Representative Arthur J. O'Neill, Chairman
William R. Breetz
Representative Robert Farr
Jon P. Fitzgerald
Robert W. Grant
Representative Michael P. Lawlor
Michael W. Lyons
Mary Anne O'Neill
Joel I. Rudikoff
Edmund F. Schmidt
Joseph J. Selinger, Jr.
Judge Elliot N. Solomon
Professor Colin C. Tait
Professor Terry J. Tondro
I. Milton Widem
Senator Donald E. Williams, Jr.

David D. Biklen
Executive Director

David L. Hemond
Chief Attorney

Jo A. Roberts
Senior Attorney

Connecticut Law Revision Commission
State Capitol
Room 509A
Hartford, Connecticut 06106-1591
(860) 240-0220
FAX (860) 240-0322
Email: lrc@po.state.ct.us


Working Draft

of a Health-Care Information Act

Sections 1-102 et seq

Prepared by David L. Hemond as Committee Drafter/Reporter

December 16, 1998

(Uniform Comments Omitted)

Note: This draft is intended to facilitate discussion of revisions that may be appropriate to create a Committee health-care information act. Suggested italicized language highlights issues and does not presume any committee consensus. I have inserted "Drafter’s comments" to further highlight issues.

PLEASE NOTE, ALSO, THAT THE CHANGES SUGGESTED HERE ARE MADE TO HIGHLIGHT ISSUES. AS SUCH THEY ARE NOT NECESSARILY INTERNALLY CONSISTENT WITH THE REST OF THE DRAFT. ONCE DECISIONS ARE MADE, THE DRAFT AS A WHOLE WILL REQUIRE CLOSE SCRUTINY FOR TECHNICAL AND STYLISTIC CONSISTENCY. MOST CHANGES SINCE THE PRIOR DRAFT ARE CONTAINED IN ARTICLE 5 AND THE FOLLOWING PROVISIONS AND ARE INDICATED IN BOLD UPPER CASE.

SECTION 1-102. DEFINITIONS.

As used in this [Act], unless the context otherwise requires:

(1) "Audit" means an assessment, evaluation, determination, or investigation of a health-care provider OR OTHER RECORD HOLDER by a person not employed by or affiliated with the provider OR RECORD HOLDER to determine compliance with:

(i) statutory, regulatory, fiscal, medical, or scientific standards;

(ii) a private or public program of payments to a health-care provider; or

(iii) requirements for licensing, accreditation, or certification.

Drafter’s comment: Sufficiency of definition of "audit" was questioned if act is extended to apply beyond "health-care providers". This definition provides an exception to the rule of nondisclosure to allow evaluations and investigations. Such a rule may also be necessary for insurers, employers, and others to whom the general nondisclosure rule may be applied. This draft suggests using the term "record holder" to refer to that expanded class. See proposed definition below.

(2) "Directory information" means information disclosing the presence and the general health condition of a particular patient who is an in-patient in a health-care facility or who is currently receiving emergency health care in a health-care facility.

Drafter’s comment: Some members questioned the act’s presumption that "directory information" should be disclosable absent patient permission.

(*) "DISCLOSE" MEANS TO RELEASE, TRANSFER, PROVIDE ACCESS TO, OR OTHERWISE DIVULGE PROTECTED HEALTH INFORMATION TO ANY PERSON OTHER THAN THE INDIVIDUAL WHO IS THE SUBJECT OF SUCH INFORMATION. SUCH TERM INCLUDES THE INITIAL DISCLOSURE AND ANY SUBSEQUENT REDISCLOSURES OF PROTECTED HEALTH INFORMATION.

Drafter’s comment: Committee sentiment appeared to be that "disclose" should be defined. Draft option is from S. 2330. Identical language, but omitting the last sentence, is contained in H.R. 4250.

(3) "General health condition" means the patient's health status described in terms of "critical," "poor," "fair," "good," "excellent," or terms denoting similar conditions.

(4) "Health care" means any care, service, or procedure provided by a health-care provider:

(i) to diagnose, treat, or maintain a patient's physical or mental condition, or

(ii) that affects the structure or any function of the human body.

Drafter’s comment: The Schreiber information (attached Brady memo dated September 21, 1998) notes the following "health care" definition in H.R. 3900, Representative Shays’ bill:

[(A) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, including appropriate assistance with disease and symptom management and maintenance, counseling, service, or procedure – (i) with respect to the physical or mental condition of an individual; (ii) affecting the structure or function of the human body or any part of the human body, including the banking of blood, sperm, organs or any other tissue; and (B) any sale or dispensing of a drug, device, equipment, or other health care related item to an individual, or for the use of an individual, pursuant to a prescription.]

(5) "Health-care facility" means a hospital, clinic, nursing home, laboratory, office, or similar place, where a health-care provider provides health care to patients.

(6) "Health-care information" means any information, whether oral or recorded in any form or medium, that identifies or can readily be associated with the identity of a patient and relates to the patient's health care. The term includes any record of disclosures of health-care information.

Drafter’s comment: Committee members expressed concern that the definition of "health-care information" be sufficiently broad. While the act definition does appear to be broad, other acts also have broad formulations. The various federal proposals use possibly broader, more specific language. See Schreiber information, Brady memo dated September 21, 1998. A sample, based on H.R. 3900, Representative Shays’ bill, defining "individually identifiable health information" is set out in brackets below.

[any information, including demographic information, collected from an individual, whether oral or recorded in any form or medium, that –

(A) is created or received by a health care provider, health plan, health oversight agency, public health authority, employer, health or life insurer, school or university; (B)(i) relates to the past, present, future physical or mental health or condition of an individual (including individual cells and their components), the provision of health care to an individual, or the past, present, or future payment activities related to the provision of health care to an individual; and (ii)(I) identifies an individual; (II) contains personal identifiers that provide a direct means of identifying an individual; or (III) has been provided in an encrypted format that does not directly identify an individual, but that provides a method for decrypting the information.]

(7) "Health-care provider" means a person who is licensed, certified, or otherwise authorized by the law of this State to provide health care in the ordinary course of business or practice of a profession. The term does not include a person who provides health care solely through the sale or dispensing of [drugs or] medical devices.

Drafter’s comment: This definition is central to applicability of act’s provisions. Committee agreed to include pharmacists, as reflected by strike out language. Should provision also apply to dealer in medical devices? Consensus is to expand application of act beyond these core "health care providers". The drafter assumes that will be done by adding provisions applying to "obligated nonhealth-care providers" the POP category hypothesized by Mr. Breetz (referred to in this draft as "record holders"), or, perhaps, to any person maintaining or receiving confidential information. If so, the definition of "health-care provider" may not need expanding.

(8) "Institutional review board" means any board, committee, or other group formally designated by an institution, or authorized under federal or state law, to review, approve the initiation of, or conduct periodic review of research programs to assure the protection of the rights and welfare of human research subjects.

(9) "Maintain," as related to health-care information, means to hold, possess, preserve, retain, store, or control that information.

(*) "ORIGINATING RECORD HOLDER" MEANS THE HEALTH-CARE PROVIDER OR OTHER RECORD HOLDER BY WHOM THE INFORMATION CONSTITUTING THE HEALTH-CARE RECORD WAS CREATED OR ORIGINALLY COLLECTED.

Drafter's comment: Committee comments have indicated that the primary responsibility for responding to requests to examine and copy and requests to correct and amend should be with the person responsible for creating the record in the first instance. In the usual case, that will be the health-care provider. However, the current version of this act also contemplates covering, for example, pharmacies, employers, and insurers who, in a particular context, may be the original creator of the record. A definition such as that suggested here is necessary to cover those persons.

(10) "Patient" means an individual who receives or has received health care. The term includes a deceased individual who has received health care.

Drafter’s comment: Sufficiency of "patient" definition has been questioned. Draft assumes that there is "medical information" that we want to be confidential under this act that is not gathered initially by a health care provider, i.e., disclosures to employer or life insurer on applications that do not reflect professional’s diagnosis and treatment. The proposed draft therefore makes little use of the definition of "patient".

(11) "Person" means an individual, corporation, business trust, estate, trust, partnership, association, joint venture, government, governmental subdivision or agency, or any other legal or commercial entity.

(*) "RECORD HOLDER" MEANS A HEALTH CARE PROVIDER, INSURER, HEALTH OVERSIGHT AGENCY, INFORMATION MANAGEMENT ENTITY, EMPLOYER, SCHOOL, OR OTHER PERSON WHO HOLDS, OBTAINS, OR MAINTAINS HEALTH CARE INFORMATION IN THE REGULAR COURSE OF BUSINESS.

Drafter's comment: Record holder is suggested as the term for expanding coverage of the confidentiality rules to all persons in the business of compiling such a record. See, for example, the Massachusetts bill, 1498, which uses the defined term "commercial user". I like their concept of an expansive definition, but do not like the term "commercial user" which does not convey, in itself, what entities are referenced. (i.e., commercial user of what?) The Massachusetts definition of commercial user is:

"(A) any person, other than a health researcher or public health authority, who, for commercial, financial, or professional gain, monetary fees, dues, or on a cooperative, non-profit or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected or coded health information, including, but not limited to, health care payers, information or computer management entities, health oversight agencies, accrediting bodies, employers, schools or health care practitioners who are not otherwise acting as clinical users"

We might wish to consider the term "covered entity" used in the most recent Massachusetts bill.

ARTICLE II

DISCLOSURE OF HEALTH-CARE INFORMATION

SECTION 2-101. DISCLOSURE BY HEALTH-CARE PROVIDER.

(a) Except as authorized in Section 2-104, a health-care provider, an individual who assists a health-care provider in the delivery of health care, [or] an agent and employee of a health-care provider, AND ANY OTHER RECORD HOLDER may not disclose health-care information about [a patient] AN INDIVIDUAL to any other person without the [patient's] written authorization OF THE INDIVIDUAL WHO IS THE SUBJECT OF THE HEALTH CARE INFORMATION. A disclosure made under a [patient's] written authorization must conform to the authorization.

Drafter’s comment: This subsection states the basic rule, that health care information may not be disclosed without written authorization. The committee has indicated that this rule should extend beyond "health-care providers" but has not settled on whether there are contexts in which these rules do not apply. This issue could be dealt with here, or under section 2-104, specifying exceptions. The italicized language incorporates the draft’s suggested use of the term "record holder", restricted to commercial contexts to avoid what may be unintended consequences of nondisclosure rules – lawsuits, for example, between family members for disclosures in a social context. (See for example the Massachusetts bill 1498, which refers to "commercial users"). This draft also suggests, as one possibility, addressing the application of the act to insurers through an exception in section 2-104 that allows insurers to rely on compliance with the Insurance Information and Privacy Protection Act.

(b) A health-care provider AND ANY OTHER RECORD HOLDER shall maintain, in conjunction with [a patient's] AN INDIVIDUAL’S recorded health-care information, a record of each person who has received or examined, in whole or in part, the recorded health-care information during the next preceding [three] years, except for a person who has examined the recorded health-care information under paragraph (1) or (2) of Section 2-104(a). The record of disclosure must include the name, address, and institutional affiliation, if any, of each person receiving or examining the recorded health-care information, the date of the receipt or examination, and, to the extent practicable, a description of the information disclosed. A HEALTH-CARE PROVIDER’S RECORD OF DISCLOSURE IS PART OF THE PATIENT’S RECORDED HEALTH-CARE INFORMATION.

(c) A PERSON TO WHOM HEALTH-CARE INFORMATION IS DISCLOSED MAY NOT REDISCLOSE THAT INFORMATION TO ANY OTHER PERSON UNLESS THAT DISCLOSURE IS AUTHORIZED UNDER SUBSECTION (a) OF THIS SECTION OR UNDER SECTION 2-104 OR 2-105.

Drafter’s comment: The last sentence in subsection (b) was added for clarity. Subsection (c) is suggested to clarify that a person receiving health care information is under the same obligation as the original holder to maintain its confidentiality and may not disclose it except as expressly authorized.

SECTION 2-102. [PATIENT] AUTHORIZATION [TO HEALTH-CARE PROVIDER] FOR DISCLOSURE.

(a) [A patient] AN INDIVIDUAL WHO IS THE SUBJECT OF HEALTH-CARE INFORMATION may authorize a [health-care provider] PERSON HOLDING THAT INFORMATION to disclose the [patient's health-care] information. [A health-care provider shall] EXCEPT AS PROVIDED HEREIN, AN ORIGINATING RECORD HOLDER MUST honor an authorization and, if requested, provide a copy of the recorded health-care information. [unless the health-care provider] AN AUTHORIZATION THAT WOULD PERMIT DISCLOSURE OF THE INFORMATION TO THE INDIVIDUAL WHO IS THE SUBJECT OF THE HEALTH-CARE INFORMATION IS ONLY VALID TO PERMIT DISCLOSURE BY THE ORIGINATING RECORD HOLDER AND THAT ORIGINATING RECORD HOLDER MAY [denies the patient] DENY THE INDIVIDUAL access to THE health-care information under Section 3-102.

Drafter’s comment: Gist of committee comments is to make act’s provisions more generally applicable. New language in this section would make authorization language more generally applicable, applying beyond the health-care provider/ patient context. It presumes, however, that only originating record holders are obligated to comply with an authorization to disclose and that the authorization process cannot bypass the right of originating record holders to deny patient access under section 3-102. Thus the primary obligation to disclose is on "originating record holders" and a patient cannot authorize the subsequent holder of a record to disclose to the patient.

(b) A health-care provider OR OTHER RECORD HOLDER may charge a reasonable fee, not to exceed the [health-care provider's actual cost] CHARGES PERMITTED A PROVIDER UNDER SUBSECTION (b) OF SECTION 20-7c OF THE GENERAL STATUTES for providing the health-care information, and is not required to honor an authorization until the fee is paid.

Drafter's comment: Committee members suggested incorporating current Connecticut standards for costs which are set out in section 20-7c with respect to medical information obtained from providers.

(c) To be valid, a disclosure authorization [to a health-care provider] must:

(1) be in writing, dated, and signed by the [patient] INDIVIDUAL WHO IS THE SUBJECT OF THE HEALTH-CARE INFORMATION;

(2) identify the nature of the information to be disclosed;

(3) identify the person to whom the information is to be disclosed [.];

(4) IDENTIFY THE PERSON WHO IS BEING AUTHORIZED TO MAKE THE DISCLOSURE;

(5) CONTAIN A STATEMENT OF THE PURPOSES FOR WHICH THE INFORMATION MAY BE USED;

(6) CONTAIN A NOTICE OF THE INDIVIDUAL'S RIGHT TO REVOKE THE AUTHORIZATION AS PROVIDED IN SECTION 2-103 OF THIS ACT AND OF THE INDIVIDUAL'S RIGHT TO RECEIVE A NOTICE OF INFORMATION PRACTICES; AND

(7) CONTAIN A NOTICE THAT THE RECIPIENT OF THE DISCLOSED INFORMATION MAY NOT REDISCLOSE THAT INFORMATION TO ANY OTHER PERSON EXCEPT AS EXPRESSLY PERMITTED UNDER THE AUTHORIZATION, UNDER THIS ACT OR UNDER OTHER LAW.

Drafter’s comment: H.R. 3900, section 103, requires at least the following:

[(A) a general statement of the purposes for which the individually identifiable health information disclosed pursuant to the authorization may be used;

(B) a general description of the persons who are authorized to use such information;

(C) a valid signature of an individual whose health or health care is the subject of the information (or an authorized representative of such individual);

(D) the date of the signature;

(E) an expiration date upon which the authorization is no longer valid; and

(F) reasonable procedures permitting such individual or representative to revoke the authorization…]

Section 5 of Massachusetts bill 1498 contains additional requirements, including, for example, that the consent be informed, that the consent be in writing printed in at least 12-point type, that the consent disclose that the subject has the right to segregate protected health information and to prevent the entrance of protected information into a computer without jeopardizing care and payment rights.

The drafter proposes additional language as noted in line with the federal model, but including a notice that the information may not be redisclosed except as expressly authorized.

(d) Except as provided by this [Act], the signing of an authorization [by a patient] is not a waiver of any rights [a patient has] under other statutes, the rules of evidence, or common law.

(e) A [health-care provider] PERSON WHO OBTAINS AN AUTHORIZATION shall retain [each] THE authorization [or] AND ANY revocation OF THAT AUTHORIZATION in conjunction with any health-care information from which disclosures are made.

(f) Except for authorizations to provide information to third-party health-care payors, an authorization may not permit the release of health-care information relating to future health care that the [patient] INDIVIDUAL receives more than six months after the authorization was signed.

(g) An authorization in effect on the effective date of this [Act] remains valid for 30 months after the effective date of this [Act] unless an earlier date is specified or it is revoked under Section 2-103. Health-care information disclosed under such an authorization is otherwise subject to this [Act]. An authorization written after the effective date of this [Act] becomes invalid after the expiration date contained in the authorization, which may not exceed 30 months. If the authorization does not contain an expiration date, it expires six months after it is signed.

SECTION 2-103. PATIENT'S REVOCATION OF AUTHORIZATION FOR DISCLOSURE.

[A patient] AN INDIVIDUAL may revoke a disclosure authorization [to a health-care provider] MADE UNDER SECTION 2-102 OF THIS ACT at any time unless disclosure is required to effectuate payments for health care that has been provided or other substantial action has been taken in reliance on the authorization. [A patient] AN INDIVIDUAL may not maintain an action [against the health-care provider] for disclosures made in good-faith reliance on an authorization if the [health-care provider] PERSON MAKING THE DISCLOSURE had no notice of the revocation of the authorization.

SECTION 2-104. DISCLOSURE WITHOUT [PATIENT'S] AUTHORIZATION.

(a) IF DISCLOSURE IS NOT PROHIBITED BY ANY OTHER PROVISION OF STATE OR FEDERAL LAW, INCLUDING PROHIBITIONS ON THE DISCLOSURE OF MENTAL HEALTH INFORMATION, A DIAGNOSIS OF HIV OR AIDS, OR TREATMENT FOR SUBSTANCE ABUSE, A health-care provider OR OTHER RECORD HOLDER may disclose health-care information about [a patient] AN INDIVIDUAL without the [patient's] INDIVIDUAL’S authorization to the extent a recipient needs to know the information, if the disclosure is:

Drafter’s comment: This draft suggests explicitly not applying these disclosure authorizations to contexts where current restrictions are greater.

(1) to a person who is providing health-care to the [patient] INDIVIDUAL;

(2) to any other person who requires health-care information for health-care education, or to provide planning, quality assurance, peer review, or administrative, legal, financial, or actuarial services to the [health-care provider] RECORD HOLDER, or for assisting [the] A health-care provider in the delivery of health care and the [health-care provider] PERSON DISCLOSING THE INFORMATION reasonably believes that the person RECEIVING THE INFORMATION:

(i) will not use or disclose the health-care information for any other purpose; and

(ii) will take appropriate steps to protect the health-care information.

(3) to any [other] health-care provider who has previously provided health care to the [patient] INDIVIDUAL WHO IS THE SUBJECT OF THE HEALTH-CARE INFORMATION, to the extent necessary to provide health care to the [patient] INDIVIDUAL, unless the [patient] INDIVIDUAL has instructed the health-care provider not to make the disclosure;

(4) to any person if the health-care provider OR OTHER RECORD HOLDER reasonably believes that disclosure will avoid or minimize an imminent danger to the health or safety of the [patient or] any [other] individual;

(5) WITH RESPECT TO INFORMATION HELD BY A HEALTH CARE PROVIDER CONCERNING AN INPATIENT AT A HEALTH CARE FACILITY, UNLESS THE INDIVIDUAL HAS INSTRUCTED THE HEALTH CARE PROVIDER NOT TO MAKE THE DISCLOSURE, to immediate family members of the [patient] INDIVIDUAL WHO IS THE SUBJECT OF THE HEALTH-CARE INFORMATION, or any other individual with whom the [patient] INDIVIDUAL is known to have a close personal relationship, if made in accordance with good medical or other professional practice [, unless the patient has instructed the health-care provider not to make the disclosure] IF THE INPATIENT (i) WAS NOTIFIED OF THE RIGHT TO OBJECT TO SUCH A DISCLOSURE AT THE TIME OF ADMISSION TO THE FACILITY AND HAS NOT OBJECTED, OR (ii) IS IN A PHYSICAL OR MENTAL CONDITION SUCH THAT IT WOULD NOT BE POSSIBLE TO NOTIFY THE INPATIENT OF THE RIGHT TO OBJECT AND THERE ARE NO PRIOR INDICATIONS THAT THE INPATIENT WOULD OBJECT;

Drafter’s comment: Committee discussions have indicated substantial discomfort with the breach in confidentiality authorized by the initial draft. Numerous medical conditions, such as HIV, drug dependence, and the performance of an abortion are not appropriate for release without explicit authorization, even, or particularly, to close family members. However, other communications, particularly to spouses or children in situations where the individual cannot explicitly authorize disclosure, are accepted practice. A requirement, for example, that one obtain a court order or appointment as conservator to find out that one’s spouse has had a stroke may impose an impractical burden. This draft suggests adding language such as that contained in the Massachusetts bill, 1498, section 8 (a), which limits disclosures to an inpatient context and requires prior notice where possible.

(6) to a health-care provider who is the successor in interest to the health-care provider maintaining the health-care information;

(7) for use in a research project that an institutional review board has determined:

(i) is of sufficient importance to outweigh the intrusion into the privacy of the [patient] INDIVIDUAL that would result from the disclosure;

(ii) is impracticable without the use or disclosure of the health-care information in individually identifiable form;

(iii) contains reasonable safeguards to protect the information from redisclosure;

(iv) contains reasonable safeguards to protect against identifying, directly or indirectly, any patient in any report of the research project; and

(v) contains procedures to remove or destroy at the earliest opportunity, consistent with the purposes of the project, information that would enable the patient to be identified, unless an institutional review board authorizes retention of identifying information for purposes of another research project;

Drafter’s comment: The Massachusetts bills generally allow identifiable info to be released for research only on consent. See section 12 of 1498.

(8) to a person who obtains information for purposes of an audit, if that person agrees in writing to:

(i) remove or destroy, at the earliest opportunity consistent with the purpose of the audit, information that would enable the [patient] INDIVIDUAL WHO IS THE SUBJECT OF THE HEALTH-CARE INFORMATION to be identified; and

(ii) not to disclose the information further, except to accomplish the audit or report unlawful or improper conduct involving fraud in payment for health-care [by a health-care provider or patient], or other unlawful conduct [by the health-care provider];

(9) to an official of a penal or other custodial institution in which the [patient] INDIVIDUAL is detained.

(b) A health-care provider may disclose health-care information about [a patient] AN INDIVIDUAL without the [patient's] INDIVIDUAL’S authorization if the disclosure is:

(1) directory information CONCERNING AN INPATIENT AT A HEALTH-CARE FACILITY, unless the [patient] INDIVIDUAL has instructed the health-care provider not to make the disclosure OR THE DISCLOSURE IS OTHERWISE PROHIBITED BY LAW;

Drafter’s comment: The committee seemed concerned at the expansive nature of this authorization. Draft suggests limiting authority to inpatient context. Additional restriction, such as that under subparagraph (a)(5), above, could be added.

(2) to federal, state, or local public-health authorities, to the extent the health-care provider is required by law to report health-care information or when needed to protect the public health;

(3) to federal, state, or local law enforcement authorities to the extent required by law;

(4) pursuant to compulsory process in accordance with Section 2-105;

(c) NOTWITHSTANDING THE PROVISIONS OF THIS ACT, AN INSURANCE INSTITUTION, INSURANCE AGENT, OR INSURANCE-SUPPORT ORGANIZATION MAY DISCLOSE HEALTH-CARE INFORMATION IF MADE IN COMPLIANCE WITH THE CONNECTICUT INSURANCE INFORMATION AND PRIVACY PROTECTION ACT.

Drafter’s comment: Considerable committee discussion has revolved around the interrelationship of this act and the Connecticut Insurance Information and Privacy Protection Act. Insurance representatives have indicated that the Insurance Information and Privacy Protection Act generally provides similar regulation of information disclosure to that provided by the health-care information act, but formulated specifically to apply in insurance contexts. If protections under the Insurance Information and Privacy Protection Act are, in fact, adequate, one method in which insurer interests could be accommodated would be to exempt insurer actions to the extent that they complied with that act. Such a provision is suggested in subsection (c) above.

SECTION 2-105. COMPULSORY PROCESS.

(a) Health-care information may not be disclosed by [a health-care provider] A RECORD HOLDER pursuant to compulsory legal process or discovery in any judicial, legislative, or administrative proceeding unless:

(1) the [patient] INDIVIDUAL WHO IS THE SUBJECT OF THE HEALTH-CARE INFORMATION has consented in writing to the release of the health-care information in response to compulsory process or a discovery request;

(2) the [patient] INDIVIDUAL has waived the right to claim confidentiality for the health-care information sought;

(3) the [patient] INDIVIDUAL is a party to the proceeding and has placed his [or her] physical or mental condition in issue;

(4) the [patient's] INDIVIDUAL’S physical or mental condition is relevant to the execution or witnessing of a will;

(5) the physical or mental condition of a deceased [patient] INDIVIDUAL is placed in issue by any person claiming or defending through or as a beneficiary of [the patient] THAT INDIVIDUAL;

(6) [a patient's] AN INDIVIDUAL’S health-care information is to be used in the [patient's] INDIVIDUAL’S commitment proceeding;

(7) the health-care information is for use in any law enforcement proceeding or investigation in which [a health-care provider] RECORD HOLDER is the subject or a party; but, health-care information so obtained may not be used in any proceeding, against the [patient] INDIVIDUAL WHO IS THE SUBJECT OF THE HEALTH-CARE INFORMATION, unless the matter relates to payment for the [patient's] INDIVIDUAL’S health care, or unless authorized under paragraph (9).

(8) the health-care information is relevant to a proceeding brought under Article 8; or

(9) a court has determined that particular health-care information is subject to compulsory legal process or discovery because the party seeking the information has demonstrated that the interest in access outweighs the patient's privacy interest.

(b) Unless the court, for good cause shown, determines that the notification should be waived or modified, if health-care information is sought under paragraph (2), (4), or (5) of subsection (a) or in a civil proceeding or investigation under paragraph (9) of subsection (a), the person seeking discovery or compulsory process shall mail a notice by first-class mail to the [patient] INDIVIDUAL WHO IS THE SUBJECT OF THE HEALTH-CARE INFORMATION or the [patient's] INDIVIDUAL’S attorney of record of the compulsory process or discovery request at least [ten] days before presenting the certificate required under subsection (c) to the [health-care provider] RECORD HOLDER.

(c) Service of compulsory process or discovery requests [upon a health-care provider] FOR HEALTH-CARE INFORMATION must be accompanied by a written certification, signed by the person seeking to obtain health-care information, or his [or her] authorized representative, identifying at least one paragraph of subsection (a) under which compulsory process or discovery is being sought. The certification must also state, in the case of information sought under paragraph (2), (4), or (5) of subsection (a), or in a civil proceeding under paragraph (9) of subsection (a), that the requirements of subsection (b) for notice have been met. A person may sign the certification only if the person reasonably believes that the paragraph of subsection (a) identified in the certification provides an appropriate basis for the use of discovery or compulsory process. Unless otherwise ordered by the court, the [health-care provider] PERSON SERVED shall maintain a copy of the process and the written certification as a permanent part of the [patient's] INDIVIDUAL’S health-care information.

(d) Production of health-care information under this section, in and of itself, does not constitute a waiver of any privilege, objection, or defense existing under other law or rule of evidence or procedure.

ARTICLE III

EXAMINATION AND COPYING OF RECORD

SECTION 3-101. REQUIREMENTS AND PROCEDURES FOR [PATIENT'S] EXAMINATION AND COPYING.

(a) Upon receipt of a written request from [a patient] THE INDIVIDUAL WHO IS THE SUBJECT OF THE INFORMATION to examine or copy all or part of [the patient's] THAT INDIVIDUAL’S recorded health-care information, [a health-care provider] AN ORIGINATING RECORD HOLDER, as promptly as required under the circumstances, but no later than [ten] THIRTY days after receiving the request shall:

(1) make the information available for examination during regular business hours and provide a copy, if requested, to the [patient] INDIVIDUAL WHO IS THE SUBJECT OF THE INFORMATION;

(2) inform [the patient] THAT INDIVIDUAL if the information does not exist or cannot be found;

(3) if the [health-care provider] PERSON REQUESTED TO DISCLOSE THE INFORMATION IS NOT THE ORIGINATING RECORD HOLDER OR does not maintain a record of the information, inform the [patient] INDIVIDUAL and provide the name and address, if known, of the health-care provider OR OTHER PERSON who maintains the record;

(4) if the information is in use or unusual circumstances have delayed handling the request, inform the [patient] INDIVIDUAL and specify in writing the reasons for the delay and the earliest date, not later than [21] THIRTY days after receiving the request, when the information will be available for examination or copying or when the request will be otherwise disposed of; or

(5) deny the request, in whole or in part, under Section 3-102 and inform the [patient] INDIVIDUAL.

(b) Upon request, the [health-care provider] ORIGINATING RECORD HOLDER shall provide an explanation of any code or abbreviation used in the health-care information. If a record of the particular health-care information requested is not maintained by the [health-care provider] ORIGINATING RECORD HOLDER in the requested form, the [health-care provider] ORIGINATING RECORD HOLDER is not required to create a new record or reformulate an existing record to make the health-care information available in the requested form. The [health-care provider] ORIGINATING RECORD HOLDER may charge a reasonable fee, not to exceed the [health-care provider's actual cost] CHARGES PERMITTED A PROVIDER UNDER SUBSECTION (b) OF SECTION 20-7c OF THE GENERAL STATUTES, for providing the health-care information and is not required to permit examination or copying until the fee is paid.

SECTION 3-102. DENIAL OF EXAMINATION AND COPYING.

(a) A health-care provider OR OTHER ORIGINATING RECORD HOLDER may deny access to health-care information by [a patient] THE INDIVIDUAL WHO IS THE SUBJECT OF THAT INFORMATION if the health-care provider OR OTHER ORIGINATING RECORD HOLDER reasonably concludes that:

(1) knowledge of the health-care information would be injurious to the health of the [patient] INDIVIDUAL;

(2) knowledge of the health-care information could reasonably be expected to lead to the [patient's] INDIVIDUAL’S identification of an individual who provided the information in confidence and under circumstances in which confidentiality was appropriate;

(3) knowledge of the health-care information could reasonably be expected to cause danger to the life or safety of any individual;

(4) the health-care information was compiled and is used solely for CIVIL OR CRIMINAL litigation, quality assurance, peer review, or administrative purposes; [or]

(5) access to the health-care information is otherwise prohibited by law; OR

(6) ACCESS TO THE HEALTH-CARE INFORMATION MAY BE REASONABLY DENIED UNDER THE DISCLOSURE STANDARD OF SECTION 4-194, SUBSECTION (l) OF SECTION 17a-28, SUBSECTION (b) OF SECTION 17a-548, OR AN OTHER PROVISION OF STATE OR FEDERAL LAW.

Drafter's comment: Subsection (6) is inserted to address concerns raised as to existing conflicting standards for denial of access. The premise of this draft is that any statutory standard allowing denial may be invoked. However, the individual will have rights under subsections (c) and (d) to review of the information by a separate health-care provider or petition to the Superior Court.

(b) If a health-care provider OR ORIGINATING RECORD HOLDER denies a request for examination and copying under this section, the provider OR RECORD HOLDER, to the extent possible, shall segregate health-care information for which access has been denied under subsection (a) from information for which access cannot be denied and permit the [patient] INDIVIDUAL to examine or copy the disclosable information.

(c) If a health-care provider OR ORIGINATING RECORD HOLDER denies [a patient's] AN INDIVIDUAL’S request for examination and copying, in whole or in part, under paragraph (1) or (3) of subsection (a), the provider OR ORIGINATING RECORD HOLDER shall, EXCEPT AS PROVIDED IN SUBSECTION (d) OF THIS SECTION, permit examination and copying of the record by [another] A health-care provider, selected by the [patient] INDIVIDUAL, who is licensed, certified, or otherwise authorized under the laws of this State to treat the [patient] INDIVIDUAL for the same condition [as the health-care provider denying the request] THAT IS THE SUBJECT OF THE REQUESTED INFORMATION. The health-care provider OR RECORD HOLDER denying the request shall inform the [patient] INDIVIDUAL of the [patient's] INDIVIDUAL’S right to select [another] A health-care provider under this subsection.

(d) IF A PATIENT'S TREATING HEALTH-CARE PROVIDER HAS DENIED THE PATIENT ACCESS TO HEALTH-CARE INFORMATION UNDER SUBSECTION (a) AND, IN GOOD FAITH, BASED ON THE SENSITIVE NATURE OF THE INFORMATION, DETERMINES THAT ANY DISCLOSURE OF THE INFORMATION INCLUDING A DISCLOSURE TO ANOTHER HEALTH-CARE PROVIDER UNDER SUBSECTION (c), WOULD PREJUDICE TREATMENT OF THE PATIENT OR THE PROVIDER'S PROFESSIONAL OBLIGATIONS OF CONFIDENTIALITY, THE HEALTH-CARE PROVIDER MAY CONTINUE TO DENY ACCESS AND INFORM THE PATIENT OF THE PATIENT'S RIGHT TO PETITION THE SUPERIOR COURT FOR AN ORDER THAT THE HEALTH-CARE PROVIDER DISCLOSE THE REQUESTED INFORMATION. ANY PATIENT MAY, WITHIN THIRTY DAYS OF SUCH DENIAL AND NOTICE OF THE RIGHT TO PETITION, PETITION THE SUPERIOR COURT FOR THE JUDICIAL DISTRICT IN WHICH THE PATIENT RESIDES FOR AN ORDER REQUIRING THE HEALTH-CARE PROVIDER TO DISCLOSE THE REQUESTED INFORMATION. SUCH A PROCEEDING SHALL BE PRIVILEGED WITH RESPECT TO ASSIGNMENT FOR TRIAL. THE COURT, AFTER HEARING AND AN IN CAMERA REVIEW OF THE INFORMATION IN QUESTION, SHALL ISSUE THE ORDER REQUESTED UNLESS IT DETERMINES THAT THE DISCLOSURE WOULD BE DETRIMENTAL TO THE PATIENT OR IS OTHERWISE PROHIBITED BY LAW.

Drafter's comment: Subsection (d) reflects an effort to address process concerns raised with respect to the disclosure of sensitive information, where a health-care provider has initially denied access based on health or confidentiality concerns. The proposed language parallels the provision in section 4-195 allowing a petition with respect to an agency's denial of personal data.

ARTICLE IV

CORRECTION AND AMENDMENT OF RECORD

SECTION 4-101. REQUEST FOR CORRECTION OR AMENDMENT.

(a) For purposes of accuracy or completeness, [a patient] AN INDIVIDUAL may request in writing that [a health-care provider] AN ORIGINATING RECORD HOLDER correct or amend its record of the [patient's] INDIVIDUAL’S health-care information to which [a patient] THE INDIVIDUAL has access under Section 3-101.

(b) As promptly as required under the circumstances, but no later than [ten] THIRTY days after receiving a request from [a patient] AN INDIVIDUAL to correct or amend its record of the [patient's] INDIVIDUAL’S health-care information, the [health-care provider] ORIGINATING RECORD HOLDER shall:

(1) make the requested correction or amendment and inform the [patient] REQUESTING INDIVIDUAL of the action and of the [patient's] INDIVIDUAL’S right to have the correction or amendment sent to previous recipients of the health-care information in question;

(2) inform the [patient] INDIVIDUAL if the record no longer exists or cannot be found;

(3) if the [health-care provider] PERSON REQUESTED TO CORRECT OR AMEND THE RECORD IS NOT THE ORIGINATING RECORD HOLDER OR does not maintain the record, inform the [patient] INDIVIDUAL and provide the [patient] INDIVIDUAL with the name and address, if known, of the person who maintains the record;

(4) if the record is in use or unusual circumstances have delayed the handling of the correction or amendment request, inform the [patient] INDIVIDUAL and specify in writing, the earliest date, not later than [21] THIRTY days after receiving the request, when the correction or amendment will be made or when the request will otherwise be disposed of; or

(5) inform the [patient] INDIVIDUAL in writing of the [provider's] ORIGINATING RECORD HOLDER’S refusal to correct or amend the record as requested, the reason for the refusal, and the [patient's] INDIVIDUAL’S right to add a statement of disagreement and to have that statement sent to previous recipients of the disputed health-care information.

(c) AN INSURANCE INSTITUTION, AGENT OR INSURANCE-SUPPORT ORGANIZATION IN COMPLIANCE WITH THE REQUIREMENTS OF SECTION 38a-984 OF THE GENERAL STATUTES IS IN COMPLIANCE WITH THE REQUIREMENTS OF THIS ARTICLE.

Drafter's comment: Subsection (c) is suggested to avoid problems created by the overlapping of this act with the insurer's Privacy Act. The rights under section 38a-984 are substantially similar to those under this act. See also similar rights as set out in the NAIC draft, section 8.

SECTION 4-102. PROCEDURE FOR ADDING CORRECTION OR AMENDMENT OR STATEMENT OF DISAGREEMENT.

(a) In making a correction or amendment, the [health-care provider] ORIGINATING RECORD HOLDER shall:

(1) add the amending information as a part of the health record; and

(2) mark the challenged entries as corrected or amended entries and indicate the place in the record where the corrected or amended information is located, in a manner practicable under the circumstances.

(b) If the [health-care provider] ORIGINATING RECORD HOLDER maintaining the record of the [patient's] INDIVIDUAL’S health-care information refuses to make the [patient's] proposed correction or amendment, the [provider] RECORD HOLDER shall:

(1) permit the [patient] INDIVIDUAL to file as a part of the record of the [patient's] INDIVIDUAL’S health-care information a concise statement of the correction or amendment requested and the reasons therefor; and

(2) mark the challenged entry to indicate that the [patient] INDIVIDUAL claims the entry is inaccurate or incomplete and indicate the place in the record where the statement of disagreement is located, in a manner practicable under the circumstances.

(c) NOTHING IN THIS SECTION REQUIRES THE RECORD HOLDER TO ALTER, DELETE, ERASE OR OBLITERATE HEALTH-CARE INFORMATION COLLECTED OR PROVIDED BY A HEALTH-CARE PROVIDER.

Drafter's comment: Subsection (c) is derived from a similar provision in section 8 F. of the NAIC draft and is suggested to clarify that original information collected or provided by a health-care provider, even if "corrected" or "amended", need not be erased or obliterated.

SECTION 4-103. DISSEMINATION OF CORRECTED OR AMENDED INFORMATION OR STATEMENT OF DISAGREEMENT.

(a) [A health-care provider] AN ORIGINATING RECORD HOLDER, upon request of [a patient] AN INDIVIDUAL WHO CORRECTED, AMENDED, OR DISAGREED WITH, A RECORD, shall take reasonable steps to provide copies of corrected or amended information or of a statement of disagreement to all persons designated by the [patient] INDIVIDUAL and who are identified in the health-care information as having examined or received copies of the information sought to be corrected or amended.

(b) [A health-care provider] AN ORIGINATING RECORD HOLDER may charge the [patient] INDIVIDUAL a reasonable fee, not exceeding the [provider's] actual cost, for distributing corrected or amended information or the statement of disagreement, unless the [provider's] RECORD HOLDER’S error necessitated the correction or amendment.

ARTICLE V

NOTICE OF INFORMATION PRACTICES

SECTION 5-101. CONTENT AND DISSEMINATION OF NOTICE.

[(a) A health-care provider who provides health care at a health-care facility that the provider operates and who maintains a record of a patient's health-care information shall create a "notice of information practices" that contains substantially the following:

Notice

"We keep a record of the health-care services we provide you. You may ask us to see and copy that record. You may also ask us to correct that record. We will not disclose your record to others unless you direct us to do so or unless the law authorizes or compels us to do so. You may see your record or get more information about it at ____________________."

(b) The health-care provider shall post a copy of the notice of information practices in a conspicuous place in the health-care facility and, upon request, provide patients or prospective patients with a copy of the notice.]

(a) EACH HEALTH-CARE PROVIDER, HEALTH-CARE FACILITY, AND OTHER RECORD HOLDER SHALL PROVIDE WRITTEN NOTICE IN ACCORDANCE WITH THIS SECTION OF THE PROVIDER'S OR ENTITY'S HEALTH-CARE INFORMATION PRACTICES TO EACH INDIVIDUAL WITH RESPECT TO WHOM SUCH HEALTH-CARE INFORMATION IS CREATED, COLLECTED, OR MAINTAINED.

(b) EACH HEALTH-CARE PROVIDER, HEALTH-CARE FACILITY, AND OTHER RECORD HOLDER SHALL (A) PROMINENTLY DISPLAY THE NOTICE OF HEALTH-CARE INFORMATION PRACTICES IN THE OFFICES OF SUCH PROVIDER OR ENTITY; (B) DELIVER THE NOTICE OF HEALTH-CARE INFORMATION PRACTICES TO EACH INDIVIDUAL AT THE COMMENCEMENT OF EACH PROVIDER-PATIENT RELATIONSHIP OR OTHER RELATIONSHIP WITH THE INDIVIDUAL INVOLVING THE CREATION, COLLECTION, OR MAINTENANCE OF THAT INDIVIDUAL'S HEALTH-CARE INFORMATION COMMENCED AFTER THE EFFECTIVE DATE OF THIS ACT; (C) PROVIDE THE NOTICE OF HEALTH-CARE INFORMATION PRACTICES TO ANY INDIVIDUAL WHO HAS NOT PREVIOUSLY RECEIVED THE NOTICE BEFORE ANY UNAUTHORIZED DISCLOSURE OF THAT INDIVIDUAL'S INFORMATION; AND (D) PROVIDE THE NOTICE OF HEALTH-CARE INFORMATION PRACTICES ON REQUEST TO ANY PERSON.

(c) THE NOTICE OF HEALTH-CARE INFORMATION PRACTICES SHALL INCLUDE:

(A) A REASONABLY COMPLETE DESCRIPTION OF THE USUAL FUNCTIONS PERFORMED BY THE PROVIDER OR ENTITY WITH HEALTH-CARE INFORMATION INCLUDING REFERENCE TO POLICIES, STANDARDS AND PROCEDURES IMPLEMENTED PURSUANT TO SECTION 7-101 OF THIS ACT;

(B) A BRIEF SUMMARY OF THE CIRCUMSTANCES IN WHICH AND THE PERSONS TO WHOM HEALTH-CARE INFORMATION MAY BE DISCLOSED WITHOUT AUTHORIZATION PURSUANT TO SECTION 2-104;

(C) WHETHER THE HEALTH-CARE INFORMATION IS STORED OR TRANSMITTED BY ANY ELECTRONIC MEDIA;

(D) A LIST OF AGENTS AND CONTRACTORS WHO WILL ORDINARILY HAVE ACCESS TO OR USE OF THE HEALTH-CARE INFORMATION (i) PURSUANT TO THE PROVIDER'S OR ENTITY'S STANDARD AUTHORIZATION AND (ii) IF NO DISCLOSURE AUTHORIZATION IS GIVEN;

(E) NOTICE OF RIGHTS UNDER THIS ACT TO REVOKE AN AUTHORIZATION, TO EXAMINE, AMEND, AND ADD TO A MEDICAL RECORD, AND TO RESTRICT DISCLOSURES TO IMMEDIATE FAMILY MEMBERS OR AS OTHERWISE AUTHORIZED BY THIS ACT; AND A BRIEF DESCRIPTION OF THE PROCESS FOR EXERCISING THOSE RIGHTS.

Drafter’s comment: Pursuant to Committee discussions, I have provided an expanded notice of information practices, drawing from the recent Massachusetts bill.

ARTICLE VI

PERSONS AUTHORIZED TO ACT FOR PATIENT

SECTION 6-101. HEALTH-CARE REPRESENTATIVES.

(a) A person authorized to consent to health care for another may exercise the rights of that person under this [Act] to the extent necessary to effectuate the terms or purposes of the grant of authority. If the [patient] INDIVIDUAL is a minor and is authorized to consent to health care without parental consent under the laws of this State, only the minor may exercise the rights [of a patient] under this [Act] as to information pertaining to health care to which the minor lawfully consented.

(b) A person authorized to act for [a patient] AN INDIVIDUAL shall act in good faith to represent the best interests of [the patient] THE INDIVIDUAL.

SECTION 6-102. REPRESENTATIVE OF DECEASED PATIENT.

(a) EXCEPT AS PROVIDED IN SUBSECTION (b), [A [personal representative] of a deceased [patient]] AN EXECUTOR OR ADMINISTRATOR OF A DECEASED INDIVIDUAL'S ESTATE may exercise all of the [deceased patient's] DECEASED INDIVIDUAL’S rights WITH RESPECT TO THAT INDIVIDUAL’S HEALTH CARE INFORMATION under this [Act]. If there is no [personal representative] EXECUTOR OR ADMINISTRATOR, or upon discharge of the [personal representative] EXECUTOR OR ADMINISTRATOR, a deceased [patient's] INDIVIDUAL’S rights under this [Act] may be exercised by persons who are authorized by law to act for the deceased [patient] INDIVIDUAL.

(b) AN INDIVIDUAL MAY, BY WRITTEN STATEMENT TO A HEALTH-CARE PROVIDER OR OTHER RECORD HOLDER, OR BY WILL, DIRECT THAT THE INDIVIDUAL'S HEALTH-CARE INFORMATION NOT BE DISCLOSED AFTER THE INDIVIDUAL'S DEATH. IN THAT CASE, THE INDIVIDUAL'S INFORMATION MAY NOT BE FURTHER DISCLOSED EXCEPT WHERE DETERMINED BY A COURT TO BE NECESSARY (A) TO DETERMINE LIABILITY FOR THE INDIVIDUAL'S MEDICAL EXPENSES; (B) TO DETERMINE THE CAUSE OF THE INDIVIDUAL'S DEATH; OR (C) IN THE INTERESTS OF JUSTICE, OR WHERE UNAUTHORIZED DISCLOSURE IN THE PUBLIC INTEREST IS OTHERWISE PERMITTED.

Drafter's comment: Subsection (b) is added to allow an individual before death to assert the right to privacy against his fiduciary or others after his death. Details of what exceptions should be provided to that rule should be closely reviewed. See section 4-111 of the Model State Public Health Privacy Act for a similar authorization for a person to restrict disclosure after his death.

ARTICLE VII

SECURITY SAFEGUARDS AND RECORD RETENTION

SECTION 7-101. DUTY TO ADOPT SECURITY SAFEGUARDS.

(a) A [health-care provider] RECORD HOLDER shall [effect reasonable] ESTABLISH AND MAINTAIN ADEQUATE safeguards for the security of all health-care information it maintains. ADEQUATE SAFEGUARDS MUST INCLUDE WRITTEN POLICIES, STANDARDS AND PROCEDURES FOR THE MANAGEMENT OF HEALTH-CARE INFORMATION, INCLUDING POLICIES, STANDARDS AND PROCEDURES TO GUARD AGAINST THE PROHIBITED COLLECTION, USE OR DISCLOSURE OF THAT INFORMATION. ADEQUATE SAFEGUARDS MUST INCLUDE:

(1) LIMITATION OF ACCESS TO HEALTH-CARE INFORMATION TO THOSE EMPLOYEES, AGENTS, AND OTHERS WHO REQUIRE THE INFORMATION TO PERFORM THEIR JOB;

(2) APPROPRIATE TRAINING FOR EMPLOYEES;

(3) DISCIPLINARY MEASURES FOR VIOLATIONS OF THE POLICIES, STANDARDS AND PROCEDURES;

(4) IDENTIFICATION OF THE JOB TITLES AND JOB DESCRIPTIONS OF PERSONS THAT MAY DISCLOSE HEALTH INFORMATION ON BEHALF OF THE RECORD HOLDER WHERE PERMITTED BY THIS ACT;

(5) PROCEDURES FOR AUTHORIZING, OBTAINING AUTHORIZATION FOR, AND RESTRICTING THE COLLECTION, USE OR DISCLOSURE OF HEALTH-CARE INFORMATION;

(6) PROCEDURES BY WHICH AN INDIVIDUAL MAY EXERCISE ANY RIGHT TO ACCESS, AMEND, OR ADD TO THE INDIVIDUAL'S HEALTH-CARE INFORMATION, OR EXERCISE ANY OTHER RIGHT AS PERMITTED BY THIS ACT;

(7) SECURE PROCEDURES FOR HANDLING, DISCLOSING, STORING AND DISPOSING OF HEALTH-CARE INFORMATION, INCLUDING PROCEDURES TO ENSURE SECURITY OF ANY INFORMATION STORED OR TRANSMITTED IN ELECTRONIC MEDIA;

(8) PERIODIC MONITORING OF COMPLIANCE WITH THE POLICIES, STANDARDS, AND PROCEDURES.

(b) A RECORD HOLDER SHALL, PURSUANT TO ITS POLICIES, STANDARDS, AND PROCEDURES, REQUIRE THAT ANY PERSON ACTING ON BEHALF OF THE RECORD HOLDER WHO MAINTAINS HEALTH-CARE INFORMATION AND ANY PERSON TO WHOM THE RECORD HOLDER DISCLOSES HEALTH-CARE INFORMATION HAVE POLICIES, STANDARDS, AND PROCEDURES IN ACCORDANCE WITH SUBSECTION (a) OF THIS SECTION.

(c) A RECORD HOLDER MUST DISCLOSE ITS WRITTEN POLICIES, STANDARDS, AND PROCEDURES ON REQUEST TO ANY INDIVIDUAL WHOSE HEALTH-CARE INFORMATION IT COLLECTS, USES, MAINTAINS, OR DISCLOSES.

Drafter’s comment: Committee sentiment was that this provision should be strengthened. See, for example, section 5 of the NAIC draft and H.R. 4250, section 1184. Concern has also been expressed about the need for explicit provisions concerning electronic transmissions. This draft includes proposed language largely based on section 5 of the NAIC model. See also section 5-101 et seq of the Model State Public Health Privacy Act for an alternative specific model.

SECTION 7-102. RETENTION OF RECORD.

A [health-care provider] RECORD HOLDER shall maintain a record of existing health-care information [for at least one year following receipt of an authorization to disclose that health-care information under Section 2-102, and] during the pendency of a request for examination and copying under Section 3-101 or a request for correction or amendment under Section 4-101.

Drafter's comment: Committee consensus was that the provision for one year extension beyond receipt of an authorization to disclose was unnecessary in the light of existing laws governing retention of the record.

ARTICLE VIII

CIVIL REMEDIES AND CRIMINAL SANCTIONS

SECTION 8-101. CRIMINAL PENALTY.

(a) A person who willfully discloses health-care information in violation of this [Act], and who knew or should have known that disclosure is prohibited, is guilty of a [misdemeanor], and upon conviction is punishable by a fine not exceeding [$10,000] or imprisonment for a period not exceeding [one year], or both.

(b) A person who, by means of (i) bribery, (ii) theft, (iii) misrepresentation of identity, purpose of use or entitlement to the information, [or (iv) trespass,] examines or obtains, in violation of this [Act], health-care information maintained by a [health-care provider] RECORD HOLDER, is guilty of a [misdemeanor], and upon conviction is punishable by a fine not exceeding [$10,000] or imprisonment for a period not exceeding [one year], or both.

(c) A person who, knowing that a certification under Section 2-105(c) or a disclosure authorization under Section 2-102 is false, willfully presents the certification or disclosure authorization to a [health-care provider] RECORD HOLDER, is guilty of a [misdemeanor], and upon conviction is punishable by a fine not exceeding [$10,000] or imprisonment for a period not exceeding [one year] or both.

(d) A PERSON WHO, IN WILFUL VIOLATION OF THIS ACT, DISCLOSES, SELLS, OR TRAFFICS IN HEALTH-CARE INFORMATION AS A BUSINESS PRACTICE OR FOR PERSONAL, PROFESSIONAL OR COMMERCIAL GAIN, OR WITH INTENT TO CAUSE MALICIOUS HARM, UPON CONVICTION IS PUNISHABLE BY A FINE NOT EXCEEDING [$50,000] OR IMPRISONMENT FOR A PERIOD NOT EXCEEDING [FIVE YEARS] OR BOTH.

Drafter's comment: The Committee comments indicated that this section should provide a broader base of criminal penalties. Subsection (d) is added to address violations for commercial gain or with intent to cause malicious harm. See, for example, section 6-101 of the Model State Public Health Privacy Act. Consideration should be given to whether the penalties should be conformed to the system of classified crimes under Title 53a of the General Statutes.

SECTION 8-102. CIVIL ENFORCEMENT.

The [Attorney General or appropriate local law enforcement official] may maintain a civil action to enforce this [Act]. The court may order any relief authorized by Section 8-103.

Drafter's comment: Committee comments indicated uncertainty as to whether civil enforcement by a public official was necessary or appropriate. I have not made any proposed change in the draft.

SECTION 8-103. CIVIL REMEDIES.

(a) A person aggrieved by a violation of this [Act] may maintain an action for relief as provided in this section.

(b) The court may order the health-care provider or other person to comply with this [Act] and may order any other appropriate relief.

(c) A [health-care provider] RECORD HOLDER who relies in good faith upon a certification, pursuant to Section 2-105(c), is not liable for disclosures made in reliance on that certification.

(d) In an action by [a patient] AN INDIVIDUAL alleging that health-care information was improperly withheld under Article III the burden of proof is on the [health-care provider] RECORD HOLDER to establish that the information was properly withheld.

(e) If the court determines that there is a violation of this [Act], the aggrieved person is entitled to recover damages for [pecuniary losses] ACTUAL DAMAGES sustained as a result of the violation; and, in addition, if the violation results from willful or grossly negligent conduct, the aggrieved person may recover not in excess of [$5,000], exclusive of any pecuniary loss.

(f) If a plaintiff prevails, the court may assess reasonable attorney's fees and all other expenses reasonably incurred in the litigation.

(g) Any action under this [Act] is barred unless the action is commenced within [2] year[s] after the [cause of action] [claim for relief] accrues.

Drafter's comment: The Committee comments indicated that an individual right of action should be retained, similar to that provided by section 38a-995 of the Insurance Information and Privacy Protection Act. The primary distinction between section 38a-995 and this provision (other than the inherent restriction of 38a-995 to the insurance context) is that this section limits damages to pecuniary losses except that it allows an enhanced $5,000 penalty, in subsection (e), for willful or grossly negligent conduct. Given the Committee comments that differing levels of conduct should be recognized, I replaced "pecuniary losses" with "actual damages" to retain the 38a-995 right of action but left the enhanced penalty in the draft to allow further redress for egregious conduct. However, to strictly retain the section 38a-995 standard, the enhanced penalty provision should be deleted. For comparison, section 6-103 of the Model State Public Health Privacy Act includes a similar enhanced penalty provision (up to $10,000) for willful or grossly negligent conduct. The NAIC draft does not include a private right of action, but suggests that it be considered.

ARTICLE IX

MISCELLANEOUS PROVISIONS

SECTION 9-101. UNIFORMITY OF APPLICATION AND CONSTRUCTION.

This [Act] shall be applied and construed to effectuate its general purpose to make uniform the law with respect to the subject of this [Act] among states enacting it.

SECTION 9-102. SHORT TITLE.

This [Act] may be cited as the Uniform Health-Care Information Act.

SECTION 9-103. SEVERABILITY.

If any provision of this [Act] or its application to any person or circumstance is held invalid, the invalidity does not affect other provisions or applications of this [Act] which can be given effect without the invalid provision or application, and to this end the provisions of this [Act] are severable.

SECTION 9-104. REPEALS.

The following acts and parts of acts are repealed:

(1)

(2)

(3)

SECTION 9-105. SAVING CLAUSE.

This [Act] does not affect other law restricting, to a greater extent than does this [Act], the disclosure of specific types of health-care information to any person other than the patient to whom it relates.

SECTION 9-106. CONFLICTING LAWS.

[(a) This [Act] does not restrict a health-care provider from complying with obligations imposed by federal health-care payment programs or federal law.]

[(b) In the event of a conflict between this [Act] and the Uniform Information Practices Act, the provisions of this [Act] apply.]