Standards for electronic health information transactions. Within 18 months of enactment, the Secretary of HHS is required to adopt standards from among those already approved by private standards developing organizations for certain electronic health transactions, including claims, enrollment, eligibility, payment, and coordination of benefits. These standards also must address the security of electronic health information systems.

Mandate on providers and health plans, and timetable. Providers and health plans are required to use the standards for the specified electronic transactions 24 months after they are adopted. Plans and providers may comply directly, or may use a health care clearinghouse. Certain health plans, in particular workers compensation, are not covered.

Privacy. The Secretary is required to recommend privacy standards for health information to Congress 12 months after enactment. If Congress does not enact privacy legislation within 3 years of enactment, the Secretary shall promulgate privacy regulations for individually identifiable electronic health information.

Pre-emption of State Law. The bill supersedes state laws, except where the Secretary determines that the State law is necessary to prevent fraud and abuse, to ensure appropriate state regulation of insurance or health plans, addresses controlled substances, or for other purposes. If the Secretary promulgates privacy regulations, those regulations do not pre-empt state laws that impose more stringent requirements. These provisions do not limit a State's ability to require health plan reporting or audits.

Penalties. The bill imposes civil money penalties and prison for certain violations.