42 USC CHAPTER 7, SUBCHAPTER XI, Part C: Administrative Simplification
From Title 42—THE PUBLIC HEALTH AND WELFARE
CHAPTER 7—SOCIAL SECURITY
SUBCHAPTER XI—GENERAL PROVISIONS, PEER REVIEW, AND ADMINISTRATIVE SIMPLIFICATION

Part C—Administrative Simplification

§1320d. Definitions

For purposes of this part:

(1) Code set

The term "code set" means any set of codes used for encoding data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes.

(2) Health care clearinghouse

The term "health care clearinghouse" means a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.

(3) Health care provider

The term "health care provider" includes a provider of services (as defined in section 1395x(u) of this title), a provider of medical or other health services (as defined in section 1395x(s) of this title), and any other person furnishing health care services or supplies.

(4) Health information

The term "health information" means any information, whether oral or recorded in any form or medium, that—

(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

(5) Health plan

The term "health plan" means an individual or group plan that provides, or pays the cost of, medical care (as such term is defined in section 300gg–91 of this title). Such term includes the following, and any combination thereof:

(A) A group health plan (as defined in section 300gg–91(a) of this title), but only if the plan—

(i) has 50 or more participants (as defined in section 1002(7) of title 29); or

(ii) is administered by an entity other than the employer who established and maintains the plan.


(B) A health insurance issuer (as defined in section 300gg–91(b) of this title).

(C) A health maintenance organization (as defined in section 300gg–91(b) of this title).

(D) Parts [1] A, B, C, or D of the Medicare program under subchapter XVIII.

(E) The medicaid program under subchapter XIX.

(F) A Medicare supplemental policy (as defined in section 1395ss(g)(1) of this title).

(G) A long-term care policy, including a nursing home fixed indemnity policy (unless the Secretary determines that such a policy does not provide sufficiently comprehensive coverage of a benefit so that the policy should be treated as a health plan).

(H) An employee welfare benefit plan or any other arrangement which is established or maintained for the purpose of offering or providing health benefits to the employees of 2 or more employers.

(I) The health care program for active military personnel under title 10.

(J) The veterans health care program under chapter 17 of title 38.

(K) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), as defined in section 1072(4) of title 10.

(L) The Indian health service program under the Indian Health Care Improvement Act (25 U.S.C. 1601 et seq.).

(M) The Federal Employees Health Benefit Plan under chapter 89 of title 5.

(6) Individually identifiable health information

The term "individually identifiable health information" means any information, including demographic information collected from an individual, that—

(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and—

(i) identifies the individual; or

(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

(7) Standard

The term "standard", when used with reference to a data element of health information or a transaction referred to in section 1320d–2(a)(1) of this title, means any such data element or transaction that meets each of the standards and implementation specifications adopted or established by the Secretary with respect to the data element or transaction under sections 1320d–1 through 1320d–3 of this title.

(8) Standard setting organization

The term "standard setting organization" means a standard setting organization accredited by the American National Standards Institute, including the National Council for Prescription Drug Programs, that develops standards for information transactions, data elements, or any other standard that is necessary to, or will facilitate, the implementation of this part.

(9) Operating rules

The term "operating rules" means the necessary business rules and guidelines for the electronic exchange of information that are not defined by a standard or its implementation specifications as adopted for purposes of this part.

(Aug. 14, 1935, ch. 531, title XI, §1171, as added Pub. L. 104–191, title II, §262(a), Aug. 21, 1996, 110 Stat. 2021; amended Pub. L. 107–105, §4, Dec. 27, 2001, 115 Stat. 1007; Pub. L. 111–5, div. A, title XIII, §13102, Feb. 17, 2009, 123 Stat. 242; Pub. L. 111–148, title I, §1104(b)(1), Mar. 23, 2010, 124 Stat. 146.)

References in Text

The Indian Health Care Improvement Act, referred to in par. (5)(L), is Pub. L. 94–437, Sept. 30, 1976, 90 Stat. 1400, which is classified principally to chapter 18 (§1601 et seq.) of Title 25, Indians. For complete classification of this Act to the Code, see Short Title note set out under section 1601 of Title 25 and Tables.

Prior Provisions

A prior section 1171 of act Aug. 14, 1935, was classified to section 1320c–20 of this title prior to repeal by Pub. L. 97–35.

Amendments

2010—Par. (9). Pub. L. 111–148 added par. (9).

2009—Par. (5)(D). Pub. L. 111–5 substituted "C, or D" for "or C".

2001—Par. (5)(D). Pub. L. 107–105 substituted "Parts A, B, or C" for "Part A or part B".

Effective Date of 2010 Amendment

Pub. L. 111–148, title I, §1105, Mar. 23, 2010, 124 Stat. 154, provided that: "This subtitle [subtitle B (§§1101–1105) of title I of Pub. L. 111–148, enacting subchapter I of chapter 157 of this title, amending this section and sections 1320d–2 and 1395y of this title, enacting provisions set out as a note under section 1320d–2 of this title, and amending provisions set out as a note under this section] shall take effect on the date of enactment of this Act [Mar. 23, 2010]."

Purpose

Pub. L. 104–191, title II, §261, Aug. 21, 1996, 110 Stat. 2021, as amended by Pub. L. 111–148, title I, §1104(a), Mar. 23, 2010, 124 Stat. 146, provided that: "It is the purpose of this subtitle [subtitle F (§§261–264) of title II of Pub. L. 104–191, enacting this part, amending sections 242k and 1395cc of this title, and enacting provisions set out as a note under section 1320d–2 of this title] to improve the Medicare program under title XVIII of the Social Security Act [42 U.S.C. 1395 et seq.], the medicaid program under title XIX of such Act [42 U.S.C. 1396 et seq.], and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of uniform standards and requirements for the electronic transmission of certain health information and to reduce the clerical burden on patients, health care providers, and health plans."

[1] So in original. Probably should be "Part".

§1320d–1. General requirements for adoption of standards

(a) Applicability

Any standard adopted under this part shall apply, in whole or in part, to the following persons:

(1) A health plan.

(2) A health care clearinghouse.

(3) A health care provider who transmits any health information in electronic form in connection with a transaction referred to in section 1320d–2(a)(1) of this title.

(b) Reduction of costs

Any standard adopted under this part shall be consistent with the objective of reducing the administrative costs of providing and paying for health care.

(c) Role of standard setting organizations

(1) In general

Except as provided in paragraph (2), any standard adopted under this part shall be a standard that has been developed, adopted, or modified by a standard setting organization.

(2) Special rules

(A) Different standards

The Secretary may adopt a standard that is different from any standard developed, adopted, or modified by a standard setting organization, if—

(i) the different standard will substantially reduce administrative costs to health care providers and health plans compared to the alternatives; and

(ii) the standard is promulgated in accordance with the rulemaking procedures of subchapter III of chapter 5 of title 5.

(B) No standard by standard setting organization

If no standard setting organization has developed, adopted, or modified any standard relating to a standard that the Secretary is authorized or required to adopt under this part—

(i) paragraph (1) shall not apply; and

(ii) subsection (f) shall apply.

(3) Consultation requirement

(A) In general

A standard may not be adopted under this part unless—

(i) in the case of a standard that has been developed, adopted, or modified by a standard setting organization, the organization consulted with each of the organizations described in subparagraph (B) in the course of such development, adoption, or modification; and

(ii) in the case of any other standard, the Secretary, in complying with the requirements of subsection (f), consulted with each of the organizations described in subparagraph (B) before adopting the standard.

(B) Organizations described

The organizations referred to in subparagraph (A) are the following:

(i) The National Uniform Billing Committee.

(ii) The National Uniform Claim Committee.

(iii) The Workgroup for Electronic Data Interchange.

(iv) The American Dental Association.

(d) Implementation specifications

The Secretary shall establish specifications for implementing each of the standards adopted under this part.

(e) Protection of trade secrets

Except as otherwise required by law, a standard adopted under this part shall not require disclosure of trade secrets or confidential commercial information by a person required to comply with this part.

(f) Assistance to Secretary

In complying with the requirements of this part, the Secretary shall rely on the recommendations of the National Committee on Vital and Health Statistics established under section 242k(k) of this title, and shall consult with appropriate Federal and State agencies and private organizations. The Secretary shall publish in the Federal Register any recommendation of the National Committee on Vital and Health Statistics regarding the adoption of a standard under this part.

(g) Application to modifications of standards

This section shall apply to a modification to a standard (including an addition to a standard) adopted under section 1320d–3(b) of this title in the same manner as it applies to an initial standard adopted under section 1320d–3(a) of this title.

(Aug. 14, 1935, ch. 531, title XI, §1172, as added Pub. L. 104–191, title II, §262(a), Aug. 21, 1996, 110 Stat. 2023.)

Prior Provisions

A prior section 1172 of act Aug. 14, 1935, was classified to section 1320c–21 of this title prior to the general amendment of part B of this subchapter by Pub. L. 97–248.

§1320d–2. Standards for information transactions and data elements

(a) Standards to enable electronic exchange

(1) In general

The Secretary shall adopt standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically, that are appropriate for—

(A) the financial and administrative transactions described in paragraph (2); and

(B) other financial and administrative transactions determined appropriate by the Secretary, consistent with the goals of improving the operation of the health care system and reducing administrative costs, and subject to the requirements under paragraph (5).

(2) Transactions

The transactions referred to in paragraph (1)(A) are transactions with respect to the following:

(A) Health claims or equivalent encounter information.

(B) Health claims attachments.

(C) Enrollment and disenrollment in a health plan.

(D) Eligibility for a health plan.

(E) Health care payment and remittance advice.

(F) Health plan premium payments.

(G) First report of injury.

(H) Health claim status.

(I) Referral certification and authorization.

(J) Electronic funds transfers.

(3) Accommodation of specific providers

The standards adopted by the Secretary under paragraph (1) shall accommodate the needs of different types of health care providers.

(4) Requirements for financial and administrative transactions

(A) In general

The standards and associated operating rules adopted by the Secretary shall—

(i) to the extent feasible and appropriate, enable determination of an individual's eligibility and financial responsibility for specific services prior to or at the point of care;

(ii) be comprehensive, requiring minimal augmentation by paper or other communications;

(iii) provide for timely acknowledgment, response, and status reporting that supports a transparent claims and denial management process (including adjudication and appeals); and

(iv) describe all data elements (including reason and remark codes) in unambiguous terms, require that such data elements be required or conditioned upon set values in other fields, and prohibit additional conditions (except where necessary to implement State or Federal law, or to protect against fraud and abuse).

(B) Reduction of clerical burden

In adopting standards and operating rules for the transactions referred to under paragraph (1), the Secretary shall seek to reduce the number and complexity of forms (including paper and electronic forms) and data entry required by patients and providers.

(5) Consideration of standardization of activities and items

(A) In general

For purposes of carrying out paragraph (1)(B), the Secretary shall solicit, not later than January 1, 2012, and not less than every 3 years thereafter, input from entities described in subparagraph (B) on—

(i) whether there could be greater uniformity in financial and administrative activities and items, as determined appropriate by the Secretary; and

(ii) whether such activities should be considered financial and administrative transactions (as described in paragraph (1)(B)) for which the adoption of standards and operating rules would improve the operation of the health care system and reduce administrative costs.

(B) Solicitation of input

For purposes of subparagraph (A), the Secretary shall seek input from—

(i) the National Committee on Vital and Health Statistics, the Health Information Technology Policy Committee, and the Health Information Technology Standards Committee; and

(ii) standard setting organizations and stakeholders, as determined appropriate by the Secretary.

(b) Unique health identifiers

(1) In general

The Secretary shall adopt standards providing for a standard unique health identifier for each individual, employer, health plan, and health care provider for use in the health care system. In carrying out the preceding sentence for each health plan and health care provider, the Secretary shall take into account multiple uses for identifiers and multiple locations and specialty classifications for health care providers.

(2) Use of identifiers

The standards adopted under paragraph (1) shall specify the purposes for which a unique health identifier may be used.

(c) Code sets

(1) In general

The Secretary shall adopt standards that—

(A) select code sets for appropriate data elements for the transactions referred to in subsection (a)(1) from among the code sets that have been developed by private and public entities; or

(B) establish code sets for such data elements if no code sets for the data elements have been developed.

(2) Distribution

The Secretary shall establish efficient and low-cost procedures for distribution (including electronic distribution) of code sets and modifications made to such code sets under section 1320d–3(b) of this title.

(d) Security standards for health information

(1) Security standards

The Secretary shall adopt security standards that—

(A) take into account—

(i) the technical capabilities of record systems used to maintain health information;

(ii) the costs of security measures;

(iii) the need for training persons who have access to health information;

(iv) the value of audit trails in computerized record systems; and

(v) the needs and capabilities of small health care providers and rural health care providers (as such providers are defined by the Secretary); and


(B) ensure that a health care clearinghouse, if it is part of a larger organization, has policies and security procedures which isolate the activities of the health care clearinghouse with respect to processing information in a manner that prevents unauthorized access to such information by such larger organization.

(2) Safeguards

Each person described in section 1320d–1(a) of this title who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards—

(A) to ensure the integrity and confidentiality of the information;

(B) to protect against any reasonably anticipated—

(i) threats or hazards to the security or integrity of the information; and

(ii) unauthorized uses or disclosures of the information; and


(C) otherwise to ensure compliance with this part by the officers and employees of such person.

(e) Electronic signature

(1) Standards

The Secretary, in coordination with the Secretary of Commerce, shall adopt standards specifying procedures for the electronic transmission and authentication of signatures with respect to the transactions referred to in subsection (a)(1).

(2) Effect of compliance

Compliance with the standards adopted under paragraph (1) shall be deemed to satisfy Federal and State statutory requirements for written signatures with respect to the transactions referred to in subsection (a)(1).

(f) Transfer of information among health plans

The Secretary shall adopt standards for transferring among health plans appropriate standard data elements needed for the coordination of benefits, the sequential processing of claims, and other data elements for individuals who have more than one health plan.

(g) Operating rules

(1) In general

The Secretary shall adopt a single set of operating rules for each transaction referred to under subsection (a)(1) with the goal of creating as much uniformity in the implementation of the electronic standards as possible. Such operating rules shall be consensus-based and reflect the necessary business rules affecting health plans and health care providers and the manner in which they operate pursuant to standards issued under Health Insurance Portability and Accountability Act of 1996.

(2) Operating rules development

In adopting operating rules under this subsection, the Secretary shall consider recommendations for operating rules developed by a qualified nonprofit entity that meets the following requirements:

(A) The entity focuses its mission on administrative simplification.

(B) The entity demonstrates a multi-stakeholder and consensus-based process for development of operating rules, including representation by or participation from health plans, health care providers, vendors, relevant Federal agencies, and other standard development organizations.

(C) The entity has a public set of guiding principles that ensure the operating rules and process are open and transparent, and supports nondiscrimination and conflict of interest policies that demonstrate a commitment to open, fair, and nondiscriminatory practices.

(D) The entity builds on the transaction standards issued under Health Insurance Portability and Accountability Act of 1996.

(E) The entity allows for public review and updates of the operating rules.

(3) Review and recommendations

The National Committee on Vital and Health Statistics shall—

(A) advise the Secretary as to whether a nonprofit entity meets the requirements under paragraph (2);

(B) review the operating rules developed and recommended by such nonprofit entity;

(C) determine whether such operating rules represent a consensus view of the health care stakeholders and are consistent with and do not conflict with other existing standards;

(D) evaluate whether such operating rules are consistent with electronic standards adopted for health information technology; and

(E) submit to the Secretary a recommendation as to whether the Secretary should adopt such operating rules.

(4) Implementation

(A) In general

The Secretary shall adopt operating rules under this subsection, by regulation in accordance with subparagraph (C), following consideration of the operating rules developed by the non-profit entity described in paragraph (2) and the recommendation submitted by the National Committee on Vital and Health Statistics under paragraph (3)(E) and having ensured consultation with providers.

(B) Adoption requirements; effective dates

(i) Eligibility for a health plan and health claim status

The set of operating rules for eligibility for a health plan and health claim status transactions shall be adopted not later than July 1, 2011, in a manner ensuring that such operating rules are effective not later than January 1, 2013, and may allow for the use of a machine readable identification card.

(ii) Electronic funds transfers and health care payment and remittance advice

The set of operating rules for electronic funds transfers and health care payment and remittance advice transactions shall—

(I) allow for automated reconciliation of the electronic payment with the remittance advice; and

(II) be adopted not later than July 1, 2012, in a manner ensuring that such operating rules are effective not later than January 1, 2014.

(iii) Health claims or equivalent encounter information, enrollment and disenrollment in a health plan, health plan premium payments, referral certification and authorization

The set of operating rules for health claims or equivalent encounter information, enrollment and disenrollment in a health plan, health plan premium payments, and referral certification and authorization transactions shall be adopted not later than July 1, 2014, in a manner ensuring that such operating rules are effective not later than January 1, 2016.

(C) Expedited rulemaking

The Secretary shall promulgate an interim final rule applying any standard or operating rule recommended by the National Committee on Vital and Health Statistics pursuant to paragraph (3). The Secretary shall accept and consider public comments on any interim final rule published under this subparagraph for 60 days after the date of such publication.

(h) Compliance

(1) Health plan certification

(A) Eligibility for a health plan, health claim status, electronic funds transfers, health care payment and remittance advice

Not later than December 31, 2013, a health plan shall file a statement with the Secretary, in such form as the Secretary may require, certifying that the data and information systems for such plan are in compliance with any applicable standards (as described under paragraph (7) of section 1320d of this title) and associated operating rules (as described under paragraph (9) of such section) for electronic funds transfers, eligibility for a health plan, health claim status, and health care payment and remittance advice, respectively.

(B) Health claims or equivalent encounter information, enrollment and disenrollment in a health plan, health plan premium payments, health claims attachments, referral certification and authorization

Not later than December 31, 2015, a health plan shall file a statement with the Secretary, in such form as the Secretary may require, certifying that the data and information systems for such plan are in compliance with any applicable standards and associated operating rules for health claims or equivalent encounter information, enrollment and disenrollment in a health plan, health plan premium payments, health claims attachments, and referral certification and authorization, respectively. A health plan shall provide the same level of documentation to certify compliance with such transactions as is required to certify compliance with the transactions specified in subparagraph (A).

(2) Documentation of compliance

A health plan shall provide the Secretary, in such form as the Secretary may require, with adequate documentation of compliance with the standards and operating rules described under paragraph (1). A health plan shall not be considered to have provided adequate documentation and shall not be certified as being in compliance with such standards, unless the health plan—

(A) demonstrates to the Secretary that the plan conducts the electronic transactions specified in paragraph (1) in a manner that fully complies with the regulations of the Secretary; and

(B) provides documentation showing that the plan has completed end-to-end testing for such transactions with their partners, such as hospitals and physicians.

(3) Service contracts

A health plan shall be required to ensure that any entities that provide services pursuant to a contract with such health plan shall comply with any applicable certification and compliance requirements (and provide the Secretary with adequate documentation of such compliance) under this subsection.

(4) Certification by outside entity

The Secretary may designate independent, outside entities to certify that a health plan has complied with the requirements under this subsection, provided that the certification standards employed by such entities are in accordance with any standards or operating rules issued by the Secretary.

(5) Compliance with revised standards and operating rules

(A) In general

A health plan (including entities described under paragraph (3)) shall file a statement with the Secretary, in such form as the Secretary may require, certifying that the data and information systems for such plan are in compliance with any applicable revised standards and associated operating rules under this subsection for any interim final rule promulgated by the Secretary under subsection (i) that—

(i) amends any standard or operating rule described under paragraph (1) of this subsection; or

(ii) establishes a standard (as described under subsection (a)(1)(B)) or associated operating rules (as described under subsection (i)(5)) for any other financial and administrative transactions.

(B) Date of compliance

A health plan shall comply with such requirements not later than the effective date of the applicable standard or operating rule.

(6) Audits of health plans

The Secretary shall conduct periodic audits to ensure that health plans (including entities described under paragraph (3)) are in compliance with any standards and operating rules that are described under paragraph (1) or subsection (i)(5).

(i) Review and amendment of standards and operating rules

(1) Establishment

Not later than January 1, 2014, the Secretary shall establish a review committee (as described under paragraph (4)).

(2) Evaluations and reports

(A) Hearings

Not later than April 1, 2014, and not less than biennially thereafter, the Secretary, acting through the review committee, shall conduct hearings to evaluate and review the adopted standards and operating rules established under this section.

(B) Report

Not later than July 1, 2014, and not less than biennially thereafter, the review committee shall provide recommendations for updating and improving such standards and operating rules. The review committee shall recommend a single set of operating rules per transaction standard and maintain the goal of creating as much uniformity as possible in the implementation of the electronic standards.

(3) Interim final rulemaking

(A) In general

Any recommendations to amend adopted standards and operating rules that have been approved by the review committee and reported to the Secretary under paragraph (2)(B) shall be adopted by the Secretary through promulgation of an interim final rule not later than 90 days after receipt of the committee's report.

(B) Public comment

(i) Public comment period

The Secretary shall accept and consider public comments on any interim final rule published under this paragraph for 60 days after the date of such publication.

(ii) Effective date

The effective date of any amendment to existing standards or operating rules that is adopted through an interim final rule published under this paragraph shall be 25 months following the close of such public comment period.

(4) Review committee

(A) Definition

For the purposes of this subsection, the term "review committee" means a committee chartered by or within the Department of Health and Human services that has been designated by the Secretary to carry out this subsection, including—

(i) the National Committee on Vital and Health Statistics; or

(ii) any appropriate committee as determined by the Secretary.

(B) Coordination of HIT standards

In developing recommendations under this subsection, the review committee shall ensure coordination, as appropriate, with the standards that support the certified electronic health record technology approved by the Office of the National Coordinator for Health Information Technology.

(5) Operating rules for other standards adopted by the Secretary

The Secretary shall adopt a single set of operating rules (pursuant to the process described under subsection (g)) for any transaction for which a standard had been adopted pursuant to subsection (a)(1)(B).

(j) Penalties

(1) Penalty fee

(A) In general

Not later than April 1, 2014, and annually thereafter, the Secretary shall assess a penalty fee (as determined under subparagraph (B)) against a health plan that has failed to meet the requirements under subsection (h) with respect to certification and documentation of compliance with—

(i) the standards and associated operating rules described under paragraph (1) of such subsection; and

(ii) a standard (as described under subsection (a)(1)(B)) and associated operating rules (as described under subsection (i)(5)) for any other financial and administrative transactions.

(B) Fee amount

Subject to subparagraphs (C), (D), and (E), the Secretary shall assess a penalty fee against a health plan in the amount of $1 per covered life until certification is complete. The penalty shall be assessed per person covered by the plan for which its data systems for major medical policies are not in compliance and shall be imposed against the health plan for each day that the plan is not in compliance with the requirements under subsection (h).

(C) Additional penalty for misrepresentation

A health plan that knowingly provides inaccurate or incomplete information in a statement of certification or documentation of compliance under subsection (h) shall be subject to a penalty fee that is double the amount that would otherwise be imposed under this subsection.

(D) Annual fee increase

The amount of the penalty fee imposed under this subsection shall be increased on an annual basis by the annual percentage increase in total national health care expenditures, as determined by the Secretary.

(E) Penalty limit

A penalty fee assessed against a health plan under this subsection shall not exceed, on an annual basis—

(i) an amount equal to $20 per covered life under such plan; or

(ii) an amount equal to $40 per covered life under the plan if such plan has knowingly provided inaccurate or incomplete information (as described under subparagraph (C)).

(F) Determination of covered individuals

The Secretary shall determine the number of covered lives under a health plan based upon the most recent statements and filings that have been submitted by such plan to the Securities and Exchange Commission.

(2) Notice and dispute procedure

The Secretary shall establish a procedure for assessment of penalty fees under this subsection that provides a health plan with reasonable notice and a dispute resolution procedure prior to provision of a notice of assessment by the Secretary of the Treasury (as described under paragraph (4)(B)).

(3) Penalty fee report

Not later than May 1, 2014, and annually thereafter, the Secretary shall provide the Secretary of the Treasury with a report identifying those health plans that have been assessed a penalty fee under this subsection.

(4) Collection of penalty fee

(A) In general

The Secretary of the Treasury, acting through the Financial Management Service, shall administer the collection of penalty fees from health plans that have been identified by the Secretary in the penalty fee report provided under paragraph (3).

(B) Notice

Not later than August 1, 2014, and annually thereafter, the Secretary of the Treasury shall provide notice to each health plan that has been assessed a penalty fee by the Secretary under this subsection. Such notice shall include the amount of the penalty fee assessed by the Secretary and the due date for payment of such fee to the Secretary of the Treasury (as described in subparagraph (C)).

(C) Payment due date

Payment by a health plan for a penalty fee assessed under this subsection shall be made to the Secretary of the Treasury not later than November 1, 2014, and annually thereafter.

(D) Unpaid penalty fees

Any amount of a penalty fee assessed against a health plan under this subsection for which payment has not been made by the due date provided under subparagraph (C) shall be—

(i) increased by the interest accrued on such amount, as determined pursuant to the underpayment rate established under section 6621 of the Internal Revenue Code of 1986; and

(ii) treated as a past-due, legally enforceable debt owed to a Federal agency for purposes of section 6402(d) of the Internal Revenue Code of 1986.

(E) Administrative fees

Any fee charged or allocated for collection activities conducted by the Financial Management Service will be passed on to a health plan on a pro-rata basis and added to any penalty fee collected from the plan.

(Aug. 14, 1935, ch. 531, title XI, §1173, as added Pub. L. 104–191, title II, §262(a), Aug. 21, 1996, 110 Stat. 2024; amended Pub. L. 111–148, title I, §1104(b)(2), title X, §10109(a), Mar. 23, 2010, 124 Stat. 147, 915.)

References in Text

The Health Insurance Portability and Accountability Act of 1996, referred to in subsec. (g)(1), (2)(D), is Pub. L. 104–191, Aug. 21, 1996, 110 Stat. 1936. For complete classification of this Act to the Code, see Short Title of 1996 Amendments note set out under section 201 of this title and Tables.

The Internal Revenue Code of 1986, referred to in subsec. (j)(4)(D)(i), (ii), is classified generally to Title 26, Internal Revenue Code.

Prior Provisions

A prior section 1173 of act Aug. 14, 1935, was classified to section 1320c–22 of this title prior to the general amendment of part B of this subchapter by Pub. L. 97–248.

Amendments

2010—Subsec. (a)(1)(B). Pub. L. 111–148, §10109(a)(1)(A), inserted before period at end ", and subject to the requirements under paragraph (5)".

Subsec. (a)(2)(J). Pub. L. 111–148, §1104(b)(2)(A), added subpar. (J).

Subsec. (a)(4). Pub. L. 111–148, §1104(b)(2)(B), added par. (4).

Subsec. (a)(5). Pub. L. 111–148, §10109(a)(1)(B), added par. (5).

Subsecs. (g) to (j). Pub. L. 111–148, §1104(b)(2)(C), added subsecs. (g) to (j).

Guidance on Protected Health Information

Pub. L. 116–136, div. A, title III, §3224, Mar. 27, 2020, 134 Stat. 380, provided that: "Not later than 180 days after the date of enactment of this Act [Mar. 27, 2020], the Secretary of Health and Human Services shall issue guidance on the sharing of patients' protected health information pursuant to section 160.103 of title 45, Code of Federal Regulations (or any successor regulations) during the public health emergency declared by the Secretary of Health and Human Services under section 319 of the Public Health Service Act (42 U.S.C. 247d) with respect to COVID–19, during the emergency involving Federal primary responsibility determined to exist by the President under section 501(b) of the Robert T. Stafford Disaster Relief and Emergency Assistance Act (42 U.S.C. 5191(b)) with respect to COVID–19, and during the national emergency declared by the President under the National Emergencies Act (50 U.S.C. 1601 et seq.) with respect to COVID–19. Such guidance shall include information on compliance with the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note) and applicable policies, including such policies that may come into effect during such emergencies."

Making T–MSIS Data on Substance Use Disorders Available to Researchers

Pub. L. 115–271, title I, §1015(b), Oct. 24, 2018, 132 Stat. 3922, provided that:

"(1) In general.—The Secretary [probably means the Secretary of Health and Human Services] shall publish in the Federal Register a system of records notice for the data specified in paragraph (2) for the Transformed Medicaid Statistical Information System, in accordance with section 552a(e)(4) of title 5, United States Code. The notice shall outline policies that protect the security and privacy of the data that, at a minimum, meet the security and privacy policies of SORN 09–70–0541 for the Medicaid Statistical Information System.

"(2) Required data.—The data covered by the systems of records notice required under paragraph (1) shall be sufficient for researchers and States to analyze the prevalence of substance use disorders in the Medicaid beneficiary population and the treatment of substance use disorders under Medicaid across all States (including the District of Columbia, Puerto Rico, the United States Virgin Islands, Guam, the Northern Mariana Islands, and American Samoa), forms of treatment, and treatment settings.

"(3) Initiation of data-sharing activities.—Not later than January 1, 2019, the Secretary shall initiate the data-sharing activities outlined in the notice required under paragraph (1)."

Accessing, Sharing, and Using Health Data for Research Purposes

Pub. L. 114–255, div. A, title II, §2063, Dec. 13, 2016, 130 Stat. 1080, provided that:

"(a) Guidance Related to Remote Access.—Not later than 1 year after the date of enactment of this Act [Dec. 13, 2016], the Secretary of Health and Human Services (referred to in this section as the 'Secretary') shall issue guidance clarifying that subparagraph (B) of section 164.512(i)(1)(ii) of part 164 of the Rule (prohibiting the removal of protected health information by a researcher) does not prohibit remote access to health information by a researcher for such purposes as described in section 164.512(i)(1)(ii) of part 164 of the Rule so long as—

"(1) at a minimum, security and privacy safeguards, consistent with the requirements of the Rule, are maintained by the covered entity and the researcher; and

"(2) the protected health information is not copied or otherwise retained by the researcher.

"(b) Guidance Related to Streamlining Authorization.—Not later than 1 year after the date of enactment of this Act, the Secretary shall issue guidance on the following:

"(1) Authorization for use and disclosure of health information.—Clarification of the circumstances under which the authorization for the use or disclosure of protected health information, with respect to an individual, for future research purposes contains a sufficient description of the purpose of the use or disclosure, such as if the authorization—

"(A) sufficiently describes the purposes such that it would be reasonable for the individual to expect that the protected health information could be used or disclosed for such future research;

"(B) either—

"(i) states that the authorization will expire on a particular date or on the occurrence of a particular event; or

"(ii) states that the authorization will remain valid unless and until it is revoked by the individual; and

"(C) provides instruction to the individual on how to revoke such authorization at any time.

"(2) Reminder of the right to revoke.—Clarification of the circumstances under which it is appropriate to provide an individual with an annual notice or reminder that the individual has the right to revoke such authorization.

"(3) Revocation of authorization.—Clarification of appropriate mechanisms by which an individual may revoke an authorization for future research purposes, such as described in paragraph (1)(C).

"(c) Working Group on Protected Health Information for Research.—

"(1) Establishment.—Not later than 1 year after the date of enactment of this Act [Dec. 13, 2016], the Secretary shall convene a working group to study and report on the uses and disclosures of protected health information for research purposes, under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104–191) [see Tables for classification].

"(2) Members.—The working group shall include representatives of—

"(A) relevant Federal agencies, including the National Institutes of Health, the Centers for Disease Control and Prevention, the Food and Drug Administration, and the Office for Civil Rights;

"(B) the research community;

"(C) patients;

"(D) experts in civil rights, such as privacy rights;

"(E) developers of health information technology;

"(F) experts in data privacy and security;

"(G) health care providers;

"(H) bioethicists; and

"(I) other experts and entities, as the Secretary determines appropriate.

"(3) Report.—Not later than 1 year after the date on which the working group is convened under paragraph (1), the working group shall conduct a review and submit a report to the Secretary containing recommendations on whether the uses and disclosures of protected health information for research purposes should be modified to allow protected health information to be available, as appropriate, for research purposes, including studies to obtain generalizable knowledge, while protecting individuals' privacy rights. In conducting the review and making recommendations, the working group shall—

"(A) address, at a minimum—

"(i) the appropriate manner and timing of authorization, including whether additional notification to the individual should be required when the individual's protected health information will be used or disclosed for such research;

"(ii) opportunities for individuals to set preferences on the manner in which their protected health information is used in research;

"(iii) opportunities for patients to revoke authorization;

"(iv) notification to individuals of a breach in privacy;

"(v) existing gaps in statute, regulation, or policy related to protecting the privacy of individuals, and

"(vi) existing barriers to research related to the current restrictions on the uses and disclosures of protected health information; and

"(B) consider, at a minimum—

"(i) expectations and preferences on how an individual's protected health information is shared and used;

"(ii) issues related to specific subgroups of people, such as children, incarcerated individuals, and individuals with a cognitive or intellectual disability impacting capacity to consent;

"(iii) relevant Federal and State laws;

"(iv) models of facilitating data access and levels of data access, including data segmentation, where applicable;

"(v) potential impacts of disclosure and non-disclosure of protected health information on access to health care services; and

"(vi) the potential uses of such data.

"(4) Report submission.—The Secretary shall submit the report under paragraph (3) to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Energy and Commerce of the House of Representatives, and shall post such report on the appropriate Internet website of the Department of Health and Human Services.

"(5) Termination.—The working group convened under paragraph (1) shall terminate the day after the report under paragraph (3) is submitted to Congress and made public in accordance with paragraph (4).

"(d) Definitions.—In this section:

"(1) The rule.—References to 'the Rule' refer to part 160 or part 164, as appropriate, of title 45, Code of Federal Regulations (or any successor regulation).

"(2) Part 164.—References to a specified section of 'part 164', refer to such specified section of part 164 of title 45, Code of Federal Regulations (or any successor section)."

Clarification on Permitted Uses and Disclosures of Protected Health Information

Pub. L. 114–255, div. B, title XI, §11003, Dec. 13, 2016, 130 Stat. 1270, provided that:

"(a) In General.—The Secretary [of Health and Human Services], acting through the Director of the Office for Civil Rights, shall ensure that health care providers, professionals, patients and their families, and others involved in mental or substance use disorder treatment have adequate, accessible, and easily comprehensible resources relating to appropriate uses and disclosures of protected health information under the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 [Pub. L. 104–191] (42 U.S.C. 1320d–2 note).

"(b) Guidance.—

"(1) Issuance.—In carrying out subsection (a), not later than 1 year after the date of enactment of this section [Dec. 13, 2016], the Secretary shall issue guidance clarifying the circumstances under which, consistent with regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996, a health care provider or covered entity may use or disclose protected health information.

"(2) Circumstances addressed.—The guidance issued under this section shall address circumstances including those that—

"(A) require the consent of the patient;

"(B) require providing the patient with an opportunity to object;

"(C) are based on the exercise of professional judgment regarding whether the patient would object when the opportunity to object cannot practicably be provided because of the incapacity of the patient or an emergency treatment circumstance; and

"(D) are determined, based on the exercise of professional judgment, to be in the best interest of the patient when the patient is not present or otherwise incapacitated.

"(3) Communication with family members and caregivers.—In addressing the circumstances described in paragraph (2), the guidance issued under this section shall clarify permitted uses or disclosures of protected health information for purposes of—

"(A) communicating with a family member of the patient, caregiver of the patient, or other individual, to the extent that such family member, caregiver, or individual is involved in the care of the patient;

"(B) in the case that the patient is an adult, communicating with a family member of the patient, caregiver of the patient, or other individual involved in the care of the patient;

"(C) in the case that the patient is a minor, communicating with the parent or caregiver of the patient;

"(D) involving the family members or caregivers of the patient, or others involved in the patient's care or care plan, including facilitating treatment and medication adherence;

"(E) listening to the patient, or receiving information with respect to the patient from the family or caregiver of the patient;

"(F) communicating with family members of the patient, caregivers of the patient, law enforcement, or others when the patient presents a serious and imminent threat of harm to self or others; and

"(G) communicating to law enforcement and family members or caregivers of the patient about the admission of the patient to receive care at, or the release of a patient from, a facility for an emergency psychiatric hold or involuntary treatment."

Development and Dissemination of Model Training Programs

Pub. L. 114–255, div. B, title XI, §11004, Dec. 13, 2016, 130 Stat. 1271, provided that:

"(a) Initial Programs and Materials.—Not later than 1 year after the date of the enactment of this Act [Dec. 13, 2016], the Secretary [of Health and Human Services], in consultation with appropriate experts, shall identify the following model programs and materials, or (in the case that no such programs or materials exist) recognize private or public entities to develop and disseminate each of the following:

"(1) Model programs and materials for training health care providers (including physicians, emergency medical personnel, psychiatrists, including child and adolescent psychiatrists, psychologists, counselors, therapists, nurse practitioners, physician assistants, behavioral health facilities and clinics, care managers, and hospitals, including individuals such as general counsels or regulatory compliance staff who are responsible for establishing provider privacy policies) regarding the permitted uses and disclosures, consistent with the standards governing the privacy and security of individually identifiable health information promulgated by the Secretary under part C of title XI of the Social Security Act (42 U.S.C. 1320d et seq.) and regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 [Pub. L. 104–191] (42 U.S.C. 1320d–2 note) and such part C, of the protected health information of patients seeking or undergoing mental or substance use disorder treatment.

"(2) A model program and materials for training patients and their families regarding their rights to protect and obtain information under the standards and regulations specified in paragraph (1).

"(b) Periodic Updates.—The Secretary shall—

"(1) periodically review and update the model programs and materials identified or developed under subsection (a); and

"(2) disseminate the updated model programs and materials to the individuals described in subsection (a).

"(c) Coordination.—The Secretary shall carry out this section in coordination with the Director of the Office for Civil Rights within the Department of Health and Human Services, the Assistant Secretary for Mental Health and Substance Use, the Administrator of the Health Resources and Services Administration, and the heads of other relevant agencies within the Department of Health and Human Services.

"(d) Input of Certain Entities.—In identifying, reviewing, or updating the model programs and materials under subsections (a) and (b), the Secretary shall solicit the input of relevant national, State, and local associations; medical societies; licensing boards; providers of mental and substance use disorder treatment; organizations with expertise on domestic violence, sexual assault, elder abuse, and child abuse; and organizations representing patients and consumers and the families of patients and consumers.

"(e) Funding.—There are authorized to be appropriated to carry out this section—

"(1) $4,000,000 for fiscal year 2018;

"(2) $2,000,000 for each of fiscal years 2019 and 2020; and

"(3) $1,000,000 for each of fiscal years 2021 and 2022."

Delay in Transition From ICD–9 to ICD–10 Code Sets

Pub. L. 113–93, title II, §212, Apr. 1, 2014, 128 Stat. 1047, provided that: "The Secretary of Health and Human Services may not, prior to October 1, 2015, adopt ICD–10 code sets as the standard for code sets under section 1173(c) of the Social Security Act (42 U.S.C. 1320d–2(c)) and section 162.1002 of title 45, Code of Federal Regulations."

Promulgation of Rules

Pub. L. 111–148, title I, §1104(c), Mar. 23, 2010, 124 Stat. 153, provided that:

"(1) Unique health plan identifier.—The Secretary [of Health and Human Services] shall promulgate a final rule to establish a unique health plan identifier (as described in section 1173(b) of the Social Security Act (42 U.S.C. 1320d–2(b))) based on the input of the National Committee on Vital and Health Statistics. The Secretary may do so on an interim final basis and such rule shall be effective not later than October 1, 2012.

"(2) Electronic funds transfer.—The Secretary shall promulgate a final rule to establish a standard for electronic funds transfers (as described in section 1173(a)(2)(J) of the Social Security Act, as added by subsection (b)(2)(A)). The Secretary may do so on an interim final basis and shall adopt such standard not later than January 1, 2012, in a manner ensuring that such standard is effective not later than January 1, 2014.

"(3) Health claims attachments.—The Secretary shall promulgate a final rule to establish a transaction standard and a single set of associated operating rules for health claims attachments (as described in section 1173(a)(2)(B) of the Social Security Act (42 U.S.C. 1320d–2(a)(2)(B))) that is consistent with the X12 Version 5010 transaction standards. The Secretary may do so on an interim final basis and shall adopt a transaction standard and a single set of associated operating rules not later than January 1, 2014, in a manner ensuring that such standard is effective not later than January 1, 2016."

Activities and Items for Initial Consideration; ICD Coding Crosswalks

Pub. L. 111–148, title X, §10109(b), (c), Mar. 23, 2010, 124 Stat. 916, provided that:

"(b) Activities and Items for Initial Consideration.—For purposes of section 1173(a)(5) of the Social Security Act [42 U.S.C. 1320d–2(a)(5)], as added by subsection (a), the Secretary of Health and Human Services (in this section referred to as the 'Secretary') shall, not later than January 1, 2012, seek input on activities and items relating to the following areas:

"(1) Whether the application process, including the use of a uniform application form, for enrollment of health care providers by health plans could be made electronic and standardized.

"(2) Whether standards and operating rules described in section 1173 of the Social Security Act should apply to the health care transactions of automobile insurance, worker's compensation, and other programs or persons not described in section 1172(a) of such Act (42 U.S.C. 1320d–1(a)).

"(3) Whether standardized forms could apply to financial audits required by health plans, Federal and State agencies (including State auditors, the Office of the Inspector General of the Department of Health and Human Services, and the Centers for Medicare & Medicaid Services), and other relevant entities as determined appropriate by the Secretary.

"(4) Whether there could be greater transparency and consistency of methodologies and processes used to establish claim edits used by health plans (as described in section 1171(5) of the Social Security Act (42 U.S.C. 1320d(5))).

"(5) Whether health plans should be required to publish their timeliness of payment rules.

"(c) ICD Coding Crosswalks.—

"(1) ICD–9 to icd–10 crosswalk.—The Secretary shall task the ICD–9–CM Coordination and Maintenance Committee to convene a meeting, not later than January 1, 2011, to receive input from appropriate stakeholders (including health plans, health care providers, and clinicians) regarding the crosswalk between the Ninth and Tenth Revisions of the International Classification of Diseases (ICD–9 and ICD–10, respectively) that is posted on the website of the Centers for Medicare & Medicaid Services, and make recommendations about appropriate revisions to such crosswalk.

"(2) Revision of crosswalk.—For purposes of the crosswalk described in paragraph (1), the Secretary shall make appropriate revisions and post any such revised crosswalk on the website of the Centers for Medicare & Medicaid Services.

"(3) Use of revised crosswalk.—For purposes of paragraph (2), any revised crosswalk shall be treated as a code set for which a standard has been adopted by the Secretary for purposes of section 1173(c)(1)(B) of the Social Security Act (42 U.S.C. 1320d–2(c)(1)(B)).

"(4) Subsequent crosswalks.—For subsequent revisions of the International Classification of Diseases that are adopted by the Secretary as a standard code set under section 1173(c) of the Social Security Act (42 U.S.C. 1320d–2(c)), the Secretary shall, after consultation with the appropriate stakeholders, post on the website of the Centers for Medicare & Medicaid Services a crosswalk between the previous and subsequent version of the International Classification of Diseases not later than the date of implementation of such subsequent revision."

Recommendations With Respect to Privacy of Certain Health Information

Pub. L. 104–191, title II, §264, Aug. 21, 1996, 110 Stat. 2033, provided that:

"(a) In General.—Not later than the date that is 12 months after the date of the enactment of this Act [Aug. 21, 1996], the Secretary of Health and Human Services shall submit to the Committee on Labor and Human Resources and the Committee on Finance of the Senate and the Committee on Commerce and the Committee on Ways and Means of the House of Representatives detailed recommendations on standards with respect to the privacy of individually identifiable health information.

"(b) Subjects for Recommendations.—The recommendations under subsection (a) shall address at least the following:

"(1) The rights that an individual who is a subject of individually identifiable health information should have.

"(2) The procedures that should be established for the exercise of such rights.

"(3) The uses and disclosures of such information that should be authorized or required.

"(c) Regulations.—

"(1) In general.—If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act [42 U.S.C. 1320d–2(a)] (as added by section 262) is not enacted by the date that is 36 months after the date of the enactment of this Act [Aug. 21, 1996], the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than the date that is 42 months after the date of the enactment of this Act. Such regulations shall address at least the subjects described in subsection (b).

"(2) Preemption.—A regulation promulgated under paragraph (1) shall not supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation.

"(d) Consultation.—In carrying out this section, the Secretary of Health and Human Services shall consult with—

"(1) the National Committee on Vital and Health Statistics established under section 306(k) of the Public Health Service Act (42 U.S.C. 242k(k)); and

"(2) the Attorney General."

Ex. Ord. No. 13181. To Protect the Privacy of Protected Health Information in Oversight Investigations

Ex. Ord. No. 13181, Dec. 20, 2000, 65 F.R. 81321, provided:

By the authority vested in me as President of the United States by the Constitution and the laws of the United States of America, it is ordered as follows:

Section 1. Policy.

It shall be the policy of the Government of the United States that law enforcement may not use protected health information concerning an individual that is discovered during the course of health oversight activities for unrelated civil, administrative, or criminal investigations of a non-health oversight matter, except when the balance of relevant factors weighs clearly in favor of its use. That is, protected health information may not be so used unless the public interest and the need for disclosure clearly outweigh the potential for injury to the patient, to the physician-patient relationship, and to the treatment services. Protecting the privacy of patients' protected health information promotes trust in the health care system. It improves the quality of health care by fostering an environment in which patients can feel more comfortable in providing health care professionals with accurate and detailed information about their personal health. In order to provide greater protections to patients' privacy, the Department of Health and Human Services is issuing final regulations concerning the confidentiality of individually identifiable health information under the Health Insurance Portability and Accountability Act of 1996 [Pub. L. 104–191, see Tables for classification] (HIPAA). HIPAA applies only to "covered entities," such as health care plans, providers, and clearinghouses. HIPAA regulations therefore do not apply to other organizations and individuals that gain access to protected health information, including Federal officials who gain access to health records during health oversight activities.

Under the new HIPAA regulations, health oversight investigators will appropriately have ready access to medical records for oversight purposes. Health oversight investigators generally do not seek access to the medical records of a particular patient, but instead review large numbers of records to determine whether a health care provider or organization is violating the law, such as through fraud against the Medicare system. Access to many health records is often necessary in order to gain enough evidence to detect and bring enforcement actions against fraud in the health care system. Stricter rules apply under the HIPAA regulations, however, when law enforcement officials seek protected health information in order to investigate criminal activity outside of the health oversight realm.

In the course of their efforts to protect the health care system, health oversight investigators may also uncover evidence of wrongdoing unrelated to the health care system, such as evidence of criminal conduct by an individual who has sought health care. For records containing that evidence, the issue thus arises whether the information should be available for law enforcement purposes under the less restrictive oversight rules or the more restrictive rules that apply to non-oversight criminal investigations.

A similar issue has arisen in other circumstances. Under 18 U.S.C. 3486, an individual's health records obtained for health oversight purposes pursuant to an administrative subpoena may not be used against that individual patient in an unrelated investigation by law enforcement unless a judicial officer finds good cause. Under that statute, a judicial officer determines whether there is good cause by weighing the public interest and the need for disclosure against the potential for injury to the patient, to the physician-patient relationship, and to the treatment services. It is appropriate to extend limitations on the use of health information to all situations in which the government obtains medical records for a health oversight purpose. In recognition of the increasing importance of protecting health information as shown in the medical privacy rule, a higher standard than exists in 18 U.S.C. 3486 is necessary. It is, therefore, the policy of the Government of the United States that law enforcement may not use protected health information concerning an individual, discovered during the course of health oversight activities for unrelated civil, administrative, or criminal investigations, against that individual except when the balance of relevant factors weighs clearly in favor of its use. That is, protected health information may not be so used unless the public interest and the need for disclosure clearly outweigh the potential for injury to the patient, to the physician-patient relationship, and to the treatment services.

Sec. 2. Definitions.

(a) "Health oversight activities" shall include the oversight activities enumerated in the regulations concerning the confidentiality of individually identifiable health information promulgated by the Secretary of Health and Human Services pursuant to the "Health Insurance Portability and Accountability Act of 1996," as amended [Pub. L. 104–191, see Tables for classification].

(b) "Protected health information" shall have the meaning ascribed to it in the regulations concerning the confidentiality of individually identifiable health information promulgated by the Secretary of Health and Human Services pursuant to the "Health Insurance Portability and Accountability Act of 1996," as amended.

(c) "Injury to the patient" includes injury to the privacy interests of the patient.

Sec. 3. Implementation.

(a) Protected health information concerning an individual patient discovered during the course of health oversight activities shall not be used against that individual patient in an unrelated civil, administrative, or criminal investigation of a non-health oversight matter unless the Deputy Attorney General of the U.S. Department of Justice, or insofar as the protected health information involves members of the Armed Forces, the General Counsel of the U.S. Department of Defense, has authorized such use.

(b) In assessing whether protected health information should be used under subparagraph (a) of this section, the Deputy Attorney General shall permit such use upon concluding that the balance of relevant factors weighs clearly in favor of its use. That is, the Deputy Attorney General shall permit disclosure if the public interest and the need for disclosure clearly outweigh the potential for injury to the patient, to the physician-patient relationship, and to the treatment services.

(c) Upon the decision to use protected health information under subparagraph (a) of this section, the Deputy Attorney General, in determining the extent to which this information should be used, shall impose appropriate safeguards against unauthorized use.

(d) On an annual basis, the Department of Justice, in consultation with the Department of Health and Human Services, shall provide to the President of the United States a report that includes the following information:

(i) the number of requests made to the Deputy Attorney General for authorization to use protected health information discovered during health oversight activities in a non-health oversight, unrelated investigation;

(ii) the number of requests that were granted as applied for, granted as modified, or denied;

(iii) the agencies that made the applications, and the number of requests made by each agency; and

(iv) the uses for which the protected health information was authorized.

(e) The General Counsel of the U.S. Department of Defense will comply with the requirements of subparagraphs (b), (c), and (d), above. The General Counsel also will prepare a report, consistent with the requirements of subparagraphs (d)(i) through (d)(iv), above, and will forward it to the Department of Justice where it will be incorporated into the Department's annual report to the President.

Sec. 4. Exceptions.

(a) Nothing in this Executive Order shall place a restriction on the derivative use of protected health information that was obtained by a law enforcement agency in a non-health oversight investigation.

(b) Nothing in this Executive Order shall be interpreted to place a restriction on a duty imposed by statute.

(c) Nothing in this Executive Order shall place any additional limitation on the derivative use of health information obtained by the Attorney General pursuant to the provisions of 18 U.S.C. 3486.

(d) This order does not create any right or benefit, substantive or procedural, enforceable at law by a party against the United States, the officers and employees, or any other person.

William J. Clinton.

§1320d–3. Timetables for adoption of standards

(a) Initial standards

The Secretary shall carry out section 1320d–2 of this title not later than 18 months after August 21, 1996, except that standards relating to claims attachments shall be adopted not later than 30 months after August 21, 1996.

(b) Additions and modifications to standards

(1) In general

Except as provided in paragraph (2), the Secretary shall review the standards adopted under section 1320d–2 of this title, and shall adopt modifications to the standards (including additions to the standards), as determined appropriate, but not more frequently than once every 12 months. Any addition or modification to a standard shall be completed in a manner which minimizes the disruption and cost of compliance.

(2) Special rules

(A) First 12-month period

Except with respect to additions and modifications to code sets under subparagraph (B), the Secretary may not adopt any modification to a standard adopted under this part during the 12-month period beginning on the date the standard is initially adopted, unless the Secretary determines that the modification is necessary in order to permit compliance with the standard.

(B) Additions and modifications to code sets

(i) In general

The Secretary shall ensure that procedures exist for the routine maintenance, testing, enhancement, and expansion of code sets.

(ii) Additional rules

If a code set is modified under this subsection, the modified code set shall include instructions on how data elements of health information that were encoded prior to the modification may be converted or translated so as to preserve the informational value of the data elements that existed before the modification. Any modification to a code set under this subsection shall be implemented in a manner that minimizes the disruption and cost of complying with such modification.

(Aug. 14, 1935, ch. 531, title XI, §1174, as added Pub. L. 104–191, title II, §262(a), Aug. 21, 1996, 110 Stat. 2026.)

§1320d–4. Requirements

(a) Conduct of transactions by plans

(1) In general

If a person desires to conduct a transaction referred to in section 1320d–2(a)(1) of this title with a health plan as a standard transaction—

(A) the health plan may not refuse to conduct such transaction as a standard transaction;

(B) the insurance plan may not delay such transaction, or otherwise adversely affect, or attempt to adversely affect, the person or the transaction on the ground that the transaction is a standard transaction; and

(C) the information transmitted and received in connection with the transaction shall be in the form of standard data elements of health information.

(2) Satisfaction of requirements

A health plan may satisfy the requirements under paragraph (1) by—

(A) directly transmitting and receiving standard data elements of health information; or

(B) submitting nonstandard data elements to a health care clearinghouse for processing into standard data elements and transmission by the health care clearinghouse, and receiving standard data elements through the health care clearinghouse.

(3) Timetable for compliance

Paragraph (1) shall not be construed to require a health plan to comply with any standard, implementation specification, or modification to a standard or specification adopted or established by the Secretary under sections 1320d–1 through 1320d–3 of this title at any time prior to the date on which the plan is required to comply with the standard or specification under subsection (b).

(b) Compliance with standards

(1) Initial compliance

(A) In general

Not later than 24 months after the date on which an initial standard or implementation specification is adopted or established under sections 1320d–1 and 1320d–2 of this title, each person to whom the standard or implementation specification applies shall comply with the standard or specification.

(B) Special rule for small health plans

In the case of a small health plan, paragraph (1) shall be applied by substituting "36 months" for "24 months". For purposes of this subsection, the Secretary shall determine the plans that qualify as small health plans.

(2) Compliance with modified standards

If the Secretary adopts a modification to a standard or implementation specification under this part, each person to whom the standard or implementation specification applies shall comply with the modified standard or implementation specification at such time as the Secretary determines appropriate, taking into account the time needed to comply due to the nature and extent of the modification. The time determined appropriate under the preceding sentence may not be earlier than the last day of the 180-day period beginning on the date such modification is adopted. The Secretary may extend the time for compliance for small health plans, if the Secretary determines that such extension is appropriate.

(3) Construction

Nothing in this subsection shall be construed to prohibit any person from complying with a standard or specification by—

(A) submitting nonstandard data elements to a health care clearinghouse for processing into standard data elements and transmission by the health care clearinghouse; or

(B) receiving standard data elements through a health care clearinghouse.

(Aug. 14, 1935, ch. 531, title XI, §1175, as added Pub. L. 104–191, title II, §262(a), Aug. 21, 1996, 110 Stat. 2027.)

Extension of Deadline for Covered Entities Submitting Compliance Plans

Pub. L. 107–105, §2, Dec. 27, 2001, 115 Stat. 1003, provided that:

"(a) In General.—

"(1) Extension.—Subject to paragraph (2), notwithstanding section 1175(b)(1)(A) of the Social Security Act (42 U.S.C. 1320d–4(b)(1)(A)) and section 162.900 of title 45, Code of Federal Regulations, a health care provider, health plan (other than a small health plan), or a health care clearinghouse shall not be considered to be in noncompliance with the applicable requirements of subparts I through R of part 162 of title 45, Code of Federal Regulations, before October 16, 2003.

"(2) Condition.—Paragraph (1) shall apply to a person described in such paragraph only if, before October 16, 2002, the person submits to the Secretary of Health and Human Services a plan of how the person will come into compliance with the requirements described in such paragraph not later than October 16, 2003. Such plan shall be a summary of the following:

"(A) An analysis reflecting the extent to which, and the reasons why, the person is not in compliance.

"(B) A budget, schedule, work plan, and implementation strategy for achieving compliance.

"(C) Whether the person plans to use or might use a contractor or other vendor to assist the person in achieving compliance.

"(D) A timeframe for testing that begins not later than April 16, 2003.

"(3) Electronic submission.—Plans described in paragraph (2) may be submitted electronically.

"(4) Model form.—Not later than March 31, 2002, the Secretary of Health and Human Services shall promulgate a model form that persons may use in drafting a plan described in paragraph (2). The promulgation of such form shall be made without regard to chapter 35 of title 44, United States Code (commonly known as the 'Paperwork Reduction Act').

"(5) Analysis of plans; reports on solutions.—

"(A) Analysis of plans.—

"(i) Furnishing of plans.—Subject to subparagraph (D), the Secretary of Health and Human Services shall furnish the National Committee on Vital and Health Statistics with a sample of the plans submitted under paragraph (2) for analysis by such Committee.

"(ii) Analysis.—The National Committee on Vital and Health Statistics shall analyze the sample of the plans furnished under clause (i).

"(B) Reports on solutions.—The National Committee on Vital and Health Statistics shall regularly publish, and widely disseminate to the public, reports containing effective solutions to compliance problems identified in the plans analyzed under subparagraph (A). Such reports shall not relate specifically to any one plan but shall be written for the purpose of assisting the maximum number of persons to come into compliance by addressing the most common or challenging problems encountered by persons submitting such plans.

"(C) Consultation.—In carrying out this paragraph, the National Committee on Vital and Health Statistics shall consult with each organization—

"(i) described in section 1172(c)(3)(B) of the Social Security Act (42 U.S.C. 1320d–1(c)(3)(B)); or

"(ii) designated by the Secretary of Health and Human Services under section 162.910(a) of title 45, Code of Federal Regulations.

"(D) Protection of confidential information.—

"(i) In general.—The Secretary of Health and Human Services shall ensure that any material provided under subparagraph (A) to the National Committee on Vital and Health Statistics or any organization described in subparagraph (C) is redacted so as to prevent the disclosure of any—

     "(I) trade secrets;

     "(II) commercial or financial information that is privileged or confidential; and

     "(III) other information the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.

"(ii) Construction.—Nothing in clause (i) shall be construed to affect the application of section 552 of title 5, United States Code (commonly known as the 'Freedom of Information Act'), including the exceptions from disclosure provided under subsection (b) of such section.

"(6) Enforcement through exclusion from participation in medicare.—

"(A) In general.—In the case of a person described in paragraph (1) who fails to submit a plan in accordance with paragraph (2), and who is not in compliance with the applicable requirements of subparts I through R of part 162 of title 45, Code of Federal Regulations, on or after October 16, 2002, the person may be excluded at the discretion of the Secretary of Health and Human Services from participation (including under part C or as a contractor under sections 1816, 1842, and 1893) [42 U.S.C. 1395h, 1395u, 1395ddd] in title XVIII of the Social Security Act (42 U.S.C. 1395 et seq.).

"(B) Procedure.—The provisions of section 1128A of the Social Security Act (42 U.S.C. 1320a–7a) (other than the first and second sentences of subsection (a) and subsection (b)) shall apply to an exclusion under this paragraph in the same manner as such provisions apply with respect to an exclusion or proceeding under section 1128A(a) of such Act.

"(C) Construction.—The availability of an exclusion under this paragraph shall not be construed to affect the imposition of penalties under section 1176 of the Social Security Act (42 U.S.C. 1320d–5).

"(D) Nonapplicability to complying persons.—The exclusion under subparagraph (A) shall not apply to a person who—

"(i) submits a plan in accordance with paragraph (2); or

"(ii) who is in compliance with the applicable requirements of subparts I through R of part 162 of title 45, Code of Federal Regulations, on or before October 16, 2002.

"(b) Special Rules.—

"(1) Rules of construction.—Nothing in this section shall be construed—

"(A) as modifying the October 16, 2003, deadline for a small health plan to comply with the requirements of subparts I through R of part 162 of title 45, Code of Federal Regulations; or

"(B) as modifying—

"(i) the April 14, 2003, deadline for a health care provider, a health plan (other than a small health plan), or a health care clearinghouse to comply with the requirements of subpart E of part 164 of title 45, Code of Federal Regulations; or

"(ii) the April 14, 2004, deadline for a small health plan to comply with the requirements of such subpart.

"(2) Applicability of privacy standards before compliance deadline for information transaction standards.—

"(A) In general.—Notwithstanding any other provision of law, during the period that begins on April 14, 2003, and ends on October 16, 2003, a health care provider or, subject to subparagraph (B), a health care clearinghouse, that transmits any health information in electronic form in connection with a transaction described in subparagraph (C) shall comply with the requirements of subpart E of part 164 of title 45, Code of Federal Regulations, without regard to whether the transmission meets the standards required by part 162 of such title.

"(B) Application to health care clearinghouses.—For purposes of this paragraph, during the period described in subparagraph (A), an entity that processes or facilitates the processing of information in connection with a transaction described in subparagraph (C) and that otherwise would be treated as a health care clearinghouse shall be treated as a health care clearinghouse without regard to whether the processing or facilitation produces (or is required to produce) standard data elements or a standard transaction as required by part 162 of title 45, Code of Federal Regulations.

"(C) Transactions described.—The transactions described in this subparagraph are the following:

"(i) A health care claims or equivalent encounter information transaction.

"(ii) A health care payment and remittance advice transaction.

"(iii) A coordination of benefits transaction.

"(iv) A health care claim status transaction.

"(v) An enrollment and disenrollment in a health plan transaction.

"(vi) An eligibility for a health plan transaction.

"(vii) A health plan premium payments transaction.

"(viii) A referral certification and authorization transaction.

"(c) Definitions.—In this section—

"(1) the terms 'health care provider', 'health plan', and 'health care clearinghouse' have the meaning given those terms in section 1171 of the Social Security Act (42 U.S.C. 1320d) and section 160.103 of title 45, Code of Federal Regulations;

"(2) the terms 'small health plan' and 'transaction' have the meaning given those terms in section 160.103 of title 45, Code of Federal Regulations; and

"(3) the terms 'health care claims or equivalent encounter information transaction', 'health care payment and remittance advice transaction', 'coordination of benefits transaction', 'health care claim status transaction', 'enrollment and disenrollment in a health plan transaction', 'eligibility for a health plan transaction', 'health plan premium payments transaction', and 'referral certification and authorization transaction' have the meanings given those terms in sections 162.1101, 162.1601, 162.1801, 162.1401, 162.1501, 162.1201, 162.1701, and 162.1301 of title 45, Code of Federal Regulations, respectively."

§1320d–5. General penalty for failure to comply with requirements and standards

(a) General penalty

(1) In general

Except as provided in subsection (b), the Secretary shall impose on any person who violates a provision of this part—

(A) in the case of a violation of such provision in which it is established that the person did not know (and by exercising reasonable diligence would not have known) that such person violated such provision, a penalty for each such violation of an amount that is at least the amount described in paragraph (3)(A) but not to exceed the amount described in paragraph (3)(D);

(B) in the case of a violation of such provision in which it is established that the violation was due to reasonable cause and not to willful neglect, a penalty for each such violation of an amount that is at least the amount described in paragraph (3)(B) but not to exceed the amount described in paragraph (3)(D); and

(C) in the case of a violation of such provision in which it is established that the violation was due to willful neglect—

(i) if the violation is corrected as described in subsection (b)(3)(A),[1] a penalty in an amount that is at least the amount described in paragraph (3)(C) but not to exceed the amount described in paragraph (3)(D); and

(ii) if the violation is not corrected as described in such subsection, a penalty in an amount that is at least the amount described in paragraph (3)(D).


In determining the amount of a penalty under this section for a violation, the Secretary shall base such determination on the nature and extent of the violation and the nature and extent of the harm resulting from such violation.

(2) Procedures

The provisions of section 1320a–7a of this title (other than subsections (a) and (b) and the second sentence of subsection (f)) shall apply to the imposition of a civil money penalty under this subsection in the same manner as such provisions apply to the imposition of a penalty under such section 1320a–7a of this title.

(3) Tiers of penalties described

For purposes of paragraph (1), with respect to a violation by a person of a provision of this part—

(A) the amount described in this subparagraph is $100 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $25,000;

(B) the amount described in this subparagraph is $1,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $100,000;

(C) the amount described in this subparagraph is $10,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $250,000; and

(D) the amount described in this subparagraph is $50,000 for each such violation, except that the total amount imposed on the person for all such violations of an identical requirement or prohibition during a calendar year may not exceed $1,500,000.

(b) Limitations

(1) Offenses otherwise punishable

No penalty may be imposed under subsection (a) and no damages obtained under subsection (d) with respect to an act if a penalty has been imposed under section 1320d–6 of this title with respect to such act.

(2) Failures due to reasonable cause

(A) In general

Except as provided in subparagraph (B) or subsection (a)(1)(C), no penalty may be imposed under subsection (a) and no damages obtained under subsection (d) if the failure to comply is corrected during the 30-day period beginning on the first date the person liable for the penalty or damages knew, or by exercising reasonable diligence would have known, that the failure to comply occurred.

(B) Extension of period

(i) No penalty

With respect to the imposition of a penalty by the Secretary under subsection (a), the period referred to in subparagraph (A) may be extended as determined appropriate by the Secretary based on the nature and extent of the failure to comply.

(ii) Assistance

If the Secretary determines that a person failed to comply because the person was unable to comply, the Secretary may provide technical assistance to the person during the period described in subparagraph (A). Such assistance shall be provided in any manner determined appropriate by the Secretary.

(3) Reduction

In the case of a failure to comply which is due to reasonable cause and not to willful neglect, any penalty under subsection (a) and any damages under subsection (d) that is [2] not entirely waived under paragraph (3) [3] may be waived to the extent that the payment of such penalty [4] would be excessive relative to the compliance failure involved.

(c) Noncompliance due to willful neglect

(1) In general

A violation of a provision of this part due to willful neglect is a violation for which the Secretary is required to impose a penalty under subsection (a)(1).

(2) Required investigation

For purposes of paragraph (1), the Secretary shall formally investigate any complaint of a violation of a provision of this part if a preliminary investigation of the facts of the complaint indicate such a possible violation due to willful neglect.

(d) Enforcement by State attorneys general

(1) Civil action

Except as provided in subsection (b), in any case in which the attorney general of a State has reason to believe that an interest of one or more of the residents of that State has been or is threatened or adversely affected by any person who violates a provision of this part, the attorney general of the State, as parens patriae, may bring a civil action on behalf of such residents of the State in a district court of the United States of appropriate jurisdiction—

(A) to enjoin further such violation by the defendant; or

(B) to obtain damages on behalf of such residents of the State, in an amount equal to the amount determined under paragraph (2).

(2) Statutory damages

(A) In general

For purposes of paragraph (1)(B), the amount determined under this paragraph is the amount calculated by multiplying the number of violations by up to $100. For purposes of the preceding sentence, in the case of a continuing violation, the number of violations shall be determined consistent with the HIPAA privacy regulations (as defined in section 1320d–9(b)(3) of this title) for violations of subsection (a).

(B) Limitation

The total amount of damages imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.

(C) Reduction of damages

In assessing damages under subparagraph (A), the court may consider the factors the Secretary may consider in determining the amount of a civil money penalty under subsection (a) under the HIPAA privacy regulations.

(3) Attorney fees

In the case of any successful action under paragraph (1), the court, in its discretion, may award the costs of the action and reasonable attorney fees to the State.

(4) Notice to Secretary

The State shall serve prior written notice of any action under paragraph (1) upon the Secretary and provide the Secretary with a copy of its complaint, except in any case in which such prior notice is not feasible, in which case the State shall serve such notice immediately upon instituting such action. The Secretary shall have the right—

(A) to intervene in the action;

(B) upon so intervening, to be heard on all matters arising therein; and

(C) to file petitions for appeal.

(5) Construction

For purposes of bringing any civil action under paragraph (1), nothing in this section shall be construed to prevent an attorney general of a State from exercising the powers conferred on the attorney general by the laws of that State.

(6) Venue; service of process

(A) Venue

Any action brought under paragraph (1) may be brought in the district court of the United States that meets applicable requirements relating to venue under section 1391 of title 28.

(B) Service of process

In an action brought under paragraph (1), process may be served in any district in which the defendant—

(i) is an inhabitant; or

(ii) maintains a physical place of business.

(7) Limitation on State action while Federal action is pending

If the Secretary has instituted an action against a person under subsection (a) with respect to a specific violation of this part, no State attorney general may bring an action under this subsection against the person with respect to such violation during the pendency of that action.

(8) Application of CMP statute of limitation

A civil action may not be instituted with respect to a violation of this part unless an action to impose a civil money penalty may be instituted under subsection (a) with respect to such violation consistent with the second sentence of section 1320a–7a(c)(1) of this title.

(e) Allowing continued use of corrective action

Nothing in this section shall be construed as preventing the Office for Civil Rights of the Department of Health and Human Services from continuing, in its discretion, to use corrective action without a penalty in cases where the person did not know (and by exercising reasonable diligence would not have known) of the violation involved.

(Aug. 14, 1935, ch. 531, title XI, §1176, as added Pub. L. 104–191, title II, §262(a), Aug. 21, 1996, 110 Stat. 2028; amended Pub. L. 111–5, div. A, title XIII, §13410(a)(1), (d)(1)–(3), (e)(1), (2), (f), Feb. 17, 2009, 123 Stat. 271–276.)

Amendments

2009—Subsec. (a)(1). Pub. L. 111–5, §13410(d)(1), substituted "who violates a provision of this part—" for "who violates a provision of this part a penalty of not more than $100 for each such violation, except that the total amount imposed on the person for all violations of an identical requirement or prohibition during a calendar year may not exceed $25,000.", added subpars. (A) to (C), and inserted concluding provisions.

Subsec. (a)(3). Pub. L. 111–5, §13410(d)(2), added par. (3).

Subsec. (b)(1). Pub. L. 111–5, §13410(e)(2)(A), substituted "No penalty may be imposed under subsection (a) and no damages obtained under subsection (d)" for "A penalty may not be imposed under subsection (a)".

Pub. L. 111–5, §13410(a)(1)(A), substituted "a penalty has been imposed under section 1320d–6 of this title with respect to such act" for "the act constitutes an offense punishable under section 1320d–6 of this title".

Subsec. (b)(2). Pub. L. 111–5, §13410(d)(3)(A), redesignated par. (3) as (2) and struck out former par. (2). Prior to amendment, text of par. (2) read as follows: "A penalty may not be imposed under subsection (a) of this section with respect to a provision of this part if it is established to the satisfaction of the Secretary that the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provision."

Subsec. (b)(2)(A). Pub. L. 111–5, §13410(e)(2)(B)(ii), which directed amendment of cl. (ii) of subpar. (A) by inserting "or damages" after "the penalty", was executed by making the insertion in subpar. (A) to reflect the probable intent of Congress and the intervening amendment by Pub. L. 111–5, §13410(d)(3)(B)(i), which struck out the cl. (ii) designation. See below.

Pub. L. 111–5, §13410(e)(2)(B)(i), substituted "no penalty may be imposed under subsection (a) and no damages obtained under subsection (d)" for "a penalty may not be imposed under subsection (a)".

Pub. L. 111–5, §13410(d)(3)(B)(i), substituted "in subparagraph (B) or subsection (a)(1)(C), a penalty may not be imposed under subsection (a) if the failure to comply is corrected" for "in subparagraph (B), a penalty may not be imposed under subsection (a) of this section if—

"(i) the failure to comply was due to reasonable cause and not to willful neglect; and

"(ii) the failure to comply is corrected".

Subsec. (b)(2)(B). Pub. L. 111–5, §13410(d)(3)(B)(ii), substituted "(A)" for "(A)(ii)" in two places.

Subsec. (b)(2)(B)(i). Pub. L. 111–5, §13410(e)(2)(C), substituted "With respect to the imposition of a penalty by the Secretary under subsection (a), the period" for "The period".

Subsec. (b)(3). Pub. L. 111–5, §13410(e)(2)(D), inserted "and any damages under subsection (d)" after "any penalty under subsection (a)".

Pub. L. 111–5, §13410(d)(3)(A), redesignated par. (4) as (3). Former par. (3) redesignated (2).

Subsec. (b)(4). Pub. L. 111–5, §13410(d)(3)(A), redesignated par. (4) as (3).

Subsec. (c). Pub. L. 111–5, §13410(a)(1)(B), added subsec. (c).

Subsec. (d). Pub. L. 111–5, §13410(e)(1), added subsec. (d).

Subsec. (e). Pub. L. 111–5, §13410(f), added subsec. (e).

Effective Date of 2009 Amendment

Amendment by Pub. L. 111–5 effective 12 months after Feb. 17, 2009, except as otherwise specifically provided, see section 13423 of Pub. L. 111–5, set out as an Effective Date note under section 17931 of this title.

Amendment by section 13410(a)(1) of Pub. L. 111–5 applicable to penalties imposed on or after the date that is 24 months after Feb. 17, 2009, see section 17939(b)(1) of this title.

Amendment by section 13410(d)(1)–(3) of Pub. L. 111–5 applicable to violations occurring after Feb. 17, 2009, see section 17939(d)(4) of this title.

Amendment by section 13410(e)(1), (2) of Pub. L. 111–5 applicable to violations occurring after Feb. 17, 2009, see section 17939(e)(3) of this title.

[1] So in original. Probably should be "(b)(2)(A),".

[2] So in original. Probably should be "are".

[3] So in original. Probably should be "(2)".

[4] So in original. The words "or damages" probably should appear after "penalty".

§1320d–6. Wrongful disclosure of individually identifiable health information

(a) Offense

A person who knowingly and in violation of this part—

(1) uses or causes to be used a unique health identifier;

(2) obtains individually identifiable health information relating to an individual; or

(3) discloses individually identifiable health information to another person,


shall be punished as provided in subsection (b). For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d–9(b)(3) of this title) and the individual obtained or disclosed such information without authorization.

(b) Penalties

A person described in subsection (a) shall—

(1) be fined not more than $50,000, imprisoned not more than 1 year, or both;

(2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and

(3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

(Aug. 14, 1935, ch. 531, title XI, §1177, as added Pub. L. 104–191, title II, §262(a), Aug. 21, 1996, 110 Stat. 2029; amended Pub. L. 111–5, div. A, title XIII, §13409, Feb. 17, 2009, 123 Stat. 271.)

Amendments

2009—Subsec. (a). Pub. L. 111–5 inserted at end "For purposes of the previous sentence, a person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the information is maintained by a covered entity (as defined in the HIPAA privacy regulation described in section 1320d–9(b)(3) of this title) and the individual obtained or disclosed such information without authorization."

Effective Date of 2009 Amendment

Amendment by Pub. L. 111–5 effective 12 months after Feb. 17, 2009, see section 13423 of Pub. L. 111–5, set out as an Effective Date note under section 17931 of this title.

§1320d–7. Effect on State law

(a) General effect

(1) General rule

Except as provided in paragraph (2), a provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d–1 through 1320d–3 of this title, shall supersede any contrary provision of State law, including a provision of State law that requires medical or health plan records (including billing information) to be maintained or transmitted in written rather than electronic form.

(2) Exceptions

A provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d–1 through 1320d–3 of this title, shall not supersede a contrary provision of State law, if the provision of State law—

(A) is a provision the Secretary determines—

(i) is necessary—

(I) to prevent fraud and abuse;

(II) to ensure appropriate State regulation of insurance and health plans;

(III) for State reporting on health care delivery or costs; or

(IV) for other purposes; or


(ii) addresses controlled substances; or


(B) subject to section 264(c)(2) of the Health Insurance Portability and Accountability Act of 1996, relates to the privacy of individually identifiable health information.

(b) Public health

Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.

(c) State regulatory reporting

Nothing in this part shall limit the ability of a State to require a health plan to report, or to provide access to, information for management audits, financial audits, program monitoring and evaluation, facility licensure or certification, or individual licensure or certification.

(Aug. 14, 1935, ch. 531, title XI, §1178, as added Pub. L. 104–191, title II, §262(a), Aug. 21, 1996, 110 Stat. 2029.)

References in Text

Section 264(c)(2) of the Health Insurance Portability and Accountability Act of 1996, referred to in subsec. (a)(2)(B), is section 264(c)(2) of Pub. L. 104–191, which is set out as a note under section 1320d–2 of this title.

§1320d–8. Processing payment transactions by financial institutions

To the extent that an entity is engaged in activities of a financial institution (as defined in section 3401 of title 12), or is engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments, for a financial institution, this part, and any standard adopted under this part, shall not apply to the entity with respect to such activities, including the following:

(1) The use or disclosure of information by the entity for authorizing, processing, clearing, settling, billing, transferring, reconciling or collecting, a payment for, or related to, health plan premiums or health care, where such payment is made by any means, including a credit, debit, or other payment card, an account, check, or electronic funds transfer.

(2) The request for, or the use or disclosure of, information by the entity with respect to a payment described in paragraph (1)—

(A) for transferring receivables;

(B) for auditing;

(C) in connection with—

(i) a customer dispute; or

(ii) an inquiry from, or to, a customer;


(D) in a communication to a customer of the entity regarding the customer's transactions, payment card, account, check, or electronic funds transfer;

(E) for reporting to consumer reporting agencies; or

(F) for complying with—

(i) a civil or criminal subpoena; or

(ii) a Federal or State law regulating the entity.

(Aug. 14, 1935, ch. 531, title XI, §1179, as added Pub. L. 104–191, title II, §262(a), Aug. 21, 1996, 110 Stat. 2030.)

§1320d–9. Application of HIPAA regulations to genetic information

(a) In general

The Secretary shall revise the HIPAA privacy regulation (as defined in subsection (b)) so it is consistent with the following:

(1) Genetic information shall be treated as health information described in section 1320d(4)(B) of this title.

(2) The use or disclosure by a covered entity that is a group health plan, health insurance issuer that issues health insurance coverage, or issuer of a medicare supplemental policy of protected health information that is genetic information about an individual for underwriting purposes under the group health plan, health insurance coverage, or medicare supplemental policy shall not be a permitted use or disclosure.

(b) Definitions

For purposes of this section:

(1) Genetic information; genetic test; family member

The terms "genetic information", "genetic test", and "family member" have the meanings given such terms in section 300gg–91 of this title, as amended by the Genetic Information Nondiscrimination Act of 2007.¹

(2) Group health plan; health insurance coverage; medicare supplemental policy

The terms "group health plan" and "health insurance coverage" have the meanings given such terms under section 300gg–91 of this title, and the term "medicare supplemental policy" has the meaning given such term in section 1395ss(g) of this title.

(3) HIPAA privacy regulation

The term "HIPAA privacy regulation" means the regulations promulgated by the Secretary under this part and section 264 of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note).

(4) Underwriting purposes

The term "underwriting purposes" means, with respect to a group health plan, health insurance coverage, or a medicare supplemental policy—

(A) rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy;

(B) the computation of premium or contribution amounts under the plan, coverage, or policy;

(C) the application of any pre-existing condition exclusion under the plan, coverage, or policy; and

(D) other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.

(c) Procedure

The revisions under subsection (a) shall be made by notice in the Federal Register published not later than 60 days after May 21, 2008, and shall be effective upon publication, without opportunity for any prior public comment, but may be revised, consistent with this section, after opportunity for public comment.

(d) Enforcement

In addition to any other sanctions or remedies that may be available under law, a covered entity that is a group health plan, health insurance issuer, or issuer of a medicare supplemental policy and that violates the HIPAA privacy regulation (as revised under subsection (a) or otherwise) with respect to the use or disclosure of genetic information shall be subject to the penalties described in sections 1320d–5 and 1320d–6 of this title in the same manner and to the same extent that such penalties apply to violations of this part.

(Aug. 14, 1935, ch. 531, title XI, §1180, as added Pub. L. 110–233, title I, §105(a), May 21, 2008, 122 Stat. 903.)

References in Text

The Genetic Information Nondiscrimination Act of 2007, referred to in subsec. (b)(1), probably means the Genetic Information Nondiscrimination Act of 2008, Pub. L. 110–233, May 21, 2008, 122 Stat. 881. For complete classification of this Act to the Code, see Short Title note set out under section 2000ff of this title and Tables.

Section 264 of the Health Insurance Portability and Accountability Act of 1996, referred to in subsec. (b)(3), is section 264 of Pub. L. 104–191, which is set out as a note under section 1320d–2 of this title.

Effective Date

Pub. L. 110–233, title I, §105(b)(2), May 21, 2008, 122 Stat. 905, provided that: "The amendment made by subsection (a) [enacting this section] shall take effect on the date that is 1 year after the date of the enactment of this Act [May 21, 2008]."

Regulations

Pub. L. 110–233, title I, §105(b)(1), May 21, 2008, 122 Stat. 905, provided that: "Not later than 12 months after the date of the enactment of this Act [May 21, 2008], the Secretary of Health and Human Services shall issue final regulations to carry out the revision required by section 1180(a) of the Social Security Act [42 U.S.C. 1320d–9(a)], as added by subsection (a). The Secretary has the sole authority to promulgate such regulations, but shall promulgate such regulations in consultation with the Secretaries of Labor and the Treasury."

1 See References in Text note below.