and copying of the record by [~~another]~~ A health-care provider, selected by the patient, who is licensed, certified, or otherwise authorized under the laws of this State to treat the patient for the same condition as the health-care provider denying the request. The health-care provider denying the request shall inform the patient of the patient's right to select [~~another~~] A health-care provider under this subsection.

(d) IF A PATIENT'S TREATING HEALTH-CARE PROVIDER HAS DENIES THE PATIENT ACCESS TO HEALTH-CARE INFORMATION UNDER SUBSECTION (a) AND, IN GOOD FAITH, BASED ON THE SENSITIVE NATURE OF THE INFORMATION, DETERMINES THAT ANY DISCLOSURE OF THE INFORMATION INCLUDING A DISCLOSURE TO ANOTHER HEALTH-CARE PROVIDER UNDER SUBSECTION (c) WOULD PREJUDICE TREATMENT OF THE PATIENT OR THE PROVIDER'S PROFESSIONAL OBLIGATIONS OF CONFIDENTIALITY, THE HEALTH-CARE PROVIDER MAY CONTINUE TO DENY ACCESS AND INFORM THE PATIENT OF THE PATIENT'S RIGHT TO PETITION THE [COURT] FOR AN ORDER THAT THE HEALTH-CARE PROVIDER DISCLOSE THE REQUESTED INFORMATION. THE PATIENT MAY, WITHIN THIRTY DAYS OF THE DENIAL AND NOTICE OF THE RIGHT TO PETITION, PETITION THE [COURT] FOR THE DISTRICT IN WHICH THE PATIENT RESIDES FOR AN ORDER REQUIRING THE HEALTH-CARE PROVIDER TO DISCLOSE THE REQUESTED INFORMATION. SUCH A PROCEEDING SHALL BE PRIVILEGED WITH RESPECT TO ASSIGNMENT FOR TRIAL. THE COURT, AFTER HEARING AND AN IN CAMERA REVIEW OF THE INFORMATION IN QUESTION, SHALL ISSUE THE DISCLOSURE ORDER REQUESTED UNLESS IT DETERMINES THAT THE DISCLOSURE WOULD BE DETRIMENTAL TO THE PATIENT OR IS OTHERWISE PROHIBITED BY LAW.

Reporter's note: Subsection (d) reflects an effort to address process concerns where a health-care provider has initially denied access based on health or confidentiality concerns. Given the sensitivity of some information, contexts may occur where court review is necessary. Subsection (d) suggests such a process. This issue has yet to be reviewed in committee.

ARTICLE IV

CORRECTION AND AMENDMENT OF RECORD

SECTION 4-101. REQUEST FOR CORRECTION OR AMENDMENT.

(a) For purposes of accuracy or completeness, a patient may request in writing that a health-care provider correct or amend its record of the patient's health-care information to which a patient has access under Section 3-101.

(b) As promptly as required under the circumstances, but no later than ~~ten~~ 30 days after receiving a request from a patient to correct or amend its record of the patient's health-care information, the health-care provider shall:

(1) make the requested correction or amendment and inform the patient of the action and of the patient's right to have the correction or amendment sent to previous recipients of the health-care information in question;

(2) inform the patient if the record no longer exists or cannot be found;

(3) if the health-care provider does not maintain the record, inform the patient and provide the patient with the name and address, if known, of the person who maintains the record;

(4) if the record is in use or unusual circumstances have delayed the handling of the correction or amendment request, inform the patient and specify in writing, the earliest date, not later than 21 30 days after receiving the request, when the correction or amendment will be made or when the request will otherwise be disposed of; or

(5) inform the patient in writing of the provider's refusal to correct or amend the record as requested, the reason for the refusal, and the patient's right to add a statement of disagreement and to have that statement sent to previous recipients of the disputed health-care information.

Reporter's note: The Reporter recommends revising the time periods to thirty days.

SECTION 4-102. PROCEDURE FOR ADDING CORRECTION OR AMENDMENT OR STATEMENT OF DISAGREEMENT.

(a) In making a correction or amendment, the health-care provider shall:

(1) add the amending information as a part of the health record; and

(2) mark the challenged entries as corrected or amended entries and indicate the place in the record where the corrected or amended information is located, in a manner practicable under the circumstances.

(b) If the health-care provider maintaining the record of the patient's health-care information refuses to make the patient's proposed correction or amendment, the provider shall:

(1) permit the patient to file as a part of the record of the patient's health-care information a concise statement of the correction or amendment requested and the reasons therefor; and

(2) mark the challenged entry to indicate that the patient claims the entry is inaccurate or incomplete and indicate the place in the record where the statement of disagreement is located, in a manner practicable under the circumstances.

(c) NOTHING IN THIS SECTION REQUIRES THE HEALTH-CARE PROVIDER TO ALTER, DELETE, ERASE, OR OBLITERATE HEALTH-CARE INFORMATION.

Reporter's notes: Subsection (c) is derived from a similar provision in section 8 F. of the NAIC draft and is suggested to clarify that original information collected or provided by a health-care provider, even if "corrected" or "amended", need not be erased or obliterated. The provision reflects a provisional Committee decision.

SECTION 4-103. DISSEMINATION OF CORRECTED OR AMENDED INFORMATION OR STATEMENT OF DISAGREEMENT.

(a) A health-care provider, upon request of a patient, shall take reasonable steps to provide copies of corrected or amended information or of a statement of disagreement to all persons designated by the patient and who are identified in the health-care information as having examined or received copies of the information sought to be corrected or amended.

(b) A health-care provider may charge the patient a reasonable fee, not exceeding the provider's actual cost, for distributing corrected or amended information or the statement of disagreement, unless the provider's error necessitated the correction or amendment.

Reporter's note: No change recommended.

ARTICLE V

NOTICE OF INFORMATION PRACTICES

SECTION 5-101. CONTENT AND DISSEMINATION OF NOTICE.

[(a) A health-care provider who provides health care at a health-care facility that the provider operates and who maintains a record of a patient's health-care information shall create a "notice of information practices" that contains substantially the following:

~~Notice~~

"We keep a record of the health-care services we provide you. You may ask us to see and copy that record. You may also ask us to correct that record. We will not disclose your record to others unless you direct us to do so or unless the law authorizes or compels us to do so. You may see your record or get more information about it at ____________________."

~~(b)]~~

(a) [~~The~~] EACH health-care provider shall post a copy of [~~the~~] A notice of information practices in a conspicuous place in the PROVIDER'S OFFICE OR health-care facility and, upon request, provide patients or prospective patients with a copy of the notice.

(b) THE NOTICE OF HEALTH-CARE INFORMATION PRACTICES MUST INCLUDE:

(1) A DESCRIPTION OF A PATIENT'S RIGHTS WITH RESPECT TO HEALTH-CARE INFORMATION, INCLUDING THE PATIENT'S RIGHTS TO REVOKE AN AUTHORIZATION, TO EXAMINE, AMEND, AND ADD TO A MEDICAL RECORD, AND TO RESTRICT DISCLOSURES, AND A BRIEF DESCRIPTION OF THE PROCESS FOR EXERCISING THOSE RIGHTS.

(2) A BRIEF SUMMARY OF THE USES AND DISCLOSURES OF HEALTH-CARE INFORMATION AUTHORIZED UNDER THIS [ACT];

(3) A BRIEF DESCRIPTION OF THE USUAL PRACTICES OF THE PROVIDER WITH RESPECT TO HEALTH-CARE INFORMATION INCLUDING REFERENCE TO SAFEGUARDS IMPLEMENTED PURSUANT TO SECTION 7-101 OF THIS [ACT]; AND

(4) NOTICE OF THE RIGHT TO OBTAIN A COPY OF THE NOTICE OF INFORMATION PRACTICES AND OF THE SAFEGUARDS.

Reporter's note: The Committee provisionally determined that "patients would be given full disclosure, without placing unreasonable administrative burdens and expenses on the health care system". The proposal requires the posting of an expanded notice of basic confidentiality practices. Ideally, the notice should alert patients both to ordinary medical practices and to the patient's rights with respect to those practices. This is a highly sensitive provision because it must not to be construed to place impractical burdens on practitioners and should not be drafted to provide legitimate grounds for providers to contest adoption of the act. On the other hand, the limited notice provided in the existing act seems to be overly truncated. Moreover, on the federal level, the Secretary of Health and Human Services has identified notice to consumers as a central goal of privacy legislation, noting that privacy law should "provide consumers with significant new rights to be informed about how their health information will be used�. Providers and payers should be required to advise patients in writing of their information practices." A reasonably descriptive notice would alert patients to the reality of disclosures, provide them with important notice of rights with respect to those disclosures, and protect health care providers who must make those disclosures in the regular course of practice. Some language was adopted from H.R. 2470, sec. 103, which contains the most recent federal version. Consideration should be given to whether posting alone provides a sufficient delivery mechanism.

ARTICLE VI

PERSONS AUTHORIZED TO ACT FOR PATIENT

SECTION 6-101. HEALTH-CARE REPRESENTATIVES.

(a) A person authorized to consent to health care for another may exercise the rights of that person under this [Act] to the extent necessary to effectuate the terms or purposes of the grant of authority. If the patient is a minor and is authorized to consent to health care without parental consent under the laws of this State, only the minor may exercise the rights of a patient under this [Act] as to information pertaining to health care to which the minor lawfully consented.

(b) A person authorized to act for a patient shall act in good faith to represent the best interests of the patient.

Reporter's notes. No changes recommended.

SECTION 6-102. REPRESENTATIVE OF DECEASED PATIENT. A [personal representative] of a deceased patient may exercise all of the deceased patient's rights WITH RESPECT TO THE DECEASED PATIENT'S HEALTH-CARE INFORMATION under this [Act]. If there is no [personal representative], or upon discharge of the [personal representative], a deceased patient's rights under this [Act] may be exercised by persons who are authorized by law to act for the deceased patient.

Reporter's note: Serious concerns have been raised over the rights of personal representatives to disclose health care information, particular where that information is sensitive or stigmatizing. While the Committee determined not to address sensitive health care information generally, consideration might be given to empowering the patient to explicitly limit disclosure of sensitive information by will or other testamentary document.

ARTICLE VII

SECURITY SAFEGUARDS AND RECORD RETENTION

SECTION 7-101. DUTY TO ADOPT SECURITY SAFEGUARDS.

(a) A health-care provider shall [~~effect reasonable~~] ESTABLISH AND MAINTAIN ADEQUATE safeguards for the security of all health-care information it maintains INCLUDING WRITTEN POLICIES, STANDARDS AND PROCEDURES FOR THE MANAGEMENT OF HEALTH-CARE INFORMATION, AND TO GUARD AGAINST THE PROHIBITED COLLECTION, USE, OR DISCLOSURE OF THAT INFORMATION. ADEQUATE SAFEGUARDS MUST INCLUDE:

(1) APPROPRIATE PROCEDURES TO PERMIT ACCESS TO HEALTH-CARE INFORMATION ONLY AS ALLOWED BY THIS ACT OR OTHER STATE LAW, AND WITH RESPECT TO EMPLOYEES, AGENTS, AND OTHERS PERFORMING SERVICES FOR THE HEALTH-CARE PROVIDER, PERMITTING ACCESS ONLY IF THE INFORMATION IS REQUIRED TO PERFORM THE SERVICES;

(2) APPROPRIATE TRAINING FOR EMPLOYEES, IF ANY;

(3) DISCIPLINARY MEASURES FOR VIOLATIONS OF THE POLICIES, STANDARDS, AND PROCEDURES;

(4) IDENTIFICATION OF THE CATEGORIES OF PERSONNEL WHO WILL HAVE ACCESS TO, OR MAY DISCLOSE, HEALTH-CARE INFORMATION ON BEHALF OF THE HEALTH-CARE PROVIDER UNDER THIS [ACT];

(5) PROCEDURES FOR AUTHORIZING, OBTAINING AUTHORIZATION FOR, AND RESTRICTING THE COLLECTION, USE, OR DISCLOSURE OF HEALTH-CARE INFORMATION PURSUANT TO THIS [ACT];

(6) PROCEDURES BY WHICH A PATIENT MAY EXERCISE ANY RIGHT TO ACCESS, AMEND, OR ADD TO THE PATIENT'S HEALTH-CARE INFORMATION, OR EXERCISE ANY OTHER RIGHTS UNDER THIS [ACT];

(7) SECURE PROCEDURES FOR HANDLING, DISCLOSING, STORING, AND DISPOSING OF HEALTH-CARE INFORMATION, INCLUDING PROCEDURES TO ENSURE SECURITY OF INFORMATION STORED OR TRANSMITTED IN ELECTRONIC MEDIA;

(8) PERIODIC MONITORING OF COMPLIANCE WITH THE POLICIES, STANDARDS, AND PROCEDURES.

(b) EXCEPT AS PROVIDED IN SUBSECTION (d), A HEALTH-CARE PROVIDER SHALL, PURSUANT TO ITS POLICIES, STANDARDS, AND PROCEDURES, REQUIRE THAT ANY PERSON ACTING ON BEHALF OF THE PROVIDER WHO MAINTAINS HEALTH-CARE INFORMATION AND ANY PERSON TO WHOM THE HEALTH-CARE PROVIDER DISCLOSES HEALTH-CARE INFORMATION HAVE SAFEGUARDS SIMILAR TO THOSE REQUIRED OF HEALTH-CARE PROVIDERS UNDER SUBSECTION (a) OF THIS SECTION.

(c) A HEALTH-CARE PROVIDER SHALL DISCLOSE ITS WRITTEN POLICIES, STANDARDS, AND PROCEDURES ON REQUEST TO ANY PATIENT WHOSE HEALTH-CARE INFORMATION IT COLLECTS,USES, MAINTAINS, OR DISCLOSES.

(d) A HEATH-CARE PROVIDER MAY DISCLOSE HEALTH-CARE INFORMATION TO A PERSON THAT HAS NOT ESTABLISHED THE SAFEGUARDS REQUIRED BY SUBSECTION (b) IF THE DISCLOSURE IS AUTHORIZED (1) BY THE PATIENT AFTER NOTICE OF THE LACK OF SAFEGUARDS, (2) UNDER SECTION 2-104(a)(2), PROVIDED THAT THE HEALTH-CARE PROVIDER HAS RECEIVED THE REQUIRED REASONABLE ASSURANCES, (3) UNDER SECTION 2-104(a)(4), TO AVOID OR MINIMIZE AN IMMINENT DANGER TO HEALTH OR SAFETY, (4) UNDER SECTION 2-104(a)(5) TO AN IMMEDIATE FAMILY MEMBER OR OTHER INDIVIDUAL, (5) UNDER SECTIONS 2-104(a)(7), (a)(8), AND (a)(9), SUBJECT TO THE REQUIREMENTS OF THOSE PROVISIONS, (6) UNDER SECTION 2-104(b) OR, (7) UNDER OTHER STATE LAW.

Reporter's note: The Committee's approved scope assumes that this section should be strengthened. Concern has also been expressed about the need for explicit provisions concerning electronic transmissions. Moreover, the concept that safeguard standards be adopted is central to the proposals of the Department of Health and Human Services. The Reporter suggests the language proposed above which should be compatible with any regulations adopted by the Department concerning electronic transmissions. This draft includes language based on section 5 of the NAIC model. See also section 5-101 et seq of the Model State Public Health Privacy Act, H.R. 4250, section 1184, and H.R. 2470, section 111. Subsection (d) would expressly recognize an exception to the security requirements for a disclosure under confidentiality requirements of other state law. As with the notice requirements proposed under section 5-101, the Committee should be concerned that this provision not be drafted so as to impose unreasonable administrative burdens on practitioners. The Reporter's intent is that the section be reasonably construed. A solo practitioner should not require extensive documentation of his practices and policies and reference to some developed standards of practice might suffice. A multi-state health care institution, on the other hand, should establish a clear practice for information flow. The language of this provision should receive close scrutiny.

SECTION 7-102. RETENTION OF RECORD. A health-care provider shall maintain a record of existing health-care information for at least one year following receipt of an authorization to disclose that health-care information under Section 2-102, and] during the pendency of a request for examination and copying under Section 3-101 or a request for correction or amendment under Section 4-101.

Reporter's note: No change recommended.

ARTICLE VIII

CIVIL REMEDIES [~~AND CRIMINAL SANCTIONS~~]

[~~SECTION 8-101. CRIMINAL PENALTY.~~

(a) A person who willfully discloses health-care information in violation of this [Act], and who knew or should have known that disclosure is prohibited, is guilty of a [misdemeanor], and upon conviction is punishable by a fine not exceeding [$10,000] or imprisonment for a period not exceeding [one year], or both.

(b) A person who, by means of (i) bribery, (ii) theft, (iii) misrepresentation of identity, purpose of use or entitlement to the information, [or (iv) trespass,] examines or obtains, in violation of this [Act], health-care information maintained by a health-care provider, is guilty of a [misdemeanor], and upon conviction is punishable by a fine not exceeding [$10,000] or imprisonment for a period not exceeding [one year], or both.

(c) A person who, knowing that a certification under Section 2-105(c) or a disclosure authorization under Section 2-102 is false, willfully presents the certification or disclosure authorization to a health-care provider, is guilty of a [misdemeanor], and upon conviction is punishable by a fine not exceeding [$10,000] or imprisonment for a period not exceeding [one year] or both.]

Reporter's note: The Committee's provisional decision was to not include criminal sanctions, but to allow such a state option. Conceptually, a provision such as this one would be retained as an optional, or alternative, section.

SECTION 8-102. CIVIL ENFORCEMENT. The [Attorney General or appropriate local law enforcement official] may maintain a civil action to enforce this [Act]. The court may order any relief authorized by Section 8-103.

Reporter's note: No change recommended.

SECTION 8-103. CIVIL REMEDIES.

(a) A person aggrieved by a violation of this [Act] may maintain an action for relief as provided in this section.

(b) The court may order the health-care provider or other person to comply with this [Act] and may order any other appropriate relief.

(c) A health-care provider who relies in good faith upon a certification, pursuant to Section 2-105(c), is not liable for disclosures made in reliance on that certification.

(d) In an action by a patient alleging that health-care information was improperly withheld under Article III the burden of proof is on the health-care provider to establish that the information was properly withheld.

(e) If the court determines that there is a violation of this [Act], the aggrieved person is entitled to recover damages for pecuniary losses sustained as a result of the violation; and, in addition, if the violation results from willful or grossly negligent conduct, the aggrieved person may recover not in excess of [$5,000], exclusive of any pecuniary loss.

(f) If a plaintiff prevails, the court may assess reasonable attorney's fees and all other expenses reasonably incurred in the litigation.

(g) Any action under this [Act] is barred unless the action is commenced within [2] year[s] after the [cause of action] [claim for relief] accrues.

Reporter's note: No change recommended at this time. However, this provision should be carefully reviewed.

ARTICLE IX

MISCELLANEOUS PROVISIONS

SECTION 9-101. UNIFORMITY OF APPLICATION AND CONSTRUCTION. This [Act] shall be applied and construed to effectuate its general purpose to make uniform the law with respect to the subject of this [Act] among states enacting it.

SECTION 9-102. SHORT TITLE. This [Act] may be cited as the Uniform Health-Care Information Act.

SECTION 9-103. SEVERABILITY. If any provision of this [Act] or its application to any person or circumstance is held invalid, the invalidity does not affect other provisions or applications of this [Act] which can be given effect without the invalid provision or application, and to this end the provisions of this [Act] are severable.

SECTION 9-104. REPEALS. The following acts and parts of acts are repealed:

(1)

(2)

(3)

SECTION 9-105. SAVING CLAUSE. This [Act] does not affect other law restricting, to a greater extent than does this [Act], the disclosure of specific types of health-care information to any person other than the patient to whom it relates.

SECTION 9-106. CONFLICTING LAWS.

[(a) This [Act] does not restrict a health-care provider from complying with obligations imposed by federal health-care payment programs or federal law.]

[(b) In the event of a conflict between this [Act] and the Uniform Information Practices Act, the provisions of this [Act] apply.]