Part B—Relationship to Other Laws; Regulatory References; Effective Date; Reports
§17951. Relationship to other laws
(a) Application of HIPAA State preemption
Section 1178 of the Social Security Act (
(b) Health Insurance Portability and Accountability Act of 1996
The standards governing the privacy and security of individually identifiable health information promulgated by the Secretary under sections 262(a) and 264 of the Health Insurance Portability and Accountability Act of 1996 shall remain in effect to the extent that they are consistent with this subchapter. The Secretary shall by rule amend such Federal regulations as required to make such regulations consistent with this subchapter.
(c) Construction
Nothing in this subchapter shall constitute a waiver of any privilege otherwise applicable to an individual with respect to the protected health information of such individual.
(
Editorial Notes
References in Text
This subchapter, referred to in text, was in the original "this subtitle", meaning subtitle D (§13400 et seq.) of title XIII of div. A of
The Social Security Act, referred to in subsec. (a), is act Aug. 14, 1935, ch. 531,
The Health Insurance Portability and Accountability Act of 1996, referred to in subsec. (b), is
§17952. Regulatory references
Each reference in this subchapter to a provision of the Code of Federal Regulations refers to such provision as in effect on February 17, 2009 (or to the most recent update of such provision).
(
Editorial Notes
References in Text
This subchapter, referred to in text, was in the original "this subtitle", meaning subtitle D (§13400 et seq.) of title XIII of div. A of
§17953. Studies, reports, guidance
(a) Report on compliance
(1) In general
For the first year beginning after February 17, 2009, and annually thereafter, the Secretary shall prepare and submit to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Ways and Means and the Committee on Energy and Commerce of the House of Representatives a report concerning complaints of alleged violations of law, including the provisions of this subchapter as well as the provisions of subparts C and E of part 164 of title 45, Code of Federal Regulations, (as such provisions are in effect as of February 17, 2009) relating to privacy and security of health information that are received by the Secretary during the year for which the report is being prepared. Each such report shall include, with respect to such complaints received during the year—
(A) the number of such complaints;
(B) the number of such complaints resolved informally, a summary of the types of such complaints so resolved, and the number of covered entities that received technical assistance from the Secretary during such year in order to achieve compliance with such provisions and the types of such technical assistance provided;
(C) the number of such complaints that have resulted in the imposition of civil monetary penalties or have been resolved through monetary settlements, including the nature of the complaints involved and the amount paid in each penalty or settlement;
(D) the number of compliance reviews conducted and the outcome of each such review;
(E) the number of subpoenas or inquiries issued;
(F) the Secretary's plan for improving compliance with and enforcement of such provisions for the following year; and
(G) the number of audits performed and a summary of audit findings pursuant to
(2) Availability to public
Each report under paragraph (1) shall be made available to the public on the Internet website of the Department of Health and Human Services.
(b) Study and report on application of privacy and security requirements to non-HIPAA covered entities
(1) Study
Not later than one year after February 17, 2009, the Secretary, in consultation with the Federal Trade Commission, shall conduct a study, and submit a report under paragraph (2), on privacy and security requirements for entities that are not covered entities or business associates as of February 17, 2009, including—
(A) requirements relating to security, privacy, and notification in the case of a breach of security or privacy (including the applicability of an exemption to notification in the case of individually identifiable health information that has been rendered unusable, unreadable, or indecipherable through technologies or methodologies recognized by appropriate professional organization or standard setting bodies to provide effective security for the information) that should be applied to—
(i) vendors of personal health records;
(ii) entities that offer products or services through the website of a vendor of personal health records;
(iii) entities that are not covered entities and that offer products or services through the websites of covered entities that offer individuals personal health records;
(iv) entities that are not covered entities and that access information in a personal health record or send information to a personal health record; and
(v) third party service providers used by a vendor or entity described in clause (i), (ii), (iii), or (iv) to assist in providing personal health record products or services;
(B) a determination of which Federal government agency is best equipped to enforce such requirements recommended to be applied to such vendors, entities, and service providers under subparagraph (A); and
(C) a timeframe for implementing regulations based on such findings.
(2) Report
The Secretary shall submit to the Committee on Finance, the Committee on Health, Education, Labor, and Pensions, and the Committee on Commerce of the Senate and the Committee on Ways and Means and the Committee on Energy and Commerce of the House of Representatives a report on the findings of the study under paragraph (1) and shall include in such report recommendations on the privacy and security requirements described in such paragraph.
(c) Guidance on implementation specification to de-identify protected health information
Not later than 12 months after February 17, 2009, the Secretary shall, in consultation with stakeholders, issue guidance on how best to implement the requirements for the de-identification of protected health information under section 164.514(b) of title 45, Code of Federal Regulations.
(d) GAO report on treatment disclosures
Not later than one year after February 17, 2009, the Comptroller General of the United States shall submit to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Ways and Means and the Committee on Energy and Commerce of the House of Representatives a report on the best practices related to the disclosure among health care providers of protected health information of an individual for purposes of treatment of such individual. Such report shall include an examination of the best practices implemented by States and by other entities, such as health information exchanges and regional health information organizations, an examination of the extent to which such best practices are successful with respect to the quality of the resulting health care provided to the individual and with respect to the ability of the health care provider to manage such best practices, and an examination of the use of electronic informed consent for disclosing protected health information for treatment, payment, and health care operations.
(e) Report required
Not later than 5 years after February 17, 2009, the Government Accountability Office shall submit to Congress and the Secretary of Health and Human Services a report on the impact of any of the provisions of this Act on health insurance premiums, overall health care costs, adoption of electronic health records by providers, and reduction in medical errors and other quality improvements.
(f) Study
The Secretary shall study the definition of "psychotherapy notes" in section 164.501 of title 45, Code of Federal Regulations, with regard to including test data that is related to direct responses, scores, items, forms, protocols, manuals, or other materials that are part of a mental health evaluation, as determined by the mental health professional providing treatment or evaluation in such definitions and may, based on such study, issue regulations to revise such definition.
(
Editorial Notes
References in Text
This subchapter, referred to in subsec. (a)(1), was in the original "this subtitle", meaning subtitle D (§13400 et seq.) of title XIII of div. A of
This Act, referred to in subsec. (e), means div. A of