By Lisa Seachrist
Washington Editor
WASHINGTON — Stating that her Blockbuster video card had more federal privacy protections than her medical records, Health and Human Services Secretary Donna Shalala presented a report to Congress and urged lawmakers to heed the department's recommendations for legislation curbing access to medical records.
The report, which was required as a provision of the Health Insurance Portability and Accountability Act (HIPAA), calls for limits to access to medical records and civil and criminal penalties for people who misuse such access. The recommendations also acknowledge health researchers and law enforcement officials need to maintain their access to medical records.
"Our recommendations represent tough choices and difficult tradeoffs," Shalala told the Senate Committee on Labor & Human Resources Thursday. "Health care privacy can be safeguarded. I believe we must do it with national legislation, national education and an ongoing national conversation."
Shalala noted that currently the country has no federal protections for medical records. In contrast, laws protecting the privacy of credit records, motor vehicle records and even records of video rentals have been proposed by Congress and signed into law.
"When it comes to our private health care records, we rely on a patchwork of state laws," Shalala said.
That patchwork, it turns out, is woefully inadequate in providing adequate privacy for medical records. Shalala pointed to the case of a Boston-based HMO where every employee could tap into patients' computer records and pull up detailed notes from psychotherapy sessions. In a Colorado case, a medical student copied countless health records at night and sold them to medical malpractice lawyers seeking easy cases.
"Let me be frank," Shalala said. "The way we protect the privacy of our medical records right now is erratic at best—dangerous at worst."
Shalala noted that as the telecommunications revolution continues, protecting medical information will become even more important.
The department suggested legislation ensure, with few exceptions, that health care information — which includes genetic information — about a consumer be disclosed for health purposes only. For example, the information could be used to provide and pay for care. Employers could use it to administer a self-insurance plan but would be enjoined from using the information to make decisions about hiring and firing people.
Persons who misuse their access to medical information would face civil and criminal penalties.
Research Would Not Suffer
In order to protect the large amount of epidemiologic research conducted on patient records, the report recommends that these strong protections be reserved for information that contains identifiers.
Under the department's proposals, patients would have to be provided with a clear written explanation of how their doctors and insurance companies intend to use, keep and disclose information. Patients would be able to see and get copies of their records as well as correct errors in their records. A patient's authorization to disclose information would be required in most instances.
However, the recommendations also include measures to protect the public interest in research, in public health and in fighting against health care fraud and abuse. The proposals call for controls to ensure that health information is protected in these circumstances.
"Just like our free speech rights, privacy rights can never be absolute," Shalala said. "We have other critical — yet often competing — interests and goals."
Shalala referred to these recommendations as a floor for the minimum protections afforded medical records.
The department's report, however, concerned Sen. Patrick Leahy (D-Vt.). He claimed the recommendations would permit law enforcement officers to go on fishing expeditions for indications of criminal behavior in a person's health records. And Leahy maintained that the proposals abandon the long-standing model of informed consent for participation in medical research.
Shalala disagreed, noting "the recommendations give no new access to law enforcement officials, but instead provide penalties for the misuse of that access."
The American Civil Liberties Union opposed the legislation on Leahy's grounds and was concerned about a provision for a national identification number.
Alan Holmer, president of the Pharmaceutical Manufacturers and Researchers of America, voiced his support for treating all medical information alike; however, he noted that allowing patients unlimited access to their medical records and failing to preempt state laws could stymie clinical trials research.
HIPAA requires the secretary of health and human services to impose confidentiality controls on electronic transactions systems if Congress doesn't provide legislation on confidentiality by August 1999. *