FIRST REGULAR SESSION
[PERFECTED]
HOUSE SUBSTITUTE FOR
HOUSE BILL NO. 891
91ST GENERAL ASSEMBLY
House Substitute for House Bill No. 891 ordered Perfected and printed, as amended.
TED WEDEL, Chief Clerk
AN ACT
To amend chapter 191, RSMo, by adding thereto one new section relating to private confidential information, with a penalty provision and an effective date.
Section A. Section 191, RSMo, is amended by adding thereto one new section, to be known as section 191.940, to read as follows:
191.940. 1. For the purposes of this section the following terms mean:
(1) "Disclose", to release, transfer, provide access to, or divulge in any other manner information outside the entity holding the information, except that disclosure shall not include any information divulged directly to the individual to whom such information pertains;
(2) "Health information", any information or data except age or gender, whether oral or recorded in any form or medium, created by or derived from a health care provider or an individual that relates to:
(a) The past, present or future physical, mental or behavioral health or condition of an individual;
(b) The provision of health care to an individual; or
(c) Payment for the provision of health care to an individual;
(3) "Licensee", all licensed insurers, producers and other persons licensed or required to be licensed, or authorized or required to be authorized, or registered or required to be registered pursuant to chapter 375, RSMo, a health maintenance organization holding, or required to hold, a certificate of authority pursuant to chapter 354, RSMo, or any other entity or person subject to the supervision and regulation of the department of insurance;
(4) "Nonpublic personal health information", health information:
(a) That identifies an individual who is the subject of the information; or
(b) With respect to which there is a reasonable basis to believe that the information could be used to identify an individual;
(5) "Person", without limitation, an individual, a foreign or domestic corporation whether for profit or not-for-profit, a partnership, a limited liability company, an unincorporated society or association, two or more persons having a joint or common interest, or any other entity.
2. Any person who, in the ordinary course of business, practice of a profession or rendering of a service, creates, stores, receives or furnishes nonpublic personal health information shall not disclose by any means of communication such nonpublic personal health information except pursuant to a prior, written authorization of the person to whom such information pertains or such person's authorized representative, if:
(1) The nonpublic personal health information is disclosed to an affiliate or other third party in exchange for consideration; or
(2) The purpose of the disclosure is:
(a) For the marketing of services or goods for personal, family or household purposes;
(b) To facilitate an employer's employment-related decisions, including, but not limited to, hiring, termination, and the establishment of any other conditions of employment, except as necessary to provide health or other benefits to an existing employee;
(c) For use in connection with the evaluation of an existing or requested extension of credit for personal, family or household purposes; or
(d) Unrelated to any legitimate objective regarding the business, practice or service offered by the disclosing person or entity.
3. Nothing in this section shall be deemed to prohibit any disclosure of nonpublic personal health information as is necessary to comply with any other state or federal law.
4. Any person other than a licensee who knowingly violates the provisions of this section shall be fined not more than five hundred dollars for each violation of this section and may be liable in a civil action for damages or equitable relief. Any violation under this subsection may be enforced by a state agency responsible for regulating the person or by the attorney general.
5. To the extent a person other than a licensee is subject to and complies with all requirements of the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the United States Department of Health and Human Services, 45 CFR Parts 160 to 164 (the "federal privacy rules"), such person shall not be in violation of this section. Until April 14, 2003, a person other than a licensee that is subject to the federal privacy rules shall be deemed to be in compliance with this section upon demonstration of a good faith effort to comply with the requirements of the federal privacy rules.
6. Irrespective of whether a licensee is subject to the federal privacy rules, if a licensee complies with all requirements of the federal privacy rules except for the effective date provision, the licensee shall not be in violation of this section. Until April 14, 2003, a licensee shall be deemed to be in compliance with this section upon demonstration of a good faith effort to comply with the requirements of the federal privacy rules.
7. If a licensee complies with the model regulation adopted on September 26, 2000, by the National Association of Insurance Commissioners entitled "Privacy of Consumer Financial and Health Information Regulation", the licensee shall not be in violation of this section.
8. Notwithstanding the provisions of subsections 5, 6 and 7 of this section, no person or licensee may disclose nonpublic personal health information for marketing purposes contrary to paragraph (a) of subdivision (2) of subsection 2 of this section.
9. The director of the department of insurance shall have the sole authority to enforce this section with respect to licensees including, without limitation, treating violations of this section by licensees as unfair trade practices pursuant to sections 375.930 to 375.948, RSMo.
10. There shall be established a "Commission on Health Information Privacy" to study the issue of the protection of the privacy of nonpublic personal health information. By January 1, 2003, the commission shall make a recommendation to the general assembly of what additional legislative measures should be enacted to protect the privacy of nonpublic health information.
(1) The members of the commission shall be named by the governor and shall be citizens and residents of the state. The commission shall consist of fifteen individuals: one representative from the health insurance industry; one representative from the life insurance industry; one representative from the property and casualty insurance industry; three representatives from consumer advocacy organizations; three representatives from health care provider organizations; one representative from the department of health; one representative from the department of insurance; and four at-large representatives with demonstrated interest or expertise in health information privacy issues.
(2) Members shall receive no remuneration for their services but shall be reimbursed for actual and reasonable expenses incurred by them in the performance of their duties.
Section B. Section 191.940 of section A of this act shall become effective January 1, 2002.