By Lisa Seachrist
WASHINGTON - With a statutory deadline long since passed and bipartisan legislation stalled, the Senate Health, Education, Labor and Pensions Committee took yet another look at the issues surrounding the privacy of medical records.
Committee chair Sen. Jim Jeffords (R-Vt.) convened the panel of experts and stakeholders in response to a General Accounting Office (GAO) report examining the privacy regulations proposed by Health and Human Service Secretary Donna Shalala, as well as the tremendous response to those regulations. It was the eighth such hearing on the general topic the committee has undertaken.
Jeffords commissioned the GAO study of the proposed rule in order to ascertain the need for congressional action and the adequacy of protections found in the regulations produced by the Department of Health and Human Services (DHHS).
"I started out asking, 'What is the magnitude of the problem?" said Janet Heinrich, associate director of health financing and public health issues at the GAO. "We have a lot of anecdotal information that it is quite easy for people who don't have the best interest of the patient in mind to gain access to private medical information."
Heinrich noted in the 52,000 responses DHHS received from patient groups, insurance organizations, the pharmaceutical and biotechnology industry and physician groups, no one said beefed up medical privacy protections were unnecessary.
"There was widespread acknowledgement, despite the organizations' diverse perspectives, of the importance of protecting the privacy of medical records," Heinrich said. "The fundamental differences among the groups' positions reflect the conflicts that sometimes arise between privacy and other objectives."
The GAO report identified the same concerns about the regulations raised in previous congressional testimony: preemption of state laws; identifying what was covered information and who was bound by the regulations; what constituted minimum necessary information; and when individual authorizations for using identifiable information was required. In addition, the report outlined where congressional action may be the only remedy for concerns about the regulations.
The regulations, issued in November, became necessary when Congress failed to pass comprehensive medical privacy legislation by an Aug. 21, 1999, deadline. That deadline was set into law when congress enacted the Health Insurance Portability and Accountability Act (HIPAA) of 1996. As a result of congressional inaction, Shalala was required to promulgate regulations to protect the privacy of electronic medical records. In order to expand those protections found in the proposed regulation to the paper-based medical records, new legislation must be enacted.
Jeffords, Sens. Christopher Dodd (D-Conn.), Edward Kennedy (D-Mass.) and Bill Frist (R-Tenn.) have been working on creating bipartisan medical privacy legislation. However, the proposal has been hung up by disagreements over the privacy rights of minors and the right to sue when confidential medical information is misused. Despite the committee's failure thus far, several of the hearing's witnesses encouraged them to push ahead.
"We urge you to put medical privacy legislation back on your agenda," said Kathy Farmer, manager of U.S. Compensation and Benefits at Hewlett Packard in Palo Alto, Calif. "Many of the shortfalls of HHS' privacy rule cannot be addressed by revisions to this rule because the agency has only limited statutory authority."
Farmer said the failure of the HHS regulation to preempt state privacy laws was a problem. Most industry representatives speaking at the hearing support a national standard. Representing the Biotechnology Industry Organization (BIO), Joanna Horobin, senior vice president of commercial development at EntreMed Inc. in Rockville, Md., noted that without such a federal standard, abiding by the patchwork of state privacy rules while conducting the extensive clinical trials necessary to approve new drugs is difficult.
"BIO supports enactment of a national law," Horobin said. "A national law is, indeed, a must. EntreMed currently carries out clinical tests in five states. We expect that number to double by the end of this year and double again next year. We need to ensure the pending laws allow us to gather the information we need for these clinical studies."
However, Greg Koski, associate professor of anesthesia and critical care medicine at the Massachusetts General Hospital in Boston, said the privacy regulations don't need to preempt state laws. He also maintained the enhanced privacy protections would spur research rather than inhibit it.
"There are, of course, those who will decry enhanced privacy protections as impediments to the research process," he said. "They claim stronger privacy protections will make it impossible to do research. In fact, the exact opposite is true. As biomedical research increasingly depends upon access to more personal health information, such as genetic information, society will demand that privacy protections be strengthened, and if we fail to meet those expectations, we will find that the credibility of our research endeavors are further undermined."
A number of panelists at the hearing mentioned problems with the provision forcing covered entities - health plans, health clearinghouses and health care providers - to maintain contracts with business partners to ensure medical privacy is protected. Farmer noted the HHS regulation would permit only the disclosure of individually identifiable medical information to health plans, consulting companies, third-party administrators or data informatics firms if there was a "satisfactory assurance" the business partner would abide by the HHS regulations. Farmer and several other panelists objected to the agency making the covered entities responsible for the actions of other groups.
Janlori Goldman, director of the health policy project at Georgetown University in Washington, pointed out the business partner provision was actually an attempt to permit such information to be shared. She said, "The secretary only has the authority over the [covered entities]. She could have, instead, said no information can be shared with these outside entities."
Goldman said the HHS regulations were a necessary intermediary step, but urged Congress to develop medical privacy legislation.
"Once we have privacy legislation, we will provide a front line against discrimination," Goldman said. "I think the issue is difficult, and it's not surprising you're having a lot of trouble reaching consensus."