Stateline Story

States, Congress Weigh Medical Privacy Safeguards

WASHINGTON - Personal medical information, once thought to be safely tucked away in a manila folder in your doctor's office, is increasingly stored in large, linked computer databases where insurance companies, drug manufacturers, courts, and in some instances employers can access it without your consent or knowledge. Currently, no federal law exists that protects the confidentiality of medical records.

"The fact is your videotape rental record has more federal protections than your medical records," says Joe Karpinski, a spokesman for the Senate Health, Education, Labor and Pensions Committee.

Congress now faces an Aug. 21 deadline to pass a medical privacy bill, required by the Health Insurance Portability and Accountability Act of 1996. If the U.S. House and Senate fail to reach a consensus by that date, Health and Human Services Secretary Donna Shalala will be responsible for developing regulations by February 2000.

Dozens of states are also poised to take action on the issue. In 1998, more than 300 bills regarding medical records were introduced in statehouses, says Jacob Herstek, a policy associate with the Health Policy Tracking Service, a component of the National Conference of State Legislatures.

Maine was the only state that acted last year, but this January the legislature suspended implementation of the law until Oct. 1 after critics charged that it was overly restrictive.

Other states may have put off passing medical privacy legislation last year in order to wait and see what Congress would do, Herstek says. But this year they are moving ahead. He says around 230 bills have already been introduced in some 35 state legislatures.

A key question is whether the passage of a federal law would preempt tougher state measures.

"The reason for moving ahead is to show Congress that it is counter-intuitive to come in and preempt their laws.... The preemption of state law will be the most contentious part of the (federal) debate," Herstek says.

Crafting a medical records privacy law involves balancing the need for an individual's privacy with the need to access information for important medical research.

Three Senate bills are already in the works. A bill sponsored by Sens. Patrick Leahy (D-Vt.), Edward Kennedy (D-Mass.) and Rep. Edward Markey (D-Mass.) introduced on Wednesday (March 10) would set a "floor" rather than a "ceiling" for medical privacy, allowing stronger state laws to stand.

A second bill sponsored by Sen. James Jeffords (R-Vt.) and Sen. Christopher Dodd (D-Conn.), also introduced on Wednesday, would grandfather all state privacy laws enacted prior to the enactment of a federal privacy law. But any future state laws could not give greater privacy protections than the federal law, except in areas of mental health and public health including AIDS and HIV information.

A bill to be introduced by Sen. Bob Bennett (R-Utah) is expected to be the most restrictive of the three. Bennett's bill from last year would have preempted all state laws on medical records privacy.

"We believe very strongly that states should pass stronger bills," said Scott Sanders, field director of the Health Privacy Project based at Georgetown University in Washington, DC.

Sanders said most experts agree there should be a federal law that serves as a common denominator defining who should have access to medical records and how patients will be notified when their records are accessed, but states should have the flexibility to go beyond that.

The Health Privacy Project is putting together a publication due out in late Spring that would outline each state's privacy statutes so that state legislators do not allow laws to be preempted "that they didn't even know were out there," Sanders said.

Herstek said that all states have some sort of privacy statute in place, but because the laws exist in so many different parts of a state's code they are tough to identify. He points to California, Texas, New York and Minnesota as states with tough privacy legislation.

In 1996 Minnesota adopted a law which requires providers to notify patients in writing that medical records may be released for research purposes and that the patient may object. It says patients may require providers to obtain their general authorization for the release of records for research, and on request, providers notify patients how they can contact researchers who have received their medical records.

Many Americans are aware of the threat of their medical information getting into the wrong hands. Scott Sanders points to a survey undertaken by the California HealthCare Foundation that shows one in six Americans engages in "privacy protected behaviors" such as not seeking healthcare when ill, lying to their doctor about their medical history or switching doctors in order to protect their health privacy.

The survey was conducted in November and December 1998.

"Privacy is important to good quality health care in terms of the individual and the community. Research relies on good data, and if people are scared to get health care then there is not a good pool of data," Sanders says.

Health insurers, employers, researchers and pharmaceutical companies are pushing for national, uniform standards for the use and disclosure of health information. They argue that since the delivery and financing of health care frequently is coordinated across state lines, a single federal standard is easier to apply.

"This is one area where strong national legislation is called for," said Alan Mertz, vice president of government relations for the Healthcare Leadership Council.

Mertz said that his organization supports the passage of Sen. Bennett's bill, which would preempt stronger state laws. The Bennett bill would also allow health plans to practice "disease and pharmaceutical benefit management," which means that patients' medical records will be tracked and reminders issued if children are behind in their immunizations or a diabetes patient is behind in their insulin refills.

The Health Insurance Association of America's board of directors approved a resolution in late February calling for federal confidentiality legislation that would preempt most state laws.

"Strong federal legislation is essential to protect patients, provide high quality health care, and prevent fraud," said Chip Kahn, president of the Health Insurance Association of America. "In this case, without uniformity, costs will be high, and protections will be lacking."

Tags: Health