[Latest draft as of 1/4/96 Vermont Leg council doc. #35612. The "doubled-S" section symbol has been replaced with "Sec." at all occurrances.] TO THE HOUSE OF REPRESENTATIVES The Committee on Health and Welfare to which was referred House Bill H. 237 entitled "AN ACT RELATING TO HEALTH CARE INFORMATION" respectfully report that they have considered the same and recommend that the bill be amended by striking all after the enacting clause and inserting in lieu thereof the following: Sec. 1. LEGISLATIVE PURPOSE The purpose of this act is to clarify and consolidate the laws that protect an individual's privacy and access regarding their personal health care information and the laws that establish the legal responsibilities of persons, including health care providers, health care facilities, insurance companies and employers, who acquire personally identifiable health care information to maintain the security and confidentiality of that information during its acquisition, storage, disclosure and disposition. Sec. 2. 18 V.S.A. chapter 221, subchapter 9 is added to read: Subchapter 9. Health Care Information Practices Sec. 9461. DEFINITIONS For the purposes of this subchapter, (1) "Amend" means to indicate one or more disputed entries in health care information or to change the entry without obliterating the original information. (2) "Custodian" means any health care provider or health care facility that creates, controls or retains health care information or any person who obtains individually identifiable health care information for lawful purposes. (3) "Disclosure" means the release of health care information in any manner, including a subsequent release of health care information by a person to whom health care information was initially disclosed. (4) "Health care" means any preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care, counseling, service or procedure provided to an individual for the individual's physical or mental condi-tion or the structure or function of any part of the human body, including the sale or dispensing of medication or durable goods pursuant to a prescription. (5) "Health care facility" means any facility or institution, whether public or private, proprietary or not-for-profit, that offers health care diagnosis, treatment, inpatient or ambulatory care to two or more unrelated persons. (6) "Health care information" means any data or information, whether oral or recorded, in any form or medium, that directly identifies the individual or can reasonably identify the individual by reference to publicly available information and that: (A) relates to the individual's health history, health care, health status, health benefits or application for health benefits; or (B) is obtained by a health care provider or health care facility in the course of providing health care to the individual and is obtained from the individ-ual, a member of the individual's family or a person with whom the individual has a close personal relationship. (7) "Health care provider" means a person, partnership or corporation, other than a facility or institution, that is licensed, certified or authorized by law to provide professional health care services in this state to an individual during that individual's medical care, treatment or confinement. (8) "Health insurer" means an insurance company that offers health insurance to the public, a nonprofit hospital and medical service corporation or a health maintenance organization and, to the extent permitted under federal law, any administrator of an insured, self-insured or publicly funded health care benefit plan offered by a public or private entity. (9) "Individual" means a natural person, alive or dead, who is the subject of health care information and includes the individual's attorney-in-fact, legal guardian, executor or administrator. Sec. 9462. DISCLOSURE OF HEALTH CARE INFORMATION; GENERALLY (a) Health care information shall be confidential and shall not be disclosed by any person except as provided in this subchapter. A disclosure of health care information by any person shall be limited: (1) to persons who require the information for a lawful purpose which, for the purposes of this subchapter, does not include the marketing of services or goods, and (2) to the minimum amount of information necessary to accomplish the lawful purpose. (b) A custodian shall create a record of all disclosures made to any person who is not an agent, employee or independent contractor of the custodian. That record shall be retained in the health care information and shall include the following information: (1) The name, address and institutional affiliation, if any, of the person to whom the information is disclosed. (2) The date and purpose of the disclosure. (3) A description of the information disclosed. (4) A statement as to whether the disclosure was made pursuant to an authorization or an exception under section 9464 of this title. (c) No person to whom health care information is disclosed may use the information for any purpose other than the lawful purpose for which it was disclosed. (d) Disclosure of health care information relating to an HIV related illness, AIDS, a sexually transmitted disease, mental health treatment or drug or alcohol treatment is prohibited unless the individual specifically authorizes disclosure of that information pursuant to section 9463 of this title. (e) The provisions of this subchapter do not affect other laws that restrict to a greater extent the disclosure of specific types of health care information to a person other than the individual to whom it relates. Sec. 9463. AUTHORIZATION FOR DISCLOSURE; REVOCATION (a) A custodian shall only disclose health care information pursuant to a valid authorization by the individual who is the subject of the information, except as provided in section 9464 of this title. (b) An authorization to disclose health care information shall be retained in the individual's health care information. An authorization shall be valid if it is in writing or in electronic form and includes all the following: (1) The identity of the individual subject of the information. (2) The name of the custodian who will disclose the information. (3) A description of the health care information to be dis-closed. (4) The name and address of the person to whom the information is to be disclosed. (5) The general purpose of the disclosure. (6) The signature of the individual and the date signed or, if in electronic form, a unique identifier of the individual and the date the individual authenticated the electronic authorization. (7) A statement that the individual may revoke the authorization at any time. (8) An authorization to provide or pay for health care shall be on a separate page. (c) An authorization may specify a length of time the authorization shall remain valid, which in no event shall be for more than 12 months, except an authorization signed for one of the following purposes: (1) To support claims for benefits under a health insurance policy in which event the authorization shall remain valid during the entire term of coverage of the policy. (2) To support an application for a health, disability or life insurance policy, reinstatement of a policy or a change in benefits under an existing policy in which case the authorization shall expire in 12 months or whenever the policy is denied, whichever occurs first. (d) An individual may revoke an authorization at any time. A revocation of an authorization shall be valid if it is in writing or in electronic form and is dated and authenticated as required for an authorization under subsection (b) of this section. A revocation of an authorization shall be retained in the individual's health care information. Sec. 9464. DISCLOSURE WITHOUT AUTHORIZATION (a) A custodian is not required to, but may disclose health care information without the authorization of the individual in any of the following circumstances: (1) To another health care provider who is providing health care to the individual or to a referring health care provider who continues to provide health care to the individual and the information is necessary to provide appropriate ongoing health care treatment to the individual, to the extent the disclosure has not been limited by the individual. (2) To an agent, employee or independent contractor of the custodian in order to carry out the custodian's lawful purposes or health care activities, including risk management, quality assurance, utilization review and peer review activities. For the purposes of this subdivision, lawful purposes or lawful health care activities do not include the marketing of services or goods. (3) If the person disclosing reasonably believes that disclosure is necessary to avoid or minimize serious risk of imminent harm to the health or safety of any individual. Information disclosed under this subdivision may not be used in any administrative, civil or criminal action or investigation directed against the individual subject of the information. (4) The individual lacks the capacity to consent and the disclosure is to a member of the individual's immediate family or to a person with whom the individual is known to have a close personal relationship, provided that the disclosure is made in accordance with good professional practice; the information relates to health care currently being provided to the individual; and the disclosure has not been limited or prohibited by the individual. (5) To a successor in interest of a custodian that is a health care provider or health care facility provided that the custodian gave the individual at least 30 days' notice of the disclosure and the opportunity to designate a different provider or facility to receive the information. (6) To conduct a scientific research project that has been approved by an institutional review board, which, for the purposes of this subdivision, means any board, committee or other group formally designated by a health care facility and authorized under federal law to review, approve or conduct periodic review of research programs, provided the project: (A) contains adequate safeguards to assure that any information in any report of the research project does not identify, directly or indirectly through reference to publicly available information, the individual subject of the information; and (B) does not require direct contact with an individual subject of the information unless that individual has received notice from the custodian disclosing the information that such contact is possible and the individual has authorized the contact. (7) The disclosure is to federal, state or local governmental authorities to the extent the custodian disclosing the information is required or permitted by law to report specific health care information to determine compliance with state or federal licensure, certification, registration rules or professional regulations or for the protection of the public health. Information disclosed under this subdivision may not be used in any administrative, civil or criminal action or investigation directed against any individual subject of the information. (8) The disclosure is to federal or state governmental authorities for use only in the investigation or prosecution of criminal activity or a violation of laws relating to the provision of health care or payment for health care as required or permitted by federal or state law. Information disclosed under this subdivision may not be used in any administrative, civil or criminal action or investigation directed against the individual subject of the information, unless the action or investigation involves the individual subject of the information and arises from the provision of health care or payment for health care. (9) The disclosure is based on a reasonable belief that the information is needed for one of the following purposes: (A) To identify a deceased individual. (B) To determine the cause and manner of death by a chief medical examiner or the medical examiner's designee. (10) To a person engaged in the assessment, evaluation or investigation of the quality of health care provided by a custodian pursuant to statutory or regulatory standards or the requirements of a private or public program for the payment of health care. (b) Except as provided in this subchapter, neither an authorization to disclose health care information under section 9463 of this title nor a production of health care information pursuant to legal process under section 9465 of this title shall be construed to be or to operate as a waiver of the individual's confidentiality rights provided by other federal or state laws, rules of evidence or common law. Sec. 9465. LEGAL PROCESS (a) A custodian shall disclose health care information about an individual pursuant to legal process, including subpoenas, subpoenas duces tecum and discovery requests, in any judicial, legislative or administrative proceeding if: (1) The individual has consented in writing to the disclosure of the information in response to the legal process. (2) The individual is a party to a proceeding in which the individual's physical, mental or emotional condition has been placed in issue . (3) The individual's physical or mental condition is relevant to the execution or witnessing of a will or a trust. (4) The disclosure is permitted without authorization pursuant to subdivision (a)(8) of section 9464 of this title. (5) A court has ordered disclosure after a hearing of which both the individual subject of the information and the custodian receive notice and in which the party requesting disclosure has demonstrated that the public interest in disclosure outweighs the individual's privacy interest and that the information is not reasonably available by other means. (b) In the case of health care information being sought under subdivisions (a)(2), (3) or (4) of this section, the person seeking disclosure shall mail a notice of the request by first class mail to the individual who is the subject of the health care information and to the individual's attorney of record, at least 21 days before serving a legal process certificate on the custodian from whom the information is sought. The notice shall specify the information to be disclosed and the reasons for disclosure and shall include notice of the individual's rights to object to disclosure pursuant to subsection (d) of this section. (c) Any service of legal process upon a custodian shall be accompanied by a written certification, signed by the person seeking the information or by that person's authorized representative, that states all the reasons that support legal process as listed in subsection (a) of this section and that the person reasonably believes that one or more of the criteria listed in subsection (a) of this section supports the use of legal process. For information being sought under subdivisions (a)(2), (3) or (4) of this section, the certification shall also include a copy of the notice and a statement that the notice requirements of subsection (b) of this section have been met. The custodian shall release the information requested upon receipt of the legal process and shall retain a copy of the process and the written certification as a part of the individual's health care information. (d) The custodian or the individual subject of the information may file an objection to the request for disclosure in the appropriate forum on or before the date on which the disclosure is sought. The person requesting disclosure shall have the burden of establishing that disclosure should be granted. (e) Protective orders regarding any information disclosed pursuant to this section may be issued at the request of the individual who is the subject of the information. Sec. 9466. INDIVIDUAL RIGHT TO ACCESS TO HEALTH CARE INFORMATION; DENIAL (a) No later than ten days after receipt of a written request from an individual to examine or receive a copy of the individual's health care information, the custodian shall: (1) Provide a copy of the information requested to the individual or permit the individual to examine the information during regular business hours; or (2) Notify the individual that the custodian does not have the information and if applicable, inform the individual of the name and address of the person who has the information requested or when the information will be available; or (3) Deny the request in whole or part, if the custodian reasonably determines any of the following: (A) Knowledge of the information would adversely and substantially affect the individual's health. (B) Knowledge of the information could reasonably be expected to identify a person who provided the information in confidence and under circumstances in which confidentiality was appropriate; or (C) The information was compiled solely for litigation, quality assurance or peer review purposes. (b) If a request to examine or copy information is denied in whole or in part under this section, the person denying access shall notify the individual in writing of the reasons for the denial and the individual's rights under this subsection and subsection (f) of this section. To the extent possible, the information to which access has been denied shall be separated from information that may be disclosed and the individual shall be permitted to examine or copy the disclosable information. (c) A health care provider who has denied a request for access in whole or in part under subdivision (3)(A) or (B) of this section shall permit a health care provider selected by the individual to examine and copy the information. The reviewing health care provider shall have the same license or certification as the health care provider denying access. If the reviewing health care provider also denies the request, the individual may petition the superior court for access to the health care information. The court shall resolve the matter based on criteria in subsection (a) of this section. (this option tips the scales in favor or the patient, since the only scenario that would prevent the patient from gaining access to their record is if the reviewer also denies access) OR (c) A health care provider who has denied a request for access in whole or in part under subdivision (a)(3)(A) or (B) of this section shall permit a health care provider selected by the individual to examine and copy the information. The reviewing health care provider shall be licensed or certified to treat the individual for the same condition as the health care provider denying access. A reviewing health care provider who is not currently providing health care to the individual shall not disclose the health care information. If a reviewing health care provider who is not currently providing health care to the individual would permit access to the information, but the custodian continues to deny access, or if a reviewing health care provider also denies access, the individual may petition the superior court for access to the information. The court shall resolve the matter based on criteria in subsection (a) of this section. (this option tilts the power in favor of the custodian, since the only scenario in which the individual may gain access without going to court is if the reviewing health care provider is also providing treatment and agrees that access is appropriate, in which case the reviewer can just disclose the information to the individual.) (d) A custodian that is a health care provider or a health facility or a health insurer shall, on reasonable request, explain any code, abbreviation, term or notation used in the health care information. (e) If a custodian does not maintain the information in the form requested by the individual, the custodian is not required to create a new record or reformulate an existing record in order to meet the request. (f) The custodian may charge a reasonable fee for providing the health care information requested. A reasonable fee shall be the usual commercial rate for actual reproduction of the information. The custodian may also charge an additional fee of no more than $5.00 for each hour of personnel time required to reproduce the health care information. A detailed bill accounting for the charges shall be provided by the custodian. Sec. 9467. RIGHT TO AMEND HEALTH CARE INFORMATION (a) An individual may request in writing that a custodian amend the individual's health care information in order to improve the accuracy or completeness of the information, as long as the amendment does not delete, erase or obliterate any of the original information. (b) Within 30 days after receipt of a written request from an individual to amend the individual's health care information, a custodian shall do one of the following: (1) Amend the information as requested. (2) Notify the individual that the request has been denied, the reason for the denial, and that the individual may file a concise statement of what the individual believes to be the correct information and the reasons the individual disagrees with the denial. This statement by the individual shall be retained in the health care information. (c) At the request of the individual whose health care information has been amended pursuant to this section or who has filed a statement pursuant to subsection (b)(2) of this section, the custodian shall provide a copy of the amended information or the individual's statement to the person who provided the original information and shall take reasonable steps to provide those documents to all persons designated by the individual or who are identified in the information as having received copies of that information within the previous year. Sec. 9468. NOTICE OF INFORMATION PRACTICES Health care providers and health care facilities shall post a notice in a conspicuous public place and provide the notice to all individuals whose health care information is maintained by the provider or facility. The notice shall substantially include the following information: THE CONFIDENTIALITY OF YOUR HEALTH CARE INFORMATION WILL BE PROTECTED. NONE OF YOUR HEALTH CARE INFORMATION WILL BE DISCLOSED OR RELEASED TO ANYONE WITHOUT YOUR KNOWING, WRITTEN AUTHORIZATION, UNLESS THE RELEASE IS REQUIRED TO ASSURE THAT YOU RECEIVE COMPETENT AND APPROPRIATE HEALTH CARE OR IT IS SPECIFICALLY REQUIRED BY LAW. YOU MAY GET OR SEE A COPY OF YOUR MEDICAL RECORDS UPON REQUEST. YOU MAY ASK YOUR HEALTH CARE PROVIDER ANY QUESTIONS YOU HAVE ABOUT YOUR RECORDS, INCLUDING WHETHER YOUR MEDICAL RECORDS ARE HANDLED ELECTRONICALLY OR MANUALLY. A COPY OF THE MEDICAL RECORD LAW IS AVAILABLE AT ____________________________________(location) Sec. 9469. RIGHTS OF MINORS A minor who lawfully may consent to health care without the consent of a parent or legal guardian may exclusively exercise the rights of an individual under this subchapter regarding information pertaining to the health care to which the minor has lawfully consented. Sec. 9470. REPRESENTATIVE OF DECEASED INDIVIDUAL An executor or administrator of a deceased individual may exercise all the rights of the deceased individual provided by this subchapter subject to any written limitations or restrictions requested by the deceased individual. If there is no executor or administrator, the rights of a deceased individual may be exercised by the following persons, in the following order of priority: (1) A person designated by a durable power of attorney for health care. (2) The surviving spouse. (3) An adult child. (4) A parent. (5) An adult sibling. (6) Any other person authorized by law to act for the individual. Sec. 9471. MAINTENANCE OF HEALTH CARE INFORMATION; CONFIDENTIALITY PROCEDUR ES (a) A custodian that is a health care provider or a health care facility shall develop and implement policies, standards and procedures to protect the confidentiality, security and integrity of health care information to ensure that the information is not negligently, inappropriately or unlawfully disclosed. These procedures shall include: (1) The use of nondisclosure and confidentiality agreements. (2) Periodic training for all employees. (3) Disciplinary measures for violations of the confidentiality procedure. (4) Methods for handling, storing and disposition of health care information. (b) Health care information generated, received or compiled by a health care provider or health care facility shall be retained by the facility or provider, or their successors or assigns, for a minimum period of ten years, or ten years after the individual subject of the information reaches the age of majority, whichever is longer. (c) A custodian who is the employer of the individual shall adopt and implement policies and procedures to ensure that the health care information is maintained separately and apart from the individual's employment records and is used only for the lawful health care purposes for which the information was disclosed. (d) A custodian shall destroy health care information when there is no longer any lawful purpose for maintaining the information. A custodian that is a health care facility or provider shall notify the individual at the individual's last known address at least 30 days prior to destroying the individual's health care information. Sec. 9472. VIOLATIONS; CRIMINAL PENALTIES Any person who intentionally examines, obtains, modifies, destroys or discloses health care information in violation of this subchapter, or who uses a false certification or authorization to examine or obtain health care information in violation of this subchapter, shall be impris-oned not more than one year or fined not more than $10,000.00, or both. A penalty under this section may be imposed in addition to other available criminal penalties. Sec. 9473. CIVIL ACTION; REMEDIES: ATTORNEY GENERAL ACTION (a) Whenever the attorney general has reason to believe that a person has knowingly violated a provision of this subchapter and that an action under this section would be in the public interest, the attorney general may bring an action against the person to enjoin violations of this subchapter. An injunction issued under this section shall be issued without bond. (b) In addition to the relief provided in subsection (a) of this section, the attorney general may request and the court may order any other temporary or permanent relief as may be in the public interest, including the following: (1) A civil penalty of not more than $10,000.00 for each violation, but not to exceed $50,000.00 in the aggregate for multiple violations. (2) A civil penalty of not more than $250,000.00 if the court finds that a violation of this subchapter has occurred with sufficient frequency to constitute a general business practice. (3) Actual damages suffered by the aggrieved by the individual. (4) Reasonable attorney fees, investigatory expenses and court costs. (c) An individual who is aggrieved by a violation of this subchapter may bring a civil action for the following: (1) Actual damages or $1,000.00, whichever is greater. (2) Punitive damages. (3) Preliminary and equitable relief as the court deems appropriate. (4) Reasonable attorney fees, expenses and costs. (d) In an action alleging that health care information was improperly withheld under section 9466 of this title, the person denying access to the information has the burden of proof to establish that the information was withheld in good faith. (e) In an action under this section in which a custodian is being sued under a theory of vicarious liability for the acts or omissions of the custodian's employee, it shall be an affirmative defense that the employer substantially complied with the requirements of section 9471 of this title. (f) No civil action may be maintained under this section against any person who, in good faith, disclosed health care information in response to legal process as provided in section 9465 of this title. (g) No action may be commenced under this section more than three years after the date on which the violation occurred or reasonably should have been discovered. Sec. 3. 12 V.S.A. Sec. 1908 is amended to read: Sec. 1908. BURDEN OF PROOF (a) For the purpose of this section, malpractice means professional medical negligence comprised of the elements listed in this section. In a malpractice action based on the negligence of the personnel of a hospital, a physician licensed under chapter 23 of Title 26, a dentist licensed under chapter 13 of Title 26, a podiatrist licensed under chapter 7 of Title 26, a chiropractor licensed under chapter 9 of Title 26, a nurse licensed under chapter 27 of Title 26, or an osteopathic physician licensed under chapter 33 of Title 26, the plaintiff shall have the burden of proving all the following: (1) The degree of knowledge or skill possessed or the degree of care ordinarily exercised by a reasonably skillful, careful, and prudent health care professional engaged in a similar practice under the same or similar circumstances whether or not within the state of Vermont. (2) The defendant either lacked this degree of knowledge or skill or failed to exercise the appropriate degree of care; and (3) As That as a proximate result of this lack of knowledge or skill or the failure to exercise this degree of care, the plaintiff suffered injuries that would not otherwise have been incurred. (b) In any malpractice action, it shall be an affirmative defense that the plaintiff restricted access to the plaintiff's health care information by the defendant health care provider or facility under 18 V.S.A. Sec. 9463(1) and that the restricted information was material to the allegedly negligent care or procedure. Sec. 4. 12 V.S.A. Sec. 1612 is amended to read: Sec. 1612. PATIENTS' PRIVILEGE (a) Confidential information privileged. Unless the patient waives the privilege by authorizing its disclosure pursuant to 18 V.S.A. Sec. 9463 or unless the privilege is waived disclosure is permitted or required by an express provision of law, a person authorized to practice medicine, chiropractic or dentistry, a registered professional or licensed practical nurse, or a mental health professional as defined in 18 V.S.A. Sec. 7101(13) shall not be allowed to disclose any health care information, as defined in 18 V.S.A. Sec. 9461(6) acquired in attending a patient in a professional capacity, including joint or group counseling sessions, and which was necessary to enable the provider to act in that capacity. * * * (c) Mental or physical condition of deceased patient. A physician, chiropractor or nurse shall be required to disclose any information as to the mental or physical condition of a deceased patient privileged under subsection (a), except information which would tend to disgrace the memory of the decedent, either in the absence of an objection by a party to the litigation or when the privilege has been waived: (1) by the personal representative, or the surviving spouse, or the next of kin of the decedent; or (2) in any litigation where the interests of the personal representative are deemed by the trial judge to be adverse to those of the estate of the decedent, by any party in interest; or (3) if the validity of the will of the decedent is in question, by the executor named in the will, or the surviving spouse or any heir-at-law or any of the next of kin or any other party in interest. Sec. 4. EFFECTIVE DATE This act shall take effect on January 1, 1997.