Vermont bill as passed house
Here is the bill as passed by the house.
Yes, I think it will pass.
There was a floor fight over how much access law enforcement should have to
records, absent consent.
AN ACT RELATING TO HEALTH CARE INFORMATION
It is hereby enacted by the General Assembly of the State of Vermont:
Sec. 1. LEGISLATIVE PURPOSE
The purpose of this act is
(1) To declare that the state’s policy regarding the handling and
disclosure of personal health care information, in part, requires that
individually identifiable health care information not be disclosed without
the prior authorization of the individual except as otherwise permitted or
required by law or court order.
(2) To clarify the laws regarding individual privacy and access to
personal health care information.
(3) To clarify the laws that establish the legal responsibilities of
persons, including health care providers, health care facilities, insurance
companies and employers, to maintain the security and confidentiality of
individually identifiable health care information during its acquisition,
storage, disclosure and disposition.
Sec. 2. 18 V.S.A. chapter 221, subchapter 9 is added to read:
Subchapter 9. Health Care Information Practices
§ 9461. DEFINITIONS
For the purposes of this subchapter,
(1) “Amend” means to indicate one or more disputed entries in health care
information or to change the entry without obliterating the original
(2) “Custodian” means any health care provider, health care facility or
health insurer that creates, controls or retains health care information, or
any person who obtains health care information for lawful purposes.
“Custodian” shall include natural persons only when acting in the course of
their employment or agency.
(3) “Disclosure” means the release of health care information in any
manner, including a subsequent release of health care information by a
person to whom health care information was initially disclosed.
(4) “Health care” means any preventive, diagnostic, therapeutic,
rehabilitative, maintenance or palliative care, counseling, service or
procedure provided to an individual for the individual's physical or mental
condition or the structure or function of any part of the human body,
including the sale or dispensing of medication or durable goods pursuant to
(5) “Health care facility” means any facility or institution, whether
public or private, proprietary or not-for-profit, that offers health care
diagnosis, treatment, inpatient or ambulatory care to two or more unrelated
(6) “Health care information” means any data or information, whether oral
or recorded, in any form or medium, that directly identifies the individual
or can reasonably identify the individual by reference to publicly available
information and that:
(A) relates to the individual's health history, health care, health
status, health benefits or application for health benefits; and
(B) is obtained by or from a health care provider, a health care
facility, a health insurer, or an employer.
(7) “Health care provider” means a natural person, partnership or
corporation, other than a facility or institution, that is licensed,
certified or authorized by law to provide professional health care services
in this state to an individual during that individual’s medical care,
treatment or confinement.
(8) “Health insurer” means an insurance company that offers health
insurance to the public, a nonprofit hospital and medical service
corporation or a health maintenance organization and, to the extent
permitted under federal law, any administrator of an insured, self-insured
or publicly funded health care benefit plan offered by a public or private
(9) “Individual” means a natural person, alive or dead, who is the
subject of health care information and includes the individual's
attorney-in-fact, legal guardian, executor or administrator.
§ 9462. DISCLOSURE OF HEALTH CARE INFORMATION; GENERALLY
(a) Health care information shall be confidential and shall not be
disclosed by any custodian except as provided in this subchapter, or as
permitted or required by law or court order. A disclosure of health care
information by any person shall be limited:
(1) to persons who require the information for a lawful purpose which,
for the purposes of this subchapter, does not include the marketing of
services or goods; and
(2) to the minimum amount of information necessary to accomplish the
lawful purpose for the disclosure.
(b) A custodian that is a health care provider, health care facility or
health insurer shall create a record of all disclosures made to any person
who is not an agent, employee or independent contractor of the custodian.
That record shall be retained in the health care information and shall
include the following information:
(1) The name, address and institutional affiliation, if any, of the
person to whom the information is disclosed.
(2) The date and purpose of the disclosure.
(3) A description of the information disclosed.
(4) A statement that the disclosure was made pursuant to an authorization
or a specific provision of law, which is included in the statement.
(c) No person to whom health care information is disclosed may use the
information for any purpose other than the lawful purpose for which it was
(d) The provisions of this subchapter do not affect other laws that
restrict to a greater extent the disclosure of specific types of health care
information to a person other than the individual to whom it relates. No
provision of this subchapter shall affect any other state or federal laws
that expressly permit or require the disclosure of health care information.
§ 9463. AUTHORIZATION FOR DISCLOSURE; REVOCATION
(a) A custodian shall disclose health care information only pursuant to a
valid authorization by the individual who is the subject of the information,
except as permitted or required by law or court order.
(b) An authorization to disclose health care information shall be retained
in the individual’s health care information. An authorization shall be
valid if it is in writing or in electronic form and includes all the following:
(1) The identity of the individual subject of the information.
(2) A description of the health care information to be disclosed.
(3) The name and address of the person to whom the information is to be
(4) The purpose of the disclosure and the scope of any further
disclosures that may be made in carrying out the lawful purpose for which
the disclosure is requested, provided those disclosures are not otherwise
prohibited by law.
(5) The signature of the individual and the date signed or, if in
electronic form, a unique identifier of the individual and the date the
individual authenticated the electronic authorization.
(6) A statement that the individual may revoke the authorization at any
time, subject to the rights of any person who acted in reliance on the
authorization prior to revocation.
(c) An authorization to provide or pay for health care shall be on a
(d) Disclosure of health care information pursuant to an authorization
under this section that relates to the presence or treatment of an HIV
related illness, AIDS, a sexually transmitted disease, mental health
condition or drug or alcohol abuse or dependency is prohibited unless the
individual specifically and affirmatively authorizes disclosure of that
information. The authorization shall be on a distinct section of the
authorization or on a separate document.
(e) An authorization may specify a length of time the authorization shall
remain valid, which in no event shall be for more than 12 months, except an
authorization signed for one of the following purposes:
(1) To support payment of benefits under a health insurance policy, in
which event the authorization shall remain valid during the entire term of
coverage of the policy.
(2) To support claims for benefits or compensation, in which event the
authorization shall remain valid during the pendency of the claim.
(3) To support an application for a health, disability or life insurance
policy, reinstatement of a policy or a change in benefits under an existing
policy, in which case the authorization shall expire in 12 months or
whenever the policy is denied, whichever occurs first.
(f) An individual may revoke an authorization at any time, subject to the
rights of any person who acted in reliance on the authorization prior to
revocation. A revocation of an authorization shall be valid if it is in
writing or in electronic form and is dated and authenticated as required
under subsection (b) of this section. A revocation of an authorization
shall be retained in the individual’s health care information.
(g) Except as provided in this subchapter, an authorization to disclose
health care information under this section or a production of health care
information pursuant to a court order shall not be construed to be or to
operate as a waiver of any other confidentiality right provided by other
federal or state laws, common law or rules of evidence.
§ 9464. DISCLOSURE WITHOUT AUTHORIZATION
(a) A custodian may, but is not required to, disclose health care
information without the authorization of the individual when permitted by
law, including in the following circumstances:
(1) To another health care provider who is providing health care to the
individual or to a referring health care provider who continues to provide
health care to the individual if the information is necessary to provide
appropriate ongoing health care treatment and the disclosure has not been
limited or prohibited by the individual.
(2) To an agent, employee or independent contractor of the custodian in
order to carry out the custodian’s lawful purposes or health care
activities, including risk management, quality assurance, utilization review
and peer review activities. For the purposes of this subdivision, lawful
purposes or lawful health care activities do not include the marketing of
services or goods.
(3) Between insurance carriers provided that both insurers are adjusting
the same claim and both have obtained health care information relating to
that claim pursuant to a valid authorization or court order.
(4) To a member of the individual’s immediate family or to a person with
whom the individual is known to have a close personal relationship when the
individual lacks the capacity to consent and the disclosure is made in
accordance with good professional practice, is necessary to provide
appropriate health care to the individual and has not been limited or
prohibited by the individual.
(5) To a successor in interest of a custodian that is a health care
provider or health care facility provided that the custodian gives the
individual at least 30 days’ notice of the disclosure and the opportunity to
designate a different provider or facility to receive the information.
(6) To conduct a scientific research project that has been approved by an
institutional review board, which, for the purposes of this subdivision,
means any board, committee or other group formally designated by a health
care facility and authorized under federal law to review, approve or conduct
periodic review of research programs, provided that the project:
(A) contains adequate safeguards to assure that any information in any
report of the research project does not identify, directly or indirectly
through reference to publicly available information, the individual subject
of the information; and
(B) does not require direct contact with an individual subject of the
information unless that individual has received notice from the custodian
disclosing the information that such contact is possible and the individual
has authorized the contact.
(7) The disclosure is limited to directory information, unless the
individual has restricted that disclosure or the disclosure is otherwise
prohibited by law. For the purposes of this subdivision “directory
information” means information about the presence or general health
condition of a particular individual who is an inpatient or is receiving
emergency health care in a health care facility. “General health condition”
means the individual’s general health condition or status described as
“critical,” “poor,” “fair,” “good,” “excellent” or in other terms that
denote similar conditions.
(8) To a person engaged in the assessment, evaluation or investigation of
the quality of health care provided by a custodian pursuant to statutory or
regulatory standards or the requirements of a private or public program for
the payment of health care.
(b) Nothing in this subchapter shall prohibit disclosure of health care
information when permitted or required by law, including in any of the
(1) When a custodian that is currently providing treatment to the subject
of the information has determined, based on reasonable professional
judgment, that the subject of the information poses a direct threat of
imminent harm to the health or safety of any individual, then the custodian
shall disclose only the minimum amount of health care information, to the
minimum number of persons necessary, and in as confidential a manner as
possible in order to avoid or minimize the harm.
(2) The disclosure is to federal, state or local governmental authorities
to the extent the custodian disclosing the information is required by law to
report specific health care information in order to protect the public
health or to determine compliance with state or federal licensure,
certification, registration rules or professional regulations.
(3) The disclosure is to federal or state governmental authorities for
use only in the lawful investigation of a violation of laws relating to the
provision of health care or the payment for health care. Information
disclosed under this subdivision may not be used in any administrative,
civil or criminal action or investigation directed against the individual
subject of the information, unless the action or investigation involves the
individual subject of the information and arises from the provision of
health care or payment for health care.
(4) The disclosure is based on a reasonable belief that the information
is needed for one of the following purposes:
(A) To identify a deceased individual.
(B) To determine the cause and manner of death by a chief medical
examiner or the medical examiner's designee.
(C) To provide necessary health care information about a deceased
individual who is a donor of an anatomical gift in accordance with chapter
109 of this title for the purpose of effecting that gift.
(c) A disclosure of health care information made pursuant to this section
shall not be construed to be or to operate as a waiver of the individual's
confidentiality rights provided by other federal or state laws, rules of
evidence or common law.
§ 9465. INDIVIDUAL RIGHT TO ACCESS TO HEALTH CARE INFORMATION;
(a) No later than 20 days after receipt of a written request from an
individual to examine or receive a copy of the individual’s health care
information, a custodian shall:
(1) Provide a copy of the information requested to the individual or
permit the individual to examine the information during regular business hours;
(2) Notify the individual that:
(A) the custodian does not have the information and, if known, inform
the individual of the name and address of the person who has the information
requested or when the information will be available; or
(B) access to the information is delayed due to circumstances that are
unusual and when the information will be available or denied, which shall
not be later than an additional 20 days after receipt of the request;
(3) Deny the request in whole or in part if the custodian has a lawful
basis for the denial, based on factors which may include those listed in
subsection (b) of this section.
(b) If a request to examine or copy
information is denied in whole or in part under this section, the custodian
shall notify the individual in writing of the reasons for the denial and the
individual's rights under this section. To the extent possible, the
information to which access has been denied shall be separated from
information that may be disclosed and the individual shall be permitted to
examine or copy the disclosable information. If the request is denied in
whole or in part under this section, the individual may file an action in
the superior court to obtain production of the information. In determining
whether access to the information should be granted, the court shall
consider at a minimum the following factors:
(1) Knowledge of the information would adversely and substantially affect
the individual’s health;
(2) Knowledge of the information would reasonably be expected to identify
a person who provided the information in confidence and under circumstances
in which confidentiality was appropriate; or
(3) The information was compiled solely for litigation, quality assurance
or peer review purposes.
(c) A custodian that is a health care provider, health care facility or
health insurer shall, on reasonable request, explain any code, abbreviation,
term or notation used by that custodian in the health care information.
(d) If a custodian does not maintain the information in the form requested
by the individual, the custodian is not required to create a new record or
reformulate an existing record in order to meet the request.
(e) The custodian may charge a reasonable fee for providing the health
care information requested. A reasonable fee shall be the usual commercial
rate for actual reproduction of the information. The custodian may also
charge an additional fee of no more than $5.00 for each hour of personnel
time required to reproduce the health care information. A detailed bill
accounting for the charges shall be provided by the custodian.
§ 9466. RIGHT TO AMEND HEALTH CARE INFORMATION
(a) An individual may request in writing that a custodian amend the
individual’s health care information in order to improve the accuracy or
completeness of the information, as long as the amendment does not delete,
erase or obliterate any of the original information.
(b) Within 30 days after receipt of a written request from an individual
to amend the individual’s health care information, a custodian shall do one
of the following:
(1) Amend the information as requested.
(2) Notify the individual that the request has been denied, the reason
for the denial, and that the individual may file a concise statement of what
the individual believes to be the correct information and the reasons the
individual disagrees with the denial. This statement by the individual
shall be retained in the health care information.
§ 9467. LEGAL PROCESS; RIGHT TO OBJECT TO DISCLOSURE;
NOTICE TO SUBJECT OF INFORMATION
A custodian shall make a good faith effort to notify the individual subject
of health care information prior to disclosure pursuant to legal process,
including a court order, subpoena, subpoena duces tecum or a discovery
request, unless otherwise ordered by the court. A custodian or the
individual subject of health care information, or both, may object to
disclosure under this section by filing an objection or a request for a
protective order, or both, in the appropriate forum.
§ 9468. NOTICE OF INFORMATION PRACTICES
Health care providers and health care facilities shall post a notice in a
conspicuous public place on the premises and shall provide the notice to all
individuals whose health care information is maintained by the provider or
facility. The notice shall include the following:
THE CONFIDENTIALITY OF YOUR HEALTH CARE INFORMATION WILL BE PROTECTED.
YOUR HEALTH CARE INFORMATION WILL NOT BE DISCLOSED OR RELEASED TO ANYONE
WITHOUT YOUR WRITTEN AUTHORIZATION, EXCEPT TO ENSURE THAT YOU RECEIVE
COMPETENT AND APPROPRIATE HEALTH CARE OR AS PERMITTED OR REQUIRED BY LAW.
YOU MAY REQUEST A COPY OF YOUR MEDICAL RECORDS. YOU MAY ASK YOUR HEALTH
CARE PROVIDER ANY QUESTIONS YOU HAVE ABOUT YOUR RECORDS, INCLUDING WHETHER
YOUR MEDICAL RECORDS ARE HANDLED ELECTRONICALLY OR MANUALLY. A COPY OF THE
MEDICAL RECORDS LAW IS AVAILABLE AT
§ 9469. RIGHTS OF MINORS
A minor who lawfully may consent to health care without the consent of a
parent or legal guardian may exclusively exercise the rights of an
individual under this subchapter regarding information pertaining to the
health care to which the minor has lawfully consented.
§ 9470. REPRESENTATIVE OF DECEASED INDIVIDUAL
An executor or administrator of a deceased individual may exercise all the
rights of the deceased individual provided by this subchapter subject to any
written limitations or restrictions by the decedent that are included in the
health care information. If there is no executor or administrator, the
rights of a deceased individual may be exercised by the following persons,
in the following order of priority:
(1) The surviving spouse.
(2) Any other person authorized by law to act for the individual.
§ 9471. MAINTENANCE OF HEALTH CARE INFORMATION;
(a) A custodian shall develop and implement policies, standards and
procedures to protect the confidentiality, security and integrity of health
care information to ensure that the information is not negligently,
inappropriately or unlawfully disclosed. These procedures shall include:
(1) The use of nondisclosure and confidentiality policies and agreements,
which shall include guidelines for access to health care information on a
need-to-know basis only, and safeguards to enforce those guidelines.
(2) Periodic training for all employees regarding the requirements of
this subchapter and any related licensing rules or professional ethical
(3) Disciplinary measures for violations of the confidentiality procedure.
(4) Identification of individuals who are authorized to disclose health
(5) Methods for handling, disclosing, storing and disposing of health
care information, including procedures for appropriate responses to court
ordered legal process, legal process from a governmental entity or legal
process issued by an attorney.
(b) An individual’s health care information generated, received or
compiled by a health care provider or health care facility shall be retained
by the facility or provider, or its successors or assigns, for a minimum
period of ten years, or ten years after the individual reaches the age of
majority, whichever is longer.
(c) Employers shall adopt and implement policies and procedures to ensure
that employee health care information is maintained separately and apart
from other employment records and is used only for the lawful health care
purposes for which the information was acquired.
(d) A custodian that is not a health care provider or a health care
facility shall destroy health care information when there is no longer any
lawful purpose for maintaining the information.
§ 9472. CIVIL ACTION: REMEDIES: ATTORNEY GENERAL
(a) Whenever the attorney general has reason to believe that a person has
knowingly violated a provision of this subchapter and that an action under
this section is in the public interest, the attorney general may bring an
action to enjoin violations of this subchapter. An injunction issued under
this section shall be issued without bond.
(b) In addition to relief available pursuant to subsection (a) of this
section, the attorney general may request and the court may order any other
temporary or permanent relief as may be in the public interest, including
(1) A civil penalty of not more than $10,000.00 for each violation, not
to exceed $50,000.00 in the aggregate for multiple violations.
(2) A civil penalty of not more than $250,000.00 if the court finds that
a violation of this subchapter has occurred with sufficient frequency to
constitute a general business practice.
(3) Actual damages suffered by the aggrieved individual.
(4) Reasonable attorney fees, investigatory expenses and court costs.
(c) An individual who is aggrieved by a violation of this subchapter may
bring a civil action for the following:
(1) Actual damages or $1,000.00, whichever is greater.
(2) Punitive damages.
(3) Temporary, preliminary and equitable relief as the court deems
(4) Reasonable attorney fees, expenses and costs.
(d) In an action under this section, evidence that the custodian complied
with the requirements of subsection 9471(a) of this title is admissible, if
(e) An individual may not maintain an action against a person who
disclosed health care information in good faith reliance on the individual’s
authorization that meets the requirements of subsection 9463(b) of this
title and made the disclosure in compliance with requirements of this
Sec. 3. 12 V.S.A. § 1612 is amended to read:
§ 1612. PATIENTS' PRIVILEGE
(a) Confidential information privileged. Unless the patient waives the
privilege by authorizing its disclosure pursuant to 18 V.S.A. § 9463 or
unless the privilege is waived disclosure is permitted or required by an
express provision of law, a person authorized to practice medicine,
chiropractic or dentistry, a registered professional or licensed practical
nurse, or a mental health professional as defined in 18 V.S.A. § 7101(13)
shall not be allowed to disclose any health care information, as defined in
18 V.S.A. § 9461(6) acquired in attending a patient in a professional
capacity, including joint or group counseling sessions, and which was
necessary to enable the provider to act in that capacity.
* * *
(c) Mental or physical condition of deceased patient. A physician,
chiropractor or nurse shall be required to disclose any information as to
the mental or physical condition of a deceased patient privileged under
subsection (a), except information which would tend to disgrace the memory
of the decedent, either in the absence of an objection by a party to the
litigation or when the privilege has been waived:
(1) by the personal representative, or the surviving spouse, or the next
of kin of the decedent; or
(2) in any litigation where the interests of the personal representative
are deemed by the trial judge to be adverse to those of the estate of the
decedent, by any party in interest; or
(3) if the validity of the will of the decedent is in question, by the
executor named in the will, or the surviving spouse or any heir-at-law or
any of the next of kin or any other party in interest.
Sec. 4. 12 V.S.A. § 523 is added to read:
§ 523. ACTIONS BASED ON VIOLATION OF CONFIDENTIALITY OF
HEALTH CARE INFORMATION
An action for violation of subchapter 9 of chapter 221 of Title 18 shall be
commenced within three years after the cause of action accrues and not
after. The cause of action shall be deemed to accrue as of the date the
violation was discovered or reasonably should have been discovered.
Sec. 5. CONSTRUCTION
Nothing in this act shall be construed to limit or expand the ability of
law enforcement officers to obtain health care information in the course of
performing lawful law enforcement activities.
Sec. 6. EFFECTIVE DATE
This act shall take effect on July 1, 1997.