HB-5962, As Passed House, May 17, 2006

HOUSE BILL No. 5962

April 25, 2006, Introduced by Reps. Hune, Gaffney, Hildenbrand and Ward and referred to the Committee on Health Policy.

     A bill to amend 1980 PA 350, entitled "The nonprofit health care corporation reform act," by amending section 406 (MCL 550.1406).

THE PEOPLE OF THE STATE OF MICHIGAN ENACT:

     Sec. 406. (1) A health care corporation shall, in order to ensure the confidentiality of records containing personal data that may be associated with identifiable members, use reasonable care to secure these records from unauthorized access and to collect only personal data that are necessary for the proper review and payment of claims and for health care operations, treatment, and research. Except as is necessary to comply with section 603 or for the purpose of claims adjudication, claims verification, health care operations, treatment, research, payment, health oversight activities, or when required by law, a health care corporation shall not disclose records containing personal data that may be associated with an identifiable member, or personal information concerning a member, to a person other than the member, without the prior and specific informed consent of the member to whom the data or information pertains. The member's consent shall be in writing. Except when a disclosure is made to the commissioner or another governmental agency, a court, or any other governmental entity, a health care corporation shall make a disclosure for which prior and specific informed consent is not required upon the condition that the person to whom the disclosure is made protect and use the disclosed data or information only in the manner authorized by the corporation, pursuant to subsection (2). If a member has authorized the release of personal data to a specific person, a health care corporation shall make a disclosure to that person upon the condition that the person shall not release the data to a third person unless the member executes in writing another prior and specific informed consent authorizing the additional release. This subsection does not preclude the release of information to a member, pertaining to that member, by telephone, if the identity of the member is verified. This subsection does not preclude a representative of a subscriber group, upon request of a member of that subscriber group, or an elected official, upon request of a constituent, from assisting the individual in resolving a claim.

     (2) The board of directors of a health care corporation shall establish and make public the policy of the corporation regarding the protection of the privacy of members and the confidentiality of personal data. The policy, at a minimum, shall do all of the following:

     (a) Provide for the corporation's implementation of provisions in this act and other applicable laws respecting collection, security, use, release of, and access to personal data.

     (b) Identify the routine uses of personal data by the corporation; prescribe the means by which members will be notified regarding those uses; and provide for notification regarding the actual release of personal data and information that may be identified with, or that concern, a member, upon specific request by that member. As used in this subdivision, "routine use" means the ordinary use or release of personal data compatible with the purpose for which the data were collected.

     (c) Assure that no person shall have access to personal data except on the basis of a need to know.

     (d) Establish the contractual or other conditions under which the corporation will release personal data.

     (e) Provide that enrollment applications and claim forms developed by the corporation shall contain a member's consent to the release of data and information that is limited to the data and information necessary for the proper review and payment of claims, and shall reasonably notify members of their rights pursuant to the board's policy and applicable law.

     (f) Provide that applicants for new or renewed certificates shall be advised that the corporation does not require the use of the applicant's federal social security account number and that, when applicable, another authority does require use of the number.

House Bill No. 5962 as amended May 16, 2006

     (3) A health care corporation that violates this section is guilty of a misdemeanor, punishable by a fine of not more than $1,000.00 for each violation.

     (4) A member may bring a civil action for damages against a health care corporation for a violation of this section and may recover actual damages or $200.00, whichever is greater, together with reasonable attorneys' fees and costs.

     (5) This section shall not be construed to limit access to records or to enlarge or diminish the investigative and examination powers of governmental agencies, as provided for by law.

     (6) Compliance by a corporation with the health insurance portability and accountability act of 1996, Public Law 104-191, and regulations promulgated under that act, 45 CFR parts 160 and 164, satisfies subsections (1) and (2).

     [(7) As used in this section, "health care operations" means that term as defined in 45 CFR 164.501.]