Privacy Legislation Is on Track; Could It Derail DM Programs?

The Medicare Commission couldn’t cross the finish line. Patient-rights bills can’t seem to get to the starting line. So there’s not much chance of major health care legislation going far in this session of Congress, right?

Wrong. Think privacy. Legislation to protect the confidentiality of medical records is front and center on Capitol Hill, with prospects for passage better than they’ve been in years.

Of course, Congress has a built-in incentive to enact some sort of privacy measure. Under the Health Insurance Portability and Accountability Act, it has until August to pass legislation on the confidentiality of electronic health information — or suffer the consequences. If Congress can’t get its act together, then the Department of Health and Human Services will promulgate privacy standards by February.

For policy analysts on the Hill, it’s become a matter of pride, and there’s no shortage of proud players at that end of Pennsylvania Avenue.

In the Senate, Jim Jeffords of Vermont, chairman of the Health, Education, Labor, and Pensions Committee, and Christopher Dodd of Connecticut have reintroduced essentially the same measure they sponsored last year (this time, it’s called the Health Care Personal Information Nondisclosure Act of 1999). Jeffords’s fellow Vermonter, Patrick Leahy, and Massachusetts’s Edward Kennedy also have reintroduced their privacy-protection legislation. Also, with the support of the Healthcare Billing & Management Association, Bob Bennett of Utah is again pushing his pet bill, the Medical Information Protection Act.

On the House side, there’s the Medical Information Privacy and Security Act, introduced March 10 by Edward Markey of Massachusetts.

The American Medical Association is reviewing all of the bills, but hasn’t yet formulated a position, according to spokesman Mike Lynch. Last June, the AMA House of Delegates adopted a statement on patient-privacy protection, and any legislation will be judged against its principles, Lynch says.

Strategies differ

A General Accounting Office study concluded that “a considerable amount” of health research relies on information that can identify patients, and that existing safeguards on confidentiality are limited.

The Jeffords-Dodd measure — the presumptive leader at this point — would give individuals access to their medical records, prohibit disclosure of information without patient consent, and grant law-enforcement agencies access to information through subpoenas or warrants. It would not preempt existing state laws that provide stronger protection.

Dodd’s main goal is to prevent data, including prescription records, from being sold. “Individuals should have control of this very personal information. It shouldn’t be exploited to boost a company’s bottom line,” he says. The act creates incentives for those who would use a patient’s health information to sanitize it — that is, remove references that would make it possible for a recipient to identify the patient. Hospitals and physicians turning over patient information would need to provide individuals with “clear written notice” of their rights, and develop procedures for granting and revoking authorization for others to make use of that information.

Bennett, former chairman of the Senate Republican Health Care Task Force, doesn’t like the idea that state statutes could preempt federal law. State laws, he says, are “incomplete, inconsistent, and inadequate.”

While most pharmaceutical companies do not want research efforts to be compromised by what they might consider to be restrictive privacy measures, one trade group, the Biotechnology Industry Organization, says federal legislation may be preferable to the hodgepodge of existing state laws.

Federal law doesn’t regulate use of computerized patient medical information obtained in the course of clinical trials or in epidemiological and outcomes research. Janlori Goldman, director of the Health Privacy Project at the Institute for Health Care Research and Policy at Georgetown University, says a national health policy “should create incentives for researchers to use nonpersonally identifiable health care data,” and should provide uniform protection for subjects in any research study.

Will DM be sacrificed?

Privacy legislation is hardly a slam-dunk. While it’s not politically correct in this town to come out against confidentiality protections, as you read this, legislators are listening to arguments by health plan supporters who warn not to go overboard in the pursuit of privacy.

Al Lewis, president of the Disease Management Association of America, observes that medical records contain valuable data that can be used to benefit patients. “Our view is that unauthorized use of people’s medical data should be strictly prohibited, with stiff penalties for anyone who violates that privacy.”

On the other hand, says Lewis, disease management programs “require access to patient-care data to identify patients who stand to benefit from them, ensure compliance with recognized standards of care, and monitor patient outcomes.”

Disease management, Lewis argues, has emerged as the most effective and efficient way to organize and deliver proactive programs that improve health.

Successful disease management programs, he says, have reduced the number of lost school days for children with asthma by 83 percent, reduced ER visits by asthma sufferers, and improved screening and lowered overall blood-sugar levels for diabetes patients.

Thanks in large measure to the threat of HHS regulation, inside-the-beltway gurus assess the odds of passing privacy legislation by August as about 2:1.

“Society as a whole will face higher health care costs resulting from a sicker population,” says Lewis, who adds that access to patient data allows health plans, “for the first time, to manage diseases. They are finally doing what their critics have criticized them for not doing.”

Look beyond Washington for illumination on this issue. Last year, Maine passed legislation last year that prohibited hospitals from releasing information without a patient’s written authorization — with penalties of up to $50,000 per violation.

The situation created unintended effects: Clergy, florists, and reporters were denied data about a hospital’s census, family members complained of problems getting information on relatives, and pharmacists refused to release medication to anyone other than the patient without a waiver.

What the state had hoped would be a model for privacy protection turned out to be an unmitigated legislative disaster.

In fact, the public outcry against the measure was so enormous that Maine legislators were forced to passed another bill in January, suspending the law until a new privacy measure could be crafted.

After last year’s ennui, however, Congress probably will want to do something — anything — in the health care arena before the next millennium.