Urgent need for Medical record privacy law, says HHS secretary
Urgent need for Medical record privacy law, says HHS secretary
Current protection standards dangerous’ Shalala tells Congress
The need for federal standards to protect the privacy of medical records took center stage when U.S. Department of Health and Human Services (HHS) Secretary Donna E. Shalala gave members of Congress her long-awaited recommendations for legislation to keep patients’ health information confidential.
If a law is enacted according to the recommendations, health information managers could face more administrative duties because they will be required to inform patients of who has access to their medical records, to let them know what that information will be used for, and to keep a record of that access. And health care providers could face civil penalties for failing to comply with the law.
Criminal penalties, including fines and prison terms, are recommended for deliberate misuse of health information and for knowledge and unlawful use or disclosure of that information.
The details of these recommendations will develop as members of Congress take up the privacy mantle and sponsor a bill or bills in the House of Representatives and/or the Senate to safeguard medical records. Although the privacy issue has been raised before, it has not gained the momentum necessary to pass it into law.
"Right now, the way we currently protect the privacy of our medical records is erratic at best dangerous at worst," Shalala told the Senate Labor and Human Resources and Finance committees and the House Ways and Means Committee on Sept. 11.
"Without safeguards to ensure that obtaining health care will not endanger our privacy, public distrust could turn back the clock on progress in our entire health care system. Instead, we must keep our eye on the future and act today," Shalala continued.
Specifically, she said a federal privacy law should do the following:
--The law should impose new restrictions on those who pay and provide care as well as those who receive information from them. It should prohibit disclosure of patient-identifiable information except as authorized by the patient or as explicitly permitted by the law. Disclosure of such information should be limited to the minimum necessary to accomplish the purpose of the disclosure and should be used only for the purpose for which the information was collected.
-- It should give consumers the right to be informed about how their health information is used and who sees that information. Providers and payers should be required to advise patients in writing of their information practices. Patients should be able to see and get copies for their records and propose corrections. A history of disclosure should be maintained by providers and payers and made accessible to patients.
Civil and criminal penalties
The law should also include punishment for those who misuse personal health information and redress for people who are harmed by its misuse. There should be criminal penalties for obtaining health information under false pretenses and for knowingly disclosing or using medical information in violation of the privacy law. Patients whose rights have been violated should be able to bring civil suits for damages.
The American Health Information Management Association (AHIMA) has commended Shalala "for the fine job she and her staff have done in assimilating information in this complex area, particularly the clarity with which they’ve expressed the issue," says CEO and executive vice president Linda Kloss, RRA. "We feel it is very compelling and really makes it understandable."
Other industry experts applaud the recommendations for seeking a balance between the need to use and the need to protect medical information. "We . . . believe that she is definitely striving for balance of all the different needs the need to access information to provide high quality patient care and the need to protect patient confidentiality," says Margret Amatayakul, executive directive of the Schaumburg, IL-based Computer-based Patient Record Institute.
One point that has drawn fire is that stricter safeguards for sharing medical information with law enforcement agencies are unnecessary. The Washington, DC-based American Hospital Association issued a statement saying that such restrictions are needed. "To allow law enforcement agents free rein to access and re-use private medical information is unjustifiable. No one except patients’ medical caregivers should have unlimited access to this information."
Shalala’s recommendations cover the following broad principles:
Boundaries.
The legislation would outline narrowly defined legitimate uses for patients’ medical record information. "An individual’s health care information should be used for health purposes and only those purposes. It should be easy to use information for those defined purposes and very difficult to use it for other purposes."
Security.
As we move nearer to a completely computerized health record, it becomes a bigger challenge to safeguard that information. "Organizations to which we entrust health information ought to protect it against deliberate or inadvertent misuse or disclosure," Shalala said.
Consumer control.
Patients will have clearly defined rights to see their medical records under the recommendations and to know who else is seeing them and why.
Accountability.
"Those who misuse personal health information should be punished, and those who are harmed by its misuse should have legal recourse," Shalala said.
Public responsibility.
Researchers must protect the privacy of personal health information.
Shalala emphasized that federal privacy law should "provide a basic level of protection for everyone a floor’ of protection without reducing other protections." Under the recommendations, federal privacy law would supersede only those state privacy laws which are less protective.
That, says Kloss, could result in a kind of patchwork of federal and state laws rather than one single federal law. "This set of recommendations is put forward as a floor preemption, so in that sense our position has been that we would have preferred federal preemption . . . for purposes of simplification." As health systems continue to grow more regional in scope, Kloss says a single federal law will be even more important.
Years in the making
Shalala’s recommendations are the culmination of several years of effort by legislators and industry experts to break ground on national health information privacy laws. When the Health Insurance Portability and Accountability Act, also known as the Kennedy-Kassebaum law, was passed in 1996, it required Congress to pass federal health information privacy legislation by August 1999.
To accomplish this, Congress handed HHS the task of recommending the federal standards that should be used. As part of the process of developing privacy standards, the HHS was told to consult with the National Committee on Vital and Health Statistics (NCVHS), a 16-member standing committee of the HHS staffed by industry academics and experts.
In June, the committee issued its "Health Privacy and Confidentiality Recommendations" to the HHS, which took them into consideration in making its own recommendations to Congress. The NCVHS report offers a detailed look at the issues raised by privacy and confidentiality requirements and is available on their Web site at http://aspe.os.dhhs.gov/ncvhs/.
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.