S.3713 — 109th Congress (2005-2006)

Introduced in Senate (07/21/2006)


109th CONGRESS
2d Session
S. 3713


To protect privacy rights associated with electronic and commercial transactions.


IN THE SENATE OF THE UNITED STATES

July 21, 2006

Mrs. Clinton introduced the following bill; which was read twice and referred to the Committee on the Judiciary


A BILL

To protect privacy rights associated with electronic and commercial transactions.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Privacy Rights and OversighT for Electronic and Commercial Transactions Act of 2006” or the “PROTECT Act”.

SEC. 2. Private right of action.

(a) Compromised data.—

(1) IN GENERAL.—It shall be unlawful for any for profit entity that stores, processes, or otherwise handles the personal data of an individual to compromise the personal, nonpublic information of that individual through theft, loss, data breach or other malfeasance.

(2) LIABILITY.—An entity that violates this subsection shall—

(A) be liable to the injured individual for $1,000; and

(B) have a net liability arising from any individual data breach, theft, or loss event of not to exceed 1 percent of annual revenues for the entity.

(b) Identity theft.—

(1) IN GENERAL.—It shall be unlawful for any for profit entity to issue credit or an account for services to an unauthorized individual or make an inaccurate change to a credit report as a result of identity theft.

(2) LIABILITY.—An entity that violates this subsection shall—

(A) be liable for $5,000 to the injured individual for each instance of unauthorized use; and

(B) have a net liability for identity thefts resulting from a specific data breach event of not to exceed 5 percent of annual revenues for the entity.

(c) Small business exception.—A small business as defined by the standards of the Small Business Administration shall be exempt from this section although nothing in this section shall prohibit private rights of action against any entity for data loss or identity theft.

(d) Collective action.—A collective action may be brought under this section pursuant to the procedures provided in section 16(b) of the Fair Labor Standards Act of 1938.

SEC. 3. Opt-in for certain types of information.

Section 502 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802) is amended by adding at the end the following:

“(f) Opt in requirement for certain information.—

“(1) LIMITATION.—Notwithstanding subsection (b), a financial institution may not disclose usage data relating to a consumer to a nonaffiliated third party, unless—

“(A) such financial institution clearly and conspicuously requests authority from the consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 504 to disclose such information to such third party; and

“(B) the consumer affirmatively authorizes such disclosure, in writing.

“(2) DEFINITION.—As used in this subsection, the term ‘usage data’, means any information relating to purchase history records or any listing of items and services purchased by the consumer to whom the information relates.”.

SEC. 4. Chief Privacy Officer within the Office of Management and Budget.

(a) Definitions.—In this section—

(1) the term “agency” has the meaning given under section 551(1) of title 5, United States Code; and

(2) the term “system of records” has the meaning given under section 552a(5) of title 5, United States Code.

(b) Designation of Chief Privacy Officer.—The President shall designate a senior officer within the Office of Management and Budget as the Chief Privacy Officer, who shall have primary responsibility for privacy policy throughout all agencies.

(c) Responsibilities.—The Chief Privacy Officer shall—

(1) ensure that the technologies procured by agencies, and the use of technologies by agencies, sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personally identifiable information;

(2) ensure that agency officers have the authority to enforce rules and regulations relating to the collection, processing, and storage of personally identifiable information within, between, and among agencies;

(3) ensure that personally identifiable information contained in each system of records is handled in full compliance with fair information practices required under section 552a of title 5, United States Code, (commonly referred to as the “Privacy Act”);

(4) evaluate legislative and regulatory proposals involving collection, use, and disclosure of personally identifiable information by agencies;

(5) exercise responsibility under the direction of the Director of the Office of Management and Budget with respect to privacy impact assessment rules, regulations, and oversight under section 208 of the E-Government Act of 2002 (44 U.S.C. 3501 note); and

(6) submit an annual report to the Congress containing an analysis, for each agency, of Federal activities that affect privacy, including complaints of privacy violations, implementation of section 552a of title 5, United States Code, (commonly referred to as the “Privacy Act”), internal controls, and other matters.

(d) Agency reports to the Chief Privacy Officer.—The head of each agency and the Chief Privacy Officer of each agency established under section 522 of the Consolidated Appropriations Act, 2005 (relating to Chief Privacy Officers) (5 U.S.C. 552a note; Public Law 108–447; 118 Stat. 3268) shall—

(1) provide to the Chief Privacy Officer established under this section such information as the Chief Privacy Officer considers necessary for the completion of the annual reports under subsection (c)(6); and

(2) submit annual reports to the Chief Privacy Officer established under this section that include—

(A) an assessment of agency policies and protocols relating to data security; and

(B) a description of the actions that are being taken to ensure protection against—

(i) threats and hazards to data security; and

(ii) unauthorized access or use of data.

(e) Notifications on Breaches of Personally Identifiable Information.—

(1) NOTIFICATION TO INDIVIDUAL.—

(A) IN GENERAL.—If a system of records maintained by an agency is breached and data with personally identifiable information is accessed or disclosed without authorization as a result of that breach, the agency shall provide timely notification to each individual affected by that breach.

(B) EXCEPTION.—An agency may delay notification under subparagraph (A) on the basis of national security.

(2) NOTIFICATION TO MAJOR CREDIT REPORTING SERVICES.—

(A) IN GENERAL.—If an individual receives notification of a breach under paragraph (1), the individual may request the agency to provide notification of the breach to all major credit reporting services.

(B) NOTIFICATION.—Upon the receipt of a request under subparagraph (A), the agency shall provide notification of the breach to all major credit reporting services.

(3) NO COST TO INDIVIDUAL.—Notification under paragraph (1) or (2) shall be at no cost to any individual.

SEC. 5. Rulemaking relating to disclosures.

Section 504 of the Gramm-Leach-Bliley Act (15 U.S.C. 6804) is amended by adding at the end the following:

“(c) Disclosure regulations.—The Federal Trade Commission and each of the Federal functional regulators shall, promptly upon the date of enactment of this subsection, issue final rules applicable to financial institutions subject to their authority to require standard, clear, easy to understand disclosures of what specific information could be shared under this title, the types of third parties with which such information could be shared, and when consumers are given opt out opportunities.”.

SEC. 6. Annual disclosures to consumers.

Section 503 of the Gramm-Leach-Bliley Act (15 U.S.C. 6803) is amended by adding at the end the following:

“(c) Annual disclosures.—In addition to the disclosures required under subsection (a), upon written request of a consumer, each financial institution shall provide free of charge to the consumer up to once each year, a copy of all information maintained by the financial institution relating to the consumer, including any consolidated profile.”.

SEC. 7. Automatic free annual credit reports.

Section 612(a) of the Fair Credit Reporting Act (15 U.S.C. 1681j(a)) is amended by striking “period upon request of the consumer and” and inserting “period,”.

SEC. 8. Notice of security breaches.

(a) Notice to persons affected.—Each Federal agency, and each business entity, whether a nonprofit or for profit concern, shall promptly notify each person who may be a victim of identity theft due to a security breach involving the agency or entity, including the theft or potential theft of or other inappropriate access to identifying information relating to that person that is collected or maintained by the agency or business entity.

(b) Notice to consumer reporting agencies.—Each Federal agency and business entity described in subsection (a) shall promptly notify each consumer reporting agency described in section 603(p) of the Fair Credit Reporting Act (15 U.S.C. 1681a(p)) of a security breach described in subsection (a), including the names of all persons affected or potentially affected thereby.

(c) Regulations.—The Federal Trade Commission shall issue regulations to carry out the provisions of this section.

SEC. 9. Security freeze on credit reports.

Section 605B of the Fair Credit Reporting Act (15 U.S.C. 1681c–2) is amended to read as follows:

“SEC. 605B. Security freeze on release of information.

“(a) In general.—

“(1) CONSUMER PLACEMENT OF A SECURITY FREEZE ON INDIVIDUAL CREDIT FILES.—A consumer may place a security freeze on his or her file by making a request to a consumer reporting agency in writing, by telephone, or through a secure electronic connection made available by the consumer reporting agency.

“(2) CONSUMER DISCLOSURE.—If a consumer requests a security freeze under this section, the consumer reporting agency shall disclose to the consumer the process of placing and removing the security freeze and explain to the consumer the potential consequences of the security freeze. A consumer reporting agency may not imply or inform a consumer that the placement or presence of a security freeze on the file of the consumer may negatively affect the consumer's credit score.

“(b) Effect of security freeze.—

“(1) RELEASE OF INFORMATION BLOCKED.—If a security freeze is in place on the file of a consumer, a consumer reporting agency may not release information relating to that file for consumer credit purposes to a third party without prior express authorization from the consumer.

“(2) INFORMATION PROVIDED TO THIRD PARTIES.—Paragraph (1) does not prevent a consumer reporting agency from advising a third party that a security freeze is in effect with respect to the file of a consumer. If a third party requests access to the file of a consumer on which a security freeze is in place in connection with an application for credit, the third party may treat the application as incomplete.

“(3) CONSUMER CREDIT SCORE NOT AFFECTED.—The placement of a security freeze on a consumer file may not be taken into account for any purpose in determining the credit score of the consumer to whom the account relates.

“(c) Removal; temporary suspension.—

“(1) IN GENERAL.—Except as provided in paragraph (4), a security freeze under this section shall remain in place until the consumer requests that the security freeze be removed. A consumer may remove a security freeze on his or her credit file by making a request to a consumer reporting agency in writing, by telephone, or through a secure electronic connection made available by the consumer reporting agency.

“(2) CONDITIONS.—A consumer reporting agency may remove a security freeze placed on the file of a consumer only—

“(A) upon request of the consumer, pursuant to paragraph (1); or

“(B) if the agency determines that the credit file of the consumer was frozen due to a material misrepresentation of fact by the consumer.

“(3) NOTIFICATION TO CONSUMER.—If a consumer reporting agency intends to remove a security freeze on the file of a consumer pursuant to paragraph (2)(B), the consumer reporting agency shall notify the consumer in writing prior to removing the security freeze.

“(4) TEMPORARY SUSPENSION.—A consumer may have a security freeze on his or her credit file temporarily suspended by making a request to a consumer reporting agency in writing or by telephone and specifying beginning and ending dates for the period during which the security freeze is not to apply to that file.

“(d) Response times; notification of other entities.—

“(1) IN GENERAL.—A consumer reporting agency shall—

“(A) place a security freeze on the file of a consumer under subsection (a) not later than 5 business days after receiving a request from the consumer under subsection (a)(1); and

“(B) remove or temporarily suspend a security freeze not later than 3 business days after receiving a request for removal or temporary suspension from the consumer under subsection (c).

“(2) NOTIFICATION TO OTHER AGENCIES.—If the consumer so requests in writing or by telephone, a consumer reporting agency shall notify all other consumer reporting agencies described in section 603(p)(1) not later than 3 days after placing, removing, or temporarily suspending a security freeze on the file of the consumer under subsection (a), (c)(2)(A), or (c)(4), respectively.

“(3) IMPLEMENTATION BY OTHER COVERED ENTITIES.—A consumer reporting agency that is notified of a request under paragraph (2) to place, remove, or temporarily suspend a security freeze on the file of a consumer shall—

“(A) request proper identification from the consumer, in accordance with subsection (f), not later than 3 business days after receiving the notification; and

“(B) place, remove, or temporarily suspend the security freeze on that credit report not later than 3 business days after receiving proper identification.

“(e) Confirmation.—Except as provided in subsection (c)(3), whenever a consumer reporting agency places, removes, or temporarily suspends a security freeze on the file of a consumer at the request of that consumer under subsection (a) or (c), respectively, it shall send a written confirmation thereof to the consumer not later than 10 business days after placing, removing, or temporarily suspending the security freeze on the file. This subsection does not apply to the placement, removal, or temporary suspension of a security freeze by a consumer reporting agency because of a notification received under subsection (d)(2).

“(f) Identification required.—A consumer reporting agency may not place, remove, or temporarily suspend a security freeze on the file of a consumer or otherwise provide a credit report or score in accordance with this section at the request of the consumer, unless the consumer provides proper identification (within the meaning of section 610(a)(1) and the regulations thereunder).

“(g) Exceptions.—This section does not apply to the use of a consumer credit report by any of the following:

“(1) A person or entity, or a subsidiary, affiliate, or agent of that person or entity, or an assignee of a financial obligation owing by the consumer to that person or entity, or a prospective assignee of a financial obligation owing by the consumer to that person or entity in conjunction with the proposed purchase of the financial obligation, with which the consumer has or had prior to assignment an account or contract, including a demand deposit account, or to whom the consumer issued a negotiable instrument, for the purposes of reviewing the account or collecting the financial obligation owing for the account, contract, or negotiable instrument.

“(2) Any Federal, State, or local agency, law enforcement agency, trial court, or private collection agency acting pursuant to a court order, warrant, subpoena, or other compulsory process.

“(3) A child support agency or its agents or assigns acting pursuant to subtitle D of title IV of the Social Security Act (42 U.S.C. et seq.) or similar State law.

“(4) The Department of Health and Human Services, a similar State agency, or the agents or assigns of the Federal or State agency acting to investigate Medicare or Medicaid fraud.

“(5) The Internal Revenue Service or a State or municipal taxing authority, or a State department of motor vehicles, or any of the agents or assigns of these Federal, State, or municipal agencies acting to investigate or collect delinquent taxes, or unpaid court orders, or to fulfill any of their other statutory responsibilities.

“(6) The use of consumer credit information for the purposes of prescreening as provided in this title.

“(7) Any person or entity administering a credit file monitoring subscription to which the consumer has subscribed.

“(8) Any person or entity for the purpose of providing a consumer with a copy of his or her credit report or credit score, upon the request of the consumer and upon provision of appropriate identification in accordance with subsection (f).

“(h) Fees.—

“(1) IN GENERAL.—Except as provided in paragraph (2), a consumer reporting agency may charge a reasonable fee, as determined by the Commission by rule, promulgated in accordance with section 553 of title 5, United States Code, for placing, removing, or temporarily suspending a security freeze on the file of a consumer under this section.

“(2) EXCEPTION FOR IDENTITY THEFT VICTIMS.—A consumer reporting agency may not charge a fee for placing, removing, or temporarily suspending a security freeze on the file of a consumer, if—

“(A) the consumer is a victim of identity theft;

“(B) the consumer requests the security freeze in writing;

“(C) the consumer has filed a police report with respect to the theft, or an identity theft report (as defined in section 603(q)(4)), not later than 90 days after the date on which the theft occurred or was discovered by the consumer;

“(D) the consumer provides a copy of the police report to the consumer reporting agency; and

“(E) the consumer—

“(i) has been notified by any entity that personally identifiable information handled by that entity has been compromised or breached; and

“(ii) notifies the consumer reporting agency of such compromise or breach.

“(i) Limitation on information changes in frozen files.—

“(1) IN GENERAL.—If a security freeze is in place on the file of a consumer, a consumer reporting agency may not change any of the following official information in that file without sending a written confirmation of the change to the consumer, not later than 30 days after the change is made:

“(A) Name.

“(B) Date of birth.

“(C) Social Security number.

“(D) Address.

“(2) CONFIRMATION.—Paragraph (1) does not require written confirmation for technical modifications of a consumer's official information, including name and street abbreviations, complete spellings, or transposition of numbers or letters. In the case of an address change, the written confirmation shall be sent to both the new address and to the former address.

“(j) Certain entity exemptions.—

“(1) AGGREGATORS AND OTHER AGENCIES.—The provisions of subsections (a) through (i) do not apply to a consumer reporting agency that acts only as a reseller of credit information by assembling and merging information contained in the data base of another consumer reporting agency or multiple consumer reporting agencies, and does not maintain a permanent data base of credit information from which new consumer credit reports are produced.

“(2) OTHER EXEMPTED ENTITIES.—The following entities are not required to place a security freeze on the file of a consumer under this section:

“(A) A check services or fraud prevention services company which issues reports on incidents of fraud or authorizations for the purpose of approving or processing negotiable instruments, electronic funds transfers, or similar methods of payments.

“(B) A deposit account information service company which issues reports regarding account closures due to fraud, substantial overdrafts, ATM abuse, or similar negative information regarding a consumer, to inquiring banks or other financial institutions for use only in reviewing a consumer request for a deposit account at the inquiring bank or financial institution.

“(k) State Preemption.—This section shall preempt any provision of State or local law, regulation, or rule that requires consumer reporting agencies to comply with the request of a consumer to place, remove, or temporarily suspend a prohibition on the release by a consumer reporting agency of information from its files on that consumer, but only if it is determined by the Commission that this section will provide materially stronger consumer protections than those afforded to consumers under otherwise applicable State or local law.”.

SEC. 10. Safeguarding Americans from exporting identification data.

(a) Definitions.—As used in this section:

(1) BUSINESS ENTERPRISE.—The term “business enterprise” means—

(A) any organization, association, or venture established to make a profit;

(B) any health care business;

(C) any private, nonprofit organization; or

(D) any contractor, subcontractor, or potential subcontractor of an entity described in subparagraph (A), (B), or (C).

(2) HEALTH CARE BUSINESS.—The term “health care business” means any business enterprise or private, nonprofit organization that collects or retains personally identifiable information about consumers in relation to medical care, including—

(A) hospitals;

(B) health maintenance organizations;

(C) medical partnerships;

(D) emergency medical transportation companies;

(E) medical transcription companies;

(F) banks that collect or process medical billing information; and

(G) subcontractors, or potential subcontractors, of the entities described in subparagraphs (A) through (F).

(3) PERSONALLY IDENTIFIABLE INFORMATION.—The term “personally identifiable information” includes information such as—

(A) name;

(B) postal address;

(C) financial information;

(D) medical records;

(E) date of birth;

(F) phone number;

(G) e-mail address;

(H) social security number;

(I) mother's maiden name;

(J) password;

(K) State identification information; and

(L) driver's license number.

(b) Transmission of information.—

(1) PROHIBITION.—A business enterprise may not disclose personally identifiable information regarding a resident of the United States to any foreign branch, affiliate, subcontractor, or unaffiliated third party located in a foreign country unless—

(A) the business enterprise provides the notice of privacy protections described in sections 502 and 503 of the Gramm-Leach-Bliley Act (15 U.S.C. 6802 and 6803) or required by the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note), as appropriate;

(B) the business enterprise complies with the safeguards described in section 501(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801(b)), as appropriate;

(C) the consumer is given the opportunity, before the time that such information is initially disclosed, to object to the disclosure of such information to such foreign branch, affiliate, subcontractor, or unaffiliated third party; and

(D) the consumer is given an explanation of how the consumer can exercise the nondisclosure option described in subparagraph (C).

(2) HEALTH CARE BUSINESSES.—A health care business may not terminate an existing relationship with a consumer of health care services in order to prevent the consumer from objecting to the disclosure under paragraph (1)(C).

(3) EFFECT ON BUSINESS RELATIONSHIP.—

(A) NONDISCRIMINATION.—A business enterprise may not discriminate against or deny an otherwise qualified consumer a financial product or a health care service because the consumer has objected to the disclosure under paragraph (1)(C).

(B) PRODUCTS AND SERVICES.—A business enterprise shall not be required to offer or provide a product or service through affiliated entities or jointly with nonaffiliated business enterprises.

(C) INCENTIVES AND DISCOUNTS.—Nothing in this subsection is intended to prohibit a business enterprise from offering incentives or discounts to elicit a specific response to the notice required under paragraph (1).

(4) LIABILITY.—

(A) IN GENERAL.—A business enterprise that knowingly and directly transfers personally identifiable information to a foreign branch, affiliate, subcontractor, or unaffiliated third party shall be liable to any person suffering damages resulting from the improper storage, duplication, sharing, or other misuse of such information by the transferee.

(B) CIVIL ACTION.—An injured party under subparagraph (A) may sue in law or in equity in any court of competent jurisdiction to recover the damages sustained as a result of a violation of this subsection.

(5) RULEMAKING.—The Chairman of the Federal Trade Commission shall promulgate regulations through which the Chairman may enforce the provisions of this subsection and impose a civil penalty for a violation of this section.

(c) Privacy for consumers of health services.—The Secretary of Health and Human Services shall revise the regulations promulgated pursuant to section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note) to require a covered entity (as defined by such regulations) that outsources protected health information (as defined by such regulations) outside the United States to include in such entity’s notice of privacy protections—

(1) notification that the covered entity outsources protected health information to business associates (as defined by such regulations) for processing outside the United States;

(2) a description of the privacy laws of the country to which the protected health information will be sent;

(3) any additional risks and consequences to the privacy and security of protected health information that arise as a result of the processing of such information in a foreign country;

(4) additional measures the covered entity is taking to protect the protected health information outsourced for processing outside the United States;

(5) notification that the protected health information will not be outsourced outside the United States if the consumer objects; and

(6) a certification that—

(A) the covered entity has taken reasonable steps to identify the locations where protected health information is outsourced by such business associates;

(B) attests to the privacy and security of the protected health information outsourced for processing outside the United States; and

(C) states the reasons for the determination by the covered entity that the privacy and security of such information is maintained.

(d) Privacy for consumers of financial services.—Section 503(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6803(b)) is amended—

(1) in paragraph (3), by striking “and” after the semicolon;

(2) in paragraph (4), by striking the period at the end and inserting “; and”; and

(3) by adding at the end the following:

“(5) if the financial institution outsources nonpublic personal information outside the United States—

“(A) information informing the consumer in simple language—

“(i) that the financial institution outsources nonpublic personal information to entities for processing outside the United States;

“(ii) of the privacy laws of the country to which nonpublic personal information will be sent;

“(iii) of any additional risks and consequences to the privacy and security of an individual’s nonpublic personal information that arise as a result of the processing of such information in a foreign country; and

“(iv) of the additional measures the financial institution is taking to protect the nonpublic personal information outsourced for processing outside the United States; and

“(B) a certification that—

“(i) the financial institution has taken reasonable steps to identify the locations where nonpublic personal information is outsourced by such entities;

“(ii) attests to the privacy and security of the nonpublic personal information outsourced for processing outside the United States; and

“(iii) states the reasons for the determination by the institution that the privacy and security of such information is maintained.”.

(e) Effective date.—This section shall take effect on the expiration of the date which is 90 days after the date of enactment of this Act.

SEC. 11. Telephone and communications records.

(a) In general.—Not later than 120 days after the date of enactment of this Act, the Federal Trade Commission, the Federal Communications Commission and the Attorney General shall establish a Center for Telecommunications Records Privacy (referred to in this section as the “Center”) which shall consist of the appropriate designees of each agency which shall be established by a memorandum of understanding among the agencies.

(b) Responsibilities.—The Center shall—

(1) be charged with evaluating the current rules, regulations and law regarding the unauthorized disclosure, access, and sharing of telephone and telephony technology call records and identify gaps in coverage and enforcement regarding the unauthorized disclosure, sharing, or sale of telephone and communications records; and

(2) on an annual basis—

(A) provide an assessment of the frequency and scope of the unauthorized and criminal disclosure of telecommunications records and provide an evaluation of the effectiveness of enacted laws and regulations;

(B) identify new telecommunications technologies not covered by current law or regulation; and

(C) make recommendations to Congress regarding other legislative or regulatory steps that can be taken to address emerging issues.

SEC. 12. Federal Trade Commission rules for data processors and rules for Federal agencies.

(a) In general.—The Federal Trade Commission shall issue new rules for Federal agencies responsible for working with data processors to ensure the security and confidentiality of nonpublic personal information to—

(1) protect against any anticipated threats or hazards to the security or integrity of such information;

(2) protect against unauthorized access to or use of such information which could result in substantial harm or inconvenience to a customer or the relevant financial institution; and

(3) protect against the illegal or unauthorized collection of personally identifiable information by data processors.

(b) Definition.—In this section, the term “data processor” means any entity the business of which in whole or in part is the handling, processing, compilation, exchange, transmittal, or other management or processing of the nonpublic personal information of consumers by agreement on behalf of another institution.

(c) Report.—Each Federal agency covered by this section shall submit annual reports to the Chief Privacy Officer established under section 4, which shall include an assessment of agency policies and protocols dealing with data security and what steps are being taken to ensure against threats and hazards to that security and protecting against unauthorized access or use of data.

SEC. 13. Medical records.

(a) Application of penalties to certain employees.—Section 1177 of the Social Security Act (42 U.S.C. 1320d–6) is amended by adding at the end the following:

“(c) Clarification of application.—The provisions of subsection (a) shall apply to individuals who knowingly use, obtain, or disclose individually identifiable health information or a unique health identifier regardless of the manner in which such individuals obtain such information or the relation of the individual to the entity that maintains the information involved. The preceding sentence shall apply to individuals who illegally hack into computer systems to obtain data.”.

(b) Expanding the scope of the HIPAA privacy rule.—

(1) IN GENERAL.—The Secretary of Health and Human Services shall modify the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act (42 U.S.C. 1320dd–2 note) to broaden the scope of who is considered to be a covered entity to include those entities and individuals that disclose health information to other entities in the course of their commercial activities and not in relation to the provision of healthcare services.

(2) TIMING.—The Secretary of Health and Human Services shall—

(A) not later than 12 months after the date of enactment of this Act, promulgate a proposed rule for the modifications described in paragraph (1); and

(B) not later than 24 months after the date of enactment of this Act, promulgate a final rule for the modifications described in paragraph (1).

(3) REINSTATEMENT OF CERTAIN CONSENT PROVISIONS.—Notwithstanding any other provision of law, the provisions of section 164–506(b) of title 45, Code of Federal Regulations, as in effect on April 14, 2001 and modified in 2002, relating to the consent to use and disclose certain information for treatment, payment, or health care operations, shall be deemed to be reinstated and implemented accordingly.

(c) Reporting requirements.—The Secretary of Health and Human Services shall develop a procedure for the reporting to the Secretary, by individuals or entities receiving assistance from the Department of Health and Human Services, of any unlawful disclosures of identifiable health information in violation of section 1176 or 1177 of the Social Security Act (42 U.S.C. 12320d–5; 1320d–6) or the regulations promulgated under section 264(c) of the Health Insurance Portability and Accountability Act (42 U.S.C. 1320dd–2 note) by such individuals or entities. In developing such procedure, the Secretary shall—

(1) take into consideration the notification procedures used by other public or private sector entities, including the TRICARE program; and

(2) provide for the appropriate notification, by individuals or entities receiving assistance from the Department of Health and Human Services, to individuals whose identifiable health information has been disclosed in violation of such section 1176 or 1177 or such regulations by such individuals or entities.

(d) Investigation of complaints.—With respect to a report of an unlawful disclosure of health information under subsection (c), the Secretary of Health and Human Services shall investigate such disclosure using the complaint process contained in subpart C of part 160 of title 45, Code of Federal Regulations (as in effect on the date of enactment of this Act), except that for purposes of the review process contained in section 160.308 of such subpart, the Secretary shall establish a schedule of routine compliance reviews of covered entities (as such term is used for purposes of such section).