Medical Records Privacy: A Hot Issue for Action in 1999

By Barbara J. Williams, LL.M. Candidate

A recent poll conducted by Princeton Research Associates for California Healthcare Foundation indicates that the public remains concerned about the issue of medical records privacy. More than half of U.S. adults think the shift from paper to computer based systems makes it more difficult to keep medical records confidential. Significantly, 85% back new federal legislation on the subject.

Above and beyond this call for action on the part of constituents, a deadline looms before Congress. According to the provisions of the 1996 Health Insurance Portability and Accountability Act ("HIPAA"), Congress must set public policy on medical privacy issues by August 21, 1991 or the Department of Health and Human Services ("HHS") is authorized to develop regulations under the leadership of Secretary Donna Shalala. In 1997, the HHS made recommendations for legislation to Congress but no action was forthcoming. Now time is running short.

On March 10, 1999, two separate bills were introduced in Congress to deal with this issue. The first bill, S. 573, sponsored by Senators Patrick Leahy (D.Vt.) and Edward Kennedy, (D.Mass.) is entitled the Medical Information Privacy and Security Act. The Act would require that doctors, insurance companies, employers and researchers safeguard the confidentiality of medical records. The legislation would require a patient's initial consent to use information for their own treatment or payment of claims. An additional consent would be necessary before the information could be passed on to a third party. Within businesses, access would be limited to people directly involved with health benefits, with others limited to review of aggregate data rather than individually identifiable information. It would also impose penalties for the release of information without proper consent.

The second bill, S. 578, the Health Care Personal Information Disclosure Act, introduced by Senator Jeffords, (R.Vt.) and Christopher Dodd (D-Conn), provides the same restrictions on seeing the records within a business but provides insurers more leeway in using individual records for quality care reviews and audits. Both bills strengthen privacy in medical research. Both bills would also allow an individual to review and update health information in his or her medical records.

Medical record privacy also remains a hot topic for state legislatures. Recognizing this, the National Association of Insurance Commissioners ("NAIC") adopted a model act on the subject on September 14, 1998. Currently, 28 states have laws dealing with medical privacy. Additional bills continue to be introduced in legislatures throughout the country. Last month, Kansas introduced legislation based upon the NAIC Model Act.

On March 1, Arkansas enacted legislation ensuring patient access to their medical records for preparation or use in any legal proceeding. (H.B. 1070). Legislation has also been introduced this year in many other states including Arizona, (H.C.R. 2007); California, (S.129); Florida (S.B. 1828); Illinois, (H.B. 1150), Indiana, (H.B. 1334); Georgia, (H.B. 819); Maryland (H.B. 939); New Hampshire (H.B. 114); and Washington. (S.B. 5587). What impact would enacting either of the bills pending in Congress have on existing and proposed state legislation on the subject? Under the Leahy/ Kennedy bill, states can override the law if the legislation is as strong as the provisions of the federal bill. However, under the Jeffords/Dodd measure, the window for state preemption would close l8 months after passage of the Act.

Medical privacy legislation is indeed a hot issue. The public favors it, HIPAA requires it, and currently, proposals are before Congress to meet this mandate. In the meantime, a medical privacy model act has been adopted by the NAIC and many proposals for medical privacy legislation are under consideration in state legislatures throughout the country. While the specific provisions remain subject to debate, it remains clear that by the end of this year, a federal law or regulations on medical privacy will exist against which, at a minimum, the scope and extent of state laws will be measured.