By Lisa Seachrist

Washington Editor

WASHINGTON - In his State of the Union Address, President Clinton called on Congress to pass comprehensive medical privacy legislation.

The House Ways and Means Health Subcommittee took the first step toward developing such a bill by reviewing the privacy provisions encompassed in draft regulations to protect the confidentiality of electronic medical records. Health and Human Services Secretary Donna Shalala promulgated those regulations following Congress' failure to enact medical privacy legislation in August 1999.

"This hearing is intended to assist us in determining whether the regulation will ultimately prove workable or whether additional legislation might be necessary," said subcommittee chairman Rep. Bill Thomas (R-Calif.). "Everyone agrees that patient records should be kept confidential. The difficulties come in determining the best way to accomplish this goal."

The hearing featured Margaret Hamburg, assistant secretary for planning and evaluation at the Department of Health and Human Services (DHHS), as well as representatives of physicians, health insurers, privacy advocates and health research organizations. The legislators explored questions concerning the scope of the regulations, disclosure rules, federal preemption, and the use of de-identified information.

By congressional design, the regulations proposed by Shalala apply only to electronic records and only to "covered entities" - health care providers, health plans and health care clearinghouses.

"When Congress passed the Health Insurance Portability and Accountability Act (HIPAA), Congress gave itself two years to write comprehensive privacy regulations. If we did not act - and we didn't - then Secretary Shalala could issue rules," said Rep. Jim McDermott (D-Wash.). "But we imposed some strict constraints on the secretary. These constraints are reflected by the narrow scope of the regulation before us."

In order to broaden the reach of the regulations, the DHHS regulations call for "business partners" of "covered entities" to enter into contracts ensuring the protected health information disclosed to the business partners would remain confidential. That proposal drew criticism from William Plested, a member of the Board of Trustees of the American Medical Association.

"As a matter of fairness, the proposal fails," Plested said. "A physician group, for example, could be subject to the full weight of enforcement and sanctions under the regulation for prohibited activity by its business partners, even if the group had no knowledge or control over the practices of its business partner."

Janlori Goldman, director of the Health Privacy Project at Georgetown University in Washington, credited the provisions, saying, "This is a good intermediary step to fulfill the privacy language of HIPAA. However, this approach has significant limits, including the liability borne by covered entities and the difficulty in prohibiting redisclosure by non-covered entities. The only way to eliminate these gaps is for Congress to enact a comprehensive health privacy law."

Hamburg told the committee the administration, in fact, desired that Congress take action for these very reasons.

In addition to limits over who is covered under the regulations, the requirement for patient consent for most disclosures and the requirement that those disclosures include only the "minimally necessary" information drew fire.

Plested argued the requirement for patient consent was vital, saying, "The expressed need for information doesn't confer a right. Patient consent continues to be a critical consideration in the use and disclosure of personally identifiable information."

On the other hand, Mary Grealy, president of the Healthcare Leadership Council - an organization of the CEOs of most health-care companies and institutions - maintained that such a requirement raises a question whether population data may be used to support patient treatment. She pointed out that many health plans today review their entire enrollee database and analyze patterns of emergency room visits and pharmaceutical usage to identify patients who would benefit from an asthma management program.

The Pharmaceutical Research and Manufacturers of America (PhRMA) and the Biotechnology Industry Organization (BIO) have questioned whether such a requirement wouldn't stymie critical biomedical research.

Plested also said the regulations in the current form provide a disincentive to "de-identify" medical records. He recommended rules revising the list of "identifiers" to be removed from medical records and creating an explicit prohibition against linking the data or re-identifying it without patient authorization.

Subcommittee chairman Thomas questioned Hamburg about the administration's failure to preempt state privacy laws, which allows the patchwork of privacy protections currently in place to continue.

"We are trying to create a federal floor of privacy protections," Hamburg said. "By doing that, states would feel less of a need to fill in the gaps in the privacy law. It seems like a reasonable approach to allow states to address privacy needs that haven't been anticipated."

"Isn't it a better structure to have a federal ceiling than a floor?" Thomas asked. "If you intend to have uniform penalties, shouldn't you have uniform standards?"