FORTY-EIGHTH LEGISLATUREHB 37/a
SECOND SESSION, 2008
February 10, 2008
Madam President:
Your JUDICIARY COMMITTEE, to whom has been referred
HOUSE JUDICIARY COMMITTEE SUBSTITUTE FOR
HOUSE BILL 37, as amended
has had it under consideration and reports same with recommendation that it DO PASS, amended as follows:
1. On page 1, line 15, after the semicolon, insert "PROVIDING FOR A PRIVATE RIGHT OF ACTION;".
2. On page 10, line 6, strike "and" and insert in lieu thereof a comma, and after "institutions" insert ", persons and other entities".
3. On page 10, line 10, strike "or" and insert in lieu thereof a comma, and after "institution" insert ", person or other entity".
4. On page 10, line 12, strike "or" and insert in lieu thereof a comma, and on line 13, after "institution" insert ", person or other entity".
5. On page 10, line 18, after "participation" insert ", but a health care provider or health care institution shall be required to maintain an audit log pursuant to Subsection C of this section".
6. On page 11, between lines 13 and 14, insert a new subsection to read:
"G. An individual may annually request a copy of the audit log of the individual's medical record.".
7. On page 11, line 24, strike "apparently having" and insert in lieu thereof "who reasonably believed the person had".
8. On page 12, between lines 6 and 7, insert the following new sections to read:
"Section 11. BREACH OF THE SECURITY SYSTEM.--
A. An entity that holds an individual's medical record or maintains computerized data that includes medical records shall disclose any breach following discovery or notification of the breach to a person whose medical record was, or was reasonably believed to have been, acquired by an unauthorized person.
B. The disclosure shall be made without unreasonable delay, which shall allow an entity time to determine the scope of the breach and restore the integrity of the data or data system or accommodate the legitimate needs of law enforcement pursuant to Subsection D of this section.
C. Disclosure shall be provided in the following manner:
(1) written notice;
(2) electronic notice, provided that the notice is consistent with the provisions applicable to electronic records and signatures in Section 7001 of Title 15 of the United States Code; or
(3) substitute notice, if the entity demonstrates that the cost of providing notice would exceed two hundred fifty thousand dollars ($250,000), or that the affected class of subject persons to be notified exceeds five hundred thousand, or the entity does not have sufficient contact information. Substitute notice shall be provided in the following manner:
(a) email notice;
(b) conspicuous posting of the notice on the entity's commonly used web site; or
(c) notification by publication.
D. Disclosure may be delayed if a law enforcement agency determines that disclosure will impede a criminal investigation. However, disclosure shall be made after the law enforcement agency determines that it will not compromise the investigation.
E. For purposes of this section:
(1) "breach" means unauthorized acquisition of electronic data or a computerized system containing unencrypted and confidential medical information maintained in a record. Good faith acquisition of personal information by an employee or agent of the entity for the purposes of the entity is not a breach, provided that the personal information is not used for an unauthorized purpose or subject to further unauthorized disclosure; and
(2) "entity" means a person who holds or compiles electronic medical records or maintains a computerized system that contains electronic medical records, including a health care provider, health care institution, health care group purchaser or a person engaged in a health information exchange.
Section 12. LAW ENFORCEMENT ACCESS.--
A. Unless otherwise provided by this section, a law enforcement agency may require a health care provider, health care institution, health care group purchaser or person engaged in a health information exchange to disclose the contents of a medical record to the law enforcement agency by an administrative subpoena authorized by statute or a grand jury, a trial subpoena or a court order for disclosure pursuant to Subsection B of this section.
B. The disclosure of medical records to a law enforcement agency pursuant to Subsection A of this section shall be allowed only if the law enforcement agency offers specific and articulatable facts showing reasonable grounds to believe that the contents of a medical record are relevant and material to an ongoing criminal investigation.
C. The law enforcement agency shall disclose to an individual that it has requested the individual's medical records before the receipt of the records in a manner provided in Subsection C of Section 11 of the Electronic Medical Records Act unless a court determines otherwise pursuant to Subsection D of this section.
D. Upon request by a law enforcement agency, a court shall order that the disclosure required under Subsection C of this section be delayed for up to ninety days if the court determines that there is reason to believe that disclosure of the existence of a court order may result in:
(1) endangering the life or physical safety of an individual;
(2) flight from prosecution;
(3) destruction or tampering with evidence;
(4) intimidation of a potential witness; or
(5) jeopardizing an investigation or delaying a trial.
E. On a motion made by a health care provider, health care institution, health care group provider or person engaged in health information exchange, a court issuing an order for disclosure may quash or modify such order if the information or records requested are unusually voluminous in nature or compliance with such order otherwise would cause an undue burden on the health care provider, health care institution, health care group purchaser or person engaged in a health information exchange.
F. A willful disclosure to unauthorized persons of a medical record obtained by a law enforcement agency that is not made pursuant to a law enforcement agent's official duties shall be a violation of the Electronic Medical Records Act. This subsection, however, shall not apply to information disclosed to the public by a federal, state or local governmental entity or by a plaintiff in a civil action, provided that the disclosure was lawful and prior to a civil or administrative proceeding.
Section 13. RIGHT TO CIVIL ACTION--DEFENSES--LIMITATIONS.--
A. A person aggrieved by a violation of the Electronic Medical Records Act may recover in a civil action from a health care provider, health care institution, health care group purchaser or person engaged in a health information exchange that knowingly or willfully violates the Electronic Medical Records Act.
B. In a civil action under this section, relief may include:
(1) preliminary and other equitable or declaratory relief as appropriate;
(2) damages pursuant to Subsection C or D of this section; and
(3) reasonable attorney fees and other reasonable costs incurred as the result of litigation.
C. If the violator knowingly violates the Electronic Medical Records Act, the court may assess the sum of actual damages and profits made by the violator as a result of the violation, provided that damages awarded shall not be less than one thousand dollars ($1,000).
D. If the violator willfully violates the Electronic Medical Records Act, the court may also assess punitive damages.
E. Good faith reliance on a subpoena, court order or legislative authorization for disclosure is a complete defense to any civil action brought under the Electronic Medical Records Act.
F. A civil action under this section shall not be commenced later than two years after the date upon which the claimant discovered or had a reasonable opportunity to discover the violation.".
9. Renumber the succeeding section accordingly.
Respectfully submitted,
__________________________________
Cisco McSorley, Chairman
Adopted_______________________ Not Adopted_______________________
(Chief Clerk) (Chief Clerk)
Date ________________________
The roll call vote was 6 For 2 Against
Yes: 6
No: Harden, Payne
Excused: Adair, Cravens
Absent: None
HB0037JU1