ASSEMBLY, No. 1727
STATE OF NEW JERSEY
INTRODUCED MARCH 18, 1996
By Assemblymen COHEN and IMPREVEDUTO
An Act concerning personal privacy with respect to medical records and other health care information, and supplementing Title 26 of the Revised Statutes.
Be It Enacted by the Senate and General Assembly of the State of New Jersey:
1. This act shall be known and may be cited as the "Medical Records Confidentiality Act."
2. The Legislature finds and declares that:
a. It is in the public interest to establish strong and effective mechanisms to protect the privacy of persons with respect to personally identifiable health care information that is created or maintained as part of health treatment, diagnosis, enrollment, payment, testing or research processes.
b. It is also in the public interest to promote the efficiency and security of the health information infrastructure so that members of the health care community may more effectively exchange and transfer health information in a manner that will ensure the confidentiality of personally identifiable health information; and
c. It is therefore necessary to enact such provisions into law in this State and to establish strong and effective remedies for violations of these provisions.
3. As used in this act:
"Certified health information service" means a health information service that receives personally identifiable health information for the purpose of creating nonidentifiable health information and has been certified by the commissioner pursuant to section 12 of this act.
"Certified institutional review board" means an institutional review board that has been certified by the commissioner pursuant to section 17 of this act.
"Commissioner" means the Commissioner of Health.
"Disclose" means to release, transfer or otherwise divulge protected health information to any person other than the individual who is the subject of the information.
"Health care" means preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care, counseling, service or procedure with respect to an individual's physical or mental condition, or affecting the structure or function of the human body or any part thereof; or the sale or dispensing of a drug, device, equipment or other item to an individual or for the use of an individual pursuant to a prescription.
"Health care provider" means a person who, with respect to a specific item of protected health information, receives, creates, uses, maintains or discloses the information while acting in whole or in part in the capacity of: a person who is licensed, certified, registered or otherwise authorized by law to provide an item or service that constitutes health care in the ordinary course of business or practice of a profession; a State or federal program that directly provides items or services that constitute health care to beneficiaries of the program; or an officer or employee of such a person or program.
"Health information service" means a person who: uses protected health information to provide services to health information trustees for purposes authorized pursuant to this act, facilitates the transfer and exchange of protected health information between health information trustees, processes protected health information into standard format for transfer and exchanges between health information trustees, facilitates authorized access to protected health information, or transforms protected health information into nonidentifiable health information.
"Health information trustee" means a health care provider, health plan, health oversight agency, health researcher, public health authority, employer, insurer, school or university, or health information service to the extent that it creates, receives, obtains, maintains, uses or transmits protected health information; a person who obtains protected health information pursuant to this act; or an employee, agent or contractor of a person herein defined as a health information trustee insofar as that employee, agent or contractor creates, receives, obtains, maintains, uses or transmits protected health information.
"Health oversight agency" means an agency, person or other entity which: performs or oversees the performance of an assessment, evaluation, determination or investigation relating to the licensing, registration, accreditation or certification of health care providers; or performs or oversees the performance of an assessment, evaluation, determination, investigation or prosecution relating to compliance with legal, fiscal, medical or scientific standards governing the delivery of, or payment for, health care, health services or equipment, or health research, or governing health care fraud or fraudulent claims regarding health care, health services or equipment, or related activities and items; and which agency, person or other entity is a public agency or is acting on behalf of a public agency or pursuant to a requirement of a public agency, or is conducting activities under a State or federal law governing the activities of a health oversight agency.
"Health plan" means a health insurance plan, including a hospital or medical service plan, dental or other health service plan or health maintenance organization plan, or other program providing health benefits, whether or not funded through the purchase of insurance.
"Health researcher" means a person who receives a specific item of protected health information pursuant to section 17 of this act or while acting in whole or in part in the capacity of an officer or employee of such a person.
"Individual representative" means an individual legally empowered to make decisions concerning the provision of health care to an individual who lacks the legal capacity under State law to make these decisions , or the administrator or executor of a decedent's estate.
"Law enforcement inquiry" means a lawful investigation or official proceeding inquiring into a violation of, or failure to comply with, a criminal or civil law or any regulation, rule or order issued pursuant to that law.
"Protected health information" means information, including demographic information collected from an individual, whether oral or recorded in any form or medium, that is created or received by a health information trustee and relates to an individual's past, present or future physical or mental health or condition, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; and which information identifies an individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify an individual.
"Public health authority" means an authority or instrumentality of the United States or this State that is responsible for public health matters and is engaged in such activities as injury reporting, public health, surveillance and public health investigation or intervention.
"Writing" means writing in either a paper-based or computer-based form, including electronic signatures.
4. a. Except as provided in subsection b. of this section, a health information trustee shall permit an individual who is the subject of protected health information or the individual's designee to inspect and copy protected health information concerning the individual, including records created pursuant to section 5 of this act that the trustee maintains. A health information trustee may require an individual to reimburse the trustee for the cost of the inspection and copying.
b. A health information trustee shall not be required to permit inspection or copying of protected health information under any of the following conditions:
(1) The trustee determines that disclosure of the information could reasonably be expected to endanger the life or physical safety of an individual;
(2) The information identifies or could reasonably lead to the identification of a person who provided information under a promise of confidentiality to a health care provider concerning the individual who is the subject of the information; or
(3) The information is used by the trustee solely for administrative purposes and not in the provision of health care or the administration of benefits to the individual who is the subject of the information, and has not been disclosed by the health information trustee to another person.
c. A health information trustee shall permit inspection and copying under subsection a. of this section of any reasonably segregable portion of a record after deletion of any portion that is exempt under subsection b. of this section.
d. A health information trustee shall comply with or deny, with a statement of the reasons for the denial, a request for inspection or copying of protected health information pursuant to his section no later than 30 days after the receipt of the request by the trustee.
5. a. A health information trustee shall no later than 45 days after the trustee receives from an individual a written request to correct or amend information:
(1) make the correction or amendment requested;
(2) inform the individual of the correction or amendment that has been made; and
(3) make reasonable efforts to inform any person who is identified by the individual, who is not an officer, employer, or agent of the trustee, and to whom the uncorrected or unamended portion of the information was previously disclosed, of the correction or amendment that has been made; or
(4) if the trustee does not take the actions required pursuant to this subsection, comply with the provisions of subsection b. of this section.
b. If the health information trustee refuses to make the correction or amendment, the trustee shall inform the individual of:
(1) the reasons for the refusal to make the correction or amendment;
(2) any procedures for further review of the refusal; and
(3) the individual's right to file with the trustee a concise statement setting forth the requested correction or amendment and the individual's reasons for disagreeing with the refusal.
c. After an individual has filed a statement of disagreement pursuant to paragraph (3) of subsection b. of this section, the health information trustee, in any subsequent disclosure of the disputed portion of the information, shall include a copy of the individual's statement, and may include a concise statement of the reasons for not making the requested correction or amendment.
d. The provisions of this section shall not be construed to require a health information trustee to conduct a formal, informal or other hearing or proceeding concerning a request for a correction or amendment to protected health information.
e. For the purposes of subsection a. of this section, a correction is deemed to have been made to protected health information when information that has been disputed by an individual has been corrected, clearly marked as incorrect, or supplemented by correct information.
6. A health information trustee other than a health information service shall provide, in a clear and conspicuous manner, written notice of the trustee's health information practices, including a notice of individual rights with respect to protected health information, on a form and in a manner prescribed by the commissioner.
7. A health information trustee shall establish and maintain appropriate administrative, technical and physical safeguards to ensure the confidentiality, security, accuracy and integrity of protected health information created, received, obtained, maintained, used or transmitted by the trustee, in accordance with standards established by the commissioner.
8. A health information trustee shall create and maintain with respect to any protected health information disclosure that is not related to treatment, a record of the disclosure in accordance with regulations adopted by the commissioner, for a period of not less than seven years.
9. A health information trustee shall not disclose protected health information except as authorized pursuant to this section.
a. Protected health information shall not be used or disclosed to any person unless the use or disclosure is compatible with and related to the purposes for which the information was obtained.
b. Every disclosure of protected health information by a health information trustee shall be limited to the minimum amount of information necessary to accomplish the purpose for which the information is disclosed.
c. Nothing in this section that permits a disclosure of health information shall be construed to require that disclosure.
d. Except as provided in this section, a health information trustee shall not disclose protected health information unless the information is clearly identified as protected health information that is subject to this section.
e. The commissioner shall adopt regulations protecting information identifying health care providers in order to promote the availability of health care services.
10. a. A health information trustee may disclose protected health information for purposes of treatment or payment pursuant to an authorization executed by the individual who is the subject of the information, or a person acting for the individual pursuant to State law, if each of the following requirements is met:
(1) The authorization is in writing or electronically authenticated, signed by the individual who is the subject of the information, dated, and provided on a form and in a manner prescribed by the commissioner.
(2) Separate forms authorizing disclosures for treatment and payment processes are provided to the individual.
(3) The information to be disclosed is specified, or is described in the authorization.
(4) The trustee who is authorized to disclose the information is specifically identified or is described in the authorization.
(5) The person to whom the information is to be disclosed is specifically identified or is described in the authorization.
(6) The authorization contains an acknowledgment that the individual who is the subject of the information has the right to revoke or amend the authorization.
(7) The authorization contains an acknowledgment that the individual who is the subject of the information has read a statement of the disclosure that the person who receives the protected health information intends to make.
(8) The authorization includes a statement that the information will be disclosed solely for a purpose that is compatible with, and related to, the purposes for which the information was collected or received by the trustee.
(9) The authorization specifies a date or event upon which the authorization expires.
b. (1) Authorization to disclose protected health information pursuant to subsection a. of this section may not be revoked with respect to disclosure of protected health information to permit validation of expenditures for health care that has previously been authorized.
(2) A health information trustee who discloses protected health information pursuant to an authorization described in subsection a. of this section that has been revoked shall not be subject to any liability or penalty under this act if the trustee had no actual or constructive notice of the revocation.
c. A health information trustee who discloses protected health information pursuant to an authorization under this section shall maintain a copy of the authorization.
11. a. A health information trustee may disclose protected health information pursuant to an authorization executed by the individual who is the subject of the information if all of the following conditions are met:
(1) The requirements of paragraphs (1) thru (6) of subsection a. of section 10 of this act are satisfied.
(2) The statement of intended disclosure shall be in writing, on a form that is separate from the authorization for disclosure, and shall be received by the individual authorizing the disclosure on or before the date the authorization is executed.
(3) The authorization is not requested on the same date that the trustee provides health care to the individual requested to provide the authorization.
(4) The authorization specifies a date or event upon which the authorization expires, which shall not exceed one year from the date of the execution of the authorization.
b. A health information trustee may not condition delivery of treatment or payment for services on the receipt of an authorization described in subsection a. of this section.
12. A health information trustee may disclose protected health information to a certified health information service for the purpose of creating nonidentifiable health information.
The commissioner shall adopt regulations establishing certification requirements for health information services under this act. The regulations shall include requirements that the health information service establish and maintain appropriate administrative, technical and physical safeguards to ensure the confidentiality, security, accuracy and integrity of protected health information.
The commissioner shall certify a health information service that meets the certification requirements established by the commissioner pursuant to this section.
13. a. A health care provider, or a person who receives protected health information pursuant to section 14 of this act, may disclose protected health information regarding an individual to the individual's next-of-kin, to a representative of the individual, or to an individual with whom that individual has a significant personal relationship, if:
(1) the individual who is the subject of the information has been notified of the individual's right to object, and has not objected, to the disclosure; is not competent to be notified about the right to object; or exigent circumstances exist such that it would not be practicable to notify the individual of the right to object; and
(2) the information disclosed relates to health care currently being provide to that individual.
b. (1) Except as provided in paragraph (2) of this subsection, a health information trustee may disclose the information described in subparagraph (b) of this paragraph to any person if:
(a) the individual who is the subject of the information:
has been notified of the individual's right to object, and has not objected, to the disclosure; is not competent to be notified about the right to object; or exigent circumstances exist such that it would not be practicable to notify the individual of the right to object; and
(b) the information consists only of one or more of the following items: the name of the individual who is the subject of the information; the general health status of the individual, described as critical, poor, fair, stable, or satisfactory or in terms denoting similar conditions; and
the location of the individual on premises controlled by a provider.
(2) If disclosure of the location of the individual reveals specific information about the physical or mental condition of the individual, the individual must expressly authorize the disclosure.
c. A health information trustee may disclose protected health information if necessary to assist in the identification of a decedent. The commissioner shall establish by regulation a procedure for obtaining protected health information relating to a decedent when there is no representative for that individual.
14. A person who receives protected health information pursuant to this act may disclose protected health information in emergency circumstances when necessary to protect the health or safety of an individual from serious imminent harm.
15. A health information trustee may disclose protected health information to a health oversight agency for an oversight function authorized by law. Protected health information about an individual that is disclosed under this section may not be used in, or disclosed to any person for use in, an administrative, civil, or criminal action or investigation directed against the individual unless the action or investigation arises out of and is directly related to the receipt of health care or payment for health care, or an action involving a fraudulent claim related to health.
16. A health care provider, health plan, health researcher, public health authority, employer, insurer, school or university, or certified health information network service, or person who receives protected health information pursuant to section 14 of this act, may disclose protected health information to a public health authority or other person authorized by law for use in a legally authorized disease or injury report, public health surveillance, or public health investigation or intervention.
17. a. A health information trustee may disclose protected health information to a health researcher if a certified institutional review board determines that the research project engaged in by the health researcher requires use of the protected health information for the effectiveness of the project, and is of sufficient importance to outweigh the intrusion into the privacy of the individual who is the subject of the information that would result from the disclosure.
b. A person who receives protected health information pursuant to subsection a. of this section shall:
(1) remove or destroy, at the earliest opportunity consistent with the purposes of the project, information that would enable an individual to be identified, unless a certified institutional review board has determined that there is a health or research justification to retain the identifiers, and there is an adequate plan to protect the identifiers from disclosure that is inconsistent with this section; and
(2) use protected health information solely for purposes of the health research project for which disclosure was authorized by a certified institutional review board pursuant to subsection a. of this section.
c. If a health researcher is not located in an academic center, a health care facility or public health agency, a determination required by a certified institutional review board pursuant to subsections a. or b. of this section shall be approved by the commissioner before the determination is issued.
d. The commissioner shall adopt regulations establishing certification requirements for institutional review boards under this section, and shall certify an institutional review board that meets those requirements. The regulations shall ensure that institutional review boards certified under this section have the qualifications to assess and protect the confidentiality of research subjects.
18. a. A health care provider, health plan, health oversight agency, employer, school, university, insurer, or person who receives protected health information pursuant to section 14 of this act, may disclose protected health information:
(1) pursuant to court rules or comparable rules of administrative
agencies, in connection with litigation or proceedings to which the individual who is the subject of the information is a party and in which the individual has placed his physical or mental condition at issue;
(2) to a court, and to others ordered by the court, if the protected health information is developed in response to a court-ordered physical or mental examination; or
(3) pursuant to a statute requiring the reporting of specific medical information to law enforcement authorities.
b. A person seeking protected health information pursuant to subsection a. of this section:
(1) shall notify the individual or the individual's attorney of the request for information;
(2) shall provide the health information trustee with a signed document attesting: that the individual has placed his physical or mental condition at issue in litigation or proceedings in which the individual is a party; and the date on which the individual or the individual's attorney was notified under paragraph (1) of this section; and
(3) shall not accept any requested protected health information from the trustee until the termination of the 10-day period beginning on the date notice was give pursuant to paragraph (1) of this subsection.
19. a. A health care provider, health plan, health oversight agency, employer, insurer, school or university, or person who receives protected health information pursuant to section 14 of this act, may disclose protected health information pursuant to this section if the disclosure is pursuant to a subpoena issued on behalf of a party who has complied with the provisions of subsection b. of this section.
b. A person may not obtain protected health information about an individual pursuant to a subpoena unless:
(1) a copy of the subpoena, together with a notice of the individual's right to challenge the subpoena in accordance with subsection c. of this section, has been served upon the individual on or before the date of return of the subpoena; and
(2) 15 days have passed since the date of service on the individual, and within that time period the individual has not indicated a challenge in accordance with subsection c. of this section, or disclosure has been ordered by a court pursuant to subsection c. of this section.
c. After service of a copy of the subpoena seeking protected health information pursuant to subsection b. of this section, the individual who is the subject of the protected health information may file in any court of competent jurisdiction a motion to quash the subpoena. The court shall grant a motion to quash unless the respondent demonstrates that there is reasonable ground to believe the information is relevant to a lawsuit or other judicial or administrative proceeding, and that the need of the respondent for the information outweighs the privacy interest of the individual. In the case of a motion to quash in which the individual has substantially prevailed, the court may assess against the respondent a reasonable attorney's fee and other litigation costs, including expert fees, reasonably incurred.
In determining whether the need of the respondent for the information outweighs the privacy interest of the individual, the court shall consider:
(1) the particular purpose for which the information was collected;
(2) the degree to which disclosure of the information would embarrass, injure, or invade the privacy of the individual;
(3) the effect of the disclosure on the individual's future health care;
(4) the importance of the information to the lawsuit or proceeding; and
(5) any other relevant factor.
20. a. (1) A health information trustee shall disclose protected health information if the disclosure is pursuant to a subpoena issued under the authority of a grand jury, or an administrative subpoena or summons or a judicial subpoena or warrant, which meets the conditions of paragraph (2) of this subsection.
(2) A government authority may not obtain protected health information about an individual pursuant to paragraph (1) of this subsection for use in a law enforcement inquiry unless there is probable cause to believe that the information is relevant to a legitimate law enforcement inquiry being conducted by the government authority.
(3) A government authority that obtains protected health information about an individual pursuant to a warrant shall, not later than 30 days after the date the warrant was executed, serve the individual with, or mail to the last known address of the individual, a notice that protected health information about the individual was obtained, together with a notice of the individual's right to challenge the warrant.
(4) Except as provided in paragraph (5) of this subsection, a government authority may not obtain protected health information about an individual pursuant to a subpoena or summons unless a copy of the subpoena or summons has been served on the individual, if the identity of the individual is known, on or before the date of the return of the subpoena or summons, together with notice of the individual's right to challenge the subpoena or summons. If the identity of the individual is not known at the time the subpoena or summons is served, the individual shall be served not later than 30 days thereafter with notice that protected health information about the individual was obtained together with notice of the individual's right to challenge the subpoena or summons.
(5) (a) A government authority may apply ex parte and under seal to an appropriate court to delay, for an initial period of not longer than 90 days, service of the notice regarding execution of the warrant as required pursuant to paragraph (3) of this subsection, or a copy of the subpoena as required pursuant to paragraph (4) of this subsection. The government authority may apply to the court for extensions of the delay.
(b) The court shall enter an ex parte order delaying or extending the delay of notice, an order prohibiting the disclosure of the request for, or the disclosure of, the protected health information, and an order requiring the disclosure of the protected health information if the court finds that:
(i) the inquiry being conducted is within the lawful jurisdiction of the government authority seeking the protected health information;
(ii) there is probable cause to believe that the protected health information being sought is relevant to a legitimate law enforcement inquiry;
(iii) the government authority's need for the information outweighs the privacy interest of the individual who is the subject of the information; and
(iv) there is reasonable ground to believe that receipt of notice by the individual will result in: endangering the life or physical safety of any individual, flight from prosecution, destruction of or tampering with evidence or the information being sought, the intimidation of potential witnesses, or disclosure of the existence or nature of a confidential law enforcement investigation or grand jury investigation that is likely to seriously jeopardize that investigation.
(6) Protected health information about an individual that is disclosed pursuant to this section may not be used in, or disclosed to any person for use in, an administrative, civil or criminal action or investigation directed against the individual unless the action or investigation arise out of, or is directly related to, the law enforcement inquiry for which the information was obtained.
b. Within 15 days after the date of service of a notice of execution of a warrant or a copy of a subpoena or summons, of a government authority seeking protected health information about an individual pursuant to subsection a. of this section, the individual may file a motion to quash the subpoena or summons. The court shall grant a motion to quash unless the government authority demonstrates there is probable cause to believe the protected health information is relevant to a legitimate law enforcement inquiry being conducted by the government authority and the government authority's need for the information outweighs the privacy interest of the individual. In the case of a motion to quash in which the individual has substantially prevailed, the court may assess against the government authority reasonable attorney's fees and other litigation costs, including expert fees reasonably incurred. A ruling denying a motion to quash under this section shall not be deemed to be a final order, and no interlocutory appeal may be taken therefrom by the individual.
c. A health information trustee may disclose protected health information to a law enforcement agency if the information is requested for use in an investigation or prosecution of a health information trustee, in the identification of a victim or witness in a law enforcement inquiry, or in connection with the investigation of criminal activity committed against the trustee or on premises controlled by the trustee.
21. A health information trustee whom the commissioner determines has substantially and materially failed to comply with the provisions of this act shall be subject, in addition to any other penalties that may be prescribed by law, to: a civil penalty of not more than $10,000 for each such violation, but not to exceed $50,000 in the aggregate for multiple violations; or a civil penalty of not more than $250,000, if the commissioner finds that these violations have occurred with such frequency as to constitute a general business practice.
The penalty shall be sued for and collected in the name of the Commissioner of Health in a summary proceeding in accordance with "the penalty enforcement law," N.J.S.2A:58-1 et seq.
22. a. An individual who is aggrieved by conduct in violation of the provisions of this act may bring a civil action to recover such preliminary and equitable relief as the court determines to be appropriate, the greater of actual damages or liquidated damages of $5,000, and punitive damages. In case of a civil action brought pursuant to this section in which the individual has substantially prevailed, the court may assess against the respondent a reasonable attorney's fee and other litigation costs, including expert fees, reasonably incurred.
No action may be commenced under this section more than three years after the date on which the violation was or should reasonably have been discovered.
23. A person who knowingly obtains protected health information relating to an individual, or discloses protected health information to another person, in violation of the provisions of this act, shall be guilty of a crime of the third degree, a crime of the second degree if the offense is committed under false pretenses, and a crime of the first degree if the offense is committed with intent to sell, transfer, or use protected health information for commercial advantage, personal gain, or malicious harm.
24. a. Nothing in this act shall be construed to preempt or modify State common or statutory law concerning a privilege of a witness or other person in a court proceeding.
b. Nothing in this act shall be construed to preempt, supersede or modify any statute or regulation relating to:
(1) the reporting of vital statistics such as birth or death information;
(2) the reporting of abuse or neglect information about any individual;
(3) public or mental health that prevents or otherwise restricts disclosure of protected health information otherwise allowed under this act;
(4) a minor's rights to access protected health information;
(5) notification to emergency response personnel of possible exposure to infectious diseases;
(6) the confidentiality of alcohol or drug abuse patient records; or
(7) any privilege for records used in health professional peer review activities.
25. A health information trustee who makes a disclosure of protected health information about an individual that is permitted by this act shall not be liable to the individual for that disclosure under common law.
26. The commissioner, pursuant to the "Administrative Procedure Act," P.L.1968, c.410 (C.52:14B-1 et seq.), shall adopt rules and regulations to effectuate the purposes of this act. The rules and regulations shall be adopted, as applicable, after consultation with the Attorney General, the Commissioners of Insurance, Human Services, Commerce and Economic Development, Labor and Education and the New Jersey Commission on Higher Education, and shall specify those determinations pursuant to this act which are to be made by the Attorney General, the Commissioners of Insurance, Human Services, Commerce and Economic Development, Labor and Education and the New Jersey Commission on Higher Education, respectively.
27. This act shall take effect one year after the date of enactment, except that the commissioner shall take such anticipatory administrative action in advance as shall be necessary to implement the provisions of this act.
STATEMENT
This bill, which is designated the "Medical Records Confidentiality Act," establishes confidentiality protections for medical records which parallel those contained in proposed federal legislation (Senate Bill No. 1360, currently pending in the United States Congress). The bill would: establish criminal and civil penalties for improperly releasing private medical records; allow the release of private medical information without the patient's permission under certain circumstances, such as for use by law enforcement authorities, medical researchers, and for administrative purposes within an insurance company, health care facility or HMO; and give every individual the right to inspect his own medical records and request corrections thereto.
This bill is intended to address a growing concern among the public about the security of medical records and other health care information, which is especially salient at a time of increasing focus by State policy makers on the potential of automated electronic data interchange technology to store and transmit this kind of information throughout the State health care system.
Designated the "Medical Records Confidentiality Act."