Health Information Privacy and Security Act

Health Information Privacy and Security Act - Requires a person who holds, uses, or discloses protected health information to: (1) permit an individual who is the subject of such information to inspect and copy the information; (2) establish safeguards and procedures to ensure the privacy, confidentiality, security, accuracy, and integrity of such information; and (3) establish and maintain a record of each protected health information disclosure.

Requires the Secretary of Health and Human Services to support demonstration projects to improve the communication of information pertaining to health privacy rights with individuals with limited English proficiency and limited health literacy.

Prohibits any person from disclosing, accessing, or using protected health information, except as authorized under this Act.

Requires the Secretary to develop and disseminate model written authorizations for the disclosure of such information.

Provides for notice to an individual of a security breach with regard to protected health information.

Sets forth purposes under which disclosure is permitted, including for public health, health oversight, and law enforcement purposes.

Directs the Secretary to designate the Office of Health Information Privacy to: (1) receive and investigate complaints of alleged violations of this Act; (2) provide guidance to health care providers and other relevant individuals concerning the interpretation and implementation of privacy protections; and (3) provide recommendations concerning improvements in the privacy and security of protected health information and concerning medical privacy research needs.

Requires the Secretary to establish and implement standards for health information technology products.

Sets forth criminal and civil penalties for knowing and intentional violations of this Act.

Provides that this Act does not preempt federal or state laws or regulations that provide greater protections.