By Mr. Walsh of Boston, petition (accompanied by bill, House, No. 2276) of Martin J. Walsh and others for legislation to protect the privacy of health-related information of patients. Public Health.
The Commonwealth of Massachusetts
——————
PETITION OF:
——————
In the Year Two Thousand and Seven.
——————
Be it enacted by the Senate and House of Representatives in General Court assembled, and by the authority of the same, as follows:
SECTION 1. Legislative Findings
The General Court of the Commonwealth of Massachusetts finds that:
(1) Public health agencies acquire, use, disclose, or store an increasing amount of health-related information about individuals, some of which is highly-sensitive, in paper-based and electronic forms for legitimate public health purposes;
(2) Uses of health-related information for legitimate public health purposes are vital to preserving, monitoring, and improving population-based health as well as personal health of individuals;
(3) Individuals have significant privacy interests with respect to health-related information which can be identified to them;
(4) Individual privacy interests in health-related information justify duties and limitations concerning (a) the acquisition, use, disclosure, and storage of such information; (b) individual access to such information in the possession of public health agencies; and (c) security protections for such information;
(5) Individual interests in the privacy of health-related information are significantly reduced when the information is acquired, used, disclosed, or stored in non-identifiable forms;
(6) Public health agencies have a significant interest in protecting the privacy of health-related information in their possession where protecting the privacy of such information encourages individuals to participate in public health programs and objectives; and
(7) While public health agencies generally have an excellent record of protecting the privacy interests of individuals in health-related information possessed by the agencies, additional statutory protections will further clarify and protect individual privacy interests while facilitating, without jeopardizing, legitimate public health purposes.
Therefore, it is the purpose of the General Court of the Commonwealth of Massachusetts to:
(1) Address privacy and security issues arising from the acquisition, use, disclosure, and storage of protected health information by public health agencies;
(2) Protect health-related information in the possession of public health agencies against unauthorized disclosures without significantly limiting the ability of agencies to use such information for legitimate public health purposes;
(3) Encourage wide use and disclosure of non-identifiable health information because this information does not implicate privacy and security concerns at the individual level and may greatly facilitate the accomplishment of legitimate public health purposes;
(4) Require the acquisition and uses of protected health information to be consistent with legitimate public health purposes;
(5) Prohibit the acquisition and disclosure of protected health information without the informed consent of the individual who is the subject of the information, with specified, narrow exceptions;
(6) Impose the duty on public health agencies to hold and use protected health information securely;
(7) Impose a general duty on public health agencies to ensure the accuracy of protected health information;
(8) Allow individuals access to their protected health information in the possession of public health agencies through inspection and copying privileges;
(9) Provide individuals the opportunity to request the correction, amendment, or deletion of erroneous, incomplete, or false protected health information; and
(10) Prescribe various criminal penalties and civil enforcement mechanisms to protect individuals who are harmed by violations of the Act by public health agencies, public health officials, and other persons.
SECTION 2. Chapter 111 of the General Laws, as appearing in the 2004 Official Edition, is hereby amended by inserting, after chapter 111M, the following chapter: -
Chapter 111N. THE PUBLIC HEALTH PRIVACY ACT
Section 1. For purposes of chapter 111N, the following words and phrases shall have the following meanings:
“Acquire,” “Acquired,” or “Acquisition” means to collect or gain possession or control of any part of protected health information for legitimate public health purposes.
"Act" means the Massachusetts Public Health Privacy Act.
"Amend" means to indicate one or more disputed entries in protected health information or to change the entry without obliterating the original information.
“Assent” means a minor’s affirmative agreement to participate in research. Mere failure to object should not, absent affirmative agreement, be construed as assent.
"Confidentiality statement" means a written statement dated and signed by an applicable individual which certifies the individual's agreement to abide by the security policy of a public health agency, as well as this Act.
“Disclose,” “Disclosed,” or “Disclosure” means to release, transfer, disseminate, provide access to, or otherwise communicate or divulge all or any part of any protected health information to any person or entity, other than a public health agency or authorized public health official.
“Expunge” or “Expunged” means to permanently destroy, delete, or make non-identifiable.
“Health oversight agency” means a person who (a) performs or oversees an assessment, investigation, or prosecution relating to compliance with legal or fiscal standards concerning fraud or fraudulent claims regarding health care, health services or equipment, or related activities; and (b) is a public executive branch agency, acts on behalf of a public executive branch agency, acts pursuant to a requirement of a public executive branch agency, or carries out such activities under federal or state law.
"Institutional review board" means any board, committee, or other group formally designated by an institution or authorized under federal or state law to review, approve the initiation of, or conduct periodic review of research programs to assure the protection of the rights and welfare of human research subjects, consistent with regulations of the Federal Office of Human Research Protections.
“Legitimate public health purpose” means a population-based activity or individual effort primarily aimed at the prevention of injury, disease, or premature mortality, or the promotion of health in the community, including (a) assessing the health needs and status of the community through public health surveillance and epidemiological research, (b) developing public health policy, and (c) responding to public health needs and emergencies.
“Non-identifiable health information” means any information, whether oral, written, electronic, visual, pictorial, physical, or any other form, that relates to an individual’s past, present, or future physical or mental health status, condition, treatment, service, products purchased, or provision of care, and which (a) does not reveal the identity of the individual whose health status is the subject of the information, or (b) where there is no reasonable basis to believe such information could be utilized (either alone or with other information that is, or should reasonably be, known to be available to predictable recipients of such information) to reveal the identity of that individual.
“Person” means a natural person, corporation, estate, trust, partnership, limited liability company, association, joint venture, government or governmental body, or any other legal or commercial entity.
“Protected health information” means any information, whether oral, written, electronic, visual, pictorial, physical, or any other form, that relates to an individual’s past, present, or future physical or mental health status, condition, treatment, service, products purchased, or provision of care, and which (a) reveals the identity of the individual whose health care is the subject of the information, or (b) where there is a reasonable basis to believe such information could be utilized (either alone or with other information that is, or should reasonably be known to be, available to predictable recipients of such information) to reveal the identity of that individual.
“Public health” means population-based activities or individual efforts primarily aimed at the prevention of injury, disease, or premature mortality, or the promotion of health in the community.
“Public health agency” means any organization operated by the Commonwealth or any local government that acquires, uses, discloses, or stores protected health information for legitimate public health purposes, including the Massachusetts Department of Public Health, the Massachusetts Department of Social Services, the Massachusetts Department of Mental Health, the Massachusetts Department of Youth Services, and the Massachusetts Department of Corrections.
"Public health official" means any officer, employee, private contractor or agent, intern, or volunteer of a public health agency with authorization from the agency or pursuant to law to acquire, use, disclose, or store protected health information.
“Public information” means information which is generally open to inspection or review by the general public.
“Request” means a written, dated, and signed correspondence in paper or electronic form through which the identity of the person making the request can be verified.
“Requestor” means any individual, the parent or legal guardian of a minor, or a person’s legally-appointed guardian who makes a request.
“Store,” “Stored,” or “Storage” means to hold, maintain, keep, or retain all or any part of protected health information.
“Use” or “Used” means to employ or utilize all or any part of any protected health information for a legitimate public health purpose.
Section 2. A public health agency shall only acquire protected health information where:
(1) the acquisition relates directly to a legitimate public health purpose;
(2) the acquisition is reasonably likely to achieve such purpose, taking into account the provisions of this Act and other governing laws, and the availability of resources or means to achieve such purpose;
(3) the legitimate public health purpose cannot otherwise be achieved with non-identifiable information; and
(4) the subject of the protected health information being acquired provides informed consent for the acquisition of the information pursuant to section 4b of this chapter.
Protected health information shall not be secretly acquired by a public health agency. Prior to implementation of a public health agency determination to acquire or store protected health information, the agency shall announce, through public notice and comment, and through public written notice distributed and posted in a manner and to such extent as will reasonably inform members of the affected community, its intentions to acquire or store protected health information and the purposes for which the information will be used. Such notice shall not identify any individual who is or may be the subject of protected health information. Further, a public health agency shall not acquire protected health information from another federal, state or local public health agency unless the acquisition is consistent with the requirements of section 2a of this chapter.
Section 3. Protected health information shall be used by a public health agency solely for legitimate public health purposes that are directly related to the purpose for which the information was acquired. Providing access to protected health information to any person other than a public health agency or public health official is prohibited.
A public health agency may use protected health information for legitimate public health purposes that are not directly related to the purpose for which the information was acquired provided that the agency meets the requirements of Section 2a(1) and (3) before using such information.
A public health agency or official may use protected health information for public health, epidemiological, medical, or health services research provided that:
(1) it is not feasible to obtain the informed consent of the individual who is the subject of the information;
(2) identifiable information is necessary for the effectiveness of the research project;
(3) the minimum amount of information necessary to conduct the research is used;
(4) the research utilizing the protected health information will contribute to achieving a legitimate public health purpose;
(5) the information is made non-identifiable at the earliest opportunity consistent with the purposes of the research project and expunged after the conclusion of the project; and
(6) such uses are made pursuant to assurances of protections through the execution of a confidentiality agreement after review and approval of an institutional review board. The agreement shall require any person receiving such information to adhere to protections for the privacy and security of the information equivalent to or greater than such protections provided in this chapter.
Unidentifiable health information shall be used by a public health agency whenever possible consistent with the accomplishment of legitimate public health purposes.
Any use of protected health information permitted by this Act shall be limited to the minimum amount of information necessary to accomplish the legitimate public health purpose. Protected health information shall not be used by a public health agency or public health official for the conduct of trade or commerce as defined in Chapter 93a, section 1 of the General Laws. Protected health information whose use by a public health agency no longer furthers the legitimate public health purpose for which it was acquired shall be expunged in a confidential manner.
Section 4. Protected health information is not public information, and may not be disclosed without the informed consent of the individual, or the individual’s lawful representative, who is the subject of the information, except as provided in this chapter.
For the purposes of this chapter, informed consent means by a written authorization for the disclosure of protected health information on a form substantially similar to one promulgated by the Massachusetts Department of Public Health which is signed in writing or electronically by the individual who is the subject of the information. This authorization shall be dated and shall specify to whom the disclosure is authorized, the general purpose for such disclosure, and the time period in which the authorization for the disclosure is effective. An individual may revoke an authorization in writing at any time.
The individual is responsible for informing the person who originally received the authorization that it has been revoked.
If the authorization does not contain an expiration date or has not previously been revoked, it automatically expires six months after the date it is signed.
A general authorization for the disclosure of health-related information shall not be construed as written authorization pursuant to informed consent for the disclosure of protected health information unless such authorization also complies with this chapter.
When the individual who is the subject of protected health information is not competent or is otherwise legally unable to give informed consent for the disclosure of protected health information, written authorization under subsection [a] may be provided by the individual's parents, legal guardians, or other persons lawfully authorized to make health care decisions for the individual.
For minors over the age of 13 and under the age of 18, informed consent shall include:
(1) written authorization under subsection (a) provided by the minor’s parents, legal guardians or other persons lawfully authorized to make health care decisions for the minor; and
(2) consent from the minor.
Protected health information shall be disclosed with the informed consent of the individual who is the subject of the information to any person and for any purpose for which the disclosure is authorized pursuant to informed consent.
Any disclosures of protected health information permitted by this chapter shall be disclosed in a non-identifiable form whenever possible, consistent with the accomplishment of legitimate public health purposes, except when the disclosure is authorized through the informed consent of the individual who is the subject of the information.
Any disclosures of protected health information permitted by this chapter shall be limited to the minimum amount of information which is necessary to accomplish the purpose of the disclosure, except when the disclosure is authorized through the informed consent of the individual who is the subject of the information.
Whenever disclosure of protected health information is made pursuant to this chapter, such disclosures shall be accompanied or followed by [in cases of oral disclosures, within three days] a statement in writing concerning the public health agency's disclosure policy, which shall include the following language: "This information has been disclosed to you from confidential public health records protected by Commonwealth and federal law. Any further disclosure of this information in an identifiable form may be prohibited without the written informed consent of the person who is the subject of the information or as otherwise permitted by federal or Commonwealth law. Unauthorized disclosure of this information may result in significant criminal or civil penalties, including imprisonment and monetary damages."
Protected health information may be disclosed without the informed consent of the individual who is the subject of the information where such disclosures are:
(a) made directly to the individual;
(b) made to appropriate federal agencies or authorities as required by federal or Commonwealth law; or
(c) made to health care personnel to the extent necessary in a medical emergency to protect the health or life of the person who is the subject of the information from serious, imminent harm.
No protected health information shall be disclosed, discoverable, or compelled to be produced pursuant to subpoena, compelled testimony of public health officials or other persons who have knowledge of such information subsequent to its acquisition by the public health agency, in any civil, criminal, administrative, or other legal proceeding, except:
(a) A public health agency or authorized public health official may seek a court order granting the disclosure of protected health information upon an application showing a clear danger to an individual or the public health that can only be averted or mitigated through a disclosure by the public health agency.
(b) Upon receiving an application for an order authorizing disclosure pursuant to this section, the court shall enter an order directing that all materials which are part of the application and decision of the court be sealed. Such materials shall not be made available to any person except to the extent necessary to conduct proceedings concerning the application, including any appeal. Such order shall further direct that all proceedings concerning the application be conducted in camera.
(c) Any individual about whom protected health information is sought and any person holding protected health information from whom disclosure is sought shall be notified of an application for its disclosure pursuant to this section.
(d) Any individual about whom protected health information is sought and any person holding protected health information from whom disclosure is sought may file a written response to the application, or appear in person for the limited purpose of providing evidence on the statutory criteria for the issuance of an order pursuant to this section. The court may grant an order without such notice or appearance where an application by a public health agency or authorized public health official requires immediate action to avert or mitigate a clear danger to the public health.
(e) In assessing clear danger under this section, the court shall provide written findings of fact and shall weigh the need for disclosure against the privacy interests of the individual who is the subject of the protected health information and any legitimate public health purpose which may be curtailed by disclosure.
(f) An order authorizing disclosure of protected health information shall:
(1) limit disclosure to that information which is necessary pursuant to the application;
(2) limit disclosure to those persons who need the information and specifically prohibit re-disclosure to any other persons;
(3) include any other measures which the court deems necessary to limit disclosures not authorized by the order; and
(4) conform to the other provisions of this chapter to the extent possible.
A public health agency may disclose protected health information to a health oversight agency to enable the agency to perform a health oversight function authorized by law if:
(a) the public health agency itself is the focus of the oversight inquiry;
(b) the protected health information is not removed from the premises, custody, or control of the public health agency; and
(c) the health oversight agency does not record the names or other identifying information of individuals who are the subjects of protected health information.
Nothing in this Act shall prohibit the disclosure of protected health information:
(1) in a certificate of death, autopsy report, or related documents prepared under applicable laws or regulations;
(2) for the purposes of identifying a deceased individual;
(3) for the purposes of determining a deceased individual's manner of death by a chief medical examiner or the examiner's designee; or
(4) to provide necessary information about a deceased individual who is a donor or prospective donor of an anatomical gift.
The rights of a deceased individual as provided by this chapter may be exercised for a period of two years after the date of death by one of the individuals in the following order of priority, subject to any written limitations or restrictions by the decedent:
(1) an executor or administrator of the estate of a deceased individual, or one soon to be appointed in accordance with a will or other legal instrument;
(2) a surviving spouse or domestic partner;
(3) an adult child;
(4) a parent; or
(5) another person authorized by law to act for the individual decedent.
No person to whom protected health information has been disclosed pursuant to this chapter shall disclose the information to another person except as authorized by this chapter. This section shall not apply to:
(a) the individual who is the subject of the information;
(b) the individual’s parents, legal guardians, or other persons lawfully authorized to make health care decisions for the individual where the individual who is the subject of the information is unable to give legal consent; or
(c) any person who is specifically required by federal or Commonwealth law to disclose the information.
A public health agency shall establish a written or electronic record of any of its disclosures of protected health information authorized by this chapter. This record shall be treated as protected health information for the purposes of this chapter.
The record of disclosures shall include the following information:
(1) the name, title, address, and institutional affiliation, if any, of the person to whom protected health information is disclosed;
(2) the date and purpose of the disclosure;
(3) a brief description of the information disclosed; and
(4) the legal authority for the disclosure.
This record shall be maintained by the public health agency for a period of ten years, even if the protected health information disclosed is no longer in the agency's possession.
Section 5. Public health agencies have a duty to acquire, use, disclose, and store protected health information in a confidential manner which safeguards the security of the information.
Public health agencies and other persons who are the recipients of protected health information disclosed by any agency, other than the individual (or the individual’s lawful representative) who is the subject of the information, shall take appropriate measures to protect the security of such information, including:
(1) maintaining such information in a physically secure environment, including:
[i] minimizing the physical places in which such information is used or stored; and
[ii] prohibiting the use or storage of such information in places where the security of the information may likely be breached or is otherwise significantly threatened;
(2) maintaining such information in a technologically secure environment;
(3) identifying and limiting the persons having access to such information to those who have a demonstrable need to access such information;
(4) reducing the length of time that such information is used or stored in a personally-identifiable form to that period of time which is necessary for the use of the information;
(5) eliminating unnecessary physical or electronic transfers of such information;
(6) expunging duplicate, unnecessary copies of such information;
(7) developing and distributing written guidelines consistent with this Act concerning the preservation of the security of such information;
(8) assigning personal responsibility to persons who acquire, use, disclose, or store such information for preserving its security;
(9) providing initial and periodic security training of all persons who acquire, use, disclose, or store such information;
(10) thoroughly investigating any potential or actual breaches of security concerning such information;
(11) imposing disciplinary sanctions for any breaches of security when appropriate; and
(12) undertaking continuous review and assessment of security standards.
Wherever protected health information is made accessible to public health officials on the premises of a public health agency, there shall be prominently displayed a notice in writing concerning the agency's disclosure policy, which shall include the following or substantially similar language: "Protected health information contains health-related information about individuals which may be highly-sensitive. This information is entitled to significant privacy protections under federal and Commonwealth law. The disclosure of this information outside public health agencies in an identifiable form is prohibited without the written consent of the person who is the subject of the information, unless specifically permitted by federal or state law. Unauthorized disclosures of this information may result in significant criminal or civil penalties, including imprisonment and monetary damages."
All public health officials or other persons having authority at any time to acquire, use, disclose, or store protected health information shall:
(1) be individually informed of their personal responsibility for preserving the security of protected health information;
(2) execute a confidentiality statement prior to entering the premises, or as soon thereafter as possible, pursuant to their review of written guidelines consistent with this Act concerning the preservation of the security of such information;
(3) fulfill their personal responsibility for preserving the security of protected health information to the degree possible; and
(4) report to the public health information officer any known security breaches or actions which may lead to security breaches.
The identity of any person making a report under subsection (d)(4) shall not be revealed, without the consent of the person making the report, to anyone other than investigating public health officials or law enforcement officers.
The Department of Public Health shall promulgate rules and regulations to carry out the purposes of this chapter which shall be applicable to all agencies, departments, boards, commissions, authorities, and instrumentalities which are in possession of protected health information as provided for in this chapter.
Notwithstanding any other provisions of this Act, protected health information concerning HIV or AIDS shall be secured in accordance with written standards promulgated by the federal Centers for Disease Control and Prevention of the Department of Health and Human Services, as amended.
Section 6. Public health agencies shall appoint or designate a public health official as the agency's "public health information officer."
The public health information officer has overall responsibility for preserving the security of all protected health information consistent with this chapter. This person shall report directly to the highest ranking public health official at the agency.
The public health information officer shall perform all duties as required by this chapter including:
(1) monitoring the acquisition, use, disclosure, and storage of protected health information to ensure such activities are conducted in a physically and technologically secure environment in accordance with the policies of the public health agency and Commonwealth and local laws and regulations;
(2) developing and implementing written policies and guidelines to preserve the security of protected health information, including a model confidentiality statement;
(3) coordinating the assignment of personal responsibility to each person who acquires, uses, discloses, or stores such information for preserving its security;
(4) acting as the agency's principal investigator for each investigation of any security breach;
(5) recommending disciplinary sanctions for any security breaches to the highest ranking public health official at the agency who shall be responsible for issuing and implementing any sanctions;
(6) coordinating with federal, state, or local authorities, where appropriate, in the investigation of any security breach; and
(7) preparing any report required pursuant to this chapter.
Public health agencies shall prepare on an annual basis a report concerning the status of security protections of protected health information, which shall be distributed to the public health information officer for the Department of Public Health. The report shall be prepared in accordance with guidelines issued by the public health information officer for the Department of Public Health.
The public health information officer for the Department of Public Health shall prepare a summary report on the status of security protections of protected health information for all public health agencies in the Commonwealth within ninety days of the date in which reports required under this section are requested. This report shall be issued to the General Court of Massachusetts with any recommendations for amendments to the chapter or other relevant state laws which may improve the security of protected health information. Reports prepared under this section are public information, and shall not contain any protected health information.
Section 7. Within fourteen days of the receipt of a request to review protected health information, a public health agency shall provide the requestor an opportunity during regular business hours to inspect copies of such information in the possession of the public health agency which concerns or relates to the requestor.
Within ten days of the receipt of a request for copies of a requestor’s protected health information, a public health agency shall provide without charge copies of protected health information in the possession of the agency which the requestor is authorized to inspect pursuant to this section.
Upon request, the public health agency shall provide an explanation of any code, abbreviation, notation, or other marks appearing in the protected health information. A public health agency is not responsible for producing or reformulating protected health information, solely for the purposes of clarification, in other than its original form.
Any information contained in the protected health information of the requestor that relates to the health status or other confidential information of other persons shall be deleted for the purposes of inspection and copying.
Any information contained in the protected health information of the requestor that is not related to the requestor’s health status may be deleted for the purposes of inspection and copying.
Public health agencies shall reasonably ensure the accuracy and completeness of protected health information.
After inspection or review of copies of protected health information pursuant to section 6, a requestor may request that the public health agency correct, amend, or delete erroneous, incomplete, or false information.
The public health agency shall correct, amend, or delete erroneous, incomplete, or false information within fourteen days of a request provided that it determines that such modification is reasonably supported. The public health agency bears the burden of proof to show that the information does not need to be corrected, amended or deleted.
The requestor shall be notified in writing of any corrections, amendments, or deletions made, or, in the alternative, the reasons for denying any request in whole or part.
A requestor may appeal any decision of a public health agency denying a request to correct, amend, or delete erroneous, incomplete, or false information under administrative review procedures as promulgated by the Department of Public Health.
A brief, written statement from the requestor challenging the veracity of the protected health information shall be retained by the public health agency for as long as the information is possessed. The public health agency shall make a notation of the disputed entries in the requestor’s protected health information, including the original language and the requestor’s proposed change. This statement shall be provided to any person who is authorized to receive the protected health information.
A public health agency shall take reasonable steps to notify all persons indicated by the requestor, or others for which known acquisitions or disclosures have previously been made, of corrections, amendments, or deletions made to protected health information.
In the event that administrative appeals have been exhausted pursuant to Section 7 (?), the requestor may appeal decisions of the public health agency in the Superior Court.
The court shall determine whether there exists a reasonable basis for the action or decision of the public health agency pursuant to an in camera review of the relevant protected health information, the administrative record, and other admissible evidence.
Individual relief is limited to a judgment requiring the public health agency to make available the requested information to the requestor for inspection or copying or to correct, amend, or delete erroneous, incomplete, or false information.
Section 8. Any public official who, knowing or in reckless disregard of the fact that protected health information is protected by this chapter, intentionally acquires or uses such information in violation of this chapter, or discloses such information to a person not lawfully entitled to receive it, is guilty of a felony. Upon conviction, the official is punishable by a fine not to exceed $5,000 or imprisonment for a period not to exceed two years, or both.
Any person who, knowing or in reckless disregard of the fact that protected health information is protected from disclosure by this chapter, intentionally discloses such information to a person or entity not lawfully entitled to receive it is guilty of a misdemeanor. Upon conviction, the person is punishable by a fine not to exceed $5,000 or imprisonment for a period not to exceed six months, or both.
Any person who by any unlawful means, including bribery, fraud, theft, false pretenses, or other misrepresentation of identity, purpose of use, or entitlement to information, inspects, copies, examines, or obtains protected health information in violation of this Act is guilty of a felony. Upon conviction, the person is punishable by a fine not to exceed $30,000 or imprisonment for a period not to exceed three years, or both, for each offense.
Any person who acts in violation of this chapter under subsections [a-c] of this section for the purposes of commercial gain, or with intent to cause malicious harm, shall be guilty of a felony. Upon conviction, the person is punishable by a fine not to exceed $30,000 or imprisonment for a period not to exceed three years, or both, for each offense.
The maximum penalties described in subsections a through d shall be doubled for every subsequent conviction of any person arising out of a violation or violations related to a set of circumstances that are different from those involved in the previous violation or set of related violations described in subsections a through d.
Any action under this chapter is barred unless the action is commenced within three years after the cause of action accrues. Each violation of this chapter is a separate and actionable offense.
Section 9. The Attorney General may maintain a civil action to enforce this chapter. Relief may be ordered by the court as authorized in section 7 of this chapter to any person aggrieved by:
(1) the failure to impose and maintain adequate safeguards for the confidentiality and security of protected health information;
(2) the failure to supervise persons responsible for the acquisition, use, disclosure, or storage of protected health information;
(3) the disclosure of protected health information in violation of this chapter; or
(4) any other violation of this chapter, may maintain an action for relief as provided in this section.
The court may order a public health agency, public health official, or other persons to comply with this chapter and may order any other appropriate civil or equitable relief, including an injunction to prevent non-compliance.
If the court determines that there is a violation of this chapter, the aggrieved person is entitled to recover damages for losses sustained as a result of the violation. The measure of damages shall be the greater of the aggrieved person’s actual damages, or liquidated damages of $1,000 for each violation, provided that liquidated damages shall not exceed $10,000 for any particular claim.
If the court determines that there is a violation of this chapter which results from willful or grossly negligent conduct, the aggrieved person may recover punitive damages not to exceed $10,000, exclusive of any other loss, for each violation from the offending party.
If the aggrieved person prevails, the court shall assess reasonable attorney’s fees and all other expenses reasonably incurred in the litigation against the non-prevailing parties.
Responsible parties are jointly and severally liable for any compensatory damages, attorney’s fees, or other costs awarded.
Any action under this section is barred unless the action is commenced within three years after the cause of action accrues or was or should reasonably have been discovered by the aggrieved person or the person’s lawful representative. Each violation of this chapter is a separate and actionable offense.
Nothing in this section limits or expands the right of an aggrieved person or the person’s lawful representative to recover damages under any other applicable law.
SECTION 3. No later than six months after the date of enactment, the highest ranking public health official at each public health agency shall prepare and submit a report to the Department of Public Health concerning the effect of this chapter on each agency.
No later than nine months after the date of enactment, the Department of Public Health shall issue a comprehensive report to the General Court of Massachusetts on behalf of each public health agency concerning the effect of this chapter, including any recommendations for legislative amendments.
SECTION 4. Section 70F of Chapter 111 of the General Laws, as appearing in the 2004 Official Edition, is hereby amended by inserting the following language: -
Informed consent provided under Chapter 111, Section 70F shall include information that (a) the presence of the HIV or HTLV–III antibody or antigen is reportable to the public health agency, (b) a description of the purposes for which the individual’s protected health information will be used by such agency, and (c) a description of security measures used to protect the security of such information.
SECTION 5. The provisions of this act shall take effect one year after the date of enactment.