January 23, 2003, Introduced by Senator JACOBS and referred to the Committee on Health Policy.
A bill to ensure the privacy of health care information; to
establish certain rights with regard to health care information;
to establish penalties for violations; and to authorize the
adoption of rules.
THE PEOPLE OF THE STATE OF MICHIGAN ENACT:
1 Sec. 1. This act shall be known and may be cited as the
2 "health care information protection and privacy act".
3 Sec. 2. The legislature finds and declares all of the
4 following:
5 (a) Patients have a legally protected interest in health care
6 information.
7 (b) Patients have a right to privacy and a reasonable
8 expectation that their health care information will be kept
9 private and confidential.
10 (c) There is no existing comprehensive law that creates an
1 appropriate standard of conduct for disclosure of health care
2 information.
3 (d) Patients need explicit additional statutory protection
4 from fraud, deception, nuisance, invasion of privacy, and breach
5 of confidentiality related to the disclosure of health care
6 information.
7 (e) Patients must be assured that their free and full
8 disclosure of symptoms, conditions, and related information will
9 remain private.
10 (f) The disclosure of health care information without
11 authorization may cause significant harm to patients, including
12 1 or more of the following:
13 (i) Discouraging patients from making full disclosure of
14 their health care information to health care providers.
15 (ii) Subjecting patients to fraudulent, misleading, or
16 deceptive direct mail, telephone, or internet solicitations.
17 (iii) Subjecting patients to intimidation, intrusion,
18 harassment, and nuisance.
19 (iv) Subjecting patients to undue embarrassment or ridicule.
20 (v) Subjecting patients to invasion of privacy.
21 (g) Patients have a right to access their health care
22 information and comment on the accuracy of that information.
23 Sec. 3. As used in this act:
24 (a) "Authorized representative" means 1 of the following:
25 (i) A person empowered by the patient by explicit written
26 authorization to act on the patient's behalf to access, disclose,
27 or consent to the disclosure of the patient's health care
1 information, in accordance with this act.
2 (ii) A guardian appointed under section 5306 of the estates
3 and protected individuals code, 1998 PA 386, MCL 700.5306, to the
4 extent that the scope of the guardianship includes the authority
5 to act on the patient's behalf with regard to health care
6 information.
7 (iii) If the patient is deceased, his or her personal
8 representative or his or her heirs at law or the beneficiary of
9 the patient's life insurance policy, to the extent provided by
10 section 2157 of the revised judicature act of 1961, 1961 PA 236,
11 MCL 600.2157.
12 (iv) With respect to an unemancipated minor, a parent,
13 guardian, or person acting in loco parentis, except that if a
14 minor lawfully obtains a health care service without the consent
15 or notification of a parent, guardian, or other person acting in
16 loco parentis, the minor has the exclusive right to exercise the
17 rights of a patient under this act with respect to health care
18 information relating to that care.
19 (b) "Business day" means a day other than a Saturday, a
20 Sunday, or a holiday recognized and observed by this state or the
21 federal government.
22 (c) "Department" means the department of consumer and
23 industry services.
24 (d) "Disclosure" means the release, transfer, provision of
25 access to, or divulging in any other manner of health care
26 information.
27 (e) "Genetic information" means information about a gene,
1 gene product, or inherited characteristic that is derived from a
2 genetic test.
3 (f) "Genetic test" means the analysis of human DNA, RNA,
4 chromosomes, and those proteins and metabolites used to detect
5 heritable or somatic disease-related genotypes or karyotypes for
6 clinical purposes. A genetic test must be generally accepted in
7 the scientific and medical communities as being specifically
8 determinative for the presence, absence, or mutation of a gene or
9 chromosome in order to qualify under this definition. Genetic
10 test does not include a routine physical examination or a routine
11 analysis, including, but not limited to, a chemical analysis, of
12 body fluids, unless conducted specifically to determine the
13 presence, absence, or mutation of a gene or chromosome.
14 (g) "Health care information" means information, recorded in
15 any form or medium, related to the health care of a specific
16 patient. Health care information includes, but is not limited
17 to, medical history, medical records, medical reports, medical
18 summaries, medical diagnoses and prognoses, prescriptions as
19 defined in section 17708(3) and described in section 17752 of the
20 public health code, 1978 PA 368, MCL 333.17708 and 333.17752,
21 medical treatment and medication ordered and given, other health
22 care-related notes and entries, and x-rays and other imaging
23 records. Health care information also includes personal medical
24 information supplied to an internet site dealing with health care
25 matters. For purposes of this act, health care information does
26 not include any of the following:
27 (i) Ordinary business information pertaining to patients'
1 accounts.
2 (ii) Information that is obtained from the public records of
3 a governmental entity.
4 (iii) Nonidentifiable health care information.
5 (iv) Except for the purposes of sections 5 and 8, records of
6 recipients who receive mental health services under the mental
7 health code, 1974 PA 258, MCL 330.1001 to 330.2106.
8 (h) "Health information custodian" means an entity that
9 collects, organizes, analyzes, or maintains health care
10 information. Health information custodian includes entities that
11 collect information about individuals' health on behalf of the
12 insurance industry except as otherwise provided by law. Health
13 information custodian also includes an independent review
14 organization as that term is defined in section 3 of the
15 patient's right to independent review act, 2000 PA 251, MCL
16 550.1903, a prudent purchaser organization, and an insurance
17 agent as the term "agent" is used in section 1201 of the
18 insurance code of 1956, 1956 PA 218, MCL 500.1201. Health
19 information custodian includes an internet site that obtains and
20 retains or collects personal medical information from individuals
21 who visit the site. Health information custodian does not
22 include a health care provider, third party payer, a person that
23 conducts health research, an organization that oversees or audits
24 a health care provider for risk management or quality control, or
25 a governmental entity.
26 (i) "Health care provider" means 1 of the following:
27 (i) A health professional licensed or registered under
1 parts 161 to 183 and part 185 of the public health code, 1978 PA
2 368, MCL 333.16101 to 333.18311 and MCL 333.18501 to 333.18515.
3 (ii) Emergency medical services personnel licensed under
4 part 209 of the public health code, 1978 PA 368, MCL 333.20901 to
5 333.20979.
6 (iii) A health facility or agency as defined in
7 section 20106(1) of the public health code, 1978 PA 368, MCL
8 333.20106.
9 (iv) A substance abuse treatment program licensed under
10 parts 61 to 65 of the public health code, 1978 PA 368, MCL
11 333.6101 to 333.6523.
12 (v) A facility providing outpatient physical therapy
13 services, including speech pathology services.
14 (vi) A kidney disease treatment center, including a
15 freestanding hemodialysis unit.
16 (vii) An ambulatory health care facility.
17 (viii) A tertiary health care service facility.
18 (ix) A home health agency.
19 (x) An adult foster care facility licensed under the adult
20 foster care facility licensing act, 1979 PA 218, MCL 400.701 to
21 400.737.
22 (xi) A health-related provider, service, or supplier that
23 maintains a provider agreement with a third party payer.
24 (xii) Any officer, employee, agent, or contractor of a
25 provider described in subparagraphs (i) to (xi), insofar as the
26 employee, agent, or contractor creates, receives, obtains, uses,
27 or discloses health care information.
1 (j) "Individual" means a natural person.
2 (k) "Newspaper" means either of the following as applicable:
3 (i) A newspaper for the dissemination of general news and
4 information that has a bona fide list of paying subscribers or
5 has been published at least once a week in the same community
6 without interruption for at least 2 years, and has been
7 established, published, and circulated at least once a week
8 without interruption for at least 1 year in the county where
9 publication is to occur.
10 (ii) If no newspaper qualifies in the county where
11 publication is to be made, a newspaper meeting this definition in
12 an adjoining county.
13 (l) "Nonidentifiable health care information" means any
14 information that would otherwise be protected as health care
15 information under section 4 except that the information does not
16 reveal the identity of the individual whose health or health care
17 is the subject of the information and there is no reasonable
18 basis to believe that the information could be used, either alone
19 or with other information that is or should reasonably be known
20 to be available to recipients of the information, to reveal the
21 identity of that individual.
22 (m) "Patient" means an individual, including a deceased
23 individual, who receives or has received health care from a
24 health provider, provided the individual is 1 of the following:
25 (i) An adult.
26 (ii) An emancipated minor.
27 (iii) An unemancipated minor who lawfully obtains a health
1 care service without the consent or notification to a parent,
2 guardian, or other person acting in loco parentis, with respect
3 to health care information relating to that service.
4 (iv) An unemancipated minor represented by his or her
5 authorized representative.
6 (n) "Person" means an individual, partnership, cooperative,
7 association, private corporation, personal representative,
8 receiver, trustee, designee, governmental unit, or any other
9 legal entity.
10 (o) "Reasonable costs" means costs not to exceed 25 cents per
11 page for copies of health care information that are in paper
12 form, the actual duplication cost for health care information,
13 such as x-rays or microfiche, that is not in paper form, and
14 actual postage if the information is mailed to the patient, the
15 patient's authorized representative, or another recipient
16 designated by the patient or authorized representative.
17 (p) "Reasonable notice" means 2 business days for information
18 stored on the business premises of a health care provider and 7
19 business days for information stored off of the business premises
20 of a health care provider.
21 (q) "Third party payer" means a public or private health care
22 payment or benefits program that is created, authorized, or
23 licensed under state or federal laws, including, but not limited
24 to, all of the following:
25 (i) An insurer authorized to do business in this state.
26 (ii) A nonprofit health care corporation.
27 (iii) A health maintenance organization.
1 (iv) A nonprofit dental care corporation.
2 (v) Medicaid, medicare, or another state or federal health
3 care program that pays for health care.
4 (vi) Any officer, employee, agent, or contractor of a third
5 party payer described in subparagraphs (i) to (v) above, insofar
6 as the employee, agent, or contractor creates, receives, obtains,
7 uses, or discloses health care information.
8 (r) "Use" means the employment, application, utilization,
9 examination, or analysis of information within an entity that
10 holds the information.
11 (s) "Written consent" includes consent provided by
12 facsimile.
13 Sec. 4. (1) Health care information is confidential.
14 Except as provided in section 9 or as specifically provided by
15 federal or state law, rule, regulation, or medicaid policy,
16 health care information shall not be disclosed by health care
17 providers, health information custodians, third party payers, or
18 their employees, agents, or contractors, without the written
19 consent of the patient or the patient's authorized representative
20 on a consent form meeting the requirements of subsection (2).
21 (2) Consent forms for the disclosure of health care
22 information shall contain the following information in a clear
23 and conspicuous manner:
24 (a) A description of the information to be used or disclosed
25 that identifies the information in a specific and meaningful
26 fashion.
27 (b) A statement of the need for and proposed uses of the
1 health care information.
2 (c) A statement that specific and explicit consent is
3 required for disclosure of information concerning alcohol or drug
4 abuse, and information about human immunodeficiency virus (HIV),
5 acquired immunodeficiency syndrome (AIDS), and AIDS related
6 conditions (ARC). If this information is contained in a
7 patient's health care information, the consent form shall provide
8 an opportunity for the patient to designate whether or not
9 disclosure of this information is authorized.
10 (d) An expiration date. If no expiration date is specified,
11 the consent shall expire 2 years after the date that the consent
12 was signed by the patient or the patient's authorized
13 representative.
14 (e) The person or a description of the types of persons
15 authorized to disclose the information.
16 (f) The identity or description of the person or persons
17 authorized to receive the information.
18 (g) A statement that the patient or authorized representative
19 may revoke the consent for disclosure of health care information
20 at any future time, except to the extent action has already been
21 taken in reliance upon the written consent of the patient or the
22 authorized representative. Any revocation must be transmitted in
23 writing to the entity authorized to disclose the information.
24 (h) A statement that the patient, or an authorized
25 representative, is entitled to receive a copy of the completed
26 consent form.
27 (3) Within 6 months after the effective date of this act, the
1 department, in consultation with the Michigan board of medicine
2 and the Michigan board of osteopathic medicine and surgery, shall
3 develop and distribute a consent form for purposes of this
4 section that health care providers may adopt. The department
5 shall distribute the model form, upon request and at no charge,
6 to any person that is subject to the requirements of this act.
7 (4) If a patient chooses to disclose information concerning
8 genetics or genetic testing, the patient or the authorized
9 representative must provide written consent on a form that is
10 separate from the consent form that is described in
11 subsection (2) and contains the following notice:
12 NOTICE OF RIGHTS WITH REGARD TO
13 GENETIC TESTING AND INFORMATION
14 Michigan law restricts requests by commercial health
15 insurers, Blue Cross Blue Shield of Michigan, health
16 maintenance organizations, and employers that individuals
17 undergo genetic testing or disclose whether genetic testing
18 has been conducted or the results of genetic testing or
19 genetic information. Patients who have questions about
20 their rights may wish to seek legal advice.
21 (5) Consent forms must be specific to a particular
22 disclosure, and blanket consent forms are prohibited.
23 (6) Every use and disclosure of health care information shall
24 be limited to the purpose or purposes for which it was collected
25 as specified in the consent form. Any other use or disclosure
26 without a valid consent to disclose shall be an unauthorized
27 disclosure.
1 (7) A person that receives health care information, pursuant
2 to a written consent, or without consent when authorized under
3 section 9 or any federal or state law, rule, regulation, or
4 medicaid policy, may use the information solely to carry out the
5 purpose for which the information was authorized for disclosure
6 by the patient or authorized representative or by the law, rule,
7 regulation, or policy, and is prohibited from redisclosing the
8 information absent a new authorization permitting further
9 disclosure.
10 (8) Health care information that concerns a patient or
11 information that identifies a patient shall not be sold, rented,
12 licensed, exchanged, or in any other way transferred to another
13 person for use in a commercial solicitation or for other
14 marketing activity, without first obtaining the prior written
15 consent of the patient or authorized representative that his or
16 her health care information or any information identifying him or
17 her may be released for this specific purpose. Information that
18 identifies a patient includes, but is not limited to, a patient's
19 name, address, telephone number, social security number, and
20 e-mail address; and if a patient is a dependent of a health care
21 policyholder, the policyholder's name, address, telephone number,
22 social security number, and e-mail address.
23 (9) This act shall not be construed to amend any law that
24 provides more extensive protection to a patient for
25 confidentiality of health care information or greater access to a
26 patient, or the patient's authorized representative, to the
27 patient's own health care information, than provided in this
1 act.
2 (10) This act is not intended to hinder, interfere with, or
3 prevent a regulatory agency or law enforcement official from
4 obtaining, or attempting to obtain, any information under
5 federal, state, or local law, or other legal means, or to
6 disclose the same in the execution of regulatory or law
7 enforcement duties.
8 (11) This act is not intended to conflict with provisions of
9 any laws applicable in Michigan that allow for electronic
10 filings, records, or signatures, if as a result of the
11 application of those laws patients are not deprived of the
12 protections and benefits provided in this act.
13 Sec. 5. Health care providers, third party payers, and
14 health information custodians that receive health care
15 information shall do all of the following:
16 (a) Establish and maintain safeguards to protect the
17 confidentiality, security, accuracy, and integrity of health care
18 information, and of personal information that identifies a
19 patient, that is created, received, obtained, maintained, used,
20 transmitted, or disposed of by them.
21 (b) Establish policies to protect health care information and
22 personal information that identifies a patient from unauthorized
23 disclosure or redisclosure that, at a minimum, does all of the
24 following:
25 (i) Limit authorized access to health care information and
26 personal information that identifies a patient to persons having
27 a "need to know" that information.
1 (ii) Identify an individual or individuals who have
2 responsibility for maintaining security procedures for health
3 care information and personal information that identifies a
4 patient and for carrying out mitigation required under
5 subdivision (c).
6 (iii) Provide for education and training of employees,
7 agents, and contractors as to the necessity of maintaining the
8 security and confidentiality of health care information and of
9 personal information that identifies a patient.
10 (c) Have procedures for mitigating, to the extent
11 practicable, any deleterious effect of a use or disclosure of
12 health care information, or of personal information that
13 identifies a patient, in violation of this act. These procedures
14 shall include written notification to the patients whose health
15 care information or personal information was used or disclosed in
16 violation of this act.
17 (d) Establish policies setting forth procedures for patients
18 to obtain additional information on matters notified under
19 subdivision (c).
20 Sec. 6. (1) A patient, or an authorized representative,
21 may, upon written request, do 1 or more of the following:
22 (a) Inspect health care information of a health care provider
23 pertaining to that patient at any time during regular business
24 hours, upon reasonable notice.
25 (b) Receive from a health care provider a copy of health care
26 information pertaining to that patient upon payment of reasonable
27 costs for copies and postage.
1 (c) Have copies of the patient's health care information
2 transferred by a health care provider to another health care
3 provider or other person upon payment of reasonable costs for
4 copies and postage.
5 (d) Obtain copies of any health care information in the
6 possession of a health information custodian, upon payment of
7 reasonable costs for copies and postage.
8 (2) A health care provider shall note the time and date of
9 each request by a patient or an authorized representative to
10 inspect the patient's health care information, the name of the
11 inspecting person, and the time and date of inspection and
12 identify the health care information disclosed for inspection.
13 (3) Upon written request, a health care provider or health
14 information custodian shall provide copies of health care
15 information in accordance with this section within 30 calendar
16 days after receipt of the written request.
17 (4) A health care provider or health information custodian
18 shall not conceal or withhold all or any portion of a patient's
19 health care information that is covered by, and within the scope
20 of, a written consent from the patient, the authorized
21 representative or a health care provider, or other person to whom
22 disclosure has been directed by the patient or the authorized
23 representative.
24 Sec. 7. (1) A patient or an authorized representative may
25 request in writing that a health care provider amend or append
26 health care information pertaining to him or her to do either of
27 the following:
1 (a) Make a correction of any portion of the information that
2 the patient believes is not accurate, relevant, timely, or
3 complete.
4 (b) Include additional information in order to improve the
5 accuracy or completeness of the information.
6 (2) If a patient or an authorized representative requests
7 that health care information be amended or appended, within 60
8 days of receipt of the written request the health care provider
9 shall do 1 of the following:
10 (a) Amend the health care information or append information
11 as requested, if amending or appending information does not erase
12 or obliterate any of the original information.
13 (b) Notify the patient or the authorized representative that
14 the request has been denied, giving the reason for the denial,
15 and that the patient or the authorized representative may file a
16 statement of reasonable length explaining the correctness or
17 relevance of existing information or the need for the addition of
18 new information. The statement or a copy shall be appended to
19 the health care information pertaining to the patient.
20 (3) A patient or an authorized representative may request in
21 writing that a health information custodian amend or append
22 health care information pertaining to him or her that is in the
23 health information custodian's possession. If a patient or an
24 authorized representative requests that health care information
25 in the possession of a health information custodian be amended or
26 appended, within 60 days of receipt of the written request the
27 health information custodian shall do 1 of the following:
1 (a) Amend the health care information or append information
2 as requested, if amending or appending information does not erase
3 or obliterate any of the original information.
4 (b) Notify the patient or the authorized representative that
5 the request has been denied, giving the reason for the denial,
6 and that the patient or the authorized representative may file a
7 statement of reasonable length explaining the correctness or
8 relevance of existing information or the need for the addition of
9 new information. The statement or a copy shall be included in
10 any report or information pertaining to the patient that is
11 provided by the health information custodian to its members or
12 third parties.
13 Sec. 8. (1) Unless a longer period of time is required by
14 law, a health care provider shall retain his or her patients'
15 health care information as follows:
16 (a) Medical records with respect to competent adults shall be
17 kept at least 15 years from the date of the last treatment or
18 service.
19 (b) Medical records with respect to incompetent adults shall
20 be kept at least 15 years after the individual's incompetency
21 ceases, or 15 years after the individual's death, whichever
22 occurs sooner.
23 (c) Medical records with respect to minors shall be kept for
24 at least 15 years after the minor reaches his or her eighteenth
25 birthday.
26 (d) Mammograms shall be kept at least 15 years from the date
27 of the last mammogram.
1 (e) Dental records shall be kept at least 15 years from the
2 date of the last treatment or service.
3 (2) A health care provider who ceases practicing or doing
4 business as a health care provider, or the personal
5 representative of a deceased health care provider who was an
6 independent practitioner, shall do 1 of the following for all
7 patient health care information in the possession of the health
8 care provider when the health care provider ceased practicing or
9 doing business or died:
10 (a) Provide for the maintenance of patient health care
11 information for at least 15 years, unless a longer period is
12 required by law, by a person who states, in writing, that the
13 information will be maintained to protect patient confidentiality
14 and will be disclosed in compliance with this act or any other
15 applicable law.
16 (b) Provide for the transfer of health care information or
17 copies of health care information to a health care provider as
18 designated by the patient or the authorized representative.
19 (c) Provide for the transfer of health care information or
20 copies of health care information to the patient or the
21 authorized representative.
22 (d) Subject to subsection (4), provide for the deletion or
23 destruction of health care information that is more than 15 years
24 old, or older if a longer retention period is required by law.
25 (3) If the health care provider undertakes to provide for the
26 maintenance of health care information, the health care provider
27 shall do both of the following:
1 (a) Provide written notice, by first-class mail, to each
2 patient whose health care information will be maintained, or to a
3 representative authorized by the patient, at the last known
4 address of the patient or person, describing where and by whom
5 the health care information shall be maintained.
6 (b) Publish a copy of a notice to the public at least once
7 per week for 3 consecutive weeks in a newspaper that is published
8 in the county in which the health care provider's or decedent's
9 health practice was located, specifying where and by whom the
10 patient's health care information shall be maintained.
11 (4) If the health care provider intends to provide for the
12 deletion or destruction of any of a patient's health care
13 information retained under subsection (1), the health care
14 provider or the health care provider's personal representative
15 shall do at least 1 of the following:
16 (a) Provide notice to each patient whose health care
17 information will be deleted or destroyed, or the authorized
18 representative, that the information pertaining to the patient
19 will be deleted or destroyed. The notice shall be provided at
20 least 60 days before deleting or destroying any information,
21 shall be in writing, and shall be sent by first-class mail to the
22 last known address of the patient to whom the information
23 pertains or the last known address of the authorized
24 representative. The notice shall inform the patient or
25 authorized representative of the date on which the health care
26 information will be deleted or destroyed, unless the patient or
27 the authorized representative retrieves it before that date, and
1 the location where, and the dates and times when, the health care
2 information may be retrieved by the patient or the authorized
3 representative.
4 (b) Publish a notice at least once per week for 3 consecutive
5 weeks in a newspaper that is published in the county in which the
6 health care provider's or decedent's health practice was located,
7 specifying the date on which the health care information will be
8 deleted or destroyed, unless the patient or the authorized
9 representative retrieves it before that date, and the location
10 where, and the dates and times when, the health care information
11 may be retrieved by the patient or the authorized
12 representative.
13 (5) If a health care provider is licensed as a health
14 professional or a health facility or agency under the public
15 health code, 1978 PA 368, MCL 333.1101 to 333.25211, or as a
16 psychiatric hospital, psychiatric unit, or psychiatric partial
17 hospitalization program under the mental health code, 1974
18 PA 258, MCL 330.1001 to 330.2106, the health care provider or a
19 personal representative shall notify the department in writing
20 that the practice or business has ceased and describe the
21 procedure for the dissemination, destruction, or deletion of
22 health care information. If a health care provider maintains
23 records of recipients of mental health services that are covered
24 by the mental health code, 1974 PA 258, MCL 330.1001 to 330.2106,
25 the written notification shall also be provided to the office of
26 recipient rights within the department of community health, or to
27 its successor. The procedure for dissemination shall include
1 where and by whom the health care information will be maintained;
2 the date or dates for destruction or deletion of health care
3 information; and the location where, and the dates and times
4 when, health care information may be retrieved by the patient or
5 the authorized representative. The health care provider or a
6 personal representative may also notify and provide this
7 information in writing to a local professional association that
8 serves the particular group of health care providers, including,
9 but not limited to, the county medical association in the case of
10 physicians.
11 (6) Any health care information or personal information that
12 identifies a patient that is deleted or destroyed under this act
13 shall be sufficiently shredded or incinerated or disposed of in a
14 fashion that will protect the confidentiality of the patient's
15 health care information or the personal information concerning
16 the patient.
17 Sec. 9. (1) A consent for disclosure of health care
18 information under section 4 is not required in the following
19 situations:
20 (a) If health care information is released or requested under
21 federal or state law, rule, regulation, or medicaid policy for
22 purposes directly and specifically related to the administration
23 of a federal or state program, including, but not limited to, the
24 following:
25 (i) Review of a health provider's services.
26 (ii) Use in obtaining third party recoveries for payments.
27 (iii) Use in medical, fiscal, or utilization reviews.
1 (iv) Investigation of fraud or abuse.
2 (b) As authorized by and to the extent necessary to comply
3 with the worker's disability compensation claims act of 1969,
4 1969 PA 317, MCL 418.101 to 418.941.
5 (c) For release under the child protection law, 1975 PA 238,
6 MCL 722.621 to 722.638, or during the course of a child
7 protective proceeding or during a criminal investigation or
8 prosecution related to the released information.
9 (d) For any release to the extent required or authorized by
10 the public health code, 1978 PA 368, MCL 333.1101 to 333.25211,
11 to promote or protect the health, safety, and welfare of the
12 public, or to support data, information, and research activities
13 as set out in article 2 of the public health code, 1978 PA 368,
14 MCL 333.2201 to 333.2899.
15 (e) If a person with possession of health care information,
16 consistent with standards of ethical conduct and based on a
17 reasonable belief that the use or disclosure is necessary to
18 prevent or lessen a serious and imminent threat to the health or
19 safety of the patient, another individual, or the public, uses or
20 discloses health care information to a person or persons
21 reasonably able to prevent or lessen the threat, including the
22 target of the threat.
23 (f) If a health care provider discloses health care
24 information under any of the following circumstances:
25 (i) Within the health care provider's own office, practice,
26 or organizational affiliate.
27 (ii) To the health care provider's employees, agents,
1 contractors, or successors in interest.
2 (iii) To another health care provider, to the extent needed
3 for the health care provider to carry out his or her
4 responsibilities to the patient for diagnosis, treatment, and
5 care, consistent with good health care professional practices and
6 standards of ethics.
7 (g) For any release that is necessary to notify or assist in
8 the notification of a family member or personal representative of
9 the patient, or other person responsible for the care of the
10 patient, of the patient's location, general condition, or death,
11 unless the patient objects to this release. A release under this
12 subdivision may assist in the notification of a person by
13 identifying or locating the person.
14 (h) If a health care provider discloses, consistent with good
15 health care professional practices and standards of ethics,
16 health care information to an individual who is a next-of-kin, or
17 other family member, or close personal friend, and the health
18 care information is directly relevant to the individual's
19 involvement in the patient's health care. The purpose of this
20 disclosure may include, but is not limited to, allowing the
21 individual to act on behalf of the patient to pick up filled
22 prescriptions, medical supplies, x-rays, or other similar
23 health-related items. Disclosure under this subdivision shall be
24 made under 1 of the following circumstances:
25 (i) With the patient's verbal agreement if the patient has
26 the legal authority to make his or her own health decisions.
27 (ii) Without the patient's verbal agreement only if the
1 patient's verbal agreement cannot practicably or reasonably be
2 obtained and the health care provider believes that it is in the
3 patient's best interests to make the disclosure.
4 (i) As provided by law, if a search warrant, subpoena,
5 investigative demand, or court order has been issued for the
6 discovery, investigation, or use of health care information in a
7 criminal investigation or a criminal, civil, or administrative
8 proceeding.
9 (2) A health care provider may disclose the following
10 information to another person about a patient who is admitted to
11 a health facility:
12 (a) The name of the patient.
13 (b) The general health status of the patient, described as
14 critical, poor, fair, stable, or satisfactory or in terms
15 denoting similar conditions.
16 (c) The location of the patient on premises controlled by a
17 provider. This disclosure shall not be made if the information
18 would reveal specific information about the physical or mental
19 condition of the patient, unless the patient or the authorized
20 representative expressly authorizes the disclosure.
21 (3) A person who, in good faith, discloses health care
22 information under this section is immune from civil,
23 administrative, or criminal liability arising from that conduct,
24 unless the conduct constitutes gross negligence or willful and
25 wanton misconduct.
26 (4) This act is not intended, and shall not be construed, to
27 change mandatory reporting requirements or restrict access to,
1 and use of, health care information, if that access and use are
2 already allowed by law without consent.
3 Sec. 10. A person who believes that a licensed health care
4 provider, a licensed third party payer, or a licensed health care
5 information custodian has violated this act may file a complaint
6 with the department. The division of the department that
7 licenses the licensee about which the complaint has been made
8 shall review the complaint. If the division concludes that a
9 licensee has violated this act, the division may initiate the
10 appropriate administrative proceedings.
11 Sec. 11. An individual or an individual's authorized
12 representative may bring a civil action against a person for
13 declaratory relief, injunctive relief, or damages for a violation
14 of section 4, 6, 7, or 8. The court may award actual damages or
15 $500.00, whichever is greater, along with reasonable attorney
16 fees and costs.
17 Sec. 12. (1) In addition to other relief authorized by law,
18 the attorney general may, on behalf of this state, commence a
19 civil action seeking 1 or more of the following:
20 (a) Temporary or permanent injunctive relief necessary to
21 effectuate the provisions of this act.
22 (b) A declaratory judgment relating to the construction or
23 applicability of this act.
24 (c) A civil fine of not more than $5,000.00 for each
25 violation and, if a violation is of a continuing nature, for each
26 day of violation of this act. The amount of a fine imposed under
27 this subdivision shall be based upon the seriousness of the
1 violation and any good faith effort of the person to comply with
2 this act.
3 (d) Any relief necessary for the enforcement of this act.
4 (2) An action brought under this act may be brought in the
5 circuit court for Ingham county, in the county in which the
6 defendant resides or has a place of business, in the county of
7 the registered agent of a defendant corporation, or in the county
8 where the alleged violation occurred.
9 Sec. 13. (1) A person who violates this act for financial
10 gain or other pecuniary advantage by intentionally and knowingly
11 disclosing health care information, intentionally and knowingly
12 concealing health care information, or by obtaining or causing
13 the disclosure of health care information by fraud or false
14 pretenses, representations, or promises is guilty of a felony
15 punishable by imprisonment for not more than 5 years or a fine of
16 not more than $250,000.00, or both.
17 (2) A criminal penalty provided for under this section may be
18 imposed in addition to a penalty imposed for any other criminal
19 offense, including another criminal offense arising from the same
20 conduct.
21 Sec. 14. The penalties prescribed by this act are
22 cumulative and not exclusive. No patient, governmental
23 authority, or other person is limited to the remedies in this act
24 if other remedies are provided by common law or other statutory
25 provisions. The use of 1 enforcement remedy is not a bar to the
26 use of other remedies by the patient, governmental authority, or
27 other person.
1 Sec. 15. The department may promulgate rules to implement
2 this act pursuant to the administrative procedures act of 1969,
3 1969 PA 306, MCL 24.201 to 24.328.
4 Sec. 16. Immunity given in federal or state law is not
5 abrogated by the provisions of this act.
6 Sec. 17. An agreement with a patient or an authorized
7 representative waiving the provisions of this act is declared to
8 be against public policy and void.
9 Sec. 18. If a provision of this act is held by a court to
10 be invalid, that invalidity shall not affect the remaining
11 provisions of this act. The provisions of this act are
12 severable.