Shalala urges limit on medical record access

HHS calls for criminal penalties for violators

U.S. Dept. of Health and Human Services Secretary Donna Shalala has presented recommendations for federal legislation curbing access to medical records. Saying that her video rental card had more federal privacy protection than her medical records, Shalala made her recommendations in a Sept. 11 report to Congress.

The report, required under the Health Insurance Portability and Accountability Act (HIPAA), calls for limits on access to medical records, and civil and criminal penalties for those who misuse such access. The recommendations also acknowledge that health researchers and law enforcement officials need to maintain their access to medical records.

"Our recommendations represent tough choices and difficult trade-offs," Shalala told the Senate Committee on Labor & Human Resources in her Sept. 11 appearance. "Health care privacy can be safeguarded. I believe we must do it with national legislation, national education, and an ongoing national conversation."

Relying on a patchwork

Shalala noted that the United States currently has no federal protection for medical records. In contrast, laws protecting the privacy of credit records, motor vehicle records, and even records of video rentals have been proposed by Congress and signed into law.

"When it comes to our private health care records, we rely on a patchwork of state laws," Shalala said. That patchwork, it turns out, is woefully inadequate in providing adequate privacy for medical records. Shalala pointed to the case of a Boston-based HMO where every employee could tap into patients’ computer records and pull up detailed notes from psychotherapy sessions.

Shalala said, "The way we protect the privacy of our medical records right now is erratic at best, dangerous at worst." She noted that as the telecommunications revolution continues, protecting medical information will become even more important.

The department suggested that medical records privacy legislation ensure, with few exceptions, that health care information that includes genetic information about a consumer should be disclosed for health purposes only. For example, the information could be used to provide and pay for care. Employers could use it to administer a self-insurance plan, but would be enjoined from using the information to make decisions about hiring and firing people. Those who misuse their access to medical information would face civil and criminal penalties.

Under the department’s proposals, patients would have to be provided with a clear written explanation of how their doctors and insurance companies intend to use, keep, and disclose information. Patients would be able to see and get copies of their records, as well as correct errors in their records. A patient’s authorization to disclose information would be required in most instances. But the recommendations also include measures to protect the public interest in research, in public health, and in fighting against health care fraud and abuse.

Senator questions proposals

Sen. Patrick Leahy (D-VT) expressed concern about the report’s proposals. He said the recommendations would permit law enforcement officials to go on fishing expeditions for indications of criminal behavior in a person’s health records, and, on the larger scale, maintained that the proposals abandon the traditional model of informed consent for participation in medical research. Shalala disagreed, saying that the recommendations give no new access to law enforcement officials, but instead provide penalties for the misuse of that access.

HIPAA requires the DHHS secretary to impose confidentiality controls on electronic transactions systems if Congress doesn’t provide legislation on confidentiality by August 1999. A copy of the report, Confidentiality of Individually-identifiable Health Information, can be found on the DHHS web site (