As August Deadline Approaches, Privacy Debate Heats Up

By Mary R. Anderlik
Health Law & Policy Institute

Congress has never succeeded in passing comprehensive privacy protections for health information, despite the increasing frequency of interstate transactions in health care. With the Health Insurance Portability and Accountability Act of 1996 (HIPAA), legislators tried to goad themselves into action by setting a deadline. If Congress cannot succeed in passing privacy legislation by August 21, 1999, HIPAA directs the Secretary of Health and Human Services to issue regulations. At the moment, prospects for legislation appear dim.

Congress has plenty of privacy bills to consider, but the devil is in the details. In the Senate, Sen. James Jeffords (R-Vt.) has tried without success to move a bill melding elements of proposals made by Jeffords, Sen. Robert Bennett (R-Utah), and Sen. Patrick Leahy (D-Vt.). The House is mired in debate over H.R. 2470, the "Medical Information Protection and Research Enhancement Act," introduced by Rep. Jim Greenwood (R-Pa.). The key issues that divide legislators include:

The American Medical Association wants a separate authorization for the use of individually-identifiable health information for health care operations, and it opposes federal preemption of state laws. Many consumer groups and privacy advocates agree. (The AMA has also endorsed more stringent confidentiality protections when individually-identifiable health information is used in research.) On the other side, insurance companies, health plans, and employer groups are lobbying hard against introduction of a separate consent requirement for health care operations, claiming that it would be the death knell for quality improvement initiatives and disease management programs. For those seeking objective information, a number of groups have recently released reports on privacy issues, including "Best Principles for Health Privacy" from the Health Privacy Working Group, on July 14, 1999, and "The State of Health Privacy: An Uneven Terrain" from Georgetown University’s Health Privacy Project, on July 20, 1999. Both reports are available via the Health Privacy Project’s website at www.healthprivacy.org.

Meanwhile, something like panic has greeted a privacy-related amendment to banking reform legislation (H.R. 10). Some fear the amendment will lead to sharing of medical information among insurance companies and banks and other entities as they merge to form financial conglomerates. Under language initially proposed by Rep. Greg Ganske (R-Iowa), individuals would have the option of refusing authorization for information sharing, but this choice could then be used to deny services. Privacy advocates also point to the unclear boundaries of some of the exceptions to the authorization requirement, and the potential to preempt state laws—and action by the Secretary of Health and Human Services. On July 15, Rep. Ganske indicated that he would be willing to address concerns about the effect of his amendment on the Secretary’s authority to issue regulations.

In the event (or nonevent) of a Congressional failure to act on privacy, the Secretary of Health and Human Services has until February 2000 to issue regulations. The Secretary has already published recommendations, available at http://aspe.os.dhhs.gov/admnsimp/pvcrec.htm. Of course, members of Congress could always let themselves off the hook by extending or eliminating the August deadline.

07/22/99