Michigan

 (2) A prescription drug prior authorization workgroup is created. Within 30 days after the effective date of this section, the department of community health and the department of insurance and financial services shall work together and appoint members to the workgroup. The workgroup must consist of a member who represents the department of community health, a member who represents the department of insurance and financial services, and members who represent insurers, prescribers, pharmacists, hospitals, and other stakeholders as determined necessary by the department of community health and the department of insurance and financial services. The workgroup shall appoint a chairperson from among its members. The chairperson of the workgroup shall schedule workgroup meetings. The department of community health and the department of insurance and financial services shall organize the initial meeting of the workgroup and shall provide administrative support for the workgroup.
 (3) In developing the standard prior authorization methodology under subsection (1), the workgroup shall consider all of the following:
 (a) Existing and potential technologies that could be used to transmit a standard prior authorization request.
 (b) The national standards pertaining to electronic prior authorization developed by the national council for prescription drug programs.
 (c) Any prior authorization forms and methodologies used in pilot programs in this state.
 (d) Any prior authorization forms and methodologies developed by the federal centers for Medicare and Medicaid services.
 (4) Beginning on the effective date of this section, an insurer may specify in writing the materials and information necessary to constitute a properly completed standard prior authorization request when a policy, certificate, or contract requires prior authorization for prescription drug benefits.
 (5) If the workgroup develops a paper form as the standard prior authorization methodology under subsection (1), the paper form shall meet all of the following requirements:
 (a) Consist of not more than 2 pages. However, an insurer may request and require additional information beyond the 2-page limitation of this subdivision, if that information is specified in writing by the insurer under subsection (4). As used in this subdivision, "additional information" includes, but is not limited to, any of the following:
 (i) Patient clinical information including, but not limited to, diagnosis, chart notes, lab information, and genetic tests.
 (ii) Information necessary for approval of the prior authorization request under plan criteria.
 (iii) Drug specific information including, but not limited to, medication history, duration of therapy, and treatment use.
 (b) Be electronically available.
 (c) Be electronically transmissible, including, but not limited to, transmission by facsimile or similar device.
 (6) Beginning July 1, 2016, if an insurer uses a prior authorization methodology that utilizes an internet webpage, internet webpage portal, or similar electronic, internet, and web-based system, the prior authorization methodology described in subsection (5) does not apply. Subsections (4), (8), and (9) apply to a prior authorization methodology that utilizes an internet webpage, internet webpage portal, or similar electronic, internet, and web-based system.
 (7) Beginning July 1, 2016, except as otherwise provided in subsection (6), an insurer shall use the standard prior authorization methodology developed under subsection (1) when a policy, certificate, or contract requires prior authorization for prescription drug benefits.
 (8) Beginning January 1, 2016, a prior authorization request that has not been certified for expedited review by the prescriber is considered to have been granted by the insurer if the insurer fails to grant the request, deny the request, or require additional information of the prescriber within 15 days after the date and time of submission of a standard prior authorization request under this section. If additional information is requested by an insurer, a prior authorization request under this subsection is not considered granted if the prescriber fails to submit the additional information within 15 days after the date and time of the original submission of a properly completed standard prior authorization request under this section. If additional information is requested by an insurer, a prior authorization request is considered to have been granted by the insurer if the insurer fails to grant the request, deny the request, or otherwise respond to the request of the prescriber within 15 days after the date and time of submission of the additional information. If additional information is requested by an insurer, a prior authorization request under this subsection is considered void if the prescriber fails to submit the additional information within 21 days after the date and time of the original submission of a properly completed standard prior authorization request under this section.
 (9) Beginning January 1, 2016, a prior authorization request that has been certified for expedited review by the prescriber is considered to have been granted by the insurer if the insurer fails to grant the request, deny the request, or require additional information of the prescriber within 72 hours after the date and time of submission of a standard prior authorization request under this section. If additional information is requested by an insurer, a prior authorization request under this subsection is not considered granted if the prescriber fails to submit the additional information within 72 hours after the date and time of the original submission of a properly completed standard prior authorization request under this section. If additional information is requested by an insurer, a prior authorization request is considered to have been granted by the insurer if the insurer fails to grant the request, deny the request, or otherwise respond to the request of the prescriber within 72 hours after the date and time of submission of the additional information. If additional information is requested by an insurer, a prior authorization request under this subsection is considered void if the prescriber fails to submit the additional information within 5 days after the date and time of the original submission of a properly completed standard prior authorization request under this section.
 (10) As used in this section:
 (a) "Insurer" means any of the following:
 (i) An insurer issuing an expense-incurred hospital, medical, or surgical policy or certificate.
 (ii) A health maintenance organization.
 (iii) A health care corporation operating pursuant to the nonprofit health care corporation reform act, 1980 PA 350, MCL 550.1101 to 550.1704.
 (iv) A third party administrator of prescription drug benefits.
 (b) "Prescriber" means that term as defined in section 17708 of the public health code, 1978 PA 368, MCL 333.17708.
 (c) "Prescription drug" means that term as defined in section 17708 of the public health code, 1978 PA 368, MCL 333.17708.
 (d) "Prescription drug benefit" means the right to have a payment made by an insurer pursuant to prescription drug coverage contained within a policy, certificate, or contract delivered, issued for delivery, or renewed in this state.
 (e) "Workgroup" means the prescription drug prior authorization workgroup created under subsection (2).

 (a) The request is made pursuant to research that complies with 45 CFR part 46, or equivalent federal regulations, and any applicable state or local law or regulations for the protection of human subjects in research.
 (b) The insurer clearly indicates to each individual, or in the case of a minor child, to the legal guardian of that child, to whom the request is made, that compliance with the request is voluntary and that noncompliance will have no effect on enrollment status or premium or contribution amounts.
 (c) Genetic information collected or acquired under this subsection shall not be used for underwriting, determination of eligibility to enroll or maintain enrollment status, premium rates, or the issuance, renewal, or replacement of a policy or certificate.
 (d) The insurer notifies the commissioner in writing that the insurer is conducting activities pursuant to the exception provided for under this subsection, including a description of the activities conducted.
 (e) The insurer complies with any other conditions as the commissioner may by regulation require for activities conducted under this subsection.

 (i) False or misleading advertising.
 (ii) Dividing fees for referral of patients or accepting kickbacks on medical or surgical services, appliances, or medications purchased by or in behalf of patients.
 (iii) Fraud or deceit in obtaining or attempting to obtain third party reimbursement.

 (a) The nature and purpose of the presymptomatic or predictive genetic test.
 (b) The effectiveness and limitations of the presymptomatic or predictive genetic test.
 (c) The implications of taking the presymptomatic or predictive genetic test, including, but not limited to, the medical risks and benefits.
 (d) The future uses of the sample taken from the test subject in order to conduct the presymptomatic or predictive genetic test and the information obtained from the presymptomatic or predictive genetic test.
 (e) The meaning of the presymptomatic or predictive genetic test results and the procedure for providing notice of the results to the test subject.
 (f) Who will have access to the sample taken from the test subject in order to conduct the presymptomatic or predictive genetic test and the information obtained from the presymptomatic or predictive genetic test, and the test subject's right to confidential treatment of the sample and the information.
 (3) Within 6 months after the effective date of the amendatory act that added this section, the department of community health, in consultation with the Michigan board of medicine, the Michigan board of osteopathic medicine and surgery, at least 1 physician who is board certified by the American board of medical genetics, and appropriate professional organizations, shall develop and distribute a model informed consent form for purposes of this section that practitioners may adopt. The department of community health shall include in the model form at least all of the information required under subsection (2). The department of community health shall distribute the model form to physicians and other individuals subject to this section upon request and at no charge. The department of community health shall review the model form at least annually for 5 years after the first model form is distributed, and shall revise the model form if necessary to make the form reflect the latest developments in medical genetics.
 (4) The department of community health, in consultation with the entities described in subsection (3), may also develop and distribute a pamphlet that provides further explanation of the information included in the model informed consent form.
 (5) If a test subject or his or her legally authorized representative signs a copy of the model informed consent form developed and distributed under subsection (3), the physician or individual acting under the delegatory authority of the physician shall give the test subject a copy of the signed informed consent form and shall include the original signed informed consent form in the test subject's medical record.
 (6) If a test subject or his or her legally authorized representative signs a copy of the model informed consent form developed and distributed under subsection (3), the test subject is barred from subsequently bringing a civil action for damages against the physician, or an individual to whom the physician delegated the authority to perform a selected act, task, or function under section 16215, who ordered the presymptomatic or predictive genetic test, based on failure to obtain informed consent for the presymptomatic or predictive genetic test.
 (7) A physician's duty to inform a patient under this section does not require disclosure of information beyond what a reasonably well-qualified physician licensed under this article would know.
 (8) Except as otherwise provided in subsection (9), as used in this section:
 (a) “Genetic information” means information about a gene, gene product, or inherited characteristic which information is derived from a genetic test.
 (b) “Genetic test” means the analysis of human DNA, RNA, chromosomes, and those proteins and metabolites used to detect heritable or somatic disease-related genotypes or karyotypes for clinical purposes. A genetic test must be generally accepted in the scientific and medical communities as being specifically determinative for the presence, absence, or mutation of a gene or chromosome in order to qualify under this definition. Genetic test does not include a routine physical examination or a routine analysis, including, but not limited to, a chemical analysis, of body fluids, unless conducted specifically to determine the presence, absence, or mutation of a gene or chromosome.
 (c) “Predictive genetic test” means a genetic test performed for the purpose of predicting the future probability that the test subject will develop a genetically related disease or disability.
 (d) “Presymptomatic genetic test” means a genetic test performed before the onset of clinical symptoms or indications of disease.
 (9) For purposes of subsection (8)(b), the term “genetic test” does not include a procedure performed as a component of biomedical research that is conducted pursuant to federal common rule under 21 C.F.R. parts 50 and 56 and 45 C.F.R. part 46.

 (a) The nature and purpose of the presymptomatic or predictive genetic test.
 (b) The effectiveness and limitations of the presymptomatic or predictive genetic test.
 (c) The implications of taking the presymptomatic or predictive genetic test, including, but not limited to, the medical risks and benefits.
 (d) The future uses of the sample taken from the test subject in order to conduct the presymptomatic or predictive genetic test and the information obtained from the presymptomatic or predictive genetic test.
 (e) The meaning of the presymptomatic or predictive genetic test results and the procedure for providing notice of the results to the test subject.
 (f) Who will have access to the sample taken from the test subject in order to conduct the presymptomatic or predictive genetic test and the information obtained from the presymptomatic or predictive genetic test, and the test subject's right to confidential treatment of the sample and the information.
 (3) Within 6 months after the effective date of the amendatory act that added this section, the department of community health, in consultation with the Michigan board of medicine, the Michigan board of osteopathic medicine and surgery, at least 1 physician who is board certified by the American board of medical genetics, and appropriate professional organizations, shall develop and distribute a model informed consent form for purposes of this section that practitioners may adopt. The department of community health shall include in the model form at least all of the information required under subsection (2). The department of community health shall distribute the model form to physicians and other individuals subject to this section upon request and at no charge. The department of community health shall review the model form at least annually for 5 years after the first model form is distributed, and shall revise the model form if necessary to make the form reflect the latest developments in medical genetics.
 (4) The department of community health, in consultation with the entities described in subsection (3), may also develop and distribute a pamphlet that provides further explanation of the information included in the model informed consent form.
 (5) If a test subject or his or her legally authorized representative signs a copy of the model informed consent form developed and distributed under subsection (3), the physician or individual acting under the delegatory authority of the physician shall give the test subject a copy of the signed informed consent form and shall include the original signed informed consent form in the test subject's medical record.
 (6) If a test subject or his or her legally authorized representative signs a copy of the model informed consent form developed and distributed under subsection (3), the test subject is barred from subsequently bringing a civil action for damages against the physician, or an individual to whom the physician delegated the authority to perform a selected act, task, or function under section 16215, who ordered the presymptomatic or predictive genetic test, based on failure to obtain informed consent for the presymptomatic or predictive genetic test.
 (7) A physician's duty to inform a patient under this section does not require disclosure of information beyond what a reasonably well-qualified physician licensed under this article would know.
 (8) Except as otherwise provided in subsection (9), as used in this section:
 (a) “Genetic information” means information about a gene, gene product, or inherited characteristic which information is derived from a genetic test.
 (b) “Genetic test” means the analysis of human DNA, RNA, chromosomes, and those proteins and metabolites used to detect heritable or somatic disease-related genotypes or karyotypes for clinical purposes. A genetic test must be generally accepted in the scientific and medical communities as being specifically determinative for the presence, absence, or mutation of a gene or chromosome in order to qualify under this definition. Genetic test does not include a routine physical examination or a routine analysis, including, but not limited to, a chemical analysis, of body fluids, unless conducted specifically to determine the presence, absence, or mutation of a gene or chromosome.
 (c) “Predictive genetic test” means a genetic test performed for the purpose of predicting the future probability that the test subject will develop a genetically related disease or disability.
 (d) “Presymptomatic genetic test” means a genetic test performed before the onset of clinical symptoms or indications of disease.
 (9) For purposes of subsection (8)(b), the term “genetic test” does not include a procedure performed as a component of biomedical research that is conducted pursuant to federal common rule under 21 C.F.R. parts 50 and 56 and 45 C.F.R. part 46.

Sec. 3.

 An employer shall not do any of the following:
 (a) Request an employee or an applicant for employment to grant access to, allow observation of, or disclose information that allows access to or observation of the employee's or applicant's personal internet account.
 (b) Discharge, discipline, fail to hire, or otherwise penalize an employee or applicant for employment for failure to grant access to, allow observation of, or disclose information that allows access to or observation of the employee's or applicant's personal internet account.

37.274 Educational institution; prohibited acts. Sec. 4.

 An educational institution shall not do any of the following:
 (a) Request a student or prospective student to grant access to, allow observation of, or disclose information that allows access to or observation of the student's or prospective student's personal internet account.
 (b) Expel, discipline, fail to admit, or otherwise penalize a student or prospective student for failure to grant access to, allow observation of, or disclose information that allows access to or observation of the student's or prospective student's personal internet account.

37.275 Certain acts by employer not prohibited or restricted. Sec. 5.

 (1) This act does not prohibit an employer from doing any of the following:
 (a) Requesting or requiring an employee to disclose access information to the employer to gain access to or operate any of the following:
 (i) An electronic communications device paid for in whole or in part by the employer.
 (ii) An account or service provided by the employer, obtained by virtue of the employee's employment relationship with the employer, or used for the employer's business purposes.
 (b) Disciplining or discharging an employee for transferring the employer's proprietary or confidential information or financial data to an employee's personal internet account without the employer's authorization.
 (c) Conducting an investigation or requiring an employee to cooperate in an investigation in any of the following circumstances:
 (i) If there is specific information about activity on the employee's personal internet account, for the purpose of ensuring compliance with applicable laws, regulatory requirements, or prohibitions against work-related employee misconduct.
 (ii) If the employer has specific information about an unauthorized transfer of the employer's proprietary information, confidential information, or financial data to an employee's personal internet account.
 (d) Restricting or prohibiting an employee's access to certain websites while using an electronic communications device paid for in whole or in part by the employer or while using an employer's network or resources, in accordance with state and federal law.
 (e) Monitoring, reviewing, or accessing electronic data stored on an electronic communications device paid for in whole or in part by the employer, or traveling through or stored on an employer's network, in accordance with state and federal law.
 (2) This act does not prohibit or restrict an employer from complying with a duty to screen employees or applicants prior to hiring or to monitor or retain employee communications that is established under federal law or by a self-regulatory organization, as defined in section 3(a)(26) of the securities and exchange act of 1934, 15 USC 78c(a)(26).
 (3) This act does not prohibit or restrict an employer from viewing, accessing, or utilizing information about an employee or applicant that can be obtained without any required access information or that is available in the public domain.

37.276 Powers of educational institution to gain access to certain information. Sec. 6.

 (1) This act does not prohibit an educational institution from requesting or requiring a student to disclose access information to the educational institution to gain access to or operate any of the following:
 (a) An electronic communications device paid for in whole or in part by the educational institution.
 (b) An account or service provided by the educational institution that is either obtained by virtue of the student's admission to the educational institution or used by the student for educational purposes.
 (2) This act does not prohibit or restrict an educational institution from viewing, accessing, or utilizing information about a student or applicant that can be obtained without any required access information or that is available in the public domain.

37.277 Duties not created by act; liability. Sec. 7.

 (1) This act does not create a duty for an employer or educational institution to search or monitor the activity of a personal internet account.
 (2) An employer or educational institution is not liable under this act for failure to request or require that an employee, a student, an applicant for employment, or a prospective student grant access to, allow observation of, or disclose information that allows access to or observation of the employee's, student's, applicant for employment's, or prospective student's personal internet account.

37.278 Violation of provisions of act as misdemeanor; civil action; injunction; damages; written demand and documentation; jurisdiction; affirmative defense. Sec. 8.

 (1) A person who violates section 3 or 4 is guilty of a misdemeanor punishable by a fine of not more than $1,000.00.
 (2) An individual who is the subject of a violation of this act may bring a civil action to enjoin a violation of section 3 or 4 and may recover not more than $1,000.00 in damages plus reasonable attorney fees and court costs. Not later than 60 days before filing a civil action for damages or 60 days before adding a claim for damages to an action seeking injunctive relief, the individual shall make a written demand of the alleged violator for not more than $1,000.00. The written demand shall include reasonable documentation of the violation. The written demand and documentation shall either be served in the manner provided by law for service of process in civil actions or mailed by certified mail with sufficient postage affixed and addressed to the alleged violator at his or her residence, principal office, or place of business. An action under this subsection may be brought in the district court for the county where the alleged violation occurred or for the county where the person against whom the civil complaint is filed resides or has his or her principal place of business.
 (3) It is an affirmative defense to an action under this act that the employer or educational institution acted to comply with requirements of a federal law or a law of this state.

Sec. 17020.

 (1) Except as otherwise provided for a test performed under section 5431 and except as otherwise provided by law, beginning upon the expiration of 6 months after the effective date of the amendatory act that added this section, a physician or an individual to whom the physician has delegated authority to perform a selected act, task, or function under section 16215 shall not order a presymptomatic or predictive genetic test without first obtaining the written, informed consent of the test subject, pursuant to this section.
 (2) For purposes of subsection (1), written, informed consent consists of a signed writing executed by the test subject or the legally authorized representative of the test subject that confirms that the physician or the individual acting under the delegatory authority of the physician has explained, and the test subject or the legally authorized representative of the test subject understands, at a minimum, all of the following:
 (a) The nature and purpose of the presymptomatic or predictive genetic test.
 (b) The effectiveness and limitations of the presymptomatic or predictive genetic test.
 (c) The implications of taking the presymptomatic or predictive genetic test, including, but not limited to, the medical risks and benefits.
 (d) The future uses of the sample taken from the test subject in order to conduct the presymptomatic or predictive genetic test and the information obtained from the presymptomatic or predictive genetic test.
 (e) The meaning of the presymptomatic or predictive genetic test results and the procedure for providing notice of the results to the test subject.
 (f) Who will have access to the sample taken from the test subject in order to conduct the presymptomatic or predictive genetic test and the information obtained from the presymptomatic or predictive genetic test, and the test subject's right to confidential treatment of the sample and the information.
 (3) Within 6 months after the effective date of the amendatory act that added this section, the department of community health, in consultation with the Michigan board of medicine, the Michigan board of osteopathic medicine and surgery, at least 1 physician who is board certified by the American board of medical genetics, and appropriate professional organizations, shall develop and distribute a model informed consent form for purposes of this section that practitioners may adopt. The department of community health shall include in the model form at least all of the information required under subsection (2). The department of community health shall distribute the model form to physicians and other individuals subject to this section upon request and at no charge. The department of community health shall review the model form at least annually for 5 years after the first model form is distributed, and shall revise the model form if necessary to make the form reflect the latest developments in medical genetics.
 (4) The department of community health, in consultation with the entities described in subsection (3), may also develop and distribute a pamphlet that provides further explanation of the information included in the model informed consent form.
 (5) If a test subject or his or her legally authorized representative signs a copy of the model informed consent form developed and distributed under subsection (3), the physician or individual acting under the delegatory authority of the physician shall give the test subject a copy of the signed informed consent form and shall include the original signed informed consent form in the test subject's medical record.
 (6) If a test subject or his or her legally authorized representative signs a copy of the model informed consent form developed and distributed under subsection (3), the test subject is barred from subsequently bringing a civil action for damages against the physician, or an individual to whom the physician delegated the authority to perform a selected act, task, or function under section 16215, who ordered the presymptomatic or predictive genetic test, based on failure to obtain informed consent for the presymptomatic or predictive genetic test.
 (7) A physician's duty to inform a patient under this section does not require disclosure of information beyond what a reasonably well-qualified physician licensed under this article would know.
 (8) Except as otherwise provided in subsection (9), as used in this section:
 (a) "Genetic information" means information about a gene, gene product, or inherited characteristic which information is derived from a genetic test.
 (b) "Genetic test" means the analysis of human DNA, RNA, chromosomes, and those proteins and metabolites used to detect heritable or somatic disease-related genotypes or karyotypes for clinical purposes. A genetic test must be generally accepted in the scientific and medical communities as being specifically determinative for the presence, absence, or mutation of a gene or chromosome in order to qualify under this definition. Genetic test does not include a routine physical examination or a routine analysis, including, but not limited to, a chemical analysis, of body fluids, unless conducted specifically to determine the presence, absence, or mutation of a gene or chromosome.
 (c) "Predictive genetic test" means a genetic test performed for the purpose of predicting the future probability that the test subject will develop a genetically related disease or disability.
 (d) "Presymptomatic genetic test" means a genetic test performed before the onset of clinical symptoms or indications of disease.
 (9) For purposes of subsection (8)(b), the term "genetic test" does not include a procedure performed as a component of biomedical research that is conducted pursuant to federal common rule under 21 C.F.R. parts 50 and 56 and 45 C.F.R. part 46.

Sec. 5.

 (1) A person shall not do any of the following:
 (a) With intent to defraud or violate the law, use or attempt to use the personal identifying information of another person to do either of the following:
 (i) Obtain credit, goods, services, money, property, a vital record, a confidential telephone record, medical records or information, or employment.
 (ii) Commit another unlawful act.
 (b) By concealing, withholding, or misrepresenting the person's identity, use or attempt to use the personal identifying information of another person to do either of the following:
 (i) Obtain credit, goods, services, money, property, a vital record, a confidential telephone record, medical records or information, or employment.
 (ii) Commit another unlawful act.
 (2) A person who violates subsection (1)(b)(i) may assert 1 or more of the following as a defense in a civil action or as an affirmative defense in a criminal prosecution, and has the burden of proof on that defense by a preponderance of the evidence:
 (a) That the person gave a bona fide gift for or for the benefit or control of, or use or consumption by, the person whose personal identifying information was used.
 (b) That the person acted in otherwise lawful pursuit or enforcement of a person's legal rights, including an investigation of a crime or an audit, collection, investigation, or transfer of a debt, child or spousal support obligation, tax liability, claim, receivable, account, or interest in a receivable or account.
 (c) That the action taken was authorized or required by state or federal law, rule, regulation, or court order or rule.
 (d) That the person acted with the consent of the person whose personal identifying information was used, unless the person giving consent knows that the information will be used to commit an unlawful act.

445.67 Additional prohibited acts. Sec. 7.

 A person shall not do any of the following:
 (a) Make any electronic mail or other communication under false pretenses purporting to be by or on behalf of a business, without the authority or approval of the business, and use that electronic mail or other communication to induce, request, or solicit any individual to provide personal identifying information with the intent to use that information to commit identity theft or another crime.
 (b) Create or operate a webpage that represents itself as belonging to or being associated with a business, without the authority or approval of that business, and induces, requests, or solicits any user of the internet to provide personal identifying information with the intent to use that information to commit identity theft or another crime.
 (c) Alter a setting on a user's computer or similar device or software program through which the user may access the internet and cause any user of the internet to view a communication that represents itself as belonging to or being associated with a business, which message has been created or is operated without the authority or approval of that business, and induces, requests, or solicits any user of the internet to provide personal identifying information with the intent to use that information to commit identity theft or another crime.
 (d) Obtain or possess, or attempt to obtain or possess, personal identifying information of another person with the intent to use that information to commit identity theft or another crime.
 (e) Sell or transfer, or attempt to sell or transfer, personal identifying information of another person if the person knows or has reason to know that the specific intended recipient will use, attempt to use, or further transfer the information to another person for the purpose of committing identity theft or another crime.
 (f) Falsify a police report of identity theft, or knowingly create, possess, or use a false police report of identity theft.

445.67a Prohibited acts; interactive computer service provider not liable for certain actions; civil action by attorney general or interactive computer service provider; exception; recovery of damages; investigation. Sec. 7a.

 (1) A person shall not do any of the following:
 (a) Make any electronic mail or other communication under false pretenses purporting to be by or on behalf of a business, without the authority or approval of the business, and use that electronic mail or other communication to induce, request, or solicit any individual to provide personal identifying information.
 (b) Create or operate a webpage that represents itself as belonging to or being associated with a business, without the authority or approval of that business, and induces, requests, or solicits any user of the internet to provide personal identifying information.
 (c) Alter a setting on a user's computer or similar device or software program through which the user may access the internet and cause any user of the internet to view a communication that represents itself as belonging to or being associated with a business, which message has been created or is operated without the authority or approval of that business, and induces, requests, or solicits any user of the internet to provide personal identifying information.
 (2) An interactive computer service provider shall not be held liable under any provision of the laws of this state for removing or disabling access to an internet domain name controlled or operated by the registrar or by the provider, or to content that resides on an internet website or other online location controlled or operated by the provider, that the provider believes in good faith is used to engage in a violation of this act. This act does not apply to a telecommunications provider's or internet service provider's good faith transmission or routing of, or intermediate temporary storing or caching of, personal identifying information.
 (3) The attorney general, or an interactive computer service provider harmed by a violation of subsection (1), may bring a civil action against a person who has violated that subsection.
 (4) Subsection (1) does not apply to the following:
 (a) A law enforcement officer while that officer is engaged in the performance of his or her official duties.
 (b) Any other individual authorized to conduct lawful investigations while that individual is engaged in a lawful investigation.
 (5) A person bringing an action under this section may recover 1 of the following:
 (a) Actual damages, including reasonable attorney fees.
 (b) In lieu of actual damages, reasonable attorney fees plus the lesser of the following:
 (i) $5,000.00 per violation.
 (ii) $250,000.00 for each day that a violation occurs.
 (6) If the attorney general has reason to believe that a person has violated section 7(a), (b), or (c) or this section, the attorney general may investigate the business transactions of that person. The attorney general may require that person to appear, at a reasonable time and place, to give information under oath and to produce any documents and evidence necessary to determine whether the person is in compliance with the requirements of that section.

445.69 Certain violations as felony; penalty; consecutive sentences; defense in civil action or criminal prosecution; burden of proof; exception. Sec. 9.

 (1) Subject to subsection (6), a person who violates section 5 or 7 is guilty of a felony punishable as follows:
 (a) Except as otherwise provided in subdivisions (b) and (c), by imprisonment for not more than 5 years or a fine of not more than $25,000.00, or both.
 (b) If the violation is a second violation of section 5 or 7, by imprisonment for not more than 10 years or a fine of not more than $50,000.00, or both.
 (c) If the violation is a third or subsequent violation of section 5 or 7, by imprisonment for not more than 15 years or a fine of not more than $75,000.00, or both.
 (2) Sections 5 and 7 apply whether an individual who is a victim or intended victim of a violation of 1 of those sections is alive or deceased at the time of the violation.
 (3) This section does not prohibit a person from being charged with, convicted of, or sentenced for any other violation of law committed by that person using information obtained in violation of this section or any other violation of law committed by that person while violating or attempting to violate this section.
 (4) The court may order that a term of imprisonment imposed under this section be served consecutively to any term of imprisonment imposed for a conviction of any other violation of law committed by that person using the information obtained in violation of this section or any other violation of law committed by that person while violating or attempting to violate this section.
 (5) A person may assert as a defense in a civil action or as an affirmative defense in a criminal prosecution for a violation of section 5 or 7, and has the burden of proof on that defense by a preponderance of the evidence, that the person lawfully transferred, obtained, or attempted to obtain personal identifying information of another person for the purpose of detecting, preventing, or deterring identity theft or another crime or the funding of a criminal activity.
 (6) Subsection (1) does not apply to a violation of a statute or rule administered by a regulatory board, commission, or officer acting under authority of this state or the United States that confers primary jurisdiction on that regulatory board, commission, or officer to authorize, prohibit, or regulate the transactions and conduct of that person, including, but not limited to, a state or federal statute or rule governing a financial institution and the insurance code of 1956, 1956 PA 218, MCL 500.100 to 500.8302, if the act is committed by a person subject to and regulated by that statute or rule, or by another person who has contracted with that person to use personal identifying information.

445.71 Prohibited acts in conduct of trade or commerce; violation as misdemeanor; penalty; civil liability. Sec. 11.

 (1) A person shall not do any of the following in the conduct of trade or commerce:
 (a) Deny credit or public utility service to or reduce the credit limit of a consumer solely because the consumer was a victim of identity theft, if the person had prior knowledge that the consumer was a victim of identity theft. A consumer is presumed to be a victim of identity theft for the purposes of this subdivision if he or she provides both of the following to the person:
 (i) A copy of a police report evidencing the claim of the victim of identity theft.
 (ii) Either a properly completed copy of a standardized affidavit of identity theft developed and made available by the federal trade commission under 15 USC 1681g or an affidavit of fact that is acceptable to the person for that purpose.
 (b) Solicit to extend credit to a consumer who does not have an existing line of credit, or has not had or applied for a line of credit within the preceding year, through the use of an unsolicited check that includes personal identifying information other than the recipient's name, address, and a partial, encoded, or truncated personal identifying number. In addition to any other penalty or remedy under this act or the Michigan consumer protection act, 1976 PA 331, MCL 445.901 to 445.922, a credit card issuer, financial institution, or other lender that violates this subdivision, and not the consumer, is liable for the amount of the instrument if the instrument is used by an unauthorized user and for any fees assessed to the consumer if the instrument is dishonored.
 (c) Solicit to extend credit to a consumer who does not have a current credit card, or has not had or applied for a credit card within the preceding year, through the use of an unsolicited credit card sent to the consumer. In addition to any other penalty or remedy under this act or the Michigan consumer protection act, 1976 PA 331, MCL 445.901 to 445.922, a credit card issuer, financial institution, or other lender that violates this subdivision, and not the consumer, is liable for any charges if the credit card is used by an unauthorized user and for any interest or finance charges assessed to the consumer.
 (d) Extend credit to a consumer without exercising reasonable procedures to verify the identity of that consumer. Compliance with regulations issued for depository institutions, and to be issued for other financial institutions, by the United States department of treasury under section 326 of the USA patriot act of 2001, 31 USC 5318, is considered compliance with this subdivision. This subdivision does not apply to a purchase of a credit obligation in an acquisition, merger, purchase of assets, or assumption of liabilities or any change to or review of an existing credit account.
 (2) A person who knowingly or intentionally violates subsection (1) is guilty of a misdemeanor punishable as follows:
 (a) Except as otherwise provided in subdivisions (b) and (c), by imprisonment for not more than 93 days or a fine of not more than $1,000.00, or both.
 (b) For a second violation, by imprisonment for not more than 93 days or a fine of not more than $2,000.00, or both.
 (c) For a third or subsequent violation, by imprisonment for not more than 93 days or a fine of not more than $3,000.00, or both.
 (3) Subsection (2) does not prohibit a person from being liable for any civil remedy for a violation of this act, the Michigan consumer protection act, 1976 PA 331, MCL 445.901 to 445.922, or any other state or federal law.

445.72 Notice of security breach; requirements. Sec. 12.

 (1) Unless the person or agency determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents of this state, a person or agency that owns or licenses data that are included in a database that discovers a security breach, or receives notice of a security breach under subsection (2), shall provide a notice of the security breach to each resident of this state who meets 1 or more of the following:
 (a) That resident's unencrypted and unredacted personal information was accessed and acquired by an unauthorized person.
 (b) That resident's personal information was accessed and acquired in encrypted form by a person with unauthorized access to the encryption key.
 (2) Unless the person or agency determines that the security breach has not or is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents of this state, a person or agency that maintains a database that includes data that the person or agency does not own or license that discovers a breach of the security of the database shall provide a notice to the owner or licensor of the information of the security breach.
 (3) In determining whether a security breach is not likely to cause substantial loss or injury to, or result in identity theft with respect to, 1 or more residents of this state under subsection (1) or (2), a person or agency shall act with the care an ordinarily prudent person or agency in like position would exercise under similar circumstances.
 (4) A person or agency shall provide any notice required under this section without unreasonable delay. A person or agency may delay providing notice without violating this subsection if either of the following is met:
 (a) A delay is necessary in order for the person or agency to take any measures necessary to determine the scope of the security breach and restore the reasonable integrity of the database. However, the agency or person shall provide the notice required under this subsection without unreasonable delay after the person or agency completes the measures necessary to determine the scope of the security breach and restore the reasonable integrity of the database.
 (b) A law enforcement agency determines and advises the agency or person that providing a notice will impede a criminal or civil investigation or jeopardize homeland or national security. However, the agency or person shall provide the notice required under this section without unreasonable delay after the law enforcement agency determines that providing the notice will no longer impede the investigation or jeopardize homeland or national security.
 (5) Except as provided in subsection (11), an agency or person shall provide any notice required under this section by providing 1 or more of the following to the recipient:
 (a) Written notice sent to the recipient at the recipient's postal address in the records of the agency or person.
 (b) Written notice sent electronically to the recipient if any of the following are met:
 (i) The recipient has expressly consented to receive electronic notice.
 (ii) The person or agency has an existing business relationship with the recipient that includes periodic electronic mail communications and based on those communications the person or agency reasonably believes that it has the recipient's current electronic mail address.
 (iii) The person or agency conducts its business primarily through internet account transactions or on the internet.
 (c) If not otherwise prohibited by state or federal law, notice given by telephone by an individual who represents the person or agency if all of the following are met:
 (i) The notice is not given in whole or in part by use of a recorded message.
 (ii) The recipient has expressly consented to receive notice by telephone, or if the recipient has not expressly consented to receive notice by telephone, the person or agency also provides notice under subdivision (a) or (b) if the notice by telephone does not result in a live conversation between the individual representing the person or agency and the recipient within 3 business days after the initial attempt to provide telephonic notice.
 (d) Substitute notice, if the person or agency demonstrates that the cost of providing notice under subdivision (a), (b), or (c) will exceed $250,000.00 or that the person or agency has to provide notice to more than 500,000 residents of this state. A person or agency provides substitute notice under this subdivision by doing all of the following:
 (i) If the person or agency has electronic mail addresses for any of the residents of this state who are entitled to receive the notice, providing electronic notice to those residents.
 (ii) If the person or agency maintains a website, conspicuously posting the notice on that website.
 (iii) Notifying major statewide media. A notification under this subparagraph shall include a telephone number or a website address that a person may use to obtain additional assistance and information.
 (6) A notice under this section shall do all of the following:
 (a) For a notice provided under subsection (5)(a) or (b), be written in a clear and conspicuous manner and contain the content required under subdivisions (c) to (g).
 (b) For a notice provided under subsection (5)(c), clearly communicate the content required under subdivisions (c) to (g) to the recipient of the telephone call.
 (c) Describe the security breach in general terms.
 (d) Describe the type of personal information that is the subject of the unauthorized access or use.
 (e) If applicable, generally describe what the agency or person providing the notice has done to protect data from further security breaches.
 (f) Include a telephone number where a notice recipient may obtain assistance or additional information.
 (g) Remind notice recipients of the need to remain vigilant for incidents of fraud and identity theft.
 (7) A person or agency may provide any notice required under this section pursuant to an agreement between that person or agency and another person or agency, if the notice provided pursuant to the agreement does not conflict with any provision of this section.
 (8) Except as provided in this subsection, after a person or agency provides a notice under this section, the person or agency shall notify each consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, as defined in 15 USC 1681a(p), of the security breach without unreasonable delay. A notification under this subsection shall include the number of notices that the person or agency provided to residents of this state and the timing of those notices. This subsection does not apply if either of the following is met:
 (a) The person or agency is required under this section to provide notice of a security breach to 1,000 or fewer residents of this state.
 (b) The person or agency is subject to 15 USC 6801 to 6809.
 (9) A financial institution that is subject to, and has notification procedures in place that are subject to examination by the financial institution's appropriate regulator for compliance with, the interagency guidance on response programs for unauthorized access to customer information and customer notice prescribed by the board of governors of the federal reserve system and the other federal bank and thrift regulatory agencies, or similar guidance prescribed and adopted by the national credit union administration, and its affiliates, is considered to be in compliance with this section.
 (10) A person or agency that is subject to and complies with the health insurance portability and accountability act of 1996, Public Law 104-191, and with regulations promulgated under that act, 45 CFR parts 160 and 164, for the prevention of unauthorized access to customer information and customer notice is considered to be in compliance with this section.
 (11) A public utility that sends monthly billing or account statements to the postal address of its customers may provide notice of a security breach to its customers in the manner described in subsection (5), or alternatively by providing all of the following:
 (a) As applicable, notice as described in subsection (5)(b).
 (b) Notification to the media reasonably calculated to inform the customers of the public utility of the security breach.
 (c) Conspicuous posting of the notice of the security breach on the website of the public utility.
 (d) Written notice sent in conjunction with the monthly billing or account statement to the customer at the customer's postal address in the records of the public utility.
 (12) A person that provides notice of a security breach in the manner described in this section when a security breach has not occurred, with the intent to defraud, is guilty of a misdemeanor punishable as follows:
 (a) Except as otherwise provided under subdivisions (b) and (c), by imprisonment for not more than 93 days or a fine of not more than $250.00 for each violation, or both.
 (b) For a second violation, by imprisonment for not more than 93 days or a fine of not more than $500.00 for each violation, or both.
 (c) For a third or subsequent violation, by imprisonment for not more than 93 days or a fine of not more than $750.00 for each violation, or both.
 (13) Subject to subsection (14), a person that knowingly fails to provide any notice of a security breach required under this section may be ordered to pay a civil fine of not more than $250.00 for each failure to provide notice. The attorney general or a prosecuting attorney may bring an action to recover a civil fine under this section.
 (14) The aggregate liability of a person for civil fines under subsection (13) for multiple violations of subsection (13) that arise from the same security breach shall not exceed $750,000.00.
 (15) Subsections (12) and (13) do not affect the availability of any civil remedy for a violation of state or federal law.
 (16) This section applies to the discovery or notification of a breach of the security of a database that occurs on or after July 2, 2006.
 (17) This section does not apply to the access or acquisition by a person or agency of federal, state, or local government records or documents lawfully made available to the general public.
 (18) This section deals with subject matter that is of statewide concern, and any charter, ordinance, resolution, regulation, rule, or other action by a municipal corporation or other political subdivision of this state to regulate, directly or indirectly, any matter expressly set forth in this section is preempted.

445.72a Destruction of data containing personal information required; violation as misdemeanor; fine; compliance; "destroy" defined. Sec. 12a.

 (1) Subject to subsection (3), a person or agency that maintains a database that includes personal information regarding multiple individuals shall destroy any data that contain personal information concerning an individual when that data is removed from the database and the person or agency is not retaining the data elsewhere for another purpose not prohibited by state or federal law. This subsection does not prohibit a person or agency from retaining data that contain personal information for purposes of an investigation, audit, or internal review.
 (2) A person who knowingly violates this section is guilty of a misdemeanor punishable by a fine of not more than $250.00 for each violation. This subsection does not affect the availability of any civil remedy for a violation of state or federal law.
 (3) A person or agency is considered to be in compliance with this section if the person or agency is subject to federal law concerning the disposal of records containing personal identifying information and the person or agency is in compliance with that federal law.
 (4) As used in this section, "destroy" means to destroy or arrange for the destruction of data by shredding, erasing, or otherwise modifying the data so that they cannot be read, deciphered, or reconstructed through generally available means.

445.72b Misrepresentation by advertisement or solicitation prohibited; violation as misdemeanor; penalty; civil remedy. Sec. 12b.

 (1) A person shall not distribute an advertisement or make any other solicitation that misrepresents to the recipient that a security breach has occurred that may affect the recipient.
 (2) A person shall not distribute an advertisement or make any other solicitation that is substantially similar to a notice required under section 12(5) or by federal law, if the form of that notice is prescribed by state or federal law, rule, or regulation.
 (3) A person who knowingly or intentionally violates this section is guilty of a misdemeanor punishable as follows:
 (a) Except as otherwise provided in subdivisions (b) and (c), by imprisonment for not more than 93 days or a fine of not more than $1,000.00 for each violation, or both.
 (b) For a second violation, by imprisonment for not more than 93 days or a fine of not more than $2,000.00 for each violation, or both.
 (c) For a third or subsequent violation, by imprisonment for not more than 93 days or a fine of not more than $3,000.00 for each violation, or both.
 (4) Subsection (3) does not affect the availability of any civil remedy for a violation of this section or any other state or federal law.

445.73 Verification of information; use of vital record. Sec. 13.

 (1) A law enforcement agency or victim of identity theft may verify information from a vital record from a local registrar or the state registrar in the manner described in section 2881(2) of the public health code, 1978 PA 368, MCL 333.2881.
 (2) A state registrar or local registrar that verifies information from a vital record under section 2881(2) of the public health code, 1978 PA 368, MCL 333.2881, for a law enforcement agency investigating identity theft may provide that law enforcement agency with all of the following information about any previous requests concerning that public record that is available to the registrar:
 (a) Whether or not a certified copy or copies of the record were requested.
 (b) The date or dates a copy or copies of the record were issued.
 (c) The name of each applicant who requested the record.
 (d) The address, e-mail address, telephone number, and other identifying information of each applicant who requested the record.
 (e) Payment information regarding each request.
 (3) A state registrar or local registrar that verifies information from a vital record under section 2881(2) of the public health code, 1978 PA 368, MCL 333.2881, for an individual who provides proof that he or she is a victim of identity theft may provide that individual with all of the following information about any previous requests concerning that public record that is available to the registrar:
 (a) Whether or not a certified copy or copies of the record were requested.
 (b) The date or dates a copy or copies of the record were issued.
 (4) For purposes of subsection (3), it is sufficient proof that an individual is a victim of identity theft for a state registrar or local registrar to provide the information described in that subsection if he or she provides the registrar with a copy of a police report evidencing the claim that he or she is a victim of identity theft; and, if available, an affidavit of identity theft, in a form developed by the state registrar in cooperation with the attorney general for purposes of this subsection.
 (5) A law enforcement agency may request an administrative use copy of a vital record from the state registrar in the manner described in section 2891 of the public health code, 1978 PA 368, MCL 333.2891.
 (6) A law enforcement agency may request an administrative use copy of a vital record from a local registrar in the manner described in section 2891 of the public health code, 1978 PA 368, MCL 333.2891, if the request for the administrative use copy is in writing and contains both of the following:
 (a) A statement that the law enforcement agency requires information from a vital record beyond the information the local registrar may verify under subsections (1) and (2).
 (b) The agreement of the law enforcement agency that it will maintain the administrative use copy of the vital record in a secure location and will destroy the copy by confidential means when it no longer needs the copy.

by health care provider or facility; extension of response time. Sec. 5. (1) Except as otherwise provided by law or regulation, a patient or his or her authorized representative has the right to examine or obtain the patient's medical record. (2) An individual authorized under subsection (1) who wishes to examine or obtain a copy of the patient's medical record shall submit a written request that is signed and dated by that individual not more than 60 days before being submitted to the health care provider or health facility that maintains the medical record that is the subject of the request. Upon receipt of a request under this subsection, a health care provider or health facility shall, as promptly as required under the circumstances, but not later than 30 days after receipt of the request or if the medical record is not maintained or accessible on-site not later than 60 days after receipt of the request, do 1 or more of the following: (a) Make the medical record available for inspection or copying, or both, at the health care provider's or health facility's business location during regular business hours or provide a copy of all or part of the medical record, as requested by the patient or his or her authorized representative. (b) If the health care provider or health facility has contracted with another person or medical records company to maintain the health care provider's or health facility's medical records, the health care provider or health facility shall transmit a request made under this subsection to the person or medical records company maintaining the medical records. The health care provider or health facility shall retrieve the medical record from the person or medical records company maintaining the medical records and comply with subdivision (a) or shall require the person or medical records company that maintains that medical record to comply with subdivision (a). (c) Inform the patient or his or her authorized representative if the medical record does not exist or cannot be found. (d) If the health care provider or health facility to which the request is directed does not maintain the medical record requested and does not have a contract with another person or medical records company as described in subdivision (b), so inform the patient or his or her authorized representative and provide the name and address, if known, of the health care provider or health facility that maintains the medical records. (e) If the health care provider or health facility determines that disclosure of the requested medical record is likely to have an adverse effect on the patient, the health care provider or health facility shall provide a Rendered Wednesday, March 11, 2020 Page 2 Michigan Compiled Laws Complete Through PA 56 of 2020  Legislative Council, State of Michigan Courtesy of www.legislature.mi.gov clear statement supporting that determination and provide the medical record to another health care provider, health facility, or legal counsel designated by the patient or his or her authorized representative. (f) If the health care provider or health facility receives a request for a medical record that was obtained from someone other than a health care provider or health facility under a confidentiality agreement, the health care provider or health facility may deny access to that medical record if access to that medical record would be reasonably likely to reveal the source of the information. If the health care provider or health facility denies access under this subdivision, it shall provide the patient or his or her authorized representative with a written denial. (g) The health care provider, health facility, or medical records company shall take reasonable steps to verify the identity of the person making the request to examine or obtain a copy of the patient's medical record. (3) If the health care provider, health facility, or medical records company is unable to take action as required under subsection (2) and the health care provider, health facility, or medical records company provides the patient with a written statement indicating the reasons for its delay within the required time period, the health care provider, health facility, or medical records company may extend the response time for no more than 30 days. A health care provider, health facility, or medical records company may only extend the response time once per request under this subsection. History: 2004, Act 47, Imd. Eff. Apr. 1, 2004. 333.26267 Inquiry as to purpose prohibited. Sec. 7. A health care provider or health facility that receives a request for a medical record under section 5 shall not inquire as to the purpose of the request. History: 2004, Act 47, Imd. Eff. Apr. 1, 2004. 333.26269 Fee. Sec. 9. (1) Except as otherwise provided in this section, if a patient or his or her authorized representative makes a request for a copy of all or part of his or her medical record under section 5, the health care provider, health facility, or medical records company to which the request is directed may charge the patient or his or her authorized representative a fee that is not more than the following amounts: (a) An initial fee of $20.00 per request for a copy of the record. (b) Paper copies as follows: (i) One dollar per page for the first 20 pages. (ii) Fifty cents per page for pages 21 through 50. (iii) Twenty cents for pages 51 and over. (c) If the medical record is in some form or medium other than paper, the actual cost of preparing a duplicate. (d) Any postage or shipping costs incurred by the health care provider, health facility, or medical records company in providing the copies. (e) Any actual costs incurred by the health care provider, health facility, or medical records company in retrieving medical records that are 7 years old or older and not maintained or accessible on-site. (2) A health care provider, health facility, or medical records company may refuse to retrieve or copy all or part of a medical record for a patient or his or her authorized representative until the applicable fee is paid. (3) A health care provider, health facility, or medical records company shall not charge a fee for retrieving, copying, or mailing all or part of a medical record other than a fee allowed under subsection (1). Except as otherwise provided in subsection (4), a health care provider, health facility, or medical records company shall waive all fees for a medically indigent individual. The health care provider, health facility, or medical records company may require the patient or his or her authorized representative to provide proof that the patient is a recipient of assistance as described in this subsection. (4) A medically indigent individual that receives copies of medical records at no charge under subsection (3) is limited to 1 set of copies per health care provider, health facility, or medical records company. Any additional requests for the same records from the same health care provider, health facility, or medical records company shall be subject to the fee provisions under subsection (1). (5) Notwithstanding subsection (1), a health care provider, health facility, or medical records company shall not charge a patient an initial fee for his or her medical record. (6) Beginning 2 years after the effective date of this act, the department of community health shall adjust on an annual basis the fees prescribed by subsection (1) by an amount determined by the state treasurer to reflect the cumulative annual percentage change in the Detroit consumer price index. History: 2004, Act 47, Imd. Eff. Apr. 1, 2004. Rendered Wednesday, March 11, 2020 Page 3 Michigan Compiled Laws Complete Through PA 56 of 2020  Legislative Council, State of Michigan Courtesy of www.legislature.mi.gov 333.26271 Applicability of act to third party payer. Sec. 11. This act does not apply to copies of medical records provided to a third party payer, insurer as defined in section 106 of the insurance code of 1956, 1956 PA 218, MCL 500.106, or self-funded plan.