fied in (a) (2) and (3) above, and persons who participate in the accomplishment
of the objectives of diagnosis, fact-finding, or service under the supervision ol^
or in cooperation with, the service provider ;
{')) Any diagnosis or opinions formed by the service provider regarding the
patient's physical, mental or emotional condition ;
(6) Any advice, instructions or prescriptions issued by the .service provider in
the course of diagnosis, treatment, or provision of other service :
(7) Any summary, resume or characterization of tlie substance, or any part of
the information described in subsections (1) througli (6) above.
(b) "Patient" means an individual who consults, is examined, interviewed,
treated, or is otherwise served to some extent by a service provider, as herein-
after defined, with regard to medical, mental or emotional condition or social
deprivation or dysfunction.
(c) "Patient identifier" means :
(1) the patient's name or other de.scriptive data from which a iterson might
be reasonably anticipated to be able to identify such patient or be led to other
data from which such patient might be recognized as the person described ; or
(2) a code, number, or other means to be used to match the patient with any
confidential information regarding him.
(d) "Person" means any natural per.son, corporation, association, partnership,
and any state, local or federal government, or any agency or other part thereof,
including a court.
< e) "Secretary" means the Secretary of Health, Education and Welfare.
(f) "Service provider" means :
(1) an entity, other than a federal entity, that (A) is a hospital, skilled nurs-
ing facility, or intermediate care facility, as defined for purposes of title XXIII
or XIX of the Social Security Act, and (B) has been approved by the Secretary
for itarticipation in the program under title XVIII, or certified by a state agency
for participation in a program under title XIX ; and
(2) with respect to those provisions that the Secretary makes ai»plicable to an
entity by regulation, an entity, other than a federal entity, that (A) is an entity
(other than an entity subject to subparagraph (1)) for wliich approval by the
Secretary is required for participation in or coverage under the program under
title XVIII, or for which certification by a state agency is re(]uired for i>articipa-
tion in a program under title XIX, and (B) has been approved by the Secretary
for participation in or coverage under the program under title XVIII, or certified
by a state agency for participation in a program under title XIX : and
(3) with respect to those provisions the Secretary makes applicable by regula-
tion, a Health Maintenance Organization, medical group, or individual practice
association (as those terms are defined in Subchapter XI of the Public Health
Service Act) that receives federal grants, loan guarantees or contracts pursuant
to the provisions of that subchapter.
NOTIFICATION OF DISCLOSURES
Seo. 204. A service provider shall notify a patient in such form and manner as
the Secretary may require, of the disclosures that mav be made of confidential
information concerning a patient without authorization of the patient and of the
procedure by which the individual can learn of each kind of disclosure. The serv-
ice provider shall make such notification (unless it cannot do so under the
circumstances ) —
<a) when it first records any confidential information concerning that patient ;
(h) when it first provides services to a patient at least one vear after it last
provided services to that patient ; and
(c) when it first provides services after the effective date of this Act
42-l!»0— in 17
244
ArxnORIZED DISCLOSURES
Sec. 20r;. (a) Consent may be given by a patient who is twelve years of age. or
over, for the transmission or disclosure of confidential information. Such consent
shall be: (1) in writing and signed by patient; (2) specific as to the nature and
content of the information to be disclosed, who may disclose such information,
and to whom such information may be transmitted or disclosed ; (3) specific as to
tlie use to which the transmitted or disclosed informatioi^ may be put: and (4)
specific as to the expiration date, which shall not exceed two years from the date
the authorization was signed.
Sitch specifications shall constitute the limits of the authorization. ,
(b) (1) The patient may withdraw such consent at any time by written notice
to the person authorized to receive such confidential information. (2) Upon
receipt of such written notice, the pesron authorized to disclose shall promptly
notify all persons in possession of said confidential information that consent to
disclosure has been withdrawn.
(c) If the patient is under twelve (12) years of age or incomi>etent, consent
may be given for the transmission or disclostire of confidential information by the
patient's parents, guardian or legal representative.
(d) The service provider shall retain a copy of each consent form, and shall
keep a permanent record of each disclosure made pursuant to such consent,
including the nature of the data disclosed and to whom they were disclosed. The
consent form and disclosure records shall be treated as part of the confidential
record to which consent to disclosure applies.
DISCLOSURE WITHOUT AUTHORIZATION
Sec. 20(i. No disclosure or transmission of confidential information shall be
made without consent, except in the following situations :
(a) to otlier individuals employed by or affiliated with the service provider,
when and to the extent to which the performance of their dtities recpiires that
they liave access to such information, provided that individuals receiving confi-
dential information under this subsection shall not redisclose such information,
except as anthoi-ized by this Act. For purposes of this subsection. (1) persons
eneaged in good faith in training programs with a service provider and their
clinical supervisors shall be denied to be employed by the service provider and
may have access to such records and information to the extent reasonably
required in their training and duties ; however,
(2) individuals employed by the service provider who are involved in financial
audit, preparation of bills or who are otherwise engaged in the collection of
charires for service'^ to a patient shall not. by virtu.e tliereof alone, have acces*^ to
confidential records and information, except with respect to names, addresses,
and other information essential to the preparation and submission of bills and
chiinis for payment of charges for services to a patient.
(bid") for purposes of audit and evaluation whether or not such audit or
evaluation is required by statute. Proridefl. That the service provider notifies the
individual wlio is the subject of the disclosed information that disclosure has been
made, and to whom it has been made. And provided further. That the service pro-
vider ret;; ins a record of such disclosure.
(2) Any organization or agency designated under Federal law to ])erform such
r( views r)r audits sliall maintain the confidentiality of confidential information,
shill not disclose such infoi-mation except to the extent required by Federal law,
atid sha'l destroy the means by which patients can be identified in such informa-
tion, and records containing such information, at the earliest opportunity consist-
ent with tlie requirements of Federal law.
CA) In the case of an audit or evaluation not sppcifically required by statute,
the Secretary shall, by regulation, establish procedures to as.sure that adequate
safeguards, including a program for removal or destruction of identifiers, are
estalilislied liy tlie user or recipient of confidential information to protect it from
unauthorized disclosure.
<(â– ) whevo n statute j-equires a service provider to report si^ecific diagnoses to
a Federal. State or local public health authority.
(f\) where a sliitute requires a service provider to report .specified items of
information about an individual to Federal, State or local law enforcement
ofllcials.
(c) to the parent, guardian or legal custodian of a minor twelve (12) years
i
•..I r>
245 •
<»f age or niulcr. where the service provider determines that such disclosure is
aiiproprlate muler ihe circumstauces.
(f) (1) to medical or law euforcement personnel, when and to the extent
necessary to meet a bona fide medical emergency, or
(2) if tlie patient is incapalile of j;iving consent due to a bona fide medical
emergency, to tlie immediate family or any other individual with whom the
patient is Iviiown to have a respunsible relalionsliip. Provided, Tliat the servi<-e
jtrovider notifies the individual who is the subject of the disclosed information
that tlie disclosure lias been made, and to whom it has heen made. And pro-
vided further. That the service provider retains a record of sucli disclosures.
(3) For pur])oses of this section, "liona fide medical emergency"' means any
situation in wliicli the health or safety of tlie patient or any otlier individual
is in immediate danger.
(g)(1) to qualified personnel for use in a liiomedical, epidemiologic, or
health services researcli pro.ieet. or a health statistics project, provided that
tlie researcli plan shall first be sulmiitted to, and approved l)y, an appropriate
institutional review board, and by the director of the service provider or his
designee. Qualified personnel granted access to confidential information may
not identify, directly or indirectly, any individual patient in any report of sucli
research project, or otherwise disclose iiatient identities in any manner, except
to tlie extent authorized by subsection (f ) .
(2) For purposes of this subsection, tlie term "qualified personnel" means
persons whose training and experience are appropriate to the nature and level
of the work in which they are enga,ged and who, when working as part of an
organization, are i>erforming such work witli adequate administrative safe-
guards against unautliorized disclosures.
( h ) pursuant to an administrative or judicial summons or subpoena.
PRESCRIPTIONS
Sec. 207. Prescriptions for dru,gs sliall be considered confidential information
and subject to tlie iirovisions of this Act: Provided, hoircrer. Tliat nothing in
this Act sliall be construed or limiting or interfering with State and Federal
monitoring of the handling and dispensing of prescription drugs: And provided
further. That the Secretary shall by regulation provide for access to pre-
scriptions for purposes of research, under conditions that adequately safe-
guard from disclosure the identities of the patient and the service provider.
MANDATORY CAUTIONS
Sec. 208. (a) All non-oral disclosures of confidential information shall I'par
the following statement: "The protection of the confidentiality of informal i(ii\
contained herein is required by Federal law, which provides for damages and
jienalties for violations. This material shall not be disclosed to anyone witliont-
consent or other authorization as provided for by law." A copy of the pertinent
consent form specifying to whom and for wdiat specific use such communication
or record is disclosed or transmitted, or a statement setting fortli any other
statutory autliorization for disclosure or transmittal and limitations imp<->sed
thereon, sliall accompany all sucli non-oral disclosures. Tn cases of oral dis-
closure, tlie person disclosing confidential information shall inform the reciji-
ieiit that such information is confidential under Federal law.
(h) Service jiroviders shall insure tliat all jtersons in their employ or under
their supervision are aware of their responsibilities to maintain the confiden-
ti.'ility of infonnation jirotected by this Act and of the existence of penalties:
and civil liabilities fm- violation of tliis Act.
CIVIE remedies AND CRIMINAL PENALTIES
Sec. 200. (a) Any individual a.ggrieved by an actual or attempted violatioif
of this Act may. without regard to the amount in controversy, bring a civil
action in the district court for the district in which he or the alleged violator
resides or in which such vi()lation occun^ed. for ai)i)roiiriate relief, including
temporary and permanent injunctions. Sucli aggrieved individual may also
prove a cause of action for general or s])ecial damages, or botli. reasonable
attorney's fees, reimhxirsement for seasonable litigation costs and, in cases of
willful or grossly negligent violations, punitive damages.
(b) Any person who (1) acting under false pretenses, knowingly and will-
246
full.v requests or obtains coufidential information concerning an individual
from a service provider, or (2) knowingly and willfully violates any provision
of this Act, shall be guilty of a misdemeanor, and upon conviction shall be
lined not more than $10,000 or imprisoned for not more than one year or both,
(c) A service provider may not continue to receive federal funds, grants,
loans or contracts in a program under title XVIII or XIX of the Social
Security Act or Subchapter XI of the Public Health Service Act, unless such
service provider provides adequate assurances and evidence, in such form as
the Secretary may from time to time require of its substantial compliance
with this Act.
PATIENT ACCESS TO INFOEMATIOKT
Sec. 210. (a) Except as provided in subsection (c), upon request of a
patient, a service provider shall, within thirty days following the request,
allow the patient access to his full service record, for purposes of inspection
and/or copying. The service provider may not impose a charge for permitting
such an inspection, and may not impose more than a reasonable charge (in any
event no greater than the charge imposed on third persons) for providing such
a copy.
(b) The service provider shall in accordance with regulations promulgated
by the Secretary, establish procedures which: (1) allow an individual to
contest the accuracy, or completeness of confidential information pertaining to
that individual; (2) allow confidential information to be corrected upon
request of the individual when the service provider concurs in the proposed
correction; (3) allow an individual who believes that the service provider
maintains inaccurate or incomplete confidential information concerning him
to add a statement to the record setting forth what he believes to be an accu-
rate or complete version of that information. Such a statement shall become a
permanent part of the service provider's medical record system, and shall be
disclosed to any individual, agency or organization to which the disputed in-
formation has been or will be disclosed.
(c) If a service provider determines that disclosure to an individual of
records pertaining to that individual's treatment or consultation for any
medical condition would be detrimental to that individual, the service pro-
vider may refuse to disclose such information. Upon such refusal, the service
provider shall advise the patient that the patient may appoint another indi-
vidual of the patient's own choice as authorized representative to have access
to the record. The service provider must provide the authorized representative
access to the records, provided that the procedures specified in section 20.j have
been complied with.
(d) If the individual is under twelve (12) years of age, or as a conse-
quence of physical or mental incapacity, shall have been placed under guard-
ianship, his parent or duly appointed legal representative may exercise nil tl^e
rights set forth in these subsections (a) through (c) on behalf of that
individual.
PREEMPTION
Sec. 211. No state or political subdivision of a state may establish or continue
in effect any law or regulation that is less stringent than the provisions of this
Act.
EFFECTIVE DATE
Sec. 212. This Act shall take effect 180 days after enactment, and shall apply
to all records maintained by service providers regardless of whether they were
first maintained prior to the effective date of this Act.
Section-by- Section Analysis
Section 1 provides that the Act may be cited as the Privacy Act Amendments
of 197S.
Sertion 2 adds a new Title II to the Privacy Act, entitled "Confidentiality of
Medical Records."
Section 201 lists the Act's findings and purposes.
Section 202 provides that no person subject to the Act may release confidential
information, as that term is defined in the Act, except as expressly authorized.
Se<^tion 203 contains the Act's definitions. Confidential information, which the
Art is designed to protect, is defined as any medical information in individually
identifiable form, that is transmitted to a service provider by a patient or the
patient's family, or that is placed in the patient's records by the service provider.
247
This section also contains the definition of "service provider," wliich establislies
the medical entities to which the Act will apply. Included in this definition are
non-federal hospitals, nursing homes or intermediate care facilities that receive
medicare or medicaid funds. Further, to the extent the Secretary of Health, Edu-
cation and Welfare determines the Act should be applicable to other non-federal
entities receiving medicare or medicaid funds, such as clinical laboratories, to
Health Maintenance Organizations receiving grants, loan guarantees or con-
tracts under the Public Health Service Act, he may make it applicable by
regulation.
Se<^tion 204 requires a service provider to notify each patient of the disclosures
that section 206 of the bill authorizes a service provider to make without patient
consent. This notification is to be provided, in such form as the Secretary may
require, the first time it maintains information on a patient, and on certain other
specified occasions.
Section 205 provides the mechanism by which an individual over 12 years of
age (or the parents or legal guardian of a minor under 12) may consent to the
release of confidential information. Consent must be in writing and signed by
the patient, specifically state the information that may be disclosed, and the
identitv of the individual (s) who may disclose it and to whom it may be disclosed.
Consent may be withdrawn in writing at any time. Further, consent forms must be
made part of the patient's permanent record.
Section 206 recognizes that there are a limited number of situations in which
consent to disclosure cannot be obtained, or is impractical, but where disclosure
is nonetheless essential. Pursuant to this section, disclosure without consent may
be made in any of the following situations :
1. Where disclosure to an individual employed by or affiliated with the service
provider is necessary to carry out the individual's duties or for billing purix)ses ;
redisclosure by the recipient would be prohibited.
2. For purposes of audit and evaluation of the service provider, under safe-
guards against redisclosure specified in the bill.
3. Where a statute re<iuires a service provider to report specific items of infor-
mation, such a diagnoses of communicable diseases, or instances of child abuse,
to public health or law enforcement personnel.
4. To the parent or guardian of a minor under 12 years of age where the service
provider believes such disclosure appropriate.
5. Where a medical emergency exists presenting an immediate danger to the
health and safety of the patient or any other individual exists, disclosure without
consent is permissible, provided subsequent notification is provided to the indi-
vidual whose records are released.
6. To qualified personnel for use in biomedical, epidemiologic, or health services
research or statistics projects, provided that the persons to whom such informa-
tion is released not redisclose it.
7. Pursuant to an administrative or judicial summons or subpoena.
Section 207 provides that prescriptions for drugs shall be treated as confidential
information. However, nothing in the bill is intended to interfere with federal
or state monitoring of prescription drugs, or access to prescriptions without
identifying data, pursuant to regulations issued by the Secretary.
Section 208 provides that all written disclosures of confidential information
be accompanied by a statement setting forth the statutory authorization for
disclosure, and warning that unauthorized disclosure is punishable by law.
Section 209 contains the civil remedies and criminal penalties for violation of
the Act. Persons aggrieved by an actual or attempted violation of the Act may
bring a civil action for injunctive relief, or for monetary damages, in federal
courts without regard to the minimum damages usually required to bring an
action in federal court. The l)ill also provides for criminal penalties of up to
$10,000 fine or one year in prison or both for persons who obtain confidential
information under false pretenses, or who knowingly or willfully violate any
provision of this Act. Finally, this section makes compliance with the Act a pre-
condition for further federal assistance under the medicare and medicaid pro-
grams, and the Public Health Service Act.
Section 210 governs patient access to his or her own records. The service pro-
vider must permit the patient access to his or her own records for purposes of
inspection and/or copying within 30 days of a request. The bill directs the Secre-
tary to establish procedures permitting an individual to contest the accuracy of.
and correct his or her own records. Where the service provider determines that
disclosure of particular records to the patient would be harmful, it may withhold
24S
siuh records. However, in siu-li rases, the p«itioiit may appoint an authorizpfl
repre.sentative who must be given access by the service provider, provided lliat
the patient lias executed the appropriate consent form.
In the case of minors under 12 years of age. all rights set forth in this section
may be exercised by the minor's parent, guardian or legal representative.
Section 211 preempts less stringent state and local regulations.
Section 212 provides that the Act shall take effect 180 days after enactment,
and apply to all records held by the service provider, regardless of whether the
records were first maintained prior to the time of enactment of the law.
Mr. RiBicoFF. Mr. President. I am pleased to join my colleague Senator Javits
in this legislation. We in the Governmental Affairs' Committee have heard a
great deal of testimony about individual privacy and about the need for greater
potection of the right to privacy. The question of how best to protect the con-
fidentiality of medical records is a complex one. None of us wants his medical
record open to the public. Each of us wants the right to some privacy regarding
his health and discussions with his family physician. The doctor-patient relation-
ship depends on confidentiality. At the same time, we must be careful that con-
fidentiality requirements are not written in such a way as to deny other legitimate
needs. The Center for Disease C(nitrol must have access to records in its work in
• tracking and controlling epidemics. The National Institutes of Health requires
â– some access for research purposes. Access may be necessary to find and contact
individuals who have received radiation treatments which have since been found
to be unsafe. The Occupational Safety and Health Administration must have
access to worker health records. In all of these examples there is a defined goal.
In none of these is the individual's health record made public.
Any legislation dealing with access to and privacy of medical records must
balance these needs. The legislation introduced today can serve as a vehicle for
congressional consideration of this question. We welcome comments on the
liarticular provisions of the bill. It may be that changes are needed to strike
the i>roper balance. However, it is important that we in the Congress consider
the issue.
Exacted Sept. 5, 1978 "Confidentialty Act"
AN ACT To protect the confidentiality of records and communications of recipients of
mental health or development.-il disability services, and to amend and repeal certain
acts and sections herein named in connection therewith
Br it enacted ly the People of the State of Illinois, represented in the General
As.s( nihil/:
AUTICLE I
Section 1. This Act shall be known and may be cited as the "Mental Health and
Peveloi)mental Disaltilities Confidentiality Act".
Section 2. The term.s used in this Act, unless the context requires otherwise,