Session of 2000

HOUSE BILL No. 2914

By Representatives Findley, Barnes, Crow, Dean, Flaharty, Gilbert, Kirk, McClure, O'Brien, Pauls, Phelps, Rehorn, Ruff, Showalter, Spangler, Swenson, Toelkes and Wells

2-9

AN ACT concerning insurance companies; regarding the privacy of medical records, enacting the health information privacy act.

Be it enacted by the Legislature of the State of Kansas:

Section 1. This act shall be known as the health information privacy act.

Sec. 2. As used in this act:

(a) "Carrier" means a person or entity required to be licensed or authorized by the commissioner to assume risk, including but not limited to an insurer, a hospital, medical or health service corporation, a health maintenance organization, a provider sponsored organization, a multiple employer welfare arrangement, a self-insured group fund or a workers compensation self-insurer. Carrier does not include a nonrisk-bearing regulated insurance entity, such as a producer, agency or administrator.

(b) "Commissioner" means the commissioner of insurance.

(c) "Covered person" means a policyholder, subscriber, enrollee, beneficiary, insured, certificateholder or other person covered by a policy, contract or agreement of insurance issued by a carrier.

(d) "Disclose" means to release, transfer, or otherwise divulge protected health information to any person other than to the individual who is the subject of the protected health information.

(e) "Facility" means an institution providing health care services or a health care setting, including but not limited to hospitals and other licensed inpatient centers, ambulatory surgical or treatment centers, skilled nursing centers, residential treatment centers, diagnostic, laboratory and imaging centers and rehabilitation and other therapeutic health settings.

(f) "Health care" means:

(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, services, procedures, tests or counseling that:

(A) Relates to the physical, mental or behavioral condition of an individual; or

(B) affects the structure or function of the human body or any part of the human body, including the banking of blood, sperm, organs or any other tissue; or

(2) prescribing, dispensing or furnishing to an individual drugs or biologicals, or medical devices or health care equipment and supplies.

(g) "Health care professional" means a physician or other health care practitioner licensed, accredited or certified to perform specified health services consistent with state law.

(h) "Health care provider" or "provider" means a health care professional or facility.

(i) "Health information" means any information or data, whether oral or recorded in any form or medium, and personal facts or information about events or relationships that relates to:

(1) The past, present or future physical, mental or behavioral health or condition of an individual or a member of the individual's family;

(2) the provision of health care to an individual; or

(3) payment for the provision of health care to an individual.

(j) "Insurance support organization" means a person that regularly engages, in whole or in part, in the practice of assembling or collecting information from carriers, agents or other insurance support organizations for the purpose of ratemaking or ratemaking-related functions, regulatory or legislative cost analysis, detecting or preventing fraud, material misrepresentation or material nondisclosure in connection with insurance underwriting or insurance claim activity. Persons that are not considered insurance support organizations for purposes of the act are agents, government institutions, insurance institutions, medical care institutions and medical professionals.

(k) "Person" means an individual, a corporation, a partnership, an association, a joint venture, a joint stock company, a trust, an unincorporated organization, any similar entity or a combination of the foregoing.

(l) "Protected health information" means health information:

(1) That identifies an individual who is the subject of the information; or

(2) with respect to which there is a reasonable basis to believe that the information could be used to identify an individual.

(m) "Research" means the process of systematic investigation or inquiry including, but not limited to any of the following: The systematic development and testing of a hypothesis; and the systematic description, analysis and measurement of processes, behaviors and physical, social, political or medical phenomena.

(n) "Research organization" means a person or organization, other than the carrier disclosing the protected health information, engaged in research.

(o) (1) "Scientific, medical or public policy research" means research conducted to improve the effectiveness of:

(A) Determining medical causation, diagnosis and treatment;

(B) public health; or

(C) the operations of the public or private health care, insurance or workers compensation systems; and

(2) (A) the results of such research are intended for publication; and

(B) the research findings are intended to be widely disseminated beyond the carrier and research organization so as to benefit the public good; and

(3) the scientific, medical or public policy research excludes all activities listed in subsection (h)(1) of section 10 and amendments thereto.

(p) "Unauthorized" means a collection, use or disclosure of protected health information made by a carrier without the authorization of the subject of that protected health information or that is not in compliance with this act, unless collection, use or disclosure without an authorization is permitted by this act.

Sec. 3. This act applies to all carriers and governs the management of health information, including the collection, use, and disclosure of protected health information by carriers.

Sec. 4. (a) A carrier shall develop and implement written policies, standards and procedures for the management of health information, including policies, standards and procedures to guard against the unauthorized collection, use or disclosure of protected health information by the carrier which shall include:

(1) Limitation on access to health information by only those persons who need to use the health information in order to perform their jobs;

(2) appropriate training for all employees;

(3) disciplinary measures for violations of the health information policies, standards and procedures;

(4) identification of the job titles and job descriptions of persons that are authorized to disclose protected health information;

(5) procedures for authorizing and restricting the collection, use or disclosure of protected health information;

(6) methods for exercising the right to access and amend protected health information as provided in sections 7 and 8 and amendments thereto;

(7) methods for handling, disclosing, storing and disposing of health information;

(8) periodic monitoring of the employees' compliance with the carrier's policies, standards and procedures in a manner sufficient for the carrier to determine compliance with this act and to enforce its policies, standards and procedures; and

(9) methods for informing and allowing an individual who is the subject of protected health information to request specialized disclosure or nondisclosure of protected health information as required under section 13 and amendments thereto.
  3             (b)  (1) In any contractual arrangement between a carrier and a per-
  4       son other than a covered person or health care provider where the person
  5       collects or uses protected health information on behalf of the carrier or
  6       where the carrier discloses protected health information to the person a
  7       carrier shall:
  8             (A) Require such person to have health information policies, stan-
  9       dards and procedures that comply with the requirements of this act; and
10             (B) inform such person of its obligation to comply with any applicable
11       state and federal statutory and regulatory requirements governing the
12       collection, use or disclosure of protected health information.
13             (2) In any contractual arrangement between a carrier and a health
14       care provider, a carrier shall require that the health care provider have
15       health information privacy policies, standards and procedures.
16             (3) Notwithstanding the provisions of section 17 and amendments
17       thereto, all contractual arrangements described in this subsection in effect
18       on January 1, 2001, shall comply with this act no later than 18 months
19       after January 1, 2001, or the renewal date of the contract, whichever is
20       earlier.
21             (c) A carrier shall make the health information policies, standards and
22       procedures developed pursuant to this section available to the commis-
23       sioner for review.
24             Sec.  5. (a) A carrier shall draft a written notice of such carrier's health
25       information policies, standards and procedures developed pursuant to
26       section 4 and amendments thereto, which shall be made available to the
27       commissioner. The notice shall include:
28             (1) The collection, use and disclosure of protected health information
29       prohibited and permitted by this act;
30             (2) the procedures for authorizing and limiting disclosures of pro-
31       tected health information and for revoking authorizations;
32             (3) the procedures for accessing and amending protected health in-
33       formation; and
34             (4) the right of a covered person to review a copy of the carrier's
35       health information policies, standards and procedures.
36             (b) The carrier shall provide the notice to any person upon request,
37       to covered persons at the time the policy is first delivered, and to all other
38       individuals when requesting an authorization. If subsequent policies are
39       issued to the same insured, no additional notices are required to be in-
40       cluded when those subsequent policies are delivered.
41             Sec.  6. (a) Subject to the exceptions listed in subsection (b)(3), an
42       individual who is the subject of the protected health information has the
43       right to examine or receive a copy of the protected health information


5

  1       that is in the possession of the carrier or a person acting on behalf of the
  2       carrier.
  3             (b) No later than 20 working days after receipt of a written request
  4       for protected health information from an individual who is the subject of
  5       protected health information, a carrier shall do one of the following:
  6             (1) Provide a copy of the protected health information requested to
  7       the individual or, if providing a copy is not possible, permit the individual
  8       to examine the protected health information during regular business
  9       hours;
10             (2) notify the individual that the carrier does not have the protected
11       health information and, if known, inform the individual of the name and
12       address of the person who has the protected health information requested
13       or, if the carrier will be obtaining access to the requested protected health
14       information, when the protected health information is expected to be
15       available to the individual; or
16             (3) deny the request in whole or in part if the carrier determines any
17       of the following:
18             (A) Knowledge of the protected health information would reasonably
19       be expected to identify a confidential source who provided the protected
20       health information in conjunction with a lawfully conducted investigation,
21       law enforcement investigation or court proceeding;
22             (B) the protected health information was compiled in preparation for
23       litigation, law enforcement or fraud investigation, quality assurance or
24       peer review purposes;
25             (C) the protected health information is the original work product of
26       the carrier, which would include but not be limited to interpretation,
27       mental impressions, instructions and other original product of the carrier,
28       its employees and agents;
29             (D) the requester is a party to a legal proceeding involving the carrier
30       where the health condition of the requester is at issue. Once a legal pro-
31       ceeding is resolved, the individual's right to access protected health in-
32       formation under this section and to amend protected health information
33       under section 7 and amendments thereto shall be restored; or
34             (E) disclosure of the protected health information to the individual
35       who is the subject of the protected health information is otherwise pro-
36       hibited by law.
37             (c) If a request to examine or copy protected health information is
38       denied in whole or in part under this section, the carrier shall notify the
39       individual who is the subject of the protected health information of the
40       reasons for the denial in writing. When the protected health information
41       was compiled in preparation for litigation, law enforcement or fraud in-
42       vestigation, the carrier is not required to notify the individual of the rea-
43       sons for the denial.


6

  1             (d) A carrier is not required to create a new record or reformulate
  2       an existing record in order to meet a request for protected health
  3       information.
  4             (e) The carrier may charge a reasonable fee for providing the pro-
  5       tected health information requested and shall provide a detailed bill ac-
  6       counting for the charges. No charge shall be made for reproduction of
  7       protected health information requested for the purpose of supporting a
  8       claim, supporting an appeal or accessing any federal or state sponsored
  9       or operated health benefits program.
10             Sec.  7. (a) An individual who is the subject of protected health in-
11       formation has the right to amend the protected health information to
12       correct any inaccuracies.
13             (b) Within 30 working days after receipt of a written request from an
14       individual who is the subject of protected health information to amend
15       protected health information, a carrier shall act to verify the accuracy of
16       protected health information identified as erroneous by the individual and
17       shall do one of the following:
18             (1) Correct or amend, either by changing the information in question
19       or adding additional information as provided by the individual, or delete
20       the portion of the protected health information in dispute and notify the
21       individual of the changes; or
22             (2) notify the individual that the request has been denied, the reason
23       for the denial, and that the individual may:
24             (A) Request that the health care provider who created the record in
25       question amend the record. The carrier shall include the health care pro-
26       vider's name and address; or
27             (B) file a concise statement of what the individual believes to be the
28       correct information and the reasons why the individual disagrees with the
29       denial. The carrier shall retain this statement filed by the individual with
30       the protected health information.
31             (c) If the carrier corrects, amends or deletes the protected health
32       information as requested pursuant to subsection (b)(1), the carrier shall
33       furnish the correction, amendment or deletion to:
34             (1) All persons who have received the protected health information
35       that has been corrected, amended or deleted from the carrier within the
36       preceding two years;
37             (2) an insurance support organization whose primary source of pro-
38       tected health information is carriers, as long as the insurance support
39       organization has systematically received protected health information
40       from the carrier within the preceding seven years. The correction, amend-
41       ment or deletion need not be furnished if the insurance support organi-
42       zation no longer maintains the protected health information that has been
43       corrected, amended or deleted; and


7

(3) any person that furnished the protected health information that was amended pursuant to subsection (b)(1).

(d) If the individual who is the subject of the protected health information files a statement pursuant to subsection (b)(2)(B), the carrier shall:

(1) Clearly identify the matter or matters in dispute and include the statement in any subsequent disclosure of the protected health information; and

(2) furnish the statement to the persons described in subsection (c).

(e) Nothing in this section shall require a carrier to alter, delete, erase or obliterate medical records provided to such carrier by a health care provider.

(f) Nothing in this section shall be construed to give a person access to protected health information covered by the exceptions listed in subsection (b)(3) of section 6 and amendments thereto.

Sec. 8. (a) A carrier shall provide upon request, to an individual who is the subject of the protected health information, information regarding disclosure of that individual's protected health information that is sufficient to exercise the right to amend the information pursuant to section 7 and amendments thereto. This information shall include the date, purpose, recipient and relevant authorization or basis for the disclosure. The carrier may charge a reasonable fee for providing the information regarding the disclosures of information.

(b) A carrier shall maintain a system that is sufficient for the commissioner to determine that the carrier can produce a complete list of disclosures:

(1) For routine disclosures, a carrier shall be able to track when routine disclosures are made, to whom they are made and for what purpose they are made; and

(2) for all other disclosures, a carrier shall be able to identify the authorization or release form or provision of law allowing the receipt or disclosure of protected health information.

(c) A carrier is not required to include in the information developed pursuant to subsection (a) of section 8 and amendments thereto, any disclosures of protected health information that were compiled in preparation for litigation, law enforcement or fraud investigation.

Sec. 9. (a) A carrier shall not collect, use or disclose protected health information without a valid authorization from the subject of the protected health information, except as permitted by section 10 and amendments thereto or as permitted or required by law or court order. Authorization for the disclosure of protected health information may be obtained for any purpose, provided that the authorization meets the requirements of this section.

(b) A carrier shall retain the authorization or a copy thereof in the record of the individual who is the subject of the protected health information.

(c) A valid authorization shall be in writing and contain all the following:

(1) The identity of the individual who is the subject of the protected health information;

(2) a description of the types of protected health information to be collected, used or disclosed. If the authorization is in support of an application for coverage where tests, including genetic tests, and examinations are to be performed in conjunction with underwriting the application, the authorization shall include a description of the types of tests or examinations to be performed and shall be accompanied by a statement that the tested individual may choose whether to receive the results of any laboratory tests or medical examinations performed. In cases where the authorization is other than in support of an application for coverage, and tests, including genetic tests, and examinations are to be performed, an individual may choose whether to receive the results of any laboratory tests or medical examinations performed and obtain, upon request, a detailed list of laboratory tests or medical examinations to be performed before tests or examinations are administered;

(3) a general description of the sources from which protected health information will be collected;

(4) the name and address of the person to whom the protected health information is to be disclosed, except that an authorization provided to a carrier for collection of protected health information to support insurance functions listed in subsection (h) of section 9 and amendments thereto may generally describe the persons to whom protected health information may be disclosed;

(5) the purpose of the authorization, including the reason for the collection, the intended use of the protected health information, and the scope of any disclosures that may be made in carrying out the purpose for which the authorization is requested, provided those disclosures are not otherwise prohibited by law;

(6) the signature of the individual who is the subject of the protected health information or the individual who is legally empowered to grant authority and the date signed; and

(7) a statement that the individual who is the subject of the protected health information may revoke the authorization at any time, except as provided in subsection (g) and subject to the rights of any person that acted in reliance on the authorization prior to revocation.

(d) An authorization shall specify a length of time for which the authorization shall remain valid, which in no event shall be for more than 12 months, except an authorization signed for one of the following purposes:

(1) For the collection of protected health information to support insurance functions listed in subsection (h) of section 9 and amendments thereto, in which event the authorization shall remain valid during the entire term of the policy or as long as necessary for the carrier to meet such carrier's obligations under the policy or as otherwise required by law;

(2) to support an application for, a reinstatement of, or a change in benefits under a life insurance policy, in which event the authorization shall expire in 30 months or whenever the application is denied, whichever occurs first; or

(3) to support or facilitate ongoing management of a chronic condition or illness or rehabilitation from an injury.

(e) A carrier shall obtain a separate authorization to disclose protected health information to an individual's employer, including the employer's designated risk manager, unless:

(1) The protected health information is disclosed pursuant to the employer's workers compensation program, to the extent necessary for the performance of the employer's and carrier's rights and duties under state laws governing workers compensation;

(2) the protected health information is disclosed pursuant to the employer's administration of a health and welfare benefit plan; or

(3) the protected health information is necessary to the administration of claims pursuant to a commercial lines policy.

(f) A carrier shall obtain a separate authorization to collect, use or disclose protected health information if the purpose of the collection, use or disclosure under subsection (c)(5) is for the marketing of services or goods, or for other commercial gain. The purpose of the collection, use or disclosure shall appear as a separate paragraph in bold type no smaller than 12 point. The purpose shall be stated in clear and simple terms. The request for authorization shall specify that the authorization shall remain valid for no more than 12 months and may be revoked at any time. The request for authorization shall state that the terms and conditions of all insurance policies will not be affected in any way by a refusal to give authorization. A separate authorization is not required if the use or disclosure is internal or to an affiliate and the only use of the information will be in connection with the marketing of an insurance product, provided the affiliate agrees not to disclose the information for any other purpose or to unaffiliated persons. With respect to insurance products, the individual shall be given an opportunity to indicate that such individual does not want protected health information used for marketing purposes and shall have given no indication that such individual does not want protected health information used for these purposes.

(g) An individual who is the subject of protected health information may revoke an authorization at any time, subject to the rights of any person who acted in reliance on the authorization prior to notice of revocation. A revocation of an authorization shall be in writing, dated and signed. A revocation of an authorization shall be retained by the carrier in the record of the individual who is the subject of the protected health information. A carrier shall give prompt notice of the revocation to all persons to whom the carrier has disclosed protected health information in reliance on the initial authorization.

(h) A carrier that has collected protected health information pursuant to a valid authorization in accordance with this act, may use and disclose the protected health information to a person acting on behalf of or at the direction of the carrier for the performance of the carrier's insurance functions: Claims administration, claims adjustment and management, fraud investigation, underwriting, loss control, rate-making functions, reinsurance, risk management, case management, disease management, quality assessment, quality improvement, provider credentialing verification, utilization review, peer review activities, grievance procedures and internal administration of compliance, managerial, information systems, and policyholder service functions. Additional insurance functions may be allowed with the prior approval of the commissioner.

The protected health information shall not be used or disclosed for any purpose other than in the performance of the carrier's insurance functions, except as otherwise permitted in this act.

(i) An authorization to collect, use or disclose protected health information pursuant to this act or a production of protected health information pursuant to a court order shall not be construed to constitute a waiver of any other privacy right provided to an individual who is the subject of protected health information by other federal or state laws, common law or rules of evidence.

(j) A person who receives protected health information from a carrier shall not use the protected health information for any purpose other than the lawful purpose for which it was disclosed.

(k) Nothing in this act shall require a carrier to provide a benefit or commence or continue payment of a claim in the absence of protected health information to support or deny the benefit or claim.

(l) A carrier that has collected protected health information prior to the effective date of this act is not required to obtain an authorization for the information. The information may only be used or disclosed in accordance with this act after the effective date.

Sec. 10. (a) A carrier may engage in the following activities with regard to protected health information without authorization in the following circumstances or as otherwise permitted by law:
(1) Collect protected health information from or disclose protected health information to a carrier, provided that the carrier that is receiving the information:

(A) Is investigating, evaluating, adjusting or settling a claim involving the individual who is the subject of the protected health information; or

(B) has become or is considering becoming liable under a policy insuring the individual who is the subject of the protected health information as a result of a merger, acquisition or other assumption of such liability;

(2) collect, use or disclose protected health information to the extent necessary to investigate, evaluate, subrogate or settle third-party claims, provided that the claimant is the subject of the protected health information and the protected health information is used for no other purpose without a valid authorization or the use is otherwise permitted under federal or state law;

(3) (A) collect, use or disclose protected health information to or from an insurance support organization if:

(i) The insurance support organization has in place health information policies, standards and procedures to ensure compliance with the requirements of this act; and

(ii) the protected health information is used only to perform the insurance functions of claims settlement, detection and prevention of fraud, or detection and prevention of material misrepresentation or material nondisclosure; or

(iii) the protected health information is collected and used internally only to perform the insurance functions of ratemaking and ratemaking-related functions or regulatory or legislative cost analysis; and

(B) Additional insurance functions may be added to subparagraphs (3)(A)(ii) and (iii) with prior approval of the commissioner;

(4) if the protected health information is necessary to provide ongoing health care treatment, and if the disclosure has not been limited or prohibited by the covered person who is the subject of the information, collect protected health information from or disclose protected health information to:

(A) A health care provider, employed by the carrier, who is furnishing health care to a covered person;

(B) a health care provider with whom the carrier contracts to provide health care services to covered persons; or

(C) a referring health care provider who continues to furnish health care to a covered person;

(5) disclose protected health information to a person engaged in the assessment, evaluation or investigation of the quality of health care fur-
42       nished by a provider pursuant to statutory or regulatory standards or pur-
43       suant to the requirements of a private or public program authorized to


12

  1       provide for the payment of health care;
(6) subject to the limits of subsection (a) of section 13 and amendments thereto, disclose protected health information to reveal a covered person's presence in a facility owned by the carrier and the covered person's general health condition, provided that the disclosure is limited to directory information, unless the covered person has restricted that disclosure or the disclosure is otherwise prohibited by law. For the purposes of this paragraph, directory information means information about the presence or general health condition of a particular covered person who is a patient or is receiving emergency health care in a health care facility. General health condition means the covered person's general health condition or status described as "critical," "poor," "fair," "good," "excellent," or in terms that denote similar conditions;
(7) collect, use or disclose protected health information when the protected health information is necessary to the performance of the carrier's obligations under any workers compensation law or contract;
(8) collect protected health information from or disclose protected health information to a reinsurer, stop loss or excess loss carrier for the purpose of underwriting, claims adjudication and conducting claim file audits;
(9) collect protected health information from the individual who is the subject of the protected health information; and
(10) collect, use or disclose protected health information when the protected health information is obtained from public sources such as newspapers, public agency reports, and law enforcement or public safety reports.
(b) Unless otherwise restricted by this section, a carrier that has collected protected health information without an authorization pursuant to subsection (a) of section 10 and amendments thereto, may use and disclose the information to a person acting on behalf of or at the direction of the carrier to perform the insurance functions listed in subsection (h) of section 9 and amendments thereto.
(c) A carrier shall disclose protected health information in any of the following circumstances:
(1) To federal, state or local governmental authorities to the extent the carrier disclosing the protected health information is required by law to report protected health information or for fraud reporting purposes; and
(2) the protected health information is needed for one of the following purposes:
(A) To identify a deceased individual;
(B) to determine the cause and manner of death by a chief medical examiner or the medical examiner's designee; or
(C) to provide necessary protected health information about a deceased individual who is a donor of an anatomical gift; and
(3) to a state department of insurance that is performing an examination, investigation or audit of the carrier; or
(4) pursuant to a court order issued after the court's determination that the public interest in disclosure outweighs the individual's privacy interest and that the protected health information is not reasonably available by other means.
(d) A disclosure of protected health information made pursuant to subsection (c) shall not be construed to be or to operate as a waiver of privacy rights provided by other federal or state laws, rules of evidence or common law.
Sec. 11. (1) (a) A carrier may disclose protected health information without authorization to research organizations conducting scientific, medical or public policy research as provided in this act.
(b) (1) A carrier shall keep a record of research organizations to which it discloses protected health information.
(2) The carrier shall keep the record five years.
(c) A carrier shall not disclose protected health information to a research organization unless the research organization agrees that the protected health information shall not be disclosed by the research organization to a third person. The research organization may disclose the protected health information to its agents, collaborators or contractors as needed to conduct or assist with the research, as long as all requirements of this section are applied to the agent, collaborator or contractor.
(d) A carrier shall disclose only the minimum data necessary to conduct the intended research. Protected health information shall be disclosed only where identification is necessary to conduct the research.
(e) If the scientific, medical or public policy research does not require contact with the individual who is the subject of the protected health information, the following protections shall exist prior to disclosure:
(1) The research organization develops and implements a written policy that includes procedures to assure the security and privacy of protected health information. The policy shall include:
(A) Training and disciplinary procedures to assure that persons involved in research comply with the provisions of this act;
(B) safeguards to assure that information in a report of the research project does not contain protected health information. The safeguards shall include a system for ensuring that only authorized individuals are able to establish a link between individuals and such individual's health information; and
(C) a method for removing all information that identifies, directly or indirectly through reference to publicly available information, the individual who is the subject of the protected health information, when the information is no longer needed for research that is otherwise permitted under this subsection. The policy may also provide that the research organization may retain the protected health information for an indefinite period if archived in an encoded form, and it may not be used for other research unless the requirements of this section are met. "Encoded" as used in this subparagraph means that the personally identifiable information of the data is removed or encrypted and the key to restore the protected health information is retained in a secure place within the research organization with access limited to the minimum number of people necessary to maintain the confidentiality and integrity of the key.
(2) (A) The research organization prepares a research plan that explains the purposes of the research, a general description of research methods to be used and the potential benefits of the research.
(B) (i) All research plans using protected health information under this act shall be available to the public and may be obtained by written request to the chief executive officer of the research organization or carrier.
(ii) If the research plan contains information that is proprietary or protected from disclosure by contract or statute, the information may be deleted from the copy made available to the public.
(iii) The research organization shall keep the research plan on file for five years.
(3) (A) The carrier and the research organization shall execute a written agreement:
(i) Stating the purposes of the research;
(ii) explaining how the purposes qualify as scientific, medical or public policy research;
(iii) documenting that the organization is qualified under paragraphs (1) and (2) of this subsection;
(iv) stating the expected time during which the data will be used for the stated purposes;
(v) explaining the planned method of disposition of the protected health information at the end of the term of use; and
(vi) stating that the written agreement shall be available to the public and can be obtained by written request to the chief executive officer of the research organization.
(B) The carrier shall provide a copy of the written, executed agreement upon request to any person. If the executed agreement contains information that is proprietary or protected from disclosure by contract or statute, the information may be deleted from the copy that is made available pursuant to this subsection.
(C) The carrier shall keep this agreement on file for five years.
(f) If the scientific, medical or public policy research requires contact with the individual who is the subject of protected health information, the following protections shall exist prior to disclosure:
(1) The research organization and carrier shall meet the requirements of subsection (e); and
(2) (A) The research organization is responsible for obtaining a legally effective informed consent of the subject or the subject's legally authorized representative. A research organization shall seek consent only under circumstances that provide the prospective subject or the representative with sufficient opportunity to consider whether to participate in the research, and that minimize the possibility of coercion or undue influence.
(B) The information that is given to the subject or the representative shall be in language understandable to the subject or the representative.
(C) No informed consent, whether oral or written, may include any exculpatory language through which the subject or the representative waives or appears to waive any of the subject's legal rights, or releases or appears to release the investigator, the sponsor, the research organization or such organization's agents from liability or negligence.
(D) In seeking informed consent the following information shall be provided to each subject:
(i) A statement that the study involves research, an explanation of the purposes of the research and the expected duration of the subject's participation, a description of the procedures to be followed and identification of any procedures that are experimental;
(ii) a description of any reasonably foreseeable risks or discomforts to the subject;
(iii) a description of any benefits to the subject or to others that may reasonably be expected from the research;
(iv) a disclosure of appropriate alternative procedures or courses of treatment, if any, that might be advantageous to the subject;
(v) a statement describing the extent to which confidentiality of records identifying the subject will be maintained;
(vi) for research involving more than minimal risk, an explanation as to whether any compensation and medical treatments are available if injury occurs and, if so, what such compensation and medical treatments consist of, and where further information may be obtained;
(vii) an explanation of whom to contact for answers to pertinent questions about the research and the research subject's rights;
(viii) the name of a person to contact in the event of a research-related injury to the subject; and
(ix) a statement that participation is voluntary, refusal to participate will involve no penalty or loss of benefits to which the subject is otherwise entitled, and that the subject may discontinue participation at any time without penalty or loss of benefits to which the subject is otherwise entitled.
(E) When appropriate, one or more of the following shall also be provided to each subject:
(i) A statement that the particular treatment or procedure may involve risks to the subject (or to the embryo or fetus, if the subject is or may become pregnant) that are currently unforeseeable;
(ii) anticipated circumstances under which the subject's participation may be terminated by the investigator without regard to the subject's consent;
(iii) any additional costs to the subject that may result from participation in the research;
(iv) the consequences of a subject's decision to withdraw from the research and procedures for orderly termination of participation by the subject;
(v) a statement that significant new findings developed during the course of the research that may relate to the subject's willingness to continue participation will be provided to the subject; and
(vi) the approximate number of subjects involved in the study.
(F) If a research organization submits research for approval by an institutional review board under the federal policy for the protection of human subjects, as originally published in 56 federal register 28000 (1991) and as adopted and implemented by a federal department or agency, compliance with that process will be deemed compliance with the provisions of subsections (e)(2) and (f)(2) of this section.
(g) (1) If a carrier discloses to an organization conducting scientific, medical or public policy research health information that is not protected health information because all identifying information is encrypted, the carrier and research organization shall execute a written agreement that provides:
(A) That the research organization will not rerelease the data accompanied by the encrypted identifying information to a third person. The research organization may disclose protected health information to its agents, collaborators or contractors as needed to conduct or assist with the research, as long as all requirements of this section are applied to the agent, collaborator or subcontractor;
(B) that the research organization shall make no effort to link any health information it received with encrypted identifying information to any other data that may identify the individual who is the subject of the information; and
(C) that the research organization shall make no effort to link any encrypted protected health information with any other identifiable data.
(2) Prior to any encrypted information being decrypted or linked to identifying data, the research organization shall comply with the requirements set forth in this section and health information with decrypted identifying information shall be deemed protected health information.
(h) Nothing in this act shall be construed to prevent the creation, use or release of anonymized data for which there is no reasonable basis to believe that the information could be used to identify an individual.
(i) Nothing in this section shall be construed as superseding federal laws and regulations governing scientific, medical and public policy research.
Sec. 12. An unauthorized collection, use or disclosure of protected health information by a carrier is prohibited and subject to the penalties set forth in section 14 and amendments thereto. An unauthorized collection, use or disclosure includes:
(a) Unauthorized publication of protected health information;
(b) unauthorized collection, use or disclosure of protected health information for personal or professional gain, including unauthorized research that does not meet the requirements of this act;
(c) unauthorized sale of protected health information;
(d) unauthorized manipulation of coded or encrypted health information that reveals protected health information; and
(e) use of deception, fraud, or threat to procure authorization to collect, use or disclose protected health information.
Sec. 13. (a) A carrier shall limit disclosure of information, including health information, about an individual who is the subject of the information if the individual clearly states in writing that disclosure to specified individuals of all or part of that information could jeopardize the safety of the individual. Disclosure of information under this subsection shall be limited consistent with the individual's request, such as a request for the carrier to not release any information to a spouse to prevent domestic violence.
(b) Except as otherwise required by law, a carrier shall not disclose protected health information concerning health services related to reproductive health, sexually transmitted diseases, substance abuse and behavioral health, including mailing appointment notices, calling the home to confirm appointments or mailing a bill or explanation of benefits to a policyholder or certificateholder, if the individual who is the subject of the protected health information makes a written request. The written request shall include information as to how any amounts payable by the individual will be handled. A carrier shall not require the individual to obtain the policyholder's or certificateholder's authorization to receive health care services or to submit a claim. Except as provided in subsection (c), this section shall not apply to minors.
(c) (1) A carrier shall recognize the right of any minor who may obtain health care without the consent of a parent or legal guardian pursuant to state or federal law, to exclusively exercise rights granted under this act regarding health information; and
(2) a carrier shall not disclose any protected health information related to any health care service to which the minor has lawfully consented, including mailing appointment notices, calling the home to confirm appointments or mailing a bill or explanation of benefits to a policyholder or certificateholder, without the express authorization of the minor. A carrier shall not require the minor to obtain the policyholder's or certificateholder's authorization to receive health care services or to submit a claim.
(d) A carrier that cannot comply with the requirements of this section relating to the suppression of benefit, payment and similar information by the effective date of this act because of demonstrated financial or technological burdens may make a written request to the commissioner for an extension of the time permitted for compliance. The request shall propose a plan and a timetable for compliance not to exceed 18 months after the effective date of this act. Carriers that are granted an extension by the commissioner shall report this extension and the lack of current compliance with the provisions of this section in the notice of health information policies, standards and procedures required by section 5 and amendments thereto.
Sec. 14. (a) (1) Whenever the commissioner has reason to believe that a person has committed gross negligence in violation of a material provision of this act and that an action under this section is in the public interest, the commissioner may bring an action to enjoin violations of the act. An injunction issued under this section shall be issued without bond.
(2) In addition to the relief available pursuant to paragraph (1) of this subsection, the commissioner may request and the court may order any other temporary or permanent relief as may be in the public interest, including any of the following, or any combination of the following:
(A) A civil penalty of not more than $10,000 for each violation, not to exceed $50,000 in the aggregate for multiple violations.
(B) A civil penalty of not more than $250,000 if the court finds that violations of this act have occurred with sufficient frequency to constitute a general business practice.
(C) Reasonable attorney fees, investigation and court costs.
(b) (1) The penalties described in paragraph (2) of this subsection shall apply to a person that collects, uses or discloses protected health information in knowing violation of this act.
(2) A person described in paragraph (1) shall:
(A) Be fined not more than $50,000, imprisoned not more than one year, or both;
(B) if the offense is committed under false pretenses, be fined not more than $250,000, imprisoned not more than five years, or any combination of these penalties; or
(C) if the offense is committed with the intent to sell, transfer or use protected health information for malicious harm, be fined not more than $500,000, imprisoned not more than 10 years, or any combination of these penalties.
(c) In any claim made under this section relating to an unauthorized disclosure in which the carrier is being sued under a theory of vicarious liability for the actions or omissions of the carrier's employees, it shall be an affirmative defense that the carrier substantially complied with the requirements of section 4 and amendments thereto.
(d) An individual may not maintain an action against a carrier that disclosed protected health information in good faith reliance on the individual's authorization, if that authorization meets the requirements of section 9 and amendments thereto and if the disclosure was made in compliance with the requirements of this act.
(e) A person may not maintain an action against a carrier for refusing to provide information or limiting disclosure of protected health information when the refusal or limitation is based upon an individual's request pursuant to section 13 and amendments thereto.
Sec. 15. The commissioner may promulgate rules and regulations necessary to carry out the provisions of this act.
Sec. 16. If any provision of this act, or the application of the provision to any person or circumstance is held invalid, the remainder of the act, and the application of the provision to persons or circumstances other than those to which it is held invalid, shall not be affected.
Sec. 17. This act shall take effect and be in force from and after January 1, 2001, and its publication in the statute book.