Battle intensifies over medical records confidentiality legislation

Preemption of state laws is a major sticking point

The warning bell is sounding as Congress rushes to meet the deadline for medical records privacy legislation. Debate over who should get access to the records and how much access they should be given, however, has only intensified.

In accordance with the Health Insurance Portability and Accountability Act of 1996, Congress must pass legislation governing electronic health information before Aug. 21, 1999. If Congress does not act by that time, the responsibility for the regulation passes to the secretary of Health and Human Services in Washington, DC.

That crunch for time in late May did not stop the Senate Committee on Health, Education, Labor and Pensions from postponing consideration of the issue until June 9.

HIM associations back Bennett’s bill

Hospital and information management associations are throwing their support behind medical records privacy legislation introduced by Sen. Robert Bennett (R-UT). Bennett introduced the "Medical Information Protection Act of 1999" in April. No floor action was taken on a similar bill he introduced late last year.

Other bills under consideration include the Medical Information Privacy and Security Act, sponsored by Sen. Patrick Leahy (D-VT), and the Health Care Personal Information Nondisclosure Act of 1999, sponsored by Sen. Jim Jeffords (R-VT).

The American Health Information Management Association (AHIMA) in Chicago is backing Bennett’s bill for several reasons, says Donald D. Asmonga, AHIMA’s government relations manager. "Possibly the most important [reason] is that it completely preempts state law and establishes a uniform national standard for the use and disclosure of the information."

Some privacy and medical groups are opposed, however, to any federal legislation that would override state laws that afford more privacy protection. California, for example, has a series of HIV/AIDS-specific confidentiality laws that cover testing, reporting, and partner notification. Wiping out that type of protection would create a public health crisis by discouraging people to seek testing, counseling, and treating for some of these conditions, the privacy groups argue.

"It is crucial that any federal legislation passed provides a floor, not a ceiling, of protection for this private information," reads a statement issued by the National Coalition for Patient Rights (CPR) in Lexington, MA. National CPR prefers Leahy’s bill in which federal law would not override tougher state laws.

The Jeffords bill would grandfather in existing state laws and give states 18 months after the measure’s enactment to pass stricter state rules before the federal exemption went into effect. (For more information about Leahy’s and Jeffords’ bills, see Hospital Payment & Information Management, June 1999, p. 93.)

The Joint Healthcare Information Technology Alliance (JHITA) in Washington, DC, says that the "patchwork" of state law should be preempted.

"In order for national fair information standards to offer consistent and genuine guidance and protection to health care professionals and consumers, and affect significant federal penalties and sanctions for the misuse of health data, the JHITA believes that federal law must preempt the current patchwork of federal, state, and local laws and regulations governing health information."

"When you start creating special protections for certain types of information, those special protections can give away the identity of that information," Asmonga explains. He gives an example of a situation in which mental health or HIV information requires a court order for its release.

Lawyers can find out the type of information involved in a case simply by requesting the information. "If that facility says, Sorry, we need a court order for the release of that information,’ then they have what they need to know."

AHIMA also supports the legislation because it treats all health information equally, Asmonga says. "It does not carve out any special or specific type of information. It says, We’re not going to protect one thing more than something else.’"

National CPR, however, believes that higher levels of protection should be afforded for "sensitive" information such as genetic testing, reproductive health, or mental-health information. The Leahy bill offers such protection.

Too much access?

Overall, the Bennett bill allows health plans to obtain a single authorization from individuals as a condition of enrolling in a health plan. Other provisions include:

    • authorization to use protected health information for purposes of obtaining treatment;
    • securing "payment" for the provision of services;
    • performance of activities necessary to carry out the management functions of the health plan or to meet the terms of the health benefits plan ("health care operations").

The Jeffords bill also includes health care operations in the authorization, while the Leahy bill requires a separate consent.

The Bennett bill does require patient consent for disclosure to third parties, such as direct marketers or database developers, but allowing information disclosure for the purpose of health care operations is too broad for some privacy and medical groups.

"[The bills] both make consent for widespread dissemination of our data a condition of being insured or obtaining treatment," National CPR states.

The Chicago-based American Medical Association (AMA) doesn’t like the disclosure either. "The AMA is concerned about blanket authorizations that would allow use of information for a wide range of activities, including health care operations," AMA Trustee Donald J. Palmisano, MD, told American Medical News.

Asmonga defends the use of patient information for health care operations. "The definition of whether it is broad enough or tight enough has always been somewhat problematic. I don’t think we’re ever going to have a definition that pleases everyone.

"Our nation is in this flux of trying to improve care and maintain and keep down the cost of care," he continues. "To do that, you need information. You can’t measure anything without it."

The nation has to decide whether it is going to permit the facilities and health plans to do that measurement or not, he adds. "If we don’t want the health plans and facilities to do that measurement to improve health care quality, then let’s stop the move toward quality. But if our nation is going to move toward a more quality-based health care system, we have to be able to measure it. If we are going to measure that information, we better protect it."

Privacy oversight required

If the Senate’s privacy bill passes, hospitals may find they have to fill the requirement for an information protection officer. "This would mean that every hospital and provider group would have to designate a person with the authority and obligation to establish and maintain safeguards over the confidentiality of patient information," says Doug Peticord, a health care information expert with Washington Health Advocates.

"I think it is a good idea for every institution to have somebody assume this role right now if they have not already done so," he adds. "Even if this concept gets dropped from the bill itself, it is a step that makes a lot of sense."