[Med-privacy] HIPSA bill
peter marshall
pwm@comcast.net
Sat, 28 Jul 2007 13:34:23 -0700

On July 18, the Health Information Privacy and Security Act of 2007
(HIPSA) (S.1814) was introduced into the Senate. The bill was
sponsored by Senator Patrick Leahy (D-VT) and co-sponsored by Senator
Edward Kennedy (D-MA). HIPSA seeks to provide individuals with access
to their personal health information while ensuring patient privacy.

HIPSA provides individuals the right to access their health data and
prohibits the use of health data without patient authorization. The bill
requires that organizations that store health information electronically
notify individuals of their privacy practices and establish adequate
safeguards to prevent security breaches, or face civil penalties. If a
breach does occur, the bill requires patient notification within 15 days
of the occurrence. HIPSA also authorizes the Attorney General to file a
civil action against organizations that do not properly safeguard
electronic health records or provide individuals with information about
their health privacy rights.

Further, HIPSA requires de-identification of individually identifiable
health information used for research purposes. The bill provides
exceptions for public safety, national security, and law enforcement
purposes. In addition, providers may disclose health information to law
enforcement personnel and a patient's next of kin, so long as the
patient has been given the right to opt out of the disclosure.

HIPSA will establish a health information privacy department within the
Department of Health and Human Services. The department's main function
will be to provide consumers with information regarding their privacy
rights. HIPSA makes it a federal crime to "knowingly and intentionally
disclose or use sensitive health information without an individual's
consent." If a person commits an offense, they may be fined $50,000 and
could be imprisoned for one year. If the violation is committed with
the intent to sell or use the information for economic gain, violators
may be fined up to $500,000 and face up to 10 years in prison.

Health Information Privacy and Security Act of 2007, S.1814:
http://thomas.loc.gov/cgi-bin/query/z?c110:S.1814:
[EPIC]