Is the healthcare privacy bill introduced this summer by Sen. Edward Kennedy (D-MA), head of the Committee on Health, Education, Labor and Pensions (HELP), and Sen. Patrick Leahy (D-VT), head of the Judiciary Committee, setting the stage for a new phase in the debate?
"We think it is fabulous," says Deven McGraw, chief operating officer of the National Partnership for Women and Families, which advocates for more privacy controls. She asserts, "there is no other piece of legislation out there this strong."
In contrast, a few blocks away in Washington, attorney Kirk Nahra says, "I would be astonished if this bill passes."
The changes the bill calls for, he says, would require the healthcare industry to redo the privacy systems it just spent millions implementing under the Health Insurance Portability and Accountability Act (HIPAA). Nahra works with employers and health insurers on privacy and is co-chair of the subgroup on privacy for the American Health Information Community (AHIC), the group advising the federal government about standards for the electronic health record.
Nahra asserts that, as it stands, the legislation would virtually "replace" HIPAA. It significantly expands patients' ability to opt out of record systems and it creates more avenues for enforcement. Nahra acknowledges that privacy advocates point out that there have been no penalties handed down through the federal HIPAA structure.
But if the legislation is a starting point for the conversation, it is one to be taken seriously. Its sponsors are the powerful chairs of key Senate committees with jurisdiction over the subject: Kennedy and Leahy.
Among other provisions, the legislation would guarantee individuals' rights to:
opt out of any entity's electronic system;
supplement, amend, correct, or destroy any of their protected health information maintained or stored by an entity;
segregate information and limit access to that information to only a subset of authorized recipients.
It would also seek to ensure individuals could not be denied services, their usual rights to employment or the continued maintenance of information because they do not authorize use or release of information. In addition, it would give individuals the right to a description of how and by whom their information will be used and a right to be notified in the case of a security breach.
The bill would require entities with protected health information — whether they create, access, use, or maintain it — to establish technological, administrative, organizational, technical, and physical safeguards and to review and update them as technology changes.
Such entities would also have to create an electronic record of all disclosures and uses, "to the extent practicable," including which information was disclosed, to whom, and for what purposes. The bill would also guarantee individuals access to the record of disclosures and uses of their health information.
For enforcement, the bill would establish an office in the Department of Health and Human Services to investigate complaints, conduct audits and establish guidelines for compliance.
Among other penalties, anyone who intentionally discloses sensitive health information without permission and with the intent of selling it or using it for economic gain could get a $500,000 penalty and up to 10 years in prison. The legislation would also allow a state attorney general to bring a civil action to assess a daily civil penalty of up to $1,000 for each infringement, up to $50,000 per day. Health industry entities could be debarred from further federal payments, such as from Medicare, if they disclosed protected health information.
Nahra acknowledges that people are feeling a need for greater healthcare privacy enforcement, but he says this bill would be an aggressive change for industry entities that are trying to obey the law.
A big problem for hospitals and others, he says, is that the legislation would allow patients to pick and choose among the uses for their information. Patients could opt out, for example, of allowing information to be used for basic administrative purposes, including the facility's quality control or financial planning.
Privacy advocate McGraw acknowledges that hospitals and other healthcare organizations are reluctant to open up issues related to HIPAA again, because the passage of those rules in 1996 was contentious. On the other hand, the public is seeing, for example, news about laptops stolen with information on many millions of people, she points out.
The nation needs progress on electronic healthcare records, she contends, but further advances in that arena are unlikely to happen without better reassurances about privacy.
The bill has been referred to the Senate HELP committee. The committee was not immediately able to provide information on whether there would be hearings or other consideration of the bill this fall, despite several calls.
A summary of the legislation (S.1814) is at http://www.leahy.senate.gov/press (July 18).