Report Title:

Protected Health Care Information; Privacy Amendments

 

Description:

Amends Act 87, to address the many concerns from the state, physicians, insurers, and the business community on medical privacy. These amendments are those that were suggested on behalf of the medical privacy task force.

 

THE SENATE

S.B. NO. 916

TWENTY-FIRST LEGISLATURE, 2001

 

STATE OF HAWAII

 


 

A BILL FOR AN ACT

 

Relating to protected health information.

 

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF HAWAII:

SECTION 1. Act 87, Section 2, Session Laws of Hawaii 1999, as amended by Acts 91, and 140, Session Laws of Hawaii 2000, is amended as follows:

"SECTION 2. The Hawaii Revised Statutes is amended by adding a new chapter to be appropriately designated and to read as follows:

"CHAPTER

PRIVACY OF HEALTH CARE INFORMATION

PART I. GENERAL PROVISIONS

§   -1 Purpose. The purpose of this article is to give effect to the Hawaii Constitution, article I, section 6, by taking affirmative steps to implement the people’s right to privacy with regard to protected health information. Individual authorization for disclosures of protected health information is required. Where necessary for purposes and activities for which there is a compelling state interest, protected health information may be disclosed without authorization, only with limitations designed to meet the compelling state interest, with significant safeguards for privacy, and when appropriate, with adequate notice.

§   -[1]1.5 Definitions. As used in this chapter, except as otherwise specifically provided:

"Accrediting body" means a committee, organization, or institution that has been authorized by law or is recognized by a health care regulating authority as an accrediting entity or any other entity that has been similarly authorized or recognized by law to perform specific accreditation, licensing, or credentialing activities.

"Agent" means a person not otherwise defined in this chapter who represents and acts for another under a contract or relationship of agency, or whose function is to bring about, modify, affect, accept performance of, or terminate contractual obligations between the principal and a third person, including a contractor.

["Commissioner" means the insurance commissioner.]

"Caregiver" means a person who has exhibited special concern for the individual and who is involved in the support, facilitation, or provision of the individual's health care.

"Continuum of care" means a system of services between all persons engaged in health care or other services that support the health care of patients in any setting.

"Delivery and financing of health care" includes but is not limited to the following activities:

(1) Treatment;

(2) The provision of drugs or supplies pursuant to a prescription or order, when disclosure is needed to obtain, convey, or provide information about the drugs or supplies;

(3) Payment that includes the activities undertaken by or on behalf of a covered entity or an agent to obtain premiums, to obtain reimbursement for the provision of health care or to determine or fulfill its responsibility for coverage under the health plan or insurance policy and for the provision of benefits under the health plan or insurance policy. Activities that constitute payment include determinations of coverage, improving methods of paying or coverage policies, adjudication or subrogation of claims derived from health status, billing, claims management, and medical data processing; review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; and utilization review activities, including precertification and preauthorization of services;

(4) Case management;

(5) Disease management;

(6) Conducting quality assurance activities or outcomes assessments;

(7) Reviewing the competence or qualifications of health care professionals, including peer review and evaluating provider clinical performance;

(8) Performing accreditation, licensing, or credentialing activities;

(9) Analyzing health plan claims or health care records data;

(10) Carrying out utilization management;

(11) Conducting or arranging for reporting or auditing services in accordance with statute, rule, or accreditation requirements;

(12) Conducting or participating in educational activities or training programs involving health care providers, students, and trainees learning under supervision;

(13) Risk management, including but not limited to, compiling and analyzing information in anticipation of, or for use in, civil, administrative or criminal proceedings;

(14) Complaints, grievance, and appeal procedures related to provision of health care as well as administration of other consumer disputes and inquiries;

(15) Policyholder service functions;

(16) Claims administration, adjustment, and management;

(17) Fraud investigation;

(18) Underwriting;

(19) Loss control, ratemaking, and guaranty fund functions;

(20) Reinsurance and excess loss insurance;

(21) Internal administration of compliance, managerial, and information systems and database security;

(22) The replacement of a group benefit plan or insurance policy or program; and

(23) Activities in connection with a sale, merger, transfer, or exchange of all or part of a business or operating unit so long as the protected health information is used for the same purposes for which it was obtained.

"Director" means the director of the office of information practices.

"Disclose" means to release, transfer, provide access to, share, or otherwise divulge protected health information to any person other than the subject individual who is the subject of the information. The term includes the initial disclosure and any subsequent redisclosures of protected health information.

"Educational institution" means an institution or place for instruction or education including any public or private elementary school, secondary school, vocational school, correspondence school, business school, junior college, teachers college, college, normal school, professional school, university, or scientific or technical institution, or other institution furnishing education for children and adults.

"Employer" means any individual or type of organization, including any partnership, association, trust, estate, joint stock company, insurance company, or corporation, whether domestic or foreign, a debtor in possession or receiver or trustee in bankruptcy, or a legal representative of a deceased person, who has one or more individuals in his or her employment.

"Employment" means services performed for wages under any contract of hire, written or oral, expressed or implied, with an employer.

"Employment related benefits, entitlements, or services" means benefits, accommodations, or entitlements, that may be provided either voluntarily, by contract or by law to an employee or volunteer, including but not limited to, leave of absence and return to work programs, case management services, wages, wage replacement benefits, unemployment insurance benefits, disability, pension, retirement, health or other insurance benefits, health and safety programs.

"Entity" means a health care provider, health care data organization, health plan, health oversight agency, public health authority, employer, insurer, health researcher, labor organization, law enforcement [official,] agency, or educational institution, except as otherwise defined for purposes of a particular section only.

"Health care" means[:] the provision of care, services, or supplies to an individual and includes any:

(1) Preventive, diagnostic, therapeutic, rehabilitative, [palliative or maintenance services:] maintenance, or palliative, care, counseling, service, or procedure with respect to:

(A) [With respect to the physical] The physical, functional status, behavioral or mental condition of an individual; or

(B) Affecting the structure or function of the human body or any part of the human body, including the procurement or banking of blood, sperm, organs, or any other tissue; or

(2) Any sale or dispensing of a drug, device, equipment, or other health care-related item to an individual, or for the use of an individual pursuant to a prescription or order by a health care provider.

"Health care data organization" means an entity that engages primarily in the business of collecting, analyzing, and disseminating identifiable and nonidentifiable patient information. A health care data organization is not a health care provider, an insurer, a health researcher, or a health oversight agency.

"Health care provider" means a person who, with respect to any protected health information, receives, creates, uses, maintains, or discloses the protected health information while acting in whole or in part in the capacity of:

(1) A person who is licensed, certified, registered, or otherwise authorized by federal or state law to provide an item or service that constitutes health care in the ordinary course of business, or practice of a profession;

(2) A federal, state, or employer-sponsored program that directly provides items or services that constitute health care to beneficiaries; or

(3) An officer, employee, or agent of a person described in paragraph (1) or (2).

"Health oversight agency" means a person who, with respect to any protected health information, receives, creates, uses, maintains, or discloses the information while acting in whole or in part in the capacity of:

(1) A person who performs or oversees the performance of an assessment, evaluation, determination, or investigation, relating to the licensing, accreditation, or credentialing of health care providers; or

(2) A person who:

(A) Performs or oversees the performance of an audit, assessment, evaluation, determination, or investigation relating to the effectiveness of, compliance with, or applicability of, legal, fiscal, medical, or scientific standards or aspects of performance related to the delivery of, or payment for, health care; and

(B) Is a public agency, acting on behalf of a public agency, acting pursuant to a requirement of a public agency, or, for violations of paragraph (1), carrying out activities under a federal or state law governing the assessment, evaluation, determination, investigation, or prosecution [for violations of paragraph (1)].

"Health plan" means any person that offers any health insurance plan, including any hospital or medical service plan, dental or other health service plan or health maintenance organization plan, provider-sponsored organization, or other program providing [or arranging for the provision of health] for health care benefits, whether or not funded through the purchase of insurance.

"Health researcher" means a person, or an officer, employee or independent contractor of a person, who receives protected health information as part of a systematic investigation, testing, or evaluation designed to develop or contribute to generalized scientific and clinical knowledge.

"Individual's designated representative" means a person who is authorized by law (based on grounds other than the minority of an individual), or by an instrument recognized under law, to act as an agent, attorney, guardian, proxy, or other legal representative of a protected individual. The term includes a health care power of attorney.

"Institutional review board" means a research committee established and operating in accord with Title 45 Code of Federal Regulations 46 [sections] part 107, 108, 109, and 115.

"Insurer" means any person, [regulated under chapter 432D, article 1 of chapter 432, any group that has purchased a group insurance policy issued by a person regulated under chapter 432D, and any person regulated under article 10A of chapter 431, other than a life insurer, disability income insurer, or long-term care insurer.] including persons who are self-insured, regulated under the insurance laws of any state of the United States and its territories and the laws of the United States.

"Labor organization" means any organization in which employees are organized for the purpose of collective bargaining and which is the exclusive representative of all employees in one or more bargaining units and which has adopted formal collective bargaining procedures for dispute resolution.

"Law enforcement inquiry" means a lawful investigation conducted by an appropriate government agency or official inquiring into a violation of, or failure to comply with, any civil or administrative statute or any regulation, rule, or order issued pursuant to such a statute. It does not include a lawful criminal investigation or prosecution conducted by the county prosecutors or the department of the attorney general.

"Nonidentifiable health information" means any information that meets all of the following criteria: would otherwise be protected health information except that the information in and of itself does not reveal the identity of the [individual whose health or health care is the subject of the information] subject individual and will not be used in any way that would identify the subjects of the information or would create protected health information.

"Office of information practices" shall be as defined by chapter 92F.

"Person" means a government, governmental subdivision, agency or authority, corporation, company, association, firm, partnership, insurer, estate, trust, joint venture, individual, individual representative, and any other legal entity.

"Protected health information" means any information, identifiable to an individual, [including demographic information] whether or not recorded in any form or medium that relates [directly or indirectly] to the past, present, or future:

(1) Physical, behavioral, or mental health or condition of a person, including tissue and genetic information;

(2) Provision of health care or treatment to an individual; or

(3) Payment for the provision of health care or treatment to an individual[.] when it includes the information in paragraph (1) or (2).

"Public health authority" means [the department of health.] an agency of a sovereign nation, the United States, a federally recognized tribal government, a state, or a political subdivision of a state that:

(1) Has primary responsibility for public health matters; or

(2) Is primarily engaged in activities such as injury reporting, public health surveillance, and public health investigation or intervention.

["Qualified health care operations" means:

(1) Only those activities conducted by or on behalf of a health plan or health care provider for the purpose of carrying out the management functions of a health care provider or health plan, or implementing the terms of a contract for health plan benefits as follows:

(A) Payment, which means the activities undertaken by a health plan or provider which are reasonably necessary to determine responsibility for coverage, services, and the actual payment for services, if any;

(B) Conducting quality assurance activities or outcomes assessments;

(C) Reviewing the competence or qualifications of health care professionals;

(D) Performing accreditation, licensing, or credentialing activities;

(E) Analyzing health plan claims or health care records data;

(F) Evaluating provider clinical performance;

(G) Carrying out utilization management; or

(H) Conducting or arranging for auditing services in accordance with statute, rule, or accreditation requirements;

(2) A qualified health care operation shall:

(A) Be an operation which cannot be carried on with reasonable effectiveness and efficiency without identifiable patient information;

(B) Be limited to only that protected health information collected under the terms of the contract for health plan benefits and without which the operation cannot be carried on with reasonable effectiveness and efficiency;

(C) Be limited to the minimum amount of protected health information, including the minimum number of records and the minimum number of documents within each patient's record, necessary to carry on the operation with reasonable effectiveness and efficiency; and

(D) Limit the handling and examination of protected health information to those persons who are reasonably well qualified, by training, credentials, or experience, to conduct the phase of the operation in which they are involved.]

"Subject individual" means the individual to whom the protected health information refers.

"Surrogate" means a person, other than an individual's designated representative or relative, who is authorized to make a health-care decision for the individual.

"Treatment" means the provision of health care by, or the coordination of health care among health care providers, or the referral of a patient from one provider to another, or coordination of health care or other services among health care providers and or third parties [authorized by the health plan or the plan member.], including services for the continuum of care.

["Unique patient identifier" means a number or alpha-numeric string assigned to an individual, which can be or is used to identify an individual's protected health information.]

"Writing" means a written form that is either paper- or computer-based, and includes electronic signatures.

PART II. INDIVIDUAL'S RIGHTS

§   -11 Inspection and copying of protected health information. (a) For the purposes of this section only, "entity" means a health care provider, health plan, employer, health care data organization, insurer, or educational institution.

(b) At the request in writing of [an] a subject individual and except as provided in subsection (c), an entity shall permit [an] a subject individual [who is the subject of protected health information] or the subject individual's designee, to inspect and copy protected health information concerning the individual, including records created under section    -12, [that the entity maintains.] and protected health information received from other sources, that are maintained by the entity. The entity shall adopt appropriate procedures to be followed for the inspection or copying and may require an individual to pay reasonable costs associated with the inspection or copying. Nothing in this subsection prevents the entity from allowing inspection and copying rights when requested orally.

(c) Unless ordered by a court of competent jurisdiction, an entity is not required to permit the inspection or copying of protected health information if any of the following conditions are met:

(1) The entity determines that the disclosure of the information could reasonably be expected to endanger the life or physical safety of, or cause substantial mental harm to, the subject individual [who is the subject of the record];

(2) The information identifies, or could reasonably lead to the identification of, a person who provided information under a promise of confidentiality concerning the subject individual [who is the subject of the information] unless the confidential source can be protected by redaction or other similar means;

(3) The information is protected from discovery [as provided in section 624-25.5;] or disclosure under state or federal law; or

(4) The information was collected for [or during] a clinical trial monitored by an institutional review board, and the trial is not complete [, and the researcher reasonably believes that access would harm the conduct of the trial].

(d) If an entity denies a request for inspection or copying pursuant to subsection (c), the entity shall inform the individual in writing of:

(1) The reasons for the denial of the request for inspection or copying;

(2) Any procedures for further review of the denial; and

(3) The individual's right to file with the entity a concise statement setting forth the request for inspection or copying.

(e) If an individual has filed a statement under subsection (d)(3), the entity in any subsequent disclosure of the portion of the information requested under subsection (b) shall include:

(1) A copy of the individual's statement; and

(2) A concise statement of the reasons for denying the request for inspection or copying.

(f) An entity shall permit the inspection and copying under subsection (b) of any reasonably segregable portion of a record after deletion of any portion that is exempt under subsection (c).

(g) An entity shall comply with or deny, in accordance with subsection (d), a request for inspection or copying of protected health information under this section not later than thirty days after the date on which the entity or agent receives the request.

(h) An agent of an entity shall not be required to provide for the inspection and copying of protected health information, except where:

(1) The protected health information is retained by the agent; and

(2) The agent has received in writing a request from the entity involved to fulfill the requirements of this section, at which time this information shall be provided to the individual. The agent shall comply with subsection (g) with respect to any such information.

(i) The entity shall afford at least one level of appeal by parties not involved in the original decision.

(j) This section shall not be construed to require that an entity described in subsection (a) conduct a formal, informal, or other hearing or proceeding concerning a request for inspection or copying of protected health information.

(k) If an entity denies [an] a subject individual's request for copying pursuant to subsection (c), or if an individual so requests, the entity shall permit the inspection or copying of the requested protected health information by the subject individual's designated representative, upon presentation of a proper authorization signed by the individual, unless it is patently clear that doing so would defeat the purpose for which the entity originally denied the subject individual's request for inspection and copying.

§   -12 Additions to protected health information. A health care provider is the owner of the medical records in the health care provider's possession that were created by the health care provider in treating a patient. [An] A subject individual or the subject individual's authorized representative may request in writing that a health care provider that generated certain health care information append additional information to the record in order to improve the accuracy or completeness of the information; provided that appending this information does not erase or obliterate any of the original information. A health care provider shall do one of the following:

(1) Append the information as requested; or

(2) Notify the subject individual that the request has been denied, the reason for the denial, and that the subject individual may file a statement of reasonable length explaining the correctness or relevance of existing information or as to the addition of new information. The statement or copies shall be appended to the medical record and at all times accompany that part of the information in contention.

§   -13 Notice of [confidentiality] information practices; forms of notices. [(a) For the purposes of this section only, "entity" means health care provider, health care data organization, health plan, health oversight agency, public health authority, employer, insurer, health researcher, or educational institution.

(b)] (a) An [entity] employer and health care provider shall prominently post or provide the [current] notice [of the entity's confidentiality practices] described in subsection (b) or the model notice approved by the director under section    -54. The notice shall be printed in clear type and composed in plain language. This notice shall be given pursuant to the requirements of section    -22. [For the purpose of informing each individual of the importance of the notice and educating the individual about the individual's rights under this chapter, the notice shall contain the following language, placed prominently at the beginning:

IMPORTANT: THIS NOTICE DEALS WITH THE SHARING OF INFORMATION FROM YOUR MEDICAL RECORDS. PLEASE READ IT CAREFULLY. This notice describes your confidentiality rights as they relate to information from your medical records and explains the circumstances under which information from your medical records may be shared with others. This information in this notice also applies to others covered under your health plan, such as your spouse or children. If you do not understand the terms of this notice, please ask for further explanation.

In addition, as shall be appropriate to the size and nature of the entity, the notice shall include information about:]

(b) The notice shall at a minimum consist of the following elements:

(1) A description of an individual's rights with respect to protected health information which shall contain at a minimum, the following:

(A) An individual's right to inspect and copy their record; and

(B) An individual's right to request that a health care provider append information to their medical record; [and

(C) An individual's right to receive this notice by each health plan upon enrollment, annually, and when confidentiality practices are substantially amended].

(2) The uses and disclosures of protected health information that are authorized under this chapter including [including information about:] a description of the uses and disclosures:

[(A) Payment;

(B) Conducting quality assurance activities or outcomes assessments;

(C) Reviewing the competence or qualifications of health care professionals;

(D) Performing accreditation, licensing, or credentialing activities;

(E) Analyzing health plan claims or health care records data;

(F) Evaluating provider clinical performance;

(G) Carrying out utilization management; or

(H) Conducting or arranged for auditing services in accordance with statute, rule or accreditation requirements;]

(A) Related to health care delivery and financing activities;

(B) Related to activities to determine, administer, or pay employment benefits or entitlements for which a claim has been filed;

(C) Related to activities that promote workplace or educational health and safety and that are required by federal or state law or rule or as terms of employment may require;

(D) That are required by law or rule.

[(3) The right of the individual to limit disclosure of protected health information by deciding not to utilize any health insurance or other third party payment as payment for the service, as set forth in section -21(c);

(4)] (3) The procedures for [giving consent to] authorizing the use and disclosures of protected health information and for revoking the [consent to] authorization to use and disclose;

[(5)] (4) The description of procedures established by the entity for the exercise of the individual's rights required under this chapter; [and]

(5) A statement advising the individual of the individual's right to complain to the entity and to the office of information practices if the individual believes that the individual's privacy rights have been violated;

(6) A statement of the entity’s duties and obligations regarding the privacy of the protected health information obtained, used, or disclosed by the entity; and

[(6)] (7) [The] An individual’s right to obtain a copy of the notice of confidentiality practices required under this chapter.

[(c)] (b) An entity shall establish procedures for the exercise of individual rights under this part. The actual procedures established by the entities for the exercise of individual rights under this part shall be available in writing upon request.

§   -14 Establishment of safeguards. (a) An entity shall establish and maintain administrative, technical, and physical safeguards that are appropriate to the size and nature of the entity establishing the safeguards, and that are appropriate to protect the confidentiality, security, accuracy, and integrity of protected health information created, received, obtained, maintained, used, transmitted, or disposed of by the entity.

(b) The office of information practices shall adopt rules pursuant to chapter 91 to implement subsection (a).

PART III. [RESTRICTIONS ON] RULES ON USE AND DISCLOSURE

§   -21 General rules regarding use and disclosure. (a) An entity shall not obtain, use, or disclose protected health information except as [authorized] permitted under this [part and under part IV.] chapter. [Disclosure] Use or disclosure of health information in the form of nonidentifiable health information shall not be construed as a use or disclosure of protected health information[.], except as set forth in subsection (h).

(b) [For the purpose of treatment or qualified health care operations, an entity may only use or disclose protected health information if the use or disclosure is properly noticed pursuant to sections -13 and § -22. For all other uses and disclosures, an entity may only use or disclose protected health information, if the use or disclosure is properly consented to pursuant to section -23.] Disclosure to agents of an entity shall be considered as a disclosure within an entity.

[(c) If an individual does not want protected health information released pursuant to [subsection] (b), the individual shall advise the provider prior to the delivery of services that the relevant protected health information shall not be disclosed pursuant to subsection (b), and the individual shall pay the health care provider directly for health care services. A health plan may decline to cover particular health care services if an individual has refused to allow the release of protected health care information pertaining to those particular health care services. Protected health information related to health care services paid for directly by the individual shall not be disclosed without consent.

(d)] (c) An agent who receives protected health information from or on behalf of an entity shall be subject to all rules of disclosure and safeguard requirements under this part.

[(e) Every use and disclosure of protected health information shall be limited to the purpose for which it was collected. Any other use without a valid consent to disclose shall be an unauthorized disclosure.] (d) Protected health information may be used, within an entity, by those employees whose job functions require the use of such information.

(e) Entities who receive protected health information from other sources as provided in this chapter, may use and disclose this information as provided in this chapter.

(f) Nothing in this part permitting the disclosure of protected health information shall be construed to require disclosure.

(g) An entity may disclose protected health information to an employee or agent of the entity not otherwise authorized to receive such information for purposes of creating nonidentifiable information, if the entity prohibits the employee or agent of the entity from using or disclosing the protected health information for purposes other than the sole purpose of creating nonidentifiable information, as specified by the entity.

(h) Any individual or entity who manipulates or uses nonidentifiable health information to identify an individual, shall be deemed to have disclosed protected health information. [The disclosure or transmission of a unique patient identifier shall be deemed to be a disclosure of protected health information.]

§   -22 Giving notice [regarding disclosure of protected health information for treatment or qualified health care operations]. (a) The notice required by section    -13 shall be:

(1) [Given by each health plan upon enrollment, annually, and when confidentiality practices are substantially amended, to each individual who is eligible to receive care under the health plan, or to the individual's parent or guardian if the individual is a minor or incompetent;] Published by the director two times a year; and

(2) Posted by health care providers and employers in a conspicuous place or provided by [an entity other than a health plan.] health care providers and employers.

[(b) For each new enrollment or re-enrollment by an individual in a health plan, on or after July 1, 2000, a health plan shall make reasonable efforts to obtain the individual's signature on the notice of confidentiality practices. The notice to be signed shall state that the individual is signing on behalf of the individual and all others covered by the individual's health plan. If the plan is unable to obtain the aforementioned signature, the plan shall note the reason for the failure to obtain said signature. The lack of a signed notice of confidentiality practices shall not justify a denial of coverage of a claim, nor shall it limit a health plan's access to information necessary for treatment and qualified health care operations; provided that the individual may elect to keep the records from being disclosed by paying for the subject health care services, as provided under section -21(c).]

[(c)] (b) Except as provided in this chapter, the notice required by this section and section    -13 shall not be construed as a waiver of any rights that the individual has under other federal or state laws, rules of evidence, or common law.

[(d) For the purposes of this subsection, "reasonable efforts" may include but are not limited to requiring the employer to present the notice to the individual and to request a signature, or mailing the notice to the individual with instructions to sign and return the notice within a specified period of time.]

§   -23 Authorization to obtain, use and disclose protected health information [other than for treatment, payment, or qualified health care operations]. (a) [An entity] Any person may obtain, use and disclose protected health information [for purposes other than those noticed under section -22,] pursuant to a separate written authorization [to disclose] executed by the subject individual or the subject individual's designated representative [who is the subject of the information]. The authorization must meet the requirements of subsection (b).

(b) To be valid, an authorization shall be separate from any other notice or authorization required by this part, shall be either in writing, dated, and signed by the subject individual[,] or the individual's designated representative, or in electronic form, dated, and authenticated by the individual using a unique identifier, shall not have been revoked, and shall do the following:

(1) Identify the [person] persons or [entity] entities authorized to disclose protected health information;

(2) Identify the subject individual [who is the subject of the protected health information];

(3) Describe the nature of [and the time span of the] protected health information to be disclosed[;] and used;

(4) Identify the [person] persons, or entities or types of entities to whom the information is to be disclosed[;] and used by;

(5) Describe the [purpose] general purposes of the uses and disclosure;

(6) State that it is subject to revocation by the subject individual [and indicate that the consent to disclose is valid until revocation by the individual]; except to the extent that a person has acted in reliance on it;

(7) [Include the date at which the authorization consent to disclose ends.] State the date, event, or condition upon which the authorization will expire if not revoked before. This date, event, or condition must ensure that the authorization will last no longer than reasonably necessary to serve the purpose for which it is given.

(c) [An] The subject individual or individual's designated representative may revoke in writing an authorization under this section at any time. [An authorization obtained by a health plan under this section is deemed to be revoked at the time of the cancellation or nonrenewal of enrollment in the health plan. An entity] A person that discloses protected health information pursuant to an authorization that has been revoked under this subsection shall not be subject to any liability or penalty under this part for the disclosure if that [entity] person acted in good faith [and had no actual or constructive notice of the revocation.] without reason to believe it had been revoked.

[(d) Sections -31 to -39 provide for exceptions to the requirement for the authorization.]

[(e)] (d) A recipient of protected health information pursuant to an authorization under this section may use the information solely to carry out the purpose for which the information was authorized for [release.] disclosure.

[(f)] (e) Each entity [collecting or storing] disclosing protected health information shall maintain [for seven years,] as part of an individual's protected health information, a record of each authorization by the individual and any revocation of authorization by the individual for as long as that entity maintains the protected health information.

(f) Any provision in an authorization required by this section which expressly waives or releases any rights of the subject individual against any person or entity shall be void.

(g) The use of coercion, duress, or threat to withhold benefits by the person or entity for whose protection the authorization is sought shall render the authorization void; provided that informing the individual of the consequences permitted by law of a refusal to execute the authorization shall not constitute coercion, duress, or a threat to withhold benefits.

PART IV. NO AUTHORIZATION REQUIRED [EXCEPTED USES AND DISCLOSURES]

§   -A Individual disclosures. (a) No authorizations are required for uses and disclosures of protected health information by the individual or for those uses and disclosures permitted under sections    -B to    -40.

(b) Any individual who voluntarily discloses the individual's own protected health information, or the protected health information of an individual which the individual is authorized to disclose under section    -32 or    -42, shall be deemed to have authorized the use and further disclosure of such information for any express purpose or purposes for which the information was given and for any implied purpose or purposes and to any person or persons which a reasonably prudent person, viewing the facts and circumstances would deem to be within the expectations of the individual.

§   -B Activities that are required by law, rules, or court order. Any holder of an individual’s protected health information, when required to disclose by state or federal law, rules, or court order, may disclose the protected health information without an authorization.

§   -C For delivery and financing of health care: When an individual has sought or been provided health care, no authorization is necessary for uses and disclosures which are necessary to provide timely, quality, and affordable health care, including, but not limited to, those activities defined as delivery and financing of health care, when the holder of protected health information has met the requirements of sections    -G,    -H, and all other obligations under this chapter.

§   -D Claims or requests for employment related benefits, entitlements or services. When an individual has made a claim or request, or when a report of injury for which benefits may be sought has been filed, for employment related benefits, entitlements, or services and protected health information is necessary to determine, support, and administer those employment related benefits, entitlements, or services, no authorization is required for such uses and disclosures of protected health information when the holder of protected health information has met the requirements of sections    -G,    -H, and all other obligations under this chapter.

§   -E Workplace or educational health and safety. When activities require the use or disclosure of protected health information to ensure a healthy and safe workplace or educational environment, no authorization is required for such uses and disclosures when the holder of protected health information has met the requirements of sections    -G,    -H, and all other obligations under this chapter. These activities may include, but are not limited to, data compiling, maintenance and reporting, investigating, consulting, and taking actions that promote workplace and educational health and safety, including but not limited to, federal and state requirements.

§   -F Collective bargaining; application. When activities, which promote the resolution of disputes between employers and employees under collective bargaining agreements only, require the use and disclosure of protected health information no authorization to use or disclose protected health information is required, when the holder of protected health information has met the requirements of sections    -G,    -H, and all other obligations under this chapter for the following activities:

(1) For the duty of fair representation by the exclusive representative of the employee or class of employees;

(2) Enforcement of the terms of a written collective bargaining agreement reached between the employer and the labor organization and executed by both parties;

(3) Resolution of a grievance or an arbitration issue under a collective bargaining agreement which issue includes protected health information of the individual employee, other employees within the class of employees who are parties to the grievance, or other employees whose protected health information is relevant to a disparate treatment case;

(4) Adjudicating or determining an employee’s internal administrative or judicial appeal arising out of the labor organization’s handling of the case;

(5) Communicating about grievance administration, with designated representative, third-party labor arbitrators or mediators mutually agreed to by the labor organization and employers, government agencies and boards and commissions and courts which adjudicate labor disputes; and

(6) Communicating with the officially designated representatives of the national or international labor organizations that are formally affiliated with the labor organization for purposes of appeal only.

§   -G Limitations or restrictions on uses and disclosures. (a) For those functions, activities, or operations in sections    -B to    -F protected health information may not be disclosed, obtained, or used without an authorization unless the following limitations or requirements are met:

(1) Notice has properly been given;

(2) The protected health information may be disclosed, obtained, or used for purposes noticed and related activities, or as authorized by law, rule, or by lawful agreement;

(3) The protected health information to be disclosed is limited to no more than the amount, including the number of records and the number of documents, reasonably necessary to carry on the task, operation, or program with reasonable effectiveness and economic feasibility;

(4) The handling and examination of protected health information is limited to those persons whose job requires them to use or disclose protected health information, and who are reasonably well qualified, by training, credentials, or experience, to conduct the phase of the task, operation, or function in which they are involved; and

(5) The safeguards required by section    -14 to protect the confidentiality, security, accuracy, and integrity of protected health information are established and maintained by the person or entity obtaining, using, or disclosing the information.

§   -H Statements of authority and compliance. The holder may release protected health information under sections    -B to    -F only upon an affirmative statement by the requester that it has authority under one or more requirements of sections    -B to    -G to obtain protected health information and that the requester has complied with the requirements imposed on it by this chapter. If the holder relies in good faith upon the requester’s statement of authority and compliance, the disclosure of protected health information shall be deemed to be in compliance with this law. This section shall not require written documentation of the authority.

§   -31 Coroner or medical examiner. When a coroner or medical examiner or one of their duly appointed deputies seek protected health information for the purpose of inquiry into and determination of the cause, manner, and circumstances of a death, any person shall provide the requested protected health information to the coroner or medical examiner or to the duly appointed deputies without undue delay. If a coroner or medical examiner or their duly appointed deputies receives protected health information, this protected health information shall remain protected health information unless it is attached to or otherwise made a part of a coroner's or medical examiner's official report. Health information attached to or otherwise made a part of a coroner's or medical examiner's official report shall be exempt from this chapter.

§   -32 Individual's designated representative, relative, [or] surrogate, [and directory information.] or caregiver. [(a)] A health care provider, [or a person who receives protected health information under subsection (b),] may disclose protected health information regarding an individual to an individual's designated representative, relative, [or] surrogate, or caregiver if:

(1) The subject individual [who is the subject of the information]:

(A) Has been notified of the individual's right to object to the disclosure and the individual has not objected to the disclosure; or

(B) Is in a physical or mental condition such that the individual is not capable of objecting, and there are no prior indications that the individual would object; and

(2) The information disclosed is for the purpose of [providing health care to that individual; or] the provision, support, or facilitation of health care to the individual;

(3) [The] A good faith disclosure under this section of [the] protected health information that is consistent with good medical or professional practice[.], is not a violation of this chapter.

[(b) Except as provided in subsection (d), a health care provider may disclose the information described in subsection (c) to any other person if the individual who is the subject of the information:

(1) Has been notified of the individual's right to object and the individual has not objected to the disclosure; or

(2) Is in a physical or mental condition such that the individual is not capable of objecting; and

(A) The individual's designated representative, relative, or surrogate has not objected; and

(B) There are no prior indications that the individual would object.

(c) Information that may be disclosed in subsection (b) is only that information that consists of any of the following items:

(1) The name of the individual who is the subject of the information;

(2) The general health status of the individual, described as critical, poor, fair, stable, or satisfactory or in terms denoting similar conditions; or

(3) The location of the individual on premises controlled by a provider. This disclosure shall not be made if the information would reveal specific information about the physical or mental condition of the individual, unless the individual expressly authorizes the disclosure.

(d) A disclosure shall not be made under this section if the health care provider involved has reason to believe that the disclosure of this information could lead to physical or mental harm to the individual, unless the individual expressly authorizes the disclosure.]

§   -I Directory information. (a) A health care provider may disclose the information described in subsection (b) to any other person if the subject individual:

(1) Has not objected to the disclosure; or

(2) Is in a physical or mental condition such that the subject individual is not capable of objecting; and

(A) The individual's designated representative, relative, surrogate, or caregiver has not objected; and

(B) There are no prior indications that the subject individual would object.

(b) Information that may be disclosed in subsection (a) is only that information that consists of any of the following items:

(1) The name of the subject individual;

(2) The general health status of the individual, described as critical, poor, fair, stable, or satisfactory or in terms denoting similar conditions; or

(3) The location of the individual on premises controlled by a provider.

This disclosure shall not be made if the information would reveal specific information about the physical or mental condition of the individual, unless the individual expressly authorizes the disclosure.

§   -33 Identification of deceased individuals. A health care provider may disclose protected health information if the disclosure is necessary to assist in the identification or safe handling of a deceased individual.

§   -34 Emergency circumstances. (a) Any person who creates or receives protected health information under this chapter may use or disclose protected health information in [emergency] circumstances when the use or disclosure is necessary to protect the health or safety of an [the] individual [who is the subject of the information] from serious, imminent harm. A disclosure made in the good faith belief that the use or disclosure was necessary to protect the health or safety of an individual from serious, imminent harm shall not be a violation of this chapter.

(b) A provider may disclose a person's name, city of residence, age, sex, and general condition to a state or federally recognized disaster relief organization or public health authority for the purpose of coordination and provision of disaster welfare information to the public; provided that the person or the person's guardian, designated representative, relative, or surrogate has not objected.

(c) A state or federally recognized disaster relief organization or public health authority may disclose the name, city of residence, age, sex, general condition, and treating facility of any person who has been injured in a mass casualty event; provided that the patient or the patient's guardian, designated representative, relative, or surrogate has not objected.

§   -35 Disclosures for health oversight. (a) Any person may disclose protected health information to a health oversight agency for purposes of an oversight function authorized by law.

(b) For purposes of this section, the individual with authority to authorize the health oversight function involved shall provide to the person described in subsection (a) a statement that the protected health information is being sought for a legally authorized oversight function.

(c) Protected health information about an individual that was obtained under this section may not be used in, or disclosed to any person for use in, an administrative, civil, or criminal action or investigation directed against the individual unless the action or investigation arises out of and is directly related to:

(1) The receipt of health care or payment for health care;

(2) An action involving a fraudulent claim related to health; or

(3) An action involving oversight of a public health authority or a health researcher.

(d) Protected health information disclosed for purposes of this section remains protected health information and shall not be further disclosed by the receiving health oversight agency, except as permitted under this section.

§   -36 Public health. (a) Any person or entity may disclose protected health information to a public health authority or other person authorized by law, for use in a legally authorized:

(1) Disease or injury report;

(2) Public health surveillance;

(3) Public health investigation or intervention; or

(4) Health or disease registry.

(b) The disclosure of protected health information, pursuant [to] this section, to a public health authority or other person authorized by law shall not be a violation of this part.

(c) Protected health information disclosed for purposes of this section remains protected health information and shall not be further disclosed by the receiving authority or person, except as permitted under this section.

(d) The department of health may disclose protected health information when the director of health determines that disclosure is necessary to protect the health or safety of the public, and that the public interest in disclosure outweighs the privacy interests of the individual.

§   -37 Health research. (a) A [health care provider, health plan, public health authority, employer, insurer, or educational institution] holder of protected health information may disclose protected health information to a health researcher if the following requirements are met:

(1) The research shall have been approved by [an] any institutional review board[.] accepted by the holder of the protected health information. In evaluating a research proposal, an institutional review board shall require that the proposal demonstrate a clear purpose, scientific integrity, and a realistic plan for maintaining the confidentiality of protected health information; Research not otherwise subjected by federal regulation to institutional review board review shall be subject only to the review requirements of this paragraph;

(2) [The health care provider, health plan, public health authority, employer, insurer, or educational institution] The holder of protected health information shall only disclose protected health information which it has previously created or collected; [and]

(3) The holder of protected health information shall keep a record of all health researchers to whom protected health information has been made available[.]; and

(4) Research which has been approved by an institutional review board prior to the effective date of this law is exempt from subsection (a)(1).

(b) A health researcher who receives protected health information shall remove and destroy, at the earliest opportunity consistent with the purposes of the project involved, any information that would enable an individual to be identified.

(c) A health researcher who receives protected health information shall not disclose or use the protected health information [or unique patient identifiers] for any purposes not reviewed by an institutional review board under this part or for any purposes other than the health research project for which the information was obtained, except that the health researcher may disclose the information pursuant to section    -35(a).

§   -J Organ procurement organization. (a) An entity may disclose protected health information to an organ procurement organization, as defined in chapter 327, to carry out all legally permitted functions related to anatomical gifts, as those functions are defined in chapter 327.

(b) An organ procurement organization that receives protected health information may use and disclose such protected health information to carry out all legally permitted functions related to anatomical gifts, as defined in chapter 327.

(c) Protected health information disclosed for purposes of this section remains protected health information and shall not be further disclosed by the receiving organ procurement organization, except as permitted under this chapter.

§   -K Educational institutions. (a) A health care provider may disclose to an educational institution protected health information as is necessary to fulfill the requirements of sections 302A-1154 to 302A-1163, 325-33, and 325-34, and chapter 11-157, Hawaii administrative rules.

(b) Protected health information obtained from an individual disclosure as set forth in section    -A or pursuant to a written authorization as defined in section    -23 may be used or disclosed by or between employees or agents of the educational institution, or between a health care provider and an educational institution for the purposes of:

(1) Ensuring student attendance and enrollment;

(2) Preparing and collaborating on an agenda for a student’s pursuit of knowledge;

(3) Ensuring the safety and welfare of the students and employees of the educational institution;

(4) Carrying out campus-security related activities.

(c) For purposes of section    -23, the language in subsection (b) shall be considered to be a specific use for purposes of the requirements of the authorization.

§   -38 Disclosure in [civil, judicial and administrative procedures.] dispute resolution procedures. (a) [Protected] Unless otherwise protected from disclosure by state or federal law, protected health information may be obtained, used, or disclosed pursuant to a [discovery request or] subpoena in a [civil action , only if the disclosure is made pursuant to a court order as provided for in subsection (b) or to a written authorization under section -23.] judicial proceeding brought in a state or federal court, a subpoena related to a state administrative proceeding, a medical claims conciliation panel proceeding as set forth in chapter 671, a court annexed arbitration proceeding as set forth in chapter 601, or an arbitration or other alternative dispute resolution proceeding authorized by law or contract. Disclosures under this section may be made pursuant to:

(1) Written authorization under section    -23; or

(2) [(b)] A court order issued under this section. Such court order shall:

[(1)] (A) Provide that the protected health information involved is subject to court protection;

[(2)] (B) Specify to whom the information may be disclosed;

[(3)] (C) Specify the information that may not otherwise be disclosed or used; and

[(4)] (D) Meet any other requirements that the court determines are needed to protect the confidentiality of information.

[(c) This section shall not apply in a case in which]

(b) Neither a court order nor a written authorization under section    -23 shall be required when the protected health information sought under the [discovery request or] subpoena is:

(1) Nonidentifiable health information; or

(2) [Related to a party to the litigation whose medical condition is at issue.] The party or claimant issuing the subpoena, or that party’s or claimant's attorney, attests in writing, under penalty of perjury:

(A) That the protected health information sought relates to a party in the judicial proceeding or to a claimant in any other proceeding set forth in subsection (a), whose medical condition is at issue; and,

(B) That, five days prior to the service of the subpoena, notice of the subpoena together with a copy of the subpoena, has been served on the party or claimant whose medical condition is at issue or upon the attorney for that party or claimant and that such service has been made in the manner provided by applicable statute, court, or administrative rules.

(c) All protected health information obtained under this section may only be used for purposes of the judicial or other proceeding set forth in subsection (a) for which the protected health information was obtained. Unless otherwise provided by order of court, such protected health information may be disclosed to the parties to the proceeding (including their attorneys, employees, representatives, insurers, expert witnesses, agents, and consultants), to those presiding over the proceeding and to all those lawfully permitted to participate in, attend, or assist with the proceeding.

(d) Parties, claimants, and court reporters, in good faith, may furnish copies and disclose protected health information pursuant to court rules, and the rules and procedures of other dispute resolution tribunals.

[(d)] (e) The [release] good faith use and disclosure of any protected health information under this section shall not violate this part.

§   -39 Disclosure for civil or administrative law enforcement [purposes.] inquiries. (a) [For the purposes of this [subsection] only, "entity" means a health care provider, health plan, health oversight agency, employer, insurer, and educational institution.] A subpoena or summons for a disclosure of protected health information for law enforcement inquiries shall only be issued if the civil or administrative law enforcement agency involved shows that there is probable cause to believe that the information is relevant to a legitimate law enforcement inquiry.

[(b) Except as to disclosures to a health oversight agency, which are governed by section -35, an] An entity or other person who receives protected health information pursuant to sections    -23 and [   -31 through    -37,]    -A to    -K, may disclose protected health information under this section, if the disclosure is pursuant to:

(1) An administrative subpoena or summons or judicial subpoena;

(2) [Consent] Authorization in accordance with section    -23; or

(3) A court order.

[(c) A subpoena or summons for a disclosure under subsection (b)(1) shall only be issued if the civil or administrative law enforcement agency involved shows that there is probable cause to believe that the information is relevant to a legitimate law enforcement inquiry.

(d) ] (b) When the matter or need for which protected health information was disclosed to a civil or administrative law enforcement agency under subsection [(b)] (a) has concluded, including any derivative matters arising from the matter or need, the civil or administrative law enforcement agency shall either destroy the protected health information, or return all of the protected health information to the person from whom it was obtained.

[(e)] (c) To the extent practicable, and consistent with the requirements of due process, a civil or administrative law enforcement agency shall redact personally identifying information from protected health information prior to the public disclosure of the protected information in a judicial or administrative proceeding.

[(f)] (d) Protected health information obtained by a civil or administrative law enforcement agency pursuant to this section may only be used for purposes of a legitimate law enforcement activity.

[(g)] (e) If protected health information is obtained without meeting the requirements of subsection [(b)] (a)(1), (2), or (3), any information that is unlawfully obtained shall be excluded from court proceedings unless the [defendant requests] court orders otherwise.

§   -L Disclosure in civil or administrative proceedings or tribunals. For purposes of due process, when any party or claimant has introduced into evidence protected health information in support of a claim or defense in the proceedings, the adjudicatory body may include such protected health information in its decisions, orders, or other published portions of the proceedings.

§   -M Limited disclosure for identification purposes in law enforcement procedures. An entity may disclose protected health information to a law enforcement official if:

(1) The disclosure is for the purpose of identifying a suspect, fugitive, material witness or missing person; provided that the entity may disclose only the following information:

(A) Name;

(B) Address;

(C) Social security number;

(D) Date of birth;

(E) Place of birth;

(F) Type of injury or other distinguishing characteristics; and

(G) Date and time of treatment; or

(2) The disclosure is of the protected health information of an individual who is or is suspected to be a victim of a crime, abuse, or other harm, if the law enforcement official represents that:

(A) The information is needed to determine whether a violation of law by a person other than the victim has occurred; and

(B) Immediate law enforcement activity that depends upon obtaining such information may be necessary.

§   -N Disclosure for firearm permit and registration purposes. A health care provider or public health authority shall disclose health information, including protected health information, relating to an individual’s mental health history, to the appropriate county chief of police in response to a request for the information from the chief of police; provided that:

(1) The information shall be used only for the purposes of evaluating the individual’s fitness to acquire or own a firearm; and

(2) The individual has signed an authorization permitting disclosure of the health information for that purpose.

§   -40 Payment card and electronic payment transaction. (a) If an individual pays for health care by presenting a debit, credit, or other payment card or account number, or by any other electronic payment means, the entity receiving payment may disclose to a person described in subsection (b) only such protected health information about the subject individual as is necessary for the processing of the payment transaction or the billing or collection of amounts charged to, debited from, or otherwise paid by, the individual using the card, number, or other electronic means.

(b) A person who is a debit, credit, or other payment card issuer, or is otherwise directly involved in the processing of payment transactions involving such cards or other electronic payment transactions, or is otherwise directly involved in the billing or collection of amounts paid through these means, may use or disclose protected health information about [an] a subject individual that has been disclosed in accordance with subsection (a) only when necessary for:

(1) The settlement, billing, or collection of amounts charged to, debited from, or otherwise paid by the individual using a debit, credit, or other payment card or account number, or by other electronic payment means;

(2) The transfer of receivables, accounts, or interest therein;

(3) The internal audit of the debit, credit, or other payment card account information;

(4) Compliance with federal, state, or county law; or

(5) Compliance with a properly authorized civil, criminal, or regulatory investigation by federal, state, or county authorities as governed by the requirements of this section.

§   -41 Standards for electronic disclosures. The office of information practices shall adopt rules to establish standards for disclosing, authorizing, and authenticating, protected health information in electronic form consistent with this part.

§   -42 Rights of minors. (a) In the case of an individual who is eighteen years of age or older, all rights of an individual under this chapter shall be exercised by the individual.

(b) In the case of an individual of any age who, acting alone, can obtain a type of health care without violating any applicable federal or state law, and who has sought this care, the individual shall exercise all rights of an individual under this chapter with respect to health care.

(c) Except as provided in subsection (b), in the case of an individual who is[:

(1) Under fourteen] Under eighteen years of age, all of the individual's rights under this chapter shall be exercised only through the parent or legal guardian[;

[(2) At least fourteen but under eighteen years of age, the rights of inspection and amendment, and the right to authorize use and disclosure of protected health information of the individual may be exercised by the individual, or by the parent or legal guardian of the individual. If the individual and the parent or legal guardian do not agree as to whether to authorize the use or disclosure of protected health information of the individual, the individual's authorization or revocation of authorization shall control].

[§ -43 Deceased individuals. This chapter shall continue to apply to protected health information concerning a deceased individual following the death of that individual. A person who is authorized by law or by an instrument recognized under law, to act as a personal representative of the estate of a deceased individual, or otherwise to exercise the rights of the deceased individual, to the extent so authorized, may exercise and discharge the rights of the deceased individual under this chapter.]

PART V. SANCTIONS

§   -51 Wrongful disclosure of protected health information. [(a) A person who knowingly or intentionally obtains protected health information relating to an individual or discloses protected health information to another person in violation of this chapter shall be guilty of a class C felony.

(b) A person who knowingly or intentionally sells, transfers, or uses protected health information for commercial advantage, personal gain, or malicious harm, in violation of this chapter shall be guilty of a class B felony.] (a) Any person who, with knowledge of or reason to know that it is prohibited by this chapter, intentionally, knowingly, or recklessly obtains, uses, causes to be used, or discloses protected health information in violation of this chapter, shall be punished:

(1) For a first offense, a fine not exceeding $1,000;

(2) For a second and later offense, a fine not exceeding $5,000; and

(3) For any subsequent offense, shall be guilty of a class C felony.

Any fine assessed here shall be reduced by any fines previously assessed by the director under part VI for the same act.

(b) Any person who, with knowledge of or reason to know that it is prohibited by this chapter, intentionally or knowingly obtains, uses, or discloses protected health information in violation of this chapter with the intent to sell, transfer, or use for commercial advantage or personal gain or to cause malicious harm shall be guilty of a class C felony.

(c) It shall be a defense to the violations or crimes in this section that:

(1) The obtaining, use, or disclosure of protected health information was incidental to a bona fide sale, merger, or transfer by an entity or person of a business or practice to a person or entity licensed or otherwise qualified to engage in such business or practice; the principal purpose of obtaining, using, or disclosing protected health information was not to receive a commercial advantage or personal gain or to cause malicious harm and that any amount received or the value of any thing or benefit provided to induce the obtaining, use, or disclosure of protected health information did not exceed $500;

(2) The person obtained, used, or disclosed protected health information in the course of lawful employment or under a lawful agreement involving stenographic duties or reproduction of records for entities authorized to obtain, use, or disclose protected health information under this chapter;

(3) The disclosure of protected health information was made in the good faith belief that the disclosure was in the best interest of the subject individual or his or her family; or

(4) The obtaining, use or disclosure of protected health information was made under constitutional privilege.

[§ -52 Civil actions by individuals. (a) Any individual whose rights under this chapter have been violated may bring a civil action against the person or entity responsible for the violation.

(b) In any civil action brought under this section, if the court finds a violation of an individual's rights under this chapter, the court may award:

(1) Injunctive relief, including enjoining a person or entity from engaging in a practice that violates this chapter;

(2) Equitable relief;

(3) Compensatory damages for injuries suffered by the individual. Injuries compensable under this section may include, but are not limited to, personal injury including emotional distress, reputational injury, injury to property, and consequential damages;

(4) Punitive damages, as appropriate;

(5) Costs of the action;

(6) Attorneys' fees, as appropriate; and

(7) Any other relief the court finds appropriate.

(c) No action may be commenced under this section after the time period stated in section 657-7.]

PART VI. ADMINISTRATIVE ENFORCEMENT

§   -O Implementation; reports. The director shall adopt rules pursuant to chapter 91 to implement this chapter. The director shall file an annual report with the legislature.

§   -[54] [Prevention] Notice, prevention, and deterrence. (a) The director shall develop and approve by July 1 a model notice based on the standards set forth in section    -13. Conspicuous posting or providing of this model notice by providers and employers shall be deemed to be in compliance with section    -13.

(b) To promote the prevention and deterrence of acts or omissions that violate laws designed to safeguard the protected health information in a manner consistent with this chapter, the director of the office of information practices, with any other appropriate individual, organization, or agency, may provide advice, training, technical assistance, and guidance regarding ways to prevent improper disclosure of protected health information.

§   -P Complaints. (a) A person may file with the director a written complaint for alleged violations of this chapter. A complaint, except for those complaints alleging a refusal to grant access, copying, or appending, shall be filed within one hundred eighty days after the person discovered or should have discovered the alleged violation but not more than two years after the alleged violation, unless the alleged violation was deliberately concealed. A complaint that alleges a refusal to grant access, copying, or appending shall be filed within forty-five days after the alleged refusal. It is a violation of this chapter to engage in a pattern of filing frivolous, vexatious, or bad faith complaints.

(b) The director may:

(1) Dismiss any complaint if the director determines that:

(A) The complaint is not timely, is trivial, frivolous, vexatious, or made in bad faith;

(B) The complainant should exhaust other grievance or review procedures; or

(C) The complaint could more appropriately be dealt with either initially or in its totality by means of another procedure or body;

(2) Mediate any dispute;

(3) Conduct a hearing under section    -Q, if the director believes there are reasonable grounds to believe there has been a violation of this chapter;

(4) Employ any other of the powers given to the director under part VI as necessary to enforce the obligations imposed by this chapter;

(5) Take any appropriate action to resolve complaints that may be necessary to appropriately remedy and deter the unlawful use or disclosure of protected health information in the public's interest. These actions may include, but are not limited to, conducting hearings or alternative dispute resolution, letters of warning, assessing sanctions or penalties, and making referrals to another agency;

(6) Issue cease and desist orders; or

(7) Determine that this chapter has been violated and may assess penalties against that complainant or complaint's lawyer when there is a finding by the director that a complainant or complaint's lawyer has engaged in a pattern of filing frivolous, vexatious, or bad faith complaints.

§   -Q Hearings. (a) If the director has reason to believe that a person has violated this chapter, the director shall issue and serve upon the person and the complainant, a copy of the complaint and a notice of a hearing, to be held at a time and place fixed in the notice, which shall not be fewer than thirty days after the date of service.

(b) At the time and place fixed for the hearing, the person and the complainant shall have an opportunity to be heard.

(c) The director shall prepare the findings and conclusions and shall issue it to the parties involved. In addition, the director may include orders relating to the promotion of compliance with this chapter. A summary of the decision and order shall be published in the director's annual report to the legislature.

(d) At the director's discretion, the director may also employ any other of the powers given to the director under part VI as necessary to enforce the obligations imposed by this chapter.

(e) The director's findings and conclusions and other orders shall not be used in any separate tort action alleging an invasion of privacy.

§   -R Violations of chapter. (a) When the director determines that a provision under this chapter has been violated, the director may order one or more of the following penalties:

(1) For any violation of this chapter, payment of a civil penalty of not more than $500 for each and every act or violation but not to exceed $5,000 in the aggregate for multiple violations;

(2) For a knowing violation of this chapter, payment of a civil penalty of not more than $25,000 for each and every act or violation but not to exceed $100,000 in the aggregate for multiple violations; and

(3) For violations of this chapter that have occurred with such frequency as to constitute a general business practice, a civil penalty of $100,000.

Any administrative penalties assessed under this section shall be reduced by the amount of criminal sanctions imposed for the same acts previously paid or payable under this chapter.

(b) When making a determination of violation, the director shall consider whether the disclosure was unavoidable under the circumstances. If the director determines that the disclosure was unavoidable, the sanctions required under section (a) shall not be imposed.

(c) The director's decision may be appealed to circuit court pursuant to chapter 91. The court may award the costs of the appeal to the person in whose favor a judgment was rendered.

(d) In any proceeding brought under this part, the director may award to the prevailing party any costs and fees, including attorney's fees, that justice may require. In determining whether to make such an award and the amount of such award, the director shall consider whether the claim or defense was made in good faith, whether the claim or defense was frivolous, whether acts in violation of this chapter were inadvertent, unavoidable, negligent, or intentional, and any other facts or findings that the director may deem relevant to the determination.

§   -53 Cease and desist orders; civil penalty. (a) [A court] The director shall issue and cause to be served upon a person, who has violated any provision of this chapter, a copy of the [court's] director’s findings and an order requiring the person to cease and desist from violating this chapter, or to otherwise comply with the requirements of this chapter. [The court may also order any one or more of the following:

(1) For any violation of this chapter, payment of a civil penalty of not more than $500 for each and every act or violation but not to exceed $5,000 in the aggregate for multiple violations;

(2) For a knowing violation of this chapter, payment of a civil penalty of not more than $25,000 for each and every act or violation but not to exceed $100,000 in the aggregate for multiple violations; and

(3) For violations of this chapter that have occurred with such frequency as to constitute a general business practice, a civil penalty of $100,000.]

(b) Any person who violates a cease and desist order or injunction issued under this section may be subject to a civil penalty of not more than $[10,000] 50,000 for each and every act in violation of the cease and desist order.

(c) No order or injunction issued under this section shall in any way relieve or absolve any person affected by the order from any other liability, penalty, or forfeiture required by law.

(d) Any civil penalties collected under this section shall be deposited into the general fund.

§   -S Notice to other regulatory agencies. Whenever the director takes action against any entity for violation of this chapter, the director shall notify any agency that has regulatory oversight over the organization of the director's action.

§   -55 Relationship to other laws. (a) Nothing in this chapter shall be construed to preempt or modify any provisions of state law concerning a privilege of a witness or person in a court of the state. Receipt of notice pursuant to section    -22 or consent to disclose pursuant to section    -23 shall not be construed as a waiver of these privileges.

(b) Nothing in this chapter shall be construed to preempt, supersede, or modify the operation of [any] the following state [law that:] laws:

(1) [Provides] All laws that provide for the reporting or disclosure of vital statistics such as birth or death information;

(2) [Requires] All laws that require the reporting of abuse or neglect information about any individual;

(3) [Relates] All laws that relate to public or mental health and that prevents or otherwise restricts disclosure of information otherwise permissible under this chapter, except that if this chapter is more protective of information, it shall prevail;

(4) Governs a minor's right to access protected health information or health care services; [or]

(5) Meets any other requirements that the court determines are needed to protect the confidentiality of the information;

(6) Chapter 92F. Nothing in this chapter shall be construed to close public access to government records that have been traditionally open to the public. Except as set forth herein, all uses and disclosures by government agencies subject to chapter 92F shall be governed by the requirements of chapter 92F. Except as set forth herein, uses and disclosures by the nonadministrative functions of the judicial branch of government shall be as necessary for purposes of providing due process;

(7) All laws requiring any entity to report protected health information to a government agency or an agent of a government agency, including discrimination laws and worker compensation laws;

(8) The Federal Educational Records Protection Act; or

(9) Any other laws that are more protective than this chapter."

SECTION 2. Chapter 92F, Hawaii Revised Statutes, is amended by adding a new section to be appropriately designated and to read as follows:

"92F-    Information practices commission. There is established an information practices commission. The commission shall consist of five members appointed by the governor. In making these appointments, the governor shall balance the interests and needs of consumers, health care, and business. These appointments shall not be subject to senate confirmation. The term of the commissioners shall be four years, except that the terms of the initial commissioners shall be two years for two commissioners, three years for two other commissioners and four years for one commissioner, as determined by the governor. The commission shall select one of its members to serve as chairperson. Vacancies on the commission shall be filled by the governor. Commissioners shall serve without compensation but shall be reimbursed for reasonable expenses, including travel expenses incurred in the discharge of their duties. The commission shall be attached to the office of information practices."

SECTION 3. Chapter 92F, Hawaii Revised Statutes, is amended by adding a new section to be appropriately designated and to read as follows:

"§92F-    Duties of the commission. To assist the office of information practices in implementing the responsibilities under its jurisdiction, the commission shall solicit and receive public comment on information practices. Every two years the commission shall file a report with the director, the governor and the legislature on its finding and recommendations on all matters within the jurisdiction of the office of information practices, including legislative changes, if any."

SECTION 4. Act 127, Session Laws of Hawaii 2000, is amended by repealing section 3.

["SECTION 3. Chapter 323C, Hawaii Revised Statutes, is amended by adding a new section to part IV to be appropriately designated to read as follows:

"§323C-A Disclosure for firearm permit and registration purposes. A health care provide or public health authority shall disclose health information, including protected health care information, relating to an individual's mental health history, to the appropriate county chief of police in response to a request for the information from the chief of police, provided that:

(1) The information shall be used only for the purposes of evaluating the individual's fitness to acquire or own a firearm; and

(2) The individual has signed a waiver permitting release of the health information for that purpose.""]

SECTION 5. Act 1, Second Special Session Laws of Hawaii 2000, is repealed.

SECTION 6. Act 87, Session Laws of Hawaii 1999, is amended by amending section 10 to read as follows:

"SECTION 10. This Act shall take effect [on July 1, 2000;] one year after the Secretary of the Department of Health and Human Services determines that provisions of this law are not preempted by 45 Code of Federal Regulations, parts 160 and 164; provided that sections 5, 6, and 7 shall take effect upon its approval."
