Confidentiality of Patient Information - Background

HISTORY

The confidentiality and security of medical information are protected by privacy and security regulations issued under the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The HIPAA privacy rule protects the quality of health care and strengthens privacy protections. While still allowing for the flow of medical information needed to assure quality health care, the privacy rule ensures that patients' confidential medical information is kept secure.

However, Congress and the president continue to be active on privacy issues. Recent congressional and White House efforts to pass legislation to encourage the adoption of electronic health records and standards for the electronic transaction of health care have resurrected questions about the privacy and security of electronic health information. Though the HIPAA privacy rule was adopted to address concerns about the security of electronic as well as paper information, this is not well known. As a result, legislation to facilitate the adoption of health information technology (HIT) often includes provisions addressing the privacy and security of medical information in an electronic context.

In July 2007, Senators Edward Kennedy (D-MA) and Patrick Leahy (D-VT) introduced the “Health Information Privacy and Security Act” (S. 1814). This comprehensive legislation would rewrite the HIPAA privacy regulation, disallowing many current practices. The bill would require providers, health plans, and others to obtain prior authorization before disclosing individually identifiable patient information, even for purposes related to treatment and payment. All other uses and disclosures would require additional patient authorization. Among other provisions, the bill would create a private right of action and would debar providers from receiving federal funds if information is wrongfully disclosed. The bill also would require medical providers to notify patients if their information is disclosed to persons without authorization.

Also in July, the House Labor-HHS-Education Appropriations Act (H.R. 3043) included provisions to reduce funding for the Office of the National Coordinator of Health Information Technology (ONCHIT) because of concerns that the office has not yet developed a detailed and integrated implementation plan for achieving the HIT program's strategic goals. The committee report also directed the secretary of HHS to develop and make available for public comment a privacy and security framework to govern all efforts to advance electronic health information exchange. The specified framework is to ensure fair information practices, including transparency; specifying the purposes of any data collection; collecting only what is necessary for that purpose; adhering to the uses agreed to by the individual; allowing individuals to know, and have a say in, who uses their information and how; maintaining the integrity of the data; security; audit; strong oversight; and appropriate remedies in the event of breach or misuse. The secretary was directed to report to the Appropriations Committee on the development and implementation of the framework and any recommended congressional or executive action no later than June 30, 2008. After appropriate public comment, the committee requested that the secretary issue regulations as necessary to assure implementation of the privacy and security framework. The provisions were included by reference in omnibus appropriations legislation that passed the House and Senate and was signed by the president.

On June 27, the Senate HELP Committee passed the “Wired for Health Quality Act” (S. 1693). The bill creates funding mechanisms to encourage the adoption of HIT. It also establishes a public-private partnership to provide recommendations to the secretary of HHS regarding technical aspects of interoperability. During consideration of the bill, an amendment was adopted that added to the recommendations the American Health Information Community (AHIC) is required to issue relating to privacy. It required AHIC to recommend national policies to support widespread adoption of HIT that protect individually identifiable information, include methods to notify individuals if their individually identifiable information is wrongfully disclosed, and facilitate secure access to such individuals' individually identifiable health information. The amendment, sponsored by Senator Jack Reed (D-RI), requires AHIC to make recommendations in these additional areas: methods to preserve the individual's ability to control the acquisition, uses, and disclosures of individually identifiable information; and methods to protect individually identifiable health information from improper use and disclosure. These additional requirements potentially may cause AHIC to recommend patient control requirements such as a prior consent requirement before information can be shared.

The sponsors of the “Wired for Health Quality Act” hoped that the Senate would consider the legislation in late fall; however, the legislation has been held up in the Senate due in part to privacy concerns.

Both the House and Senate have considered legislation to facilitate the adoption of health information technology in past Congresses; both bodies passed legislation during the 109th Congress. 

As passed by the House, the “Health Information Technology Promotion Act” required the secretary of HHS to study the variation and commonality among federal and state privacy and security requirements; the strengths and weaknesses of such requirements; and the extent to which the variation may adversely affect the security, confidentiality, and timely exchange of information. Within 18 months of the bill's enactment, the bill would have required the secretary to report back to Congress on the need for greater commonality. The secretary would also have been required to develop recommendations on the extent to which the current federal standards should be changed and the extent to which the standards should supersede state laws. Those recommendations were then to be drafted as legislation and introduced in both houses of Congress. Provisions that would have required the recommendations to become a single federal standard preempting state laws were dropped during committee consideration of the bill.

During House consideration of the legislation, a motion to recommit the bill for committee consideration that would have attached a private right of action and other privacy requirements was defeated because of concerns that such provisions would slow the provision of timely health care and further increase rising medical costs.

Unfortunately, House and Senate negotiators were unable to resolve the differences between the House and Senate bills before the 109th Congress adjourned for the year in December 2006.

On April 25, 2007, the House passed the “Genetic Information Nondiscrimination Act” (GINA; H.R. 493), 420 to 3. The bill bars health insurance and employment discrimination based on an individual’s genetic makeup. The House bill includes language ensuring that entities covered by HIPAA will be able to use and disclose genetic information consistent with HIPAA, rather than GINA, when performing HIPAA-governed health care functions such as treatment, payment, and health care operations. The Senate companion bill did not include this language. House and Senate negotiators attempted to reach agreement on a compromise version of the legislation for inclusion in omnibus appropriations legislation passed at the end of 2007; however, the bill was not included in the funding legislation.

Other legislation affecting privacy also was considered in 2007. The “Social Security Number Privacy and Identity Theft Prevention Act” (H.R. 3046) passed the Ways and Means Committee by a vote of 41-0. The bill is intended to disallow the use of Social Security numbers as an identifier, citing concerns about identity theft. The bill requires the Social Security Administration to establish security regulations for information containing Social Security numbers. For HIPAA-covered entities with SSNs embedded in their medical information, the bill would impose a duplicative regulatory scheme, given the HIPAA security rule's similar requirements. The Energy and Commerce Committee also has jurisdiction and has reported similar legislation.

Data security legislation considered during the 109th Congress also dealt with the privacy of electronic information. Senate Judiciary Chairman Arlen Specter (R-PA) introduced bipartisan data security legislation that would exempt HIPAA-covered entities from compliance with duplicative security requirements, while still requiring that they notify consumers in the event of a breach of security that impacts sensitive information. The bill was reported by the Judiciary Committee on November 17, 2005, by a vote of 13-5.

The Senate Commerce, Science, and Transportation Committee reported a similar bill in July 2005; however, the Commerce bill did not include an exception for HIPAA-covered entities. Though both Senate bills were reported by broad margins, jurisdictional issues along with a full legislative calendar prevented action by the full Senate.

Several House committees have also considered the data security issue. During the 109th Congress, the Judiciary Committee reported a bill with penalties for concealing a security breach. The bill also criminalized "obtaining a means of identity" from a protected computer, making actions such as computer hacking punishable by up to 30 years in prison. 

In March 2006, the House Energy and Commerce Committee reported H.R. 4127, the "Data Accountability and Trust Act of 2005." Like the Senate Judiciary bill, the bill required businesses to notify consumers if a security breach placed their personal information at risk. The bill also set new data security requirements for businesses, but allowed the Federal Trade Commission to exempt entities that must comply with other laws and regulations that provide "equal or greater protection," such as the protections included in the HIPAA privacy and security regulations.

The House Financial Services Committee also reported identity theft legislation, H.R. 3997, the "Financial Data Protection Act of 2005," in March. However, this bill's requirements applied only to businesses classified as "consumer reporters" by the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act.

While efforts were made to merge the bills reported by the House Energy and Commerce and Financial Services Committees, jurisdictional disputes held up floor action.

Also during the 109th Congress, Senator Hillary Clinton (D-NY) and Representative Ed Markey (D-MA) introduced the “SAFE-ID Act,” intended to protect personal information that is outsourced to other countries. The legislation would have required the secretary of HHS to revise the HIPAA privacy regulation to require covered entities to include information about outsourcing in their notice of privacy practices and would have established new liability for certain actions by covered entities.

Several administration entities are also considering privacy issues. The National Committee on Vital and Health Statistics (NCVHS) released a report entitled "Enhanced Protections for Uses of Health Data: A Stewardship Framework for Secondary Uses of Electronically Collected and Transmitted Health Data." The report provides recommendations to HHS on a data stewardship framework to enable optimal uses of health data while respecting the privacy of the individuals who are the sources of the data. The draft report follows a June letter to HHS Secretary Mike Leavitt recommending that privacy and confidentiality rules should apply to all individuals and entities that create, compile, store, transmit, or use personal health information.

On June 30, 2007, the Research Triangle Institute (RTI), under a contract with the Agency for Healthcare Research and Quality, issued the final findings of its project to identify state privacy laws and practices and determine whether they pose barriers to health information exchange. The report concludes that variation in the interpretation and application of HIPAA poses a problem for health information exchange (HIE), along with varying levels of trust in security and many other varied regulatory and business practice issues. The report summarizes recommendations made by state teams, such as reducing the variation in interpretation and application of HIPAA, consolidating conflicting state statutes, and developing model uniform medical records statutes.

The American Health Information Community (AHIC) Confidentiality, Privacy and Security Workgroup continues to address issues of privacy and security relating to health information technology. Though the group's cochair, Paul Feldman, deputy director of the Health Privacy Project, resigned in January in protest against the workgroup’s lack of progress, the workgroup has met monthly, working toward recommendations for HHS on privacy and security issues. The group has developed a set of draft hypotheses that would require organizations that create, store, or transmit individually identifiable electronic health information for purposes of clinical care or consumer management of such information to meet enforceable privacy and security requirements at least equivalent to the relevant HIPAA principles, even if they are not "covered entities" under HIPAA today. The hypotheses also recommend strengthening enforcement for business associate arrangements under the privacy rule.

THE FUTURE

Privacy issues have already played a role in consideration of health legislation during the 110th Congress. Disagreement over the need for additional privacy requirements has largely prevented Senate consideration of legislation to facilitate greater health information technology (HIT) adoption. Though the House has not yet begun consideration of HIT, privacy issues are sure to be a factor, as they were in past Congresses.

Congress should remember the physician's edict to “First, do no harm” and reject proposals that duplicate, contradict, or attempt to reverse the carefully crafted and considered HIPAA privacy rule. In particular, Congress should very carefully consider legislative efforts to establish a private right of action for privacy breaches. Such actions could dramatically increase health care costs and jeopardize the provision of high-quality health care.

However, Congress has the opportunity, in the context of HIT legislation, to improve upon the HIPAA rule by making it a uniform federal standard, replacing the patchwork of state privacy and security laws. Congress should strongly consider making the HHS rule the law of the land.

Healthcare Leadership Council
1001 Pennsylvania Avenue N.W.
Suite 550 South
Washington, D.C. 20004
(P)202/452-8700  www.hlc.org   (F)202/296-9561

Copyright 2008 Healthcare Leadership Council