
Code · BILL · 119th Congress · S. 3097 (Introduced in Senate) — To provide additional protections with respect to health information, and for other purposes. · Sec. 2

Sec. 2. Protections for applicable health information


A research copy — for the controlling text, always check the official state or federal source. Not legal advice.

The Secretary of Health and Human Services, in consultation with the Federal Trade Commission, shall promulgate regulations setting privacy, security, and breach notification standards for the processing of applicable health information by regulated entities and their service providers. Such standards shall provide protections that are at least commensurate with, and wherever feasible and appropriate harmonize with, the protections provided through the privacy, security, and breach notification rules promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note) and section 13402 of the HITECH Act (42 U.S.C. 17932) that apply to covered entities and business associates with respect to protected health information under such rules.

Such regulations promulgated under this section shall include the following:

Privacy requirements, including the following:
  • Permitted uses and disclosures of applicable health information without an individual's written authorization that are consistent with the individual's reasonable expectations.
  • Other permitted uses and disclosures of applicable health information without an individual's written authorization for certain public policy purposes, such as public health, health oversight, law enforcement, judicial and administrative proceedings, and any conditions for such uses and disclosures.
  • Uses and disclosures of applicable health information that require the individual's written authorization and the requirements related to such written authorizations.
  • Prohibited uses and disclosures of applicable health information.
  • Minimum necessary requirements for the request, use, and disclosure of applicable health information and any exceptions.
  • Standards and requirements related to legal representatives of the individual.
  • Standards and requirements related to service providers.
  • Individual rights with respect to applicable health information, including the right of the individual to receive a privacy notice from the regulated entity, access to applicable health information, amendment of applicable health information, deletion of applicable health information, and portability of applicable health information, and any exceptions to such rights (such as with respect to applicable health information collected for research purposes), any conditions on such rights, and any other requirements related to such rights, including timeframes for responding to requests.
  • Administrative safeguards, including designation of a privacy officer, policies and procedures, training of workforce members, non-retaliation, documentation, and mitigation.

Security requirements, including the following:
  • Physical, technical, and administrative safeguards for applicable health information in any form.
  • For electronic applicable health information, such safeguards shall be based on well-established national frameworks, such as cybersecurity performance goals of the National Institute of Standards and Technology or the Department of Health and Human Services.

Breach notification requirements in the event of a breach of applicable health information that are substantially similar to the breach notification requirements under subpart D of part 164 of title 45, Code of Federal Regulations (or any successor regulations).

The Secretary, in consultation with the Federal Trade Commission, is authorized to enforce all provisions of this Act as described in subsection (c). In addition to any other sanctions or remedies that may be available under any provision of Federal law, in the case of a regulated entity or service provider that violates this section, subpart D of part 160 of title 45, Code of Federal Regulations (or any successor regulations), shall apply to the regulated entity or service provider with respect to such violation of this section in the same manner that such subpart applies to a person with respect to a violation of part 160 of title 45, Code of Federal Regulations (or any successor regulations).

The privacy and security practices under section 13412 of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17941) shall apply to regulated entities and service providers with respect to applicable health information in the same manner that such section applies to covered entities and business associates.

In this section:

The term applicable health information means information (including demographic information) that identifies an individual or with respect to which there is a reasonable basis to believe that the information could be used to identify an individual; and relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and may include information described in subparagraph (A) that was not created or received by a health care provider, health plan, employer, or health care clearinghouse.

The terms covered entities and business associates have the meanings given such terms in section 160.103 of title 45, Code of Federal Regulations (or any successor regulations).

The term regulated entity means a natural or legal person that, alone or jointly with others, determines the purpose and means of processing applicable health information; and does not include:
  • a governmental entity such as a body, authority, board, bureau, commission, district, agency, or political subdivision of the Federal, State, or local government;
  • a person or an entity that is collecting, processing, or transferring covered data on behalf of a Federal, State, Tribal, territorial, or local government entity; and
  • a covered entity or business associate, as such terms are defined in section 160.103 of title 45, Code of Federal Regulations (or any successor regulations).

The term service provider means a natural or legal entity that processes applicable health information on behalf of a regulated entity and that is not a covered entity or business associate, as such terms are defined in section 160.103 of title 45, Code of Federal Regulations (or any successor regulations).