SECOND REGULAR SESSION
HOUSE BILL NO. 1089
92ND GENERAL ASSEMBLY
INTRODUCED BY REPRESENTATIVES BISHOP (Sponsor), ZWEIFEL, DONNELLY, WHORTON, SPRENG, SAGER, MEINERS, CARNAHAN, JONES, WILLOUGHBY, WALKER, WILDBERGER,
MORRIS, SKAGGS, DARROUGH AND LeVOTA (Co-sponsors).Read 1st time January 14, 2004, and copies ordered printed.
STEPHEN S. DAVIS, Chief Clerk
To amend chapter 191, RSMo, by adding thereto one new section relating to nonpublic personal health information.
Be it enacted by the General Assembly of the state of Missouri, as follows:
Section A. Chapter 191, RSMo, is amended by adding thereto one new section, to be known as section 191.890, to read as follows:
191.890. 1. For purposes of this section, the following terms mean:
(1) "Disclose", to release, transfer, provide access to, or divulge in any other manner information outside the entity holding the information; except that disclosure shall not include any information divulged directly to the individual to whom such information pertains;
(2) "Federal privacy rules", the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the United States Department of Health and Human Services, 45 CFR Parts 160 to 164;
(3) "Health information", any information or data except age or gender, whether oral or recorded in any form or medium, created by or derived from a health care provider or an individual that relates to;
(a) The past, present, or future physical, mental, or behavioral health or condition of an individual;
(b) The provision of health care to an individual; or
(c) Payment for the provision of health care to an individual;
(4) "Licensee", all licensed insurers, producers, and other persons licensed or required to be licensed, or authorized or required to be authorized, or registered or required to be registered pursuant to chapter 375, RSMo, a health maintenance organization holding or required to hold a certificate of authority pursuant to chapter 354, RSMo, or any other entity or person subject to the supervision and regulation of the department of insurance;
(5) "Nonpublic personal health information", health information:
(a) That identifies an individual who is the subject of the information; or
(b) With respect to which there is a reasonable basis to believe that the information could be used to identify an individual;
(6) "Person", without limitation, an individual, a foreign or domestic corporation whether for profit or not-for-profit, a partnership, a limited liability company, an unincorporated society or association, two or more persons having a joint or common interest, a governmental agency or any other entity.
2. Any person who in the ordinary course of business, practice of a profession, or rendering of a service creates, stores, receives, or furnishes nonpublic personal health information shall not disclose by any means of communication such nonpublic personal health information except pursuant to a prior written authorization, valid for two years, of the person to whom such information pertains or such person's authorized representative, if:
(1) The nonpublic personal health information is disclosed in exchange for consideration to an affiliate or other third party; or
(2) The purpose of the disclosure is:
(a) For the marketing of services or goods for personal, family, or household purposes;
(b) To facilitate an employer's employment-related decisions regarding hiring, termination, and the establishment of any other conditions of employment, except as necessary to provide health or other benefits to an existing employee;
(c) For use in connection with the evaluation of an existing or requested extension of credit for personal, family, or household purposes; or
(d) To deliberately or maliciously cause harm to the person to whom the nonpublic personal health information pertains or to a person who creates, stores, or receives the nonpublic personal health information, except as necessary to conduct the business, practice, or service offered by the disclosing person or entity.
3. Nothing in this section shall be deemed to prohibit any disclosure of nonpublic personal health information as is necessary to comply with any other state or federal law, or a court order.
4. Any person other than a licensee who knowingly violates the provisions of this section shall be assessed an administrative penalty of not more than five hundred dollars for each violation of this section. An administrative penalty pursuant to this section may be assessed by a state agency with primary regulatory authority over a person, by the attorney general upon referral by a state agency with primary regulatory authority over a person, or by the attorney general if no state agency has primary regulatory authority over the person. A state agency has primary regulatory authority over a person if the state agency licenses, certifies or examines the business, profession or services of the person. No person shall be subject to administrative penalties pursuant to this subsection from more than one state agency with respect to the same violation. Any administrative penalty imposed pursuant to this subsection shall be paid into the school fund as provided by law for other fines and penalties.
5. To the extent a person other than a licensee is subject to and complies with the federal Health Insurance Portability and Accountability Act privacy rules promulgated by the United States Department of Health and Human Services, 45 CFR Parts 160 to 164 (the federal privacy rules), such person shall be deemed to be in compliance with this section.
6. Irrespective of whether a licensee is subject to the federal privacy rules, if a licensee complies with all requirements of the federal privacy rules except for the effective date provision, the licensee shall be deemed to be in compliance with this section.
7. If a licensee complies with the model regulation adopted on September 26, 2000, by the National Association of Insurance Commissioners entitled "Privacy of Consumer Financial and Health Information Regulation", the licensee shall be deemed to be in compliance with this section.
8. Notwithstanding the provisions of subsections 5 and 6 of this section, no person or licensee may disclose nonpublic personal health information for marketing purposes contrary to paragraph (a) of subdivision (2) of subsection 2 of this section.
9. The provisions of this section do not apply to information from or to consumer reporting agencies as defined by the federal Fair Credit Reporting Act, 15 U.S.C. Section 1681 et seq., or debt collectors as defined by the federal Fair Debt Collection Practices Act, 15 U.S.C. Section 1692 et seq. to the extent such entities are engaged in activities regulated by these federal acts.
10. The provisions of this section do not apply to information disclosed in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit, including but not limited to the sale of a portfolio of loans, if the disclosure of nonpublic personal health information concerns solely consumers of the business or unit and the disclosure of the nonpublic personal health information is not the primary reason for the sale, merger, transfer, or exchange.
11. The director of the department of insurance shall have the sole authority to enforce this section with respect to licensees. A licensee who knowingly violates the provisions of this section shall be assessed an administrative penalty of not more than five hundred dollars for each violation and shall be entitled to all the protections of law contained in subsection 4 of this section.
12. Nothing in this section shall be construed to prohibit disclosure by any person for purposes other than those specifically listed in subsection 2 of this section. If an agent discloses information to a principal for purposes that do not violate subsection 2 of this section, the agent shall not be deemed liable for any disclosure by the principal.
13. This section does not apply to the disclosure of nonpublic personal health information which was originally collected for marketing purposes, provided that:
(1) The information is disclosed solely for the purposes of marketing products directly to the individual to whom such information pertains;
(2) The individual to whom such information pertains voluntarily reports the information; and
(3) At the time the information is collected, the individual to whom the information pertains receives clear and conspicuous notice stating that the information will be disclosed to third parties for the purposes of marketing products or services to the individual.
14. Notwithstanding any other provision of law, this section shall not apply to the conduct of medical research, as defined in 45 CFR part 46.
15. The provisions of this section shall become effective January 1, 2005.