(5) by adding at the end the following:
"(7) Not later than 1 year after the date of the enactment of the Health Insurance Portability and Accountability Act of 1996, and annually thereafter, the Committee shall submit to the Congress, and make public, a report regarding the implementation of part C of title XI of the Social Security Act. Such report shall address the following subjects, to the extent that the Committee determines appropriate:
"(A) The extent to which persons required to comply with part C of title XI of the Social Security Act are cooperating in implementing the standards adopted under such part.
"(B) The extent to which such entities are meeting the security standards adopted under such part and the types of penalties assessed for noncompliance with such standards.
"(C) Whether the Federal and State Governments are receiving information of sufficient quality to meet their responsibilities under such part.
"(D) Any problems that exist with respect to implementation of such part.
"(E) The extent to which timetables under such part are being met.".
SEC. 264. RECOMMENDATIONS WITH RESPECT TO PRIVACY OF CERTAIN HEALTH INFORMATION.
(a) IN GENERAL.—Not later than the date that is 12 months after the date of the enactment of this Act, the Secretary of Health and Human Services shall submit to the Committee on Labor and Human Resources and the Committee on Finance of the Senate and the Committee on Commerce and the Committee on Ways and Means of the House of Representatives detailed recommendations on standards with respect to the privacy of individually identifiable health information.
(b) SUBJECTS FOR RECOMMENDATIONS.—The recommendations under subsection (a) shall address at least the following:
(1) The rights that an individual who is a subject of individually identifiable health information should have.
(2) The procedures that should be established for the exercise of such rights.
(3) The uses and disclosures of such information that should be authorized or required.
(1) IN GENERAL.—If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act (as added by section 262) is not enacted by the date that is 36 months after the date of the enactment of this Act, the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than the date that is 42 months after the date of the enactment of this Act. Such regulations shall address at least the subjects described in subsection (b).
(2) PRE-EMPTION.—A regulation promulgated under paragraph (1) shall not supercede [sic] a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more