Reproductive Health Client Data Privacy Act

Summary: The Reproductive Health Client Data Privacy Act prohibits Unregulated Pregnancy Clinics from disclosing personally-identifiable and private health information to any other entity without the consent of the client.

[BILL DRAFTING NOTE: This bill uses a unique definition of “Unregulated Pregnancy Clinic” which fits the needs of this particular legislation. Please work with local advocates to decide if this name works best for you and your state.]

SECTION 1. SHORT TITLE

This Act shall be called the “Reproductive Health Client Data Privacy Act.”

SECTION 2. FINDINGS

The legislature finds that:

1. When clients go to any health care facility, they expect their sensitive personal health information to be kept confidential and their records and communications to be kept secure from third parties, unless they explicitly give consent to sharing the information.

2. When hospitals, medical clinics and physicians operating in the regulated health marketplace solicit and record patients’ private health information, they are required by federal law to keep that information confidential pursuant to the Health Insurance Portability and Accountability Act (HIPAA). HIPAA also requires that private health information, as well as all communications with patients, be kept secure against breaches by third parties.

3. Unregulated Pregnancy Clinics that do not engage in transactions regulated by HIPAA, such as the electronic transfer of client data for the purpose of billing for services, billing health insurance and referrals, are not subject to HIPAA and, therefore, are not legally required to maintain the privacy or security of clients’ health information.

4. Many Unregulated Pregnancy Clinics collect personal health information from their clients, including medical histories, the results of medical tests, and communications with clients about health issues. Many Unregulated Pregnancy Clinics also maintain client records in online databases that are accessible by third parties outside of the center.

5. The State must ensure that health information is kept confidential unless individuals providing the information expressly agree to a disclosure.

SECTION 3. PRIVACY FOR CLIENTS OF UNREGULATED PREGNANCY CLINICS

After section XXX, the following new section XXX shall be inserted:

(A) DEFINITIONS—In this section:

1. “Health information” means information about the past, present, or future physical or mental health or condition of an individual, or the provision of health care to an individual, as these terms are used in the Health Insurance Portability and Accountability Act (HIPAA) Sec. 160.103.

2. “Unregulated Pregnancy Clinic” means a facility that offers pregnancy-related health care services, including determination of pregnancy and pregnancy health care counseling, but is not a “covered entity” under the federal Health Insurance Portability and Accountability Act (HIPAA), 42 USC Sec. 1320d et al. and 45 CFR Parts 160 and 164.

(B) PRIVACY OF RECORDS REQUIRED

1. An Unregulated Pregnancy Clinic shall not disclose to any entity or individual a client’s name or any health information that could reasonably be linked with an individual client, without written permission of the client for that specific disclosure of information.

2. Prior to obtaining written permission for the disclosure of information, the Unregulated Pregnancy Clinic shall provide the client with a clear and understandable privacy notice, including:

(a) the specific purpose for disclosing the information to a third party;

(b) the specific types of information to be disclosed; and

(c) the third parties who might or will receive the information.

3. An Unregulated Pregnancy Clinic shall provide a simple mechanism for a client to revoke any consent for the disclosure of information.

4. Within 10 business days of a client’s request, an Unregulated Pregnancy Clinic shall provide to a client, without charge, a copy of all of that client’s records possessed by the center.

5. This section does not prohibit an Unregulated Pregnancy Clinic from disclosures that maintain the confidentiality of individual clients’ personal information, such as the numbers of clients who have been provided with particular goods or services.

6. Nothing in this section shall be construed to restrict an Unregulated Pregnancy Clinic’s ability to:

(a) comply with federal, state or local laws, rules or regulations;

(b) comply with lawful civil, criminal or regulatory inquiries; or

(c) defend itself against legal claims.

(C) SECURITY OF CLIENT HEALTH INFORMATION REQUIRED

1. An Unregulated Pregnancy Clinic shall:

(a) Protect clients’ health information by using data security protocols as effective as those required by the federal Health Insurance Portability and Accountability Act (HIPAA);

(b) Protect against any reasonably anticipated threats or hazards to, or prohibited uses of, such information; and

(c) Ensure compliance by its workforce.

2. Unregulated Pregnancy Clinics that receive client information by way of electronic communication, including but not limited to phone calls, emails, text messages, instant messages, chat room, and video or voice calls conducted via internet-based platforms, shall utilize an encryption system, meaning an algorithmic platform to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.

(D) ENFORCEMENT

1. Whenever the Attorney General or a district attorney [if applicable: a city attorney, a county counsel] has reasonable cause to believe that an Unregulated Pregnancy Clinic has violated this section, the Attorney General may issue a civil investigative demand pursuant to [cite code].

2. The Attorney General may commence an action in any court of competent jurisdiction for injunctive relief to compel compliance with the provisions of this section, and for civil penalties for violations.

3. Prior to commencing an action in court, the Attorney General shall give written notice to the Unregulated Pregnancy Clinic to cure such violations not later than 10 business days after receipt of the written notice.

4. Upon a finding by the court that an Unregulated Pregnancy Clinic has violated this section, the state shall be entitled to recover:

(a) civil penalties of up to three thousand dollars for a first violation;

(b) civil penalties of up to ten thousand dollars for a second or subsequent violation; and

(c) reasonable attorneys’ fees and costs.

5. In determining the overall amount of civil penalties to assess against an Unregulated Pregnancy Clinic, the court shall include, but not be limited to, the following in its consideration:

(a) the nature and severity of the violation;

(b) the size, scope, and type of the offending organization; and

(c) the good faith cooperation of the offending organization with any investigations conducted by the Attorney General pursuant to this section.

SECTION 4. EFFECTIVE DATE

This law shall become effective on July 1, 20XX.

 
