[Congressional Bills 117th Congress] [From the U.S. Government Publishing Office] [S. 3620 Introduced in Senate (IS)]
117th CONGRESS 2d Session S. 3620 To establish the Commission for the Comprehensive Study of Health Data Use and Privacy Protection.
IN THE SENATE OF THE UNITED STATES February 9, 2022 Mr. Cassidy (for himself and Ms. Baldwin) introduced the following bill; which was read twice and referred to the Committee on Health, Education, Labor, and Pensions
A BILL To establish the Commission for the Comprehensive Study of Health Data Use and Privacy Protection. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the ``Health Data Use and Privacy Commission Act''. SEC. 2. FINDINGS; RULE OF CONSTRUCTION; SENSE OF CONGRESS. (a) Findings.--Congress finds the following: (1) The people of the United States are increasingly concerned about their civil liberties and the confidentiality, security, and use of their personal health information. (2) Commercial entities are increasingly aware that consumers expect them to adopt privacy policies and take appropriate steps to protect consumers' personal health information. (3) Due to a lack of Federal guidelines and a range of different State and local rules regarding privacy protection for individually identifiable health information, there is a growing concern about the confidentiality of personal health information collected outside the context of health care delivery, payment, and the practice of medicine generally. (4) There is a need to ensure that accurate and timely health information flows to meet the needs of patients, reduce costs in the health care system, coordinate care, and improve health care outcomes.
(5) Access to accurate and complete health information is critical to ensure the equitable, safe, and effective delivery of care, the development of novel treatments and cures, the promotion of public health, and the refinement of health care delivery. (6) During the public health emergency with respect to COVID-19 declared by the Secretary of Health and Human Services under section 319 of the Public Health Service Act (42 U.S.C. 247d), some Federal and State privacy rules have been waived, modified, or not enforced to help contain the pandemic. As a result, the COVID-19 contagion has uncovered areas where current State and Federal privacy rules may impede patient care, public health management, and efforts to control the pandemic. Moreover, the pandemic has spurred innovation including the development of new technologies and technology platforms that may not be covered by current regulatory constructs. (7) Privacy regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) have provided clearly defined responsibilities and enforcement for entities and business associates covered by such regulations, however, the regulations should be assessed to account for the evolution of emerging technologies, data and data management tools, and the modernization of health care delivery. 
(8) New rules and policies from the Federal Government encouraging the flow of health information to improve care and patient access to their own health information, including the rules promulgated under the 21st Century Cures Act (Public Law 114-255), raise the issue of protected health information flowing to entities that are not subject to standardized privacy protections, including the privacy regulations promulgated under the Health Information Portability and Accountability Act of 1996 (Public Law 104-191), the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5) (including the amendments made by such Act), and section 444 of the General Education Provisions Act (20 U.S.C. 1232g; commonly known as the ``Family Educational Rights and Privacy Act of 1974''). (9) Given the extensive proliferation of laws and proposals concerning the privacy of health information in light of recent changes in technology, applications, social media, and other platforms, and the increasing generation, collection, use, sharing, and selling of personal health information, a coordinated and comprehensive review is necessary to evaluate the effectiveness of existing protections of personal health information compiled by the health care, insurance, financial services, consumer electronics, advertising, technology, and other industries. (10) Use of the internet as a medium for commercial, social, and health related activities will continue to grow, and more data, including personal health information, will be generated, exchanged, and used by an increasing number of entities engaged in the digital marketplace. (11) An increasing number of people of the United States are using consumer health technologies, including wearable technology, with about 20 percent of people of the United States reporting using such technology in 2020, and generating data about their personal health and well-being. 
(12) The United States is the leading economic and social force in the global information economy, and it is important for the United States to continue that leadership. As countries and governing bodies around the world continue to establish privacy standards, these standards will directly affect the United States. (13) The shift from an industry-focused economy to an information-focused economy calls for a swift reassessment of the most effective ways to balance personal privacy against information use for legitimate purposes, keeping in mind the potential for unintended effects on technology and product development, innovation, and medical research. (b) Rule of Construction.--This Act shall not be construed to prohibit the enactment of privacy legislation by Congress during the existence of the Commission on Health Data Use and Privacy Protection established under section 3. (c) Sense of Congress.--It is the sense of Congress that-- (1) it is the responsibility of Congress to act to protect the privacy of individuals, including individuals' medical information, and to foster the improvement our Nation's health care system; and (2) further study by the Commission established under section 3 should not be considered a prerequisite for further consideration or enactment of health privacy or other related privacy legislation by Congress. SEC. 3. ESTABLISHMENT. There is established a commission to be known as the ``Commission on Health Data Use and Privacy Protection'' (referred to in this Act as the ``Commission''). SEC. 4. DUTIES OF COMMISSION. 
(a) Study.--The Commission shall conduct a study of issues relating to protection of individual privacy and the appropriate balance to be achieved between protecting individual privacy and allowing and advancing appropriate uses of personal health information, including the following issues: (1) The monitoring, collection, and distribution of personal health information by Federal, State, and local governments, such as the collection of information to combat the spread of infectious diseases such as COVID-19, the threat of substance use disorders involving opioids and other substances, and other public health threats and benefits. (2) Current efforts to address the access, exchange, and use of personal health information by Federal and State governments, individuals, or entities, including-- (A) existing statutes and regulations relating to the protection of individual privacy, such as section 552a of title 5, United States Code (commonly known as the ``Privacy Act of 1974''), section 552 of title 5, United States Code (commonly known as the ``Freedom of Information Act''), the Federal Trade Commission Act (15 U.S.C. 42 et seq.), the Common Rule and other applicable regulations promulgated under the Health Information Portability and Accountability Act of 1996 (Public Law 104-191), the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5) (including the amendments made by such Act), the 21st Century Cures Act (Public Law 114-255) (including the amendments made by such Act), and section 444 of the General Education Provisions Act (20 U.S.C. 
1232g; commonly known as the ``Family Educational Rights and Privacy Act of 1974''); (B) relevant legislation pending before Congress and State legislatures; (C) privacy protection efforts undertaken by-- (i) the Federal Government; (ii) State governments; or (iii) foreign governments and international governing bodies; (D) privacy protection efforts undertaken by the private sector, including any relevant recommendations, frameworks, or proposals; and (E) self-regulatory efforts initiated or proposed by the private sector to respond to privacy issues. (3) The differences and similarities between Federal, State, and international rules for protecting the privacy of health information and the degree to which such similarities or differences create or address problems related to collecting, sharing, and using health information to improve care and lower costs, and any trade-offs related to patient privacy and patient control over health information. (4) The need for consistency in deidentification standards for health data to avoid conflicting requirements that could impede the improvement of health care through clinical trials, technology development, public health surveillance, monitoring of general health trends, and medical research. (5) Technologies and data currently used for treatment, payment, and health care operations, compared with technologies used when the privacy regulations promulgated under section 264 of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2 note) were first issued, including an assessment of any gaps in the privacy protections under such regulations resulting from data collection and use by non-covered entities, taking into account recommendations of the National Committee on Vital and Health Statistics and the Office for the National Coordinator for Health Information Technology.
(6) The monitoring, collection, and distribution of personal information by individuals or entities, including access to, and use of, personal health information and medical records, and the ability to access and restrict the information. (7) Employer practices and policies with respect to the health information of employees, including-- (A) the extent to which employers collect, use, or disclose employee health information for marketing, employment, or insurance underwriting purposes; (B) what restrictions employers place on disclosure or use of employee health information; and (C) practices of employer medical departments with respect to disclosing employee health information to administrative or other personnel of the employer. (8) Current enforcement of privacy laws and rules through the Federal Trade Commission, the Office for Civil Rights of the Department of Health and Human Services, the Civil Rights Division of the Department of Justice, State agencies (including State attorneys general), and private rights of action. Such evaluation shall include an examination of efficacy, recommendations, and advantages and disadvantages of different enforcement mechanisms, and the potential for consolidation of enforcement. (9) Varying notices of privacy practices and whether such practices are effective in informing consumers of their rights and responsibilities, including, as appropriate, an assessment of best practices. (10) Varying statutory and regulatory employee training requirements, including, as appropriate, an assessment of best practices and whether harmonized training requirements may be more effective in encouraging efficient and effective training of employees in sound practices concerning personal health data. (11) Challenges and potential solutions to consent requirements and processes, particularly related to medical research. (12) The degree to which personal health information is sold with or without consent, and the uses of such information. 
(b) Field Hearings.--The Commission may conduct field hearings in the United States. (c) Report.-- (1) In general.--Not later than 6 months after the appointment of all members of the Commission-- (A) a majority of the members of the Commission shall approve a report described in paragraph (2); and (B) the Commission shall submit the approved report to the Committee on Health, Education, Labor, and Pensions of the Senate, the Committee on Energy and Commerce of the House of Representatives, the Secretary of Health and Human Services, and the President. (2) Contents.--The report required under paragraph (1) shall include a detailed statement of findings, conclusions, and recommendations, including the following: (A) Findings from the study conducted by the Commission pursuant to section 4(a), including potential threats posed to individual health privacy and to legitimate business and policy interests. (B) Analysis of purposes for which sharing of health information is appropriate and beneficial to consumers and the threat to health outcomes and costs if privacy rules are too stringent. (C) Analysis of the effectiveness of existing statutes, regulations, private sector self-regulatory efforts, technology advances, and market forces in protecting individual health privacy. (D) Recommendations on whether Federal legislation is necessary, and if so, specific suggestions on proposals to reform, streamline, harmonize, unify, or augment current laws and regulations relating to individual health privacy, including reforms or additions to existing law related to enforcement, preemption, consent, penalties for misuse, transparency, and notice of privacy practices. 
(E) Analysis of whether additional regulations may impose costs or burdens, or cause unintended consequences in other policy areas, such as security, law enforcement, medical research, health care cost containment, improved patient outcomes, public health, or critical infrastructure protection, and whether such costs or burdens are justified by the additional regulations or benefits to privacy, including whether such benefits may be achieved through less onerous means. (F) Cost analysis of legislative or regulatory changes proposed in the report. (G) Recommendations on non-legislative solutions to individual health privacy concerns, including education, market-based measures, industry best practices, and new technologies. (H) Review of the effectiveness and utility of third-party statements of privacy principles and private sector self-regulatory efforts, as well as third-party certification or accreditation programs meant to ensure compliance with privacy requirements. (d) Additional Report.--Together with the report under subsection (c), the Commission shall submit to Congress and the President any additional report of dissenting opinions or minority views by a member or members of the Commission. (e) Interim Report.--The Commission may submit to Congress and the President an interim report approved by a majority of the members of the Commission. SEC. 5. MEMBERSHIP. (a) Number and Appointment.--The Commission shall-- (1) be composed of 17 members to be appointed by the Comptroller General; and (2) reflect the views of health providers, ancillary health care workers, health care purchasers, health plans, health technology developers, researchers, consumers, public health experts, civil liberties experts, genomics experts, educators, the consumer electronics industry, and relevant Federal agencies, and other entities as the Secretary of Health and Human Services determines appropriate. 
(b) Terms.--Each member of the Commission shall be appointed for the life of the Commission. (c) Vacancies.--A vacancy in the Commission shall be filled in the same manner in which the original appointment was made. (d) Compensation; Travel Expenses.--Members of the Commission shall serve without pay, but shall receive travel expenses, including per diem in lieu of subsistence, in accordance with sections 5702 and 5703 of title 5, United States Code. (e) Quorum.--A majority of the members of the Commission shall constitute a quorum, but a lesser number may hold hearings. (f) Meetings.-- (1) In general.--The Commission shall meet at the call of the Chair or a majority of its members. (2) Initial meeting.--Not later than 60 days after the date of the enactment of this Act, the Commission shall hold its initial meeting. (3) Virtual or in-person meetings.--Meetings may be held in person or virtually. (g) Ethical Disclosure.--The Comptroller General shall establish a system for public disclosure by members of the Commission of financial and other potential conflicts of interest relating to such members. Members of the Commission shall be treated as employees of Congress for purposes of applying title I of the Ethics in Government Act of 1978 (5 U.S.C. App.). SEC. 6. DIRECTOR; STAFF; EXPERTS AND CONSULTANTS. (a) Director.-- (1) In general.--Not earlier than 45 days after the date of enactment of this Act, the Commission shall appoint a Director of the Commissioner (referred to in this Act as the ``Director'') without regard to the provisions of title 5, United States Code, governing appointments to the competitive service. (2) Pay.--The Director shall be paid at the rate payable for level III of the Executive Schedule established under section 5314 of title 5, United States Code. (b) Staff.--The Director may appoint staff as the Director determines appropriate. 
(c) Applicability of Certain Civil Service Laws.-- (1) In general.--The staff of the Commission shall be appointed without regard to the provisions of title 5, United States Code, governing appointments in the competitive service. (2) Pay.--The staff of the Commission shall be paid in accordance with the provisions of chapter 51 and subchapter III of chapter 53 of that title relating to classification and General Schedule pay rates, but at rates not in excess of the maximum rate for grade GS-15 of the General Schedule under section 5332 of that title. (d) Experts and Consultants.--The Director may procure temporary and intermittent services under section 3109(b) of title 5, United States Code. (e) Staff of Federal Agencies.-- (1) In general.--Upon request of the Director, the head of any Federal department or agency may detail, on a reimbursable basis, any of the personnel of that department or agency to the Commission to assist it in carrying out this Act. (2) Notification.--Before making a request under this subsection, the Director shall give notice of the request to each member of the Commission. SEC. 7. POWERS OF COMMISSION. (a) Hearings and Sessions.--The Commission may, for the purpose of carrying out this Act, hold hearings, sit and act at times and places, take testimony, and receive evidence as the Commission considers appropriate. The Commission may administer oaths or affirmations to witnesses appearing before it. (b) Powers of Members and Agents.--Any member or agent of the Commission may, if authorized by the Commission, take any action which the Commission is authorized to take by this section. (c) Obtaining Official Information.-- (1) In general.--Except as provided in paragraph (2), if the Chair of the Commission submits a request to a Federal department or agency for information necessary to enable the Commission to carry out this Act, the head of that department or agency shall furnish that information to the Commission. 
(2) Exception for national security.--If the head of the department or agency determines that it is necessary to guard such information from disclosure to protect the national security interests of the United States, the head shall not furnish that information to the Commission. (d) Mails.--The Commission may use the United States mails in the same manner and under the same conditions as other departments and agencies of the United States. (e) Administrative Support Services.--Upon the request of the Director, the Administrator of General Services shall provide to the Commission, on a reimbursable basis, the administrative support services necessary for the Commission to carry out this Act. (f) Gifts and Donations.--The Commission may accept, use, and dispose of gifts or donations of services or property to carry out this Act, but only to the extent or in the amounts provided in advance in appropriation Acts. (g) Contracts.--The Commission may contract with and compensate persons and government agencies for supplies and services, without regard to section 3709 of the Revised Statutes (41 U.S.C. 5). (h) Subpoena Power.-- (1) In general.--The Commission may issue subpoenas requiring the attendance and testimony of witnesses and the production of any evidence relating to any matter that the Commission is empowered to investigate by section 4. The attendance of witnesses and the production of evidence may be required by such subpoena from any place within the United States and at any specified place of hearing within the United States. (2) Failure to obey a subpoena.--If a person refuses to obey a subpoena issued under paragraph (1), the Commission may apply to a United States district court for an order requiring that person to appear before the Commission to give testimony, produce evidence, or both, relating to the matter under investigation. 
The application may be made within the judicial district where the hearing is conducted or where that person is found, resides, or transacts business. Any failure to obey the order of the court may be punished by the court as civil contempt. (3) Service of subpoenas.--The subpoenas of the Commission shall be served in the manner provided for subpoenas issued by a United States district court under the Federal Rules of Civil Procedure for the United States district courts. (4) Service of process.--All process of any court to which application is made under paragraph (2) may be served in the judicial district in which the person required to be served resides or may be found. SEC. 8. TERMINATION. The Commission shall terminate 30 days after submitting a report under section 4(c). SEC. 9. AUTHORIZATION OF APPROPRIATIONS. (a) In General.--There are authorized to be appropriated to the Commission such sums as may be necessary to carry out this Act. (b) Availability.--Any sums appropriated pursuant to the authorization in subsection (a) shall remain available until expended. SEC. 10. BUDGET ACT COMPLIANCE. Any new contract authority authorized by this Act shall be effective only to the extent or in the amounts provided in advance in appropriation Acts. SEC. 11. PRIVACY PROTECTIONS. (a) Destruction or Return of Information Required.--Upon the conclusion of the matter or need for which individually identifiable information was disclosed to the Commission, the Commission shall either destroy the individually identifiable information or return it to the person or entity from which it was obtained, unless the individual that is the subject of the individually identifiable information has authorized its disclosure. 
(b) Disclosure of Information Prohibited.--The Commission-- (1) shall protect individually identifiable information from improper use; and (2) may not disclose such information to any person, including Congress or the President, unless the individual that is the subject of the information has authorized such a disclosure. (c) Proprietary Business Information and Financial Information.-- The Commission shall protect from improper use, and may not disclose to any person, proprietary business information and proprietary financial information that may be viewed or obtained by the Commission in the course of carrying out its duties under this Act.