Patient Privacy Rights

Health Information Technology Promotion Act of 2005” (H.R. 4157) PDF file

Introduced on Oct. 27, 2005 by Representative Nancy Johnson (R-CT) with 41 cosponsors: Representatives Charles Bass (R-NH), Bob Beauprez (R-CO), Roy Blunt (R-MO), Sherwood Boehlert (R-NY), Jeb Bradley, Dave Camp (R-MI), Eric Cantor (R-VA), Michael Castle (R-DE), Nathan Deal (R-GA), Thelma Drake (R-VA), Vernon Ehlers (R-MI), Jo Ann Emerson (R-MO), Phil English (R-PA), Anna Eshoo (D-CA), Jim Gerlach (R-PA), Paul Gillmor (R-OH), Melissa Hart (R-PA), JD Hayworth (R-AZ), Wally Herger (R-CA), David Hobson (R-OH) , Kenny Hulshof (R-MO), Sheila JacksonLeigh (D-TX), Bobby Jindal (R-LA), Sam Johnson (R-TX), Sue Kelly (R-NY), Mark Kennedy (R-MN), Ron Lewis (R-KY), Thaddeus McCotter (R-MI), Jim McCrery (R-LA), John McHugh (R-NY), Tim Murphy (R-PA), Jim Ramstad (R-MN), Mike Rogers (R-MI), Paul Ryan (R-WI), “Joe” Schwarz (R-MI), Christopher Shays (R-CT), Rob Simmons (R-CT), Lee Terry (R-NE), Fred Upton (R-MI), Jerry Weller (R-IL), Heather Wilson (R-NM)

H.R. 4157 was referred to the Committee on Energy and Commerce, and in addition to the Committee on Ways and Means, on 10/27/2005 for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.

In addition, H.R. 4157 was referred to the Energy and Commerce Subcommittee on Health on 11/4/2005.

This bill was marked up by the House Ways and Means Health Subcommittee on May 24, 2006.

The House passed H.R. 4157–without critical privacy protection amendments–on July 27, 2006. In Fall 2006, the House and Senate began conferring on a final Health IT bill; no agreement was reached prior to the October 2006 mid-term election recess.

The 109th Congress, 2nd Session ended November 10, 2006 without passing H.R. 4157.

Stated Purpose: To “amend the Social Security Act to encourage the dissemination and usefulness of health information technology” and to facilitate “the development of a nationwide interoperable health information technology infrastructure.” It ensures that “the harmonized standards provided for under subparagraph (B) (3) shall supercede any contrary provision of State law.”

Real Effects: This national health network will facilitate access to all medical records, wherever they exist, so that individual health information can be datamined and compiled by the over 600,000 “covered entities” who can use the network. The bill will eliminate stronger privacy protections in existing state laws.

Problems:
The draft bill does not restore medical privacy, because the right of consent is not included in the bill. Patients cannot control who can see or use their records.
It does not require networks to adhere to traditional medical ethics or stronger Constitutional, state, and common law preserving patient privacy.

1. Patients cannot “opt out” of having their records flow through the national health network.
2. Patients cannot segregate access to sensitive parts of their medical records.
3. Originally the bill intended to “harmonize state and federal privacy protections,” which means the proposed bill will override stronger state and common law and medical ethics that require patient consent before medical records can be seen or used. That section was deleted from the final bill, but authorizes the Secretary of HHS to perform a study of state privacy laws.
4. HIPAA will become the national privacy ceiling instead of the floor Congress originally intended it to be.
5. The bill sets up “Safe Harbors for Provision of Health Information Technology to Health Care Professionals”; i.e. allows providers to receive free software to create and share electronic medical records.
6. No notification of privacy or security breaches is required.
7. There is no meaningful recourse for privacy violations.
8. Patients do not have a right of action.
9. The only right patients have is to complain to a government agency.

Note: Patient Privacy Rights offered legislative language that could have modified HR 4157 to allow patients control of who has access to their medical records. Democratic Representatives offered the amendments, but they failed to pass.

“Wired for Health Care Quality Act” (S. 1418) PDF file

Introduced on July 17, 2005 by Senator Enzi (R-WY) with 30 cosponsors: Senators Alexander (R-TN), Allen (R -VA), Bingaman, (D-NM), Bond (R -MO), Burr (R-NC), Cantwell (D-WA), Carper (D-DE), Chambliss (R-GA), Clinton (D-NY), DeWine (R-OH), Dodd (D-CT), Durbin (R-IL), Ensign (R-NV), Frist (R-TN),Gregg (R-NH), Hagel (R-NE), Harkin (D-IA), Isakson (R-GA), Jeffords (I-VT), Kennedy (D-MA), Landrieu (D-LA), Martinez (R-FL), Mikulski (D-MD), Murray (D-WA), Nelson (D-FL), Obama (D-IL), Reed (D-RI), Roberts (R-KS), Sessions (R-AL), and Talent (R-MO). Passed 11/18/05

The Senate passed an amended version of S. 1418 (“Wired for Healthcare Quality Act”, see below) on November 18, 2005, by voice vote. Senators were told the amendments addressed their concerns about patient privacy. Instead, security measures were added requiring data breach reporting. There is a difference between security and privacy. Patients’ rights to privacy were not addressed. The House intends to pass its version, H.R. 4157, in 2006. This bill sets up a process to eliminate all strong state laws protecting medical privacy, eliminating the only privacy rights Americans still have. At a minimum, health IT legislation must restore patients’ rights to control their medical records. Patients should have the right to decide who can see and use their records. Especially now, in electronic networks. The House passed H.R. 4157, it’s Health IT bill, on July 27, 2006. In Fall 2006, the House and Senate began conferring on a final Health IT bill; no agreement was reached prior to the October 2006 mid-term election recess. The 109th Congress, 2nd Session ended November 10, 2006 without passing H.R. 4157.

Stated Purpose: To “enhance the adoption of a nationwide interoperable health information technology system and to improve the quality and reduce the cost of health care in the U.S.”

Real Effects: This national health network will facilitate access to all medical records, wherever they exist, so that individual health information can accessed and used by the over 600,000 “covered entities” who can use the network. More importantly, this bill requires local and regional employers to be part of the network.

Problems:

1. Patients cannot opt-in or opt-out of the national health information network.
2. Patients cannot segregate more sensitive medical records from access.
3. Audit trails showing who used and disclosed patient medical records are not required.
4. Notification of privacy breaches is not required.
5. There is no meaningful recourse for privacy violations. The only right patients have is to complain to a government agency.
6. The grants to be given to build local and regional health networks for health information sharing require local and regional employers to be part of the network.
7. Employer access to employee medical records is a disaster for privacy; there is no barrier to employers using medical records to deny promotions or employment to people with medical illnesses.



“Health Technology to Enhance Quality Act of 2005” (S. 1262) Referred to as the “Health TEQ Act of 2005” PDF file

Introduced on June 16, 2005 by Senators Frist (R-TN) and Clinton (D-NY) with the cosponsorship of Senators Alexander (R-TN), Bingaman, (D-NM), Bond (R-MO), Dodd (D-CT), Jeffords (I-VT), Landrieu (D-LA) Martinez (R-FL), Mikulski (D-MD), Nelson (D-FL), Obama (D-IL), Santorum (R-PA), Talent (R-MO), and Thune (R-SD)

Stated Purpose: To “reduce healthcare costs, improve efficiency, and improve healthcare quality through the development of a nation-wide interoperable health information technology system, and for other purposes.” The emphasis of this bill is removing “barriers” to open access to the nation’s medical records.

Real Effects: This national health network will facilitate access to all medical records, wherever they exist, so that individual health information can be datamined and compiled by the over 600,000 “covered entities” who can use the network.

Problems:

1. The bill does not include any legal or ethical measures to protect medical privacy, i.e. restore the right of consent.
2. Patients cannot “opt out” of having their records accessed through the network.
3. Patients cannot segregate any sensitive medical records from access by all “covered entities.”
4. The only privacy standards cited in this bill are the HIPAA standards. Since the Amended HIPAA Privacy Rule eliminated the right of consent, this bill will institutionalize and facilitate open access to every American’s cradle-to-grave medical records.
5. The first “Priority” in this bill is to provide grants to “harmonize” state and federal laws, which means to eliminate longstanding state, common law, and ethical principles that have assured the privacy of our medical records.
6. It provides grants to establish local and regional health networks with unfettered access by all “covered entities.”
7. Notification of privacy breaches is not required.
8. There is no meaningful recourse for privacy violations. Patients do not have a right of action. The only right patients have is to complain to a government agency.



21st Century Health Information Act of 2005″ (H.R. 2234) PDF file

Introduced on May 10, 2005 by Congressmen Murphy (R-PA), and Co-Sponsored by Congressman Kennedy (D-RI) and twenty-four other members.

Stated Purpose: To “authorize the Secretary of Health and Human Services to make health information technology grants to regional health information organizations (RHIOs) to develop and implement regional health information technology plans.

Real Effects: These regional health networks will become the foundation of a national health network. The effect will be to open access to nearly all medical records in all local and regional health providers’ electronic databases, allowing over 600,000 “covered entities” to datamine and compile medical records via the regional networks.

Problems:

1. The right to consent is not restored. Patients cannot decide who can see or use their records in most situations. Only information concerning diagnosis and treatment of sexually transmitted diseases, addiction, and mental illnesses require consent for disclosure. It does not give patients the right to decide whether other portions of their medical records will be seen and used. (For example: breast reconstruction photos; cancer diagnoses; contraceptive use; abortions; erectile dysfunction medications; learning disabilities; genetic testing; etc.)
2. Requires “any health information network” to “comply with the privacy protections of regulations promulgated pursuant to section 264 (c) of the Health Information Portability and Accountability Act of 1996 (public Law 104-191; stat. 2033).” This means patients have no right of consent, because it uses the privacy standards in the Amended HIPAA Privacy Rule, which eliminated the right of consent.
3. There is no meaningful recourse for privacy violations. Patients do not have a right of action. The only right patients have is to complain to a government agency

Privacy Protections In H.R. 2234

(Only H.R. 2234 has any built-in privacy protections.)

1. “Allow(s) patients to exclude all their health information from the health information network,” i.e., patients can globally opt-out of the system.
2. Patients have the option to “allow only designated health care providers to access their individually identifiable information concerning diagnosis and treatment of sexually transmitted diseases, addiction, and mental illnesses.”
3. Allows researchers to access only aggregated patient medical records, rather than allowing researchers to access to every patient’s personally identifiable medical records.
4. Requires notice of privacy breaches to the Secretary of HHS and to “any individuals whose health information may have been compromised in violation of this subsection as a result of such unauthorized access or disclosure.”

(Note: H.R. 2234 requires networks to comply with the amended HIPAA privacy rule, then adds the protections listed above. It is not clear which provisions would prevail.)


Better Healthcare Through Information Technology Act” (S. 1355) PDF file

Introduced on June 30, 2005 By Senator Enzi (R-WY), Cosponsored by Senator Kennedy (D-MA) and 22 other Senators. The other cosponsors are: Senators Alexander (R-TN), Allen (R-VA), Baucus (D-MT), Burns (R-MT), Cantwell (D-WA), Carper (D-DE), Cornyn (R-TX), Crapo R-ID), DeMint (R-SC), DeWine (R-OH), Dodd (D-CT), Grassley (R-IA), Hagel (R-NE), Harkin (D-IA), Hatch (R-UT), Isakson (R-GA), Jeffords (I-VT), Mikulski (D-MD), Murray (D-WA), Reed (D-RI), Santorum (R-PA), and Thomas (R-WY)

Stated Purpose: To “enhance the adoption of health information technology and to improve the quality and reduce the costs of healthcare in the United States.” It will establish a national health network.

Real Effects: This national health network will facilitate access to all medical records, wherever they exist, so that individual health information can be datamined and compiled by the over 600,000 “covered entities” who can use the network. Although the bill’s first stated purpose is “protecting the privacy and security of health information,” and its first policy recommendation is “protecting the privacy and security of personal health information,” it requires adherence to the Privacy standards in the Amended HIPAA Privacy Rule, which eliminated patients’ right of consent.

Problems:

1. 1. The bill does not restore medical privacy, because the right of consent is not included in the bill. Patients cannot decide who can see or use their records.
   2. The only privacy standards cited in this bill are the HIPAA standards. Since the Amended HIPAA Privacy Rule eliminated the right of consent, this bill will institutionalize and facilitate open access to every American’s cradle-to-grave medical records.
   3. It does not require networks to adhere to traditional medical ethics or stronger Constitutional, state, and common law preserving patient privacy.
   4. Patients cannot “opt out” of having their records flow through the national health network.
   5. Patients cannot segregate access to sensitive parts of their medical records.
   6. It provides grants to establish local and regional health networks to facilitate unfettered access by all 600,000 “covered entities” to medical records in all databases.
   7. No notification of privacy or security breaches is required.
   8. There is no meaningful recourse for privacy violations. Patients do not have a right of action. The only right patients have is to complain to a government agency.

DRAFT – The House Energy and Commerce Committee is drafting a federal law to govern electronic data transfers and require notification of data privacy breaches. The final version should be introduced soon. PDF file

Stated Purpose: To “require persons engaged in interstate commerce and in possession of electronic data containing personal information to establish comprehensive policies and procedures to prevent unauthorized acquisition of such information and to notify individuals of any such unauthorized acquisition.”

Real Effect: This bill will pre-empt all stronger existing state laws requiring notification of data privacy breaches.

Problem:

Stronger state laws will be pre-empted if this national law takes effect. At least ten states have strong privacy laws requiring notification of electronic data privacy breaches, even if no harm would likely result. The states with stronger data breach notifications triggers are: Arkansas, California, Delaware, Georgia, Illinois, Maine, Montana, Rhode Island, Tennessee, and Texas.

(Note: California’s strong laws requiring customer notification when financial data was stolen or revealed are the reason for the recent media coverage of exposures of customers’ sensitive financial data.)