[Congressional Bills 117th Congress]
[From the U.S. Government Publishing Office]
[S. 3620 Introduced in Senate (IS)]

117th CONGRESS
  2d Session
                                S. 3620

To establish the Commission for the Comprehensive Study of Health Data 
                      Use and Privacy Protection.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            February 9, 2022

  Mr. Cassidy (for himself and Ms. Baldwin) introduced the following 
  bill; which was read twice and referred to the Committee on Health, 
                     Education, Labor, and Pensions

_______________________________________________________________________

                                 A BILL


 
To establish the Commission for the Comprehensive Study of Health Data 
                      Use and Privacy Protection.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Health Data Use and Privacy 
Commission Act''.

SEC. 2. FINDINGS; RULE OF CONSTRUCTION; SENSE OF CONGRESS.

    (a) Findings.--Congress finds the following:
            (1) The people of the United States are increasingly 
        concerned about their civil liberties and the confidentiality, 
        security, and use of their personal health information.
            (2) Commercial entities are increasingly aware that 
        consumers expect them to adopt privacy policies and take 
        appropriate steps to protect consumers' personal health 
        information.
            (3) Due to a lack of Federal guidelines and a range of 
        different State and local rules regarding privacy protection 
        for individually identifiable health information, there is a 
        growing concern about the confidentiality of personal health 
        information collected outside the context of health care 
        delivery, payment, and the practice of medicine generally.
            (4) There is a need to ensure that accurate and timely 
        health information flows to meet the needs of patients, reduce 
        costs in the health care system, coordinate care, and improve 
        health care outcomes.
            (5) Access to accurate and complete health information is 
        critical to ensure the equitable, safe, and effective delivery 
        of care, the development of novel treatments and cures, the 
        promotion of public health, and the refinement of health care 
        delivery.
            (6) During the public health emergency with respect to 
        COVID-19 declared by the Secretary of Health and Human Services 
        under section 319 of the Public Health Service Act (42 U.S.C. 
        247d), some Federal and State privacy rules have been waived, 
        modified, or not enforced to help contain the pandemic. As a 
        result, the COVID-19 contagion has uncovered areas where 
        current State and Federal privacy rules may impede patient 
        care, public health management, and efforts to control the 
        pandemic. Moreover, the pandemic has spurred innovation 
        including the development of new technologies and technology 
        platforms that may not be covered by current regulatory 
        constructs.
            (7) Privacy regulations promulgated under the Health 
        Insurance Portability and Accountability Act of 1996 (Public 
        Law 104-191) have provided clearly defined responsibilities and 
        enforcement for entities and business associates covered by 
        such regulations, however, the regulations should be assessed 
        to account for the evolution of emerging technologies, data and 
        data management tools, and the modernization of health care 
        delivery.
            (8) New rules and policies from the Federal Government 
        encouraging the flow of health information to improve care and 
        patient access to their own health information, including the 
        rules promulgated under the 21st Century Cures Act (Public Law 
        114-255), raise the issue of protected health information 
        flowing to entities that are not subject to standardized 
        privacy protections, including the privacy regulations 
        promulgated under the Health Information Portability and 
        Accountability Act of 1996 (Public Law 104-191), the Health 
        Information Technology for Economic and Clinical Health Act 
        (Public Law 111-5) (including the amendments made by such Act), 
        and section 444 of the General Education Provisions Act (20 
        U.S.C. 1232g; commonly known as the ``Family Educational Rights 
        and Privacy Act of 1974'').
            (9) Given the extensive proliferation of laws and proposals 
        concerning the privacy of health information in light of recent 
        changes in technology, applications, social media, and other 
        platforms, and the increasing generation, collection, use, 
        sharing, and selling of personal health information, a 
        coordinated and comprehensive review is necessary to evaluate 
        the effectiveness of existing protections of personal health 
        information compiled by the health care, insurance, financial 
        services, consumer electronics, advertising, technology, and 
        other industries.
            (10) Use of the internet as a medium for commercial, 
        social, and health related activities will continue to grow, 
        and more data, including personal health information, will be 
        generated, exchanged, and used by an increasing number of 
        entities engaged in the digital marketplace.
            (11) An increasing number of people of the United States 
        are using consumer health technologies, including wearable 
        technology, with about 20 percent of people of the United 
        States reporting using such technology in 2020, and generating 
        data about their personal health and well-being.
            (12) The United States is the leading economic and social 
        force in the global information economy, and it is important 
        for the United States to continue that leadership. As countries 
        and governing bodies around the world continue to establish 
        privacy standards, these standards will directly affect the 
        United States.
            (13) The shift from an industry-focused economy to an 
        information-focused economy calls for a swift reassessment of 
        the most effective ways to balance personal privacy against 
        information use for legitimate purposes, keeping in mind the 
        potential for unintended effects on technology and product 
        development, innovation, and medical research.
    (b) Rule of Construction.--This Act shall not be construed to 
prohibit the enactment of privacy legislation by Congress during the 
existence of the Commission on Health Data Use and Privacy Protection 
established under section 3.
    (c) Sense of Congress.--It is the sense of Congress that--
            (1) it is the responsibility of Congress to act to protect 
        the privacy of individuals, including individuals' medical 
        information, and to foster the improvement our Nation's health 
        care system; and
            (2) further study by the Commission established under 
        section 3 should not be considered a prerequisite for further 
        consideration or enactment of health privacy or other related 
        privacy legislation by Congress.

SEC. 3. ESTABLISHMENT.

    There is established a commission to be known as the ``Commission 
on Health Data Use and Privacy Protection'' (referred to in this Act as 
the ``Commission'').

SEC. 4. DUTIES OF COMMISSION.

    (a) Study.--The Commission shall conduct a study of issues relating 
to protection of individual privacy and the appropriate balance to be 
achieved between protecting individual privacy and allowing and 
advancing appropriate uses of personal health information, including 
the following issues:
            (1) The monitoring, collection, and distribution of 
        personal health information by Federal, State, and local 
        governments, such as the collection of information to combat 
        the spread of infectious diseases such as COVID-19, the threat 
        of substance use disorders involving opioids and other 
        substances, and other public health threats and benefits.
            (2) Current efforts to address the access, exchange, and 
        use of personal health information by Federal and State 
        governments, individuals, or entities, including--
                    (A) existing statutes and regulations relating to 
                the protection of individual privacy, such as section 
                552a of title 5, United States Code (commonly known as 
                the ``Privacy Act of 1974''), section 552 of title 5, 
                United States Code (commonly known as the ``Freedom of 
                Information Act''), the Federal Trade Commission Act 
                (15 U.S.C. 42 et seq.), the Common Rule and other 
                applicable regulations promulgated under the Health 
                Information Portability and Accountability Act of 1996 
                (Public Law 104-191), the Health Information Technology 
                for Economic and Clinical Health Act (Public Law 111-5) 
                (including the amendments made by such Act), the 21st 
                Century Cures Act (Public Law 114-255) (including the 
                amendments made by such Act), and section 444 of the 
                General Education Provisions Act (20 U.S.C. 1232g; 
                commonly known as the ``Family Educational Rights and 
                Privacy Act of 1974'');
                    (B) relevant legislation pending before Congress 
                and State legislatures;
                    (C) privacy protection efforts undertaken by--
                            (i) the Federal Government;
                            (ii) State governments; or
                            (iii) foreign governments and international 
                        governing bodies;
                    (D) privacy protection efforts undertaken by the 
                private sector, including any relevant recommendations, 
                frameworks, or proposals; and
                    (E) self-regulatory efforts initiated or proposed 
                by the private sector to respond to privacy issues.
            (3) The differences and similarities between Federal, 
        State, and international rules for protecting the privacy of 
        health information and the degree to which such similarities or 
        differences create or address problems related to collecting, 
        sharing, and using health information to improve care and lower 
        costs, and any trade-offs related to patient privacy and 
        patient control over health information.
            (4) The need for consistency in deidentification standards 
        for health data to avoid conflicting requirements that could 
        impede the improvement of health care through clinical trials, 
        technology development, public health surveillance, monitoring 
        of general health trends, and medical research.
            (5) Technologies and data currently used for treatment, 
        payment, and health care operations, compared with technologies 
        used when the privacy regulations promulgated under section 264 
        of the Health Insurance Portability and Accountability Act of 
        1996 (42 U.S.C. 1320d-2 note) were first issued, including an 
        assessment of any gaps in the privacy protections under such 
        regulations resulting from data collection and use by non-
        covered entities, taking into account recommendations of the 
        National Committee on Vital and Health Statistics and the 
        Office for the National Coordinator for Health Information 
        Technology.
            (6) The monitoring, collection, and distribution of 
        personal information by individuals or entities, including 
        access to, and use of, personal health information and medical 
        records, and the ability to access and restrict the 
        information.
            (7) Employer practices and policies with respect to the 
        health information of employees, including--
                    (A) the extent to which employers collect, use, or 
                disclose employee health information for marketing, 
                employment, or insurance underwriting purposes;
                    (B) what restrictions employers place on disclosure 
                or use of employee health information; and
                    (C) practices of employer medical departments with 
                respect to disclosing employee health information to 
                administrative or other personnel of the employer.
            (8) Current enforcement of privacy laws and rules through 
        the Federal Trade Commission, the Office for Civil Rights of 
        the Department of Health and Human Services, the Civil Rights 
        Division of the Department of Justice, State agencies 
        (including State attorneys general), and private rights of 
        action. Such evaluation shall include an examination of 
        efficacy, recommendations, and advantages and disadvantages of 
        different enforcement mechanisms, and the potential for 
        consolidation of enforcement.
            (9) Varying notices of privacy practices and whether such 
        practices are effective in informing consumers of their rights 
        and responsibilities, including, as appropriate, an assessment 
        of best practices.
            (10) Varying statutory and regulatory employee training 
        requirements, including, as appropriate, an assessment of best 
        practices and whether harmonized training requirements may be 
        more effective in encouraging efficient and effective training 
        of employees in sound practices concerning personal health 
        data.
            (11) Challenges and potential solutions to consent 
        requirements and processes, particularly related to medical 
        research.
            (12) The degree to which personal health information is 
        sold with or without consent, and the uses of such information.
    (b) Field Hearings.--The Commission may conduct field hearings in 
the United States.
    (c) Report.--
            (1) In general.--Not later than 6 months after the 
        appointment of all members of the Commission--
                    (A) a majority of the members of the Commission 
                shall approve a report described in paragraph (2); and
                    (B) the Commission shall submit the approved report 
                to the Committee on Health, Education, Labor, and 
                Pensions of the Senate, the Committee on Energy and 
                Commerce of the House of Representatives, the Secretary 
                of Health and Human Services, and the President.
            (2) Contents.--The report required under paragraph (1) 
        shall include a detailed statement of findings, conclusions, 
        and recommendations, including the following:
                    (A) Findings from the study conducted by the 
                Commission pursuant to section 4(a), including 
                potential threats posed to individual health privacy 
                and to legitimate business and policy interests.
                    (B) Analysis of purposes for which sharing of 
                health information is appropriate and beneficial to 
                consumers and the threat to health outcomes and costs 
                if privacy rules are too stringent.
                    (C) Analysis of the effectiveness of existing 
                statutes, regulations, private sector self-regulatory 
                efforts, technology advances, and market forces in 
                protecting individual health privacy.
                    (D) Recommendations on whether Federal legislation 
                is necessary, and if so, specific suggestions on 
                proposals to reform, streamline, harmonize, unify, or 
                augment current laws and regulations relating to 
                individual health privacy, including reforms or 
                additions to existing law related to enforcement, 
                preemption, consent, penalties for misuse, 
                transparency, and notice of privacy practices.
                    (E) Analysis of whether additional regulations may 
                impose costs or burdens, or cause unintended 
                consequences in other policy areas, such as security, 
                law enforcement, medical research, health care cost 
                containment, improved patient outcomes, public health, 
                or critical infrastructure protection, and whether such 
                costs or burdens are justified by the additional 
                regulations or benefits to privacy, including whether 
                such benefits may be achieved through less onerous 
                means.
                    (F) Cost analysis of legislative or regulatory 
                changes proposed in the report.
                    (G) Recommendations on non-legislative solutions to 
                individual health privacy concerns, including 
                education, market-based measures, industry best 
                practices, and new technologies.
                    (H) Review of the effectiveness and utility of 
                third-party statements of privacy principles and 
                private sector self-regulatory efforts, as well as 
                third-party certification or accreditation programs 
                meant to ensure compliance with privacy requirements.
    (d) Additional Report.--Together with the report under subsection 
(c), the Commission shall submit to Congress and the President any 
additional report of dissenting opinions or minority views by a member 
or members of the Commission.
    (e) Interim Report.--The Commission may submit to Congress and the 
President an interim report approved by a majority of the members of 
the Commission.

SEC. 5. MEMBERSHIP.

    (a) Number and Appointment.--The Commission shall--
            (1) be composed of 17 members to be appointed by the 
        Comptroller General; and
            (2) reflect the views of health providers, ancillary health 
        care workers, health care purchasers, health plans, health 
        technology developers, researchers, consumers, public health 
        experts, civil liberties experts, genomics experts, educators, 
        the consumer electronics industry, and relevant Federal 
        agencies, and other entities as the Secretary of Health and 
        Human Services determines appropriate.
    (b) Terms.--Each member of the Commission shall be appointed for 
the life of the Commission.
    (c) Vacancies.--A vacancy in the Commission shall be filled in the 
same manner in which the original appointment was made.
    (d) Compensation; Travel Expenses.--Members of the Commission shall 
serve without pay, but shall receive travel expenses, including per 
diem in lieu of subsistence, in accordance with sections 5702 and 5703 
of title 5, United States Code.
    (e) Quorum.--A majority of the members of the Commission shall 
constitute a quorum, but a lesser number may hold hearings.
    (f) Meetings.--
            (1) In general.--The Commission shall meet at the call of 
        the Chair or a majority of its members.
            (2) Initial meeting.--Not later than 60 days after the date 
        of the enactment of this Act, the Commission shall hold its 
        initial meeting.
            (3) Virtual or in-person meetings.--Meetings may be held in 
        person or virtually.
    (g) Ethical Disclosure.--The Comptroller General shall establish a 
system for public disclosure by members of the Commission of financial 
and other potential conflicts of interest relating to such members. 
Members of the Commission shall be treated as employees of Congress for 
purposes of applying title I of the Ethics in Government Act of 1978 (5 
U.S.C. App.).

SEC. 6. DIRECTOR; STAFF; EXPERTS AND CONSULTANTS.

    (a) Director.--
            (1) In general.--Not earlier than 45 days after the date of 
        enactment of this Act, the Commission shall appoint a Director 
        of the Commissioner (referred to in this Act as the 
        ``Director'') without regard to the provisions of title 5, 
        United States Code, governing appointments to the competitive 
        service.
            (2) Pay.--The Director shall be paid at the rate payable 
        for level III of the Executive Schedule established under 
        section 5314 of title 5, United States Code.
    (b) Staff.--The Director may appoint staff as the Director 
determines appropriate.
    (c) Applicability of Certain Civil Service Laws.--
            (1) In general.--The staff of the Commission shall be 
        appointed without regard to the provisions of title 5, United 
        States Code, governing appointments in the competitive service.
            (2) Pay.--The staff of the Commission shall be paid in 
        accordance with the provisions of chapter 51 and subchapter III 
        of chapter 53 of that title relating to classification and 
        General Schedule pay rates, but at rates not in excess of the 
        maximum rate for grade GS-15 of the General Schedule under 
        section 5332 of that title.
    (d) Experts and Consultants.--The Director may procure temporary 
and intermittent services under section 3109(b) of title 5, United 
States Code.
    (e) Staff of Federal Agencies.--
            (1) In general.--Upon request of the Director, the head of 
        any Federal department or agency may detail, on a reimbursable 
        basis, any of the personnel of that department or agency to the 
        Commission to assist it in carrying out this Act.
            (2) Notification.--Before making a request under this 
        subsection, the Director shall give notice of the request to 
        each member of the Commission.

SEC. 7. POWERS OF COMMISSION.

    (a) Hearings and Sessions.--The Commission may, for the purpose of 
carrying out this Act, hold hearings, sit and act at times and places, 
take testimony, and receive evidence as the Commission considers 
appropriate. The Commission may administer oaths or affirmations to 
witnesses appearing before it.
    (b) Powers of Members and Agents.--Any member or agent of the 
Commission may, if authorized by the Commission, take any action which 
the Commission is authorized to take by this section.
    (c) Obtaining Official Information.--
            (1) In general.--Except as provided in paragraph (2), if 
        the Chair of the Commission submits a request to a Federal 
        department or agency for information necessary to enable the 
        Commission to carry out this Act, the head of that department 
        or agency shall furnish that information to the Commission.
            (2) Exception for national security.--If the head of the 
        department or agency determines that it is necessary to guard 
        such information from disclosure to protect the national 
        security interests of the United States, the head shall not 
        furnish that information to the Commission.
    (d) Mails.--The Commission may use the United States mails in the 
same manner and under the same conditions as other departments and 
agencies of the United States.
    (e) Administrative Support Services.--Upon the request of the 
Director, the Administrator of General Services shall provide to the 
Commission, on a reimbursable basis, the administrative support 
services necessary for the Commission to carry out this Act.
    (f) Gifts and Donations.--The Commission may accept, use, and 
dispose of gifts or donations of services or property to carry out this 
Act, but only to the extent or in the amounts provided in advance in 
appropriation Acts.
    (g) Contracts.--The Commission may contract with and compensate 
persons and government agencies for supplies and services, without 
regard to section 3709 of the Revised Statutes (41 U.S.C. 5).
    (h) Subpoena Power.--
            (1) In general.--The Commission may issue subpoenas 
        requiring the attendance and testimony of witnesses and the 
        production of any evidence relating to any matter that the 
        Commission is empowered to investigate by section 4. The 
        attendance of witnesses and the production of evidence may be 
        required by such subpoena from any place within the United 
        States and at any specified place of hearing within the United 
        States.
            (2) Failure to obey a subpoena.--If a person refuses to 
        obey a subpoena issued under paragraph (1), the Commission may 
        apply to a United States district court for an order requiring 
        that person to appear before the Commission to give testimony, 
        produce evidence, or both, relating to the matter under 
        investigation. The application may be made within the judicial 
        district where the hearing is conducted or where that person is 
        found, resides, or transacts business. Any failure to obey the 
        order of the court may be punished by the court as civil 
        contempt.
            (3) Service of subpoenas.--The subpoenas of the Commission 
        shall be served in the manner provided for subpoenas issued by 
        a United States district court under the Federal Rules of Civil 
        Procedure for the United States district courts.
            (4) Service of process.--All process of any court to which 
        application is made under paragraph (2) may be served in the 
        judicial district in which the person required to be served 
        resides or may be found.

SEC. 8. TERMINATION.

    The Commission shall terminate 30 days after submitting a report 
under section 4(c).

SEC. 9. AUTHORIZATION OF APPROPRIATIONS.

    (a) In General.--There are authorized to be appropriated to the 
Commission such sums as may be necessary to carry out this Act.
    (b) Availability.--Any sums appropriated pursuant to the 
authorization in subsection (a) shall remain available until expended.

SEC. 10. BUDGET ACT COMPLIANCE.

    Any new contract authority authorized by this Act shall be 
effective only to the extent or in the amounts provided in advance in 
appropriation Acts.

SEC. 11. PRIVACY PROTECTIONS.

    (a) Destruction or Return of Information Required.--Upon the 
conclusion of the matter or need for which individually identifiable 
information was disclosed to the Commission, the Commission shall 
either destroy the individually identifiable information or return it 
to the person or entity from which it was obtained, unless the 
individual that is the subject of the individually identifiable 
information has authorized its disclosure.
    (b) Disclosure of Information Prohibited.--The Commission--
            (1) shall protect individually identifiable information 
        from improper use; and
            (2) may not disclose such information to any person, 
        including Congress or the President, unless the individual that 
        is the subject of the information has authorized such a 
        disclosure.
    (c) Proprietary Business Information and Financial Information.--
The Commission shall protect from improper use, and may not disclose to 
any person, proprietary business information and proprietary financial 
information that may be viewed or obtained by the Commission in the 
course of carrying out its duties under this Act.